‍

Jellyfin is a powerful and free media server that allows you to manage and stream your media files from multiple devices or clients. It provides an alternative to proprietary media servers like Emby and Plex, giving you complete control over your media collection. In this guide, we will walk you through the process of installing Jellyfin on a Debian 12 server, securing it with UFW (Uncomplicated Firewall), SSL/TLS certificates from Letsencrypt, and setting up Apache2 as a reverse proxy.

Prerequisites

Before we begin, make sure you have the following:

• A Debian 12 server with 2 or 4 GB of memory.
• A non-root user with administrator privileges.
• A domain name pointed to the server’s IP address.

Adding Jellyfin Repository

To install Jellyfin, we first need to add the Jellyfin repository to our Debian server. This can be done by following these steps:

1. Install the necessary dependencies by running the following command:

   sudo apt install apt-transport-https ca-certificates gnupg curl -y

2. Next, add the GPG key of the Jellyfin repository by executing the following command:

sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://repo.jellyfin.org/jellyfin_team.gpg.key | sudo gpg --dearmor -o /etc/apt/keyrings/jellyfin.gpg

3. Now, add the Jellyfin repository to your Debian server by running the command below:

at <<EOF | sudo tee /etc/apt/sources.list.d/jellyfin.sources
Types: deb
URIs: https://repo.jellyfin.org/$( awk -F'=' '/^ID=/{ print $NF }' /etc/os-release )
Suites: $( awk -F'=' '/^VERSION_CODENAME=/{ print $NF }' /etc/os-release )
Components: main
Architectures: $( dpkg --print-architecture )
Signed-By: /etc/apt/keyrings/jellyfin.gpg
EOF

4. Finally, update your Debian package index to include the Jellyfin repository:

   sudo apt update

Installing and Managing Jellyfin

Now that we have added the Jellyfin repository, we can proceed with the installation of the Jellyfin media server. Follow these steps to install Jellyfin and learn how to manage the Jellyfin service:

1. Install Jellyfin by running the following command:

   sudo apt install jellyfin

2. After the installation is complete, check if the Jellyfin service is running and enabled:

   sudo systemctl is-enabled jellyfin
   sudo systemctl status jellyfin

The output should indicate that the service is enabled and running.

3. By default, Jellyfin runs on localhost with port 8096. You can verify this by checking the ports list on your Debian system:

   ss -tulpn

Port 8096 should be used by the Jellyfin media server.

4. You can start, stop, or restart the Jellyfin service using the following commands:

   sudo systemctl start jellyfin
   sudo systemctl stop jellyfin
   sudo systemctl restart jellyfin

Now that Jellyfin is installed and running, let’s move on to securing it with UFW.

Security Settings with UFW

In this section, we will secure the Jellyfin media server using UFW (Uncomplicated Firewall) and open the necessary ports for client access. To do this, follow these steps:

1. Install UFW by running the following command:

   sudo apt install ufw -y

2. Once UFW is installed, add the OpenSSH service to the firewall and start and enable UFW:

   sudo ufw allow OpenSSH
   sudo ufw enable

Type “y” when prompted and UFW should be running and enabled.

3. Add the “WWW Full” profile to allow HTTP and HTTPS protocols on your Debian system:

   sudo ufw allow "WWW Full"

4. To verify the status of UFW, run the following command:

   sudo ufw status

The output should indicate that UFW is active and the OpenSSH and WWW Full profiles are enabled.

With UFW configured, let’s proceed to set up Apache2 as a reverse proxy for Jellyfin.

Installing and Configuring Apache2 as Reverse Proxy

To run Jellyfin within Apache2 as a reverse proxy and secure the installation with SSL/TLS certificates, follow these steps:

1. Install Apache2 and Certbot by running the following command:

   sudo apt install apache2 certbot

2. After the installation is complete, check if the Apache2 service is running and enabled:

   sudo systemctl is-enabled apache2
   sudo systemctl status apache2

The output should indicate that the service is enabled and running.

3. Before generating SSL/TLS certificates with Certbot, enable the necessary Apache2 modules and restart the Apache2 service:

   sudo a2enmod proxy proxy_http ssl proxy_wstunnel remoteip http2 headers
   sudo systemctl restart apache2

4. Create a new directory for the temporary web-root and change its ownership:

   sudo mkdir -p /var/www/html/jellyfin/public_html
   sudo chown -R www-data:www-data /var/www/html/jellyfin/public_html

5. Generate new SSL/TLS certificates using Certbot. Replace the email address and domain name with your own information:

 sudo certbot certonly --agree-tos --email test@example.com --no-eff-email --webroot-w /var/www/html/jellyfin/public_html -d media.example.com

After the process, your SSL/TLS certificates will be available in the /etc/letsencrypt/live/example.com directory.

6. Create a new virtual host configuration for Jellyfin by running the following command:

   sudo nano /etc/apache2/sites-available/jellyfin.conf

7. Insert the following configuration, replacing the placeholders with your own information:

<VirtualHost *:80>
    ServerName media.example.io

    # Comment to prevent HTTP to HTTPS redirect
    Redirect permanent / https://media.example.io/

    ErrorLog /var/log/apache2/media.example.io-error.log
    CustomLog /var/log/apache2/media.example.io-access.log combined
</VirtualHost>

# If you are not using an SSL certificate, replace the 'redirect'
# line above with all lines below starting with 'Proxy'
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName media.example.io
    # This folder exists just for certbot(You may have to create it, chown and chmod it to give apache permission to read it)
    DocumentRoot /var/www/html/jellyfin/public_html

    ProxyPreserveHost On

    # Letsencrypt's certbot will place a file in this folder when updating/verifying certs
    # This line will tell Apache to not to use the proxy for this folder.
    ProxyPass "/.well-known/" "!"

    # Tell Jellyfin to forward that requests came from TLS connections
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"

    ProxyPass "/socket" "ws://192.168.10.15:8096/socket"
    ProxyPassReverse "/socket" "ws://192.168.10.15:8096/socket"

    ProxyPass "/" "http://192.168.10.15:8096/"
    ProxyPassReverse "/" "http://192.168.10.15:8096/"

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/media.example.io/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/media.example.io/privkey.pem
    Protocols h2 http/1.1

    # Enable only strong encryption ciphers and prefer versions with Forward Secrecy
    SSLCipherSuite HIGH:RC4-SHA:AES128-SHA:!aNULL:!MD5
    SSLHonorCipherOrder on

    # Disable insecure SSL and TLS versions
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

    ErrorLog /var/log/apache2/media.example.io-error.log
    CustomLog /var/log/apache2/media.example.io-access.log combined
</VirtualHost>
</IfModule>

8. Save the file and exit the editor.
9. Enable the virtual host configuration and verify Apache2 syntax:

   sudo a2ensite jellyfin.conf
   sudo apachectl configtest

If the syntax is correct, you should see “Syntax OK” as the output.

10. Restart the Apache2 service to apply the changes:

    sudo systemctl restart apache2

With Apache2 configured as a reverse proxy, let’s move on to the final steps of the installation process.

Completing the Jellyfin Installation

1. Open your web browser and visit the domain name of your Jellyfin installation. For example, https://media.example.com/.
2. If the configuration is successful, you should see the Jellyfin installation wizard.
3. Select the default language for your Jellyfin installation and click “Next”.
4. Create a new admin user for your Jellyfin installation by entering your desired username and password. Click “Next”.
5. Configure your media libraries later or click “Next” to proceed.
6. Select your preferred Metadata language for your libraries and click “Next”.
7. Enable remote connections and port mapping if desired, then click “Next”.
8. If the configuration is successful, you should see the message “You’re Done!”. Click “Finish” to complete the Jellyfin installation.
9. You will be redirected to the Jellyfin login page. Enter your admin username and password, then click “Sign In”.
10. If everything goes well, you should see the Jellyfin administration dashboard.
11. To access the Jellyfin dashboard later, click on the “Dashboard” menu in the Administration section.

Congratulations! You have successfully installed Jellyfin on Debian 12 with Apache2 as a reverse proxy and SSL/TLS encryption. You can now start managing and streaming your media files from multiple devices.

In conclusion, Jellyfin offers a free and self-hosted solution for building your own media server. With its easy installation process and powerful features, Jellyfin provides a convenient way to access and manage your media files. By following the steps outlined in this guide, you can create a reliable and secure media server for your personal use.

For reliable and high-performance hosting solutions for your Jellyfin media server, consider Shape.host’s SSD Linux VPS services. With their scalable and secure cloud hosting options, you can ensure optimal performance and accessibility for your media files. Shape.host’s SSD Linux VPS is the perfect choice for hosting your Jellyfin media server and providing an exceptional streaming experience to your users.

Christian Wells