pfsense + HAProxy setup for JellyFin

[Protos]

I've been trying to do this forever and I am completely stuck. I have a working cert from ACME but that's as far as I've gotten. I've changed so many settings so many times in HAProxy but nothing even tries to work. Does anyone have a working setup with HAProxy on pfsense? If so, please share your wizard magic. I would greatly appreciate it... I've attached images of my setup below. And yes, I did enable HAProxy in the general settings. I know thats a common thing people miss

[TheDreadPirate]

Did you read this walkthrough in our guide section?

https://forum.jellyfin.org/t-haproxy-on-...ks-and-all

[Protos]

Yeah and still no luck...

[TheDreadPirate]

Pretty sure for the "server list", you should be specifying port 8096 and http instead of 443 and https. It is already 443/https on the external connection.

[Protos]

Ah yeah I noticed that and I changed it a few days ago but still nothing

[joshuaboniface]

What exactly isn't working about it?

I'm not super familiar with pfSense's GUI wrapper on top of HAProxy, but I have had this working in the past. Here was my backend section:

Code:

backend jfX_http
    mode http
    balance leastconn
    cookie SERVERID insert indirect nocache
    stick store-request src
    stick-table type ip size 200k expire 30m peers keepalived-pair
    option httpchk GET /health HTTP/1.1\r\nHost:\ jellyfin
    option forwardfor
    timeout queue 5000
    timeout server 32000000
    timeout connect 5000
    acl no_BAD path_reg -i ^\/Images\/Remote
    acl no_BAD path_reg -i ^\/Items\/RemoteSearch\/Image
    acl no_BAD path_reg -i ^\/Items\/[^\.]*\/RemoteImages\/Download
    http-request redirect location https://i.ytimg.com/vi/avCWDDox1nE/maxresdefault.jpg if no_BAD
    http-response set-header X-Frame-Options SAMEORIGIN
    http-response set-header X-XSS-Protection "1;mode=block"
    http-response set-header Referrer-Policy "no-referrer,same-origin,strict-origin,strict-origin-when-cross-origin"
    http-response set-header X-Content-Type-Options nosniff
    http-response set-header Strict-Transport-Security max-age=31536000;includeSubDomains;preload
    http-response set-header Content-Security-Policy  "default-src 'none'; font-src 'self'; connect-src 'self' wss: ws: https://mb3admin.com; media-src 'self' blob: data:; manifest-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; worker-src 'self' blob:; script-src 'unsafe-inline' 'self' https://www.gstatic.com; img-src data: https: http: ; style-src 'unsafe-inline' 'self'"
    server jf1 192.168.0.100:8096/ check inter 5000 cookie jf1

That said, I moved to NGiNX for Jellyfin and avoid sending it through my load balancer at this point; I'd recommend the same as it makes the TLS stuff easier and such.

[Protos]

This is what currently lies in my Backend Pass-thru settings:

Code:

http-request set-header X-Forwarded-Port %[dst_port]   
http-request add-header X-Forwarded-Proto https if { ssl_fc }
server JellyFin 192.168.0.157:8096
http-response set-header Access-Control-Allow-Origin https://movies.protostv.com
http-response set-header Cache-Control "no-cache, no-store, must-revalidate, private"
http-response del-header Server