Login

Lexx · 2025-04-12, 07:42 PM

So I followed the guide here: https://www.youtube.com/watch?v=AEyhpuWeiTk

Right now Jellyfin doesn't have HTTPS enabled. And when I browse through the internet to my jellyfin instance hosted on duckdns, the browser shows it's HTTP without encryption.

So the question is, how do I encrypt it from here? Unfortunately there doesn't seem to be any step by steps for this process that I could find. Certbot dropped Windows support over a year ago. Right now I've installed Certify and don't know what I'm doing.

Followup question: Anyone know how to get Jellyfin to watch port 80 instead of 8096? I'd like that to be the default here, to have jellyfin working on 80 and force https on requests.

TheDreadPirate · 2025-04-12, 09:49 PM

What address did you use? http://yourDomain.duckdns.org:8096? Or https://yourDomain.duckdns.org?

What does your caddy file look like?

Lexx · 2025-04-13, 01:43 AM

:8096 and the caddy file is:

subdomain.duckdns.org {
reverse_proxy 127.0.0.1:8096
}

Straight copying the tutorial.

TheDreadPirate · 2025-04-13, 02:09 AM

You should NOT be using port 8096 when trying to connect through Caddy. Caddy listens on 80 and 443.

https://subdomain.duckdns.org

And nothing else.

Lexx · 2025-04-13, 05:24 PM

Then considering jellyfin uses 8096 by default, and I want 8920/443 anyway, how do I fix this?

subdomain.duckdns.org without :8096 does resolve. which is funny because subdomain.duckdns.org:8096 also resolves.

So..how do I then secure it? I'm trying to implement ssl.

Lexx

ok, and what's weirder is that if I access remotely via subdomain.duckdns.org it shows secure (https) but if I access via subdomian.duckdns.org:8096 it's insecure.

At what point in this process is SSL getting added? the duckdns to caddy step? And followup, how do I disable the insecure port 8096 access?

TheDreadPirate · 2025-04-13, 07:46 PM

If you go to port 8096 you are bypassing Caddy. Port 8096 is Jellyfin's http port. When you omit the port, just about all browsers will default to https on port 443, which is the port Caddy listens on. When going through Caddy on port 443 that is when the connection is encrypted.

Further more, you should NOT be port forwarding 8096 to avoid the possibility of remote connections going directly to Jellyfin unencrypted http port. You do not need to port forward since Caddy will be handling external connections. And you do not need to port forward for local clients to be able to access port 8096.

Additionally, you do not need to port forward port 80. This, again, avoids the possibility of unencrypted external connections. Caddy does not need the port for certificate requests.

Lexx · (This post was last modified: 2025-04-14, 04:54 PM by Lexx.)

So after some testing, I got things to work:
-my router needs port 443 forwarded only.
-jellyfin needs no https enabled or setup
-my caddyfile:
subdomain.duckdns.org {
reverse_proxy 127.0.0.1:8096
}

without the :8096 it doesn't work. So, from what I understand:
(internet) - browser or app tries to access subdomain.duckdns.org (without port argument). This defaults to port 443 requested (invisibly).
this request goes to duckdns name server, which looks up my IP in its record and sends the request to my IP
My router sees the request on port 443, and forwards it through to my server.
my server, running caddy as a reverse proxy, sees this request and forwards *everything*? to localhost on port 8096.
Jellyfin server receives the request, forwarded to port 8096, and stripped of the secure layer, and responds.

The SSL layer is happening between caddy and the client user, as far as jellyfin is concerned it's a plaintext unencrypted session.

Is that understanding correct?

TheDreadPirate · 2025-04-14, 06:06 PM

That is correct.

One thing you do need to set is the "Known proxies" setting in Jellyfin.

Dashboard > Networking > Known proxies.

Put 127.0.0.1, save, restart jellyfin. This field is required starting with 10.10.7. Even if the same host running Jellyfin is the proxy.

Otherwise remote clients will appear as 127.0.0.1 in your logs and any bit rate limits you've set won't be applied.

Secret_Agent_Super_Dragon · 2025-04-15, 12:05 AM

(2025-04-14, 06:06 PM)TheDreadPirate Wrote: That is correct.

One thing you do need to set is the "Known proxies" setting in Jellyfin.

Dashboard > Networking > Known proxies.

Put 127.0.0.1, save, restart jellyfin. This field is required starting with 10.10.7. Even if the same host running Jellyfin is the proxy.

Otherwise remote clients will appear as 127.0.0.1 in your logs and any bit rate limits you've set won't be applied.

Oh man, is this the answer to the long winded thread I just posted?

https://forum.jellyfin.org/t-windows-cad...eam-limits

Login

Username/Email:
Password:


Or login with a social network below

Login

Username/Email:
Password:


Or login with a social network below

SOLVED: Windows + Caddy + DuckDNS - how do I setup SSL?