How to Install Jellyfin Media Server on Debian 12

Jellyfin is free software for building a media server. It lets you collect, manage, and stream your media files from multiple devices or clients. Jellyfin is a free and self-hosted application that can be installed on your server, so you can create your own media server in your local environment, such as at home, and then allow multiple clients and devices to access all your media files.

Jellyfin is an alternative media file server to proprietary like Emby and Plex. It allows you to manage media files from any device and anywhere.

This guide will show you how to install the Jellyfin media server on Debian 12. You will install Jellyfin via a pre-built binary package and secure it with UFW (Uncomplicated Firewall), SSL/TLS certificates from Letsencrypt, and the Apache2 reverse proxy.

Prerequisites

To begin the process, ensure you have the following:

  • A Debian 12 server with 2 or 4 GB of memory.
  • A non-root user with administrator privileges.
  • A domain name pointed to the server IP address.

Adding Jellyfin Repository

The Jellyfin media server can be installed in many ways, manually or via a pre-built package that is available for most Linux distributions. In this first step, you will add the Jellyfin repository to your Debian server.

First, run the following apt command to install dependencies to your Debian machine.

sudo apt install apt-transport-https ca-certificates gnupg curl -y

install dependdencies

Once dependencies are installed, execute the following command to add the GPG key of the jellyfin repository, which will be stored at /etc/apt/keyrings/jellyfin.gpg.

sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://repo.jellyfin.org/jellyfin_team.gpg.key | sudo gpg --dearmor -o /etc/apt/keyrings/jellyfin.gpg

Now execute the command below to add the jellyfin repository to your Debian server. After executing the command, the repository file /etc/apt/sources.list.d/jellyfin.sources will be created.

cat <<EOF | sudo tee /etc/apt/sources.list.d/jellyfin.sources
Types: deb
URIs: https://repo.jellyfin.org/$( awk -F'=' '/^ID=/{ print $NF }' /etc/os-release )
Suites: $( awk -F'=' '/^VERSION_CODENAME=/{ print $NF }' /etc/os-release )
Components: main
Architectures: $( dpkg --print-architecture )
Signed-By: /etc/apt/keyrings/jellyfin.gpg
EOF

add repository

Lastly, update and refresh your Debian package index using the apt update command below.

sudo apt update

You should see the jellyfin repository added to the system repository list.

refresh repo

Installing and Managing Jellyfin

With the jellyfin repository added, you're ready to install the jellyfin media server. Complete these steps to install jellyfin and learn how to manage the jellyfin service via systemctl.

Execute the apt install command below to install the jellyfin media server. Type y for the confirmation and press ENTER to proceed.

sudo apt install jellyfin

install jellyfin

After installation, ensure the Jellyfin service is running and enabled using the command below.

sudo systemctl is-enabled jellyfin
sudo systemctl status jellyfin

If running, you should see the output active (running). When enabled, the output you should get is enabled. This means the Jellyfin will start automatically upon the system boot.

verify jellyfin

By default, Jellyfin is running in localhost with port 8096. Execute the ss command below to verify the ports list on your Debian system.

ss -tulpn

You can expect to see port 8096 is used by the Jellyfin media server.

checking jellyfin port

Lastly, run the following systemctl command to start, stop, or restart the Jellyfin service.

sudo systemctl start jellyfin
sudo systemctl stop jellyfin
sudo systemctl restart jellyfin

Security Settings with UFW

In the following section, you will secure your Jellyfin media server via UFW. You will install UFW and and then open HTTP and HTTPS protocols for client access. You must open HTTP and HTTPS protocols because you will be using Apache2 as a reverse proxy.

First, install UFW via the apt install command below.

sudo apt install ufw -y

install ufw

Once UFW installed, run the ufw command below to add the OpenSSH service, then start and enable UFW.

sudo ufw allow OpenSSH
sudo ufw enable

Type y when prompted and UFW should be running and enabled.

Now run the command below to add the WWW Full profile and verify the UFW status. The WWW Full profile will open both HTTP and HTTPS protocols on your Debian system.

sudo ufw allow "WWW Full"
sudo ufw status

The output should indicate that UFW is active with enabled OpenSSH and WWW Full profiles.

setup ufw

Installing and Configuring Apache2 as Reverse Proxy

In this guide, you will run the Jellyfin media server within Apache2 as a reverse proxy. You'll also secure your installation with SSL/TLS certificates generated via Certbot and Letsencrypt.

Now, complete the following tasks: install Apache2 and Certbot, generate SSL/TLS certificates, and create the Apache2 virtual host configuration for the Jellyfin media server.

Installing Apache2 and Certbot

First, run the following command to install the Apache2 web server and Certbot. Type y for the confirmation and press ENTER.

sudo apt install apache2 certbot

install apache2 certbot

After installation is finished, the apache2 service should be running and enabled by default. Verify it using the systemctl command below.

sudo systemctl is-enabled apache2
sudo systemctl status apache2

The output enabled indicates that the apache2 service will start automatically at boot. And the output active (running) indicates the status of the service is running.

checking apache2

Generating SSL/TLS Certificates with Certbot

Before generating SSL/TLS certificates, enable some Apache2 modules via the a2enmod command and restart the Apache2 service.

sudo a2enmod proxy proxy_http ssl proxy_wstunnel remoteip http2 headers
sudo systemctl restart apache2

Now run the following command to create a new directory /var/www/html/jellyfin/public_html and change the ownership to the www-data user and group. This directory will be used as a temporary web-root directory for generating SSL/TLS certificates.

sudo mkdir -p /var/www/html/jellyfin/public_html
sudo chown -R www-data:www-data /var/www/html/jellyfin/public_html

Next, run the certbot command below to generate new SSL/TLS certificates. Ensure to change the email address and domain name before executing the command.

sudo certbot certonly --agree-tos --email [email protected] --no-eff-email --webroot -w /var/www/html/jellyfin/public_html -d media.howtoforge.local

After the process, your SSL/TLS certificates will be available in /etc/letsencrypt/live/domain.com directory. The file fullchain.pem is the public key and the privkey.pem is the private key.

Configuring Apache2 as a Reverse Proxy

Create a new virtual host configuration /etc/apache2/sites-available/jellyfin.conf using the following nano editor command.

sudo nano /etc/apache2/sites-available/jellyfin.conf

Insert the configuration below and be sure to change the domain name, the path of SSL/TLS certificates, and the server IP address with your information. With this, you will set up Apache2 as a reverse proxy for the jellyfin media server that is running on port 8096.

<VirtualHost *:80>
    ServerName media.howtoforge.local

    # Comment to prevent HTTP to HTTPS redirect
    Redirect permanent / https://media.howtoforge.local/

    ErrorLog /var/log/apache2/media.howtoforge.local-error.log
    CustomLog /var/log/apache2/media.howtoforge.local-access.log combined
</VirtualHost>

# If you are not using an SSL certificate, replace the 'redirect'
# line above with all lines below starting with 'Proxy'
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName media.howtoforge.local
    # This folder exists just for certbot(You may have to create it, chown and chmod it to give apache permission to read it)
    DocumentRoot /var/www/html/jellyfin/public_html

    ProxyPreserveHost On

    # Letsencrypt's certbot will place a file in this folder when updating/verifying certs
    # This line will tell Apache to not to use the proxy for this folder.
    ProxyPass "/.well-known/" "!"

    # Tell Jellyfin to forward that requests came from TLS connections
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"

    ProxyPass "/socket" "ws://192.168.10.15:8096/socket"
    ProxyPassReverse "/socket" "ws://192.168.10.15:8096/socket"

    ProxyPass "/" "http://192.168.10.15:8096/"
    ProxyPassReverse "/" "http://192.168.10.15:8096/"

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/media.howtoforge.local/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/media.howtoforge.local/privkey.pem
    Protocols h2 http/1.1

    # Enable only strong encryption ciphers and prefer versions with Forward Secrecy
    SSLCipherSuite HIGH:RC4-SHA:AES128-SHA:!aNULL:!MD5
    SSLHonorCipherOrder on

    # Disable insecure SSL and TLS versions
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

    ErrorLog /var/log/apache2/media.howtoforge.local-error.log
    CustomLog /var/log/apache2/media.howtoforge.local-access.log combined
</VirtualHost>
</IfModule>

Save the file and exit the editor when finished.

Next, run the a2ensite command below to activate the virtual host jellyfin.conf, then verify your Apache2 syntax.

sudo a2ensite jellyfin.conf
sudo apachectl configtest

If you've proper Apache2 syntax, you should get an output Syntax OK.

setup apache2

Now restart the apache2 service using the below command to apply the changes. Your jellyfin installation should be running and secured under the Apache2 reverse proxy.

sudo systemctl restart apache2

Lunch your web browser and visit the domain name of your Jellyfin installation, such as https://media.howtoforge.local/. If the configuration is successful, you should get the Jellyfin installation wizard like this:

welcome page

Jellyfin Media Server Installation

In the following step, you'll complete the Jellyfin media server configuration via the installation wizard.

First, select the default language for your Jellyfin installation and click Next.

default language

Now, create a new admin user for your Jellyfin installation. Input your username and password, then click Next.

setup user

For the media libraries, you can configure them later. Click Next to continue.

libraries

Select your preferred Metadata language for your libraries and click Next.

metadata language

Check the option Allow remote connections to enable remote access to your jellyfin media server. Also, you can enable port mapping by checking the option. Then, click Next.

allow remote connections

If your configuration is successful, you should get the message You're Done!. Click Finish to complete the jellyfin installation.

installation finished

Now, you should be redirected to the Jellyfin login page. Input your admin user and password for Jellyfin, then click Sign In.

login to jellyfin

If everything goes well, you should get the Jellyfin administration dashboard like this:

user dashboard

Lastly, click on the Dashboard menu in the Administration section. You should see detailed information about your Jellyfin media server installation:

administration dashboard

Conclusion

As a wrap-up of this guide, you have finished the installation of the Jellyfin media server on Debian 12 with Apache2 reverse proxy and SSL/TLS from Letsencrypt. You've also secured your jellyfin server with UFW and completed the basic configuration of the Jellyfin media server. You can create a new media library and upload your media files to Jellyfin.

Share this page:

0 Comment(s)