Jellyfin Forum
Reverse Proxy SSL - Printable Version

Reverse Proxy SSL - blawford - 2025-01-29

I’m trying to figure out the best way to seamlessly access Jellyfin from my mobile devices, whether I’m at home or away. 

My setup: 
- Jellyfin is running in a Docker container on Unraid. 
- The container’s network is set to br0, and I’ve assigned it the static IP 10.0.0.6. It listens on ports 80/443.
- I’m using Nginx Proxy Manager (NPM) in another container to handle reverse proxying. 
- I have a subdomain, media.domain.com, set up in NPM to route the traffic to Jellyfin. 
- The proxy host has a self-signed SSL certificate and HTTPS is enforced. 

This setup works perfectly when I’m outside my home network. 

The problem: 
I want media.domain.com to work both at home and away, without needing to switch servers in the Jellyfin Android app. Additionally, I want traffic to route locally when I’m on my LAN, so it continues to work even if my internet is down. 

What I’ve tried: 
I set up a static DNS entry on my router to resolve media.domain.com to 10.0.0.4 (NPM), thinking this would allow my local devices to still reach Jellyfin with SSL. However, when I do this I am unable to connect when using the Android app, I suspect because of an SSL-related issue. 

I haven't tried pointing media.domain.com on my router to 10.0.0.6 (Jellyfin) directly, but if I did this I can't see how I could use https://media.domain.com both home and away.

My question: 
What’s the best way to set this up so that I can always use the same server address, whether I’m at home or away, with traffic routing locally when at home? I would prefer not to use any sort of setup that would require config on client devices (VPN for example).

Would love to hear how others have solved this.


RE: Reverse Proxy SSL - TheDreadPirate - 2025-01-29

Do the following:

- Put Jellyfin back on port 8096. It does NOT need to be on 80 or 443. Nginx will handle those ports.
- If possible, switch Jellyfin to bridge networking and "expose" port 8096 instead of publishing it. I can't remember if unRAID allows you to do that.
- Configure Nginx Proxy Manager to listen on your domain name, set the proxy to go to protocol http, the bridge network IP for Jellyfin, on port 8096. Use the host IP if you aren't able to switch Jellyfin to "expose" instead of publish. Enable websockets, block common exploits, DO NOT enable caching. Ensure that the NPM container is publishing ports 80 and 443 or that you are using host networking.
- Set up port forwarding on your router to send port 443 external to port 443 internal to your unRAID host's IP.
- Add the container IP to Jellyfin as a "Known proxy", Dashboard > Networking. If you are using host networking for NPM, use the host's IP.
- Hopefully your router supports NAT loopback. If it does, enable it. If it doesn't, you can also add custom DNS entries (often labeled "edit hosts") so that DNS requests to your domain, while on your home network, will resolve to the local IP instead of your public IP. Either option will keep local traffic local when using your domain name.
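
The "Known proxy" step above, as an added example that is not part of the thread and not Jellyfin's own code: a generic model of how a backend behind a reverse proxy decides whether to believe `X-Forwarded-For`. The function name and all addresses are constructed; 172.17.0.2 stands in for the NPM container IP.

```python
import ipaddress


def client_ip(peer_ip, xff_header, known_proxies):
    """Return the address a request should be attributed to.

    peer_ip       -- source address of the TCP connection the backend sees
    xff_header    -- raw X-Forwarded-For value, or None
    known_proxies -- IPs or CIDRs allowed to speak for other clients
    """
    trusted = [ipaddress.ip_network(p, strict=False) for p in known_proxies]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    peer = ipaddress.ip_address(peer_ip)
    # A header from a peer that is not a known proxy is ignored entirely.
    if not xff_header or not is_trusted(peer):
        return str(peer)

    # Walk the header right to left: each entry was appended by the hop
    # after it, so stop at the first address that is not a known proxy.
    current = peer
    for hop in reversed([h.strip() for h in xff_header.split(",") if h.strip()]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        current = addr
        if not is_trusted(addr):
            break
    return str(current)


if __name__ == "__main__":
    npm = ["172.17.0.2"]  # constructed NPM container IP
    # Proxy is known: the remote viewer's address is used.
    print(client_ip("172.17.0.2", "203.0.113.7", npm))
    # Proxy not configured: every remote session appears to come from NPM.
    print(client_ip("172.17.0.2", "203.0.113.7", []))
    # Header on a direct connection that did not come from the proxy: ignored.
    print(client_ip("10.0.0.50", "127.0.0.1", npm))
    # Listing the whole LAN instead of only the proxy makes that header trusted.
    print(client_ip("10.0.0.50", "127.0.0.1", ["10.0.0.0/24"]))
```

The last case is why the known-proxy list should hold only the proxy's own address rather than a whole subnet.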