Proper network configuration is essential for accessing your Jellyfin server locally and remotely. This guide covers network settings, port configuration, SSL/TLS setup, and reverse proxy integration.
Network Configuration File Jellyfin stores network settings in network.xml within the config directory:
/var/lib/jellyfin/config/network.xml
Port Configuration Jellyfin uses the following default ports:
Default HTTP port: 8096 < InternalHttpPort > 8096 </ InternalHttpPort > < PublicHttpPort > 8096 </ PublicHttpPort >
InternalHttpPort: Port the server listens on internally (default: 8096)PublicHttpPort: Port advertised for external access (default: 8096) Default HTTPS port: 8920 < InternalHttpsPort > 8920 </ InternalHttpsPort > < PublicHttpsPort > 8920 </ PublicHttpsPort >
InternalHttpsPort: Internal HTTPS port (default: 8920)PublicHttpsPort: Public HTTPS port (default: 8920) Public and internal ports can differ when using port forwarding or reverse proxy.
Base URL Configuration If hosting Jellyfin at a subpath (e.g., behind a reverse proxy), configure the base URL:
< BaseUrl > /jellyfin </ BaseUrl >
Understanding Base URL
The base URL is automatically normalized:
Leading / is added if missing
Trailing / is removed
Empty values default to root path
Reverse Proxy Example
If accessing Jellyfin at https://example.com/jellyfin: < BaseUrl > /jellyfin </ BaseUrl >
Root Path
For root path hosting (https://jellyfin.example.com): SSL/TLS Configuration Enabling HTTPS
Enable HTTPS
Set the HTTPS flag in network configuration: < EnableHttps > true </ EnableHttps >
Certificate Configuration
Provide path to SSL certificate and password: < CertificatePath > /etc/jellyfin/ssl/jellyfin.pfx </ CertificatePath > < CertificatePassword > your-certificate-password </ CertificatePassword >
The certificate must be in PFX (PKCS#12) format.
Force HTTPS (Optional)
Redirect all HTTP requests to HTTPS: < RequireHttps > true </ RequireHttps >
Generating SSL Certificates Self-Signed Certificate
Let's Encrypt (Certbot)
# Generate a self-signed certificate openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes # Convert to PFX format openssl pkcs12 -export -out jellyfin.pfx -inkey key.pem -in cert.pem
For production environments, use a reverse proxy like Nginx or Caddy to handle SSL termination instead of Jellyfin’s built-in HTTPS.
Network Binding IP Version Support < EnableIPv4 > true </ EnableIPv4 > < EnableIPv6 > false </ EnableIPv6 >
Control which IP protocols are enabled.
Bind Addresses Specify which network interfaces Jellyfin should bind to:
< LocalNetworkAddresses > < string > 192.168.1.100 </ string > < string > 10.0.0.50 </ string > </ LocalNetworkAddresses >
Leave empty to bind to all available interfaces.
Virtual Interface Filtering < IgnoreVirtualInterfaces > true </ IgnoreVirtualInterfaces > < VirtualInterfaceNames > < string > veth </ string > < string > docker </ string > < string > br- </ string > </ VirtualInterfaceNames >
Ignore virtual interfaces created by Docker, VMs, or containers.
LAN Configuration Local Network Subnets Define which IP ranges are considered local:
< LocalNetworkSubnets > < string > 192.168.1.0/24 </ string > < string > 10.0.0.0/8 </ string > < string > 172.16.0.0/12 </ string > </ LocalNetworkSubnets >
Automatic Detection
If not specified, Jellyfin automatically detects local networks.
Custom Subnets
Explicitly define subnets for:
Complex network topologies
VPN access
Multiple VLANs
CIDR Notation
Use CIDR notation (e.g., 192.168.1.0/24) to specify network ranges.
Remote Access Enable Remote Access < EnableRemoteAccess > true </ EnableRemoteAccess >
Allow connections from outside the local network.
Auto Discovery < AutoDiscovery > true </ AutoDiscovery >
Enable automatic discovery by clients on the local network.
UPnP-based port forwarding is no longer supported. Use manual port forwarding or a reverse proxy instead.
Published Server URI Automatically determine server URI from HTTP requests: < EnablePublishedServerUriByRequest > false </ EnablePublishedServerUriByRequest >
Disabled by default for security.
Advertise different URIs for specific subnets: < PublishedServerUriBySubnet > < string > 192.168.1.0/24=http://192.168.1.100:8096 </ string > < string > 10.0.0.0/8=http://10.0.0.50:8096 </ string > </ PublishedServerUriBySubnet >
IP Filtering Remote IP Filter Control which remote IPs can access the server:
< RemoteIPFilter > < string > 203.0.113.0/24 </ string > < string > 198.51.100.50 </ string > </ RemoteIPFilter > < IsRemoteIPFilterBlacklist > false </ IsRemoteIPFilterBlacklist >
Whitelist Mode
Blacklist Mode
IsRemoteIPFilterBlacklist=false: Only allow listed IPs< RemoteIPFilter > < string > 203.0.113.0/24 </ string > </ RemoteIPFilter > < IsRemoteIPFilterBlacklist > false </ IsRemoteIPFilterBlacklist >
IsRemoteIPFilterBlacklist=true: Block listed IPs< RemoteIPFilter > < string > 198.51.100.0/24 </ string > </ RemoteIPFilter > < IsRemoteIPFilterBlacklist > true </ IsRemoteIPFilterBlacklist >
Reverse Proxy Configuration Known Proxies Register reverse proxy IPs for proper forwarding:
< KnownProxies > < string > 172.17.0.1 </ string > < string > 192.168.1.1 </ string > </ KnownProxies >
Jellyfin trusts X-Forwarded-For and X-Real-IP headers from known proxies.
Nginx Configuration server { listen 80 ; server_name jellyfin.example.com; return 301 https://$ host $ request_uri ; } server { listen 443 ssl http2; server_name jellyfin.example.com; ssl_certificate /etc/ssl/certs/jellyfin.crt; ssl_certificate_key /etc/ssl/private/jellyfin.key; location / { proxy_pass http://localhost:8096; proxy_set_header Host $ host ; proxy_set_header X-Real-IP $ remote_addr ; proxy_set_header X-Forwarded-For $ proxy_add_x_forwarded_for ; proxy_set_header X-Forwarded-Proto $ scheme ; proxy_set_header X-Forwarded-Protocol $ scheme ; proxy_set_header X-Forwarded-Host $ http_host ; # Disable buffering for better streaming proxy_buffering off ; } # WebSocket support location /socket { proxy_pass http://localhost:8096; proxy_http_version 1.1 ; proxy_set_header Upgrade $ http_upgrade ; proxy_set_header Connection "upgrade" ; proxy_set_header Host $ host ; proxy_set_header X-Real-IP $ remote_addr ; proxy_set_header X-Forwarded-For $ proxy_add_x_forwarded_for ; proxy_set_header X-Forwarded-Proto $ scheme ; } }
Apache Configuration < VirtualHost *:80 > ServerName jellyfin.example.com Redirect permanent / https://jellyfin.example.com/ </ VirtualHost > < VirtualHost *:443 > ServerName jellyfin.example.com SSLEngine on SSLCertificateFile /etc/ssl/certs/jellyfin.crt SSLCertificateKeyFile /etc/ssl/private/jellyfin.key ProxyPreserveHost On ProxyPass / http://localhost: 8096 / ProxyPassReverse / http://localhost: 8096 / RequestHeader set X-Forwarded-Proto "https" RequestHeader set X-Forwarded-Port " 443 " # WebSocket support RewriteEngine On RewriteCond %{HTTP:Upgrade} websocket [NC] RewriteCond %{HTTP:Connection} upgrade [NC] RewriteRule ^/?(.*) "ws://localhost:8096/$1" [P,L] </ VirtualHost >
Caddy Configuration jellyfin.example.com { reverse_proxy localhost:8096 }
Caddy automatically handles HTTPS certificates via Let’s Encrypt.
Traefik Configuration http : routers : jellyfin : rule : "Host(`jellyfin.example.com`)" entryPoints : - websecure service : jellyfin tls : certResolver : letsencrypt services : jellyfin : loadBalancer : servers : - url : "http://localhost:8096"
Firewall Configuration UFW (Ubuntu)
firewalld (CentOS/RHEL)
iptables
sudo ufw allow 8096/tcp sudo ufw allow 8920/tcp sudo ufw reload
sudo firewall-cmd --permanent --add-port=8096/tcp sudo firewall-cmd --permanent --add-port=8920/tcp sudo firewall-cmd --reload
sudo iptables -A INPUT -p tcp --dport 8096 -j ACCEPT sudo iptables -A INPUT -p tcp --dport 8920 -j ACCEPT sudo iptables-save > /etc/iptables/rules.v4
Docker Networking When running Jellyfin in Docker:
docker-compose.yml
Docker Run
Bridge Network
services : jellyfin : image : jellyfin/jellyfin:latest container_name : jellyfin network_mode : host volumes : - /path/to/config:/config - /path/to/media:/media environment : - TZ=America/New_York restart : unless-stopped
Using network_mode: host provides better performance and automatic discovery but requires the host network stack.
Troubleshooting
Cannot Access Remotely
Check:
EnableRemoteAccess is trueFirewall allows traffic on configured ports
Router port forwarding is configured
Public IP address is correct
HTTPS Not Working
Verify:
Certificate path is correct and accessible
Certificate is in PFX format
Certificate password is correct
Ports 8920 (or custom HTTPS port) are open
Reverse Proxy Issues
Ensure:
Base URL matches proxy configuration
Proxy IP is in KnownProxies
WebSocket support is enabled
Headers are properly forwarded
Auto Discovery Not Working
Enable AutoDiscovery in network.xml
Check firewall allows UDP broadcast
Verify client and server are on same network
Best Practices
Use Reverse Proxy Let Nginx, Caddy, or Traefik handle SSL/TLS termination for better security and easier certificate management.
Secure Remote Access Use VPN or properly configured reverse proxy with strong authentication for remote access.
Limit Exposure Use IP filtering to restrict access to known networks or IP ranges.
Monitor Logs Regularly check network logs for suspicious access attempts.
Next Steps
Transcoding Setup Configure media transcoding and quality settings
Hardware Acceleration Enable GPU acceleration for better performance
