pfsense + HAProxy setup for JellyFin

[joshuaboniface]

What exactly isn't working about it?

I'm not super familiar with pfSense's GUI wrapper on top of HAProxy, but I have had this working in the past. Here was my backend section:

Code:

backend jfX_http
    mode http
    balance leastconn
    cookie SERVERID insert indirect nocache
    stick store-request src
    stick-table type ip size 200k expire 30m peers keepalived-pair
    option httpchk GET /health HTTP/1.1\r\nHost:\ jellyfin
    option forwardfor
    timeout queue 5000
    timeout server 32000000
    timeout connect 5000
    acl no_BAD path_reg -i ^\/Images\/Remote
    acl no_BAD path_reg -i ^\/Items\/RemoteSearch\/Image
    acl no_BAD path_reg -i ^\/Items\/[^\.]*\/RemoteImages\/Download
    http-request redirect location https://i.ytimg.com/vi/avCWDDox1nE/maxresdefault.jpg if no_BAD
    http-response set-header X-Frame-Options SAMEORIGIN
    http-response set-header X-XSS-Protection "1;mode=block"
    http-response set-header Referrer-Policy "no-referrer,same-origin,strict-origin,strict-origin-when-cross-origin"
    http-response set-header X-Content-Type-Options nosniff
    http-response set-header Strict-Transport-Security max-age=31536000;includeSubDomains;preload
    http-response set-header Content-Security-Policy  "default-src 'none'; font-src 'self'; connect-src 'self' wss: ws: https://mb3admin.com; media-src 'self' blob: data:; manifest-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; worker-src 'self' blob:; script-src 'unsafe-inline' 'self' https://www.gstatic.com; img-src data: https: http: ; style-src 'unsafe-inline' 'self'"
    server jf1 192.168.0.100:8096/ check inter 5000 cookie jf1

That said, I moved to NGiNX for Jellyfin and avoid sending it through my load balancer at this point; I'd recommend the same as it makes the TLS stuff easier and such.