How to Install Jellyfin Media Server on Debian 12, 11 or 10

In the ever-evolving landscape of digital media management, Jellyfin Media Server emerges as a formidable contender. For those leveraging Debian systems, integrating Jellyfin can significantly enhance your multimedia experience. This guide is tailored to demonstrate how to install Jellyfin Media Server on Debian 12 Bookworm, Debian 11 Bullseye, or Debian 10 Buster, ensuring you have an efficient and user-centric media server.

Jellyfin’s Noteworthy Features:

• Unwavering Control: With Jellyfin, you’re in the driver’s seat. Say goodbye to unwanted tracking or data collection. Your media, your rules.
• Community-Driven Development: Being open-source, Jellyfin thrives on community contributions. This collaborative approach guarantees continuous improvements and timely security patches.
• Zero Costs: Jellyfin is devoid of hidden charges or premium tiers. Every feature is accessible without any financial commitments.
• Broad Device Support: Jellyfin’s adaptability is commendable. Whether using a smartphone, smart TV, or a web browser, Jellyfin ensures a seamless streaming experience.
• Intuitive User Interface: Navigating through Jellyfin is a breeze, thanks to its user-friendly design, which facilitates effortless media management and access.
• Tailored Experience: Jellyfin’s customization options are vast. From interface personalization to user management and parental controls, Jellyfin caters to diverse user needs.

On the technical front, Jellyfin’s dependency on FFmpeg 5, a renowned multimedia software suite, is pivotal. While this suite is essential for Jellyfin’s functionality, Debian 11 Bullseye and Debian 10 Buster users can breathe easily, as Jellyfin’s repositories provide the necessary compiled upgrades for these Debian versions.

Having highlighted Jellyfin Media Server’s distinct advantages, the subsequent sections of this guide will delve into its installation process on Debian systems.

Install Jellyfin Media Server on Debian 12, 11, or 10 via APT

Step 1: Refreshing Debian System Before Jellyfin Installation

Starting on a clean slate ensures optimal compatibility with Jellyfin. Consequently, the first step is to update the Debian system, aligning all packages to their latest versions. This act minimizes the chance of encountering compatibility issues during the installation process.

Invoke the terminal and input:

sudo apt update && sudo apt upgrade

This dual command will refresh all existing packages, ensuring an updated system.

Step 2: Install Required Jellyfin Installation Packages

Next on our checklist is to acquire the necessary packages vital for Jellyfin’s successful installation. The packages can vary based on the Debian version and distribution in use.

Access the terminal and run:

sudo apt install software-properties-common apt-transport-https ca-certificates curl -y

This command will download several critical packages:

• apt-transport-https allows Debian to fetch packages securely over HTTPS.
• ca-certificates stores SSL certificates, verifying the authenticity of the websites from which packages are downloaded.
• curl is a command-line tool that allows files to be downloaded from the internet.

Step 3: Import Jellyfin Media Server APT Repositories

Jellyfin Media Server isn’t available in the default repository. Thus, we must import the Jellyfin GPG key and repository to install. This step verifies the authenticity of the Jellyfin package.

Begin by importing the GPG key. In the terminal, run:

curl -fsSL https://repo.jellyfin.org/debian/jellyfin_team.gpg.key | sudo gpg --dearmor -o /usr/share/keyrings/jellyfin.gpg > /dev/null

Following the import of the GPG key, the Jellyfin repository needs to be added. You have a choice between the stable and unstable versions. While the stable version offers a well-tested, reliable experience, the unstable version allows access to the latest, albeit less tested, features.

Stable Jellyfin Version, run:

echo "deb [arch=$( dpkg --print-architecture ) signed-by=/usr/share/keyrings/jellyfin.gpg] https://repo.jellyfin.org/debian $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/jellyfin.list

Unstable Jellyfin Version, run:

echo "deb [arch=$( dpkg --print-architecture ) signed-by=/usr/share/keyrings/jellyfin.gpg] https://repo.jellyfin.org/debian $(lsb_release -cs) unstable" | sudo tee /etc/apt/sources.list.d/jellyfin.list

To update your system with the newly added repository, run the following:

sudo apt update

After executing this command, the system’s repository listing will be updated, ensuring recognition of the Jellyfin Media Server.

Step 4: Install Jellyfin Media Server via APT Command

Having imported the Jellyfin repository and GPG key, it’s time to move forward with installing the Jellyfin Media Server. The process is straightforward and completed with a simple command:

sudo apt install jellyfin jellyfin-ffmpeg5 jellyfin-server jellyfin-web

The command above directs the system to fetch and install the Jellyfin package from the repository we added earlier. Upon successful execution, the Jellyfin service will be installed and automatically start running on your Debian system.

To confirm that the Jellyfin service is operational and running as expected, execute the following command:

systemctl status jellyfin

The output of this command will provide the current status of the Jellyfin service. A successful installation will indicate an “active” or “running” status. If, for some reason, the Jellyfin service is not running, you can manually start it with the following:

sudo systemctl start jellyfin

For a smooth user experience, it is recommended to set Jellyfin to start automatically upon system boot. This way, your media server will be ready anytime you boot up your system.

Use the following command to enable the Jellyfin service to start on boot:

sudo systemctl enable jellyfin

At this juncture, the Jellyfin Media Server should be successfully installed and set to run automatically during system boot. You can now use Jellyfin to organize, manage, and stream your media content in a customized and efficient way.

Initial Setup of Jellyfin Media Server on Debian 12, 11 or 10

Once the Jellyfin Media Server installation is completed, the journey towards shaping your personalized media center begins. The following guidelines will walk you through the initial configuration of the Jellyfin Media Server.

Step 1: Accessing the Jellyfin Web UI

First, to bring the Jellyfin server into action, you need to access its Web User Interface (Web UI). To do so, open your preferred web browser and navigate to the IP address of your Debian server, suffixed by the default Jellyfin port 8096.

For instance, if you are accessing the Jellyfin server on the machine where it’s installed, you can type the following URL in your browser’s address bar:

http://127.0.0.1:8096

Upon hitting enter, you’ll be greeted by the Jellyfin welcome screen, marking the commencement of the initial server setup process.

Remember to replace 127.0.0.1 with the actual IP address of your server if you’re accessing the Jellyfin server from a different machine.

Step 2: Setting the Jellyfin Media Server Display Language

During the initial setup of your Jellyfin server, the first task is to choose your preferred display language for the Jellyfin interface.

After selecting, hit the “Next ->” button to advance to the subsequent step.

Step 3: Creating a Jellyfin Media Server Administrative Account

Next, you’ll be guided to create a username and password for your Jellyfin account. This account will provide administrative privileges on the Jellyfin server, empowering you to manage media libraries and user accounts and tweak server settings.

Craft a strong and unique password incorporating uppercase and lowercase letters, numbers, and symbols to ensure robust security for your Jellyfin server.

Once you’ve set up your username and password, click the “Next ->” button to proceed.

Step 4: Configuring Jellyfin Media Libraries

The fourth step in the Jellyfin server setup is the configuration of your media libraries. Media libraries are where you add and organize your media content on Jellyfin. You can establish multiple libraries for different media types, such as movies, TV shows, and music.

Add your media files to these libraries to sort and display your media content on Jellyfin. This can be accomplished by clicking the large “+” or “Add Media Library” button from the Jellyfin dashboard.

Step 5: Adding Media Content to Jellyfin Media Server

Adding your media content to Jellyfin is straightforward. Once you’ve selected the “Add Media Library” button, you can designate the media type you wish to add, such as movies, TV shows, or music. Follow the prompts to incorporate your media folder. Additionally, you can specify the metadata language for your media content. The metadata language provides supplementary information such as episode descriptions, actor bios, and album artwork.

Once you’ve added your media libraries, you can proceed to the next step by clicking the “Next ->” button.

Step 6: Setting Metadata Language on Jellyfin Media Server

The subsequent screen is the Metadata Language screen, where you can pick your preferred language for the metadata of your media content. The metadata enriches your media content with additional information, including cast and crew details, plot summaries, and reviews.

Step 7: Configuring Jellyfin Media Server Remote Access

The next step in setting up the Jellyfin server is enabling remote access. This feature lets you access your media from anywhere with an internet connection.

To set this up:

1. Enable remote connections to your Jellyfin server.
2. Turn on automatic port mapping. This ensures incoming traffic routes correctly to your Jellyfin server for continuous streaming.

If you have no desire for remote access, disable it.

If you’re unfamiliar with the concept, automatic port mapping redirects network traffic from one port to another. This is key for securing your media content, ensuring that only authorized traffic reaches your media files and network.

Once you have decided what is required for your remote access setup, click the “Next ->” button to proceed.

Step 8: Completing the Initial Setup

Having reached this point, you’re just one click away from finishing the initial setup of your Jellyfin server. After completing the above steps, the following screen will confirm that the installation process is over and your server is ready for action.

Step 9: Logging into the Jellyfin Server

After the setup, it’s time to step into your media server. Navigate to the Jellyfin Web UI, and enter the username and password you set up during the initial configuration.

Hit the “Sign in” button and dive into your personal media world.

Step 10: Explore the Jellyfin Media Server Dashboard

The dashboard is your command center once you log into your Jellyfin server. From here, you can manage your media libraries and user accounts and tweak server settings. Here are a few operations that you can carry out from the dashboard:

• Adding More Media Content: You can continually enrich your Jellyfin server by adding more media content. To do so, click the “Add Media Library” button and select the media type you want to add, such as movies, TV shows, or music. You’ll need to provide the necessary information, such as the library’s name, the location of the media files, and any specific settings for the media type.
• Configuring Customizations: To further enhance your viewing experience, Jellyfin allows you to customize the look and feel of your server. Configure customizations such as themes, language, and metadata by clicking on the “Dashboard” button and then selecting “General” or “Display” settings to make changes.
• Managing Users: As an administrator, you can manage access to your media content by adding, removing, and modifying user accounts. To carry out these operations, click on the “Users” button on the dashboard, then select “Add User” or “Edit User”.

Troubleshooting: How to Reset Jellyfin Media Server Initial Setup

There may be times when you encounter issues during the initial setup of your Jellyfin media server, or perhaps you wish to redo the setup for other reasons. Thankfully, resetting the setup process is a relatively uncomplicated procedure. By changing the IsStartupWizardCompleted value in the system.xml file and subsequently restarting the Jellyfin server, you can start the setup process anew.

Let’s dive into the step-by-step guide on how to achieve this:

Step 1: Accessing the system.xml File

To access the system.xml file, we will utilize a built-in Linux command-line text editor called nano. Nano is a friendly, easy-to-use text editor installed on most Linux distributions by default. The command to open system.xml using nano is as follows:

sudo nano /etc/jellyfin/system.xml

Executing this command opens the system.xml file in the nano text editor, allowing you to make alterations to the file.

Step 2: Modifying the ‘IsStartupWizardCompleted’ Value

Within the system.xml file, you’ll find a value named IsStartupWizardCompleted. This value is pivotal in whether the setup wizard appears when you access the Jellyfin Web UI. It essentially acts as a toggle, with ‘true’ indicating that the setup has been completed and ‘false’ implying that it hasn’t.

Here is what the value looks like when the setup is marked as completed:

<IsStartupWizardCompleted>true</IsStartupWizardCompleted>

To reset the setup process, you’ll need to change this value to false. To do this, replace the line with the following:

<IsStartupWizardCompleted>false</IsStartupWizardCompleted>

Once you’ve made this change, it tells the Jellyfin server that the initial setup is incomplete, enabling you to start over from the beginning.

Step 3: Restarting the Jellyfin Server

With the necessary changes made to system.xml, it’s crucial to ensure these changes take effect. This can be done by restarting the Jellyfin server with the following command:

sudo systemctl restart jellyfin

This command tells the systemd utility, a system and service manager in Linux, to stop and then start the Jellyfin server again. Systemd then implements the changes we made in system.xml.

Step 4: Initiating the Setup Process Again

Once you’ve restarted the Jellyfin server, you are ready to restart the setup process. You can do this by navigating to the Jellyfin Web UI via http://127.0.0.1:8096. From here, you can proceed with the setup process as if it were your first time setting up Jellyfin.

Setup Permissions for Jellyfin Media Drives on Debian 12, 11, or 10

Establishing the appropriate permissions is one key step in configuring your Jellyfin media server on your Debian system. This gives Jellyfin the necessary access to read and manage your media directories.

Unlike the traditional chown and chgrp commands in Linux change the ownership of files and directories; we’ll be using the setfacl command. The setfacl command provides more granular control over access permissions, which is useful when managing complex applications like Jellyfin.

Step 1: Installing the ACL Package

The Access Control List (ACL) package in Linux enhances the permission model, and it’s necessary for using the setfacl command. To ensure you have it installed, you can use the apt package manager with the following command:

sudo apt install acl -y

The sudo prefix runs the command with superuser permissions, apt is the package manager used to install, update, or remove software on Debian, and install acl is the instruction to install the ACL package.

Step 2: Granting Jellyfin Access to Media Directories

Once you’ve ensured that ACL is installed, you can grant Jellyfin the necessary permissions to access your media directory and subdirectories. The following command applies the permissions recursively, using the -R flag, which ensures all subdirectories and files within are also updated:

sudo setfacl -R -m u:jellyfin:rx /media/mymediadrive

In this command, setfacl is setting the access control list, -R applies the command recursively, -m modifies the ACL, u:jellyfin:rx grants the user ‘jellyfin’ read (r) and execute (x) permissions, and /media/mymediadrive is the path to your media directory.

Step 3: Assigning Permissions to Individual Files or Directories

In cases where you need to assign permissions to individual media directories or files, the command is slightly different.

The -R recursive flag is omitted, as shown below:

sudo setfacl -m u:jellyfin:rx /media/mymediadrive/example-name-of-file-or-directory

Additional Jellyfin Media Permission Command Examples

If you want to modify the permissions for multiple directories at once, you can do so by listing them one after the other, separated by spaces:

sudo setfacl -m u:jellyfin:rx /media/mymediadrive/dir1 /media/mymediadrive/dir2 /media/mymediadrive/dir3

Or, if you want to remove a specific permission, you can do so using the -x flag, followed by the user and the permission:

sudo setfacl -x u:jellyfin:r /media/mymediadrive

This command removes the read permission for Jellyfin on the specified directory.

To summarize this section, the setfacl command provides versatile control over permissions for your Jellyfin server. By properly setting up permissions for your media directories, you ensure the smooth operation of your Jellyfin server.

Further Commands For Jellyfin Media Server on Debian 12, 11, or 10

Let’s delve deeper into the configuration of your Jellyfin media server on your Debian system. This section will cover setting up a Secure Shell (SSH) tunnel for remote access and configuring the UFW firewall for managing network traffic. Both steps are essential for enhancing the functionality and security of your media server.

Setup SSH for Remote Access

SSH, or Secure Shell, is a network protocol that provides a secure way to access a remote computer. It is beneficial if you intend to access your Debian Jellyfin media server from a different location.

Step 1: Install SSH Server for Jellyfin Access

Installing an SSH server on your Debian machine is the first step towards remote access. Execute the following command in your terminal to install the openssh-server package:

sudo apt install openssh-server

Here, the sudo command is used to execute the command with superuser permissions. The apt install command is the package manager used on Debian to manage software installations, and openssh-server is the package we are installing.

Step 2: Connecting to Jellyfin Media Server via SSH Tunnel

After successfully installing the SSH server, you can connect to your Jellyfin media server remotely. You can create an SSH tunnel using your server’s IP address. Replace {server-ip-address} with your actual server’s IP address in the following command:

ssh {server-ip-address} -L 8096:localhost:8096

The SSH command initiates a secure connection to the server, and the -L flag binds a local port (the first 8096) to an IP address and port on the remote server (localhost:8096). In other words, it forwards connections from your local machine to the remote server.

Step 3: Accessing Jellyfin Media Server through SSH Tunnel

With the SSH tunnel created, you can now access the Jellyfin Media Server through this URL in your web browser:

http://localhost:8096/web/index.html#/wizardstart.html

The http://localhost:8096/web address redirects HTTP requests to the remote server. Once the initial setup is complete, you can access your Jellyfin media server by replacing {server-ip-address} with your remote server IP address at https://{server-ip-address}:8096.

Installation and Configuration of the UFW Firewall

UFW, or Uncomplicated Firewall, is a user-friendly front-end for managing iptables firewall rules. It’s essential for controlling incoming and outgoing network traffic on your Debian server.

Step 1: Enabling the UFW Firewall

UFW is not enabled by default in Debian, so you must enable it manually. To turn on the UFW firewall, enter the following command in your terminal:

sudo apt install ufw
sudo ufw enable

Step 2: Allowing Incoming Traffic on Port 8096

After activating the UFW firewall, you must allow incoming traffic on port 8096, as the Jellyfin Media Server requires this to function correctly. Execute the following command to open port 8096:

sudo ufw allow 8096

This instruction lets incoming traffic pass through port 8096, ensuring the Jellyfin Media Server can operate without hitches.

Setup Jellyfin Apache or Nginx as a Reverse Proxy on Debian 12, 11, or 10

Configuring a Reverse Proxy with Apache for Jellyfin

To make your Jellyfin Media Server accessible remotely, utilizing a reverse proxy is often the most effective method. Let’s explore how to set up Apache as a reverse proxy on your Debian system.

Step 1: Installing Apache Web Server

Installing the Apache web server on your Debian system is crucial. Run the following command to accomplish this:

sudo apt install apache2 -y

By default, Apache should be activated. However, if for some reason it isn’t, you can manually start it by issuing the command:

sudo systemctl start apache2

Step 2: Enabling Necessary Apache Modules

Subsequently, it’s time to enable the required modules. Execute the following command to do so:

sudo a2enmod proxy proxy_http headers proxy_wstunnel

Step 3: Creating a Virtual Host Configuration File

Now, create a new virtual host configuration file for Jellyfin with this command:

sudo nano /etc/apache2/sites-available/jellyfin.conf

This will enable you to edit your virtual host configuration using the nano text editor.

Step 4: Setting Up a Subdomain and Configuring the Virtual Host

To set up a subdomain, you need an active domain name. Numerous online services like NameCheap and Cloudflare allow you to purchase domain names. Once your subdomain is set up, you can configure your Apache virtual host. The following configuration should be added to your newly created jellyfin.conf file:

<VirtualHost *:80>
    ServerName jellyfin.example.com

    Redirect permanent / https://jellyfin.example.com

    ErrorLog /var/log/apache2/jellyfin-error.log
    CustomLog /var/log/apache2/jellyfin-access.log combined
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName jellyfin.example.com

    DocumentRoot /var/www/html/jellyfin/public_html

    ProxyPreserveHost On

    ProxyPass "/socket" "ws://localhost:8096/socket"
    ProxyPassReverse "/socket" "ws://localhost:8096/socket"

    ProxyPass "/" "http://localhost:8096/"
    ProxyPassReverse "/" "http://localhost:8096/"

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/jellyfin.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/jellyfin.example.com/privkey.pem
    Protocols h2 http/1.1

    SSLCipherSuite HIGH:RC4-SHA:AES128-SHA:!aNULL:!MD5
    SSLHonorCipherOrder on

    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

    ErrorLog /var/log/apache2/jellyfin-error.log
    CustomLog /var/log/apache2/jellyfin-access.log combined
</VirtualHost>
</IfModule>

After editing, save the file by pressing CTRL+O and exit using CTRL+X.

Step 5: Validating the Apache Configuration

Before enabling the virtual host, it’s crucial to validate that there are no mistakes in your Apache configuration. Execute the following command to perform a dry run:

To use Apache as a reverse proxy, you need to enable the module with the following command:

sudo apache2ctl configtest

This command creates a symbolic link from the sites-available directory to the sites-enabled directory, thus enabling Apache to serve the virtual host.

Step 6: Enabling the Virtual Host

Once you’ve confirmed no errors in the configuration, it’s time to enable the virtual host. This can be achieved by issuing the following command:

sudo a2ensite jellyfin.conf

This command creates a symbolic link from the sites-available directory to the sites-enabled directory, thus enabling Apache to serve the virtual host.

Step 7: Restarting Apache

After enabling the virtual host, the final step is to restart the Apache service to reflect the changes. Use the following command to do so:

sudo systemctl restart apache2

This command stops the Apache service, applies the new virtual host settings, and restarts the service to load the updated configuration.

Setting Up Nginx as a Reverse Proxy for Your Jellyfin Media Server

Setting up a reverse proxy for your Jellyfin media server using Nginx entails several steps. Here, we deeply dive into the process, breaking it into manageable pieces to ensure clarity and facilitate comprehension.

Nginx is a high-performance web server recognized for its stability, rich feature set, and low resource consumption. Configuring it as a reverse proxy for Jellyfin allows you to access your media server remotely.

Step 1: Installing Nginx

Start by installing Nginx with the following command:

sudo apt install nginx

This command installs Nginx using the apt package management system. sudo elevates the permissions, ensuring the command is executed with administrative privileges.

Step 2: Starting the Nginx Service

Once Nginx has been installed, you can start the Nginx service using the following command:

sudo systemctl start nginx

systemctl is a command-line utility that allows you to control the systemd system and service manager, which is responsible for maintaining and controlling the Debian operating system. The start command initializes the Nginx service.

Step 3: Ensuring Nginx is Enabled

To verify that Nginx starts automatically at boot, execute the following command:

sudo systemctl enable nginx

If executed correctly, the system should synchronize the state of the Nginx service with the SysV service script and ensure that Nginx is enabled at boot.

Step 4: Checking the Status of Nginx

To confirm that Nginx is functioning correctly, use the following command:

systemctl status nginx

The status command provides a snapshot of the current state of the Nginx service, including whether it is running or not.

Step 5: Configuring Nginx as a Reverse Proxy

Once Nginx is up and running, proceed to create a new server block file at /etc/nginx/conf.d/jellyfin.conf. This configuration file is where you specify the settings for your reverse proxy.

You can create and edit this file using a text editor such as nano. Use the following command to open the file in nano:

sudo nano /etc/nginx/conf.d/jellyfin.conf

Step 6: Setting Up a Server Block File

A server block file defines a server in Nginx and its configurations. The essential elements you should consider while setting up a server block file are:

• The listen directive: Sets the IP address and port that Nginx listens on. For this example, port 80 is used.
• The server_name directive: Sets the domain name or names that Nginx responds to. Replace jellyfin.example.com with your domain name.
• The access_log and error_log directives: Define the locations for the access and error logs.
• The location directives: Define how Nginx should handle incoming requests. They configure the proxy_pass directive, which forwards requests from Nginx to Jellyfin.

Here’s an example of what the server block file might look like:

server {
    listen 80;
    server_name jellyfin.example.com;

    access_log /var/log/nginx/jellyfin.access;
    error_log /var/log/nginx/jellyfin.error;

    set $jellyfin jellyfin;
    resolver 127.0.0.1 valid=30;

    # Security / XSS Mitigation Headers
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    location = / {
        return 302 https://$host/web/;
    }

    location / {
        # Proxy main Jellyfin traffic
        proxy_pass http://$jellyfin:8096;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;

        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
        proxy_buffering off;
    }

    location = /web/ {
        # Proxy main Jellyfin traffic
        proxy_pass http://$jellyfin:8096/web/index.html;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }

    location /socket {
        # Proxy Jellyfin Websockets traffic
        proxy_pass http://$jellyfin:8096/socket;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }
}

To save this file, press CTRL+O and to exit the nano editor, press CTRL+X. The directives provided in the server block file above help Nginx understand how to route incoming requests to Jellyfin, effectively serving as a reverse proxy.

Step 7: Verifying Your Nginx Configuration

Before proceeding, verifying that your Nginx configuration is error-free is paramount. This is accomplished by executing a dry run using the following command:

sudo nginx -t

The -t option in this command tests the configuration file for syntax errors and other issues. If everything is in order, the output should confirm that the configuration file is fine and the test is successful.

Step 8: Reloading the Nginx Service

You’ll need to reload the service to enforce the changes you’ve made to Nginx. This is accomplished by executing the following command:

sudo systemctl reload nginx

Step 9: Accessing Your Jellyfin Media Server

After configuring Nginx as a reverse proxy for Jellyfin, you can access your Jellyfin Media Server remotely. First, ensure your domain and DNS records point to your server’s IP address.

Once you set up the domain and DNS correctly, access the Jellyfin Media Server at the address you provided in the server block, for instance, jellyfin.example.com. Nginx directs incoming requests to Jellyfin’s web interface, allowing easy access to your media library.

It’s highly recommended to secure your connection with an SSL certificate, which encrypts the data transferred between the client and server. This can be crucial for protecting sensitive data.

Step 10: Secure Your Server with Let’s Encrypt SSL Free Certificate

Securing your server with an SSL (Secure Sockets Layer) certificate is a significant step in ensuring your data’s integrity and confidentiality. SSL certificates facilitate an encrypted connection between the server and the client, protecting sensitive data from being intercepted in transit. Let’s Encrypt provides free SSL certificates, making securing your server straightforward and accessible.

Understanding Certbot and Let’s Encrypt

Let’s Encrypt utilizes agent software to automate obtaining and renewing SSL certificates. One such agent is Certbot, an open-source tool the Electronic Frontier Foundation developed. Certbot facilitates the issuance and renewal of SSL certificates and configures your web server to use them.

Depending on your web server software, you must install a specific Certbot package. If your server runs Apache, you’ll need python3-certbot-apache, and for Nginx, you’ll need python3-certbot-nginx.

Installing Certbot for Apache:

Use the following command to install the Certbot Apache package:

sudo apt install python3-certbot-apache

Installing Certbot for Nginx:

Alternatively, if you’re running an Nginx server, use this command to install the Certbot Nginx package:

sudo apt install python3-certbot-nginx

Running Certbot to Obtain a Let’s Encrypt SSL Certificate

After installing the appropriate Certbot package, you can run Certbot to create and install an SSL certificate. You’ll need to specify the web server software in use with an option, either --apache or --nginx.

The Certbot command also accepts other options like --agree-tos, --redirect, --hsts, and --staple-ocsp. These options instruct Certbot to accept the terms of service, set up 301 redirects, add a Strict-Transport-Security header, and enable OCSP Stapling, respectively, all of which contribute to a more secure setup.

Remember to replace the placeholder email and domain name in the below commands with your email and domain.

If you’re running an Apache server, use the following command:

sudo certbot --apache --agree-tos --redirect --hsts --staple-ocsp --email you@example.com -d yourdomain.com

For an Nginx server, use this command:

sudo certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email you@example.com -d yourdomain.com

Once Certbot successfully generates an SSL certificate and configures your server to use it, your server’s connection will be secure, and your website will be accessible via HTTPS.

Automating SSL Certificate Renewal with Cron

By default, Let’s Encrypt SSL certificates are valid for 90 days. To avoid service disruption, it’s recommended to set up an automated renewal process. Certbot provides a command to renew certificates, which can be scheduled to run regularly using cron, a job scheduler in Unix-like operating systems.

Testing Certificate Renewal:

Before scheduling the certificate renewal, ensure that the renewal process works correctly by performing a dry run:

sudo certbot renew --dry-run

Scheduling Certificate Renewal:

If the dry run is successful, you can schedule certificate renewals. Open the crontab file in edit mode using the following command:

sudo crontab -e

Then, add the following line at the end of the file to schedule a daily check for certificate renewal at 2:30 AM:

30 2 * * * /usr/bin/certbot renew --quiet

By saving and exiting the file, you establish an automated process where the cron checks daily for necessary certificate renewals. The --quiet option ensures that cron runs this task silently unless an error occurs.

After completing these steps, you’ve effectively enhanced the security of your server by implementing Let’s Encrypt SSL certificates. You’ve also automated their renewal process, ensuring a continuous encrypted connection between your server and its clients.

Additional Commands For Jellyfin Media Server on Debian 12, 11, or 10

Proper maintenance is key When dealing with software hosted on a server. Maintenance includes regular updates and, sometimes, software removal. This section covers how to update and remove the Jellyfin Media Server from your Debian system using APT, the Advanced Packaging Tool, which is essential to managing software on Debian-based systems.

Update Jellyfin Media Server on Debian

Keeping your Jellyfin Media Server up-to-date is essential for benefiting from the latest features, security updates, and bug fixes. Since Jellyfin is packaged as a standard Debian package, you can use APT to manage its updates.

Checking for Available Updates

First, update your local package index with the latest information about available packages and their versions. This process involves the APT tool querying the remote repositories configured on your Debian system to see if the installed packages have newer versions.

Run the following command to update the package index:

sudo apt update

Upgrade Jellyfin Media Server

If the apt update command indicates that a newer version of Jellyfin is available, upgrade the package using the apt upgrade command:

sudo apt upgrade

The apt upgrade command upgrades all upgradable packages on your system. It handles dependencies intelligently, ensuring that the system stays consistent.

Remove Jellyfin Media Server From Debian

There might be situations when you no longer need the Jellyfin Media Server on your Debian system. In that case, you can uninstall it.

Uninstalling Jellyfin

Use the following command to uninstall Jellyfin:

sudo apt remove jellyfin

This command instructs APT to remove the Jellyfin package from the system while keeping the configuration files, allowing you to re-install it in the future without losing your settings.

Removing the Jellyfin Repository

To prevent future updates or accidental re-installations of Jellyfin, removing the Jellyfin repository from your system is recommended. The repository configuration for Jellyfin resides in the /etc/apt/sources.list.d/ directory.

Use the following command to remove the Jellyfin repository:

sudo rm /etc/apt/sources.list.d/jellyfin.list

After running this command, your system will no longer have information about the Jellyfin repository. Consequently, it won’t check for or retrieve updates for Jellyfin during future update checks.

Wrapping Up the Jellyfin Server Installation

We’ve journeyed through setting up a Jellyfin Media Server on a Debian-based system. This included installing Jellyfin, setting up a reverse proxy with Apache or Nginx, securing the server with Let’s Encrypt SSL certificates, and maintaining Jellyfin with simple APT commands. Each step we’ve taken was instrumental in delivering a secure and user-friendly media server. Understanding and maintaining these practices is essential as they form the core components for delivering secure and quality media content to your audience.

This guide’s objectives were to streamline your Jellyfin Media Server deployment and arm you with the knowledge required for its effective administration. However, the learning journey doesn’t end here. As the technology landscape continually evolves, so do the strategies and techniques for server administration and security. Stay informed, and remember that a well-administered server is the backbone of a seamless and engaging media experience.