Context

This post collects the nginx configuration behind my earlier post, How I replaced Netflix and started using my media server, a setup I have now been running for over 2 years.

  • config of jellyfin

We already run jellyfin inside podman and publish the service on port 8096, so nginx handles requests for the domain ‘media.bluepie.in’ and proxies them to the jellyfin podman instance.

I point my domain (through the domain provider) at the IP address of the server running my jellyfin instance, then let nginx serve the requests. The nginx configs live in the conf.d folder and are included from the main file.

Setting Up Nginx (Reminder for me, others ignore)

  • Install Nginx.
  • Then, make a config file in the conf.d folder. I use one config file for each domain; the main Nginx config picks them all up through its include /etc/nginx/conf.d/*.conf line.
  • Check the Nginx config before applying it: nginx -t (a syntax error would otherwise take every site down on the next restart)
  • Restart Nginx: sudo service nginx restart
  • Reload Nginx (re-reads the config without dropping open connections; enough after a config or certificate change): sudo service nginx reload

Config file for media server

  server {
      server_name media.bluepie.in;
      # No listen directive, so nginx defaults to port 80. Add listen 443 ssl plus the
      # certificate paths here (certbot's nginx plugin inserts them for you); otherwise
      # the jellyfin login travels over plain HTTP.

      location / {
          proxy_pass http://127.0.0.1:8096;   # jellyfin container published on 8096
          proxy_pass_request_headers on;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_set_header X-Forwarded-Protocol $scheme;
          proxy_set_header X-Forwarded-Host $http_host;

          # WebSocket upgrades (jellyfin's /socket endpoint) require HTTP/1.1 towards the
          # backend; nginx speaks HTTP/1.0 upstream by default.
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection $http_connection;
          proxy_buffering on;
          proxy_redirect / /;
          proxy_cookie_path / /;
      }
  }
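The X-Forwarded-For and X-Real-IP headers above only help if the application reads them correctly: $proxy_add_x_forwarded_for appends the address nginx saw to whatever X-Forwarded-For the client already sent, so everything left of that last entry is client-controlled. The following is an added example (mine, not from this post and not Jellyfin's code) in Python with constructed addresses: it reproduces the header nginx hands to the backend and shows the right-to-left walk an application should do, trusting only 127.0.0.1 as a proxy, next to the common mistake of taking the leftmost entry.

```python
import ipaddress
from typing import Optional

# Added example, not from the original post: what the application behind nginx sees
# when the proxy sets X-Forwarded-For with $proxy_add_x_forwarded_for, and how to
# recover the real client address without trusting hops the client supplied itself.
# 127.0.0.1 is the address nginx uses to reach the jellyfin container (assumed here).

TRUSTED_PROXIES = {ipaddress.ip_address("127.0.0.1")}


def nginx_proxy_add_x_forwarded_for(incoming_xff: Optional[str], peer_addr: str) -> str:
    """Mimic nginx's $proxy_add_x_forwarded_for: the header the client sent (if any)
    with the TCP peer address appended. Only the appended value was verified by nginx."""
    return f"{incoming_xff}, {peer_addr}" if incoming_xff else peer_addr


def naive_client_ip(xff_header: Optional[str], remote_addr: str) -> str:
    """The common mistake: take the first (leftmost) entry, which the client controls."""
    if xff_header:
        return xff_header.split(",")[0].strip()
    return remote_addr


def client_ip(xff_header: Optional[str], remote_addr: str, trusted=TRUSTED_PROXIES) -> str:
    """Walk X-Forwarded-For from the right. Each address belonging to a trusted proxy
    is peeled off and the hop before it examined; the first untrusted address is the
    client. A malformed hop raises ValueError: fail closed rather than guess."""
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    candidate = ipaddress.ip_address(remote_addr)
    # If the TCP peer itself is not a trusted proxy, the header is ignored entirely.
    while candidate in trusted and hops:
        candidate = ipaddress.ip_address(hops.pop())
    return str(candidate)


def demo() -> dict:
    """Constructed request: the client at 203.0.113.7 sends a forged X-Forwarded-For;
    nginx on 127.0.0.1 appends the real peer address before proxying to jellyfin."""
    forged = "198.51.100.9"
    real_client = "203.0.113.7"
    header_at_backend = nginx_proxy_add_x_forwarded_for(forged, real_client)
    return {
        "header_at_backend": header_at_backend,
        "naive": naive_client_ip(header_at_backend, "127.0.0.1"),
        "correct": client_ip(header_at_backend, "127.0.0.1"),
    }


if __name__ == "__main__":
    print(demo())
```

The same rule applies to X-Forwarded-Proto: the backend may believe it only because nginx overwrites it with $scheme on every request; a proxy that merely passed the client's copy through would let a plain-HTTP client claim HTTPS.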

  • config of torrent

Instead of maintaining a separate domain for qBittorrent, I use the main domain with the ‘/torrent/’ prefix. To keep others out I put two layers in front of it: HTTP basic authentication in nginx, and qBittorrent’s own login behind that. For the first layer a new .htpasswd file is created and referenced from nginx, so nginx demands basic-auth credentials before any request reaches qBittorrent. After the initial login to qBittorrent its username and password are configured as well. From then on a visitor is prompted for HTTP basic authentication first and for qBittorrent’s authentication second. Basic auth only base64-encodes the credentials, so this layer is only worth anything over HTTPS, which certbot takes care of below.

Creating a .htpasswd File for Authentication:

(self note: the auth_basic and auth_basic_user_file directives come from ngx_http_auth_basic_module, which is compiled into nginx by default, so no extra module is needed; the htpasswd tool itself ships in apache2-utils on Debian/Ubuntu and httpd-tools on RHEL/Fedora)

  • Creation:

    htpasswd -c /etc/nginx/.htpasswd <username>
    
    -c creates the file and overwrites one that already exists, so leave it out when adding further users. The default hash is the MD5-based apr1 scheme; add -B to store bcrypt instead, which nginx accepts wherever the system crypt() supports it (libxcrypt on current Linux distributions). Make the file readable only by root and the user nginx runs its workers as (www-data on Debian/Ubuntu), since anyone who can read it can run an offline guessing attack against the hashes.
  • Subsequently, specify its usage in Nginx:

    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/.htpasswd;
    

Config to be added inside the same server block as the media.bluepie.in config above, next to location /

        location /torrent/ {
            # nginx verifies the basic-auth credentials before anything is proxied
            auth_basic "restricted space";
            auth_basic_user_file /etc/nginx/.htpasswd;

            # trailing slash strips the /torrent/ prefix before the request reaches qBittorrent
            proxy_pass http://127.0.0.1:8181/;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            # pass the client's own Connection value rather than a fixed "upgrade",
            # which would mark every ordinary request as a WebSocket handshake
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
            proxy_set_header Accept-Encoding gzip;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Port $server_port;
        }
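To make the two pieces above concrete, the .htpasswd file and the auth_basic check that consults it, here is an added example (mine, not the post's and not nginx's code) that reimplements the check in Python: the $apr1$ hash htpasswd writes by default, the file format, and the decoding of the Authorization header a browser sends after the 401 prompt. The sample user and password are constructed; lines produced by htpasswd_line() are interchangeable with lines the htpasswd tool writes.

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional

# Added example, not from the original post: nginx's auth_basic check for /torrent/
# written out in Python so the whole mechanism is visible, from the .htpasswd line
# format and the $apr1$ hash that htpasswd writes by default to the header decode.

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """crypt-style base64: six bits per character, least significant bits first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def apr1_hash(password: str, salt: str) -> str:
    """Apache $apr1$ (the md5-crypt construction with a different magic string)."""
    if not 1 <= len(salt) <= 8 or any(c not in ITOA64 for c in salt):
        raise ValueError("salt must be 1-8 characters from the crypt alphabet")
    pw, sl = password.encode(), salt.encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    remaining = len(pw)
    while remaining > 0:  # mix in len(pw) bytes taken from the alternate digest
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:  # one byte per bit of the password length
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000-round stretching
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final  # output bytes are interleaved in this fixed order
    encoded = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
               + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
               + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
               + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
               + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
               + _to64(f[11], 2))
    return f"$apr1${salt}${encoded}"


def htpasswd_line(username: str, password: str) -> str:
    """Same shape as `htpasswd -n -m <username>` output: user:$apr1$salt$hash."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{username}:{apr1_hash(password, salt)}"


def load_htpasswd(text: str) -> Dict[str, str]:
    """One user:hash per line; blank lines and # comments are ignored."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            user, stored = line.split(":", 1)
            users[user] = stored
    return users


def check_password(stored: str, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    if not stored.startswith("$apr1$"):
        return False  # bcrypt/crypt/{SHA} entries are valid for nginx, not handled here
    salt = stored[6:].split("$", 1)[0]
    return secrets.compare_digest(apr1_hash(password, salt), stored)


def authorize(users: Dict[str, str], authorization: Optional[str]) -> Optional[str]:
    """What auth_basic does per request: decode 'Basic base64(user:password)' and
    verify. None means nginx answers 401 with a WWW-Authenticate: Basic challenge."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode()
    except ValueError:  # bad base64 or bad UTF-8
        return None
    if ":" not in decoded:
        return None
    user, password = decoded.split(":", 1)
    return user if check_password(users.get(user, ""), password) else None


def basic_header(user: str, password: str) -> str:
    """What the browser sends after the prompt: base64 is encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed sample, what `htpasswd -c /etc/nginx/.htpasswd alice` would write.
SAMPLE_HTPASSWD = htpasswd_line("alice", "correct horse battery staple") + "\n"
USERS = load_htpasswd(SAMPLE_HTPASSWD)
```

Two things the code makes obvious: the hash is the only secret in the file, which is why its permissions matter, and the header carries the password itself on every request, which is why this location must only be reachable over TLS.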

I automate certificate renewals across my devices with Certbot, so the service stays on HTTPS without manual oversight. The heart of it is a daily cron job that runs Certbot’s renew command with --preferred-chain "ISRG Root X1", which selects the chain that terminates at ISRG Root X1 rather than the longer cross-signed chain, for broad compatibility (in particular for using the host as a private DNS server on Android devices running version 10 or higher). Here’s the crux of the setup:

SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin

10 0 * * * /usr/bin/certbot renew --preferred-chain "ISRG Root X1" >> /home/<user>/cronlog.log 2>&1
# The schedule 10 0 * * * means the task will run at 12:10 AM every day server time.

This approach leverages cron for scheduling and Certbot for execution, automating the renewal and logging outcomes for easy monitoring. Two caveats: certbot renew only replaces certificates that are within 30 days of expiry, so the daily run is cheap and usually a no-op; and nginx keeps serving the old certificate from memory until it is reloaded, so unless the certificate was installed through certbot’s nginx plugin (which reloads for you), add --deploy-hook "service nginx reload" to the command.

An Insight into DNS Renewal Challenges (Unrelated to Jellyfin or qBittorrent)

Every time I want to renew the wildcard certificate, i.e. *.dns.bluepie.in, I start by logging in and checking the cronlog.log in my logs directory. This log helps me keep track of the automated renewals for all services running on that server.

This setup works well for most of my domains, renewing their certificates automatically. The catch is the wildcard domain *.dns.bluepie.in: Let’s Encrypt only issues wildcards through the DNS-01 challenge, which my current setup can’t complete on its own, so it needs a manual renewal roughly every two months. After renewing, I manually copy the private key and pem files to the DNS service so that it can read and use the new certificates.

The manual part involves adding a DNS TXT record for _acme-challenge.dns.bluepie.in. and waiting for it to be verified. The process is straightforward but a bit of a hassle because it can’t be automated with my current setup. After updating the DNS record, I always double-check that it has been deployed using the Google Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.dns.bluepie.in. This confirms the record is live, which is crucial before proceeding with the issuance.

The Google Admin Toolbox, specifically the “Dig” tool, is a web-based version of the Unix dig command, which I often use for DNS verification. It is part of a suite designed to troubleshoot Google Workspace services and is particularly handy for checking DNS record propagation, such as the TXT records required for certificate validation. I use it to confirm that the record has propagated across the DNS system. This step is crucial because Let’s Encrypt (or any other certificate authority that supports the DNS-01 challenge) validates the request by looking the TXT record up itself, so if the record isn’t visible yet the challenge simply fails. For more detailed functionalities and tools, you can explore the toolbox directly at toolbox.googleapps.com.

I’ve been thinking about solving this issue by integrating with the GoDaddy API for DNS wildcard renewal. Doing this would remove the need for manual intervention every two months, making the process smoother and fully automated. It’s definitely something I plan to work on in the future to streamline my server management tasks.
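The automation planned in the paragraph above already has a hook point in certbot: with --manual-auth-hook certbot runs a script of your choice, exports CERTBOT_DOMAIN and CERTBOT_VALIDATION into its environment, and only asks Let’s Encrypt to check the challenge once the script exits 0. The following is an added example (mine, not the author’s and not what currently runs on this server) of such a hook in Python. It publishes the TXT record through a DNS provider API and then polls the zone’s own nameserver until the record is served. The GoDaddy v1 endpoint shape and the GODADDY_KEY / GODADDY_SECRET variable names are assumptions to check against the provider’s current documentation; the zone name is taken from the domain used in this post.

```python
#!/usr/bin/env python3
import json
import os
import subprocess
import time
import urllib.request
from typing import Callable, List, Optional

# Added example, not the author's code: a certbot --manual-auth-hook that publishes
# the DNS-01 TXT record through the DNS provider's API and waits until the record is
# actually visible before handing control back to certbot. The GoDaddy URL shape and
# the GODADDY_KEY / GODADDY_SECRET names are assumptions; certbot itself provides
# CERTBOT_DOMAIN and CERTBOT_VALIDATION in the hook's environment.

ZONE = "bluepie.in"  # the registered zone the API operates on


def challenge_record(domain: str) -> str:
    """Record name certbot expects: _acme-challenge.<domain>. A wildcard name is
    validated at its base name, so a leading '*.' is dropped."""
    if domain.startswith("*."):
        domain = domain[2:]
    return f"_acme-challenge.{domain}"


def relative_name(fqdn: str, zone: str) -> str:
    """Provider APIs take the name relative to the zone, e.g. '_acme-challenge.dns'."""
    if fqdn == zone:
        return "@"
    if not fqdn.endswith("." + zone):
        raise ValueError(f"{fqdn} is not inside zone {zone}")
    return fqdn[: -len(zone) - 1]


def godaddy_txt_request(fqdn: str, value: str, key: str, secret: str,
                        zone: str = ZONE, ttl: int = 600) -> urllib.request.Request:
    """PUT replaces the whole TXT record set for the name, so a stale value from the
    previous renewal cannot linger next to the new one."""
    url = f"https://api.godaddy.com/v1/domains/{zone}/records/TXT/{relative_name(fqdn, zone)}"
    body = json.dumps([{"data": value, "ttl": ttl}]).encode()
    return urllib.request.Request(url, data=body, method="PUT", headers={
        "Authorization": f"sso-key {key}:{secret}",
        "Content-Type": "application/json",
    })


def dig_txt(fqdn: str, server: Optional[str] = None) -> List[str]:
    """TXT strings as `dig +short` prints them (the same query the toolbox dig page
    runs). ACME values are 43 characters, so no 255-byte string splitting to handle."""
    cmd = ["dig", "+short", "TXT", fqdn] + ([f"@{server}"] if server else [])
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return [line.strip().strip('"') for line in out.splitlines() if line.strip()]


def zone_nameserver(zone: str) -> str:
    """First authoritative nameserver of the zone; querying it directly avoids a
    cached negative answer at a public resolver."""
    out = subprocess.run(["dig", "+short", "NS", zone],
                         capture_output=True, text=True, check=True).stdout
    return out.split()[0].rstrip(".")


def wait_for_txt(fqdn: str, expected: str, lookup: Callable[[str], List[str]],
                 attempts: int = 30, delay: float = 10, sleep=time.sleep) -> bool:
    """Poll until the record is served. Returning before that makes certbot tell
    Let's Encrypt to check, and its lookup then fails the challenge."""
    for _ in range(attempts):
        if expected in lookup(fqdn):
            return True
        sleep(delay)
    return False


def main() -> int:
    fqdn = challenge_record(os.environ["CERTBOT_DOMAIN"])
    value = os.environ["CERTBOT_VALIDATION"]
    req = godaddy_txt_request(fqdn, value, os.environ["GODADDY_KEY"], os.environ["GODADDY_SECRET"])
    with urllib.request.urlopen(req, timeout=30):
        pass  # a 4xx/5xx raises HTTPError, so the hook exits non-zero and certbot aborts
    ns = zone_nameserver(ZONE)
    return 0 if wait_for_txt(fqdn, value, lambda name: dig_txt(name, ns)) else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Wired in with certbot certonly --manual --preferred-challenges dns --manual-auth-hook /path/to/hook.py -d '*.dns.bluepie.in', plus a matching --manual-cleanup-hook that removes the record afterwards, the existing renew cron job then covers the wildcard too. Keep the API credentials out of the crontab line itself (for example in a root-only file the hook reads), since the cron log above captures everything the command prints.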


Personal Update

This section typically opens each of my posts, a tradition spanning many years. However, I’ve decided it might be better placed at the end moving forward.

I’ve begun to engage heavily with LeetCode this year, a detail I haven’t shared in my posts. So, in case future me forgets, I’m jotting it down here for remembrance. Remember AOC, which I previously tackled in 2020 and maintained a GitHub repo here? I’ve opted to take it on this year as well. Yes, even though my plate is overflowing, I’ve decided to add this to my queue… I know, :facepalm:.

I’ve leased a new place in Chennai (Mugalivakkam), roughly 6 kilometers from my current office. It’s a 2BHK flat with parking facilities. I moved in, stating that it would be a family residence, with plans for my parents to join me. This decision came after a series of abrupt changes. Initially, I had a different plan in mind, but it’s funny how things evolve up to the last moment. My friend from the police force, with whom I’ve lived since after COVID and who recently got posted in Chennai after passing his exams, is a close friend. So, despite only needing to be in the Chennai office two days every two weeks (totalling four days a month) and despite the office policy changing around August/September to require my presence two days every week, I opted for a permanent stay over the convenience of crashing at a friend’s place. My decision was influenced by several factors:

  • My close friend, who I’ve known for eight years (time really flies), got a posting in Erode and plans to move out in December 2024. He had his transfer announced just before Diwali in 2023.
  • Parents take care of me: homemade food, household chores, and them being at peace without worrying, seeing me every day.
  • The home-like setup for productivity and peace of mind.

I’m writing this update after December, so for me, December is already in the past. I’ve been sick and bedridden over Christmas, alone since my friends and family were in their hometowns, including my parents. Despite my mother’s insistence on coming over as soon as possible because of my neglect towards self-care and healthy eating, I plan to bring them here in January after Pongal 2024. This is another reason I chose an individual house over sharing a space with friends, opting for a PG, or having a flatmate.