Unable to login to Jellyfin through NGINX #712

Closed
opened 2026-02-06 20:02:05 +03:00 by OVERLORD · 5 comments

Originally created by @Verequies on GitHub (May 26, 2019).

Describe the bug:
Unable to log in to Jellyfin when connecting through NGINX. Connecting directly to the IP works, however I would rather not expose that.

To Reproduce:
Try to log in through NGINX.

Expected behavior:
You're successfully logged in.

Logs:
You receive this message when trying to login:
`"Connection Failure - We're unable to connect to the selected server right now. Please ensure it is running and try again."`

In the browser console this is reported:
`/emby/Users/authenticatebyname:1 Failed to load resource: the server responded with a status of 400 ()`

System:

  • OS: Arch Linux
  • Browser: All
  • Jellyfin Version: 10.3.3
  • Reverse proxy: NGINX
OVERLORD added the bug label 2026-02-06 20:02:05 +03:00

@DrPandemic commented on GitHub (May 26, 2019):

Could you share your NGINX config please? This might help someone find the problem.


@Verequies commented on GitHub (May 26, 2019):

I was running 10.2.2 before this with the same config and all was well. Just been messing around a bunch with it and narrowed it down to my websocket parameters.

For some reason Jellyfin doesn't like:

```
# Main NGINX file
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Socket parameters file
proxy_set_header       Upgrade $http_upgrade;
proxy_set_header       Connection "upgrade";
```

However, it's required for the websockets to work. If you comment out those header lines, reload nginx, log in, uncomment them, reload, and refresh, you can see the websockets connect without 404.

However I then notice another error:

```
apiclientcore.js?v=10.3.3:58 POST https://media.example.com/emby/Sessions/Capabilities/Full 400
```

This is my server block:

```
# Jellyfin
server {
    listen                  *:443 http2 ssl;

    ssl_certificate         /path/to/example.com/ssl/fullchain.pem;
    ssl_certificate_key     /path/to/example.com/ssl/privkey.pem;
    ssl_trusted_certificate /path/to/example.com/ssl/fullchain.pem;

    include                 /path/to/example.com/config/ssl_params;

    server_name             media.example.com;

    location / {
        proxy_pass      http://jellyfin;
        include         /path/to/example.com/config/socket_params;
    }
}
```

This is my ssl_params:

```
ssl_session_cache               shared:SSL:10m;
ssl_session_timeout             10m;
ssl_session_tickets             off;

ssl_protocols                   TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers       on;
ssl_ecdh_curve                  secp521r1:secp384r1;
ssl_ciphers                     "ECDHE+ECDSA+CHACHA20:ECDHE+ECDSA+AESGCM:!AES128";

ssl_stapling                    on;
ssl_stapling_verify             on;

resolver                        1.1.1.1 1.0.0.1 valid=300s;
resolver_timeout                5s;

add_header                      Expect-CT "enforce; max-age=2592000; report-uri=\"https://report.example.com\"" always;
add_header                      Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
```

And this is my socket_params:

```
proxy_http_version      1.1;
proxy_set_header        Upgrade $http_upgrade;
proxy_set_header        Connection "upgrade";
proxy_read_timeout      10s;
proxy_redirect          off;
proxy_set_header        Host $host;
proxy_set_header        X-Real-IP $remote_addr;
proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header        X-Forwarded-Proto $scheme;
```

@speedfreak01 commented on GitHub (May 29, 2019):

Do you have `location /embywebsocket { }` configured?

Make sure your config is the same as the docs, https://jellyfin.readthedocs.io/en/latest/administrator-docs/reverse-proxy/#nginx
That worked for me.


@Verequies commented on GitHub (May 30, 2019):

@speedfreak01 Thanks heaps! I did not realise there was updated documentation. I had assumed it was a bug since everything was fine with 10.2.2.


@zuosc commented on GitHub (Aug 6, 2019):

I have the same problem. My Jellyfin version is 10.3.7.

This is my Nginx config:

```
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name jellyfin.xxxxxxx.cn;
    client_max_body_size 1024000M;
    add_header Strict-Transport-Security "max-age=31536000" always;

    ssl_certificate     /etc/nginx/cer/*.xxxx.cn.cer;
    ssl_certificate_key /etc/nginx/cer/*.xxxxx.cn.key;

    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    location / {
        # WebSocket Support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_set_header   X-Forwarded-Protocol $scheme;
        proxy_set_header   X-Forwarded-Host $http_host;
        proxy_set_header   Host $http_host;
        proxy_pass         http://192.168.100.100:8096;
    }

    location /embywebsocket {
        # Proxy Jellyfin Websockets traffic
        proxy_pass http://192.168.100.100:8096;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }
}
```

@DrPandemic

OK, I found this:
https://github.com/jellyfin/jellyfin/issues/1266

Remove:

```
# WebSocket Support
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
```

Everything is OK.
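
Added example, not part of the original thread and not the Jellyfin project's documented config: both posted configs hard-code `Connection "upgrade"` on `location /`, the setting whose removal cleared the 400 responses above. The sketch below instead sets `Connection` from the `$connection_upgrade` map that the first config defined but never used, so only requests that actually carry an `Upgrade` header are forwarded as upgrades. The upstream address, server name and certificate paths are the placeholders used in the thread.

```nginx
# http {} context: choose the upstream Connection header per request.
map $http_upgrade $connection_upgrade {
    default upgrade;   # client sent an Upgrade header (WebSocket handshake)
    ''      close;     # ordinary request such as the login POST
}

server {
    listen 443 ssl;
    server_name media.example.com;

    ssl_certificate     /path/to/example.com/ssl/fullchain.pem;
    ssl_certificate_key /path/to/example.com/ssl/privkey.pem;

    location / {
        proxy_pass         http://192.168.100.100:8096;
        proxy_http_version 1.1;

        # Weak form from the thread, applied to every request on "/":
        #   proxy_set_header Connection "upgrade";
        # Corrected form: "upgrade" only when the client asked for it.
        # nginx does not forward a header whose value is empty, so plain
        # requests reach the backend without an Upgrade header at all.
        proxy_set_header   Upgrade    $http_upgrade;
        proxy_set_header   Connection $connection_upgrade;

        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }

    # Dedicated WebSocket path mentioned in the thread; same map-driven headers.
    location /embywebsocket {
        proxy_pass         http://192.168.100.100:8096;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade    $http_upgrade;
        proxy_set_header   Connection $connection_upgrade;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}
```

Validate with `nginx -t` before reloading, then confirm in the browser console that `POST /emby/Users/authenticatebyname` no longer returns 400.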


Reference: starred/jellyfin#712