2025-07-24, 07:10 PM
currently have Jellyfin installed in an Ubuntu 22.04 lxc container on Proxmox. I've assigned 4 cores and 4GB of RAM to the container. It's installed on a nve disk. I installed it according to the official Jellyfin guide, although I've done countless tests. What's happening, or what I've noticed is that after a reboot of Jellyfin, nginx, or lxc itself, things load quickly. After a while of testing, they take a while to load, even when starting a movie on both the PC and the TV. I have this whole scenario on LAN. I haven't implemented it for network users yet because I've noticed these problems, so everything is still here on my server, my PC, and my phone. I have a DMZ installed, and Jellyfin is behind the DMZ on a route. I've assigned it 40MB of network bandwidth just for local testing. My PC and phone both have 20MB each to play a file locally. When I check the traffic on these devices after a service restart, they have good speeds, even reaching 20MB sometimes, or even that much because it manages to play everything faster. But after a while, or after pausing, updating, or refreshing the website (because I load everything through the web client), everything starts to slow down. When I start a movie, it takes a long time, sometimes it doesn't even start and I have to refresh the website. Other times, the video loads at 10MB, but other times it doesn't even go over 1MB. All of that is local, there's no access from outside. Jellyfin only has internet access so it can update its metadata. Any ideas? I'll post my nginx configuration.
server {
# Nginx versions prior to 1.25
#listen 443 ssl http2;
#listen [::]:443 ssl http2;
# Nginx versions 1.25+
listen 443 ssl;
listen [::]:443 ssl;
#http2 on;
server_name flix.skynet.cu;
## The default
client_max_body_size 20M;
# Comment next line to allow TLSv1.0 and TLSv1.1 if you have very old clients
ssl_protocols TLSv1.3 TLSv1.2;
#ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
#include /etc/letsencrypt/options-ssl-nginx.conf;
#ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
#ssl_trusted_certificate /etc/letsencrypt/live/example.org/chain.pem;
# use a variable to store the upstream proxy
set $flix 127.0.0.1;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
# Permissions policy. May cause issues with some clients
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
# Content Security Policy
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
location / {
# Proxy main Jellyfin traffic
proxy_pass http://$flix:8096;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
}
location /socket {
# Proxy Jellyfin Websockets traffic
proxy_pass http://$flix:8096;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
}
}
server {
listen 80;
listen [::]:80;
server_name flix.skynet.cu;
return 301 https://$host$request_uri;
}
server {
# Nginx versions prior to 1.25
#listen 443 ssl http2;
#listen [::]:443 ssl http2;
# Nginx versions 1.25+
listen 443 ssl;
listen [::]:443 ssl;
#http2 on;
server_name flix.skynet.cu;
## The default
client_max_body_size is 1M, this might not be enough for some posters, etc.client_max_body_size 20M;
# Comment next line to allow TLSv1.0 and TLSv1.1 if you have very old clients
ssl_protocols TLSv1.3 TLSv1.2;
#ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
#include /etc/letsencrypt/options-ssl-nginx.conf;
#ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
#ssl_trusted_certificate /etc/letsencrypt/live/example.org/chain.pem;
# use a variable to store the upstream proxy
set $flix 127.0.0.1;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
# Permissions policy. May cause issues with some clients
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
# Content Security Policy
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
location / {
# Proxy main Jellyfin traffic
proxy_pass http://$flix:8096;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
}
location /socket {
# Proxy Jellyfin Websockets traffic
proxy_pass http://$flix:8096;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
}
}
server {
listen 80;
listen [::]:80;
server_name flix.skynet.cu;
return 301 https://$host$request_uri;
}