Jellyfin + Nginx not working

[cyndaqua]

Hi,

I'm having trouble connecting to Jellyfin via an nginx reverse proxy. The reverse proxy and Jellyfin server are both running on the same Windows 10 machine, both Jellyfin and nginx are both near-fresh installations, the only change being that in the jellyfin.conf the listening port is set to 8080 and the ip address is 127.0.0.1, aka localhost. I have tried adding the ip address of the server and all devices I have tested with to the Known-Proxies section under Networking in the Jellyfin Network configuration in the Dashboard, to no avail. I have tried connecting to Jellyfin with the host computer, and a few other devices on the same network (pointing to the host computer's ip address, not their own).

To be clear, connecting directly to Jellyfin via localhost:8096 (the host computer's ip address in the case of other devices) does work on all of my devices, I'm just struggling with the reverse proxy, any help would be appreciated. Thanks.

Another note: when I made changes to the nginx.conf file which is present in the same folder as the jellyfin.conf file, those changes were reflected as I intended, such as adding SSL or changing the port that is being listened to.

This is what my jellyfin.conf file looks like: 

Code:

# Uncomment the commented sections after you have acquired a SSL Certificate
server {
    listen 8080;
    listen [::]:8080;
    # server_name DOMAIN_NAME;

    # Uncomment to redirect HTTP to HTTPS
    # return 301 https://$host$request_uri;
#}

#server {
    # listen 443 ssl http2;
    # listen [::]:443 ssl http2;
    server_name 127.0.0.1;

    ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
    client_max_body_size 20M;

    # use a variable to store the upstream proxy
    # in this example we are using a hostname which is resolved via DNS
    # (if you aren't using DNS remove the resolver line and change the variable to point to an IP address e.g `set $jellyfin 127.0.0.1`)
    set $jellyfin jellyfin;
    resolver 127.0.0.1 valid=30;

    #ssl_certificate /etc/letsencrypt/live/DOMAIN_NAME/fullchain.pem;
    #ssl_certificate_key /etc/letsencrypt/live/DOMAIN_NAME/privkey.pem;
    #include /etc/letsencrypt/options-ssl-nginx.conf;
    #ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    #add_header Strict-Transport-Security "max-age=31536000" always;
    #ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN_NAME/chain.pem;
    #ssl_stapling on;
    #ssl_stapling_verify on;

    # Security / XSS Mitigation Headers
    # NOTE: X-Frame-Options may cause issues with the webOS app
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "0"; # Do NOT enable. This is obsolete/dangerous
    add_header X-Content-Type-Options "nosniff";

    # COOP/COEP. Disable if you use external plugins/images/assets
    add_header Cross-Origin-Opener-Policy "same-origin" always;
    add_header Cross-Origin-Embedder-Policy "require-corp" always;
    add_header Cross-Origin-Resource-Policy "same-origin" always;

    # Permissions policy. May cause issues on some clients
    add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;

    # Tell browsers to use per-origin process isolation
    add_header Origin-Agent-Cluster "?1" always;


    # Content Security Policy
    # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
    # Enforces https content and restricts JS/CSS to origin
    # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
    # NOTE: The default CSP headers may cause issues with the webOS app
    #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";

    location = / {
        return 302 http://$host/web/;
        #return 302 https://$host/web/;
    }

    location / {
        # Proxy main Jellyfin traffic
        proxy_pass http://$jellyfin:8096;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;

        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
        proxy_buffering off;
    }

    # location block for /web - This is purely for aesthetics so /web/#!/ works instead of having to go to /web/index.html/#!/
    location = /web/ {
        # Proxy main Jellyfin traffic
        proxy_pass http://$jellyfin:8096/web/index.html;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }

    location /socket {
        # Proxy Jellyfin Websockets traffic
        proxy_pass http://$jellyfin:8096;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }
}

[bitmap]

A few things I see here. First, make sure you don't have any duplicate declarations in your nginx.conf. I see a few that might be the case, namely proxy_http_version. Some of the other headers might get set there as well, but those won't cause panic responses. That one will.

Second, you have two root location blocks...is there a reason for that? I'm not an nginx whiz, quite the opposite, but I'm fairly certain you can only have one block and all your directives have to go under that single location. Right now, you have two. That won't work. I also have no idea why you have the block returning 302 when it should be set to proxy_pass instead. I'd comment out this first root location block entirely as it doesn't appear to serve a purpose (unless it's functioning a way I don't know of, which is entirely possible).

Next, depending on how your RP and your container are hosted, you need to consider how your directives are sending traffic. For instance, proxy_set_header Host $host won't work right if your RP is in a container not in host network mode. I see you have set $jellyfin jellyfin which indicate this might be a containerized setup, but I've had issues using names, so you might try the IP address of the host machine (not localhost or 127.0.0.1).

Lastly, I'm confused...why are you setting up nginx? I don't believe you can use localhost/127.0.0.1 as your domain name, not to mention there wouldn't be a reason to do so. Just note the IP of the computer. On the same computer, you could use "localhost", on any other machine, use its local IP address (e.g., 192.168.1.xxx). Reverse proxy shouldn't be necessary inside your own network...again, unless I'm missing something here -- but I'm *fairly* confident, at least, that you can't set this up so "localhost" redirects to your Jellyfin server.

I think the question I'm left with after trying to help you solve this and then re-reading a few times is...what are you trying to accomplish?

[cyndaqua]

A few things I see here. First, make sure you don't have any duplicate declarations in your nginx.conf. I see a few that might be the case, namely proxy_http_version. Some of the other headers might get set there as well, but those won't cause panic responses. That one will.

Second, you have two root location blocks...is there a reason for that? I'm not an nginx whiz, quite the opposite, but I'm fairly certain you can only have one block and all your directives have to go under that single location. Right now, you have two. That won't work. I also have no idea why you have the block returning 302 when it should be set to proxy_pass instead. I'd comment out this first root location block entirely as it doesn't appear to serve a purpose (unless it's functioning a way I don't know of, which is entirely possible).

Next, depending on how your RP and your container are hosted, you need to consider how your directives are sending traffic. For instance, proxy_set_header Host $host won't work right if your RP is in a container not in host network mode. I see you have set $jellyfin jellyfin which indicate this might be a containerized setup, but I've had issues using names, so you might try the IP address of the host machine (not localhost or 127.0.0.1).

Lastly, I'm confused...why are you setting up nginx? I don't believe you can use localhost/127.0.0.1 as your domain name, not to mention there wouldn't be a reason to do so. Just note the IP of the computer. On the same computer, you could use "localhost", on any other machine, use its local IP address (e.g., 192.168.1.xxx). Reverse proxy shouldn't be necessary inside your own network...again, unless I'm missing something here -- but I'm *fairly* confident, at least, that you can't set this up so "localhost" redirects to your Jellyfin server.

I think the question I'm left with after trying to help you solve this and then re-reading a few times is...what are you trying to accomplish?

I'm trying to safely open it to the web with a domain name, I was just having an issue with the reverse proxy. I'm switching away from nginx though because I have discovered it is weird on Windows. I believe the issue I was having was that it was removing the port when it was proxy-ing to Jellyfin and automatically assuming port 80, which is always used by nginx in a manner that I cannot find a solution for on Windows, regardless of what it's set to in nginx.conf. If I had a linux machine I think it would've worked just fine. I'm looking into Caddy now.

[bitmap]

I suggest reviewing the information here: https://jellyfin.org/docs/general/networ...erse-proxy.

You can find examples of nginx, caddy, Apache, Traefik, and others. They will all require some customization. You'll see the nginx example differs quite a bit from yours. If you're interested I can post my configuration. If you're moving away from nginx it won't help, though. If you're looking to safely reverse proxy your instance, don't aim for port 80, aim for 443. Check out the info that TheDreadPirate posted regarding upgrading SSL ciphers as well in the guides section once you're more comfortable.

This is a big step for sure and the guides that exist have a wealth of information. Don't reinvent the wheel and try to understand what you're implementing before you paste it since it can be very dangerous to expose your instance to the open internet. Feel free to keep asking questions. I can help a bit with nginx, others can probably help with caddy or other RP apps. Good luck.

[cyndaqua]

I suggest reviewing the information here: https://jellyfin.org/docs/general/networ...erse-proxy.

You can find examples of nginx, caddy, Apache, Traefik, and others. They will all require some customization. You'll see the nginx example differs quite a bit from yours. If you're interested I can post my configuration. If you're moving away from nginx it won't help, though. If you're looking to safely reverse proxy your instance, don't aim for port 80, aim for 443. Check out the info that TheDreadPirate posted regarding upgrading SSL ciphers as well in the guides section once you're more comfortable.

This is a big step for sure and the guides that exist have a wealth of information. Don't reinvent the wheel and try to understand what you're implementing before you paste it since it can be very dangerous to expose your instance to the open internet. Feel free to keep asking questions. I can help a bit with nginx, others can probably help with caddy or other RP apps. Good luck.

I don't know exactly what it was with nginx, but I got Caddy working exactly as I intended in under 30 minutes, SSL/TLS and everything. Although I did have to use port 8443 instead of port 443 because I didn't really feel like trying to make the reverse proxy go to my site too, just so I could have everything on port 443. It still retains certification and works as intended. The site is protected by Cloudflare, although I don't know exactly how protected it is because I don't know too much about how Jellyfin works.

Thanks for the help!

[Jerky]

I think your whole problem was that you didn't uncomment server_name in your nginx conf.