SOLVED: Reverse Proxy

[teledyn]

I followed the instructions on https://jellyfin.org/docs/general/networking/apache and Jellyfin works fine from the LAN, but using Firefox or the Android app from outside, it says the server is not found, if I connect to the same url from the LAN (where the IP will be dnsmasq'd as local) the app works, but if I then switch off wifi, it times out.

I have apache and jellyfin on the same machine and have used both the LAN IP and 127.0.0.1 as the SERVER_IP in the apache config, and have added the LAN IP and the public IP to KnownProxies in jellyfin.conf (together and separately). My apache2 site config is identical to the networking/apache, only changes are hostname and SERVER_IP, and my certbot certificates are fine. I also tried port-forwarding 8096 to the jellyfin machine, but still no remote access.

In the logs I see:

Code:

[Mon Aug 19 18:19:17.753566 2024] [proxy:error] [pid 618922:tid 618953] (111)Connection refused: AH00957: http: attempt to connect to 192.168.0.13:8096 (192.168.0.13:8096) failed
[Mon Aug 19 18:19:17.753816 2024] [proxy_http:error] [pid 618922:tid 618953] [remote 72.143.201.81:58788] AH01114: HTTP: failed to make connection to backend: 192.168.0.13

with this using the example conf:

Code:

ProxyPass "/socket" "ws://192.168.0.13:8096/socket"
   ProxyPassReverse "/socket" "ws://192.168.0.13:8096/socket"

   ProxyPass "/" "http://192.168.0.13:8096/"
   ProxyPassReverse "/" "http://192.168.0.13:8096/"

which works fine on the LAN.

Is there some other essential step?

[goerdi]

hi !

Are you using an extra virtual host for jellyfin ? or only the base URL ?

Ciao Gerd

[TheDreadPirate]

Can you share the full apache config? Censor the domain name.

[teledyn]

Can you share the full apache config?  Censor the domain name.

If I censor the domain name, I believe it will read absolutely identical to the example given in networking/apache but I've attached it.

---

hi !

Are you using an extra virtual host for jellyfin ? or only the base URL ?

Ciao Gerd

I am not sure what you mean by extra virtual hosts, but yes, this is a virtual host sharing apache with four other virtual hosts. Are you thinking that some of the communications from Jellyfin may be referring to itself only as an IP and so any requests coming in would go to the Apache default?

[teledyn]

To clarify my setup here, I have an RPI 4B+ that is running dnsmasq and apache2; this unit has no firewall itself, but it is behind a Hitron router that forwards ports 80 and 443 to the RPI. All domains will appear as LAN IPs within the lan (because dnsmasq is the nameserver) and as the router's IP to the outside world. I have Wordpress, Icecast2 and Nextcloud running on this setup without issue, Pixelfed too although I believe its trouble not accepting follows' Stories is a postgresql issue, and Mobilizon which also seems to function fine (the software itself is clunky). This is all running under Debian12 and using PHP8.3-FPM.

In the networking.xml I have tried the IP of the apache machine (same as the jellyfin machine) and the public IP of the router, and both, as the KnownProxies. One my android phone off Wifi, I get the Server Unavalable, I switch on Wifi and reload, and it logs in no problem.

[goerdi]

Hi !

I have it similar except
ProxyPass "/socket" "ws/127.0.0.1:8096/socket"
ProxyPassReverse "/socket" "ws/127.0.0.1:8096/socket"

ProxyPass "/" "http://127.0.0.1:8096/"
ProxyPassReverse "/" "http://127.0.0.1:8096/"

in jellyfin network setup i do not have any other entries as default

Ciao Gerd

[TheDreadPirate]

Oh, wow. Almost a 1-to-1 copy and paste of our docs, minus your domain. Ok.

Did you install the extra apache modules?

Code:

sudo a2enmod proxy proxy_http ssl proxy_wstunnel remoteip http2 headers

[teledyn]

Oh, wow.  Almost a 1-to-1 copy and paste of our docs, minus your domain.  Ok.

Did you install the extra apache modules?

Code:

sudo a2enmod proxy proxy_http ssl proxy_wstunnel remoteip http2 headers

Here's the whole list:

Code:

$ ls --color=never /etc/apache2/mods-enabled/
access_compat.load    deflate.conf              mpm_event.conf       reqtimeout.conf
alias.conf            deflate.load              mpm_event.load       reqtimeout.load
alias.load            dir.conf                  negotiation.conf     rewrite.load
auth_basic.load       dir.load                  negotiation.load     setenvif.conf
authn_core.load       env.load                  proxy_balancer.conf  setenvif.load
authn_file.load       filter.load               proxy_balancer.load  slotmem_shm.load
authnz_external.load  headers.load              proxy.conf           socache_shmcb.load
authz_core.load       http2.conf                proxy_fcgi.load      ssl.conf
authz_host.load       http2.load                proxy_http.load      ssl.load
authz_user.load       lbmethod_byrequests.load  proxy.load           status.conf
autoindex.conf        mime.conf                 proxy_wstunnel.load  status.load
autoindex.load        mime.load                 remoteip.load        unique_id.load

[TheDreadPirate]

Can you show us the contents of /etc/jellyfin/networking.xml?

[teledyn]

Here again, very trivial changes from the default:

Code:

<?xml version="1.0" encoding="utf-8"?>
<NetworkConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <BaseUrl>/</BaseUrl>
  <EnableHttps>true</EnableHttps>
  <RequireHttps>false</RequireHttps>
  <CertificatePath>
        /etc/letsencrypt/live/domain.tld/fullchain.pem
  </CertificatePath>
  <InternalHttpPort>8096</InternalHttpPort>
  <InternalHttpsPort>8920</InternalHttpsPort>
  <PublicHttpPort>8096</PublicHttpPort>
  <PublicHttpsPort>8920</PublicHttpsPort>
  <AutoDiscovery>true</AutoDiscovery>
  <EnableUPnP>true</EnableUPnP>
  <EnableIPv4>true</EnableIPv4>
  <EnableIPv6>false</EnableIPv6>
  <EnableRemoteAccess>false</EnableRemoteAccess>
  <LocalNetworkSubnets>
  <string>192.168.0.0/24</string>
  </LocalNetworkSubnets>
  <LocalNetworkAddresses />
  <KnownProxies>
  <string>192.168.0.13</string>
  <string>173.230.163.232</string>
  </KnownProxies>
  <IgnoreVirtualInterfaces>true</IgnoreVirtualInterfaces>
  <VirtualInterfaceNames>
    <string>veth</string>
  </VirtualInterfaceNames>
  <EnablePublishedServerUriByRequest>false</EnablePublishedServerUriByRequest>
  <PublishedServerUriBySubnet />
  <RemoteIPFilter />
  <IsRemoteIPFilterBlacklist>false</IsRemoteIPFilterBlacklist>
</NetworkConfiguration>