⚠️ Extremely Advanced — exposes your server to the public internet
If you want friends to access your Jellyfin server without downloading a VPN app, you must expose it to the internet. To do this securely without browser warnings, you need an SSL Certificate (HTTPS) and a Reverse Proxy.
Overview
Nginx Proxy Manager (NPM) acts as a traffic cop. It sits at the edge of your network, receives public web traffic, attaches a valid HTTPS security certificate to it, and routes it to the correct app on your LocalNode (like Jellyfin or Nextcloud).
Step 1: Acquiring a Domain Name
You cannot generate a standard SSL certificate for an IP address; you need a domain name.
Free Option: Use DuckDNS to get a free domain (e.g., myhouse.duckdns.org).
Paid Option: Buy a domain from Cloudflare or Namecheap (e.g., smithfamily.com).
Ensure your domain's DNS A-Record points to your home router's public IP address.
Step 2: Forwarding Port 80 and 443
You must tell your home router to send incoming web traffic to Nginx Proxy Manager.
Log into your home Wi-Fi router.
Go to Port Forwarding.
Forward Port 80 (TCP) to your LocalNode's internal IP address (e.g., 192.168.1.50) on internal port 80.
Forward Port 443 (TCP) to your LocalNode's internal IP address on internal port 443.
Note: Port 80 is required so the server can talk to Let's Encrypt to generate the free SSL certificate. Port 443 is the actual secure HTTPS traffic.
Step 3: Configuring Nginx Proxy Manager
Go to your LocalNode dashboard and open Nginx Proxy Manager.
Log in (Default: admin@example.com / changeme).
Click on Proxy Hosts > Add Proxy Host.
Example: Exposing Jellyfin
Domain Names: Type your domain (e.g., jellyfin.myhouse.duckdns.org) and press Enter.
Scheme:http
Forward Hostname / IP: Type the internal IP of the LocalNode (e.g., 192.168.1.50). Note: Even though NPM is on the same machine, use the actual LAN IP here.
Forward Port:8096 (Jellyfin's internal port).
Block Common Exploits: Check this.
Websockets Support: Check this (crucial for Jellyfin playback).
Getting the Certificate:
In the same window, click the SSL tab at the top.
Change the dropdown to "Request a new SSL Certificate".
Check "Force SSL".
Enter your email address (Let's Encrypt requires this for expiration warnings).
The window will spin for 10-30 seconds. If it saves successfully, the green "Online" badge will appear. You can now go to https://jellyfin.myhouse.duckdns.org from anywhere in the world, and it will load securely with a padlock icon!
💡 Tip: If the SSL generation fails and throws an "Internal Error", 99% of the time it means your Port 80 forward in your router is not working correctly, so Let's Encrypt cannot verify you own the domain.
