SOLVED: Nginx reverse proxy issue with Safari on iPhone solved

[ThomasPGH]

I thought others might be interested in this too.

I installed/configured a reverse proxy with nginx for my Jellyfin server. Everything worked fine right from the start apart from sending a "Stream URL" to an iPhone with Safari browser.

I used the configuration at https://jellyfin.org/docs/general/networking/nginx/ as a starting point. However, compared to an Apache reverse proxy for Jellyfin, Safari on the iPhone wouldn't play a video sent via "Copy Stream URL". Safari gives you the options "View" and "Download". "View" doesn't work with the default nginx configuration from above link.

I commented out the following lines:

Code:

# Security / XSS Mitigation Headers
# NOTE: X-Frame-Options may cause issues with the webOS app
#add_header X-Frame-Options "SAMEORIGIN";
#add_header X-XSS-Protection "0"; # Do NOT enable. This is obsolete/dangerous
#add_header X-Content-Type-Options "nosniff";
# COOP/COEP. Disable if you use external plugins/images/assets
#add_header Cross-Origin-Opener-Policy "same-origin" always;
#add_header Cross-Origin-Embedder-Policy "require-corp" always;
#add_header Cross-Origin-Resource-Policy "same-origin" always;
# Permissions policy. May cause issues on some clients
#add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;

Wenn these lines are commented out the "View" button in Safari on an iPhone works again.

I hope someone finds this helpful. Since I'm not a web developer I have no clue what these lines do but without them response headers between Apache and nginx reverse proxies look very similar (compared with web developer tools in Firefox enabled), and the "View" button in Safari works.

[TheDreadPirate]

Can you share the rest of your nginx config? Redact any domain names.

[ThomasPGH]

Can you share the rest of your nginx config?  Redact any domain names.

I'm still in the wake of tidying up and a trial and error phase.
At the moment I split everything up in three nested config files.

I'm natively on Windows (no docker or similar). The (external) reverse proxies are on Apache with ISPConfig, which is easy because the config at https://jellyfin.org/docs/general/networking/apache is pretty much ready to be just copied in ISPConfig's "Option" tab.

The nginx config was necessary because I used Let's Encrypt's certbot to obtain certificates for the domains that directly point to the Jellyfin server's IP address. There's pre-compiled nginx binaries for Windows but no officially supported Windows binaries for Apache, hence the switch to nginx for the internal reverse proxy.