LG WebOS Error Code 27

[dnightbane]

Hello! I'm having trouble accessing my server from my LG c2 using the LG Store client, specifically, when I enter the URL for the server and hit continue it fails with error code 27.

Playback works fine in the browser and on my pixel 8 pro.

I am hosting jellyfin inside docker (latest tag) with nginx as a reverse proxy using the following nginx configuration:

Code:

server {
    listen 443 ssl;
    http2 on;
    server_name jellyfin.domain.com;

    ssl_certificate    /etc/nginx/ssl/domain.com/domain.com.crt;
    ssl_certificate_key /etc/nginx/ssl/domain.com/domain.com.key;

    ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
    client_max_body_size 20M;

    # Security / XSS Mitigation Headers
    add_header X-Content-Type-Options "nosniff";

    # Permissions policy. May cause issues with some clients
    #    add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;

    # Content Security Policy
    # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
    # Enforces https content and restricts JS/CSS to origin
    # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
    add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";

    access_log /var/log/nginx/domain/jellyfin.access.log;
    error_log /var/log/nginx/domain/jellyfin.error.log;

    location / {
        # Proxy main Jellyfin traffic
        set_real_ip_from 10.200.200.2;
        proxy_pass http://jellyfin:8096;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;

        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
        proxy_buffering off;
    }

    location /socket {
        # Proxy Jellyfin Websockets traffic
        set_real_ip_from 10.200.200.2;
        proxy_pass http://jellyfin:8096;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }
}

[TheDreadPirate]

Do you know if there are other nginx configs that are "included" elsewhere? There are several CORS header options that are problematic for WebOS that may be added via additional conf files that Nginx includes by default.

[dnightbane]

Not that I'm aware of.

The default nginx.conf file is this

Code:

# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    ##buffer policy
#    client_body_buffer_size 1K;
#    client_header_buffer_size 1k;
#    client_max_body_size 2M;
#    large_client_header_buffers 2 1k;
    large_client_header_buffers 4 8k;
    ##end buffer policy
    server_tokens off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;
    ssl_prefer_server_ciphers off;
    proxy_read_timeout 50000;
    proxy_connect_timeout 50000;
    proxy_send_timeout 50000;
    include /etc/nginx/conf.d/*.conf;
}
#include /etc/nginx/dnstls.conf;

The only other app on this box is jellystat and that uses the below as an included file for it's server block.

Code:

add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

[TheDreadPirate]

Code:

include /etc/nginx/conf.d/*.conf;

Are there any conf files in this directory? If so, what is in them? Also, can you share the output of this command? It shouldn't include your domain name, but censor it if it does show up in the output. Obviously replace "jellyfin.domain.tld" with your actual domain.

Code:

curl --head -i https://jellyfin.domain.tld

This will print the headers used by the current nginx config for Jellyfin.

Code:

HTTP/2 302
server: nginx/1.26.3
date: Mon, 10 Mar 2025 13:47:20 GMT
location: web/
strict-transport-security: max-age=63072000
x-xss-protection: 0
x-content-type-options: nosniff
last-modified: Monday, 10-Mar-2025 13:47:20 GMT
cache-control: no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0
permissions-policy: accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()
origin-agent-cluster: ?1
content-security-policy: default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self' ; font-src 'self'

[dnightbane]

There are 2 files in that directory

Code:

root@489c9d8f2654:/# ls /etc/nginx/conf.d/
jellyfin.conf  jellyfinsecure.conf

jellyfin.conf contains

Code:

server {
    listen 443 ssl;
    http2 on;
    server_name jellyfin.my.internal.domain;

    ssl_certificate     /etc/nginx/ssl/my.internal.domain/my.internal.domain.crt;
    ssl_certificate_key /etc/nginx/ssl/my.internal.domain/my.internal.domain.key;

    ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
    client_max_body_size 20M;

    # Security / XSS Mitigation Headers
    add_header X-Content-Type-Options "nosniff";

    # Permissions policy. May cause issues with some clients
    #    add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;

    # Content Security Policy
    # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
    # Enforces https content and restricts JS/CSS to origin
    # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
    add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";

    access_log /var/log/nginx/jellyfin/jellyfin.access.log;
    error_log /var/log/nginx/jellyfin/jellyfin.error.log;

    location / {
        # Proxy main Jellyfin traffic
        set_real_ip_from 10.200.200.2;
        proxy_pass http://jellyfin:8096;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;

        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
        proxy_buffering off;
    }

    location /socket {
        # Proxy Jellyfin Websockets traffic
        set_real_ip_from 10.200.200.2;
        proxy_pass http://jellyfin:8096;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }
}
server {
    listen 443 ssl;
    http2 on;
    server_name jellystats.my.internal.domain;
    include /etc/nginx/conf.d/jellyfinsecure.conf;

    access_log /var/log/nginx/jellyfin/jellystats.access.log;
    error_log /var/log/nginx/jellyfin/jellystats.error.log;

    location / {
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   Host $host;
        proxy_pass         http://jellystat:3000/;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection "upgrade";
    }
}

and jellyfinsecure.conf contains

Code:

ssl_certificate     /etc/nginx/ssl/my.internal.domain/my.internal.domain.crt;
    ssl_certificate_key /etc/nginx/ssl/my.internal.domain/my.internal.domain.key;
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

the above block was what I was previously using however I removed it from the include for the server block for troubleshooting purposes

Command Output

Code:

$ curl --head -i -k https://jellyfin.my.internal.domain
HTTP/2 302
server: nginx
date: Mon, 10 Mar 2025 17:27:21 GMT
location: web/
x-content-type-options: nosniff
content-security-policy: default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'

[TheDreadPirate]

Code:

add_header X-Frame-Options "SAMEORIGIN" always;

This one is known to be problematic for WebOS.

Code:

add_header X-XSS-Protection "1; mode=block" always;

I believe this one is OBE and should be removed.

Remove both, reload nginx, then try again.

[dnightbane]

Both of those lines aren't in the jellyfin server block but I commented them out along with all the other add headers in the jellyfinsecure.conf file

Code:

ssl_certificate     /etc/nginx/ssl/my.internal.domain/my.internal.domain.crt;
    ssl_certificate_key /etc/nginx/ssl/my.internal.domain/my.internal.domain.key;
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    #add_header Referrer-Policy "no-referrer" always;
    #add_header X-Content-Type-Options "nosniff" always;
    #add_header X-Download-Options "noopen" always;
    #add_header X-Frame-Options "SAMEORIGIN" always;
    #add_header X-Permitted-Cross-Domain-Policies "none" always;
    #add_header X-Robots-Tag "none" always;
    #add_header X-XSS-Protection "1; mode=block" always;

I restarted nginx and tested but i'm still getting error code -27. Could it be something to do with the Let's Encrypt certificates that I'm using?

[TheDreadPirate]

Did they expire?

Also try commenting out the CSP line in jellyfin.conf.

[dnightbane]

Nope, certificate is valid

Code:

Issuer: C=US, O=Let's Encrypt, CN=R10
        Validity
            Not Before: Jan  7 13:44:23 2025 GMT
            Not After : Apr  7 13:44:22 2025 GMT

HOWEVER commenting out the CSP line allowed the screen to move on to the username/password screen and I was able to login and play something

Code:

# Content Security Policy
    # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
    # Enforces https content and restricts JS/CSS to origin
    # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
    #add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";

[TheDreadPirate]

Huzzah. Could have sworn the documented CSP was fine for WebOS. Noted.