SOLVED: Can't access Jellyfin with my subdomain (NGINX)

[CelianGdfrd]

Hi, I'm trying to install Jellyfin on my Ubuntu server.

ip_address:8096 works, but I can't access Jellyfin with the reverse proxy I've setup.

My Nginx config :

Code:

server {
    server_name REDACTED;

    # Uncomment to redirect HTTP to HTTPS
    return 301 https://$host$request_uri;

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/REDACTED/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/REDACTED/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    # Nginx versions prior to 1.25
#    listen 443 ssl http2;
#    listen [::]:443 ssl http2;

    # Nginx versions 1.25+
    #listen 443 ssl;
    #listen [::]:443 ssl;
    #http2 on;

    server_name REDACTED;

    ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
    client_max_body_size 20M;

    # Comment next line to allow TLSv1.0 and TLSv1.1 if you have very old clients
    ssl_protocols TLSv1.3 TLSv1.2;

#    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
#    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
#    include /etc/letsencrypt/options-ssl-nginx.conf;
#    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
#    ssl_trusted_certificate /etc/letsencrypt/live/example.org/chain.pem;

    # use a variable to store the upstream proxy
    set $jellyfin 127.0.0.1;
    # Security / XSS Mitigation Headers
    add_header X-Content-Type-Options "nosniff";

    # Permissions policy. May cause issues with some clients
    add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media>

    # Content Security Policy
    # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
    # Enforces https content and restricts JS/CSS to origin
    # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
    add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.c>

    location / {
        # Proxy main Jellyfin traffic
        proxy_pass http://$jellyfin:8096;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;

        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
        proxy_buffering off;
    }

    location /socket {
        # Proxy Jellyfin Websockets traffic
        proxy_pass http://$jellyfin:8096;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }
}
server {
    if ($host = REDACTED) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    listen [::]:80;
#    server_name REDACTED;
    return 404; # managed by Certbot


}

Firefox console tells me that my subdomain leads to a ns_error_redirect_loop, not sure how to deal with this. Nginx Log indicates nothing.

I can provide additionnal information if needed. Thank you very much by advance.

[bitmap]

Your first server block you're listening on 443 to redirect to HTTPS. That should be listening on 80, not 443. Check out the config in the docs.

https://jellyfin.org/docs/general/networking/nginx/

[CelianGdfrd]

Your first server block you're listening on 443 to redirect to HTTPS. That should be listening on 80, not 443. Check out the config in the docs.

https://jellyfin.org/docs/general/networking/nginx/

Thank you ! That seems to work. I guess certbot broke my .conf file.

But now my subdomain redirects me to another service, not Jellyfin. I guess that's because I didn't specify a root directory in the conf file. Is there any way to do this ? I don't even know where the Jellyfin root directory lands with the install script.

[bitmap]

From the config:

Code:

location / {
        # Proxy main Jellyfin traffic
        proxy_pass http://$jellyfin:8096;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;

        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
        proxy_buffering off;
    }

It's a location block for the root. You also don't seem to be listening on 443 in the main server block, which might be why you're not getting the right service -- it can't hear the doorbell.

Here's my config, which is only slightly different from the example in the docs:

Code:

server {
    listen 80;
    server_name jellyfin.*;

    # Uncomment to redirect HTTP to HTTPS
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    #http2 on;

    server_name jellyfin.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 60M;

    set $jellyfin 192.168.1.3;
    
    add_header X-XSS-Protection "0"; # Do NOT enable. This is obsolete/dangerous
    add_header Origin-Agent-Cluster "?1" always;

    location / {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app $jellyfin;
        set $upstream_port 8096;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;

        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
        proxy_buffering off;
    }
    

    location ~ (/jellyfin)?/socket {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app $jellyfin;
        set $upstream_port 8096;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
        
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }
}

[CelianGdfrd]

Alright, that's how the top of my .conf file looks now :

Code:

server {
    server_name REDACTED;

    # Uncomment to redirect HTTP to HTTPS
    return 301 https://$host$request_uri;

    listen [::]:80 ssl; # managed by Certbot
    listen 80 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/REDACTED/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/REDACTED/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    # Nginx versions prior to 1.25
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_certificate /etc/letsencrypt/live/REDACTED/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/REDACTED/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

And everything works !

Thank you so much for your help !