Reverse-proxy working on web/windows app but not working on android app

[Javier Fernandez Romeo]

Hello all.

I have a NPM docker as reverse proxy for my web services exposed to internet, configured with SSL via a Lets Encrypt certificate with a wildcard for my domain (*.domain.com).

Everything works great if I try to access securely Jellyfin via a web browser or the windows app (https://jellyfin.domain.com:443), but I cannot access on android based app which is precisely the one I am interested in (androidTV user).

I have read that could be something related to Jellyfin rejecting the self created SSL certificate via Lets Encrypt, but I have tried to configure the access on my proxy via http (no SSL) and it is inaccessible aswell (http://jellyfin.domain.com:80), so I am pretty lost about why on the android app it is not working.

In the offical support web it states that Jellyfin is prepared to be run behind a reverse proxy (https://jellyfin.org/docs/general/networking/).

Anyone has any hint?

Thanks in advance.

[xaque]

I'm not sure if this is going to be any help or anything, but have you tried just the domain name without the ports? I have no issue using the android client using a reverse proxy (caddy), but I don't enter in any ports, just the domain url.

[TheDreadPirate]

I'm still trying to figure out subdomains myself, can't help there.

But I just wanted to add that LetsEncrypt produces legit certs with a legit certificate authority. So unless your Android TV is waaaaaay out of date, it should view your cert as legit.

[Javier Fernandez Romeo]

I'm not sure if this is going to be any help or anything, but have you tried just the domain name without the ports? I have no issue using the android client using a reverse proxy (caddy), but I don't enter in any ports, just the domain url.

Yeah. For simplicity I did not specify that I am not using a subdomain (jellyfin.domain.org) but a sub-subdomain (jellyfin.domain.duckdns.org), and I am not using the default ports (80/http and 443/https) but custom ones (8080/http and 4443/https) so I have to enter the ports where the proxy is listening.

So my Jellyfin server is discoverable on:

• http://jellyfin.domain.ducksdns.org:8080
  
• https://jellyfin.domain.duckdns.org:4443
  

On a web browser and in the windows app it works like a charm, but not in the android app. I am currently direct playing on my chrome tab on my androidTV until I figure out why it does not work on the android app.

I have web sockets enabled on nginx-proxy-manager in case it helps.

Thank you.

I'm still trying to figure out subdomains myself, can't help there.

But I just wanted to add that LetsEncrypt produces legit certs with a legit certificate authority.  So unless your Android TV is waaaaaay out of date, it should view your cert as legit.

It's an Nvidia Shield Pro 2019 on latest firmware so I guess it is updated.

Thank you.

[hsj]

Is your Android device still connected to the same wifi or lan where the NAS is connected to?

If so, try and connect to a server outside of the NAS network.

I just did a test and couldn't connect to my https://'domain name':8090 (DNS reverse proxy) while still on wifi. Only to my https://'nas ip adress':8096 (local jellyfin access on Nas)
Turned off the wifi and went to mobile data and it was the other way around.

The reverse proxy only works outside the network I guess.

[goerdi]

Hi !

Why are you using the custom ports ? The sense of a reverse proxy is to use the "Standard" ones.
I'm using jellyfin through apache reverse proxy with a regular subdomain of my domain (as a vhost) so i would need jellyfin only running on localhost interface because apache is running on the same machine....

Ciao Gerd

[TheDreadPirate]

Hi !

Why are you using the custom ports ? The sense of a reverse proxy is to use the "Standard" ones.
I'm using jellyfin through apache reverse proxy with a regular subdomain of my domain (as a vhost) so i would need jellyfin only running on localhost interface because apache is running on the same machine....

Ciao Gerd

I use custom ports to obfuscate my server from scanning services like Shodan and from low effort script kiddies.  My router supports rsyslog so I send the router logs to my server.  On my server I setup fail2ban to read the router logs, which includes when the router blocks unsolicited accesses on ports that aren't open.  If one of these scanning services or script kiddies happens to hit my actual Jellyfin port it will have already been blocked on the server's firewall by fail2ban.