Secure Jellyfin (nginx) with dynamic whitelisted IP addresses
```
foo.example.com
bar.example.com
baz.example.com
```
```bash
#!/bin/bash
# Rebuild the nginx allow-list from the current IPs of the DDNS hostnames.
file=/etc/nginx/conf.d/dyndnsip.inc
# One hostname per line; relative path, so run from the directory that holds "ddns"
ddns=$(cat ddns)

# Clear previously allowed IPs
: > "$file"

for dns in $ddns
do
  # The last "Address: " line of the nslookup output is the answer for the hostname
  ip=$(nslookup "$dns" | awk -F"Address: " 'NF==2 {print $2}' | tail -1)
  # Only a plain dotted-quad IPv4 address is ever written into the nginx config
  if [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
    echo "allow ${ip};" >> "$file"
  else
    echo "${dns} could not be resolved to a valid ip ($ip)"
  fi
done

# Reload the config
nginx -s reload
```
```nginx
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    include /etc/nginx/conf.d/dyndnsip.inc;
    # Clients with fixed IPs can be added here
    allow 1.2.3.4;
    deny all;

    […]
}
```
First off, this solution is taken pretty much directly from https://mangolassi.it/topic/15267/how-to-allow-site-access-in-nginx-by-ddns-instead-of-by-ip.
Some of my remote clients are assigned dynamic IP addresses. Instead of using the Jellyfin settings for this, I opted to secure it directly in nginx instead. This should make the system a bit more secure since no one outside of my whitelist is even touching the Jellyfin server at all.

(Make sure you have the remote IP address filter blank, since Jellyfin won't be responsible for this anymore)

Some things to consider:

- `nslookup` instead of something simpler like `dig` for the ip lookup.
- `ddns` file syntax is very limited and you should only have one address per line.
- `chmod +x getddns` your script and add it to the crontab. I run it twice a day.
- `swag` container must have internet access to do the lookups.
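A stricter take on the `getddns` logic, as an added example that is not part of the gist: it checks that each octet is 0-255 (the script's regex also accepts values such as 999), builds the list in a temporary file, and swaps it in only when the contents changed. `valid_ipv4`, `sample_nslookup` and `build_allowlist` are hypothetical names, and `sample_nslookup` is a constructed stand-in for `nslookup` so the code runs offline.

```sh
#!/bin/sh
# Added example; valid_ipv4, sample_nslookup and build_allowlist are
# hypothetical names, not part of the gist.

# Succeeds only for a dotted quad whose four octets are each 0-255.
valid_ipv4() {
  local IFS=. octet
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, stray characters, empty octet
  esac
  set -- $1                                # split on dots into $1..$4
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# Constructed stand-in for nslookup so the example runs offline.
sample_nslookup() {
  printf 'Server:\t\t127.0.0.11\nAddress:\t127.0.0.11#53\n\n'
  case $1 in
    foo.example.com) printf 'Name:\t%s\nAddress: 203.0.113.7\n' "$1" ;;
    bar.example.com) printf 'Name:\t%s\nAddress: 999.0.113.7\n' "$1" ;;
    *) printf "** server can't find %s: NXDOMAIN\n" "$1" ;;
  esac
}

# build_allowlist RESOLVER HOSTS_FILE OUT_FILE
# Writes "allow <ip>;" for every hostname that resolves to a valid IPv4
# address and drops the rest (fail closed). Returns 0 if OUT_FILE was
# replaced, 1 if the list is unchanged and no nginx reload is needed.
build_allowlist() {
  local resolver="$1" hosts="$2" out="$3" tmp dns ip
  tmp=$(mktemp "${out}.XXXXXX") || return 2
  while IFS= read -r dns || [ -n "$dns" ]; do
    [ -n "$dns" ] || continue
    ip=$("$resolver" "$dns" </dev/null 2>/dev/null | awk -F"Address: " 'NF==2 {print $2}' | tail -n 1)
    if valid_ipv4 "$ip"; then
      echo "allow ${ip};" >> "$tmp"
    else
      echo "${dns} could not be resolved to a valid ip ($ip)" >&2
    fi
  done < "$hosts"
  if cmp -s "$tmp" "$out" 2>/dev/null; then rm -f "$tmp"; return 1; fi
  chmod 644 "$tmp" && mv "$tmp" "$out"     # rename is atomic on one filesystem
}

# Real use: build_allowlist nslookup ddns /etc/nginx/conf.d/dyndnsip.inc && nginx -s reload
```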