jellyfin / jellyfin-android

Android Client for Jellyfin
https://jellyfin.org
GNU General Public License v2.0

Android App Connection Issues via Reverse Proxy #742

Open amingle4 opened 1 year ago

amingle4 commented 1 year ago

Describe the bug

I have my Jellyfin server set up behind an NGINX reverse proxy.

On my phone, through the web browser, I am able to access https://jellyfin.MYDOMAIN.com

When I go to Connect to Server in the Android app, it says it is "Unable to reach server".

Logcat is pasted below, but all it says is "HTTP request timed out" after 5 seconds. No errors or access requests are showing up in the NGINX reverse proxy logs for these requests, while I do see normal access requests in the logs when accessing via the web browser. It is almost as if requests through the app are not hitting the reverse proxy at all. Of note, I also use an internal DNS server to resolve my domain, so if the app is going external for DNS, that would be a problem (i.e. it will never resolve via an external DNS server).

This reverse proxy has been set up for a while and is used for numerous other applications. In the reverse proxy setup, SSL is offloaded and uses a ZeroSSL certificate. I ran an SSL check via testssl.sh (it is an internal-only site, so I cannot check with SSL Labs), and nothing abnormal shows up.

Logs

Logcat

07-22 01:18:52.336 16030 16030 I ConnectFragment: checkServerUrlAndConnection https://jellyfin.<MYDOMAIN>.com
07-22 01:18:52.338 16030 16030 I ConnectFragment: Address candidates are [https://jellyfin.<MYDOMAIN>.com, https://jellyfin.<MYDOMAIN>.com:8096, https://jellyfin.<MYDOMAIN>.com:8920]
07-22 01:18:54.395  1260  2008 D MdnieScenarioControlService:  packageName : org.jellyfin.mobile    className : org.jellyfin.mobile.MainActivity
07-22 01:18:57.815 16030 16030 I ConnectFragment: No valid servers found, invalid candidates were: https://jellyfin.<MYDOMAIN>.com/Failure(org.jellyfin.sdk.api.client.exception.TimeoutException: HTTP request timed out), https://jellyfin.<MYDOMAIN>.com:8096/Failure(org.jellyfin.sdk.api.client.exception.ApiClientException: Unknown error occurred!), https://jellyfin.<MYDOMAIN>.com:8920/Failure(org.jellyfin.sdk.api.client.exception.ApiClientException: Unknown error occurred!)

Results of https://jellyfin.MYDOMAIN.com/system/info/public (The reverse proxy is set up to go to Jellyfin via a standard HTTP connection - is that a conflict with the fact that the LocalAddress shown below is https? No certificate information is set up in Jellyfin.)

{"LocalAddress":"https://172.18.0.10:8920","ServerName":"jellyfin","Version":"10.8.1","ProductName":"Jellyfin Server","OperatingSystem":"Linux","Id":"3884546a3c324cd88ad1730c943afafe","StartupWizardCompleted":true}

Application version

2.4.4

Where did you install the app from?

Google Play

Device information

Samsung Galaxy S21

Android version

Android 12

Jellyfin server version

10.8.1

Which video player implementations does this bug apply to?

nielsvanvelzen commented 1 year ago

> Of note, I also use an internal DNS server to resolve my domain, so if the app is going external for DNS, that would be a problem (i.e. it will never resolve via an external DNS server).

Did you configure your device to use this internal DNS server?

amingle4 commented 1 year ago

> > Of note, I also use an internal DNS server to resolve my domain, so if the app is going external for DNS, that would be a problem (i.e. it will never resolve via an external DNS server).
>
> Did you configure your device to use this internal DNS server?

Yes, that is done via the DHCP server. And this is proven to work on my phone since I can access the Jellyfin server via a web browser. I am just wondering if there's something off with how the Jellyfin Android app is trying to resolve the hostname.

nielsvanvelzen commented 1 year ago

The app uses our SDK (https://github.com/jellyfin/jellyfin-sdk-kotlin) for connection. The SDK uses the platform APIs for networking (including DNS); we do not change this behavior.

amingle4 commented 1 year ago

Thank you. That makes sense, and what I would have expected. So - something else is causing it to not find the host on the app although the device itself is able to find the host via a browser. Are there other logs I can pull that would help provide insight?

gurudave commented 1 year ago

I'm also having the same problem. Access to my jellyfin instance works fine in the web browser but the app just refuses to see it. Works fine over plain HTTP directly to the docker container, but fails as soon as I put the reverse proxy in front of it. Tried both nginx and traefik.

As in @amingle4's case, DNS is provided locally. SSL certificates are from Let's Encrypt and at least the browser is happy with them.

I can also pull logs and try suggestions if they would provide any guidance on tracking down the root cause.

amingle4 commented 1 year ago

I realized after reading @gurudave's post - I didn't specify. I'm running this via Docker as well. So it seems like my setup is exactly the same.

Charliecoop commented 1 year ago

I'm having the same issue too when using my usual domain to login with Nginx and running via Docker. Seemed to happen with the latest version 10.8.1. Clients (including Android TV) that are already logged into the server work fine, however if I log out, I THINK I remember it saying a few times "connection refused" when I try to login again. After reinstalling the app it says 'unable to connect' on Android TV and Android Phone.

Login via browser works fine tho. And the app works fine if I'm using the local IP address inside my local network.

When I use autodiscovery on the app I'm getting http://172.17.0.6:8096 appear which fails saying 'unable to connect'. I have to use real IP of the server (http://192.168.1.159:8096) to get in via the app.

smomop commented 1 year ago

I'm also having the same problem. But everything is fine on my iOS client.

Charliecoop commented 1 year ago

Might be helpful (devs): I've noticed that when using Chrome, Jellyfin loads slow generating slow http errors even when I'm connected to the home server via wifi. If I use the IP address, it's much faster. Happened around the same time this started happening.

gurudave commented 1 year ago

Hey guys, I think I found the cause (for me anyway, hopefully the same for you). As discussed in #571, Android doesn't have the intermediate certificate for Let's Encrypt so it can't verify the TLS cert (which desktop browser can because it has the root and intermediate certs bundled). In traefik, the solution for me was to use the fullchain.cer file instead of the .cer file and then everything started working!

amingle4 commented 1 year ago

I thought that might be it for me too, but best I can tell, I am actually using the full chain. (I use NGINX and ZeroSSL, so a slightly different setup, but same concept). The certificate file I am using in my NGINX config has 3 certificate sections - the main certificate, what I believe is the intermediate, and what I believe is the root certificate. But I'm struggling to verify this on an internal-only website, because all the tools people recommend to check SSL configuration are for external resources anyway. Unless someone knows of another option, I may need to temporarily make my website external-facing to check its configuration.

amingle4 commented 1 year ago

I was able to run an SSL verification using OpenSSL (already installed on one of my servers): `sudo openssl s_client -verify 100 -CAfile <CA_FILE> -connect <HOST>:<PORT>`

This did in fact throw an error: "verify error:num=2:unable to get issuer certificate"

So, I downloaded a new full chain certificate, and ran the OpenSSL verify again. The error went away, and I updated my NGINX configuration to that new certificate and restarted NGINX, but Jellyfin Android is still not happy.

@gurudave Do you have any SSL settings set within the Jellyfin server? I currently do not, so am basically treating the Jellyfin server as http-only.

gurudave commented 1 year ago

@amingle4 nothing in Jellyfin, it's also http only for me. I'm using traefik as my reverse proxy - found it to be a lot more intuitive than nginx (was using that before). FWIW, I'm using acme.sh to issue Let's Encrypt certs, and I dropped the "fullchain.cer" file it produced into my traefik config.

So I don't know if it might be an nginx peculiarity, but it was jellyfin that prompted me to try traefik after I couldn't figure out the nginx config. Might be worth giving traefik a shot? Feel free to message me if you need a hand with it.

amingle4 commented 1 year ago

@gurudave That's all really helpful, thank you. I may need to take the time to make the switch. I'm using acme.sh with ZeroSSL and also had been using the fullchain.cer. So when I have time I'll try switching and seeing how it works. Lots of similarities between our setups so I should be able to get there.

amingle4 commented 1 year ago

@gurudave I have been playing around with traefik and finally have a working setup. However, I am still encountering the same issues with Jellyfin not connecting via the Android app. Would you be able to post some of your traefik configuration as it pertains to Jellyfin? There may be a setting I'm missing.

Looking at the traefik access logs, I do have one entry for Jellyfin with GET /System/Info/Public HTTP/1.1, so it does appear that the Android app is making it through the reverse proxy to Jellyfin.

amingle4 commented 1 year ago

Some more data that may be of help (this is using traefik v2).

In my Docker instance, I mapped the Jellyfin port 8096 so I can access my Jellyfin instance directly via my server IP.

If I go to http://SERVERIP:8096/system/info/public => it loads very quickly and returns: {"LocalAddress":"http://172.18.0.9:8096","ServerName":"jellyfin","Version":"10.8.4","ProductName":"Jellyfin Server","OperatingSystem":"Linux","Id":"3884546a3c324cd88ad1730c943afafe","StartupWizardCompleted":true}

If I go to https://jellyfin.MYDOMAIN.com/system/info/public => it takes about 5 seconds to load and returns: {"LocalAddress":"https://172.18.0.9:8920","ServerName":"jellyfin","Version":"10.8.4","ProductName":"Jellyfin Server","OperatingSystem":"Linux","Id":"3884546a3c324cd88ad1730c943afafe","StartupWizardCompleted":true}

My Jellyfin server has https all disabled and has no certificate information loaded, so I am wondering if the returned https and port 8920 are part of the problem here. The reverse proxy should take care of all the SSL with the client and should communicate with Jellyfin strictly via http.

Charliecoop commented 1 year ago

I notice the direct ip of the server rather than the SSL is much faster as well. It's noticeable more around the settings page in jellyfin (browser version) because the page loads first and then it can be 5 seconds to populate the fields with the current setup.


adamadavidson commented 1 year ago

I've got the same issue, with Jellyfin installed via Docker and using Nginx Proxy Manager (also installed via Docker) as the reverse proxy. It only seems to be an issue with the Jellyfin Android app. As with the others that have posted, I can access the Jellyfin server via a local domain name on 2 different Android devices via a web browser but can't connect on either of them via the Android app using the same local domain name.

The iOS app is working fine with the proxy, and I can connect to and log into the Jellyfin server using the local domain name as expected. The Fire TV stick app is also working with the proxy and local domain name.

I use PiHole for DNS and have set up local DNS records to access the server via a domain name. In PiHole, I can see DNS requests from the Android devices to the local domain (but only when accessing via the browser), from the Fire TV stick and from the iOS device (when accessing via the app or the browser), but there are no DNS queries at all in PiHole from the Android device when trying to access via the Android app. It's almost as if the Android app isn't making a DNS query at all or isn't making one to the right place (but I don't know where it is making the request to). Private DNS is turned off on the Android devices (but turning it on makes no difference either).

PiHole DNS is set at a router level and is the only DNS server mentioned in the router's settings. All other services seem to be able to resolve the local DNS domains fine (and the Android devices can do so when accessing the Jellyfin server via a browser).

Charliecoop commented 1 year ago

I can't test on iOS but I'm using Docker, Nginx Proxy Manager (via Docker) as reverse proxy and PiHole and having the same issues here in regards to Android App not working on the phone or the TV version fails too (unless it's already logged in) but browser sessions via something like Chrome are fine.

adamadavidson commented 1 year ago

To add to my earlier post, I also have Wireguard VPN set up (again as a Docker container) on the server. If I connect via Wireguard while not connected to my local network, I can then connect to the Jellyfin server via the Android app using my local domain name through the VPN tunnel.

I can only assume it's something to do with Docker/host networking, as Wireguard, Jellyfin, Pihole and Nginx Proxy Manager are all on the same Docker Network - so can easily communicate with each other.

Connecting via the Android app while on WiFi at home (without a Wireguard connection) means I'm on a local IP address but not within the Docker network that all the containers are on.

Not sure if this helps anyone diagnose the issue or just adds confusion!

Charliecoop commented 1 year ago

Hey guys,

I think I found a fix for this! Fingers crossed it works for you, please try and post here to let me know.

What I use: I use Open Media Vault, Portainer, Nginx Proxy Manager, Jellyfin.

What happened: After updating the Jellyfin server to a recent version (maybe 10.8.2 or 10.8.3), it would always fail when trying to login to the server using the Jellyfin app. Existing logins would work fine until they were logged out.

My most recent line of thought that fixed it for me: I visited https://hub.docker.com/r/linuxserver/jellyfin (which is the docker install I use) and I looked at the docker compose. I noticed it showed something under docker-usage that I swear wasn't there before:

version: "2.1"
services:
  jellyfin:
    image: lscr.io/linuxserver/jellyfin:latest
    container_name: jellyfin
    environment:

That 'JELLYFIN_PublishedServerUrl' looked kinda relevant to the conversations and comments from people in this chat. I went into Portainer and added in that bit and used the IP address of my home server where Portainer/Jellyfin and all my servers run from (I didn't specify the port). I added this single line to the environment variables (see below) and voila it started working! You will need to use the IP address of the LAN server address which is likely different for you:

JELLYFIN_PublishedServerUrl=192.168.1.159

What else this fixed: This fixed the Android App but it also fixed other issues...

I'm kinda excited it's working after this single environment variable and really hope this fixes most/everyone else. Try this out and let me know (and others) in this thread if this fixes the issue for you.

amingle4 commented 1 year ago

Yes, that looks to have done the trick for me too! Thank you for finding that. I haven't done a ton of testing, but the Android app now connects to the server. So that's a huge improvement.

Sithrazer commented 1 year ago

I've had this issue for a while and I think I have some new insights. This might get a little extraneous, but I think it's all relevant.

I just did a refresh on my home server switching from an entirely ubuntu-server based roll-my-own to truenas scale. Previously I used nginx for a reverse proxy, now using traefik on truenas. I could connect to jellyfin with a web browser from my pc, phone, and tablet, but the phone and tablet would get the 'unable to reach server' error when using the app.

When using the truecharts version of the docker images, traefik autoconfigures the reverse proxy based on network settings you configure when installing other app images. Truecharts provides a guided installer for jellyfin that includes an option for a "published udp autodiscovery url" and a box to enter other environment variables for the docker instance. I tried putting my server's URL in with both methods and neither solved the issue for me.

What did work was to use 'simple' instead of 'clusterIP' for the networking service type in the guided installer. 'clusterIP' enforces the use of the subdomain name (jellyfin.servername.lan) and disallows reaching the service by URL:PORT. 'simple' allows reaching the service by any combination of subdomain, url, and port number.

After connecting with the app and going back to the server selection screen "http: //jellyfin.servername.lan:8096" was pre-filled in the server selection box despite having entered the domain name without the port number.

It looks like the app is having an issue when it's not allowed to use a port number.

I don't know enough about nginx or traefik to figure out a test config for the reverse proxy to confirm this. Maybe if any of you guys can see if your proxy is allowing or denying attempted connections that use a port number?

Just for the record, here's my current working config docker log showing my env variables and the lack of JELLYFIN_PublishedServerUrl.

2022-09-07 05:11:48.933126+00:00[01:11:48] [INF] [1] Main: Jellyfin version: 10.8.4
2022-09-07 05:11:48.946980+00:00[01:11:48] [INF] [1] Main: Environment Variables: ["[JELLYFIN_CONFIG_DIR, /config/config]", "[JELLYFIN_DATA_DIR, /config]", "[DOTNET_SYSTEM_GLOBALIZATION_INVARIANT, 1]", "[JELLYFIN_WEB_DIR, /jellyfin/jellyfin-web]", "[JELLYFIN_CACHE_DIR, /cache]", "[JELLYFIN_LOG_DIR, /config/log]", "[JELLYFINFFMPEG, /usr/lib/jellyfin-ffmpeg/ffmpeg]"]

edit: I also see the 'slow http response' entries in my logs for browser connections in all configs, but I see fewer of them in my log after getting this workaround going.

2022-09-07 06:14:30.885166+00:00[02:14:30] [WRN] [56] Jellyfin.Server.Middleware.ResponseTimeMiddleware: Slow HTTP Response from https: //jellyfin.obfuscated.lan/Items/8757e83b98d6701739ab7758d46c4d19/Images/Primary?maxWidth=1440&tag=da0e3d1bb014483d7318c22d7496e696&quality=90 to 192.168.x.xx in 0:00:00.8417134 with Status Code 200

adamadavidson commented 1 year ago

Well, my fix proved to be simple (and embarrassingly something I should have checked first!). Like @Charliecoop, I use the linuxserver image for Jellyfin, but I already had the "JELLYFIN_PublishedServerUrl" variable set to my custom domain name. I tried changing the variable to the IP address of the server (as per Charlie's fix at https://github.com/jellyfin/jellyfin-android/issues/742#issuecomment-1236189304) but that didn't fix it for me.

What did fix it was going back and doing my port mappings properly. Because I was using Nginx Proxy Manager, I hadn't declared any ports in my docker-compose.yml as I (wrongly) assumed that NPM would deal with all the redirects when the custom domain name was called. But as soon as I declared my ports as "8096:8096" (and double-checked port 8096 was open on the server firewall), things seemed to work as expected - the Android app logs in using my custom domain, as does the Fire TV app, and I can also access via a browser as before.

Putting this here in the hope that it saves someone else the time I wasted looking for a "fix" when I should have just declared the ports properly in the first place!

For completeness, here is my docker-compose.yml (in case that helps anyone else):

version: "3.9"
services:
  jellyfin:
    image: linuxserver/jellyfin
    container_name: jellyfin
    hostname: jellyfin
    ports:
      - "8096:8096"
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/London
      - JELLYFIN_PublishedServerUrl=https://MYDOMAIN.com
    volumes:
      - ./config:/config
      - ./cache:/cache
      - /data:/media
    restart: "unless-stopped"

nayutune commented 1 year ago

I spent more than a week trying to understand why this would happen for me. None of the solutions worked for me, as in my case I was running natively on Windows.

Details: Jellyfin is on localhost. Nginx (with entirely self-signed fullchain.crt) is the proxy, and all of this is behind WireGuard with no domain name.

Opening 8096 directly and making Jellyfin accessible did make it work, but the moment you would lock it down behind proxy - The result is that it worked via the browser on Android but the moment I tried to use an app it would get stuck loading for about 5 seconds and then would fail. The logcat wasn't giving anything useful apart from "Unknown error occurred".

Solution: My issue turned out to be.. I was using "modern" protocols in my Nginx config. If you grabbed your Nginx config off of somewhere that only features protocol "TLSv1.3" - it won't work with Android versions below 10. Go take a look at https://ssl-config.mozilla.org for reference. I swapped out my "ssl_protocols" and "ssl_ciphers" to the "intermediate" configuration suggested by Mozilla's SSL config generator, restarted Nginx, and it finally connects as it should.

Other things worth noting: Make sure firewall is not blocking connections. Make sure your WireGuard port is actually forwarded and it connects properly. If you are using self-signed certificates - don't forget to install a CA certificate on the device you are connecting from.

(Jan 31/2023 Edit): If you are connecting with a VPN on a device that uses AFWall (or another firewall) with separated permissions: You need to allow VPN AND Ethernet connections for the Android client itself. Otherwise you will get into weird edge-cases where it logged you in at some point, but on another week will tell you that it can't reach the server all of a sudden once the cache gets cleaned. (You want to clean the cache of an app through Android app settings to ensure stability after every firewall adjustment.) Explanation: When you press "Connect" - VPN is likely only used at first to establish a basic connection. After that it's using Ethernet to connect because it's probably just a Web URL, which is likely why you might have noticed that it transitions out of the "server select" to an empty screen.. only to drop you back into a "server select" screen with an error.

Maxr1998 commented 1 year ago

These are some good suggestions, thanks for posting them.

Maybe we should collect all the steps into a troubleshooting guide in the repo.

bill-mcgonigle commented 1 year ago

> the solution for me was to use the fullchain.cer file instead of the .cer file and then everything started working!

This helped me along - there's no forgiveness in the SSL configuration for the client, at least on FireTV. In my case, jellyfin.iot.example.com does not match on *.example.com, so I needed to expand my letsencrypt cert to include *.iot.example.com.

What I learned along the way is to make cURL happy and then Jellyfin works:

$ curl https://jellyfin.iot.example.com/jellyfin/system/info/public
curl: (60) SSL: no alternative certificate subject name matches target host name 'jellyfin.iot.example.com'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
$ # EXPAND CERT
$ curl https://jellyfin.iot.example.com/jellyfin/system/info/public
$

neilzone commented 1 year ago

I too am having this issue, and none of the helpful suggestions so far have worked.

I am not using docker, but rather the "official" Debian jellyfin repo, and installation via apt. It is version Jellyfin.Server 10.8.7.0. It has nginx in front of it.

On the Android side, I am using the official Android client, v2.4.4, on Android 13.

On Android, I can connect and use it in the browser (Firefox), and I can, via a terminal emulator on the handset, successfully curl the URL, without certificate issues.

But I get the same outcome using the app as others here: a few seconds of waiting, and then an error message saying Tried 3 candidates for input, without success.

Looking at the nginx logs on the server, there is nothing when using the app. In other words, no (logged, at least) traffic hits the server. But when I use curl on my phone, I see entries in the logs, as expected.

If, in the Android app, I use http://ip.address.of.server:80, then I get an entry in the nginx logs - there is traffic - but the same error. If I use https/:443, no traffic (which could be a certificate issue).

gaming09 commented 1 year ago

Charliecoop

HOURS AND HOURS AND HOURS of logs, this variable wasn't in my docker image. Thank you 10000x

and 100% browsing is faster and the slow http response in my logs is gone. Honestly I was pulling my hair out over this, trying to migrate my parents connection remotely. Thank you! @JF team please sticky this somewhere

akynr commented 1 year ago

> I too am having this issue, and none of the helpful suggestions so far have worked.
>
> I am not using docker, but rather the "official" Debian jellyfin repo, and installation via apt. It is version Jellyfin.Server 10.8.7.0. It has nginx in front of it.
>
> On the Android side, I am using the official Android client, v2.4.4, on Android 13.

Dear @neilzone I do have the same setup as you, and since now had the same issues.

As far as I understand the problem lies at the TLS 1.2 compatibility. What I did:

adding intermediate config from https://ssl-config.mozilla.org to my jellyfin nginx-conf.

# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;

But changing the ssl_prefer_server_ciphers from off to on.

ssl_prefer_server_ciphers on;

This specifies that server ciphers should be preferred over client ciphers when using the SSLv3 and TLS protocols. See also here https://community.letsencrypt.org/

This should do the trick. Now it should work both for android and browser (FF, Chrome). You can check your SSL configuration afterwards here https://www.ssllabs.com/ssltest.
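
The three TLS causes reported in the comments above (a served chain without its intermediate, a TLSv1.3-only proxy, and a certificate whose names do not cover the host) can be told apart from any machine on the internal network. The script below is an added example, not part of the original thread or of Jellyfin's code; the function names, finding labels and constructed sample results are assumptions for illustration, and it verifies against the probing machine's trust store (or a CA file you pass), not Android's.

```python
"""Probe an internal HTTPS endpoint the way a strict TLS client would.

Python's ssl module (OpenSSL) does not download missing intermediates, so an
incomplete chain fails here even when a desktop browser accepts the site.
"""
import socket
import ssl
import sys
from dataclasses import dataclass
from typing import Optional

# OpenSSL X509_V_ERR_* verification codes.
CHAIN_CODES = {2, 20, 21}      # issuer / intermediate certificate not found
SELF_SIGNED_CODES = {18, 19}   # self-signed leaf, or private root not trusted
HOSTNAME_MISMATCH = 62         # no SAN entry matches the requested name
EXPIRED = 10

# Hypothetical finding labels and the fix each one points to.
ADVICE = {
    "incomplete-chain": "serve the full chain (leaf + intermediates), not the leaf alone",
    "hostname-mismatch": "reissue the certificate with a SAN covering this exact name",
    "untrusted-root": "install the private CA on the client, or pass it as cafile here",
    "expired": "renew the certificate",
    "tls13-only": "enable TLSv1.2 too (Mozilla 'intermediate' profile)",
    "no-tls": "no handshake completed: check DNS, firewall and port mapping",
}


@dataclass
class Attempt:
    label: str                         # "TLSv1_2" or "TLSv1_3"
    ok: bool
    verify_code: Optional[int] = None  # set only for certificate failures
    detail: str = ""


def handshake(host, port, version, cafile=None, timeout=5.0):
    """Try one verified handshake pinned to a single protocol version."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return Attempt(version.name, True, detail=tls.cipher()[0])
    except ssl.SSLCertVerificationError as exc:
        return Attempt(version.name, False, exc.verify_code, exc.verify_message)
    except (ssl.SSLError, OSError) as exc:
        return Attempt(version.name, False, detail=str(exc))


def probe(host, port=443, cafile=None):
    versions = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)
    return [handshake(host, port, v, cafile) for v in versions]


def diagnose(attempts):
    """Map handshake results to the causes reported in the thread."""
    by_label = {a.label: a for a in attempts}
    codes = {a.verify_code for a in attempts if a.verify_code is not None}
    findings = []
    if codes & CHAIN_CODES:
        findings.append("incomplete-chain")
    if HOSTNAME_MISMATCH in codes:
        findings.append("hostname-mismatch")
    if codes & SELF_SIGNED_CODES:
        findings.append("untrusted-root")
    if EXPIRED in codes:
        findings.append("expired")
    t12, t13 = by_label.get("TLSv1_2"), by_label.get("TLSv1_3")
    # TLS 1.3 works but 1.2 is rejected for a non-certificate reason.
    if t13 and t13.ok and t12 and not t12.ok and t12.verify_code is None:
        findings.append("tls13-only")
    if not findings and not any(a.ok for a in attempts):
        findings.append("no-tls")
    return findings


# Constructed sample results (not captured from a real server), used when the
# script is run without arguments.
SAMPLE = [
    Attempt("TLSv1_2", False, 20, "unable to get local issuer certificate"),
    Attempt("TLSv1_3", False, 20, "unable to get local issuer certificate"),
]

if __name__ == "__main__":
    # usage: python tls_probe.py HOST [PORT] [CA_FILE]
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        cafile = sys.argv[3] if len(sys.argv) > 3 else None
        results = probe(sys.argv[1], port, cafile)
    else:
        results = SAMPLE
    for a in results:
        print(f"{a.label}: {'ok' if a.ok else 'FAILED'} {a.detail}")
    for finding in diagnose(results):
        print(f"{finding}: {ADVICE[finding]}")
```
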

neilzone commented 1 year ago

> As far as I understand the problem lies at the TLS 1.2 compatibility.

How interesting. Thanks for taking the time to reply.

For no reason that I can discern, my Android client just started working one day. No server-side (e.g. nginx TLS) changes by me...

misacek007 commented 1 year ago

Having the very same problem, Jellyfin being run behind caddy proxy in a container and Android app not connecting while browser connection worked on the same device correctly. I have --published-server-url=https://outside-domain set for Jellyfin and see it in "Choose server" on Android app.

Android app started connecting correctly after switching off Nebulo app which forces dns-over-https dns resolution with AdGuard enabled. Not sure why it caused the problem.

Weedalf commented 1 year ago

I have exactly the same issue.

I am using Nginx as reverse proxy and TLD https://subdomain.example.com. I'm running the official Jellyfin Docker. And I am using Let's Encrypt.

I cannot fix this issue. HTTPS with reverse proxy does not work for me.

Things I tried:

I set up env JELLYFIN_PublishedServerUrl=192.168.x.x or subdomain.example.com => doesn't matter, no change

https://www.ssllabs.com/ssltest I got A+ but only DNS CAA no

https://ssl-config.mozilla.org/ Nginx SSL config intermediate with

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;

aidans2000 commented 1 year ago

Hopefully this will help someone in this thread - I'm using NGINX to point a subdomain to the jellyfin server app standalone (no docker container), I resolved my android app issue by fixing the incomplete certificate error reported by SSL Lab's SSL test. This was resolved for me by changing my NGINX config to use a fullchain instead of just a certificate in the ssl_certificate configuration.

1) Cloudflare DNS is set to direct a subdomain to my public IP, no passthrough, enforce SSL
2) NGINX forwards requests from my subdomain to localhost:8920 (jellyfin ssl port)
3) NGINX uses a ssl_certificate=fullchain.pem and ssl_certificate_key=privkey.pem generated by certify the web (certbot gui for windows)
4) In the jellyfin server app I had to add the pkcs#12.pfx certificate generated by certify the web (certbot gui for windows). I did not configure any additional settings, bindings, or custom domains. Only enable SSL and add the certificate path.

321Kami commented 1 year ago

I have the same issue with OpenVPN on my phone and Jellyfin behind reverse proxy. Will try workarounds from here later this week and let you know the results.

321Kami commented 1 year ago

Seems like when I clean the data and cache in the app I can connect via openvpn without issues - it's a workaround but at least it's working. I have to do it every time I'm switching between WiFi and OpenVPN

bacsom commented 11 months ago

I also had the same problem, but the SSL Test site suggested by Weedalf was very helpful. My ISP also provides an IPv6 address, but during the test, the site only gave an A+ result for IPv4, and I received an "unable to connect to the server" error for IPv6. If IPv6 is not essential, the solution is to disable it in the Synology DDNS interface. However, if you need IPv6, you must add the port and the specific address to the exceptions in your firewall (in my case, in my router, which is an ASUS AC86U). Now the SSL test runs successfully, and the previously non-functional application works over IPv6 just fine.

My system: Synology 920+, running Jellyfin in a linuxserver docker container with reverse proxy. The suggested PublishedServer option is active.

BloodyIron commented 11 months ago

This might be helpful to some here : https://github.com/jellyfin/jellyfin/issues/8457#issuecomment-1668745260

SDShannonS commented 9 months ago

I too have had this issue for months. Did some more troubleshooting on it today to no avail but I did discover one thing. At least in my instance, it doesn't seem to have anything directly to do with the reverse proxy, but rather the DDNS that the reverse proxy utilizes.

In frustration, I decided to just open up port 8096 in the firewall, forwarding it to the NAS on which Jellyfin runs, figuring that was riskier than running it through a reverse proxy but, oh well. But the problem persists. That tells me it's not a problem with the reverse proxy configuration at all since I'm completely bypassing the reverse proxy but still getting the same problem.

In the Jellyfin app, if I put in the DDNS hostname, I get the same problem. In fact, if I try connecting directly by (external) IP address, I get the same problem. Still, I can connect on my phone via Chrome browser window but the Jellyfin app refuses to connect.

So what in the world is the Jellyfin app doing to try to reach the Jellyfin server that it fails even when given the direct IP address?

habeebtc commented 8 months ago

I've been facing a similar issue @SDShannonS on Windows with NGINX proxy. I initially suspected that the issue was that /system/info/public was handing out the private IP of the server, instead of the Public TLS protected hostname/ip.

The solution for the public/private IP for Docker is to set the JELLYFIN_PublishedServerUrl variable, which I believe changes the LocalAddress that the system API provides. This is what I get on Jellyfin Windows without docker or anything:

{"LocalAddress":"http://192.168.2.155:8096","ServerName":"LILNASX","Version":"10.8.9","ProductName":"Jellyfin Server","OperatingSystem":"Windows","Id":"67825c83e4f44877a5bb4a79dcde06f7","StartupWizardCompleted":true}

I have gotten this LocalAddress to show the correct URI, by reading through the source enough to discover that the variable for this gets set by the command line option:

jellyfin.exe --published-server-url https://my.domain.com

After this I tested the public endpoint (mostly from inside my network, but didn't seem to change the results), and what I found was this:

The Windows and LG WebOS clients can both connect to my reverse proxy if I am using an external port of 443. But the Android client only seems to want to work with the SSL port of 8920. I reverted the --published-server-url parameter after confirming it didn't help.

So to summarize my setup:

Maybe someone should log an issue against the Android client? I had a look at the code, but can't eyeball where the issue is - seems like someone will need to trace through it with log entries or a debugger.

GlassedSilver commented 3 months ago

> Maybe someone should log an issue against the Android client?

That is this issue, isn't it? And it's been unfixed for one and a half years. I don't see how a fresh new issue would elevate the urgency, but I might have misunderstood something.

JManch commented 1 month ago

I noticed this issue did not occur on the first launch of the app. I could successfully add my server and login but after closing the app, all subsequent logins failed. I was able to login again if I cleared the app's storage.

I had a look at the logs using adb and noticed that on failed login attempts the app attempts to connect to localhost:

WebView : tryReconnect: http://127.0.0.1:8096|https://jellyfin.my.domain,

I've narrowed down the problem to the (deprecated but still being used?) JavaScript client API. Specifically these lines cause the issue: https://github.com/jellyfin-archive/jellyfin-apiclient-javascript/blob/0595869949a6da0b9e62f6a2c4a4e349f5282109/src/connectionManager.js#L621-L632

I've patched my Jellyfin web-server to remove those lines and my Android client works perfectly now. This isn't a proper fix as it probably breaks some other functionality that I'm not aware of. Since I only access my Jellyfin server through a reverse proxy, losing the localhost access doesn't affect me. Hopefully this helps find a proper fix.
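The two outputs quoted in the comments above (the `LocalAddress` returned by /system/info/public and the `tryReconnect` candidate list from logcat) can be checked for loopback, private-range and cleartext addresses before a client is pointed at them. This is an added example, not part of any comment in the thread and not Jellyfin code; the function names are hypothetical and the sample inputs are trimmed copies of the values quoted above.

```python
import ipaddress
import json
import re
from urllib.parse import urlsplit

# Sample inputs constructed from the outputs quoted in the thread (JSON trimmed).
PUBLIC_INFO = '{"LocalAddress":"http://192.168.2.155:8096","ServerName":"LILNASX","Version":"10.8.9"}'
LOGCAT = ["WebView : tryReconnect: http://127.0.0.1:8096|https://jellyfin.my.domain,"]
RECONNECT = re.compile(r"tryReconnect:\s*(\S+)")

def classify(url):
    """Return the set of findings for one candidate server URL."""
    parts = urlsplit(url)
    findings = set()
    if parts.scheme != "https":
        findings.add("cleartext")        # no TLS on this candidate
    host = parts.hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        if host == "localhost":
            findings.add("loopback")
        return findings                  # ordinary DNS name: nothing more to check offline
    if ip.is_loopback:
        findings.add("loopback")         # only reachable on the server itself
    elif ip.is_private:
        findings.add("private")          # internal address exposed to remote clients
    return findings

def audit_public_info(raw):
    """Check the LocalAddress a server advertises in its public system info."""
    addr = json.loads(raw).get("LocalAddress", "")
    return addr, classify(addr)

def audit_logcat(lines):
    """Map every tryReconnect candidate found in the log lines to its findings."""
    out = {}
    for m in filter(None, map(RECONNECT.search, lines)):
        for cand in m.group(1).rstrip(",").split("|"):
            if cand:
                out[cand] = classify(cand)
    return out

if __name__ == "__main__":
    print(audit_public_info(PUBLIC_INFO))
    print(audit_logcat(LOGCAT))
```
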

nielsvanvelzen commented 1 month ago

> I noticed this issue did not occur on the first launch of the app. I could successfully add my server and login but after closing the app, all subsequent logins failed. I was able to login again if I cleared the app's storage.
>
> I had a look at the logs using adb and noticed that on failed login attempts the app attempts to connect to localhost:
>
> WebView : tryReconnect: http://127.0.0.1:8096|https://jellyfin.my.domain,
>
> I've narrowed down the problem to the (deprecated but still being used?) JavaScript client API. Specifically these lines cause the issue: jellyfin-archive/jellyfin-apiclient-javascript@0595869/src/connectionManager.js#L621-L632
>
> I've patched my Jellyfin web-server to remove those lines and my Android client works perfectly now. This isn't a proper fix as it probably breaks some other functionality that I'm not aware of. Since I only access my Jellyfin server through a reverse proxy, losing the localhost access doesn't affect me. Hopefully this helps find a proper fix.

Or you could just update to 10.9.3

GlassedSilver commented 1 month ago

> I noticed this issue did not occur on the first launch of the app. I could successfully add my server and login but after closing the app, all subsequent logins failed. I was able to login again if I cleared the app's storage.
>
> I had a look at the logs using adb and noticed that on failed login attempts the app attempts to connect to localhost:
>
> WebView : tryReconnect: http://127.0.0.1:8096|https://jellyfin.my.domain,
>
> I've narrowed down the problem to the (deprecated but still being used?) JavaScript client API. Specifically these lines cause the issue: https://github.com/jellyfin-archive/jellyfin-apiclient-javascript/blob/0595869949a6da0b9e62f6a2c4a4e349f5282109/src/connectionManager.js#L621-L632
>
> I've patched my Jellyfin web-server to remove those lines and my Android client works perfectly now. This isn't a proper fix as it probably breaks some other functionality that I'm not aware of. Since I only access my Jellyfin server through a reverse proxy, losing the localhost access doesn't affect me. Hopefully this helps find a proper fix.

If I'm not mistaken the local webserver is just the UI running locally rather than being provided by the server.

That UI then accesses all endpoints on the server.

JManch commented 1 month ago

> Or you could just update to 10.9.3

Oops I was running 10.9.2. Looks like https://github.com/jellyfin/jellyfin-web/pull/5566 fixed my problem. Thanks!

lucacataldo commented 4 weeks ago

Hey all, I'm also having issues running behind a reverse proxy (using Caddy) after updating the server to 10.9.x.

I'm able to connect via Chrome & Firefox on my Pixel 7 using https (provided by Caddy) without any issues. However, when I enter the exact same address (that used to previously work prior to an upgrade to 10.9.2 initially) I get an "Unable to reach server" error and a list of attempted addresses including the address accessible via browser on that device.

I've tried:
