Jellyfin Forum
Nginx Proxy Manager Settings for Jellyfin - Printable Version




Nginx Proxy Manager Settings for Jellyfin - jennystreaming - 2024-08-22

Dear Jellyfiners,

I’m currently using Jellyfin within an LXC container and managing the access towards it via Nginx Proxy Manager. To ensure optimal performance, security, and functionality, I’m seeking your experiences rather than a detailed and definitive guide on configuring Nginx Proxy Manager for Jellyfin.

Could we share our configurations, experiences and ideas in order to help each other improve?

Thank you!


RE: Nginx Proxy Manager Settings for Jellyfin - TheDreadPirate - 2024-08-22

I wrote a guide for improving the security of plain Nginx, but its settings should still work with Nginx Proxy Manager.

https://forum.jellyfin.org/t-apache-nginx-disable-weak-tls-ciphers

Below is a modified list from my guide. I looked at the defaults in Nginx Proxy Manager and the options below are either not defined or the defaults are not as secure. In the Nginx Proxy Manager git, "ssl_prefer_server_ciphers" is defined twice in two different configs, one on and one off, so I'm not sure which is actually used. But including it in your Nginx Proxy Manager config should override whatever default is actually applied.

In the Advanced tab of Nginx Proxy Manager, copy and paste the lines below.

Code:
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;
ssl_session_tickets off;

I only use Nginx Proxy Manager on one of my test setups so I've never actually tried adding these settings. So let me know if these work or if it breaks it.


RE: Nginx Proxy Manager Settings for Jellyfin - keklol - 2024-08-23

Here is mine:

### TWEAKS AND STUFF
proxy_buffering off;
proxy_hide_header X-Powered-By; ## Hides nginx server version from bad guys.
proxy_set_header Range $http_range; ## Allows specific chunks of a file to be requested.
proxy_set_header If-Range $http_if_range; ## Allows specific chunks of a file to be requested.
proxy_set_header X-Real-IP $remote_addr; ## Passes the real client IP to the backend server.
#proxy_set_header X-Real-IP $http_CF_Connecting_IP; ## if you use cloudflare un-comment this line and comment out above line.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; ## Adds forwarded IP to the list of IPs that were forwarded to the backend server.

## ADDITIONAL SECURITY-SETTINGS ##
## Optional settings to improve security ##
## add these after you have completed your testing and ssl setup ##
## NOTICE: For the Strict-Transport-Security setting below, I would recommend ramping up to this value ##
## See https://hstspreload.org/ read through the "Deployment Recommendations" section first! ##
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header Strict-Transport-Security "max-age=15552000; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;

## WEBSOCKET-SETTINGS ##
## Used to pass two way real time info to and from jf and the client.
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;


RE: Nginx Proxy Manager Settings for Jellyfin - keklol - 2024-08-23

Adding this as well since I know lots of people have issues with that:

Syncplay not working behind nginx reverse proxy
https://www.reddit.com/r/jellyfin/comments/iuz92t/syncplay_not_working_behind_nginx_reverse_proxy/


RE: Nginx Proxy Manager Settings for Jellyfin - TheDreadPirate - 2024-08-23

(2024-08-23, 07:47 PM)keklol Wrote: add_header X-XSS-Protection "1; mode=block" always;

Enabling this header is no longer needed, and it is actually problematic as it creates attack vectors.

From our docs, there is this comment.

Code:
add_header X-XSS-Protection "0"; # Do NOT enable. This is obsolete/dangerous

Echoed by Mozilla and others.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
https://support.okta.com/help/s/article/regarding-vulnerabilities-used-in-absence-of-x-xss-protection?language=en_US

This header can help very old browsers be more secure, but other security settings, including the ones in your post, are not compatible with those old browsers and operating systems that would benefit from enabling X-XSS-Protection. An example is the use of TLS 1.2 and 1.3 exclusively, the default for Nginx Proxy Manager.

(2024-08-23, 07:54 PM)keklol Wrote: Adding this as well since I know lots of people have issues with that:

Syncplay not working behind nginx reverse proxy
https://www.reddit.com/r/jellyfin/comments/iuz92t/syncplay_not_working_behind_nginx_reverse_proxy/

Simply flipping on "Websocket support" is enough to cover Jellyfin's use of websockets, since we're talking about Nginx Proxy Manager and not plain Nginx.


RE: Nginx Proxy Manager Settings for Jellyfin - presentabsence - 2024-08-25

From a pure functionality standpoint you don't need any advanced configs, just enable websocket support in the proxy config on NPM to make sure things like syncplay work. Nothing special.

As far as security goes, some of the advanced configs already shared are good ideas.


RE: Nginx Proxy Manager Settings for Jellyfin - dthree - 2024-10-17

Found this thread while searching and have a related question.

I followed the documentation to set up Nginx Proxy Manager for JF. When it came to the optional but recommended security settings to enter in Custom Nginx Config, I added this but noticed that there was a note under the config entry box on the advanced tab:
Quote: Please note, that any add_header or set_header directives added here will not be used by nginx. You will have to add a custom location '/' and add the header in the custom config there.
I didn't use the "Custom Location" to set up the proxy host, does that mean that most of what I've entered in the custom config of the advanced tab is inactive?


RE: Nginx Proxy Manager Settings for Jellyfin - TheDreadPirate - 2024-10-17

Quite possible. I will research this and update the documentation where needed. I only use Nginx Proxy Manager for testing so I may have missed that bit.
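
Whether the add_header lines from this thread are actually active can be checked from the client side by auditing the response headers the proxy returns. The script below is an added example, not part of any post in this thread or of the Jellyfin documentation; `parse_headers`, `audit` and `SAMPLE_RESPONSE` are hypothetical names, and the sample is a constructed header block in the form printed by `curl -sI`.

```python
import re

# Constructed sample: response headers as printed by `curl -sI`.
# It mirrors the add_header lines posted in this thread, minus X-Frame-Options.
SAMPLE_RESPONSE = """\
HTTP/2 200
content-type: text/html
referrer-policy: origin-when-cross-origin
strict-transport-security: max-age=15552000; preload
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
"""

def parse_headers(raw):
    """Return {lowercased-name: [values]} from a raw response header block."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return a sorted list of findings for the headers discussed in the thread."""
    h = parse_headers(raw)
    findings = []
    for name in ("referrer-policy", "x-frame-options", "x-content-type-options"):
        if name not in h:
            findings.append(f"missing: {name}")
    hsts = h.get("strict-transport-security")
    if not hsts:
        findings.append("missing: strict-transport-security")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.I)
        if not m or int(m.group(1)) == 0:
            findings.append("hsts: max-age absent or zero")
    # Any value other than "0" switches the legacy XSS auditor on.
    if any(v.split(";")[0].strip() != "0" for v in h.get("x-xss-protection", [])):
        findings.append("x-xss-protection: enabled, should be 0 or absent")
    # A header sent twice means it is added in more than one place,
    # for example by the backend and again by the proxy.
    findings += [f"duplicate: {n}" for n, v in h.items() if len(v) > 1]
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE):
        print(finding)
```

If every header comes back as missing, the directives entered in the Advanced tab are not being applied to responses.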