SOLVED: Reaching Jellyfin Externally with Different Port

[isat32196]

Hello!

I've made some changes to my setup and I now seem to have an issue with connecting to Jellyfin from outside my network. The setup I have is as follows:

Computer OS: Running Ubuntu 22.04.5 LTS

Reverse Proxy: Nginx 1.18.0

Firewall: UFW

Jellyfin Server Version: 10.9.11

What's Changed:

When I first setup my "server" pc, I was having issues with Nginx being able to look at ports 80 and 443, and ended up port forwarding all incoming traffic on my router from 80 and 443 to higher level ports, and then had Nginx monitor those ports. This worked fine, though I was recently talking with a coworker who mentioned that might not be great for security, and suggested I do it sort of in the reverse - take an external higher level port (say, 30,000) and forward it to 443 internally (recommending that I try to only use HTTPS rather than HTTP). I made that change, made some changes to Nginx, and realized UFW was turned off on my computer. After troubleshooting and eventually resetting that, I was able to give Nginx permissions to monitor the ports.

Currently, the other programs I have running on my computer (FoundryVTT and Freshrss) are reachable externally by using a domain setup via DDNS. So, Foundry for example, is now reachable from https://foundry.domain.net:30000 (changed for obvious reasons). The only one that is not working is Jellyfin, and I can't quite figure out why.

When I try to connect to jellyfin via https://jellyfin.domain.net:30000 , it just sort of times out. I do notice that the web address changes to end with /web/#/, so I believe it's making it at least to nginx, however Jellyfin itself seems to be having a problem? I should mention too internally Jellyfin works fine.

I've tried editing the Nginx configuration so Jellyfin is also monitoring port 80 HTTP traffic, in case it had to for some reason, and that also isn't working. I tried port forwarding a higher level external port (say, 30100) to internal port 80, and connecting via that instead of 30000, but still no good. I've tried disabling ufw, and still doesn't work. I'm a little lost at what else to try.

Below is my current Nginx configuration for Jellyfin, with sensitive information changed:

Code:

#Jellyfin

server {
    listen 80;
    listen [::]:80;
    server_name jellyfin.website.net www.jellyfin.website.net;


    # Uncomment to redirect HTTP to HTTPS
    return 301 https://$host$request_uri;
}

server {
    # Nginx versions prior to 1.25
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name jellyfin.website.net www.jellyfin.website.net;

    # The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
    client_max_body_size 20M;

    # Uncomment next line to Disable TLS 1.0 and 1.1 (Might break older devices)
    # ssl_protocols TLSv1.3 TLSv1.2;

    # use a variable to store the upstream proxy
    # in this example we are using a hostname which is resolved via DNS
    # (if you aren't using DNS remove the resolver line and change the variable to point to an IP address e.g `set $jellyfin 127.0.0.1`)
    set $jellyfin 127.0.0.1;
    resolver 127.0.0.1 valid=30s;

    ssl_certificate ssl certificate location;
    ssl_certificate_key ssl certificate key location;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    add_header Strict-Transport-Security "max-age=31536000" always;
    ssl_trusted_certificate ssl trusted certificate location;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Security / XSS Mitigation Headers
    # NOTE: X-Frame-Options may cause issues with the webOS app
    # add_header X-Frame-Options "SAMEORIGIN";
    # add_header X-XSS-Protection "0"; # Do NOT enable. This is obsolete/dangerous
    # add_header X-Content-Type-Options "nosniff";

    # COOP/COEP. Disable if you use external plugins/images/assets
    add_header Cross-Origin-Opener-Policy "same-origin" always;
    add_header Cross-Origin-Embedder-Policy "require-corp" always;
    add_header Cross-Origin-Resource-Policy "same-origin" always;

    # Permissions policy. May cause issues on some clients
  # add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;

    # Tell browsers to use per-origin process isolation
    add_header Origin-Agent-Cluster "?1" always;


    # Content Security Policy
    # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
    # Enforces https content and restricts JS/CSS to origin
    # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
    # NOTE: The default CSP headers may cause issues with the webOS app
    #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";

    location = / {
        return 302 http://$host/web/;
        #return 302 https://$host/web/;
    }

    location / {
        # Proxy main Jellyfin traffic
        proxy_pass http://127.0.0.1:8096;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;

        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
        proxy_buffering off;
    }

    # location block for /web - This is purely for aesthetics so /web/#!/ works instead of having to go to /web/index.html/#!/
    location = /web/ {
        # Proxy main Jellyfin traffic
        proxy_pass http://127.0.0.1:8096/web/index.html;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }

    location /socket {
        # Proxy Jellyfin Websockets traffic
        proxy_pass http://127.0.0.1:8096;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }
}

[TheDreadPirate]

Remove this section

Code:

location = / {
        return 302 http://$host/web/;
        #return 302 https://$host/web/;
    }

It is redirecting everything to http port 80.

[isat32196]

Hot damn! That was it! Thank you so much!