Is a reverse proxy enough?

So I set up a media server with Jellyfin for the first time this week and initially gave remote access to people by simply opening port 8096 on my router.

After learning that that isn’t good for security and copyright enforcement reasons, I found a guide and set up a reverse proxy using Caddy.

Is this enough for security and ensuring that my ISP or anyone else doesn’t know what’s on my server? I’m okay with it not being the most secure thing ever.

A reverse proxy that does not inspect or require authentication does not add any security.

Adding HTTPS only encrypts the data in transit, it does not prevent anyone from accessing the web application.

There’s no such thing as a completely secure external connection, though there are plenty of mitigations which can improve the security.

  1. Using a reverse proxy with SSL will prevent most (but not all, as Snowden revealed) external actors from sniffing your traffic.
  2. Using a VPN as /u/ex800 suggested would be the most secure method as it allows connectivity only from those who are connected via a secure tunnel, but this has the disadvantage of not being able to readily hand out log-ins and connection details to family and friends (whilst most people can comfortably manage to enter URLs and credentials, far fewer are confident enough to install and configure a VPN client).

Somewhere in between those is the method I use, more secure than a simple reverse proxy, but less secure than VPN - I restrict incoming connections to only IP addresses from my own region, meaning that the “usual suspects” (USA/Russia/China/Israel) can’t get into my network. I do this at the router, using a weekly-updated address range list from IPDeny.

If you’re fortunate enough to have all your clients sitting on static IP addresses for their internet connectivity, you can restrict this even further by only allowing incoming connections from the addresses they’re on.
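The region allowlist described in the post above, sketched as an added example that is not part of the original thread or any poster's own setup. It assumes a zone file with one CIDR range per line; the sample ranges, the static client address, and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in a one-CIDR-per-line zone file layout.
# The ranges are RFC 5737 documentation networks, not real allocations.
SAMPLE_ZONE = """\
# constructed sample zone
192.0.2.0/25
192.0.2.128/25
198.51.100.0/24

not-a-cidr
"""

# Constructed static client address (the stricter variant in the post).
STATIC_CLIENTS = ["203.0.113.7"]


def load_allowlist(zone_text, static_ips=()):
    """Parse zone lines plus static IPs into a merged list of networks."""
    nets = []
    for raw in zone_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # skip malformed lines rather than widen the list
    nets.extend(ipaddress.ip_network(ip) for ip in static_ips)
    # collapse_addresses needs one IP version per call
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(
        ipaddress.collapse_addresses(v6)
    )


def is_allowed(client_ip, allowlist):
    """Default deny: unparsable or unlisted addresses are rejected."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr.version == net.version and addr in net for net in allowlist)
```

An allowlist like this only narrows who can reach the login page; Jellyfin's own passwords and HTTPS still do the authentication and encryption.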

Reverse proxy only adds HTTPS support which will encrypt the traffic from your ISP. If you truly want to hide your services then VPN like Wireguard/Tailscale is your only solution.

Yes, it’s enough for secure remote access, after all it is just a website. Make sure you keep Jellyfin up to date and that your users have passwords (and max login attempts set) in Jellyfin.

Set up a Wireguard tunnel

I’m not good at this, so I’m sorry if this is a stupid question, but what should I be doing then?

I still want people to access the web application, I used Caddy for that express purpose, I just want to make sure I’m (realistically) covered from attacks or copyright enforcement

You mean Wireguard? :)

Not sure forcing people to use a VPN to access a website is a very common solution.

the only way to protect from “attacks” is to prevent access, such as with a VPN (then the VPN becomes a point of attack).

are you allowing unauthenticated access, or do you require a logon to access?

OP was asking for a secure solution. There is no better option.

So far I’ve only given it to one person and they have their own login credentials for their Jellyfin profile

He also said it was not just for him…

Well, I hope my banks, my investment providers and my private medical providers don’t start asking me to use their own VPNs to access their websites…

Is Caddy using HTTPS?

They have multiple million dollar industry level security systems in place, but hey if op can cough up the dough then by all means…

I think you are right: the way forward in 2023 to secure any website is to ask visitors to install VPNs.

I really wish there was some secure mechanism that could encrypt traffic between a client and a website, without requiring any special software…

After all those cookie prompts required by the EU, 2023 is not going to get easier.

If you’re paranoid of ISP’s/copyright holders and you want to make sure no outsider knows what is going on between server and users AND no other person should have access to it, then yes, vpn it is.

Otherwise https is plenty good…
isp dns servers, obvious subdomains, etc you know?