How to Install Jellyfin Media Server on Debian 10

Jellyfin is an open-source media streaming system that allows you to manage and stream your media. It is a cross-platform and alternate to other applications such as Emby and Plex. With Jellyfin, you can organize and share your Media files, TV Shows, Music and Photos from the web-based interface. You can access those streamed media on your PC, Tablet, Phone, Roku and TV over the internet. Jellyfin automatically fetch metadata from TheMovieDB, OpenMovie, Rotten Tomatoes and TheTVDB database.

In this post, we will show you how to install Jellyfin media streaming server with Nginx as a reverse proxy on Debian 10.

Prerequisites

  • A server running Debian 10.
  • A valid domain name pointed with your server IP.
  • A root password is configured the server.

Getting Started

First, you will need to update your system packages with the latest version. You can update them with the following command:

apt-get update -y

Once all the packages are updated, install other required packages with the following command:

apt-get install apt-transport-https ca-certificates gnupg2 curl git -y

Once all the packages are installed, you can proceed to the next step.

Install Jellyfin

By default, the Jellyfin package is not included in the Debian 10 repository. So you will need to add the Jellyfin repository to your APT.

You can add it with the following command:

echo "deb [arch=$( dpkg --print-architecture )] https://repo.jellyfin.org/debian buster main" | tee /etc/apt/sources.list.d/jellyfin.list

Once the repository is added, add the GPG key with the following command:

wget -O - https://repo.jellyfin.org/jellyfin_team.gpg.key | apt-key add -

Next, update the repository and install Jellyfin with the following command:

apt-get update -y
apt-get install jellyfin -y

Once the Jellyfin has been installed, you can check the status of Jellyfin with the following command:

systemctl status jellyfin

You should get the following output:

? jellyfin.service - Jellyfin Media Server
   Loaded: loaded (/lib/systemd/system/jellyfin.service; enabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/jellyfin.service.d
           ??jellyfin.service.conf
   Active: active (running) since Mon 2021-03-22 08:27:42 UTC; 5min ago
 Main PID: 10192 (jellyfin)
    Tasks: 17 (limit: 4701)
   Memory: 113.9M
   CGroup: /system.slice/jellyfin.service
           ??10192 /usr/bin/jellyfin --webdir=/usr/share/jellyfin/web --restartpath=/usr/lib/jellyfin/restart.sh --ffmpeg=/usr/lib/jellyfin-ffm

Mar 22 08:27:45 debian10 jellyfin[10192]: [08:27:45] [WRN] 127.0.0.1/32: GetBindInterface: Loopback 127.0.0.1 returned.
Mar 22 08:27:45 debian10 jellyfin[10192]: [08:27:45] [INF] Executed all pre-startup entry points in 0:00:00.1545678
Mar 22 08:27:45 debian10 jellyfin[10192]: [08:27:45] [INF] Core startup complete
Mar 22 08:27:46 debian10 jellyfin[10192]: [08:27:46] [INF] Executed all post-startup entry points in 0:00:00.1976994
Mar 22 08:27:46 debian10 jellyfin[10192]: [08:27:46] [INF] Startup complete 0:00:03.6985068
Mar 22 08:27:48 debian10 jellyfin[10192]: [08:27:48] [INF] StartupTrigger fired for task: Update Plugins
Mar 22 08:27:48 debian10 jellyfin[10192]: [08:27:48] [INF] Queuing task PluginUpdateTask
Mar 22 08:27:48 debian10 jellyfin[10192]: [08:27:48] [INF] Executing Update Plugins
Mar 22 08:27:49 debian10 jellyfin[10192]: [08:27:49] [INF] Update Plugins Completed after 0 minute(s) and 0 seconds
Mar 22 08:27:49 debian10 jellyfin[10192]: [08:27:49] [INF] ExecuteQueuedTasks

At this point, Jellyfin is started and listening on port 8096. You can check it with the following command:

ss -antpl | grep 8096

Output:

LISTEN    0         128                0.0.0.0:8096             0.0.0.0:*        users:(("jellyfin",pid=10192,fd=289))                                          

Configure Nginx as a Reverse Proxy

Next, you will need to configure Nginx as a reverse proxy to access the Jellyfin on port 80.

First, install the Nginx package with the following command:

apt-get install nginx -y

Once installed, create a new Nginx configuration file with the following command:

nano /etc/nginx/conf.d/jellyfin.conf

Add the following lines:

server {
      listen 80;
      server_name jellyfin.example.com;

      access_log /var/log/nginx/jellyfin.access;
      error_log /var/log/nginx/jellyfin.error;

      set $jellyfin 127.0.0.1;

      location / {
          proxy_pass http://127.0.0.1:8096;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;

          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_set_header X-Forwarded-Protocol $scheme;
          proxy_set_header X-Forwarded-Host $http_host;

          # Disable buffering when the nginx proxy gets very resource heavy upon streaming
          proxy_buffering off;
      }

      # location block for /web - This is purely for aesthetics so /web/#!/ works instead of having to go to /web/index.html/#!/
      location ~ ^/web/$ {
          # Proxy main Jellyfin traffic
          proxy_pass http://$jellyfin:8096/web/index.html/;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_set_header X-Forwarded-Protocol $scheme;
          proxy_set_header X-Forwarded-Host $http_host;
      }

      location /socket {
          # Proxy Jellyfin Websockets traffic
          proxy_pass http://$127.0.0.1:8096;
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_set_header X-Forwarded-Protocol $scheme;
          proxy_set_header X-Forwarded-Host $http_host;
      }

        # Security / XSS Mitigation Headers
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Content-Type-Options "nosniff";
}

Save and close the file then verify the Nginx for any syntax error with the following command:

nginx -t

Output:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Next, restart the Nginx service to apply the changes:

systemctl reload nginx

Access Jellyfin

Now, open your web browser and access the Jellyfin web interface using the URL http://jellyfin.example.com. You will be redirected to the following page:

Jellyfin Media server

Select your language and click on the Next button. You should see the following page:

Set a username and password

Provide your username, password and click on the Next button. You should see the following page:

Media libraries

Click on the Next button. You should see the following page:

Language settings

Select your metadata language and click on the Next button. You should see the following page:

Configure remote access

Allow remote access and click on the Next button. Once the installation has been finished, you should see the following page:

Finish installtion

Click on the Finish button to finish the installation. You should see the Jellyfin login page:

sign in to Jellyfin

Provide your username, password and click on the Sign In button. You should see the Jellyfin dashboard in the following page:

Jellyfin Dashboard

Secure Jellyfin with Let's Encrypt SSL

Next, you will need to install the Certbot client package to install the manage the Let's Encrypt SSL. First, install the Certbot with the following command:

apt-get install python3-certbot-nginx -y

Once the installation is finished, run the following command to install the Let's Encrypt SSL on your website:

certbot --nginx -d jellyfin.example.com

You will be asked to provide a valid email address and accept the term of service as shown below:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for jellyfin.example.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/jellyfin.conf

Next, choose whether or not to redirect HTTP traffic to HTTPS as shown bellow:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Type 2 and hit Enter to finish the installation. You should see the following output:

Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/jellyfin.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://jellyfin.example.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=jellyfin.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/jellyfin.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/jellyfin.example.com/privkey.pem
   Your cert will expire on 2020-10-30. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

 - We were unable to subscribe you the EFF mailing list because your
   e-mail address appears to be invalid. You can try again later by
   visiting https://act.eff.org.

Now, your website is secured with Let's Encrypt SSL. You can access it securely using the URL https://jellyfin.example.com.

Conclusion

Congratulations! you have successfully installed Jellyfin on Debian 10 server. You can now easily share your media with your friends, family and other users.

Share this page:

Suggested articles

2 Comment(s)

Add comment

Comments

By: Paul at: 2021-08-10 14:42:14

HTTPS/SSL don't make a website secure. It just provides encryption of the packets.  If someone connects over the internet and guesses a password or knows an unpublished API into Jellyfin, they can do some harm.

Additionally, in most locations, "sharing media" commercial is illegal.

By: [email protected] at: 2021-08-10 23:28:39

There's also a docker container which I found quite easy to use