2024-03-26, 06:58 PM
For reference, the Android app is blocked from connecting when the proxy adds a Content-Security-Policy header that blocks outside sources, which are used by skins, for example. This was the case here, as I used the Ultrachromic skin via Skin Manager.
The following virtual host is working as expected, and honoring most best practices from pentest-tools.com:
Code:
<VirtualHost *:443>
    ServerName domain.tld
    DocumentRoot "${SRVROOT}/htdocs/jellyfin"
    ErrorLog "${SRVROOT}/logs/jellyfin_error.log"
    CustomLog "${SRVROOT}/logs/jellyfin_access.log" combined

    ProxyPreserveHost On
    # Serve /.well-known/ (ACME, security.txt) from Apache instead of proxying it
    ProxyPass "/.well-known/" "!"
    # Tell Jellyfin that the requests arrived over TLS
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"
    # WebSocket endpoint must be proxied with ws:// before the catch-all below
    ProxyPass "/socket" "ws://localhost:8096/socket"
    ProxyPassReverse "/socket" "ws://localhost:8096/socket"
    ProxyPass "/" "http://localhost:8096/"
    ProxyPassReverse "/" "http://localhost:8096/"

    SSLEngine on
    SSLCertificateFile "${SRVROOT}/conf/ssl.crt/server.crt"
    SSLCertificateKeyFile "${SRVROOT}/conf/ssl.key/server.key"
    SSLCertificateChainFile "${SRVROOT}/conf/ssl.fullchain/fullchain.pem"
    Protocols h2 http/1.1

    ### Add headers ###
    # Redundant with the unconditional RequestHeader above; harmless
    RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
    Header always set Strict-Transport-Security "max-age=15552000; preload"
    Header always set X-Content-Type-Options nosniff
    Header always set X-Robots-Tag none
    Header always set X-XSS-Protection "1; mode=block"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Referrer-Policy "same-origin"
    # CSP: the skin's CDN/GitHub hosts must be listed in style-src or the skin breaks
    Header always set Content-Security-Policy "default-src 'self' dachs.blog; script-src 'self' 'unsafe-inline' dachs.blog www.gstatic.com/cv/js/; style-src 'self' 'unsafe-inline' dachs.blog cdn.jsdelivr.net/gh/CTalvio ctalvio.github.io fonts.googleapis.com/css2; connect-src 'self' dachs.blog; object-src 'none'; worker-src 'self' dachs.blog; frame-ancestors 'self' dachs.blog; base-uri 'self' dachs.blog"
    Header always set Feature-Policy "geolocation 'self'; midi 'self'; sync-xhr 'self'; microphone 'self'; camera 'self'; magnetometer 'self'; gyroscope 'self'; speaker 'self'; fullscreen 'self'; payment 'self'"

    RewriteEngine on
    RewriteRule ^/web/robots.txt https://domain.tld/robots.txt [L,R=301]
    RewriteRule ^/.well-known/security.txt https://domain.tld/.well-known/security.txt [L,R=301]
</VirtualHost>
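To debug the kind of breakage described in the post (a skin or client resource silently blocked by the CSP), the following is an added example, not part of the original post or Jellyfin: a small CSP3 host-source matcher that takes the header value from the vhost above and answers whether a given resource type may load from a given URL. It walks the fallback chain (e.g. font-src falls back to default-src) and applies the path-part rule (a trailing slash means prefix match, otherwise the URL path must match exactly). The sample URLs are constructed; ws/wss upgrade for 'self' and non-default ports are not handled.

```python
from urllib.parse import urlparse

# Constructed sample: the Content-Security-Policy value from the vhost above,
# shortened to the fetch directives a skin's resource loads run into.
CSP = ("default-src 'self' dachs.blog; "
       "script-src 'self' 'unsafe-inline' dachs.blog www.gstatic.com/cv/js/; "
       "style-src 'self' 'unsafe-inline' dachs.blog cdn.jsdelivr.net/gh/CTalvio "
       "ctalvio.github.io fonts.googleapis.com/css2; "
       "connect-src 'self' dachs.blog; object-src 'none'; worker-src 'self' dachs.blog")
ORIGIN = "https://domain.tld"  # origin of the protected page (ServerName above)

# CSP3 fallback chain: worker-src -> script-src, the other fetch directives -> default-src
FALLBACK = {"script-src": "default-src", "style-src": "default-src",
            "font-src": "default-src", "img-src": "default-src",
            "connect-src": "default-src", "worker-src": "script-src"}

def parse_csp(header):
    # {directive: [source expressions]}; the first occurrence of a directive wins
    parts = [p.split() for p in header.split(";")]
    return {t[0].lower(): t[1:] for t in reversed(parts) if t}

def governing_directive(policy, directive):
    # Walk the fallback chain; None means nothing restricts this fetch.
    while directive is not None and directive not in policy:
        directive = FALLBACK.get(directive)
    return directive

def source_matches(expr, url, origin):
    # Host-source matching per CSP3 (simplified: default ports only, no ws/wss).
    u, o = urlparse(url), urlparse(origin)
    if expr == "'self'":
        return (u.scheme, u.hostname) == (o.scheme, o.hostname)
    if expr.startswith("'"):  # 'none', 'unsafe-inline', nonces, hashes: no host
        return False
    scheme, _, rest = expr.rpartition("://")
    schemes = {scheme} if scheme else {o.scheme, "https"}  # schemeless: upgrade ok
    host, _, path = rest.partition("/")
    hostname = u.hostname or ""
    host_ok = hostname.endswith(host[1:]) if host.startswith("*.") else hostname == host
    if u.scheme not in schemes or not host_ok:
        return False
    if not path:
        return True
    # Trailing slash means prefix match; otherwise the URL path must be exact.
    return u.path.startswith("/" + path) if path.endswith("/") else u.path == "/" + path

def is_allowed(header, fetch_directive, url, origin=ORIGIN):
    policy = parse_csp(header)
    directive = governing_directive(policy, fetch_directive)
    return directive is None or any(source_matches(e, url, origin) for e in policy[directive])
```

Run it against the URLs a skin actually requests (visible in the browser's network tab) to see which directive blocked them before widening the policy.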