Nginx reverse proxy

[visualblind]

You don't need port 8096 open on the reverse proxy.  Just the Jellyfin server.  Port 80 and 443 needs to be open on the reverse proxy.

On your router, port 443 is forwarded to the reverse proxy?

Can you share a censored version of /var/log/nginx/access.log via privatebin.net?

Before I reply, I just want to say, that you're a legend for always helping people! Gosh, if I see that cute little duck, I know it's gonna be you.

I put in the external="" parameter, and everything is/was fixed... very odd, lol...

I know you got it working already, but there might be something worth using from my own config:
https://is.gd/Zm8RwC

Code:

# Proxy Cache
proxy_cache_path /dev/shm/nginx-cache/jellyfin levels=1:2 keys_zone=jellyfin:20m max_size=1600M inactive=52h use_temp_path=off loader_threshold=400 loader_files=325;

# Limit Connections Zone
limit_conn_zone $binary_remote_addr zone=perip:10m;

upstream jellyfin_backend {
    server X.X.X.X:8096;
    keepalive 32;
    keepalive_requests 1000;
    keepalive_timeout 180s;
}

server {
    ### Redirect to site root ###
    listen 80;
    listen [::]:80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ~^(www\.)?travisflix\.com$;

    include proxy_params;
    include moz_ssl;

    return 301 https://travisflix.com$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name travisflix.com cdn.travisflix.com;

    include proxy_params;
    include moz_ssl;
    set $jellyfin_server "http://jellyfin_backend";

    real_ip_header X-Forwarded-For;

    brotli on;
    brotli_static on;
    include brotli.types;

    access_log /var/log/nginx/travisflix.com.cache.log cache;
    error_log /var/log/nginx/travisflix.com.error.log warn;

    root /var/www/travisflix.com;
    proxy_set_header Range $http_range;
    proxy_set_header If-Range $http_if_range;
    proxy_buffering on;

    # Security / XSS Mitigation Headers
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    # HSTS HTTPS Security
    add_header Strict-Transport-Security "max-age=2592000";

    # Content Security Policy
    # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
    # Enforces https content and restricts JS/CSS to origin
    # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.

    add_header Content-Security-Policy "default-src 'self' blob: data: https: https://i.ibb.co https://image.tmdb.org; connect-src 'self'; font-src 'self' data: https://fonts.gstatic.com/ https://fonts.googleapis.com; img-src 'self' https://repo.jellyfin.org https://raw.githubusercontent.com https://cdn.travisflix.com https://i.ibb.co https://image.tmdb.org https://assets.fanart.tv http://assets.fanart.tv https://m.media-amazon.com/ https://static.tvmaze.com/; object-src 'none'; script-src 'self' 'unsafe-inline' blob: https://www.gstatic.com/ https://www.youtube.com https://static.cloudflareinsights.com/beacon.min.js https://cdnjs.cloudflare.com/ajax/libs/materialize/1.0.0/js/materialize.min.js https://cdn.jsdelivr.net; script-src-elem 'self' 'unsafe-inline' youtube.com blob: https://www.gstatic.com/ https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com/ https://cdnjs.cloudflare.com/";

    if (-f $document_root/maintenance.html) {
        return 503;
    }

    error_page 404 @http404;
    error_page 429 @http429;
    error_page 503 @maintenance;

    location @maintenance {
        rewrite ^(.*)$ /maintenance.html break;
    }

    location @http404 {
        internal;
        root /var/ErrorPages/404colors;
        rewrite ^(.*)$ /404.html break;
    }

    location @http429 {
        rewrite ^(.*)$ /http429.html break;
    }

    location = / {
        return 302 https://$host/web/;
    }

    location / {
        include proxy_params;
        proxy_connect_timeout 30s;
        add_header X-Nginx-Forwarded-Host $http_host;
        add_header Strict-Transport-Security "max-age=2592000";
        proxy_pass $jellyfin_server;
    }

    location /socket {
        # Proxy Jellyfin Websockets traffic
        proxy_pass $jellyfin_server;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }

    ### Cache images ###
    location ~ ^/Items/(.*)/Images|/web/.*(?:\.js|\.css|\.woff2) {
        include proxy_params;
        sendfile on;
        proxy_pass $jellyfin_server;
        proxy_cache_key "$host$request_uri";
        proxy_cache jellyfin;
        proxy_cache_revalidate on;
        proxy_cache_lock off;
        proxy_cache_valid 200 301 302 48h;
        proxy_cache_methods GET HEAD;
        proxy_cache_min_uses 1;
        proxy_ignore_headers Expires Cache-Control Set-Cookie X-Accel-Expires Vary;
        proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
        add_header X-Nginx-Cache $upstream_cache_status; # HTTP response header "X-Nginx-Cache" = HIT/MISS/BYPASS/EXPIRED
    }

    location ~ ^/Items/(.*)/Download$ {
        include proxy_params;

        ## Rate-limit all downloads
        limit_rate 8192k; # Speed in Kilobyte/s
        limit_conn perip 3; # Simultaneous connections/per ip
        limit_conn_status 429;
        proxy_buffering on; # Required for limit_conn

        sendfile off;
        add_header X-Nginx-Forwarded-Host $http_host;
        add_header Strict-Transport-Security "max-age=2592000";
        proxy_pass $jellyfin_server;
    }

    location /-_- {
        include proxy_params;
        default_type "video/mp4";
        alias /var/www/zoidberg/futurama-zoidberg.mp4;
    }

    location /help/ {
        proxy_set_header Host help.travisflix.com;
        add_header X-Nginx-ClientIP $remote_addr;
        add_header X-Nginx-Proxy $proxy_host;
        add_header X-Nginx-Forwarded-Host $http_host;
        add_header Strict-Transport-Security "max-age=2592000";
        proxy_pass https://visualblind.github.io/;
    }

    location /web/assets/img/icon-transparent.png {
        sendfile on;
        rewrite ^(.*)$ /web/img/icon-transparent-tf.png break;
    }

    location ~ /web(/assets)?/img/banner-(light|dark)\.png$ {
        sendfile on;
        rewrite ^(.*)$ /web/img/banner-travisflix.png break;
    }

    location /web/img/ {
        sendfile on;
        try_files $uri $uri/ =404;
    }

    location /web/test/ {

        if ($request_uri ~* "([^/]*$)" ) {
            set  $last_path_component  $1;
        }

        return 301 https://$host/test/$last_path_component;
    }

    location ~* ^/Videos/(.*)$ {
        include proxy_params;
        tcp_nodelay on;
        tcp_nopush on;
        sendfile off;
        add_header X-Nginx-Stream "tcp_nodelay=ON tcp_nopush=ON sendfile=OFF";
        add_header X-Nginx-Forwarded-Host $http_host;
        add_header X-Nginx-Proxy $proxy_host;

        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
        proxy_buffering off;
        proxy_pass $jellyfin_server;
    }

    location ~ ^/Playback/(BitrateTest.*)$ {
        include proxy_params;
        proxy_buffering off;
        add_header X-Nginx-Proxy $proxy_host;
        proxy_pass $jellyfin_server;
    }

    location /Sessions/Capabilities/ {
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_pass $jellyfin_server;
    }

    location ~ ^/(web/)?favicon.(.*) {
        sendfile on;
        try_files /favicon.$2 /web/favicon.$2 /web/img/favicon.$2 =404;
        add_header X-Nginx-ClientIP $remote_addr;
    }

    location /web/bc8d51405ec040305a87.ico {
        rewrite ^(.*)$ /favicon.ico break;
    }

    location ~ ^/web/(379bab68d056910336f9|3f3fe0fd3a0b637b5030|f5bbb798cb2c65908633|23a72f5d56f82554aeab|d6ecf2254db85ff3b545|522fa270807b7b12a9ba|a962662957ebbb8eb436|baafa93a783b76e667ec|0df719b48efcaef953df|106a7abc109fb5e78742|49d14d0eb7bcdf6f2d1b|f94ebf203ea0c91a47c6|d0e56683308a17dba86d|0b37f660ac0f7f01ab41|6de874568a98308c4a74|d31413d3f03c0873ccbb|16fc81178d1aee54f6cc|e62987a12a58b24f383a|39209dd2362c0db7c673|eb8bef4f19b6ad227f46|142d834c201895a46a01|bbb3e6d43389ba0d436c|7b8ef9809145cfec0aa6|3fa90c593184d5737eb3|d28a57b1e61f9f0dabd9|6a2e2e6b4186720e5d4f)\.png$ {
        rewrite ^(.*)$ /favicon.png break;
    }

    location /web/baba78f2a106d9baee83.png {
        rewrite ^(.*)$ /web/img/logo/tf-logo-536.png break;
    }

    location ~ ^/([0-9a-z]+)\.txt {
        sendfile on;
        include proxy_params;
        more_set_headers 'Content-Type: text/plain';
        try_files $1.txt $uri =404;
        add_header X-Nginx-ClientIP $remote_addr;
        add_header X-Nginx-Txt $1;
    }

    location ~ ^/(web/)?touchicon(72|114|144|512)?\.png$ {
        sendfile on;
        try_files /web/img/touchicon/touchicon$2.png /web/touchicon$2.png =404;
        add_header X-Nginx-ClientIP $remote_addr;
    }

    location /netdata/ {
        sendfile on;
        try_files $uri $uri/ =404;
    }

    location /loaderio-548b6134a9005e7b66f4b8ddabf08733 {
        try_files /loaderio-548b6134a9005e7b66f4b8ddabf08733.txt $uri =404;
    }

}