2024-06-19, 07:52 PM
That very well could be it. Let me investigate what this fail2ban config could look like against nginx. Thanks for brainstorming with me!
2024-06-19, 08:04 PM
(This post was last modified: 2024-06-19, 08:05 PM by TheDreadPirate. Edited 1 time in total.)
You wouldn't need to set up a separate fail2ban config for nginx. You'd stream the Jellyfin logs to the nginx container, or put the Jellyfin logs in a place both containers can read, and then set up the exact same fail2ban Jellyfin config you are using now but on the nginx container.
2024-06-19, 08:50 PM
Your other option is to configure Jellyfin to write logs to a non-standard directory and that directory is a mapped volume on both nginx and jellyfin. Or symlinks.
2024-06-19, 09:24 PM
Problem solved. Guidance seems to be that fail2ban should be on the most edge server in the network so your thinking was correct. Using this guide (https://betterstack.com/community/guides...og-server/) I set up an rsyslog server/client setup. On the client, I then streamed the JF logs into rsyslog, then forwarded the logs from .106 to .108. I migrated my f2b implementation to .108 as well and boom, it works.
Here's my custom config file for rsyslog:

    # Forward logs to rsyslog server
    *.* @@192.168.1.108:514

    module(load="imfile" PollingInterval="10")   # needs to be done just once
    input(type="imfile" File="/home/<username>/jellyfin/config/log/log*.log" Tag="jellyfin")

    # Note: "jellyfin" is not a syslog facility, so a "jellyfin.*" selector is not valid rsyslog
    # syntax, and a glob cannot be an output file. The imfile messages tagged above are already
    # forwarded by the *.* rule, so this last line is not needed:
    # jellyfin.* /home/<username>/jellyfin/config/log/log*.log
2024-12-07, 04:45 PM
Hey Guys,
I am struggling with a similar problem. I already googled a bunch of stuff and tried a lot, but all failed. Goal is to get the X-Real-Ip shown in Jellyfin to really distinguish between requests from external users and bandwidth configuration.

This is my setup:
* I am using a fritz.box exposing port 443 to the web.
* My domain provider forwards requests to subdomains to my "myfritz-dyndns" address, i.e. to my fritz.box.
* Behind my fritz.box I have a raspberry-pi with docker. It uses traefik as reverse-proxy.
* Additionally I am using an adguard in docker as a dns-ad-blocker. Setup is running fine so far.
* I have a self-signed cert with lets-encrypt to run some stuff on my pi with HTTPS using an acme-dns-challenge (which also works like a charm for e.g. my password-manager).

Now comes the tricky part:
* In my home-network there is also an ubuntu-machine running another traefik as reverse-proxy to host some services.
* Jellyfin runs on that server.

This is my traefik-server-configuration:

    [providers.file]
      directory = "/etc/traefik"

    [entryPoints]
      [entryPoints.web]
        address = ":80"
      [entryPoints.jellyfin1]
        address = ":1900/udp"
      [entryPoints.jellyfin2]
        address = ":7359/udp"
      [entryPoints.web.forwardedHeaders]
        trustedIps = ["192.168.178.50"]   # raspberry-pi host-ip

    [api]
      dashboard = true
      insecure = true

    [providers.docker]
      endpoint = "unix:///var/run/docker.sock"
      watch = true
      exposedByDefault = false
      network = "skynet"

    [log]
      level = 'WARN'

This is my traefik on my pi:

    [providers.file]
      directory = "/etc/traefik"

    [entryPoints]
      [entryPoints.web]
        address = ":80"
        [entryPoints.web.http]
          [entryPoints.web.http.redirections]
            [entryPoints.web.http.redirections.entryPoint]
              to = "websecure"
              scheme = "https"

    [api]
      dashboard = true
      insecure = true

    [providers.docker]
      endpoint = "unix:///var/run/docker.sock"
      watch = true
      exposedByDefault = false
      network = "skynet"

    [log]
      level = 'WARN'

and the dynamic-conf of my pi-traefik (relevant part):

    [http]
    ...
      [http.routers.jellyfin]
        rule = "Host(`subdomain.domain.web`)"
        entryPoints = ["websecure"]
        service = "jellyfin"
        tls = true

      [http.services]
        [http.services.jellyfin.loadBalancer]
          [[http.services.jellyfin.loadBalancer.servers]]
            url = "http://192.168.178.51:80"

    [udp]
      [udp.routers]
        [udp.routers.jellyfinudp1900]
          entryPoints = ["p1900"]
          service = "jellyfin-1900"
        [udp.routers.jellyfinudp7359]
          entryPoints = ["p7359"]
          service = "jellyfin-7359"

      [udp.services]
        [udp.services.jellyfin-1900.loadBalancer]
          [[udp.services.jellyfin-1900.loadBalancer.servers]]
            address = "192.168.178.51:1900"
        [udp.services.jellyfin-7359.loadBalancer]
          [[udp.services.jellyfin-7359.loadBalancer.servers]]
            address = "192.168.178.51:7359"

The setup works fine, my server is accessible over the web, on my tv, app or pc. In Jellyfin I set the "known-proxies" in the network settings to the ip of the traefik of my server (which is the 172.18... for the local docker network), the name of the docker-host, the hostname of the pi and the ip of my raspberry pi (192.168.178.50), so: 172.18.0.2, 192.168.178.50, traefik, raspberry

To check my configuration I ran "traefik/whoami" from traefik to test what is sent to it. I fired it up on my server and set the listen-address to port 80 (for this my traefik on the server is shut down temporarily), then typed my subdomain.domain.web in my browser and got this:

    Hostname: e12a1eb262b3
    IP: 127.0.0.1
    IP: ::1
    IP: 172.18.0.2
    RemoteAddr: 192.168.178.50:44414   # note -> this is the raspberry-pi ip
    GET / HTTP/1.1
    Host: subdomain.domain.web
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding: gzip, deflate, br, zstd
    Accept-Language: en-GB,de;q=0.5
    Dnt: 1
    Priority: u=0, i
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: none
    Sec-Fetch-User: ?1
    Sec-Gpc: 1
    Te: trailers
    Upgrade-Insecure-Requests: 1
    X-Forwarded-For: HERE_WAS_MY_EXTERNAL_IP_SHOWN_IN_FRITZ_BOX
    X-Forwarded-Host: subdomain.domain.web
    X-Forwarded-Port: 443
    X-Forwarded-Proto: https
    X-Forwarded-Server: 51e955e860a1
    X-Real-Ip: HERE_WAS_MY_EXTERNAL_IP_SHOWN_IN_FRITZ_BOX

However, in the logs and activity-log in the ui of Jellyfin only the ip of the docker-container (on my server) is shown. I noticed that the behaviour is different depending on which ip-address is used as first entry in the input-field in the ui. If I use the ip of my raspberry-pi first, it shows the docker-ip from the traefik-container of the server (so basically the localhost traefik ip). If I use the traefik-ip first, it shows the ip from my raspberry pi.

Sadly I am out of ideas on how to solve this issue. Using this I am not able to limit bandwidth for external access. Is there anything I've missed?

I wish all of you a lovely christmas-time and hope your server works on xmas-eve to enjoy some movies. Like Die-Hard
2024-12-07, 10:29 PM
The known proxies field only accepts IP addresses.
2024-12-08, 10:29 AM
(This post was last modified: 2024-12-08, 10:30 AM by Fetzi. Edited 1 time in total.)
Hey @TheDreadPirate:
Thanks for your reply. The input-field in the gui states "ip addresses or hostnames of known proxies." So I tried it. Nevertheless, removing the hostnames from the list leaves me with 2 ip-addresses which have the exact behaviour described above (depending on which is written first in a comma-separated list). I just tested it with several reboots of the whole docker-container (not just the restart of the server when saving the network-settings).
2024-12-08, 03:08 PM
Is your Jellyfin container publishing ports or exposing ports? In my setup I had to add the docker bridge gateway IP to my known proxies when using "expose". I used to publish port 8096 and I had to add the docker host IP and router IP as known proxies.
2024-12-08, 03:43 PM
Yes, I do expose ports (8086, udp and tcp 1900, 7359 as described in my first post).
I have to do this to use Jellyfin with my local ip for my tv. (If not, a request from the tv would have to use my domain, which in return would be an external request.) So yes, I do expose ports and put the docker-bridge ips in the input field. I can confirm now that it is working, but this is what I had to do:

    172.18.0.0/16, 172.16.0.0/12, 192.168.178.50/32

-> without adding the subnet it will not work in my setup! As you can see I use the docker-traefik ips and the real ip of the raspberry-pi as known-proxy list. Now it correctly can detect external/internal ip-addresses. It would be nice if the text for the configuration would reflect that. And, if as you said hostnames aren't supported at all, it shouldn't state that in the description. Hope this helps!
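Why both proxies (and a CIDR for the docker bridge) have to be in the known list: as an added illustration, not Jellyfin's or Traefik's code, here is a simplified model of how a forwarded-headers middleware walks X-Forwarded-For from the right, only trusting a hop while the current peer is a known proxy. The addresses mirror the thread (172.18.0.2 = server traefik, 192.168.178.50 = pi); 203.0.113.7 is a constructed external client, and the ASP.NET-style forward limit is an assumption.

```python
import ipaddress
from typing import Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_known_proxies(entries: Iterable[str]) -> List[Network]:
    """Parse a comma-style known-proxies list into networks.

    Single addresses become /32 (or /128) networks. Hostnames such as
    "traefik" or "raspberry" are dropped, modelling the observation in this
    thread that only IP addresses are honoured.
    """
    nets: List[Network] = []
    for entry in entries:
        entry = entry.strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            pass  # hostname or garbage: ignored, not resolved
    return nets


def is_known(addr: str, known: List[Network]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in known)


def resolve_client_ip(remote_addr: str, xff_header: Optional[str],
                      known: List[Network],
                      forward_limit: Optional[int] = None) -> str:
    """Return the client IP the way a right-to-left XFF walk would.

    Starting from the TCP peer, each rightmost XFF hop replaces the current
    address only while the current address is a known proxy. A header sent by
    an unknown peer is therefore never trusted (spoofing defence), and a chain
    of two proxies needs BOTH of them in the known list to reach the client.
    """
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    current, steps = remote_addr, 0
    while hops and is_known(current, known):
        if forward_limit is not None and steps >= forward_limit:
            break  # constructed analogue of a ForwardLimit setting
        candidate = hops.pop()  # rightmost hop = the proxy closest to us
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break  # malformed hop: stop, keep last trusted address
        current, steps = candidate, steps + 1
    return current
```

With only one of the two proxies listed the walk stops after zero or one hop, which is exactly the "shows the docker ip" / "shows the pi ip" symptom from the first post.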