No servers found when using reverse proxy.

[jersak]

I'm new to jellyfin, just got my first server setup.

Running on baremetal Ubuntu 24.04
8th gen Intel I5
GTX 1050
8 GB ram
500 GB SSD for OS/Jellyfin
Media on an external SSD
Jellyfin 10.10.5
nginx 1.24.0 as reverse proxy

If I connect using the LAN IP:port, everything works fine. I can watch my stuff just fine from either browsers on other computers in the house, my android TV, iphone, it's great.
However I was setting up a reverse proxy so, in the future, I can have it available outside my LAN for when im not home (yeah i know its not a good idea, but not the point here) and it mostly goes fine but when i try to access it through jellyfin.mydomain i get to the landing jellyfin page and i get a message saying "No servers have been found using the automatic server discovery". Trying to manually add a server using the LAN IP obviously doesn't work.

I've read so many guides and posts, made sure no firewall is enabled/blocking, etc, to no avail. This seems like a problem with either the jellyfin networking settings or my nginx config, but I'm at a loss at this point. Has anyone went through anything similar?

[bitmap]

Can you share your nginx config?

[jersak]

Can you share your nginx config?

/etc/nginx/sites-available (also symlinked to sites-enabled)

Code:

server {
    listen 80;
    listen [::]:80;
    server_name jellyfin.mydomain.com; #omitted from post

    # Uncomment to redirect HTTP to HTTPS
    return 301 https://$host$request_uri;
}

server {
    # Nginx versions prior to 1.25
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # Nginx versions 1.25+
    #listen 443 ssl;
    #listen [::]:443 ssl;
    #http2 on;

    server_name jellyfin.mydomain.com; #omitted from post

    ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
    client_max_body_size 20M;

    # Comment next line to allow TLSv1.0 and TLSv1.1 if you have very old clients
    ssl_protocols TLSv1.3 TLSv1.2;

    ssl_certificate /etc/letsencrypt/live/jellyfin.mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/jellyfin.mydomain.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/jellyfin.mydomain.com/chain.pem;

    # use a variable to store the upstream proxy
    set $jellyfin 127.0.0.1;

    # Security / XSS Mitigation Headers
    add_header X-Content-Type-Options "nosniff";

    # Permissions policy. May cause issues with some clients
    add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;

    # Content Security Policy
    # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
    # Enforces https content and restricts JS/CSS to origin
    # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
    add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";

    location / {
        # Proxy main Jellyfin traffic
        proxy_pass http://$jellyfin:8096;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;

        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
        proxy_buffering off;
    }

    location /socket {
        # Proxy Jellyfin Websockets traffic
        proxy_pass http://$jellyfin:8096;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }
}

[TheDreadPirate]

That looks like a copy and paste from our docs (huzzah!). Obviously with your domain for the server_name.

Try clearing your browser cache? Or use an incognito tab. Also make sure you didn't tell Jellyfin to bind just to your LAN IP since you are using your local loopback address in Nginx. Speaking of, you could also try using the LAN IP of your server instead of the local loopback.

[jersak]

Hmm, I assume you meant binding it using the jellyfin settings right (Dashboard > Networking > Bind to local network address) right?



If so, no dice. I tried binding it to:
- Lan IP and 0.0.0.0 - Same behavior.
- 127.0.0.1 for shits and giggles - Makes it only accessible inside the server machine through localhost.

Incognito/clearing cache also didn't help.

Do I need to make some change in my networking setup? Like port forwarding of any kind, hosts file, etc, even if only used within my lan? I'm assuming not but just to be sure...
Tracerout of my personal domain never leaves my network so i didn't think so, but i noticed now it stops at my router and not at the actual server, so that might be it?

[TheDreadPirate]

0.0.0.0 = bind to all interfaces available
127.0.0.1 = only bind to local loop back.

You would need to use your LAN IP in the bind field. Usually 192.168.X.X or 10.X.X.X. Once you do this you would need to update Nginx to use that LAN IP instead of 127.0.0.1.

[jersak]

Not working unfortunately.

I updated the nginx config file to use my LAN IP (set $jellyfin 10.0.0.68;).
I've set the value of the field "Bind to local network addres" to the same LAN IP: 10.0.0.68.

Restarted both nginx and jellyfin. Still the same behavior.

One question: when you create your DNS "A Record", do you use your WAN IP or your LAN IP?

[TheDreadPirate]

WAN IP.

Can you share the output of "sudo ufw status"?

[jersak]

It is inactive. I've checked for and disabled every possible firewall and similar i could find references to. I think i'm gonna give up for now. This isn't super important tbh since i can use it just fine inside my LAN.
I'll try again in the future, maybe using Caddy or Apache.

[TheDreadPirate]

UFW is a firewall frontend (UI) for either iptables of nftables. UFW being inactive simply means that rules created in UFW aren't applied to the actual firewall. We WANT UFW to be active and the rules created.

Code:

sudo ufw enable
sudo ufw allow 8096
sudo ufw allow 7359/udp
sudo ufw allow 1900/udp

Port 7359 UDP is used for service discovery (currently bugged) and 1900 UDP is for DLNA (don't bother if you don't use this).