How to Install Jellyfin Media Server with Nginx on Ubuntu 20.04

Jellyfin is a free and open-source media streaming solution that allows you to host your own media server. It can be installed on Linux, Windows, and macOS. You can manage your media such as movies, TV shows, music, and photos, and share them across multiple devices using Jellyfin. It also provides applications for Android, Android TV, and Amazon Fire TV. It offers several features including, Supports DLNA, No playback limit, Fetch metadata automatically from TheTVDB, TheMovieDB, and Rotten Tomatoes, Automatic recordings, Supports hardware acceleration, and many more.

In this tutorial, we will explain how to install and set up a media server with Jellyfin on Ubuntu 20.04.

Prerequisites

  • A server running Ubuntu 20.04.
  • A valid domain name pointed with your server IP.
  • A root password is configured the server.

Getting Started

Before starting, update your system packages using the following command:

apt-get update -y

Once all the packages are updated, install other required dependencies with the following command:

apt-get install apt-transport-https ca-certificates gnupg2 -y

After installing all the dependencies, you can proceed to the next step.

Install Jellyfin

By default, the Jellyfin package is not available in the Ubuntu 20.04 default repository. So you will need to add the Jellyfin repository to your system. First, download and add the GPG key with the following command:

wget -O - https://repo.jellyfin.org/jellyfin_team.gpg.key | apt-key add -

Once the GPG key is added, add the Jellyfin repository to the APT with the following command:

echo "deb [arch=$( dpkg --print-architecture )] https://repo.jellyfin.org/ubuntu focal main" | tee /etc/apt/sources.list.d/jellyfin.list

Next, update the repository cache and install the Jellyfin with the following command:

apt-get update -y
apt-get install jellyfin -y

After installing Jellyfin, you can verify the status of the Jellyfin service with the following command:

systemctl status jellyfin

You should get the following output:

? jellyfin.service - Jellyfin Media Server
     Loaded: loaded (/lib/systemd/system/jellyfin.service; enabled; vendor preset: enabled)
    Drop-In: /etc/systemd/system/jellyfin.service.d
             ??jellyfin.service.conf
     Active: active (running) since Sun 2020-12-27 06:15:40 UTC; 58s ago
   Main PID: 8454 (jellyfin)
      Tasks: 16 (limit: 4691)
     Memory: 92.3M
     CGroup: /system.slice/jellyfin.service
             ??8454 /usr/bin/jellyfin --webdir=/usr/share/jellyfin/web --restartpath=/usr/lib/jellyfin/restart.sh --ffmpeg=/usr/lib/jellyfin-f>

Dec 27 06:15:48 ubuntu2004 jellyfin[8454]: [06:15:48] [INF] Registering publisher for urn:schemas-upnp-org:device:MediaServer:1 on 104.245.33.>
Dec 27 06:15:48 ubuntu2004 jellyfin[8454]: [06:15:48] [INF] Executed all pre-startup entry points in 0:00:00.6715621
Dec 27 06:15:48 ubuntu2004 jellyfin[8454]: [06:15:48] [INF] Core startup complete
Dec 27 06:15:48 ubuntu2004 jellyfin[8454]: [06:15:48] [INF] Executed all post-startup entry points in 0:00:00.3885698
Dec 27 06:15:48 ubuntu2004 jellyfin[8454]: [06:15:48] [INF] Startup complete 0:00:08.0109863
Dec 27 06:15:50 ubuntu2004 jellyfin[8454]: [06:15:50] [INF] StartupTrigger fired for task: Update Plugins
Dec 27 06:15:50 ubuntu2004 jellyfin[8454]: [06:15:50] [INF] Queueing task PluginUpdateTask
Dec 27 06:15:50 ubuntu2004 jellyfin[8454]: [06:15:50] [INF] Executing Update Plugins
Dec 27 06:15:50 ubuntu2004 jellyfin[8454]: [06:15:50] [INF] Update Plugins Completed after 0 minute(s) and 0 seconds
Dec 27 06:15:51 ubuntu2004 jellyfin[8454]: [06:15:51] [INF] ExecuteQueuedTasks

By default, Jellyfin listens on port 8096. You can verify it with the following command:

ss -antpl | grep 8096

You should get the following output:

LISTEN    0         512                      *:8096                   *:*        users:(("jellyfin",pid=8454,fd=285))                                           

At this point, Jellyfin is installed and running. You can now proceed to the next step.

Configure Nginx as a Reverse Proxy

Next, it is recommended to configure Nginx as a reverse proxy for Jellyfin. To do so, first, install the Nginx web server with the following command:

apt-get install nginx -y

Once the Nginx is installed, create a new Nginx virtual host configuration file:

nano /etc/nginx/conf.d/jellyfin.conf

Add the following lines:

server {
      listen 80;
      server_name jellyfin.yourdomain.com;

      access_log /var/log/nginx/jellyfin.access;
      error_log /var/log/nginx/jellyfin.error;

      set $jellyfin 127.0.0.1;

      location / {
          proxy_pass http://127.0.0.1:8096;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;

          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_set_header X-Forwarded-Protocol $scheme;
          proxy_set_header X-Forwarded-Host $http_host;

          # Disable buffering when the nginx proxy gets very resource heavy upon streaming
          proxy_buffering off;
      }

      # location block for /web - This is purely for aesthetics so /web/#!/ works instead of having to go to /web/index.html/#!/
      location ~ ^/web/$ {
          # Proxy main Jellyfin traffic
          proxy_pass http://$jellyfin:8096/web/index.html/;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_set_header X-Forwarded-Protocol $scheme;
          proxy_set_header X-Forwarded-Host $http_host;
      }

      location /socket {
          # Proxy Jellyfin Websockets traffic
          proxy_pass http://$127.0.0.1:8096;
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_set_header X-Forwarded-Protocol $scheme;
          proxy_set_header X-Forwarded-Host $http_host;
      }

        # Security / XSS Mitigation Headers
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Content-Type-Options "nosniff";

}

Save and close the file when you are finished. Then, verify the Nginx for any syntax error with the following command:

nginx -t

If everything is fine, you should get the following output:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Next, restart the Nginx service to apply the configuration changes:

systemctl restart nginx

You can also verify the status of the Nginx with the following command:

systemctl status nginx

You should see the following output:

? nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2020-12-27 06:18:13 UTC; 6s ago
       Docs: man:nginx(8)
    Process: 9865 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
    Process: 9879 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
   Main PID: 9883 (nginx)
      Tasks: 3 (limit: 4691)
     Memory: 3.6M
     CGroup: /system.slice/nginx.service
             ??9883 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
             ??9884 nginx: worker process
             ??9885 nginx: worker process

Dec 27 06:18:13 ubuntu2004 systemd[1]: Starting A high performance web server and a reverse proxy server...
Dec 27 06:18:13 ubuntu2004 systemd[1]: Started A high performance web server and a reverse proxy server.

At this point, Nginx is installed and configured to serve Jellyfin. You can now proceed to the next step.

Access Jellyfin Web UI

Now, open your web browser and access the Jellyfin web UI using the URL http://jellyfin.yourdomain.com. You will be redirected to the following screen:

Select your language and click on the Next button. You should see the following screen:

Providing your admin username, password and click on the Next button. You should see the following screen:

Click on the Next button. You should see the following screen:

Select your metadata language and country then click on the Next button. You should see the following screen:

Select your desired option and click on the Next button. You should see the following screen:

Click on the Finish button. You should see the Jellyfin login page:

Provide your username, password and click on the Sign In button. You should see the Jellyfin dashboard in the following screen:

You can now add your media to the library and access it over the internet.

Secure Jellyfin with Let's Encrypt

Next, you will need to install the Certbot client package to install the manage the Let's Encrypt SSL. First, install the Certbot with the following command:

apt-get install python3-certbot-nginx -y

Once the installation is finished, run the following command to install the Let's Encrypt SSL on your website:

certbot --nginx -d jellyfin.yourdomain.com

You will be asked to provide a valid email address and accept the term of service as shown below:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for jellyfin.yourdomain.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/jellyfin.conf

Next, choose whether or not to redirect HTTP traffic to HTTPS as shown bellow:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Type 2 and hit Enter to finish the installation. You should see the following output:

Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/jellyfin.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://jellyfin.yourdomain.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=jellyfin.yourdomain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/jellyfin.yourdomain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/jellyfin.yourdomain.com/privkey.pem
   Your cert will expire on 2020-10-30. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

 - We were unable to subscribe you the EFF mailing list because your
   e-mail address appears to be invalid. You can try again later by
   visiting https://act.eff.org.

Now, your website is secured with Let's Encrypt SSL. You can access it securely using the URL https://jellyfin.yourdomain.com.

Conclusion

Congratulations! you have successfully installed and configured Jellyfin with Nginx and Let's Encrypt SSL on Ubuntu 20.04 server. You can now stream your media and access it from the web browser or using the Jellyfin application. Feel free to ask me if you have any questions.

Share this page:

Suggested articles

2 Comment(s)

Add comment

Comments

By: Steve Mode at: 2022-02-11 20:14:47

I love my Jellyfin server. It does all sorts of great things and doesn't phone home -ever- like most of the competition does (cough Plex/Embly... ).  There are many things that are just a little off, especially if you want to use the web interface without a mouse.  It isn't possible.  The C# guys are 100% mousers and the UI demands this.  It is really sad that PgUp/PgDn don't work in the TV Guide grid.  Setting recordings to "record all" doesn't work consistently. and IPTV channels

cannot be recorded because ffmpeg doesn't deal with m38u streams correctly.  OTA HDHR support is very good, however and the matching of local content to metadata is much better than what Plex provides.

 HTTPS doesn't really secure anything. It just ensures that no MiTM attack happens (assuming many things).  Ref: https://www.youtube.com/watch?v=eRWbNno4sN4 - summar:

TLS Doesn’t Do Any Of These Things

 

Add Security Block Intruders Keep Your Credit Card Secret Stop Password Theft

 

What TLS Does

 

Encrypt traffic between client and server Identify server, client, or both Nothing more.

 

By: Bob at: 2022-03-30 17:19:53

Hi ! I'm trying to set up my jellyfin server to do just that and I'm in need of a few complimentary explanations (I don't know anything about netwotks...). For the domain name : I don't really know where to redirect it, is it my_public_ip:8096 and on my router I forward the port 8096 or should it be the ports for http / https. And in the Nginx configuration shoul I switch 127.0.0.1 to my_local_server_ip ? In any case thank you for that guide wich is a god send in a sea of contradictory solutions :)