2023-12-02, 05:57 PM
The essence of the problem: I have a nas UNRAID installation, Jellyfin and Nginx Proxy Manager containers are installed. Nas is connected to the router, the provider gives me a fixed external IP, my domain is linked to it. Ports 80 and 443 were forwarded to NPM on router, a subdomain was configured to access jellyfin from the Internet, in the jf configuration I specified my domain and server ip as a reverse proxy ip (NPM works on it, right?..). I didn’t do in NPM initially no special settings - just added the internal ip and http port jellyfin. But with this setup, I received constant errors when watching together with friends or connecting to the server remotely.
At the same time, other programs on the server worked without problems through NPM - access was available both from within the home network and from an external one. NO PROBLEM.
In search of a solution to the problem, I found official instructions for setting up the nginx config. I tried to implement it through the NPM web interface, but nothing worked. Next, I found the configuration file created by NPM and edited it manually (I checked - this also works, the config does not change, and is read by NPM correctly), adding 3 location sections according to the instructions, plus the specified add_header.
And this is where the problems begin. At random times, pictures simply disappear via links from third-party domains (a form for searching and replacing images for a film). The chrome developer tools indicate that the "Cross-Origin-Resource-Policy" setting is incorrect. Setting this header to "cross-origin" does not solve the problem. Complete removal from the configuration of any mention of Cross-Origin-Resource-Policy and related ones does not solve the problem. Restarting the browser helps, about once in 3 times.
The problem only occurs when connecting from within the local network, and only to the assigned domain. Yes, in theory I can enter http://ip:port when I'm at home... But we assign beautiful domain names just so as not to do this, isn't it?
My nginx config:
I'm already going crazy, I tried everything possible in all possible options, I tried to add different headers according to the recommendations from the chrome developer tool, I tried to add external image domains to the trusted ones above... It doesn't help. Only sometimes the situation became even worse - playback stopped working when subtitles were turned on, for example. Or syncplay starts disconnecting every 10 minutes...
At the same time, other programs on the server worked without problems through NPM - access was available both from within the home network and from an external one. NO PROBLEM.
In search of a solution to the problem, I found official instructions for setting up the nginx config. I tried to implement it through the NPM web interface, but nothing worked. Next, I found the configuration file created by NPM and edited it manually (I checked - this also works, the config does not change, and is read by NPM correctly), adding 3 location sections according to the instructions, plus the specified add_header.
And this is where the problems begin. At random times, pictures simply disappear via links from third-party domains (a form for searching and replacing images for a film). The chrome developer tools indicate that the "Cross-Origin-Resource-Policy" setting is incorrect. Setting this header to "cross-origin" does not solve the problem. Complete removal from the configuration of any mention of Cross-Origin-Resource-Policy and related ones does not solve the problem. Restarting the browser helps, about once in 3 times.
The problem only occurs when connecting from within the local network, and only to the assigned domain. Yes, in theory I can enter http://ip:port when I'm at home... But we assign beautiful domain names just so as not to do this, isn't it?
My nginx config:
Code:
server {
set $forward_scheme http;
set $server "192.168.20.70";
set $port 8096;
listen 8080;
listen [::]:8080;
listen 4443 ssl http2;
listen [::]:4443 ssl http2;
server_name SUB.MY.DOMAIN;
# Let's Encrypt SSL
include conf.d/include/letsencrypt-acme-challenge.conf;
include conf.d/include/ssl-ciphers.conf;
ssl_certificate /etc/letsencrypt/live/npm-6/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/npm-6/privkey.pem;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
# COOP/COEP. Disable if you use external plugins/images/assets
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Cross-Origin-Embedder-Policy "require-corp" always;
add_header Cross-Origin-Resource-Policy "cross-origin" always;
# Permissions policy. May cause issues on some clients
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
# Tell browsers to use per-origin process isolation
add_header Origin-Agent-Cluster "?1" always;
# Content Security Policy
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
# NOTE: The default CSP headers may cause issues with the webOS app
add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
# Force SSL
include conf.d/include/force-ssl.conf;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_http_version 1.1;
access_log /config/log/proxy-host-4_access.log proxy;
error_log /config/log/proxy-host-4_error.log warn;
client_max_body_size 20M;
location = / {
return 302 http://$host/web/;
return 302 https://$host/web/;
}
location / {
# Proxy main Jellyfin traffic
proxy_pass http://$server:8096;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
proxy_set_header Accept-Encoding "";
sub_filter '</body>' '<script plugin="Jellyscrub" version="1.0.0.0" src="/Trickplay/ClientScript"></script> </body>';
sub_filter_once on;
}
# location block for /web - This is purely for aesthetics so /web/#!/ works instead of having to go to /web/index.html/#!/
location = /web/ {
# Proxy main Jellyfin traffic
proxy_pass http://$server:8096/web/index.html;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header Accept-Encoding "";
sub_filter '</body>' '<script plugin="Jellyscrub" version="1.0.0.0" src="/Trickplay/ClientScript"></script> </body>';
sub_filter_once on;
}
location /socket {
# Proxy Jellyfin Websockets traffic
proxy_pass http://$server:8096;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
}
# Custom
include /data/nginx/custom/server_proxy[.]conf;
}I'm already going crazy, I tried everything possible in all possible options, I tried to add different headers according to the recommendations from the chrome developer tool, I tried to add external image domains to the trusted ones above... It doesn't help. Only sometimes the situation became even worse - playback stopped working when subtitles were turned on, for example. Or syncplay starts disconnecting every 10 minutes...