2024-12-07, 04:45 PM
Hey Guys,
I am struggling with a similar problem. I already googled a bunch of stuff and tried a lot, but all failed. Goal is to get the X-Real-Ip shown in Jellyfin to really distinguish between requests for external users and bandwidth configuration:
This is my setup:
* I am using a fritz.box exposing port 443 to the web.
* My Domain Provider forwards requests to subdomains to my "myfritz-dndns" address to my fritz.box.
* Behind my fritz.box I have a raspberry-pi with docker. It uses traefik as reverse-proxy.
* Additionally I am using an adguard in docker as a dns-ad-blocker.
Setup is running fine so far.
* I have a self-signed cert with lets-encrypt to run some stuff on my pi with HTTPS using an acme-dns-challenge (which also works like a charm for e.g. my password-manager)
Now comes the tricky part:
* In my home-network there is also an ubuntu-machine, also running a traefik as reverse-proxy to host some services.
* Jellyfin runs on that server
This is my traefik-server-configuration:
```toml
[providers.file]
directory = "/etc/traefik"
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.jellyfin1]
address = ":1900/udp"
[entryPoints.jellyfin2]
address = ":7359/udp"
[entryPoints.web.forwardedHeaders]
trustedIps = ["192.168.178.50"] #raspberry-pi host-ip
[api]
dashboard = true
insecure = true
[providers.docker]
endpoint = "unix//var/run/docker.sock"
watch = true
exposedByDefault = false
network = "skynet"
[log]
level = 'WARN'
```
This is my traefik on my pi:
```toml
[providers.file]
directory = "/etc/traefik"
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.web.http]
[entryPoints.web.http.redirections]
[entryPoints.web.http.redirections.entryPoint]
to = "websecure"
scheme = "https"
[api]
dashboard = true
insecure = true
[providers.docker]
endpoint = "unix//var/run/docker.sock"
watch = true
exposedByDefault = false
network = "skynet"
[log]
level = 'WARN'
```
And the dynamic-conf of my pi-traefik (relevant part):
```toml
[http]...
[http.routers.jellyfin]
rule = "Host(`subdomain.domain.web`)"
entryPoints=["websecure"]
service = "jellyfin"
tls = true
[http.services]
[http.services.jellyfin.loadBalancer]
[[http.services.jellyfin.loadBalancer.servers]]
url = "http://192.168.178.51:80"
[udp]
[udp.routers]
[udp.routers.jellyfinudp1900]
entryPoints = ["p1900"]
service = "jellyfin-1900"
[udp.routers.jellyfinudp7359]
entryPoints = ["p7359"]
service = "jellyfin-7359"
[udp.services]
[udp.services.jellyfin-1900.loadBalancer]
[[udp.services.jellyfin-1900.loadBalancer.servers]]
address = "192.168.178.51:1900"
[udp.services.jellyfin-7359.loadBalancer]
[[udp.services.jellyfin-7359.loadBalancer.servers]]
address = "192.168.178.51:7359"
```
The setup works fine, my server is accessible over the web, on my tv, app or pc.
In jellyfin I set the "known-proxies" in the network settings to the ip of the traefik of my server
(which is the 172.18... for the local docker network), the name of the docker-host, the hostname of the pi and to the ip of my raspberry pi: (192.168.178.50)
so: 172.18.0.2, 192.168.178.50, traefik, raspberry
To check my configuration I ran "traefikwhoami" from traefik to test what is sent to it.
I fired it up on my server and set the listen-address to port 80 (for this my traefik on the server is shut down temporarily).
So I typed my subdomain.domain.web in my browser and got this:
```
Hostname: e12a1eb262b3
IP: 127.0.0.1
IP: ::1
IP: 172.18.0.2
RemoteAddr: 192.168.178.50:44414 #note-> this is the raspberry-pi ip
GET / HTTP/1.1
Host: subdomain.domain.web
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-GB,de;q=0.5
Dnt: 1
Priority: u=0, i
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Sec-Gpc: 1
Te: trailers
Upgrade-Insecure-Requests: 1
X-Forwarded-For: HERE_WAS_MY_EXTERNAL_IP_SHOWN_IN_FRITZ_BOX
X-Forwarded-Host: subdomain.domain.web
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: 51e955e860a1
X-Real-Ip: HERE_WAS_MY_EXTERNAL_IP_SHOWN_IN_FRITZ_BOX
```
However, in the logs and activity-log in the ui of jellyfin only the ip of the docker-container (on my server) is shown.
I noticed that the behaviour is different depending on which IP address is used as first entry in the input-field in the ui.
If I use the ip of my raspberry-pi first, it shows the docker-ip from the traefik-container of the server (so basically localhost traefik ip).
If I use the traefik-ip first, it shows the ip from my raspberry pi.
Sadly I am out of ideas on how to solve this issue.
Using this I am not able to limit bandwidth for external access.
Is there anything I've missed?
I wish all of you a lovely christmas-time and hope your server works on xmas-eve to enjoy some movies.
Like Die-Hard
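
Added illustration, not part of the original post and not Jellyfin's or Traefik's own code: a generic right-to-left walk over the forwarding chain, showing how the resolved client address depends on which hops are listed as trusted. It assumes the server-side Traefik appends the Pi's address to X-Forwarded-For before handing the request to Jellyfin; `203.0.113.7` and `198.51.100.9` are constructed stand-ins for external addresses.

```python
import ipaddress


def resolve_client_ip(peer, x_forwarded_for, trusted):
    """Return the nearest hop that is NOT vouched for by a trusted proxy.

    peer            -- address of the TCP connection (here: the Traefik container)
    x_forwarded_for -- raw header value, leftmost entry = farthest from us
    trusted         -- addresses or CIDR ranges of proxies we control
    """
    nets = [ipaddress.ip_network(t) for t in trusted]

    def is_trusted(ip):
        return any(ip in net for net in nets)

    client = ipaddress.ip_address(peer)
    # Walk from the hop closest to us towards the original client.
    for entry in reversed(x_forwarded_for.split(",")):
        if not is_trusted(client):
            break  # this hop is not a known proxy: ignore what it claims
        try:
            client = ipaddress.ip_address(entry.strip())
        except ValueError:
            break  # malformed or empty entry: stop at the last valid hop
    return str(client)


# Constructed request as the backend would see it in this two-proxy setup.
PEER = "172.18.0.2"                        # Traefik container on the server
XFF = "203.0.113.7, 192.168.178.50"        # external client, then the Pi


def scenarios():
    return {
        "both proxies trusted": resolve_client_ip(
            PEER, XFF, ["172.18.0.2", "192.168.178.50"]),
        "only container trusted": resolve_client_ip(PEER, XFF, ["172.18.0.2"]),
        "only pi trusted": resolve_client_ip(PEER, XFF, ["192.168.178.50"]),
    }


if __name__ == "__main__":
    for name, ip in scenarios().items():
        print(f"{name:24} -> {ip}")
```

Because the walk stops at the first untrusted hop, a leftmost X-Forwarded-For entry supplied by the client itself is never returned as the client address.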