2025-05-17, 05:23 PM
Hey sorry for meddling in, but what's exactly needed?
I think I have a similar set up, or had (but still kinda do): I'm chaining proxies.
Last year I used to have a remote proxy — HAProxy — that sent the connection through a couple of tunnels to a local HAProxy using the Proxy v2 protocol, it was due to MTU and email reasons though, but since it was my main public address, or addresses I should say, everything came in through the remote one. I also proxy everything internally to inject CSPs that prevent third party resources from loading.
I have a static IP address now so I don't need the remote proxy anymore. Jury's still out on that but, since my local proxy is outside the main group of subnets and the Jellyfin server happens to have a direct attachment to one of the user subnets, it would create asymmetric routing therefore I could either (1) NAT it to snat leading to the main proxy or (2) set up a second proxy right in the same host so if I screw something up and apps end up using the impossible to memorize Jellyfin ports, I still can use the standard unwritten web ports and it'll work itself out which is what I did. And other than the fact that I can't get health checks to work, which is why I was here today, it does work if I disable them.
I'm using again the Proxy v2 protocol between the proxies to make it more efficient. The proxies might have the same public IP address but they are one or two levels deep behind their own routers. If this is not common, I might have something to share. I've kept all the configuration files of several firewall platforms I've used over the years, and documented a lot of things, in the case of Jellyfin specifically, the DNS-SD services to advertise since multicast isn't-, or is a very noisy option across networks. I would just need to gather it all up into something easy..ier to digest.
I bookmarked that link in the mea— F**k it! I'm gonna start now, put it on the web later, I'll just add it to my own site if unneeded.
(an 8-ball emoji would be perfect for this level of ADHD)
--
To the OP*, just leave the proxy, they have negligible performance impact if at all and it will allow you to manipulate your setup in ways the server alone won't. Let's assume you have your actual media in a storage server and not in the Jellyfin server itself (judging from your setup I think you actually might) and your Jellyfin server proved to be too popular and thus it keeps getting jellyfinished. No biggie; you have the option to easily deploy a second (or third) one — especially if we're talking containers — and already you have everything in place to load balance them. You have an add-water-and-put-in-microwave-for-three-minutes-type of setup now, but you know it wasn't as straightforward getting there; leverage that ramen. You would still need a proxy to prevent your self-hosted services from sneaking in and out data from a browser, where it's much harder to control. It's that or editing the source code of your apps. Jellyfin is not one of these, thankfully.
*: I might be wrong, I don't know forum lingo.
(2023-12-08, 12:42 AM)TheDreadPirate Wrote: Honestly, you should write a tutorial for what you did. I know for a fact there are people with remote reverse proxies that want to do something similar.
https://forum.jellyfin.org/f-guides-walk...-tutorials
Doesn't make sense? It's a puzzle! Every 5th & 7th letter in a wor— Okay. I'm dyslexic, w just a bit of ADHD, a touch of OCPD, & rosemary. I don't write the last of, or add an extra D to words for some reason then I fail to notice; self-correct; make it worse (sorry.)
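Added example, not part of the original post and not HAProxy's own code: what the PROXY v2 header passed between the chained proxies looks like on the wire, and why the receiving proxy should honour it only from its known upstream, since the header is unauthenticated. The trusted address `10.8.0.1` and the client and destination addresses are constructed placeholders.

```python
import ipaddress
import socket
import struct

SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # fixed 12-byte PROXY v2 signature
# Assumption: tunnel-side address of the upstream proxy (placeholder value).
TRUSTED_UPSTREAMS = [ipaddress.ip_network("10.8.0.1/32")]


def build_v2_tcp4(src, dst):
    """Header the upstream proxy prepends: original client (src) and the address it hit (dst)."""
    addrs = (socket.inet_aton(src[0]) + socket.inet_aton(dst[0])
             + struct.pack("!HH", src[1], dst[1]))
    # 0x21 = version 2 + command PROXY; 0x11 = AF_INET + STREAM
    return SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(addrs)) + addrs


def parse_v2(peer_ip, data):
    """Return (client_addr, payload); the header is believed only from a trusted TCP peer."""
    if not any(ipaddress.ip_address(peer_ip) in net for net in TRUSTED_UPSTREAMS):
        raise PermissionError(f"PROXY header from untrusted peer {peer_ip}")
    if len(data) < 16 or data[:12] != SIGNATURE:
        raise ValueError("missing PROXY v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("not protocol version 2")
    body, payload = data[16:16 + length], data[16 + length:]
    if len(body) < length:
        raise ValueError("truncated header")
    if ver_cmd & 0x0F == 0:   # LOCAL: opened by the proxy itself (e.g. a health check)
        return None, payload
    if ver_cmd & 0x0F != 1:
        raise ValueError("unknown command")
    if fam_proto == 0x11 and length >= 12:   # TCP over IPv4
        src_port = struct.unpack("!H", body[8:10])[0]
        return (socket.inet_ntoa(body[0:4]), src_port), payload
    if fam_proto == 0x21 and length >= 36:   # TCP over IPv6
        src_port = struct.unpack("!H", body[32:34])[0]
        return (socket.inet_ntop(socket.AF_INET6, body[0:16]), src_port), payload
    raise ValueError("unsupported address family")


if __name__ == "__main__":
    # Constructed sample: documentation-range client and destination addresses.
    wire = build_v2_tcp4(("203.0.113.7", 51000), ("198.51.100.10", 443)) + b"GET / HTTP/1.1\r\n"
    print(parse_v2("10.8.0.1", wire))
```
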