Jellyfin Forum
Caddy, fail2ban, podman


Caddy, fail2ban, podman - 42piper - 2024-12-23

Hi,

So I am trying to set up Jellyfin behind a reverse proxy (Caddy) and protect the login with fail2ban.

Caddy and Jellyfin are running as rootless podman containers in separate pods.

So far, I managed to set up Caddy and access Jellyfin. Great!

Before setting up fail2ban, I tried to log in with wrong credentials: the log shows that, but the IP is set to 10.0.2.100 (not sure what that is, some local address that all my containers have, but NOT the local IP of the machine hosting the containers). I already added 10.0.2.100 and the IP of the machine to the known-proxy list without success.

What am I missing?

Thanks!


RE: Caddy, fail2ban, podman - TheDreadPirate - 2024-12-23

What address is Caddy using for Jellyfin? Is it using the docker IP for Jellyfin? Are you publishing ports for both containers? Or just publishing ports for Caddy?


RE: Caddy, fail2ban, podman - 42piper - 2024-12-23

Jellyfin's HTTP port is mapped to 3000. Caddy exposes 443. Caddy then uses 192.168.50.200:3000 (where the IP is the IP of the machine) to reach Jellyfin.


RE: Caddy, fail2ban, podman - TheDreadPirate - 2024-12-23

Are the pods using host networking or bridge networking? If both are using bridge networking, you can expose port 3000 on the Jellyfin container and use the bridge IP. Then Jellyfin should see the Caddy pod's IP, which is what you'd add to the known proxies field.


RE: Caddy, fail2ban, podman - 42piper - 2024-12-23

Since it's rootless podman, it's basically host-networking (see slirp4netns here https://github.com/containers/podman/blob/main/docs/tutorials/basic_networking.md).

Maybe it was not clear from my post: the reverse_proxy works, I can log in and everything, but for some reason Jellyfin does not detect the correct source IP to write in the logs.


RE: Caddy, fail2ban, podman - TheDreadPirate - 2024-12-23

You can add multiple IPs as proxies, separated with a comma. Add the host IP in addition to, I'm assuming, the Caddy container's IP.


RE: Caddy, fail2ban, podman - 42piper - 2024-12-24

I did that too.

However, I figured out the problem - rootless containers in podman run in the slirp4netns network, and there the source IP is not preserved / passed on.
So I need to change my setup (found some solutions via sockets), back to the drawing board.
Thanks for your help though!
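
The failure mode found in this thread can be checked before fail2ban is enabled. The following is an added example, not part of the original posts: it scans Jellyfin log lines for denied logins and separates addresses that are safe to ban from addresses that belong to the container network or a proxy, where a ban would lock out every user. The log wording and the sample lines are assumptions (constructed here); 10.0.2.0/24 is the default slirp4netns network.

```python
import ipaddress
import re
from collections import Counter

# Assumed wording of Jellyfin's failed-login log entry (not taken from the thread).
DENIED = re.compile(
    r'Authentication request for .* has been denied \(IP: "?([0-9a-fA-F:.]+)"?\)')

# Default slirp4netns network of rootless podman; 10.0.2.100 is the address seen in the thread.
SLIRP_NET = ipaddress.ip_network("10.0.2.0/24")


def failed_logins(lines):
    """Count denied logins per source address, normalising IPv4-mapped IPv6."""
    counts = Counter()
    for line in lines:
        m = DENIED.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed address field, nothing to count
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # ::ffff:10.0.2.100 -> 10.0.2.100
        counts[ip] += 1
    return counts


def audit(lines, known_proxies=()):
    """Split failures into real client addresses and addresses that must not be banned."""
    proxies = {ipaddress.ip_address(p) for p in known_proxies}
    report = {"bannable": {}, "unsafe": {}}
    for ip, n in failed_logins(lines).items():
        masked = ip in SLIRP_NET or ip in proxies or ip.is_loopback
        report["unsafe" if masked else "bannable"][str(ip)] = n
    return report


# Constructed sample log lines for illustration.
SAMPLE_LOG = [
    '[2024-12-23 10:15:01] [ERR] Authentication request for "admin" has been denied (IP: "10.0.2.100").',
    '[2024-12-23 10:15:04] [ERR] Authentication request for "admin" has been denied (IP: "::ffff:10.0.2.100").',
    '[2024-12-23 10:16:10] [ERR] Authentication request for "root" has been denied (IP: "203.0.113.7").',
    '[2024-12-23 10:16:30] [INF] User "admin" logged in.',
    '[2024-12-23 10:17:00] [ERR] Authentication request for "bob" has been denied (IP: "192.168.50.200").',
]

if __name__ == "__main__":
    print(audit(SAMPLE_LOG, known_proxies=["192.168.50.200"]))
```

If every failure lands under `unsafe`, the real client address is not reaching Jellyfin and a fail2ban jail built on this log would ban the proxy path rather than the offending client.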