HTTPS via Cloudflare-Nginx-Jellyfin Question

[SammyD]

Hello All,

I'm looking for guidance on how to change my remote connection to HTTPS. I'm not a noob but I'm no expert either. I'm confused as to what needs to be done on each component (Cloudflare, Nginx, Jellyfin). I currently have the following HTTP connection working. My Nginx Proxy Manager is on it's own container and Jellyfin is in another container. You can get an SSL in Nginx and it also looks like Jellyfin also has SSL. Any help would be appreciated. Thanks.

Cloudflare               Nginx Proxy Mgr (debian LXC)        Jellyfin (on another debian LXC)
-----------------------------------------------------------------------------------------------------------------
CNAME...                 Proxy Host...                                    Networking...
jellyfin.xxx.com        Name: jellyfin.xxx.com                     HTTP Port: 8096
                                Scheme: http                                   HTTPS: NOT ENABLED
                                IP: 192.168.1.111                             HTTPS Port: 8920
                                Port: 8096                                        SSL Cert Path: <blank>
                                SSL: NONE                                       Cert Password: <blank>

If I get an SSL in Nginx do I also need one in Jellyfin? 
Does Jellyfin need to reference the Nginx SSL?
What is Certbot and do I need this also?
Confused!

[TheDreadPirate]

In cloudflare you should have an A and/or AAAA record for your domain.tld that points to your IP. Then you need a CNAME that is JUST the subdomain, like "jellyfin" and that points to your domain.tld.

We have Nginx Proxy Manager docs here. Nginx Proxy Manager will automate the certificate request process from Let's Encrypt. You do NOT need certbot.

https://jellyfin.org/docs/general/networ...xy-manager

You DO NOT need https between Nginx and Jellyfin if they are on the same machine or is another machine on your LAN.

[SammyD]

Thanks!
In cloudflare I do have the A record xxx.com and my CNAME jellyfin points to the A record so that part is solid.
I'll create an SSL in Nginx and follow the Jellyfin/Nginx notes.
Nginx and Jellyfin are 2 separate machines on the same LAN so I'll keep the HTTP connection.

[SammyD]

I'm getting closer to getting this working. I set up Nginx per instructions and aquired a certificate. Now when I try to connect I get a 500 Internal Server Error. My address shows as https://jellyfin.XXX.com with the https crossed out (not secure). I think I'm missing something in Jellyfin because I haven't changed anything there and HTTPS is not enabled and there is no certificate specified.

[TheDreadPirate]

Nginx is acting as the middleman and handles https with the client. Jellyfin stays http on port 8096.

Is your cert just for your domain.tld? Or is it a wildcard cert? domain.tld with the subdomain as a SAN?

[SammyD]

Is your cert just for your domain.tld?  Or is it a wildcard cert?  domain.tld with the subdomain as a SAN?

I tried wildcard and just the domain cert but both didn't work. I think I may have an issue with Nginx because, while I can get other redirects working without an SSL (home assistant, pihole, proxmox), I can't get these working with a certificate also.

[SammyD]

Is your cert just for your domain.tld?  Or is it a wildcard cert?  domain.tld with the subdomain as a SAN?

I tried wildcard and just the domain cert but both didn't work. I think I may have an issue with Nginx because, while I can get other redirects working without an SSL (home assistant, pihole, proxmox), I can't get these working with a certificate also.

Figured out the problem. When I'm connected to my home network, the same network as the Nginx and Jellyfin, SSL connections fail. I can access if I'm outside of my home. I don't understand why but at least I know what the problem is.

[TheDreadPirate]

Do you have NAT loopback enabled on your router?

[SammyD]

Do you have NAT loopback enabled on your router?

I do not have that option on my tplink ax3000 router.