Migrating to Jellyfin

@Novasty (fixing an MC thing rn)

server_name jellyfin.whatever.here

I have it this far.

# Uncomment the commented sections after you have acquired a SSL Certificate
server {
    listen 80;
    listen [::]:80;
    server_name jf.mydomain.com;

    # Uncomment to redirect HTTP to HTTPS
    # return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name jf.mydomain.com;

    # use a variable to store the upstream proxy
    # in this example we are using a hostname which is resolved via DNS
    # (if you aren't using DNS remove the resolver line and change the variable to point to an IP address e.g `set $jellyfin 127.0.0.1`)
    set $jellyfin 10.0.12.2;

    #ssl_certificate /etc/letsencrypt/live/DOMAIN_NAME/fullchain.pem;
    #ssl_certificate_key /etc/letsencrypt/live/DOMAIN_NAME/privkey.pem;
    #include /etc/letsencrypt/options-ssl-nginx.conf;
    #ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    #add_header Strict-Transport-Security "max-age=31536000" always;
    #ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN_NAME/chain.pem;
    #ssl_stapling on;
    #ssl_stapling_verify on;

    # Security / XSS Mitigation Headers
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    # Content Security Policy
    # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
    # Enforces https content and restricts JS/CSS to origin
    # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
    #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";

    location = / {
        return 302 https://$host/web/;
    }

    location / {
        # Proxy main Jellyfin traffic
        proxy_pass http://$jellyfin:8096;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;

        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
        proxy_buffering off;
    }

    # location block for /web - This is purely for aesthetics so /web/#!/ works instead of having to go to /web/index.html/#!/
    location = /web/ {
        # Proxy main Jellyfin traffic
        proxy_pass http://$jellyfin:8096/web/index.html;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }

    location /socket {
        # Proxy Jellyfin Websockets traffic
        proxy_pass http://$jellyfin:8096;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }
}

I have yet to do the https encryption. My goal is to get it to pass through first. I had it working with a previous config somewhat. Syncplay was not working though. I researched and this is the nginx site config I require. I just haven’t set up https.

If you have this far, have you not just tested it?

you can’t pass 443 ssl without a cert defined in this or the master nginx.conf

so i have ssl technically working. but i get an output when reloading nginx
nginx: [warn] conflicting server name “jf.aeg.com” on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name “jf.aeg.com” on [::]:443, ignored
nginx: [warn] conflicting server name “jf.aeg.com” on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name “jf.aeg.com” on [::]:80,ignored

do you have two configs with jf.aeg.com

I only have one in sites-enabled

son of a bitch. it works. i just needed to clear my browser cache.

1 Like
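The `conflicting server name ... ignored` warning quoted above means nginx loaded two `server` blocks with the same `listen`/`server_name` pair and is ignoring one of them, which can be the block carrying the TLS and header settings. The following is an added example, not from any poster: it scans the text printed by `nginx -T` (the full loaded configuration) for such pairs; the sample dump and its file paths are constructed.

```python
import re
from collections import defaultdict

# Constructed sample shaped like `nginx -T` output; the file paths are hypothetical.
SAMPLE_DUMP = """\
# configuration file /etc/nginx/nginx.conf:
http { include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*; }
# configuration file /etc/nginx/conf.d/jellyfin.conf:
server {
    listen 80;
    listen 443 ssl http2;
    server_name jf.aeg.com;
}
# configuration file /etc/nginx/sites-enabled/jellyfin:
server {
    listen 80;
    listen 443 ssl http2;
    server_name jf.aeg.com;
}
"""

def find_conflicts(dump):
    """Return {(listen, server_name): [files]} for pairs declared by more than one server block."""
    seen = defaultdict(list)
    current_file, depth, server_depth = "?", 0, None
    listens, names = [], []
    for raw in dump.splitlines():
        header = re.match(r"# configuration file (.+):$", raw)
        if header:  # `nginx -T` prefixes each included file with this marker
            current_file = header.group(1)
            continue
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if server_depth is None and re.match(r"server\s*\{", line):
            server_depth, listens, names = depth, [], []
        elif server_depth is not None and depth == server_depth + 1:
            words = line.rstrip(";").split()
            if words[0] == "listen":
                listens.append(words[1])
            elif words[0] == "server_name":
                names.extend(words[1:])
        depth += line.count("{") - line.count("}")
        if server_depth is not None and depth == server_depth:  # server block closed
            for pair in [(l, n) for l in listens for n in names]:
                seen[pair].append(current_file)
            server_depth = None
    return {pair: files for pair, files in seen.items() if len(files) > 1}
```

On a real host, pass the captured output of `nginx -T` to `find_conflicts`; every file listed for a pair is a place where that name is declared.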

I was struggling getting dynmap to work again. I forgot I changed the port, so i didn’t allow it in ufw.

1 Like

Is dynmap not going through your proxy?

Why not dynmap.AEG.com

1 Like

it’s not a subdomain. it is main domain. it works again but i had to allow ufw port for the new port on server box (here where i live) not on linode. dynmap and jellyfin work!

So you aren’t proxy passing it from your linode to your home

I am, but ufw on the minecraft server blocks all incoming connections to the port. I had to allow tcp port for dynmap to allow the nginx to work. it kept timing out.

Basically, my house has ufw, it was not letting the nginx on linode end to connect to my minecraft dynmap instance.

aeg.com is dynmap and jf.aeg.com is jellyfin. I am going to move dynmap to dynmap.aeg.com at some point. but that is not for tonight.

Remember 8096 was my dynmap port originally. So when I enabled jellyfin I had to change dynmap’s port.

screw transcoding. there is actually a native app for windows and linux for jellyfin. i.e. can direct play!

LOL

Jellyfin for all the jank it can be is much better than plex

1 Like

Now, to uninstall plex from my server box. yay. will do that tomorrow.

So I don’t proxy Jellyfin behind Nginx, I do so behind HAProxy. You really don’t need to pass much, just :8086 wherever you SSL terminate.

I.E here is my config

### Frontends

frontend main
    mode http
    bind :443 ssl crt /etc/letsencrypt/live/covalent.space/fullcert.pem

    # set https forward
    acl https ssl_fc
    http-request set-header X-Forwarded-Protocol https if https

    # Add a X-Forwarded-For containing the client IP address if none were already present
    acl h_xff_exists req.hdr(X-Forwarded-For) -m found
    http-request add-header X-Forwarded-For %[src] unless h_xff_exists
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }

    # tv (jellyfin)
    acl host_tv hdr(host) -i tv.covalent.space
    use_backend tv if host_tv HTTP


### Backends

# jellyfin
backend tv
    mode http
    server tv prod-tv-001.{{ grains['domain'] }}:8096 check inter 1s

Then on your host make sure the firewall has the relevant ports opened. Here’s a screenshot of mine. Note: TCP or UDP is important for service discovery on your local network.

There are a couple of manually installed packages you need to install to get it working properly. Don’t bother with jellyfin-ffmpeg as their custom version strips out a lot of the hardware acceleration or other codec libs you need for proper playback on stuff. It slims it down to only support libre stuff; which is noble and all but if you actually want to get your media to play on smart tvs and mobile devices et al. you’re better served by just downloading ffmpeg from a third party repository.

A 5700xt is severe overkill for ffmpeg hardware acceleration. I have a lowly Quadro P600 that I paid $110 for and it can do 3 simultaneous NVENC streams at once, though it could probably do far more. Unless you have true 4k rips (most bluray rips are just really high quality 1080p), I only use ~256MB of ram per ffmpeg process.

I would suggest getting the cheapest low-power device that is capable of running hardware acceleration for your desired number of users since this thing will be on 24/7. My Quadro only sips 25 Watts.

Craft Computing uses P400s and they work just fine.

The only thing it still sucks at is timeline scrubbing/skipping around for content which is not direct play. So if it has to convert the content beforehand this has mixed results.

Looking forward to v10.8 for sure.

1 Like
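How the two proxy configs in this thread treat an `X-Forwarded-For` header that the client sends itself, modelled as an added Python example (not code from any poster). The nginx config appends via `$proxy_add_x_forwarded_for`, while the HAProxy frontend adds the header only `unless h_xff_exists`; the addresses and the `client_ip` helper are assumptions for illustration.

```python
import ipaddress

PROXY = "10.0.12.1"    # hypothetical address the backend sees the proxy connect from
REAL = "203.0.113.7"   # constructed client address (documentation range)
FORGED = "192.0.2.50"  # constructed value a client puts in its own X-Forwarded-For

def nginx_forward(client_xff, remote_addr):
    """$proxy_add_x_forwarded_for: append the connecting address to any client-sent value."""
    return f"{client_xff}, {remote_addr}" if client_xff else remote_addr

def haproxy_forward(client_xff, src):
    """`add-header X-Forwarded-For %[src] unless h_xff_exists`: a client-sent value passes through."""
    return client_xff if client_xff else src

def haproxy_set_header(client_xff, src):
    """`http-request set-header X-Forwarded-For %[src]`: the client-sent value is replaced."""
    return src

def client_ip(xff, peer, trusted=(PROXY + "/32",)):
    """Walk X-Forwarded-For plus the TCP peer right to left; first address outside `trusted` wins."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    hops = [h.strip() for h in xff.split(",") if h.strip()] + [peer]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: stop rather than trust anything left of it
        if not any(addr in net for net in nets):
            return str(addr)
    return None

def compare(client_xff):
    """Address the backend attributes the request to, for each proxy behaviour."""
    proxies = {
        "nginx_append": nginx_forward,
        "haproxy_unless_exists": haproxy_forward,
        "haproxy_set_header": haproxy_set_header,
    }
    return {name: client_ip(fwd(client_xff, REAL), PROXY) for name, fwd in proxies.items()}

if __name__ == "__main__":
    for name, seen in compare(FORGED).items():
        print(f"{name:24} backend sees {seen}")
```

With the conditional `add-header`, the backend attributes the request to whatever the client wrote; overwriting the header at the edge with `http-request set-header X-Forwarded-For %[src]` removes that input.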

They are starting to get aggressive about moving stuff to priced tiers according to rumblings and stripping the community/base version. I hope that doesn’t happen but people can get greedy