2024-01-18, 05:57 PM
(This post was last modified: 2024-01-19, 02:45 AM by SKECHER9. Edited 1 time in total.)
Ok got it, thanks TheDreadPirate. Was racking my brain on understanding this process, and was having trouble with the HAproxy setup. Got set up to enforce "modern" only TLS v1.3 and AEAD ciphers.
Since I found a solution to the setup I was struggling with for pfSense router ACME and HAProxy forwarding to my Jellyfin server, here is what walked me through.
This guide from Lawrence Systems on YouTube does a good job at explaining the setup. https://youtu.be/bU85dgHSb2E?si=J8C1Zo3N4RawYW1z
In their example though, they don't connect to the outside internet (he gives a simple explanation on what to switch to do so) and they use the self-signed cert to encrypt the back end for TrueNAS. I think it should be simple enough to set a self-signed cert for the back end with JF even if it's unnecessary.
Edit: After some testing with help from a friend, an important setting to check to enable logging for Fail2ban on Jellyfin's side is "forwardfor" under pfSense's HAProxy Frontend rules. In whatever front end rule is listening outward, under "Advanced settings", the "forwardfor" option creates an HTTP "X-Forwarded-For" header which contains the client's IP address. This is useful to let the final web server know what the client address was (e.g. for statistics on domains).
--For others who may come back to read this setup, a plain English explanation: "forwardfor" lets the Jellyfin server on the backend know the external client's IP address. If "forwardfor" is not enabled, all external traffic will appear to your Jellyfin server as if the client traffic is coming from your router. So then the Jellyfin logs, and therefore the Fail2ban logs, would read (assuming you followed the setup on the Jellyfin docs) that your router failed access and may be blocked.
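An added example in Python (not from the post, nor Jellyfin's or HAProxy's own code) that models the point made above: without "forwardfor" the backend only ever sees the proxy's address, so that is what lands in the log and what a Fail2ban filter extracts, and the X-Forwarded-For header should only be honoured when it arrives from the proxy itself. The addresses, the log line shape and the filter regex are constructed assumptions modelled on the Jellyfin docs' Fail2ban filter.

```python
import ipaddress
import re
from typing import Optional

# Constructed addresses (assumptions): the pfSense/HAProxy box and an external client.
PROXY_IP = "192.168.1.1"
CLIENT_IP = "203.0.113.45"

# Pattern modelled on the Jellyfin docs fail2ban filter (assumption, not from the post);
# fail2ban's <ADDR> token is replaced by a named group so the script runs on its own.
FAILREGEX = re.compile(
    r'Authentication request for .* has been denied \(IP: "?(?P<addr>[0-9a-fA-F:.]+)"?\)\.'
)

def client_ip(remote_addr: str, xff: Optional[str], trusted_proxies: set[str]) -> str:
    """Address the backend should log as the client.

    Honour X-Forwarded-For only when the TCP peer is a trusted proxy, so an
    untrusted peer cannot choose what ends up in the logs. The header may carry
    a chain (client, proxy1, ...); walk it from the right past trusted proxies.
    """
    if remote_addr not in trusted_proxies or not xff:
        return remote_addr
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr          # malformed header: fall back to the peer address
        if hop not in trusted_proxies:
            return hop
    return remote_addr

def jellyfin_denied_line(user: str, ip: str) -> str:
    """Constructed log line in the shape of Jellyfin's failed-authentication message."""
    return f'[WRN] Authentication request for "{user}" has been denied (IP: {ip}).'

def banned_address(log_line: str) -> Optional[str]:
    """The address a Fail2ban jail using FAILREGEX would ban for this line."""
    m = FAILREGEX.search(log_line)
    return m.group("addr") if m else None

def simulate(forwardfor_enabled: bool) -> Optional[str]:
    """One failed login through HAProxy; return the address Fail2ban would act on."""
    xff = CLIENT_IP if forwardfor_enabled else None   # HAProxy adds XFF only with forwardfor
    seen = client_ip(PROXY_IP, xff, {PROXY_IP})
    return banned_address(jellyfin_denied_line("alice", seen))

if __name__ == "__main__":
    print("forwardfor off ->", simulate(False))   # router's address would be banned
    print("forwardfor on  ->", simulate(True))    # real client address
```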