Jellyfin Forum
Admin local login only with Nginx Proxy Manager - Printable Version

+- Jellyfin Forum (https://forum.jellyfin.org)
+-- Forum: Support (https://forum.jellyfin.org/f-support)
+--- Forum: Troubleshooting (https://forum.jellyfin.org/f-troubleshooting)
+---- Forum: Networking & Access (https://forum.jellyfin.org/f-networking-access)
+---- Thread: Admin local login only with Nginx Proxy Manager (/t-admin-local-login-only-with-nginx-proxy-manager)

Pages: 1 2

Admin local login only with Nginx Proxy Manager - Buzzi - 2024-07-27

Hello,

I have a remote access to my Jellyfin server using a subdomain (jellyfin.mydomain.com)

I would like to disable remote access for the admin.
I uncheck the box "Allow remote connections to this Jellyfin Server" for the admin.
But i still have remote access.

Anyone known a solution or why i still have access ?


I own a domain (mydomain.com) with Clouflare, exclusively for Jellyfin and Jellyseerr.

I configured Cloudflare DNS like this :
   

I use Nginx Proxy Manager with Proxy Host to redirect subdomains to Jellyfin and Jellyseerr
   

And I open port 80 and 443 in my router
   

RE: Admin local login only with Nginx Proxy Manager - TheDreadPirate - 2024-07-27

What do you have in the advanced tab for Nginx Proxy Manager? You need to add the header to pass the proxied IP, otherwise Jellyfin will only read the proxy's IP.

https://jellyfin.org/docs/general/networking/nginx/#nginx-proxy-manager

Code:
proxy_set_header X-Real-IP $remote_addr;


RE: Admin local login only with Nginx Proxy Manager - Buzzi - 2024-07-27

I have this :

Code:
    # Disable buffering when the nginx proxy gets very resource heavy upon streaming
    proxy_buffering off;

    # Proxy main Jellyfin traffic
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Protocol $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_headers_hash_max_size 2048;
    proxy_headers_hash_bucket_size 128;
   
    # Security / XSS Mitigation Headers
    # NOTE: X-Frame-Options may cause issues with the webOS app
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "0";
    add_header X-Content-Type-Options "nosniff";

    # Content Security Policy
    # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
    # Enforces https content and restricts JS/CSS to origin
    # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
    # NOTE: The default CSP headers may cause issues with the webOS app
    #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";


RE: Admin local login only with Nginx Proxy Manager - TheDreadPirate - 2024-07-27

When you access the server remotely, what does it say as the IP for the client?

RE: Admin local login only with Nginx Proxy Manager - Buzzi - 2024-07-27

It's the local IP of the server 192.168.1.20

RE: Admin local login only with Nginx Proxy Manager - TheDreadPirate - 2024-07-27

In Dashboard > Networking, add your server's IP as a "Known Proxy". Restart Jellyfin and try again.

RE: Admin local login only with Nginx Proxy Manager - Buzzi - 2024-07-27

In Known Proxy I had "jellyfin.mydomain.com"
I replaced it with "192.168.1.20" then by "http://192.168.1.20"
I can still connect remotely.
But the client IP changed 172.19.0.1

In networking I uncheck the box for enable remote connection, and i can still connect.

RE: Admin local login only with Nginx Proxy Manager - TheDreadPirate - 2024-07-27

You don't need to hide private IPs. They are not publicly accessible.

What network modes is Jellyfin and Nginx Proxy Manager using? If Nginx is using bridge networking and has its own IP, you should also add that IP to known proxies.

RE: Admin local login only with Nginx Proxy Manager - Buzzi - 2024-07-27

You lost me a little, I don't known how to check network mode.

I run Nginx Proxy Manager on the same machine as Jellyfin, with a dokcer compose.


Code:
# Add the below content into the file
version: "3"
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      # Public HTTP Port:
      - '80:80'
      # Public HTTPS Port:
      - '443:443'
      # Admin Web Port:
      - '81:81'
    environment:
      # These are the settings to access your db
      DB_MYSQL_HOST: "db"
      DB_MYSQL_PORT: 3306
      DB_MYSQL_USER: "npm"
      DB_MYSQL_PASSWORD: "npm"
      DB_MYSQL_NAME: "npm"
    volumes:
      - XXX:/data
      - XXX:/etc/letsencrypt
      - XXX:/app/templates/_hsts.conf:ro
    depends_on:
      - db
  db:
    image: 'jc21/mariadb-aria:latest'
    restart: unless-stopped
    environment:
      MYSQL_ROOT_PASSWORD: 'npm'
      MYSQL_DATABASE: 'npm'
      MYSQL_USER: 'npm'
      MYSQL_PASSWORD: 'npm'
    volumes:
      - XXX:/var/lib/mysql



How can I check network mode ?

RE: Admin local login only with Nginx Proxy Manager - TheDreadPirate - 2024-07-27

You would have used "network_mode: host". Since that isn't present you are using bridge networking. If you run "sudo docker inspect nginx-proxy-manager | grep IPAddress" it will list the IP of Nginx. Add that IP to known hosts.

Though it doesn't look like you gave the nginx container a name so it may just have a UUID. Use "sudo docker ps" to list out the container and get the name of the container.