+- Jellyfin Forum (https://forum.jellyfin.org)
+-- Forum: Support (https://forum.jellyfin.org/f-support)
+--- Forum: General Questions (https://forum.jellyfin.org/f-general-questions)
+--- Thread: LG WebOS Error Code 27 (/t-lg-webos-error-code-27)
LG WebOS Error Code 27 - dnightbane - 2025-03-09
Hello! I'm having trouble accessing my server from my LG c2 using the LG Store client, specifically, when I enter the URL for the server and hit continue it fails with error code 27.
Playback works fine in the browser and on my pixel 8 pro.
I am hosting jellyfin inside docker (latest tag) with nginx as a reverse proxy using the following nginx configuration:
Code:
server {
listen 443 ssl;
http2 on;
server_name jellyfin.domain.com;
ssl_certificate /etc/nginx/ssl/domain.com/domain.com.crt;
ssl_certificate_key /etc/nginx/ssl/domain.com/domain.com.key;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
# Permissions policy. May cause issues with some clients
# add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
# Content Security Policy
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
access_log /var/log/nginx/domain/jellyfin.access.log;
error_log /var/log/nginx/domain/jellyfin.error.log;
location / {
# Proxy main Jellyfin traffic
set_real_ip_from 10.200.200.2;
proxy_pass http://jellyfin:8096;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
}
location /socket {
# Proxy Jellyfin Websockets traffic
set_real_ip_from 10.200.200.2;
proxy_pass http://jellyfin:8096;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
}
}RE: LG WebOS Error Code 27 - TheDreadPirate - 2025-03-09
Do you know if there are other nginx configs that are "included" elsewhere? There are several CORS header options that are problematic for WebOS that may be added via additional conf files that Nginx includes by default.
RE: LG WebOS Error Code 27 - dnightbane - 2025-03-09
Not that I'm aware of.
The default nginx.conf file is this
Code:
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
##buffer policy
# client_body_buffer_size 1K;
# client_header_buffer_size 1k;
# client_max_body_size 2M;
# large_client_header_buffers 2 1k;
large_client_header_buffers 4 8k;
##end buffer policy
server_tokens off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_prefer_server_ciphers off;
proxy_read_timeout 50000;
proxy_connect_timeout 50000;
proxy_send_timeout 50000;
include /etc/nginx/conf.d/*.conf;
}
#include /etc/nginx/dnstls.conf;The only other app on this box is jellystat and that uses the below as an included file for it's server block.
Code:
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;RE: LG WebOS Error Code 27 - TheDreadPirate - 2025-03-10
Code:
include /etc/nginx/conf.d/*.conf;Are there any conf files in this directory? If so, what is in them? Also, can you share the output of this command? It shouldn't include your domain name, but censor it if it does show up in the output. Obviously replace "jellyfin.domain.tld" with your actual domain.
Code:
curl --head -i https://jellyfin.domain.tldThis will print the headers used by the current nginx config for Jellyfin.
Code:
HTTP/2 302
server: nginx/1.26.3
date: Mon, 10 Mar 2025 13:47:20 GMT
location: web/
strict-transport-security: max-age=63072000
x-xss-protection: 0
x-content-type-options: nosniff
last-modified: Monday, 10-Mar-2025 13:47:20 GMT
cache-control: no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0
permissions-policy: accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()
origin-agent-cluster: ?1
content-security-policy: default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self' ; font-src 'self'RE: LG WebOS Error Code 27 - dnightbane - 2025-03-10
There are 2 files in that directory
Code:
root@489c9d8f2654:/# ls /etc/nginx/conf.d/
jellyfin.conf jellyfinsecure.confjellyfin.conf contains
Code:
server {
listen 443 ssl;
http2 on;
server_name jellyfin.my.internal.domain;
ssl_certificate /etc/nginx/ssl/my.internal.domain/my.internal.domain.crt;
ssl_certificate_key /etc/nginx/ssl/my.internal.domain/my.internal.domain.key;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
# Permissions policy. May cause issues with some clients
# add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
# Content Security Policy
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
access_log /var/log/nginx/jellyfin/jellyfin.access.log;
error_log /var/log/nginx/jellyfin/jellyfin.error.log;
location / {
# Proxy main Jellyfin traffic
set_real_ip_from 10.200.200.2;
proxy_pass http://jellyfin:8096;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
}
location /socket {
# Proxy Jellyfin Websockets traffic
set_real_ip_from 10.200.200.2;
proxy_pass http://jellyfin:8096;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
}
}
server {
listen 443 ssl;
http2 on;
server_name jellystats.my.internal.domain;
include /etc/nginx/conf.d/jellyfinsecure.conf;
access_log /var/log/nginx/jellyfin/jellystats.access.log;
error_log /var/log/nginx/jellyfin/jellystats.error.log;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_pass http://jellystat:3000/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}and jellyfinsecure.conf contains
Code:
ssl_certificate /etc/nginx/ssl/my.internal.domain/my.internal.domain.crt;
ssl_certificate_key /etc/nginx/ssl/my.internal.domain/my.internal.domain.key;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;Command Output
Code:
$ curl --head -i -k https://jellyfin.my.internal.domain
HTTP/2 302
server: nginx
date: Mon, 10 Mar 2025 17:27:21 GMT
location: web/
x-content-type-options: nosniff
content-security-policy: default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'RE: LG WebOS Error Code 27 - TheDreadPirate - 2025-03-10
Code:
add_header X-Frame-Options "SAMEORIGIN" always;This one is known to be problematic for WebOS.
Code:
add_header X-XSS-Protection "1; mode=block" always;I believe this one is OBE and should be removed.
Remove both, reload nginx, then try again.
RE: LG WebOS Error Code 27 - dnightbane - 2025-03-10
Both of those lines aren't in the jellyfin server block but I commented them out along with all the other add headers in the jellyfinsecure.conf file
Code:
ssl_certificate /etc/nginx/ssl/my.internal.domain/my.internal.domain.crt;
ssl_certificate_key /etc/nginx/ssl/my.internal.domain/my.internal.domain.key;
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
#add_header Referrer-Policy "no-referrer" always;
#add_header X-Content-Type-Options "nosniff" always;
#add_header X-Download-Options "noopen" always;
#add_header X-Frame-Options "SAMEORIGIN" always;
#add_header X-Permitted-Cross-Domain-Policies "none" always;
#add_header X-Robots-Tag "none" always;
#add_header X-XSS-Protection "1; mode=block" always;I restarted nginx and tested but i'm still getting error code -27. Could it be something to do with the Let's Encrypt certificates that I'm using?
RE: LG WebOS Error Code 27 - TheDreadPirate - 2025-03-10
Did they expire?
Also try commenting out the CSP line in jellyfin.conf.
RE: LG WebOS Error Code 27 - dnightbane - 2025-03-10
Nope, certificate is valid
Code:
Issuer: C=US, O=Let's Encrypt, CN=R10
Validity
Not Before: Jan 7 13:44:23 2025 GMT
Not After : Apr 7 13:44:22 2025 GMTHOWEVER commenting out the CSP line allowed the screen to move on to the username/password screen and I was able to login and play something
Code:
# Content Security Policy
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
#add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";RE: LG WebOS Error Code 27 - TheDreadPirate - 2025-03-11
Huzzah. Could have sworn the documented CSP was fine for WebOS. Noted.