There is a new version of this tutorial available for Debian 12 (Bookworm).

How to Install Jellyfin Media Server on Debian 11

Jellyfin is a free and open-source media streaming application that organizes, manages, and shares digital media files to networked devices. It allows you to stream the uploaded media files to your PC, Laptop, Mobile, and Roku. It provides an interactive web interface to manage all your photos, videos, and music. If you are looking for an alternative solution for Plex and Netflix, Jellyfin is the best option.

Features

  • Free, open-source, and cross-platform
  • Supports hardware acceleration of video encoding/decoding using FFMpeg
  • Allow you to fetch metadata from TheTVDB and TheMovieDB
  • No playback limit on mobile apps

This post will show you how to install Jellyfin media streaming application with Nginx and Let's Encrypt SSL on Debian 11.

Prerequisites

  • A server running Debian 11.
  • A valid domain name pointed with your server IP.
  • A root password is configured on the server.

Install Jellyfin

Before starting, you will need to add the Jellyfin repository to the APT. To do so, first install the required dependencies using the following command:

apt-get install apt-transport-https ca-certificates gnupg2 curl git -y

Once all the dependencies are installed, add the GPG key and repository with the following command:

wget -O - https://repo.jellyfin.org/jellyfin_team.gpg.key | apt-key add -
echo "deb [arch=$( dpkg --print-architecture )] https://repo.jellyfin.org/debian bullseye main" | tee /etc/apt/sources.list.d/jellyfin.list

Next, update the repository and install the Jellyfin using the following command:

apt-get update -y
apt-get install jellyfin -y

Once the Jellyfin has been installed, you can verify the status of the Jellyfin using the following command:

systemctl status jellyfin

You will get the following output:

? jellyfin.service - Jellyfin Media Server
     Loaded: loaded (/lib/systemd/system/jellyfin.service; enabled; vendor preset: enabled)
    Drop-In: /etc/systemd/system/jellyfin.service.d
             ??jellyfin.service.conf
     Active: active (running) since Fri 2022-02-04 03:48:50 UTC; 9s ago
   Main PID: 4989 (jellyfin)
      Tasks: 19 (limit: 2341)
     Memory: 85.0M
        CPU: 4.069s
     CGroup: /system.slice/jellyfin.service
             ??4989 /usr/bin/jellyfin --webdir=/usr/share/jellyfin/web --restartpath=/usr/lib/jellyfin/restart.sh --ffmpeg=/usr/lib/jellyfin->

Feb 04 03:48:56 debian11 jellyfin[4989]: [03:48:56] [INF] ServerId: 809b343f6da845699dd6447e1bb4f061
Feb 04 03:48:56 debian11 jellyfin[4989]: [03:48:56] [INF] Registering publisher for urn:schemas-upnp-org:device:MediaServer:1 on 127.0.0.1/32
Feb 04 03:48:56 debian11 jellyfin[4989]: [03:48:56] [WRN] 127.0.0.1/32: GetBindInterface: Loopback 127.0.0.1 returned.
Feb 04 03:48:56 debian11 jellyfin[4989]: [03:48:56] [INF] Executed all pre-startup entry points in 0:00:00.2808517
Feb 04 03:48:56 debian11 jellyfin[4989]: [03:48:56] [INF] Core startup complete
Feb 04 03:48:57 debian11 jellyfin[4989]: [03:48:57] [INF] Executed all post-startup entry points in 0:00:00.2169291
Feb 04 03:48:57 debian11 jellyfin[4989]: [03:48:57] [INF] Startup complete 0:00:06.7385186
Feb 04 03:48:59 debian11 jellyfin[4989]: [03:48:59] [INF] StartupTrigger fired for task: Update Plugins
Feb 04 03:48:59 debian11 jellyfin[4989]: [03:48:59] [INF] Queuing task PluginUpdateTask
Feb 04 03:48:59 debian11 jellyfin[4989]: [03:48:59] [INF] Executing Update Plugins

By default, Jellyfin listens on port 8096. You can check it with the following command:

ss -antpl | grep 8096

You will get the following output:

LISTEN 0      512          0.0.0.0:8096      0.0.0.0:*    users:(("jellyfin",pid=4989,fd=289))

Configure Nginx as a Reverse Proxy for Jellyfin

Next, you will need to install and configure the Nginx as a reverse proxy for Jellyfin. First, install the Nginx with the following command:

apt-get install nginx -y

Next, create an Nginx virtual host configuration file with the following command:

nano /etc/nginx/conf.d/jellyfin.conf

Add the following lines:

server {
      listen 80;
      server_name jellyfin.example.com;

      access_log /var/log/nginx/jellyfin.access;
      error_log /var/log/nginx/jellyfin.error;

    resolver 127.0.0.1 valid=30;

    # Security / XSS Mitigation Headers
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";


    location / {
        # Proxy main Jellyfin traffic
        proxy_pass http://localhost:8096;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;

        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
        proxy_buffering off;
    }

    # location block for /web - This is purely for aesthetics so /web/#!/ works instead of having to go to /web/index.html/#!/
    location = /web/ {
        # Proxy main Jellyfin traffic
        proxy_pass http://localhost:8096/web/index.html;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }

    location /socket {
        # Proxy Jellyfin Websockets traffic
        proxy_pass http://localhost:8096/socket;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }
}

Save and close the file then verify the Nginx for any syntax error.

nginx -t

You will get the following output:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Finally, restart the Nginx to apply the changes:

systemctl reload nginx

To check the status of the Nginx uses the following command:

systemctl status nginx

You should see the following output:

? nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2022-02-04 03:49:27 UTC; 55s ago
       Docs: man:nginx(8)
    Process: 6314 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
    Process: 6315 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
    Process: 6454 ExecReload=/usr/sbin/nginx -g daemon on; master_process on; -s reload (code=exited, status=0/SUCCESS)
   Main PID: 6395 (nginx)
      Tasks: 2 (limit: 2341)
     Memory: 2.8M
        CPU: 66ms
     CGroup: /system.slice/nginx.service
             ??6395 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
             ??6455 nginx: worker process

Feb 04 03:49:27 debian11 systemd[1]: Starting A high performance web server and a reverse proxy server...
Feb 04 03:49:27 debian11 systemd[1]: nginx.service: Failed to parse PID from file /run/nginx.pid: Invalid argument
Feb 04 03:49:27 debian11 systemd[1]: Started A high performance web server and a reverse proxy server.
Feb 04 03:50:17 debian11 systemd[1]: Reloading A high performance web server and a reverse proxy server.
Feb 04 03:50:17 debian11 systemd[1]: Reloaded A high performance web server and a reverse proxy server.

Access Jellyfin Web Interface

Now, open your web browser and access the Jellyfin web interface using the URL http://jellyfin.example.com. You will be redirected to the following page:

Select your language and click on the Next button. You should see the following page:

Provide your admin user, password and click on the Next button. You should see the following page:

Click on the Next button. You should see the following page:

Select your metadata language and click on the Next button. You should see the following page:

Select your preferred option and click on the Next button. Once the Jellyfin has been installed, you should see the following page:

Click on the Finish button. You will be redirected to the Jellyfin login page:

Provide your admin username, password, and click on the Sign In button. You should see the Jellyfin dashboard on the following page:

Secure Jellyfin with Let's Encrypt

Next, you will need to install the Certbot client package to install and manage the Let's Encrypt SSL.

First, install the Certbot with the following command:

apt-get install certbot python3-certbot-nginx -y

Once the installation is finished, run the following command to install the Let's Encrypt SSL on your website:

certbot --nginx -d jellyfin.example.com

You will be asked to provide a valid email address and accept the term of service as shown below:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for jellyfin.example.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/jellyfin.conf

Next, choose whether or not to redirect HTTP traffic to HTTPS as shown below:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Type 2 and hit Enter to finish the installation. You should see the following output:

Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/jellyfin.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://jellyfin.example.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=jellyfin.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/jellyfin.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/jellyfin.example.com/privkey.pem
   Your cert will expire on 2022-05-07. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

 - We were unable to subscribe you the EFF mailing list because your
   e-mail address appears to be invalid. You can try again later by
   visiting https://act.eff.org.

Conclusion

Congratulations! you have successfully installed Jellyfin with Nginx and Let's Encrypt SSL on Debian 11. You can now start uploading your media and stream them from mobile devices.

Share this page:

1 Comment(s)