SOLVED: Nginx http2 issues

[Grass]

So I am using Ubuntu server to run Jellyfin with Nginx, LetsEncrypt and DuckDNS. I got it fully working in Ubuntu server 22.04 and when I upgraded it to 24.04, it broke Nginx (same http2 config file issue) so I reinstalled my OS as well as the other services, yet face the same issue.
When I try to connect to my DuckDNS URL, I get a 502 bad gateway page from Nginx.

When I run sudo nginx -t it says

Code:

2024/09/01 07:34:45 [warn] 1725#1725: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:1
2024/09/01 07:34:45 [emerg] 1725#1725: unknown directive "http2" in /etc/nginx/conf.d/jellyfin.conf:12
nginx: configuration file /etc/nginx/nginx.conf test failed

When I disable that line it reads below, but it still is a bad gateway.

Code:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

 

when I don't use the sudo in front of it it reads (but this is not an issue right?)

Code:

2024/09/01 07:36:04 [warn] 1741#1741: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:1
2024/09/01 07:36:04 [emerg] 1741#1741: cannot load certificate "/etc/letsencrypt/live/REDACTED.duckdns.org/fullchain.pem": BIO_new_file() failed (SSL: error:8000000D:system library::Permission denied:calling fopen(/etc/letsencrypt/live/ REDACTED.duckdns.org/fullchain.pem, r) error:10080002:BIO routines::system lib)
nginx: configuration file /etc/nginx/nginx.conf test failed

  

I used the documentation for the jellyfin.conf file at https://jellyfin.org/docs/general/networking/nginx

here is my jellyfin.conf file

server {
    server_name REDACTED.duckdns.org;

    # Uncomment to redirect HTTP to HTTPS
    # return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name REDACTED.duckdns.org;

    ## The default client_max_body_size is 1M, this might not be enough for some posters, etc.
    client_max_body_size 20M;

    # Uncomment next line to Disable TLS 1.0 and 1.1 (Might break older devices)
    # ssl_protocols TLSv1.3 TLSv1.2;

    # use a variable to store the upstream proxy
    # in this example we are using a hostname which is resolved via DNS
    # (if you aren't using DNS remove the resolver line and change the variable to point to an IP address e.g set $jellyfin 127.0.0.1)
    set $jellyfin jellyfin;
    resolver 127.0.0.1 valid=30s;

    ssl_certificate /etc/letsencrypt/live/ REDACTED.duckdns.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ REDACTED.duckdns.org/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    add_header Strict-Transport-Security "max-age=31536000" always;
    ssl_trusted_certificate /etc/letsencrypt/live/ REDACTED.duckdns.org/chain.pem;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Security / XSS Mitigation Headers
    # NOTE: X-Frame-Options may cause issues with the webOS app
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";

    # COOP/COEP. Disable if you use external plugins/images/assets
    add_header Cross-Origin-Opener-Policy "same-origin" always;
    add_header Cross-Origin-Embedder-Policy "require-corp" always;
    add_header Cross-Origin-Resource-Policy "same-origin" always;

    location = / {
        #return 302 http://$host/web/;
        return 302 https://$host/web/;
    }

    location / {
        # Proxy main Jellyfin traffic
        proxy_pass http://$jellyfin:8096;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;

        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
        proxy_buffering off;
    }

    location /socket {
        # Proxy Jellyfin Websockets traffic
        proxy_pass http://$jellyfin:8096;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }
}

Any help would be greatly appreciated! I have been at this for hours

[TheDreadPirate]

Change this

Code:

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name REDACTED.duckdns.org;

to

Code:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name REDACTED.duckdns.org;

[mcarlton00]

Be aware that http2 will also cause some weird breakages in certain clients, in case you run into issues you may want to try disabling it.

[TheDreadPirate]

BUT, your setup should have worked if http2 was installed. Run this command to make sure that the http2 module is installed.

Code:

strings /usr/sbin/nginx | grep http2

If nginx isn't at /usr/sbin, try /usr/bin.

---

Upon reading more documentation, the "http2 on" line may be OBE? Researching more. I will update our docs if needed.

[TheDreadPirate]

Looks like it is the other way around.

What version of Nginx are you running?

[Grass]

Looks like it is the other way around.
What version of Nginx are you running?

nginx version: nginx/1.24.0 (Ubuntu)

My output for that command

http2_idle_timeout
http2_recv_timeout
http2_max_header_size
http2_max_field_size
http2_max_requests
http2_recv_buffer_size
http2_pool_size
http2_max_concurrent_streams
http2_max_concurrent_pushes
http2_body_preread_size
http2_streams_index_size
http2_chunk_size
http2_push_preload
http2_push
http2
http2 push resource
http2 pushing:%ui limit:%ui
http2 table size update: 0
http2 push header: "%V: %V"
http2 header filter
http2 push resources
http2 parse link: "%V"
http2 send chain: %p
http2 flood detected
http2 state connection error
http2 preface verified
http2 lingering close handler
http2 read handler
init http2 connection
http2 send SETTINGS frame
http2 write event timed out
http2 write handler
skipping http2 DATA frame
http2 preread buffer overflow
unknown http2 stream
http2 header: ":%V: %V"
http2 header: "%V: %V"
http2 %s string, len:%i
skipping http2 HEADERS frame
http2 get indexed %s: %ui
http2 close stream handler
http2 request line: "%V"
http2 run request handler
http2 setting %ui:%ui
http2:%ui adjusted window: %z
http2 SETTINGS frame
http2 frame skip %uz of %uz
http2 frame skip %uz
http2 PING frame
http2 table add: "%V: %V"
http2 process request body
no space in http2 body buffer
http2 body update chains
http2 request body recv %uz
http2 request body rest %O
http2 negative window update
http2 idle handler
http2 huffman decoding error at state %d: bad code 0x%Xd
http2 huffman decoding error: incomplete code 0x%Xd
http2:%ui create HEADERS frame %p: len:%uz fin:%ui
http2 push header: ":method: GET"
http2 push header: ":path: %V"
http2 push header: ":scheme: %V"
http2:%ui create PUSH_PROMISE frame %p: sid:%ui len:%uz
http2 output header: ":status: %03ui"
http2 output header: "server: %s"
http2 output header: "server: nginx"
http2 output header: "date: %V"
http2 output header: "content-type: %V"
http2 output header: "content-length: %O"
http2 output header: "last-modified: %*s"
http2 output header: "location: %V"
http2 output header: "vary: Accept-Encoding"
http2 output header: "%*s: %V"
http2:%ui HEADERS frame %p was sent partially
http2:%ui HEADERS frame %p was sent
http2:%ui PUSH_PROMISE frame %p was sent partially
http2:%ui PUSH_PROMISE frame %p was sent
http2:%ui DATA frame %p was sent partially
http2:%ui DATA frame %p was sent
http2:%ui windows: conn:%uz stream:%z
http2 output trailer: "%*s: %V"
http2:%ui create DATA frame %p: len:%uz flags:%ui
http2 frame type:%ui f:%Xd l:%uz sid:%ui
http2 frame out: %p sid:%ui bl:%d len:%uz
http2 frame sent: %p sid:%ui bl:%d len:%uz
http2 HEADERS frame sid:%ui depends on %ui excl:%ui weight:%ui
http2 new hpack table size: %uz was:%uz
http2 send WINDOW_UPDATE frame sid:%ui, window:%uz
http2 send RST_STREAM frame sid:%ui, status:%ui
http2 send GOAWAY frame: last sid %ui, error %ui
http2 close stream %ui, queued %ui, processing %ui, pushing %ui
http2 retry close stream handler
http2 push stream sid:%ui depends on %ui excl:0 weight:16
http2 frame complete pos:%p end:%p
http2 frame state save pos:%p end:%p handler:%p
http2 PRIORITY frame sid:%ui depends on %ui excl:%ui weight:%ui
http2 RST_STREAM frame, sid:%ui status:%ui
http2 WINDOW_UPDATE frame sid:%ui window:%uz
http2 GOAWAY frame: last sid %ui, error %ui
http2 table account: %uz free:%uz
http2 read client request body handler
http2 read unbuffered request body
http2 handle connection handler
the http2 chunk size cannot be zero
upstream sent too large http2 frame: %uz
upstream sent http2 frame with too long padding: %d in frame %uz
upstream sent invalid http2 table index: %ui
upstream sent invalid http2 dynamic table size update: %ui
upstream sent http2 table index with continuation flag
upstream sent zero http2 header name length
upstream sent too large http2 header name length
upstream sent too large http2 header value length
upstream sent truncated http2 header
upstream sent unexpected http2 frame: %d
upstream sent too short http2 frame
no connection data found for keepalive http2 connection

[TheDreadPirate]

Weird.  Did you try my suggestion from my last post?  I know this works on my system.  Also running 24.04 and the same version of Nginx.

Change this

Code:

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name REDACTED.duckdns.org;

to

Code:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name REDACTED.duckdns.org;

[Grass]

snip

I assume http2 is enabled by default? I saw your command but I don't know if the output indicates if it is enabled. After searching, I could not figure out how to enable it.

I tried you suggestion and the config file is ok according to nginx -v. But I am still getting this page after trying to access

https://REDACTED.duckdns.org/web/  (not the real web address btw)

and I am getting this page

502 Bad Gateway

---

nginx/1.24.0 (Ubuntu)

since it is not giving me a error, I assume my ddns is working so it must be a permission issue, or some way I installed/messed up Jellyfin and Nginx
but Jellyfin works if I access it on my local network through port 8096.

I have also tried disabling my firewall. No dice.

Would I get a bad gateway if I messed up the SSL keys? I think I set it up right...

[TheDreadPirate]

Bad gateway means that Nginx couldn't reach the upstream service/host (Jellyfin)

Comment out this block.

Code:

location = / {
        #return 302 http://$host/web/;
        return 302 https://$host/web/;
    }

Also, you shouldn't be adding "/web/" to the end of the Jellyfin URL.

[Grass]

snip

The provided nginx conf file in documentation was adding the /web for me when I typed in the base URL

I tried your solution and it did not affect my results.

Could my issue have something to do with my jellyfin hostname?

(this)

Code:

set $jellyfin jellyfin;
resolver 127.0.0.1 valid=30s;