Beiträge von pcon

Think about a backup and restore for your data. You have Build a RAID 1 for your NAS. RAIDs are for continuity in working with the data but RAID doesn’t replace a backup and a restore for your data.

In the most cases home users don’t need a NAS for continuity in working. Your NAS System is not build redundancy. RAIDs can be a point that causes issues. So it make more sense for you NAS to use the HDD without a RAID System.

For a backup and restore you can use software like: Duplicaty, Borg Backup, ….

Here you can found another topic: My thoughts about... RAID

The easiest way is to ask Vodafone for an IPv4 or dual stack and hope that the boys and girls at Vodafone will change it.

Other options could be tunnels on a VPS or Cloudflare basis. But try the Vodafone option first as this is the best option if you want to get IPv4 and IPv6 on your internet connection.

He has configured WireGuard with the Fritz!Box (FB). Port forwarding and other stuff will be done automatically by the FB. He has written in #5 that the connection from the WireGuard connection from the external Laptop to the FB can be established.

- Connect with your Laptop to the internet via android phone hotspot.

- Start WireGuard wait that the WireGuard connection is established.

- Open your browser and type http://192.168.178.27:8096/ push enter and you will be connected to your internal Jellyfin.

How do you reach your Jellyfinn in your internal Network? It is:

http://192.168.178.27:8096

After you have initiate and established the WireGuard connection use the same internal ip address to connect to Jellyfin like:

http://192.168.xxx.xxx:8096

https access with Jellyfin:

You can upload a certificate to your Jellyfin instance and enable the https in Jellyfin. Now you can access the Jellyfin with https.

https://JellyfinIpAddres:8920/

Enable https port forwarding for on the Fritz!Box for the Jellyfin server.

The IPv6 DuckDNS domain name AAAA record must be the IPv6 Global Unicast address from the Jellyfin server. Is the Jellyfin running on a docker than the IPv6 Global Unicast address must be from the host of the Docker container. You can access Jellyfin from from the internet:

https://duckdnsDomainName:8920/

Another possibility and maybe much safer than a proxy or a https port forwarding is to set up a WireGuard VPN with the Fritz!Box. Here the guides from AVM to set up WireGuard with a Fritz!Box, computer, smartphone and tablet:

WireGuard-VPN zur FRITZ!Box am Computer einrichten

WireGuard-VPN zur FRITZ!Box am Smartphone oder Tablet einrichten

What for a wifi router do you use?

I understand your hesitation, sticking with established products that have a proven track record definitely offers peace of mind.

I think that it will be work. But if you want to go for new system when 4 x NVME are more mainstream and the cost of SSDs drops. Then this device: X86-P5 2x I226-V 2.5G Development NAS Motherboard can be a option. You have directly 4x NVMe exaptation Board.

You can use this tcpdump -n port 80

Terramaster OS relies on a Linux with its own overlay. An OMV could run on it. The F8 is a nice box, but so far there is nothing to be found that anyone has installed Linux on the F8 and it works without problems. 840 € for the F8 SSD Plus is too much for me if no other OS can be installed.

I have found this X86-P5 2x I226-V 2.5G Development NAS Motherboard 4*M2 NVME Kit Board Intel i3-N305 N100 DDR5 2x SATA 2x HDMI2.1 for for 330 €. You may also be interested in this box.

Zitat von Ionic

Maybe some of you doesn't understand correctly the problem.

Jellyfin, Swag and my router seem correctly configured, see all screenshots/configurations from previous and current post BUT the problem is that with the iOS Jellyfin client I can login to the server using HTTP link: why?

The screenshots looks OK. There is any security leak with the connection. I have set up a SWAG container and tested with Jellyfin. You can use the http connection in the app. The htpp will be redirected to https. In the app you see only http. Tested in a browser you can see that the http address is redirected to https.

You are asking for a tool to check it. You can use WireShark on your device or tcpdump on the server. With this tools you capture the network traffic and check if there connection are encrypted or not.

I understand and it makes sense for SWAG and the containers attached. I don't use SWAG. In my environment it is fine to have a network for each application. This separates the Docker containers. This can be a security benefit.

=======================================================================================================

FOR YOUR INFORMATION
The pueblo.uk.to was set up only for testing purposes and is no longer reachable. The DNS record is deleted .

have an nice day

Soma thanks for your tips. I have found the solution. It works with pueblo.uk.to. The solution is to change the server_name in the jellyfin.subdomain.conf from jellyfin to the external URL name.

Zitat

server {

listen 443 ssl;

listen [::]:443 ssl;

# server_name jellyfin.*;

server_name pueblo.uk.to;

include /config/nginx/ssl.conf;

Alles anzeigen

Zitat von Soma

As for the network, I never used the network_mode argument.

I rather use the samples I posted before.

Is there any explanation why you use your samples? At the end a new network will be create.

In Jellyfin http is not disabled. No Subdomain given only the test Domain.

Hear the config files and a screenshot of the Networks.

Swag YML

Zitat

---

version: "2.1"

services:

swag:

image: lscr.io/linuxserver/swag:latest

container_name: swag

network_mode: swag-net

cap_add:

- NET_ADMIN

environment:

- PUID=1000

- PGID=1000

- TZ=Europe/xxxxxx

- URL=pueblo.uk.to

# - SUBDOMAINS=j,

- VALIDATION=http

volumes:

- /var/lib/docker/volumes/swag_conf:/config

ports:

- 443:443

- 80:80

restart: unless-stopped

Alles anzeigen

Jellyfin YML

Zitat

---

version: "2.1"

services:

jellyfin:

image: lscr.io/linuxserver/jellyfin:latest

container_name: jellyfin

network_mode: swag-net

environment:

- PUID=1000

- PGID=1000

- TZ=Europe/xxxxx

volumes:

- /var/lib/docker/volumes/jellifinconf:/config

- /srv/dev-disk-by-uuid-96303f58-c4d2-4fbc-94a3-80a375567c58/media/series:/data/series

- /srv/dev-disk-by-uuid-96303f58-c4d2-4fbc-94a3-80a375567c58/media/movie:/data/movies

- /srv/dev-disk-by-uuid-96303f58-c4d2-4fbc-94a3-80a375567c58/media/Dreambox/movie:/data/dreammovies

- /srv/dev-disk-by-uuid-96303f58-c4d2-4fbc-94a3-80a375567c58/media/Dreambox/serien:/data/dreamseries

- /srv/dev-disk-by-uuid-3a7829ce-ebe2-448f-a760-9472df12c954/data/BackupPC04/cpizza/Musik:/data/music

- /srv/dev-disk-by-uuid-3a7829ce-ebe2-448f-a760-9472df12c954/Jellifin/cache:/data/cache

- /srv/dev-disk-by-uuid-3a7829ce-ebe2-448f-a760-9472df12c954/Jellifin/metadata:/data/metadata

ports:

- 8096:8096

- 8920:8920

devices:

- /dev/dri/renderD128:/dev/dri/renderD128

- /dev/dri/card0:/dev/dri/card0

restart: unless-stopped

Alles anzeigen

jellyfin.subdomain.conf

Zitat

# cat jellyfin.subdomain.conf

## Version 2024/08/22

# make sure that your jellyfin container is named jellyfin

# make sure that your dns has a cname set for jellyfin

# if jellyfin is running in bridge mode and the container is named "jellyfin", the below config should work as is

# if not, replace the line "set $upstream_app jellyfin;" with "set $upstream_app <containername>;"

# or "set $upstream_app <HOSTIP>;" for host mode, HOSTIP being the IP address of jellyfin

# in jellyfin settings, under "Advanced/Networking" add subdomain.mydomain.tld as a known proxy

server {

listen 443 ssl;

listen [::]:443 ssl;

server_name jellyfin.*;

include /config/nginx/ssl.conf;

client_max_body_size 0;

location / {

include /config/nginx/proxy.conf;

include /config/nginx/resolver.conf;

set $upstream_app jellyfin;

set $upstream_port 8096;

set $upstream_proto http;

proxy_pass $upstream_proto://$upstream_app:$upstream_port;

proxy_set_header Range $http_range;

proxy_set_header If-Range $http_if_range;

}

location ~ (/jellyfin)?/socket {

include /config/nginx/proxy.conf;

include /config/nginx/resolver.conf;

set $upstream_app jellyfin;

set $upstream_port 8096;

set $upstream_proto http;

proxy_pass $upstream_proto://$upstream_app:$upstream_port;

}

# Restrict access to /metrics

# https://jellyfin.org/docs/gene…oring/#prometheus-metrics

location /metrics {

allow 192.168.0.0/16;

allow 10.0.0.0/8;

allow 172.16.0.0/12;

allow 127.0.0.0/8;

deny all;

include /config/nginx/proxy.conf;

include /config/nginx/resolver.conf;

set $upstream_app jellyfin;

set $upstream_port 8096;

set $upstream_proto http;

proxy_pass $upstream_proto://$upstream_app:$upstream_port;

}

}

Alles anzeigen

To understand a problem, I have set up a swag container for Jellyfin. I only get the default SWAG page and not the Jellyfin website.

Jellyfin is up and running in locale network. Port forwarding on the Router is set. Certificate exists. jellyfin.subdomain.conf is enabled. network_mode: swag-net is set in both container and Portainer network is configured. Ping from SWAG container to Jellyfin also works.

Has anyone a tip for me?

Zitat von Ionic

Maybe application show HTTP but internally the connection was redirected to HTTPS

If you have only opened the https port on the Fritz!Box (FB). Then only https connection will be accepted on the FB WAN port, forwarded to the Swag reverse proxy, Swag to the upstream to Jellyfin on the http port. Jellyfin answer on the http request and send out http, Swag will get the http and forward https to FB, FB send https out.

Have you configuration like the 2 screenshot? Have you set something like "Independent Port Sharing" or "Open this device completely for internet sharing via xxx (exposed host)". is your configuration for IP4, IP6 or both.

I'm asking because I'm confused now and the router port setting and your setting in the Swag compose file are not clear to me. Can you please post the 2 screenshot from the FB for "permit Access"

            - VALIDATION=http
...
ports:      - 444:443      
            #- 81:80 #optional 

In the first post you wrote:

On the router I have enabled port forwarding of ports 80 and 443

Zitat von chente

Any connection from outside your network through a domain and a proxy (like swag in this case) will be encrypted. This is regardless of whether you can access that service via http on your local network.

This is correct if you have only configured https port for forwarding. Swag is a reverse proxy and can handle http and https connection from the internet it belongs to the configuration you do.

The 2 compose files and the config file look fine. Swag only uses the https ports 444:443 in the compose file and the upstream uses the http port 8096 to Jellyfin. With this configuration only https will run from the internet.

What is swag doing. From the router it gets the HTTPS (444:443) request and forwarded it as a http (8096) to the Jellyfin server.

the source is: | hostname = jellyfin.* | Port = 443 | Protocoll = HTTPS |
the destination is: | hostname = jellyfin (localhos) | Port = 8046 | Protocoll = HTTP |

In this case the Let’s Encrypt certificate will be managed automatically by the reverse proxy. You don’t have to interact with Jellyfin in terms of certificates at all. It will all be handled on the reverse proxy side. SWAG and Jellyfin are working correctly. In this scenario only https://jellyfin.* must be possible for connection from the internet to the Jellyfin server.

But this don't xplain why you can connect with http://jellyfin.* Maybe something is wrong on the router or the forwarding. You wrote:

Jellyfin standard ports 8096 and 8920 are blocked on my router and are not configured on its container (removed ports section).I don't know what router/firewall you are using, but normally ports aren't blocked, they are opened to forward port traffic to internal devices. Maybe you can show the configuration or a screenshot of the router conf.

I don't use swag as reverse proxy with Jellyfin. I have a self signed certificate on Jellyfin and have opened only the Jellyfin https Port 8920 on the router. So that only https connection from the outside will be passed to the Jellyfin webside. Maybe this a option for you it the issue can' be fixed.

Q1: No. ICY BOX IB-RD3640SU3 is an HDD/SSD USB / eSATA expansion device only. You can insert HDDs and connect to a PC and read/write data. Your HDDs are in RAID from the Synology device, I don't think there is any way to read the data in the ICY BOX.

Q2: Yes, You can build OMV on a RasPi.