Jellyfin Forum
Docker & reverse proxy: how to optimally set up? - Printable Version




Docker & reverse proxy: how to optimally set up? - ancionio - 2025-04-20

I've been using a setup where jellyfin is behind a reverse proxy (nginx, via npm) and it's been working fine so far, but my setup isn't ideal imo and I can't figure out how to make it better.

Here's a quick description of my setup:

Both jellyfin and npm are running as independent docker containers on a Syno NAS.
The jellyfin container uses its own docker network, with this configuration:
Code:
"Name": "synobridge",
"Scope": "local",
"Driver": "bridge",
"IPAM": {
    "Driver": "default",
    "Options": null,
    "Config": [
        {
            "Subnet": "172.20.0.0/24",
            "IPRange": "172.20.0.0/26",
            "Gateway": "172.20.0.254"
        }
    ]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
...

Within jellyfin's networking settings, I set "172.20.0.254" as a known proxy, which works: the correct IPs are reported for each client connecting to the server.

However, the only way I could make this work is if I set the npm container to use the host docker network (and thus redirect my jellyfin url to "localhost:8096" in npm's config).
As soon as I try to restrict npm's networking to its own docker network + jellyfin's docker network (that I called "synobridge", with details above), I can't find any way to have jellyfin report real client IPs anymore.

I tried a bunch of different configurations for jellyfin's known proxies, but none worked: adding jellyfin's IP on the npm docker network, the gateway of the npm docker network, all of that with or without jellyfin's IP on synobridge, also with or without synobridge's gateway IP, etc. Whatever I do, the jellyfin server always reports its own IP on the npm docker network.

Is there any way to make this work or is it essentially impossible to have the reverse proxy not use the host docker network in this configuration?

Thanks a lot in advance. :)


RE: Docker & reverse proxy: how to optimally set up? - TheDreadPirate - 2025-04-20

SOMETHING has to be listening on the host's interface. If you are using bridge networking for NPM with "ports" published, that is still technically "host networking" but only on the published ports.

You mentioned you've tried several IPs for known proxies, but you don't make clear whether you've tried multiple at the same time. Or all of them.

On my system I have plain Nginx running directly on the host with Jellyfin in a bridge network "exposing" port 8096 instead of port publishing. I add the host's IP and the bridge network's gateway IP to the known proxies field.

Additionally, if there are two separate bridge networks, the optimal setup is to have Jellyfin in both networks. However, if Jellyfin and NPM are by themselves in their respective networks, I wouldn't bother having separate networks.


RE: Docker & reverse proxy: how to optimally set up? - Duvel - 2025-04-21

My config, if that helps.
I am 100% docker but my config is slightly different than yours because I have 2 distinct servers in my DMZ for the Reverse Proxy and Jellyfin, but all in one it's just the same: As a rule of thumb, I only use host-IP for all my settings, and not docker internal networks at all.

My setup is:
Jellyfin and other web apps are running (in containers) on server 192.168.2.4
My reverse proxy (caddy docker) is running on server 192.168.2.10, and ALL http(s) traffic is redirected to it by my router. And then caddy dispatches to the correct host-port of my network depending on the subdomain (got one subdomain per webapp)
All docker networks of all the stacks on both servers are bridged.

This is my Jellyfin network.xml:

Code:
<?xml version="1.0" encoding="utf-8"?>
<NetworkConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <BaseUrl />
  <EnableHttps>false</EnableHttps>
  <RequireHttps>false</RequireHttps>
  <CertificatePath />
  <CertificatePassword />
  <InternalHttpPort>8096</InternalHttpPort>
  <InternalHttpsPort>8920</InternalHttpsPort>
  <PublicHttpPort>8096</PublicHttpPort>
  <PublicHttpsPort>8920</PublicHttpsPort>
  <AutoDiscovery>true</AutoDiscovery>
  <EnableUPnP>true</EnableUPnP>
  <EnableIPv4>true</EnableIPv4>
  <EnableIPv6>false</EnableIPv6>
  <EnableRemoteAccess>true</EnableRemoteAccess>
  <LocalNetworkSubnets>
    <string>192.168.2.0/24</string>
    <string>192.168.1.0/24</string>
    <string>172.20.0.0/16</string>
    <string>172.22.0.0/16</string>
  </LocalNetworkSubnets>
  <LocalNetworkAddresses>
    <string>192.168.2.4</string>
  </LocalNetworkAddresses>
  <KnownProxies>
    <string>192.168.2.10</string>
  </KnownProxies>
  <IgnoreVirtualInterfaces>true</IgnoreVirtualInterfaces>
  <VirtualInterfaceNames>
    <string>veth</string>
  </VirtualInterfaceNames>
  <EnablePublishedServerUriByRequest>false</EnablePublishedServerUriByRequest>
  <PublishedServerUriBySubnet />
  <RemoteIPFilter />
  <IsRemoteIPFilterBlacklist>false</IsRemoteIPFilterBlacklist>
</NetworkConfiguration>

So basically, I tell jellyfin that:
  1. its own IP is 192.168.2.4 which is the host IP address
  2. Known proxies are 192.168.2.10, which is the IP address of Caddy's server (host)
  3. The LAN subnets are:
  • 192.168.2.0/24 (my DMZ)
  • 192.168.1.0/24 (my LAN)
  • 172.20.0.0/16 and 172.22.0.0/16 (internal docker networks)

So basically I don't use the internal docker networks ranges in the web app configs, and that's what you should do to avoid issues: bridge your docker networks, and work with host(s) IP(s) in your applications' settings. It's the port that matters to know where the apps should forward/listen/expose. In your case the host IP is the same for both jellyfin and npm.
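
The known-proxy behaviour discussed in this thread, as an added example that is not part of any post above and is not Jellyfin's own code: a forwarded client address is only accepted when the connection arrives from an address on the KnownProxies list. The right-to-left header walk is the usual trusted-proxy convention and is assumed here; the function names, the container address 172.20.0.5 and the client address 203.0.113.7 are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed excerpt in the shape of the network.xml posted above.
NETWORK_XML = """<NetworkConfiguration>
  <KnownProxies>
    <string>192.168.2.10</string>
  </KnownProxies>
</NetworkConfiguration>"""

def load_known_proxies(xml_text):
    """Return the KnownProxies entries as ip_network objects."""
    root = ET.fromstring(xml_text)
    return [ipaddress.ip_network(e.text.strip(), strict=False)
            for e in root.findall("./KnownProxies/string") if e.text]

def is_trusted(addr, proxies):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in proxies)

def resolve_client_ip(peer, x_forwarded_for, proxies):
    # Usual trusted-proxy rule (an assumption, not Jellyfin's code): honour the
    # header only if the TCP peer is a known proxy, then read it right to left.
    if not is_trusted(peer, proxies):
        return peer  # header ignored: the peer itself is reported
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not is_trusted(hop, proxies):
                return hop  # first hop that is not one of our proxies
        except ValueError:
            return peer  # malformed entry: fall back to the peer address
    return peer

def demo():
    proxies = load_known_proxies(NETWORK_XML)
    client = "203.0.113.7"  # constructed client address
    return {
        # Connection arrives from the listed proxy host: header is used.
        "listed_peer": resolve_client_ip("192.168.2.10", client, proxies),
        # Peer not on the list (constructed container IP): header is ignored.
        "unlisted_peer": resolve_client_ip("172.20.0.5", client, proxies),
        # A client-supplied left-most entry does not override the real hop.
        "spoofed": resolve_client_ip("192.168.2.10", "10.9.9.9, " + client, proxies),
    }

if __name__ == "__main__":
    for name, ip in demo().items():
        print(name, "->", ip)
```

The list should hold only the addresses the proxy actually connects from; listing a whole Docker subnet would let any container on it supply its own forwarded address.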