Novice trying to reverse proxy with caddy for Jellyfin - problems

I own a domain that is registered on Google domains. I’ve set up a subdomain through the DNS panel to forward to my.server.ip.

When I put my.google.domain into the URL bar of a browser, it gives me a SITE CANNOT BE REACHED error but it shows me the IP address of my server - so the forward is working. And caddy is working. But for some reason the URL is not taking me to the Jellyfin server.

Can you get us the output of:

```
curl -IL googledomain.example.com
```

Thanks so much for your continued help with this. Here’s the output:

```
root@xxxxxx:~# curl -IL xxxxx.xxxx.com
HTTP/1.1 301 Moved Permanently
Location: http://xxx.xxxx.xx.xxx  (this correctly points at the IP of my VPS)
Date: Fri, 14 Aug 2020 14:58:21 GMT
Content-Type: text/html; charset=UTF-8
Server: ghs
Content-Length: 218
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN

HTTP/1.1 200 OK
Server: Caddy
Date: Fri, 14 Aug 2020 14:58:21 GMT
```

To test the server, I OPENED port 8096 and tried to visit my.vps.ip:8096 and it did successfully connect to the Jellyfin server. So the server is there and working. I CLOSED 8096 again.

Is there a chance some port I need to have open is not open?

```
#
# Unless the file starts with a global options block, the first
# uncommented line is always the address of your site.

http:/google.subdomain.com    {

reverse_proxy 127.0.0.1:8096

}
```

Any thoughts? Sorry to nag I’m just totally stuck here.

My domain points to my server IP. My config file points the domain at server.ip:8096. There’s a Jellyfin server up and running on that port. But when I go to the domain, it cannot connect to the site (the connection has timed out).

** I know the forward is working because the “connection has timed out” screen in my browser shows the IP of the VPS.

** I know that caddy is running because when I run the ‘service status’ command I get:

```
caddy.service - Caddy
   Loaded: loaded (/lib/systemd/system/caddy.service; enabled; vendor preset: en
   Active: active (running) since Sat 2020-08-15 13:04:27 UTC; 3h 0min ago
     Docs: https://caddyserver.com/docs/
 Main PID: 1020 (caddy)
    Tasks: 14 (limit: 4915)
   CGroup: /system.slice/caddy.service
           └─1020 /usr/bin/caddy run --environ --config /etc/caddy/Caddyfile

Aug 15 13:04:27 Fermi-Plex caddy[1020]: USER=caddy
Aug 15 13:04:27 Fermi-Plex caddy[1020]: INVOCATION_ID=fb36a0068d6f4ace85b46e2f96
Aug 15 13:04:27 Fermi-Plex caddy[1020]: JOURNAL_STREAM=9:16045
Aug 15 13:04:27 Fermi-Plex caddy[1020]: {"level":"info","ts":1597496667.9760141,
Aug 15 13:04:27 Fermi-Plex caddy[1020]: {"level":"info","ts":1597496667.984018,"
Aug 15 13:04:27 Fermi-Plex caddy[1020]: 2020/08/15 13:04:27 [INFO][cache:0xc0003
Aug 15 13:04:27 Fermi-Plex caddy[1020]: {"level":"info","ts":1597496667.9897885,
Aug 15 13:04:27 Fermi-Plex caddy[1020]: {"level":"info","ts":1597496667.992747,"
Aug 15 13:04:27 Fermi-Plex caddy[1020]: {"level":"info","ts":1597496667.9958575,
Aug 15 13:04:27 Fermi-Plex caddy[1020]: {"level":"info","ts":1597496667.9958959,
```

** I know a Jellyfin server is working on that ip and port because if I open port 8096 and then go to the server.ip:8096, I get the login screen.

Any other troubleshooting I can do? I feel like caddy is running and the forward is working. Not sure why it’s not connecting to the server.

You’re missing a / in your site address. Maybe?

If you’re trying to access your internal services with the public domain and public IP address from within your network it could be that your router doesn’t support hairpin NAT or doesn’t have it enabled. Mine doesn’t support it and it’s super annoying to work around but it can be done.

To clarify, this is what Matt is talking about, you only have one / here, but you need two: http://

Are you sure you have ports 80 and 443 open in your VPS firewall?

Thank you both for replying. This morning, to be 100% sure, I went and:

```
ufw allow 80
ufw allow 443
```

(curious, on a side note, why it’s not safe to just have the Jellyfin port open - 8096 - but it’s safe to have both 443 and 80 open?)

When I open a browser and type my.google.com into the URL bar it immediately repopulates with my.vps.ip. So I know the redirect is working. But now I just get a blank screen (not a ‘connection timed out’ error). So I am thinking I did, in fact, need to open one of those ports but it hasn’t solved the problem entirely.

I doubt this is an issue but I am also running a plex server on this same box. Nothing appears to be conflicting but I wanted to make you aware. I’m going to open a ticket with my VPS provider re: hairpin NAT - I don’t know what that means but I’m sure they do.

Oh! And yes, I did have two “/” - that was a typo.

Is there something I could run from the command line that would tell me if this is/isn’t enabled?

Because then users won’t get all their traffic encrypted, which is Caddy’s job here. Port 80 is only open so Caddy can trigger the HTTP->HTTPS redirect, and to solve the ACME HTTP challenge, which is one of the ways that Caddy can prove to Let’s Encrypt that you own the domain.

Oh, that trailing / is important. This is telling Caddy to only match requests to /. Remove this / to have Caddy handle requests to all paths.

```
http://whatwhat.ga {
	reverse_proxy 127.0.0.1:8096
}
```

It worked!!! Thank you so much! Okay, so this means my reverse proxy is safely in place?

Next step for me would be to set up an encrypted connection. Is there a relatively newbie-friendly guide to doing that?


Yep, just remove http:// from the front and you should be done.

Just as a note for next time; this is exactly why redacting parts of your config or modifying it before posting it on the forums is always a mistake. We went in circles a few times because we didn’t have evidence of the issue because you didn’t post your exact config.

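The three site-address mistakes worked through in this thread (`http:/` with one slash, a trailing `/`, and an explicit `http://`), as an added example that is not part of the original posts and not Caddy's own tooling: a small shell linter for Caddyfile site addresses. The function names, finding labels and sample Caddyfile are constructed for illustration, and only the first address of each site block is checked.

```shell
# Added example; function names and finding labels are hypothetical, not Caddy output.
lint_site_address() {                       # classify one site address
    local addr="$1" scheme="" rest
    case "$addr" in
        http://*)  scheme="http";  rest="${addr#http://}" ;;
        https://*) scheme="https"; rest="${addr#https://}" ;;
        http:/*|https:/*) echo "malformed-scheme"; return ;;  # one slash missing
        *) rest="$addr" ;;
    esac
    case "$rest" in */*) echo "path-matcher"; return ;; esac  # "host/" matches only /
    # An explicit http:// scheme means plain HTTP only, so no automatic HTTPS.
    [ "$scheme" = "http" ] && echo "http-only" || echo "ok"
}

# Read a Caddyfile on stdin; print "<first address> <finding>" per site block.
lint_caddyfile() {
    local line addr depth=0
    while read -r line || [ -n "$line" ]; do
        case "$line" in
            '#'*) ;;                            # comment line
            *'{')                               # a bare "{" is the global options block
                if [ "$depth" -eq 0 ] && [ "$line" != "{" ]; then
                    addr="${line%%[[:space:]]*}"; addr="${addr%,}"
                    printf '%s %s\n' "$addr" "$(lint_site_address "$addr")"
                fi
                depth=$((depth + 1)) ;;
            '}'*) depth=$((depth - 1)) ;;
        esac
    done
}

sample_caddyfile() {                        # constructed sample input
    cat <<'EOF'
http:/google.subdomain.com {
    reverse_proxy 127.0.0.1:8096
}
http://whatwhat.ga/ {
    reverse_proxy 127.0.0.1:8096
}
http://whatwhat.ga {
    reverse_proxy 127.0.0.1:8096
}
whatwhat.ga {
    reverse_proxy 127.0.0.1:8096
}
EOF
}

sample_caddyfile | lint_caddyfile
```

Only the last block, the bare hostname, reports `ok`; that is the form that lets Caddy obtain a certificate and redirect port 80 to HTTPS while Jellyfin stays bound behind `127.0.0.1:8096`.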

You’re 100% right. I’ve been concerned about security but obviously this was the right move.

Just to be clear, in my Caddy file I simply remove http:// and leave whatwhat.ga and caddy will handle everything to make it encrypted?


I just tried to load your site with https://whatwhat.ga and it’s working with TLS :+1:


So it is! Wow, thank you. Possible I just tried to load it too quickly? Like, does the cert take time to populate?


It can take a bit of time for Caddy to have the cert issued. You can watch the logs to see the progress.


Ok, thanks. This is so great, thanks for your help.

