Jellyfin Forum
Yet another dude with Jellyfin Android app not connecting when using domains - Printable Version

+- Jellyfin Forum (https://forum.jellyfin.org)
+-- Forum: Support (https://forum.jellyfin.org/f-support)
+--- Forum: Troubleshooting (https://forum.jellyfin.org/f-troubleshooting)
+---- Forum: Networking & Access (https://forum.jellyfin.org/f-networking-access)
+---- Thread: Yet another dude with Jellyfin Android app not connecting when using domains (/t-yet-another-dude-with-jellyfin-android-app-not-connecting-when-using-domains)

Pages: 1 2

Yet another dude with Jellyfin Android app not connecting when using domains - fakemoth - 2025-01-22

Hi. I usually lurk on the forums, and just as I was hoping for things to stay the same, I am met with an insurmountable problem. I am always self hosting everything, so here is the relevant info for my issue:
  • so I had Jellyfin as a jail on my TrueNAS Core for quite a while, worked fine, TVs and phone apps connected on my own domain;
  • Core is gone so enter TrueNAS Scale, the Linux version; Jellyfin was also a deciding factor as it didn't work anymore on latest Core version;
  • now Jellyfin is in a docker container, had some problems but everything checks out fine;
  • some personal subdomains, including the one for Jellyfin are managed by my own DNS servers, pointing to my OPNSense router at home that has a static IP address;
  • access from outside world is blocked in the firewall, but I always was able to access the personal subdomains with my personal services only from LAN and via Wireguard;
  • on the OPNSense machine I also run my NGINX proxy, via the plugin, works fine for all the subdomains; worked even for Jellyfin on Core until breakage, nothing was changed;
  • but now I can't connect my phone (moved to CalyxOS from LineageOS if it matters) using the official app from FDroid (also tried the on from Google, via Aurora);
  • I just can't even connect - it is eating my brains for days now; keeps saying "Tried 3 candidates for input without success. Unable to reach server" or something of that sort;
  • I am filling, as I once did, only the address in the form > "https://my.domain.tld" tried other variations, with ":443" and such, no luck;
  • problem is: I can access the Jellyfin docker container just fine from the browser on my phone, my PC, or any other device, so in fact it is not like stuff is not reachable...
  • and yes, in the app is getting over the first field and I am asked for a username and password if I fill in the internal IP of the TrueNAS machine and the port of the container; just not working with a domain;
  • and before you ask: yes, I have the X-Forwarded-For active in NGINX; and yes, I filed a bunch of IPs in Jellyfin's "Known proxies" setting: the external public IP, the IPs of the NAS, the IPs of the router; and yes, I did restart the devices involved, like a lot;
  • the NGINX logs: Stream Error log - empty; Stream Access log - empty; HTTP Error log - nothing with my phone IP (???); HTTP Access log - when trying with app=nothing, when from phone's browser = it displays access
  • as for the OPNSense firewall itself it shows that it properly allows traffic both from the app and from web, from the same phone, to the Jellyfin container. So no problem there with the switches either, between VLANS and such. Proof is that I can access the domain from my phone, except with the Jellyfin app.

Thank you very much and let me extend my appreciation for this great project!

RE: Yet another dude with Jellyfin Android app not connecting when using domains - bitmap - 2025-01-22

Could you provide your Jellyfin log via pastebin or privatebin? I hear a couple different setups here and it's a little confusing, i.e., using both RP and Wireguard. I also don't see anything about certs, but that doesn't mean much. You could try http://mydomain.tld, could double-check whether remote connections are allowed to the server for the user account you're attempting to use, but without looking at a log those are shots in the dark.

RE: Yet another dude with Jellyfin Android app not connecting when using domains - fakemoth - 2025-02-02

Been a while didn't have the time to get back to this one. As I said, nothing gets logged - for example in the past 15 minutes tried again multiple times from the app and nothing in the log (the Jellyfin log in the interface, right?), only stuff like (and on my time zone is 14.55):

[2025-02-02 14:38:28.477 +02:00] [WRN] [27] Emby.Server.Implementations.Library.LibraryManager: Cannot fetch image from "http://image.tmdb.org/t/p/original/n6sBEBLPngFwQSHqYuEwR2EmyYc.jpg"
System.InvalidOperationException: Unable to convert any images to local
at Emby.Server.Implementations.Library.LibraryManager.ConvertImageToLocal(BaseItem item, ItemImageInfo image, Int32 imageIndex, Boolean removeOnFailure)
at Emby.Server.Implementations.Library.LibraryManager.UpdateImagesAsync(BaseItem item, Boolean forceUpdate)

RE: Yet another dude with Jellyfin Android app not connecting when using domains - fakemoth - 2025-02-02

Let me try to clear things up:
- it is not from Wireguard, though I did try with Wireguard also and of course it is not different; I am in my local network, and even if in a different VLAN, my phone has access to everything. Proof is - it works from Fennec, on the same phone | second proof is - it works via the direct Jellyfin IP; so no routing or firewalling issues;
- the cert is fine, it is a valid wildcard from Let's encrypt automatically renewed on my server and copied on OPNSense; ssllabs.com gives me an A+ for the implementation;
- NGINX serves everything fine, proof is the same: it works from web, from any devices I decided to grant access;
- more: believe it or not it works from the app of a silly LG TV, in a third different network, one that always gave me grief (in the TrueNAS Core days, the older setup). Now it is flawless Smiling-face , properly working with my domain.
- the Jellyfin version is 10.10.5 as a Docker app on TrueNAS Scale ElectricEel-24.10.2, the app version is 2.6.2 from FDroid running on Android 15 (CalyxOS 6.3.0)

So everyone/everything is quite happy; except me, with the darn app on my own phone, with my own domain lol

RE: Yet another dude with Jellyfin Android app not connecting when using domains - TheDreadPirate - 2025-02-03

Can you share your Nginx config with the domain name censored?

RE: Yet another dude with Jellyfin Android app not connecting when using domains - fakemoth - 2025-02-03

Thank you for trying to help!
I hope I didn't leave anything private in the config, in a hurry right now; here is the section for my subdomain:

Code:
server {

    listen 80;

    listen 443 ssl;
    http2 on;
    ssl_certificate_key /usr/local/etc/nginx/key/my.domain.key;
    ssl_certificate /usr/local/etc/nginx/key/my.domain.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_dhparam /usr/local/opnsense/data/OPNsense/Nginx/dh-parameters.4096.rfc7919;
    ssl_ciphers ECDHE-ECDSA-CAMELLIA256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CAMELLIA256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CAMELLIA128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CAMELLIA128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-CAMELLIA256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-CAMELLIA128-SHA256:ECDHE-RSA-AES128-SHA256;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_prefer_server_ciphers on;
    ssl_stapling off;

    sendfile On;
    server_name  my.domain;
    real_ip_header X-Forwarded-For;

    client_header_buffer_size 1k;
    large_client_header_buffers 4 8k;
    charset utf-8;
    access_log  /var/log/nginx/my.domain.access.log main;
    access_log  /var/log/nginx/tls_handshake.log handshake;
    error_log  /var/log/nginx/my.domain.error.log error;
    #include tls.conf;
    error_page 403 /opnsense_error_403.html;
    error_page 404 /opnsense_error_404.html;
    error_page 405 /waf_denied.html;
    error_page 500 501 502 503 504 /opnsense_server_error.html;

    location = /opnsense_error_403.html {
        internal;
        root /usr/local/etc/nginx/views;
    }
    location = /opnsense_error_404.html {
        internal;
        root /usr/local/etc/nginx/views;
    }
    location = /opnsense_server_error.html {
        internal;
        root /usr/local/etc/nginx/views;
    }
    # location to ban the host permanently
    set $naxsi_extensive_log 0;
    location @permanentban {
        access_log /var/log/nginx/permanentban.access.log main;
        access_log /var/log/nginx/perm_ban.access.log main_ban;
        internal;
        add_header "Content-Type" "text/plain; charset=UTF-8" always;
        return 403 "You got banned permanently from this server.";
    }
    error_page 418 = @permanentban;
    location = /waf_denied.html {
        root /usr/local/etc/nginx/views;
        access_log /var/log/nginx/waf_denied.access.log main;
    }
    # block based on User Agents defined in global http settings
    if ($http_user_agent ~* Python-urllib|Nmap|python-requests|libwww-perl|MJ12bot|Jorgee|fasthttp|libwww|Telesphoreo|A6-Indexer|ltx71|okhttp|ZmEu|sqlmap|LMAO/2.0|l9explore|l9tcpid|Masscan|zgrab|Ronin/2.0|Hakai/2.0|Indy\sLibrary|^Mozilla/[\d\.]+$|Morfeus\sFucking\sScanner|MSIE\s[0-6]\.\d+) {
        return 418;
    }
    location /opnsense-auth-request {
      internal;
      fastcgi_pass  unix:/var/run/php-webgui.socket;
      fastcgi_index index.php;
      fastcgi_param TLS-Cipher $ssl_cipher;
      fastcgi_param TLS-Protocol $ssl_protocol;
      fastcgi_param TLS-SNI-Host $ssl_server_name;
      fastcgi_param Original-URI $request_uri;
      fastcgi_param Original-HOST $host;
      fastcgi_param SERVER-UUID "c8449996-bb2c-4a9d-b39e-69414f6caef1";
      fastcgi_param SCRIPT_FILENAME  /usr/local/opnsense/scripts/nginx/ngx_auth.php;
      fastcgi_param AUTH_SERVER "Local Database";
      fastcgi_intercept_errors on;
      include        fastcgi_params;
    }
    if ($scheme != "https") {
        return 302 https://$host$request_uri;
    }
    include c8449996-bb2c-4a9d-b39e-69414f6caef1_pre/*.conf;


location  / {
    BasicRule wl:19;
    DeniedUrl "/waf_denied.html";
    if ($scheme != "https") {
        return 302 https://$host$request_uri;
    }
        # IP ACL
        allow x.y.z.w/27;

        deny all;
    autoindex off;
    proxy_set_header Host $host;
    proxy_set_header X-TLS-Cipher $ssl_cipher;
    proxy_set_header X-TLS-Protocol $ssl_protocol;
    proxy_set_header X-TLS-SNI-Host $ssl_server_name;
    # proxy headers for backend server
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-TLS-Client-Intercepted $tls_intercepted;
    proxy_ignore_client_abort off;
    proxy_request_buffering on;
    proxy_max_temp_file_size 1024m;
    proxy_buffering on;
    proxy_pass http://upstreamafdd56911f3640859ad5d426a4f9d922;
    proxy_hide_header X-Powered-By;
    include 64941bab-b974-47bc-956b-93198373ff49_post/*.conf;
}
    include c8449996-bb2c-4a9d-b39e-69414f6caef1_post/*.conf;

}


RE: Yet another dude with Jellyfin Android app not connecting when using domains - TheDreadPirate - 2025-02-03

I'm not sure what I'm looking at here. A lot of extra stuff.

Can you describe your setup? The proxy_pass is to an obfuscated URL, not sure what that is going to. If that is Jellyfin or not. Lots of includes with no descriptive names.

Also, example nginx configs are provided in our documentation.

https://jellyfin.org/docs/general/networking/nginx/

One thing, off the bat, that you should disable is proxy_buffering. That isn't related to your problem, but can be problematic in terms of resource consumption and playback consistency.

RE: Yet another dude with Jellyfin Android app not connecting when using domains - fakemoth - 2025-02-03

NGINX as a plugin on OPNSense is managed (and it is the recommended way) via the web interface, beautifully integrated BTW. So those are lines generated via the web interface, some seem like pure sensible defaults/placeholders for when something will be written there.
Bottom line: no other problems with NGINX anywhere else, including with Jellyfin on a TV and via web. Seems like the phone app is the only thing that is stuck somehow on the very first setup screen, can't reach the domain.

In the past there were no such problems, thing is of course that is no longer relevant. But due to stopping using Jellyfin last year because of the TrueNAS-Core-going-down-the-drain-drama, I can't pinpoint what other things changed during the different updates as the source of this non-sense. And there also is THE SILENCE - no piece of software complains or says anything... Or at least I don't know anymore where to look.

RE: Yet another dude with Jellyfin Android app not connecting when using domains - TheDreadPirate - 2025-02-03

Try adding this to the config.

Code:
ssl_trusted_certificate /etc/letsencrypt/live/domain.tld/chain.pem; # managed by Certbot

Replace the path to wherever your chain.pem is located.

RE: Yet another dude with Jellyfin Android app not connecting when using domains - fakemoth - 2025-02-04

Thanks @TheDreadPirate but I don't think that something like that could be the problem. Instead I tried from my wife's phone, that it is still LineageOS - and it worked like a charm. So it is something related to Android 15...

Can someone confirm that the app is fine, with a fresh install on Android 15?