2024-06-26, 09:54 AM
(This post was last modified: 2024-06-26, 11:43 AM by DingleBob. Edited 2 times in total.)
Hey everyone,
Jellyfin itself works and I have been using it from outside through wireguard VPN and it works great. I want to improve accessibility for friends, so I decided I will give port forwarding a try.
This is my setup right now:
Domain (cname) > dynamic DNS (duckdns.org) > my local network which does port forwarding (fritzbox) > caddy (as suggested in jellyfin docs) as reverse proxy (on a raspberry pi) > jellyfin (running on trueNAS)
Since port forwarding poses risks, I definitely don't want to do it without SSL. So I ran certbot (Let's Encrypt) on my raspberry pi. Certbot requires ports 80 (http) and port 443 (https) in order to do its job and provide the certificates. For that purpose, I set temporary port forwarding for 80 & 443 from my fritzbox to my raspberry pi. This worked and I was able to create the certs.
After I obtained the certs, I created the .p12 file. Then I created a new dataset on my trueNAS which only contains the SSL cert. I created a mountpoint for the jellyfin jail and then set up HTTPS in the jellyfin dashboard -> network settings (using jellyfin's default https port: 8920). I also set the path to the .p12 file and entered the cert password that I had set up when I generated the .p12 file.
So far so good, I managed to do all the steps that I had planned.
My port forwarding is set up in this way: I call my domain with ":8920" ending -> this goes to the fritzbox. fritzbox has forwarding for :8920 -> caddy. caddy does reverse proxy -> jellyfin:8920
This is what my Caddyfile looks like (replaced domain and ips with placeholders):
Code:
{
    http_port 8096
    https_port 8920
}

<my domain>:8920 {
    reverse_proxy <local ip of jellyfin>:8920
    tls /etc/letsencrypt/live/<my domain>/fullchain.pem /etc/letsencrypt/live/<my domain>/privkey.pem
}
When I run caddy with this configuration, it receives the hit from my call to my domain (with :8920) but it seems like it doesn't go further (doesn't hit jellyfin it seems).
This is the caddy log (I replaced domain names and ips with placeholders):
Code:
2024/06/26 07:38:55.951 ERROR http.log.error dial tcp <ip of my jellyfin>:8920: connect: connection refused
{
  "request": {
    "remote_ip": "<internet ip of my home>",
    "remote_port": "47234",
    "proto": "HTTP/2.0",
    "method": "GET",
    "host": "<my domain>:8920",
    "uri": "/",
    "headers": {
      "Accept": [
        "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8"
      ],
      "Accept-Language": [
        "en-GB,en;q=0.9"
      ],
      "Sec-Fetch-Site": [
        "none"
      ],
      "Accept-Encoding": [
        "gzip, deflate, br, zstd"
      ],
      "Sec-Ch-Ua-Mobile": [
        "?0"
      ],
      "Upgrade-Insecure-Requests": [
        "1"
      ],
      "Sec-Ch-Ua": [
        "\"Brave\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\""
      ],
      "Sec-Ch-Ua-Platform": [
        "\"Linux\""
      ],
      "Sec-Gpc": [
        "1"
      ],
      "Sec-Fetch-Mode": [
        "navigate"
      ],
      "Priority": [
        "u=0, i"
      ],
      "User-Agent": [
        "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"
      ],
      "Sec-Fetch-User": [
        "?1"
      ],
      "Sec-Fetch-Dest": [
        "document"
      ]
    },
    "tls": {
      "resumed": false,
      "version": 772,
      "cipher_suite": 4867,
      "proto": "h2",
      "server_name": "<my domain>"
    }
  },
  "duration": 0.004535443,
  "status": 502,
  "err_id": "ds21t4g8t",
  "err_trace": "reverseproxy.statusError (reverseproxy.go:1272)"
}
Can someone help me and point me in a direction or give me advice on what to try next or what to look for? I'm not an expert when it comes to networks and I'm already proud of how far I've gotten on my own, but I feel like I've reached my limits.
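Added example, not part of the original post: the logged `dial tcp ...: connect: connection refused` means nothing accepted a TCP connection on that address and port. Run from the Caddy host, this Python sketch classifies a candidate upstream port as refused, filtered, plain HTTP or TLS. The names `probe` and `upstream_hint` are chosen here, and `192.0.2.10` is a placeholder for the Jellyfin IP.

```python
import socket
import ssl

def probe(host, port, timeout=3.0):
    """Return 'refused', 'timeout', 'unreachable', 'tls' or 'plain' for host:port."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        # Same condition Caddy logged: the host answered, but no process
        # is listening on this port (or a firewall sent a TCP reset).
        return "refused"
    except socket.timeout:
        return "timeout"          # packets silently dropped on the way
    except OSError:
        return "unreachable"      # no route, bad address, etc.
    # The port is open. Attempt a TLS handshake only to learn the protocol;
    # certificate checks are off because no data is sent over this socket.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock):
            return "tls"
    except (ssl.SSLError, OSError):
        return "plain"
    finally:
        sock.close()

def upstream_hint(host, port, state):
    """Map a probe result to the matching Caddy reverse_proxy upstream form."""
    if state == "plain":
        return f"reverse_proxy {host}:{port}"
    if state == "tls":
        return f"reverse_proxy https://{host}:{port}"
    return f"no usable listener on {host}:{port} ({state})"

if __name__ == "__main__":
    # 192.0.2.10 is a documentation placeholder for the Jellyfin jail's IP.
    # 8096 is Jellyfin's default HTTP port; 8920 is the HTTPS port from the post.
    for p in (8096, 8920):
        s = probe("192.0.2.10", p)
        print(p, s, "->", upstream_hint("192.0.2.10", p, s))
```

When the result is `tls`, Caddy also verifies the upstream certificate, so the name on that certificate has to match how the upstream is addressed.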