Reverse Proxying #
Reverse proxying should be really easy.
- If you’re proxying to a subdomain, e.g
accounts.jellyf.in/, aproxy_passor equivalent is enough. - If you choose to use jfa-go’s IP logging, you’ll need to make sure the proxy passes in the correct IP.
X-Real-IPorX-Forwarded-Forwill work.- The nginx and IIS examples includes at least one of these headers. You’ll have to figure it out yourself for other proxies.
- Proxying to a subfolder is only supported for versions > 0.2.2.
- Versions > v0.3.0 don’t need the URL Base stripped, but should be proxied to
<jfa-go address>/<URL base>instead. - Make sure to set the URL base (“Reverse Proxy subfolder”) in Settings > General (
ui > url_basein config.ini). It should be the subfolder only, i.e./accounts. - If you’re placing it under the same subdomain as Jellyfin, make sure no CSP header is set for jfa-go’s subfolder (see example below for NGINX).
- Versions <= v0.3.0 require the proxy to strip the URL base.
- Versions > v0.3.0 don’t need the URL Base stripped, but should be proxied to
Below are some simple examples of reverse proxy configs.
NGINX (Subdomain) #
server {
listen 80;
server_name accounts.your.domain;
return 301 https://accounts.your.domain/;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name accounts.your.domain;
# put your SSL config here
location / {
proxy_pass http://localhost:8056; # change as you need
http2_push_preload on; # Should make the page load quicker.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_buffering off;
}
}
NGINX (Subfolder on /accounts Jellyfin subdomain)
#
Make sure to set your Reverse Proxy subfolder to /accounts in Settings > General.
credit to IngwiePhoenix.
server {
listen 80;
server_name jellyfin jellyfin.your.domain;
return 301 https://jellyfin.your.domain/;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name jellyfin.your.domain;
# rest of your own config
location ^~ /accounts {
# No longer necessary on versions after v0.3.0
# rewrite ^/accounts/(.*) /$1 break;
# Remove the CSP header set for Jellyfin
proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "";
proxy_pass http://localhost:8056/accounts; # Change as you need
# For versions <= v0.3.0
#proxy_pass http://localhost:8056; # Change as you need
http2_push_preload on;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_buffering off;
}
}
Traefik (/jfa subfolder)
#
Taken from #53.
jfa-go:
# rest of your config
labels:
- "traefik.enable=true"
- "traefik.http.routers.jfa-go.rule=Host(`services.${DOMAIN}`) && PathPrefix(`/jfa`)"
- "traefik.http.routers.jfa-go.tls=true"
IIS (/accounts subfolder)
#
From #324, credit to kimboslice99.
This config is for the /accounts subfolder. To change, adjust the <action type="Rewrite"... line near the bottom to
<action type="Rewrite" url="http://localhost:8056/insert_subfolder_path_here/{R:1}" />
<?xml version="1.0" encoding="UTF-8"?>
<!--
config requires URL Rewrite and Application Request Routing + run these commands from an elevated PowerShell 5.1 prompt
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/proxy" -name "preserveHostHeader" -value "True"
Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/rewrite/allowedServerVariables" -name "." -value @{name='HTTP_X_FORWARDED_PROTOCOL'}
Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/rewrite/allowedServerVariables" -name "." -value @{name='HTTP_X_FORWARDED_PROTO'}
Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/rewrite/allowedServerVariables" -name "." -value @{name='HTTP_X_REAL_IP'}
Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/rewrite/allowedServerVariables" -name "." -value @{name='HTTP_X_FORWARDED_HOST'}
Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/rewrite/allowedServerVariables" -name "." -value @{name='HTTP_X_FORWARDED_PORT'}
-->
<configuration>
<system.webServer>
<rewrite>
<rules>
<clear />
<rule name="Redirect to https" stopProcessing="true">
<match url=".*" />
<conditions logicalGrouping="MatchAny" trackAllCaptures="false">
<add input="{HTTPS}" pattern="off" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Found" />
</rule><!-- These rules add X-Forwarded-Protocol -->
<rule name="ForwardedHttps">
<match url=".*" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false">
<add input="{HTTPS}" pattern="On" />
</conditions>
<serverVariables>
<set name="HTTP_X_FORWARDED_PROTOCOL" value="https" />
<set name="HTTP_X_FORWARDED_PROTO" value="https" />
</serverVariables>
</rule>
<rule name="ForwardedHttp">
<match url=".*" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false">
<add input="{HTTPS}" pattern="Off" />
</conditions>
<serverVariables>
<set name="HTTP_X_FORWARDED_PROTOCOL" value="http" />
<set name="HTTP_X_FORWARDED_PROTO" value="http" />
</serverVariables>
</rule>
<rule name="jellyfinaccounts">
<match url="(.*)" />
<serverVariables>
<set name="HTTP_X_FORWARDED_HOST" value="{HTTP_HOST}" />
<set name="HTTP_X_REAL_IP" value="{REMOTE_ADDR}" />
</serverVariables>
<action type="Rewrite" url="http://localhost:8056/accounts/{R:1}" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>