    Apache/Nginx - Disable Weak TLS Ciphers

    Requiring usage of cryptographically secure ciphers and prefer perfect forward secrecy
    TheDreadPirate
    Community Moderator
    #1
    2023-08-22, 02:19 AM (This post was last modified: 2023-10-06, 06:36 PM by TheDreadPirate. Edited 3 times in total.)
    ***DISCLAIMER - THIS WILL CAUSE SSL/TLS HANDSHAKE ISSUES WITH VERY OLD OPERATING SYSTEMS AND BROWSERS THAT DON'T SUPPORT THESE STRONG CIPHERS***

    Having said that, if you are using an operating system old enough to not support any of these strong ciphers, Jellyfin probably doesn't work on the system anyway.

    BACKUP YOUR APACHE/NGINX CONFIGS BEFORE PROCEEDING!!!

    This is not a guide to setup a reverse proxy with Apache or Nginx.  This is for users who are already running a Jellyfin server behind an Apache or Nginx reverse proxy and these instructions assume this has already been completed.  Additionally, this only applies if you already have certs and are using HTTPS.  For new Apache or Nginx users, please review the official docs and post in the troubleshooting section of the forum if you need help with the initial setup.

    https://jellyfin.org/docs/general/networking/apache/
    https://jellyfin.org/docs/general/networking/nginx/
    https://jellyfin.org/docs/general/networ...tsencrypt/

    Only a few additional lines to an Apache or Nginx config are required to disable weak ciphers.

    ====Apache====

    Within your site config, usually in /etc/apache2/sites-available/000-default.conf, there is this section of parameters that define how Apache handles SSL/TLS.  This example is taken from the official Jellyfin Apache guide.

    Code:
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/DOMAIN_NAME/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/DOMAIN_NAME/privkey.pem
    Protocols h2 http/1.1
    # Enable only strong encryption ciphers and prefer versions with Forward Secrecy
    SSLCipherSuite HIGH:RC4-SHA:AES128-SHA:!aNULL:!MD5
    SSLHonorCipherOrder on
    # Disable insecure SSL and TLS versions
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

    While this disables the absolute weakest of ciphers, there is new guidance to further restrict the ciphers offered.
    Replace the entire section above with the following.

    Code:
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/DOMAIN_NAME/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/DOMAIN_NAME/privkey.pem
    # Enable only strong encryption ciphers and prefer versions with Forward Secrecy
    # (the last entry is a static-RSA fallback without forward secrecy; its OpenSSL name is AES256-GCM-SHA384)
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384
    SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384
    SSLOpenSSLConfCmd Curves secp384r1
    SSLHonorCipherOrder On
    SSLSessionTickets Off
    Protocols h2 http/1.1
    # Disable insecure SSL and TLS versions
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
    Header always set Strict-Transport-Security "max-age=63072000"

    Restart Apache.

    ====Nginx====

    The process is pretty much identical.  If you followed the official Jellyfin Nginx guide, your Jellyfin reverse proxy config is at /etc/nginx/conf.d/jellyfin.conf.
    From the official Jellyfin Nginx guide, the SSL section we are going to change looks like the following.

    Code:
    ssl_certificate /etc/letsencrypt/live/DOMAIN_NAME/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/DOMAIN_NAME/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    add_header Strict-Transport-Security "max-age=31536000" always;
    ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN_NAME/chain.pem;

    Swap these lines out for the following.

    Code:
    # Do not keep "include /etc/letsencrypt/options-ssl-nginx.conf;" in this block: certbot's file
    # also sets ssl_protocols, ssl_ciphers and ssl_prefer_server_ciphers, and nginx rejects
    # a duplicate directive in the same block ("ssl_protocols" directive is duplicate)
    ssl_certificate /etc/letsencrypt/live/DOMAIN_NAME/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/DOMAIN_NAME/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN_NAME/chain.pem;
    ssl_protocols TLSv1.3 TLSv1.2;
    # DHE-RSA is only offered if ssl_dhparam is also set; the last entry is a static-RSA fallback without forward secrecy
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384;
    ssl_ecdh_curve secp384r1;
    ssl_prefer_server_ciphers on;
    ssl_session_tickets off;
    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;

    Restart Nginx.

    ************************

    Sources:

    https://media.defense.gov/2021/Jan/05/20...443-20.PDF
    https://github.com/nsacyber/Mitigating-Obsolete-TLS
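As an added example (not from the post or the linked guides), a short Python auditor that applies the checks the post makes by hand, namely broad aliases such as HIGH, RC4/MD5-class ciphers, suites without ECDHE/DHE key exchange, legacy protocol versions and the HSTS max-age, to directive lines copied from the snippets above; the sample inputs are constructed from the post.

```python
import re
# Added example, not from the post: a static auditor for the cipher and protocol
# directives discussed above. Constructed input: the "before" Apache directives.
BEFORE_APACHE = """SSLCipherSuite HIGH:RC4-SHA:AES128-SHA:!aNULL:!MD5
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"""
# Constructed input: the hardened Nginx directives.
AFTER_NGINX = """ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=63072000" always;"""
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_PARTS = {"RC4", "MD5", "DES", "3DES", "NULL", "aNULL", "eNULL", "EXP"}
BROAD_ALIASES = {"ALL", "DEFAULT", "HIGH", "MEDIUM", "LOW", "COMPLEMENTOFDEFAULT"}


def audit(snippet):
    """Classify cipher/protocol directives of an Apache or Nginx config snippet."""
    f = {"weak": [], "broad": [], "non_pfs": [], "legacy": [], "hsts_max_age": None}
    enabled = set()
    for raw in snippet.splitlines():
        line = raw.strip().rstrip(";")
        if not line or line.startswith("#"):
            continue
        d, _, value = line.partition(" ")
        if d.lower() in ("sslciphersuite", "ssl_ciphers"):
            # Apache 2.4.36+ spells TLS 1.3 suites as "SSLCipherSuite TLSv1.3 <list>"
            value = value.removeprefix("TLSv1.3 ")
            for tok in value.split(":"):
                if tok[:1] in "!-+":          # exclusion/reorder operators enable nothing
                    continue
                if tok in BROAD_ALIASES:       # alias: OpenSSL decides what it expands to
                    f["broad"].append(tok)
                elif WEAK_PARTS & set(tok.split("-")):
                    f["weak"].append(tok)
                elif not tok.startswith(("ECDHE-", "DHE-", "TLS_")):
                    f["non_pfs"].append(tok)  # static RSA key exchange: no forward secrecy
        elif d.lower() in ("sslprotocol", "ssl_protocols"):
            for tok in value.split():
                if tok.lower() == "all":
                    enabled |= ALL_PROTOCOLS
                elif tok.startswith("-"):
                    enabled.discard(tok[1:])
                else:
                    enabled.add(tok.lstrip("+"))
        elif "Strict-Transport-Security" in line:
            m = re.search(r"max-age=(\d+)", line)
            f["hsts_max_age"] = int(m.group(1)) if m else None
    f["legacy"] = sorted(enabled & LEGACY)
    return f
```

Run `audit()` over each `SSLCipherSuite`/`ssl_ciphers` block of your own config; the hardened snippets report only the deliberate static-RSA fallback under `non_pfs`.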