Jellyfin Forum (https://forum.jellyfin.org)
SSL + Caddy (reverse proxy)



SSL + Caddy (reverse proxy) - DingleBob - 2024-06-26

Hey everyone,

Jellyfin itself works and I have been using it from outside through a WireGuard VPN, and it works great. I want to improve accessibility for friends, so I decided I will give port forwarding a try.

This is my setup right now:

Domain (CNAME) > dynamic DNS (duckdns.org) > my local network, which does port forwarding (FritzBox) > Caddy (as suggested in the Jellyfin docs) as reverse proxy (on a Raspberry Pi) > Jellyfin (running on TrueNAS)

Since port forwarding poses risks, I definitely don't want to do it without SSL. So I ran Certbot (Let's Encrypt) on my Raspberry Pi. Certbot requires ports 80 (HTTP) and 443 (HTTPS) in order to do its job and provide the certificates. For that purpose, I set up temporary port forwarding for 80 & 443 from my FritzBox to my Raspberry Pi. This worked and I was able to create the certs.

After I obtained the certs, I created the .p12 file. Then I created a new dataset on my TrueNAS which only contains the SSL cert. I created a mountpoint for the Jellyfin jail and then set up HTTPS in the Jellyfin dashboard -> network settings (using Jellyfin's default HTTPS port: 8920). I also set the path to the .p12 file and entered the cert password that I had set up when I generated the .p12 file.

So far so good, I managed to do all the steps that I had planned.

My port forwarding is set up in this way: I call my domain with the ":8920" ending -> this goes to the FritzBox. The FritzBox has forwarding for :8920 -> Caddy. Caddy does the reverse proxying -> jellyfin:8920.

This is what my Caddyfile looks like (replaced domain and IPs with placeholders):
Code:
{
        http_port 8096
        https_port 8920
}

<my domain>:8920 {
        reverse_proxy <local ip of jellyfin>:8920
        tls /etc/letsencrypt/live/<my domain>/fullchain.pem /etc/letsencrypt/live/<my domain>/privkey.pem
}

When I run Caddy with this configuration, it receives the hit from my call to my domain (with :8920), but it seems like it doesn't go further (it doesn't seem to hit Jellyfin).

This is the Caddy log (I replaced domain names and IPs with placeholders):
Code:
2024/06/26 07:38:55.951 ERROR http.log.error dial tcp <ip of my jellyfin>:8920: connect: connection refused
{
    "request": {
        "remote_ip": "<internet ip of my home>",
        "remote_port": "47234",
        "proto": "HTTP/2.0",
        "method": "GET",
        "host": "<my domain>:8920",
        "uri": "/",
        "headers": {
            "Accept": [
                "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8"
            ],
            "Accept-Language": [
                "en-GB,en;q=0.9"
            ],
            "Sec-Fetch-Site": [
                "none"
            ],
            "Accept-Encoding": [
                "gzip, deflate, br, zstd"
            ],
            "Sec-Ch-Ua-Mobile": [
                "?0"
            ],
            "Upgrade-Insecure-Requests": [
                "1"
            ],
            "Sec-Ch-Ua": [
                "\"Brave\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\""
            ],
            "Sec-Ch-Ua-Platform": [
                "\"Linux\""
            ],
            "Sec-Gpc": [
                "1"
            ],
            "Sec-Fetch-Mode": [
                "navigate"
            ],
            "Priority": [
                "u=0, i"
            ],
            "User-Agent": [
                "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"
            ],
            "Sec-Fetch-User": [
                "?1"
            ],
            "Sec-Fetch-Dest": [
                "document"
            ]
        },
        "tls": {
            "resumed": false,
            "version": 772,
            "cipher_suite": 4867,
            "proto": "h2",
            "server_name": "<my domain>"
        }
    },
    "duration": 0.004535443,
    "status": 502,
    "err_id": "ds21t4g8t",
    "err_trace": "reverseproxy.statusError (reverseproxy.go:1272)"
}


Can someone help me and point me in a direction or give me advice on what to try next or what to look for? I'm not an expert when it comes to networks and I'm already proud of how far I've gotten on my own, but I feel like I've reached my limits.


RE: SSL + Caddy (reverse proxy) - DingleBob - 2024-06-26

Ahahahaha, I just fixed it, it was so simple!

When using Caddy to handle the SSL, I don't need to add anything SSL related to Jellyfin.

I changed my Caddyfile to point to Jellyfin's HTTP port and it works now! Caddy handles the SSL!

This also makes maintenance easier, as I just have to renew the cert on the Raspberry Pi and not change anything on my NAS.

Fuck yeah!!! 🤘🏾😎
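The working setup this post describes, written out as an added example (not the original poster's Caddyfile): Caddy terminates TLS on :8920 with the Certbot-issued certificate and forwards plain HTTP to Jellyfin on the LAN. Jellyfin's default HTTP port 8096 and the placeholder names are assumptions.

```caddyfile
{
        # Caddy's own listeners on the Raspberry Pi. The FritzBox forwards
        # only :8920 from the internet, so HTTPS is the only exposed entry point.
        http_port 8096
        https_port 8920
}

<my domain>:8920 {
        # TLS is terminated here with the certificate Certbot wrote on the Pi.
        # Jellyfin therefore needs no .p12 and no HTTPS listener of its own,
        # and renewals only ever touch the Pi.
        tls /etc/letsencrypt/live/<my domain>/fullchain.pem /etc/letsencrypt/live/<my domain>/privkey.pem

        # Forward over plain HTTP to Jellyfin's default HTTP port (assumed 8096).
        # Pointing this at :8920 (Jellyfin's HTTPS port) while Jellyfin is not
        # listening there is what produced the "connect: connection refused" 502.
        # The Pi -> NAS hop is unencrypted, which is acceptable only on a
        # trusted LAN segment.
        reverse_proxy <local ip of jellyfin>:8096
}
```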


RE: SSL + Caddy (reverse proxy) - DingleBob - 2024-06-27

I have follow-up questions, maybe someone can help me:
  • What's the best way to prevent my Jellyfin from being indexed? Is a robots.txt good enough? Where would I place it? Near the reverse proxy, or does it have to be placed within my Jellyfin? (If within Jellyfin, how do I do that? Do I actually have to SSH into my NAS and push a file there? I want to avoid 'touching' my Jellyfin as much as I can and handle everything from the admin panel if possible.)
  • Should I change the address from https://<domainname>:<custom port> to just https://<domainname>? Is it somehow less secure? I assume it makes no difference since script kiddies will run scanners anyway. Any downside when using the 443 default port?



RE: SSL + Caddy (reverse proxy) - TheDreadPirate - 2024-06-27

Script kiddies aren't going to spend the time to scan EVERY port. They scan common service ports, scan a couple random ports, then move on. My router logs these blocked accesses so I can confirm this is how they typically behave.

IMO, I'd stick with a custom port (that's what I do).

As for indexing, robots.txt is the usual answer.

https://stackoverflow.com/questions/6502085/whats-the-best-way-to-stop-search-engines-indexing-my-login-pages


RE: SSL + Caddy (reverse proxy) - DingleBob - 2024-06-28

Thanks!!! I just looked into this and it seems that Jellyfin already comes with a working robots.txt: https://github.com/jellyfin/jellyfin-web/blob/master/src/robots.txt
I checked on my domain, adding /robots.txt to the request, and I receive it with the wildcard and disallowing from root.

All good then! 👌🏾

Thanks DreadPirate for your time and help! 🙏🏾