[PR #7] [MERGED] Align Jellyfin reverse proxy config with official docs (ModSec, rate limit, CSP, Permissions-Policy) #9

Closed
opened 2026-03-02 03:02:32 +03:00 by kerem · 0 comments

📋 Pull Request Information

Original PR: https://github.com/bunkerity/bunkerweb-templates/pull/7
Author: @TheophileDiot
Created: 2/20/2026
Status: Merged
Merged: 2/20/2026
Merged by: @TheophileDiot

Base: main ← Head: dev


📝 Commits (2)

  • d99fe7f [#6] fix: Update ModSecurity rules to prevent false positives for specific Jellyfin API requests
  • 13ec18b fix: Correct MAX_CLIENT_SIZE format and update LIMIT_REQ_RATE in Jellyfin template

📊 Changes

2 files changed (+10 additions, -6 deletions)

View changed files

📝 templates/jellyfin/configs/modsec-crs/jellyfin_false_positives.conf (+6 -2)
📝 templates/jellyfin/template.json (+4 -4)

📄 Description

Summary

This PR aligns the Jellyfin reverse proxy configuration with the official Jellyfin reverse proxy documentation and resolves several frontend-related false positives and policy conflicts.

The changes refine ModSecurity exclusions, relax rate limiting, and update security headers (CSP and Permissions-Policy) to match recommended upstream behavior.


Changes

1. ModSecurity (CRS) False Positive Handling

File: templates/jellyfin/configs/modsec-crs/jellyfin_false_positives.conf

Updates:

  • Removed:

    • ctl:ruleRemoveById=949110
  • Retained:

    • ctl:ruleRemoveById=930130 for /web/config.json
  • Added:

    • New SecRule for /web/node_modules.history.bundle.js
    • Applies ctl:ruleRemoveById=930130

Rationale:

  • 930130 continues to trigger false positives for specific Jellyfin web assets and must remain suppressed for those paths.
  • 949110 is no longer required and was removed to avoid unnecessary rule suppression.
  • The additional exclusion ensures frontend bundles load without CRS interference.

This keeps ModSecurity exceptions minimal while maintaining compatibility with Jellyfin’s web client.


2. Request Rate Adjustment

File: templates/jellyfin/template.json

  • Increased:

    • "LIMIT_REQ_RATE" from "10r/s" → "15r/s"

Rationale:
The previous rate was overly aggressive during normal UI usage (dashboard loads, metadata fetches, websocket-related activity).
Increasing to 15r/s reduces unintended throttling while maintaining protective rate limiting.


3. Content Security Policy Update

File: templates/jellyfin/template.json

  • Removed:

    • frame-ancestors 'self' from CONTENT_SECURITY_POLICY

Rationale:
The frame-ancestors directive can conflict with deployments where framing policies are enforced upstream (e.g., at a global reverse proxy or ingress layer).

Removing it avoids duplicate or conflicting header definitions and aligns with the Jellyfin reverse proxy guidance, where header management may be centralized.


4. Permissions-Policy Update

File: templates/jellyfin/template.json

Update:

  • Adjusted PERMISSIONS_POLICY to align with Jellyfin’s documented reverse proxy recommendations.
  • Explicitly disables or restricts browser features not required by Jellyfin.

Rationale:

  • Ensures parity with Jellyfin’s official reverse proxy documentation.
  • Prevents unnecessary browser capabilities while avoiding frontend breakage.
  • Keeps the policy explicit and deterministic instead of relying on browser defaults.

This ensures secure defaults without deviating from upstream-recommended behavior.


Overall Rationale

These changes were made to:

  • Align with Jellyfin’s official reverse proxy documentation
  • Reduce ModSecurity false positives affecting frontend assets
  • Prevent unnecessary request throttling
  • Normalize security headers (CSP + Permissions-Policy) to recommended values
  • Avoid policy conflicts in layered proxy environments

No breaking changes are expected.

Closes #6


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
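A check that the header layering the description refers to (framing policy enforced at an ingress in front of the template) does not silently lose clickjacking protection once `frame-ancestors` is dropped from one layer. This is an added example written for this page, not code from the PR, from bunkerweb-templates or from Jellyfin; the header sets, the scenario names and the stand-in CSP values are constructed and are not the template's actual values.

```python
"""Framing-protection check for a response that passes through more than one
proxy layer (for example a BunkerWeb template plus an ingress in front of it).

Added example for this page; not code from bunkerweb-templates or Jellyfin.
Header values below are constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple

Header = Tuple[str, str]


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split one Content-Security-Policy value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if not parts:
            continue
        # Browsers ignore a directive repeated within one policy; keep the first.
        policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def framing_protection(headers: List[Header]) -> Dict[str, object]:
    """Report which mechanism, if any, stops the page from being framed.

    Every Content-Security-Policy header a browser receives is enforced, so
    frame-ancestors lists from all layers are collected. X-Frame-Options is
    only consulted when no CSP header carries frame-ancestors.
    """
    layers: List[List[str]] = []
    xfo: Optional[str] = None
    for name, value in headers:
        lname = name.lower()
        if lname == "content-security-policy":
            sources = parse_csp(value).get("frame-ancestors")
            if sources is not None:
                layers.append(sources)
        elif lname == "x-frame-options":
            xfo = value.strip().upper()

    result: Dict[str, object] = {
        "frame_ancestors_layers": layers,
        "x_frame_options": xfo,
        # Two layers emitting different lists is the duplicate/conflict case.
        "conflict": len({tuple(layer) for layer in layers}) > 1,
        "effective_by": None,
        "protected": False,
    }
    if layers:
        result["effective_by"] = "csp"
        # Any layer whose list is not the wildcard restricts who may frame us.
        result["protected"] = any(layer != ["*"] for layer in layers)
    elif xfo in ("DENY", "SAMEORIGIN"):
        result["effective_by"] = "x-frame-options"
        result["protected"] = True
    return result


# Constructed header sets (not captured from a real deployment).
SCENARIOS: Dict[str, List[Header]] = {
    # Before the change: a template CSP carrying frame-ancestors 'self'
    # behind an ingress that also emits its own frame-ancestors.
    "layered_conflict": [
        ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'"),
        ("Content-Security-Policy", "frame-ancestors 'none'"),
    ],
    # After the change, with the framing policy centralised at the ingress.
    "upstream_xfo_after": [
        ("Content-Security-Policy", "default-src 'self'"),
        ("X-Frame-Options", "SAMEORIGIN"),
    ],
    # After the change, but no upstream layer sets any framing policy.
    "template_only_after": [
        ("Content-Security-Policy", "default-src 'self'"),
    ],
}


if __name__ == "__main__":
    for label, hdrs in SCENARIOS.items():
        summary = framing_protection(hdrs)
        print(f"{label}: protected={summary['protected']} "
              f"via={summary['effective_by']} conflict={summary['conflict']}")
```

Feed it the headers actually returned by the outermost layer (for instance from `curl -sI`) after removing `frame-ancestors` from the template: the `template_only_after` case is what you get when nothing upstream sets `frame-ancestors` or `X-Frame-Options`, and it is the case to rule out before calling the centralised-header setup complete.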

Reference
starred/bunkerweb-templates#9