![]() |
HAproxy on PFsense (websocket working) Updated Dec24 - Printable Version +- Jellyfin Forum (https://forum.jellyfin.org) +-- Forum: Support (https://forum.jellyfin.org/f-support) +--- Forum: Guides, Walkthroughs & Tutorials (https://forum.jellyfin.org/f-guides-walkthroughs-tutorials) +--- Thread: HAproxy on PFsense (websocket working) Updated Dec24 (/t-haproxy-on-pfsense-websocket-working-updated-dec24) Pages:
1
2
|
HAproxy on PFsense (websocket working) Updated Dec24 - gaming09 - 2024-12-01 **This is an update to my original step by step, which is no longer valid on the last few versions of haproxy/pfsense ****Basic config and setup for HAproxy on Pfsense I suggest to follow Tom Lawrence's YT video here. The base config from that video will need to be in place before adding/editing my step by step Overview Text Only: Code: **Summary of HAProxy Configuration for WebSocket Support on pfSense (Obfuscated Version)** Examples and screenshots (screenshot is below example): Settings Tab: General Settings: Max Connections 10000 ![]() Logging: /var/run/log local0 Debugging ![]() Backend Tab: Edit HAPRroxy Backend server pool: Create your Backend Name Jellyfin Server: can be anything but needs to be consistent mine is 'jf' (lowercase) | include your address and port (default 8096) | No SSL | No SSL checks Timeout / retry settings: Connection timeout 60000 Server timeout 3600000 Retries 5000 ![]() Advanced Settings: Backend pass thru (change 192.168.x.x to your JF IP) Code: http-request set-header X-Forwarded-Port %[dst_port] ![]() Frontend Tab: Edit HAProxy Frontend:Your listening address (should be wan or whatever gw you're using)Port 443 with SSL offloading checked ![]() Access Control lists: (Order Matters) Have these entries first hdr_connection_upgrade | Custom acl: | hdr(Connection) -i upgrade hdr_upgrade_websocket | Custom acl: | hdr(Upgrade) -i websocket Then your host matches second name jf (or whatever the backend server name was (not the list name) ) jf | host matches | jf.yourdomain.com ![]() Actions: (Order Matters) http-request header set | { req.hdr(Upgrade) -i websocket }
![]() Advanced Settings: Client timeout: 7200000 Advanced pass thru: Code: http-request set-header X-Forwarded-Port %[dst_port] ![]() Helpful additions internal DNS settings/config: This is assuming your using your pfsense for local DNS Code: Just an FYI if you have a TV or something static(non mobile) I wouldn't use the host name just use the IP. This routes the traffic through the pfsense box to your device instead of Server -> Device it becomes Server ->pfsense -> device If you're using your hostname (jf.yourdomain.com) internally (you need to add your LAN address to your front end or have a separate fronted just for internal) Frontend: ![]() Go To Services>DNS Resolver: ![]() Go to the bottom of the page to "Host Overides" and click "Add" and fill in the following https://i.imgur.com/Gf2YZWh.png https://i.imgur.com/pQfevpI.png click save add another entry for your jellyfin for JF.YOURDOMAIN.com you would put it like this: https://i.imgur.com/Vk99iY9.png RE: HAproxy on PFsense (websocket working) Updated Dec24 - jaillybelly - 2024-12-11 Thanks for another fantastic guide gaming09! A question I have is: what HAproxy version is this guide appropriate for, and what versions was the previous guide made for? I noticed in your screenshots that you appear to be on HAproxy-devel and not stable HAproxy. The reason I ask is that I have been encountering various websocket errors in the logs that seem to coincide with playback stuttering. I realized I may be using the wrong guide for my HAproxy version but I don't know which one to use. Thanks again for the incredibly detailed guide. RE: HAproxy on PFsense (websocket working) Updated Dec24 - gaming09 - 2024-12-11 (2024-12-11, 05:05 AM)jaillybelly Wrote: Thanks for another fantastic guide gaming09! A question I have is: what HAproxy version is this guide appropriate for, and what versions was the previous guide made for? I noticed in your screenshots that you appear to be on HAproxy-devel and not stable HAproxy. The reason I ask is that I have been encountering various websocket errors in the logs that seem to coincide with playback stuttering. I realized I may be using the wrong guide for my HAproxy version but I don't know which one to use. Hey, Im running 2.9.10, dlevel is haproxy-devel-2.9.d11 but this guide should work on both since they were merged a version or two back. What errors have you been getting. RE: HAproxy on PFsense (websocket working) Updated Dec24 - jaillybelly - 2024-12-14 Great, thanks for filing that in gaming09. I've narrowed down the issue actually to a bug in the interaction between jellyfin and wireguard tunnels. Discussion is here: https://forum.jellyfin.org/t-websockets-dying-and-freezing-playback RE: HAproxy on PFsense (websocket working) Updated Dec24 - shm0 - 2025-01-18 Hi! Thank you for this guide. I have some questions! Doesn't http-response set-header Connection "keep-alive" override http-request set-header Connection "upgrade" if { req.hdr(Upgrade) -i WebSocket } ? I tried to add some conditional checks (if !{ req.hdr(Upgrade) -i WebSocket }) to the set keep-alive rule but it still breaks websockets on some Smart TV apps. And X-Frame-Options "SAMEORIGIN" breaks the LG WebOS App (Black screen after login). And these acls: jf hdr_connection_upgrade hdr_upgrade_websocket or jf -> will always evaluate to jf emby hdr_connection_upgrade hdr_upgrade_websocket or emby -> will always evaluate to emby making hdr_connection_upgrade hdr_upgrade_websocket obsolete. I'm not sure if it is actually needed to set: option http-server-close option forwardfor and some other options, in both the fronted and backend. Is it actually a good idea to enable http-server-close for non websocket traffic? The timeouts also seem quite high? //edit http-server-close actually seems to break websockets for me... The only relevant timeout for websockets seems to be the tunnel one. RE: HAproxy on PFsense (websocket working) Updated Dec24 - dreunion61 - 2025-02-15 I don't get it, why is the old tutorial not valid anymore? I'm running the server with your old tutorial since November. Jellyfin 10.10.5 pfSense Plus 24.11 Not once I had a problem. RE: HAproxy on PFsense (websocket working) Updated Dec24 - ianmcleish - 2025-08-15 This is an excellent help - I had no idea getting Jellyfin to work behind a roxy would be so complicated! However, I have checked and rechecked this guide and my settings three times now and keep getting this error... Errors found while starting haproxy [NOTICE] (98607) : haproxy version is 2.9.14-7c591d5 [NOTICE] (98607) : path to executable is /usr/local/sbin/haproxy [ALERT] (98607) : config : parsing [/var/etc/haproxy_test/haproxy.cfg:77] : error detected in frontend 'https_shared-merged' while parsing 'http-after-response set-header' rule : sample fetch <req.hdr(Upgrade)]> may not be reliably used here because it needs 'HTTP request headers' which is not available here. [ALERT] (98607) : config : Error(s) found in configuration file : /var/etc/haproxy_test/haproxy.cfg I set up following Lawrence's guide and thus far did get immich to work through the proxy, though that was the only one so far.... Would anyone have any suggestions please. Running on PfSense CE 2.8.0 RELEASE. Thanks in anticipation! RE: HAproxy on PFsense (websocket working) Updated Dec24 - gaming09 - 2025-08-15 (2025-08-15, 11:57 AM)ianmcleish Wrote: This is an excellent help - I had no idea getting Jellyfin to work behind a roxy would be so complicated! try this instead HAProxy > Frontends > Edit the relevant frontend > Advanced settings > Frontend pass thru field. http-request set-var txn.upgrade req.hdr(Upgrade) http-after-response set-header Upgrade %[var(txn.upgrade)] RE: HAproxy on PFsense (websocket working) Updated Dec24 - ianmcleish - 2025-08-16 Many thanks for the reply. I stripped all of the work out of the front end, to get back to before I started this guide. Somehow, Jellyfin is working now, but only remotely or over a VPN. Locally fails.. not that that is a big issue, I dont need to remote access at home! I will go through the guide and try again over the next couple of days using those suggestions, I just added those as instructed, but that caused an error, no doubt cos I stripped everything else out. I'll try this and report back. Ian RE: HAproxy on PFsense (websocket working) Updated Dec24 - citruspickles - 2025-08-17 (2025-08-16, 02:12 PM)ianmcleish Wrote: Many thanks for the reply. I stripped all of the work out of the front end, to get back to before I started this guide. Somehow, Jellyfin is working now, but only remotely or over a VPN. Locally fails.. not that that is a big issue, I dont need to remote access at home! You might need to add a LAN entry matching the WAN entry in the front end. |