Jellyfin Forum
difference between nginx and ddns service - Printable Version



difference between nginx and ddns service - Drake97 - 2024-10-29

Hello everyone,

As the title says, I wanted to ask you what is the notable difference between using nginx and a ddns service, beyond perhaps security.
Currently I have a ddns service (NO-IP) which is enabled with the port of jellyfin, and from the outside I can enter as MyDDNS.bla.bla:PORT and everything works flawlessly, but I feel that perhaps, being a very specific service and with my port being "visible", it is not as secure as it seems, or maybe I'm wrong.
What do I gain in general terms if I use nginx instead of my DDNS service? It is worth mentioning that I have a dynamic public ip with my isp and that is the reason why I use a DDNS service.

If nginx is something better, what is the best way to install and configure it? As much as I read the networking section in the documentation, I feel that I do not understand, or I am misunderstanding the details.

Thanks in advance


RE: difference between nginx and ddns service - TheDreadPirate - 2024-10-29

Regardless whether you use Nginx or not, you'd need to use a DDNS service. Nginx is just a proxy or http/s server. The DDNS service is what allows you to use a domain name while having a dynamic IP address. If you were to use Nginx, you'd still need your DDNS service.

As for why we suggest using Nginx, security is one and, related, https is another. Jellyfin's built in http server is not hardened and even if you were to use https directly within Jellyfin, there are attacks against https that weaken encryption that Jellyfin is not built to handle. Additionally, when using plaintext http, your API key is part of the URL that is sent between the client and server. And that API key travels over the Internet unencrypted. Using https would protect your API key since that portion of the URL becomes encrypted.

Which is where Nginx comes in. Nginx is hardened, much more secure by default, and much, much more configurable to enhance security further. There are also a lot of tools to automate the process of getting and renewing certificates for proper https.

Since you are using Ubuntu, just run "sudo apt install nginx" and follow our guide here.

https://jellyfin.org/docs/general/networking/nginx/

And once you have the https config for Jellyfin setup, you can then request certs. Let's Encrypt has an app, Certbot, to automate the request and renewal of your certs.

https://certbot.eff.org/instructions?ws=nginx&os=snap


RE: difference between nginx and ddns service - Drake97 - 2024-10-30

(2024-10-29, 01:12 PM)TheDreadPirate Wrote: Regardless whether you use Nginx or not, you'd need to use a DDNS service.  Nginx is just a proxy or http/s server.  The DDNS service is what allows you to use a domain name while having a dynamic IP address.  If you were to use Nginx, you'd still need your DDNS service.

As for why we suggest using Nginx, security is one and, related, https is another.  Jellyfin's built in http server is not hardened and even if you were to use https directly within Jellyfin, there are attacks against https that weaken encryption that Jellyfin is not built to handle.  Additionally, when using plaintext http, your API key is part of the URL that is sent between the client and server.  And that API key travels over the Internet unencrypted.  Using https would protect your API key since that portion of the URL becomes encrypted.

Which is where Nginx comes in.  Nginx is hardened, much more secure by default, and much, much more configurable to enhance security further.  There are also a lot of tools to automate the process of getting and renewing certificates for proper https.

Since you are using Ubuntu, just run "sudo apt install nginx" and follow our guide here.

https://jellyfin.org/docs/general/networking/nginx/

And once you have the https config for Jellyfin setup, you can then request certs.  Let's Encrypt has an app, Certbot, to automate the request and renewal of your certs.

https://certbot.eff.org/instructions?ws=nginx&os=snap


Sorry, I was doing the configuration of nginx and I have a problem. I have investigated the symlinks but it has not given me any result. Do you know how to solve it?

I have this:

https://imgur.com/a/JguglDc

At the moment I already have ports 8096 and 80 open in my router.

Thanks


RE: difference between nginx and ddns service - Drake97 - 2024-10-30

I gave up, I deleted everything I installed for nginx and certbot because it didn't give me the config, so I resigned myself haha


RE: difference between nginx and ddns service - TheDreadPirate - 2024-10-30

You probably had a self referencing "include" in nginx.conf. If you made any changes to nginx.conf, you shouldn't need to for a basic https setup.


RE: difference between nginx and ddns service - Drake97 - 2024-11-15

(2024-10-30, 12:59 PM)TheDreadPirate Wrote: You probably had a self referencing "include" in nginx.conf.  If you made any changes to nginx.conf, you shouldn't need to for a basic https setup.

Hello, me again

I managed to fix the symlinks config, now they do not give me problems; however, I have another one that I think is easy to solve but I can't find the solution.

I installed nginx, changed the listening port from 80 to 8080 in the default and jellyfin files (port 80 is already used by another service) and renamed the server name to jellyfin.somewords.com:

[Image: J7eK7tY.png]

then, doing the nginx tutorial with certbot and snap, I get to the part where I run

sudo certbot --nginx

and there I get the following error:

[Image: AnlnVTF.png]

Reading and researching on the internet, they said it was because the config was duplicated, so I went to /etc/nginx/nginx.conf and commented out the following lines

[Image: Ktip4cl.png]

and manually created the file options-ssl-nginx.conf with this info

https://github.com/certbot/certbot/blob/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf

and doing all this, I still get this error message:

[Image: 2CmU1s1.png]

and I managed to fix that, now I get this:

[Image: o18kljT.png]

Please help

PS: port 80 is used by pi-hole and lighttpd, my server is my Jellyfin and ad-blocker


RE: difference between nginx and ddns service - TheDreadPirate - 2024-11-15

A couple things. You need SOMETHING listening on port 80 that will respond to the acme challenge so you can acquire certs. It sounds like you might have that covered.

If you have NOT acquired certs already, you will need to comment out all of the letsencrypt lines. Both for the certs and for any SSL/TLS configs, like options-ssl-nginx.conf. Certbot will ADD those lines during the cert request process.


RE: difference between nginx and ddns service - Drake97 - 2024-11-15

(2024-11-15, 02:57 PM)TheDreadPirate Wrote: A couple things.  You need SOMETHING listening on port 80 that will respond to the acme challenge so you can acquire certs.  It sounds like you might have that covered.

If you have NOT acquired certs already, you will need to comment out all of the letsencrypt lines.  Both for the certs and for any SSL/TLS configs, like options-ssl-nginx.conf.  Certbot will ADD those lines during the cert request process.

Inside the file located in /etc/nginx/sites-enabled/jellyfin I commented out the following lines (red circled) and I edited the port and server_name (yellow circled)

[Image: a3eolIJ.png]

My /etc/letsencrypt/options-ssl-nginx.conf looked like this:

[Image: o9ZCoId.png]

and my /etc/nginx/nginx.conf looked like this.

https://pastebin.com/DxAzsvnP

However, when I execute the commands, I get this error:

[Image: Ozg5Fex.png]


It is worth mentioning that inside the letsencrypt folder there is nothing, and I followed the certbot tutorial you gave me.

server@msi-server:~$ cd /etc/letsencrypt/
server@msi-server:/etc/letsencrypt$ tree
.
├── options-ssl-nginx.conf
└── renewal-hooks
    ├── deploy
    ├── post
    └── pre

5 directories, 1 file
server@msi-server:/etc/letsencrypt$


RE: difference between nginx and ddns service - TheDreadPirate - 2024-11-15

It's been a long time since I've done this process. I had to re-read the guides I used. It looks like you CANNOT have any https configs, period.

Remove all https servers, you only need a server config listening on port 80. Run the certbot setup and it will acquire the certificates. THEN you setup your https configs.

https://www.f5.com/company/blog/nginx/using-free-ssltls-certificates-from-lets-encrypt-with-nginx
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-22-04
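
Added example (not part of the thread, and not Jellyfin or Certbot code): a pre-flight check that applies the advice in the two replies above by listing every active https listener and every line that points into /etc/letsencrypt/, so they can be removed or commented out before the first `sudo certbot --nginx` run. The function name `preflight`, the host name `jellyfin.example.org` and the sample config are constructed for illustration; the on-disk set mirrors the `tree` listing posted earlier in the thread.

```python
import re

LE_DIR = "/etc/letsencrypt/"

# Constructed sample site file: an https server added before any cert exists.
SAMPLE = """\
server {
    listen 80;
    server_name jellyfin.example.org;
    location / { proxy_pass http://127.0.0.1:8096; }
}
server {
    listen 443 ssl;
    server_name jellyfin.example.org;
    ssl_certificate /etc/letsencrypt/live/jellyfin.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/jellyfin.example.org/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    location / { proxy_pass http://127.0.0.1:8096; }
}
"""

# Mirrors the tree output in the thread: only the hand-made options file exists.
ON_DISK = {"/etc/letsencrypt/options-ssl-nginx.conf"}

def preflight(config_text, exists):
    """Return (line_no, kind, statement) for lines to remove before the first cert request."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        active = raw.split("#", 1)[0]              # ignore commented-out text
        for stmt in re.split(r"[;{}]", active):    # handle one-line blocks too
            words = stmt.split()
            if not words:
                continue
            directive, args = words[0], words[1:]
            if directive == "listen" and (
                "ssl" in args or any(re.fullmatch(r"(.*:)?443", a) for a in args)
            ):
                findings.append((no, "https-listener", stmt.strip()))
            for arg in args:
                path = arg.strip("\"'")
                if path.startswith(LE_DIR):
                    state = "present" if exists(path) else "missing"
                    findings.append((no, "letsencrypt-" + state, stmt.strip()))
    return findings

if __name__ == "__main__":
    for finding in preflight(SAMPLE, ON_DISK.__contains__):
        print(finding)
```

An empty result means the file holds only the plain port 80 server the reply describes; on a real host, pass `os.path.exists` as `exists` and the contents of the site file as `config_text`.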


RE: difference between nginx and ddns service - Drake97 - 2024-11-16

(2024-11-15, 09:57 PM)TheDreadPirate Wrote: It's been a long time since I've done this process.  I had to re-read the guides I used.  It looks like you CANNOT have any https configs, period.

Remove all https servers, you only need a server config listening on port 80.  Run the certbot setup and it will acquire the certificates.  THEN you setup your https configs.

https://www.f5.com/company/blog/nginx/using-free-ssltls-certificates-from-lets-encrypt-with-nginx
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-22-04

I managed to make it work. I had to change the port used by pihole and leave port 80 for all the nginx config; besides, I had to acquire a ddns to put in my domain.
I did the steps, I downloaded a certificate, and the file /etc/nginx/sites-enabled/jellyfin was left with the new certbot config. However, when I put my ddns.net:8096 it does not redirect me to jellyfin with HTTPS, but when I put ddns.net:80 it redirects me to the nginx home with HTTPS; in jellyfin it stays as HTTP.

Do I have to do one more configuration? In my router I have open TCP ports 80 and 443, and 8096 in TCP/UDP.
In the jellyfin configuration, should I enable something else?

thanks in advance