jellyfin NPM https - no images in local network

[deadcxap]

The essence of the problem: I have a nas UNRAID installation, Jellyfin and Nginx Proxy Manager containers are installed. Nas is connected to the router, the provider gives me a fixed external IP, my domain is linked to it. Ports 80 and 443 were forwarded to NPM on router, a subdomain was configured to access jellyfin from the Internet, in the jf configuration I specified my domain and server ip as a reverse proxy ip (NPM works on it, right?..). I didn’t do in NPM initially no special settings - just added the internal ip and http port jellyfin. But with this setup, I received constant errors when watching together with friends or connecting to the server remotely.
At the same time, other programs on the server worked without problems through NPM - access was available both from within the home network and from an external one. NO PROBLEM.
In search of a solution to the problem, I found official instructions for setting up the nginx config. I tried to implement it through the NPM web interface, but nothing worked. Next, I found the configuration file created by NPM and edited it manually (I checked - this also works, the config does not change, and is read by NPM correctly), adding 3 location sections according to the instructions, plus the specified add_header.
And this is where the problems begin. At random times, pictures simply disappear via links from third-party domains (a form for searching and replacing images for a film). The chrome developer tools indicate that the "Cross-Origin-Resource-Policy" setting is incorrect. Setting this header to "cross-origin" does not solve the problem. Complete removal from the configuration of any mention of Cross-Origin-Resource-Policy and related ones does not solve the problem. Restarting the browser helps, about once in 3 times.
The problem only occurs when connecting from within the local network, and only to the assigned domain. Yes, in theory I can enter http://ip:port when I'm at home... But we assign beautiful domain names just so as not to do this, isn't it?
My nginx config:

Code:

server {
  set $forward_scheme http;
  set $server        "192.168.20.70";
  set $port          8096;
 
listen 8080;
listen [::]:8080;

listen 4443 ssl http2;
listen [::]:4443 ssl http2;


  server_name SUB.MY.DOMAIN;

  # Let's Encrypt SSL
  include conf.d/include/letsencrypt-acme-challenge.conf;
  include conf.d/include/ssl-ciphers.conf;
  ssl_certificate /etc/letsencrypt/live/npm-6/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-6/privkey.pem;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";

    # COOP/COEP. Disable if you use external plugins/images/assets
    add_header Cross-Origin-Opener-Policy "same-origin" always;
    add_header Cross-Origin-Embedder-Policy "require-corp" always;
    add_header Cross-Origin-Resource-Policy "cross-origin" always;

# Permissions policy. May cause issues on some clients
    add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;

    # Tell browsers to use per-origin process isolation
    add_header Origin-Agent-Cluster "?1" always;


    # Content Security Policy
    # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
    # Enforces https content and restricts JS/CSS to origin
    # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
    # NOTE: The default CSP headers may cause issues with the webOS app
    add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";


    # Force SSL
    include conf.d/include/force-ssl.conf;

proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_http_version 1.1;

access_log /config/log/proxy-host-4_access.log proxy;
error_log /config/log/proxy-host-4_error.log warn;

client_max_body_size 20M;

location = / {
        return 302 http://$host/web/;
        return 302 https://$host/web/;
    }

    location / {


        # Proxy main Jellyfin traffic
        proxy_pass http://$server:8096;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;

        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
        proxy_buffering off;

proxy_set_header Accept-Encoding "";
sub_filter '</body>' '<script plugin="Jellyscrub" version="1.0.0.0" src="/Trickplay/ClientScript"></script>    </body>';
sub_filter_once on;
}

    # location block for /web - This is purely for aesthetics so /web/#!/ works instead of having to go to /web/index.html/#!/
    location = /web/ {
        # Proxy main Jellyfin traffic
        proxy_pass http://$server:8096/web/index.html;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;

proxy_set_header Accept-Encoding "";
sub_filter '</body>' '<script plugin="Jellyscrub" version="1.0.0.0" src="/Trickplay/ClientScript"></script>    </body>';
sub_filter_once on;
    }

    location /socket {


        # Proxy Jellyfin Websockets traffic
        proxy_pass http://$server:8096;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }



  # Custom
  include /data/nginx/custom/server_proxy[.]conf;
}

I'm already going crazy, I tried everything possible in all possible options, I tried to add different headers according to the recommendations from the chrome developer tool, I tried to add external image domains to the trusted ones above... It doesn't help. Only sometimes the situation became even worse - playback stopped working when subtitles were turned on, for example. Or syncplay starts disconnecting every 10 minutes...

[TheDreadPirate]

When you initially setup NPM did you also have proxy the websocket?

From the official nginx doc.

Code:

location /socket {
        # Proxy Jellyfin Websockets traffic
        proxy_pass http://$jellyfin:8096;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }

https://jellyfin.org/docs/general/networking/nginx/

[deadcxap]

Yes, I initially created a location in NPM 2 - / with code for integrating jellyscrub and /socket with code from the manual, like yours. But in this configuration, nginx does not start at all; the web interface displays a red dot and startup errors in the container logs.
I don’t remember exactly, but it seems like deleting the line proxy_http_version 1.1; solved the problem.
But in this case, there were still problems with syncplay and playing movies with subtitles turned on.

[TheDreadPirate]

I just migrated from apache to nginx today. Remove this entire section.

Code:

location = /web/ {

        # Proxy main Jellyfin traffic
        proxy_pass http://$server:8096/web/index.html;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;

proxy_set_header Accept-Encoding "";
sub_filter '</body>' '<script plugin="Jellyscrub" version="1.0.0.0" src="/Trickplay/ClientScript"></script>    </body>';
sub_filter_once on;
}

[deadcxap]

I just migrated from apache to nginx today.  Remove this entire section.

I tried it, but the "Cross-Origin-Resource-Policy" errors still persist.

[TheDreadPirate]

Do you have any themes or custom CSS?

[deadcxap]

no, the only third-party plugins and modifications are jellyscrub and a couple of metadata grabbers.

[TheDreadPirate]

One of the folks in the matrix chat wrote up an NPM guide because you aren't the only person recently that has had issues getting NPM to work with jellyfin. See if their draft helps you out.

https://github.com/Ladrien-git/jellyfin....manager.md

[deadcxap]

https://github.com/Ladrien-git/jellyfin....manager.md

Um... There's a 404 error.