You can make your Jellyfin accessible anywhere over HTTPS using Caddy as a reverse proxy. It also manages your TLS certificates for you.
This tutorial assumes you have Jellyfin installed already and are familiar with domain names, the command line, etc. You can host it at home or on a hosting service, but there are more steps if you're at home. This tutorial is a simplified version of this tutorial at the Caddy wiki and made specific for Jellyfin.
This tutorial assumes IPv4 but you're welcome to use IPv6 if you can.
Public IP required
First, check with your ISP to ensure you have a public IP address. It can be static or dynamic, but if it's dynamic I'll show you later how to update your DNS records when it changes.
If you're on a hosting service, you probably already have a public IP (but sometimes they cost extra).
If you do not have an ISP or know who they are (e.g. your apartment complex manages your Internet for you), contact your network administrator.
If your ISP uses CGNAT (carrier-grade NAT), you do not have a public IP address. In that case, you will need to exit this tutorial and use something like Ngrok, or my personal favorite: Tailscale.
Configure your domain
Make sure your domain's DNS records point to your current IP address. This means an A record with the value being the IPv4 address of your Jellyfin host. You can use AAAA for IPv6.
If you have a dynamic IP address, then I highly recommend that you choose a DNS provider with an API for managing DNS records. This way, Caddy can update your DNS records for you when your IP changes (explained below).
Configure Jellyfin
The minimal configuration to make this work is as follows:
In your Jellyfin Administration area, go to the Networking page. Then check the box that says "Allow remote connections to this server." Save changes.
That should be all you need to start. However...
If you are serving Jellyfin alongside other apps or endpoints on your domain, you may want to serve Jellyfin in a subfolder so that it doesn't occupy the entire root of your domain. To do that, specify the path in the "Base URL" field (e.g. /jellyfin) and remember this for later.
Configure router/firewall
If you're at home as opposed to a hosting service, it's your responsibility to ensure connections from the outside can get inside. On a home network, this is typically disabled by default for obvious security reasons. However, your router/firewall should support "port forwarding" which allows you to have it forward data on a specific port to a specific machine within your network. The idea is to allow traffic from the outside into a specific machine and port on the inside.
So if your Jellyfin (and soon, Caddy) host is on your LAN IP of 192.168.1.4, you would forward external ports :80 and :443 to internal 192.168.1.4:80 and 192.168.1.4:443, respectively. The external and internal ports don't have to match. For example, you could have Caddy bind to higher ports like 9080 and 9443 and forward from :80/:443 to :9080/:9443 instead. This can be useful if you don't want to bind to low ports on your Jellyfin/Caddy host.
When you apply your changes, those ports on your machine will be accessible to the world! So make sure nothing is currently listening on the port(s) you forward to on your host machine!
If you're on a public web host, verify whether your machine is already publicly reachable or if you need to do something similar and allow ports through a firewall.
Install Caddy
Caddy will be your reverse proxy. It obtains and renew your TLS certificates for you, establishes secure connections with clients outside your network, and proxies them to your local Jellyfin instance. It will be on the listening/receiving end of your port forwarding you may have just configured.
Install Caddy on the same host as Jellyfin.
Before continuing, ensure your DNS records are correct and that your machine is reachable from the outside! Otherwise, Caddy will fail when trying to get a certificate for your domain.
Once you're sure your DNS and network/firewall are good to go, the quickest way to be up and running is with a single command:
Code:
$ caddy reverse-proxy --from example.com --to 127.0.0.1:8096
(Replace example.com with your domain name.)
If you get permissions errors, make sure you have permission to bind to low ports. On Linux, you can do this with:
Code:
sudo setcap cap_net_bind_service=+ep $(which caddy)
You should see Caddy provision a certificate for you. At that point, you can access your Jellyfin with your domain name.
And that's all! ... well, sort of. Do not stop here!
The
Code:
caddy reverse-proxy
command blocks until you exit, and it won't run in the background when you start your computer.
Instead, use a Caddyfile with this config, again replacing your actual domain name:
Code:
example.com
reverse_proxy 127.0.0.1:8096
If you instsalled Caddy with a package manager or as a system service, you probably have a Caddyfile that Caddy is already configured to use (e.g. /etc/caddy/Caddyfile). Consult the package's documentation to be sure. If so, you can simply use that. If not, you'll need to make sure Caddy is running as a system service.
Then, start or reload Caddy with your new configuration.
Verify that it worked, and then your Jellyfin instance should be accessible from your domain name yet again -- but this time, Caddy is running in the background and will run when your computer starts.
Dynamic IP address
If you do not have a static IP address, you'll want your DNS to automatically point to your new IP when it changes so you can keep accessing Jellyfin.
Caddy has a dynamic DNS plugin that does this for you.
In addition to this plugin, you'll need a plugin that integrates with your DNS provider. All those plugins are here: https://github.com/caddy-dns - if your DNS provider is not listed, it's your opportunity to contribute!
Anyway, you can use Caddy's download page, xcaddy, or
Code:
caddy add-package
to install those 2 plugins.
Then, after replacing your Caddy binary, add this to the very top of your config file (or augment your global options block if you already have one):
Code:
{
dynamic_dns {
# replace with your DNS provider's plugin name and credentials
provider cloudflare secretAPIToken123
domains {
# DNS zone first, followed by subdomain if any (I know it's weird)
example.com jellyfin
}
}
}
The comments tell you what to replace: the line that configures the DNS provider credentials, and the line that configures your domain name.
Hopefully the line for your DNS provider is fairly obvious. Check the docs for your provider plugin for exact syntax/requirements.
The line for your domain name may look funny. This example is for
Code:
jellyfin.example.com
, but notice that you specify the root of the zone first (
Code:
example.com
) followed by a space, then the subdomain (if any).
Restart your Caddy instance, and check the logs to make sure it worked. Now, Caddy will keep your DNS pointed at your machine even if your IP changes.
