Jellyfin Reverse Proxy 2026: Nginx Proxy Manager (Beginner GUI) vs Caddy vs Traefik

Jellyfin Reverse Proxy Setup: NPM vs Traefik vs Caddy (2026)

A reverse proxy sits between the internet and your Jellyfin server. It handles SSL certificates, domain routing, and security - so you never expose port 8096 directly to the world.

In 2026, three reverse proxies dominate the self-hosting community. This guide compares them and gives you a working Docker setup for each.

Why You Need a Reverse Proxy

• HTTPS encryption - protect credentials and streams in transit
• Custom domain - access your server at jellyfin.yourdomain.com instead of an IP
• Hide your home IP - when combined with Cloudflare
• Centralized routing - one entry point for Jellyfin, Radarr, Sonarr, Jellyseerr
• Security headers - add HSTS, CSP, and rate limiting

Option 1: Caddy (Simplest)

Caddy is the easiest reverse proxy to configure. Automatic HTTPS with zero extra steps.

Docker Compose

services:
  caddy:
    image: caddy:2-alpine
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data
    restart: unless-stopped

volumes:
  caddy_data:

Caddyfile

jellyfin.yourdomain.com {
    reverse_proxy jellyfin:8096
}

radarr.yourdomain.com {
    reverse_proxy radarr:7878
}

sonarr.yourdomain.com {
    reverse_proxy sonarr:8989
}

requests.yourdomain.com {
    reverse_proxy jellyseerr:5055
}

That is it. Caddy obtains and renews Let's Encrypt certificates automatically.

Best for: Users who want the fastest setup with minimal configuration.

Option 2: Nginx Proxy Manager (Most Visual)

Nginx Proxy Manager (NPM) provides a web-based GUI for managing reverse proxy rules. No config files to edit.

Docker Compose

services:
  npm:
    image: jc21/nginx-proxy-manager:latest
    ports:
      - "80:80"
      - "443:443"
      - "81:81"  # Admin panel
    volumes:
      - ./npm/data:/data
      - ./npm/letsencrypt:/etc/letsencrypt
    restart: unless-stopped

Setup

1. Access the admin panel at http://your-server:81
2. Default login: admin@example.com / changeme
3. Add a Proxy Host:
   • Domain: jellyfin.yourdomain.com
   • Forward hostname: jellyfin (Docker service name)
   • Forward port: 8096
   • Enable SSL → Request a new certificate → Force SSL
4. Repeat for each service

Best for: Users who prefer a GUI over config files.

Option 3: Traefik (Most Powerful)

Traefik is a cloud-native reverse proxy that auto-discovers Docker containers via labels. More complex to set up, but extremely powerful for large stacks.

Docker Compose

services:
  traefik:
    image: traefik:v3.0
    command:
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.letsencrypt.acme.email=you@yourdomain.com"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt
    restart: unless-stopped

  jellyfin:
    image: jellyfin/jellyfin:latest
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.jellyfin.rule=Host(`jellyfin.yourdomain.com`)"
      - "traefik.http.routers.jellyfin.entrypoints=websecure"
      - "traefik.http.routers.jellyfin.tls.certresolver=letsencrypt"
      - "traefik.http.services.jellyfin.loadbalancer.server.port=8096"
    volumes:
      - ./jellyfin/config:/config
      - /path/to/media:/media:ro
    restart: unless-stopped

Traefik reads Docker labels and configures routing automatically. Add a new service with labels and it appears instantly.

Best for: Advanced users with large Docker stacks who want auto-discovery.

Comparison Table

Jellyfin-Specific Reverse Proxy Tips

WebSocket support

Jellyfin uses WebSockets for real-time features (SyncPlay, session updates). Make sure your reverse proxy passes WebSocket headers.

Caddy: handled automatically.

NPM: enable "WebSockets Support" in the proxy host settings.

Traefik: add this label:

- "traefik.http.middlewares.jellyfin-headers.headers.customrequestheaders.X-Forwarded-Proto=https"

Large file uploads

If you upload media through the Jellyfin web interface, increase the max body size:

• NPM: Custom Nginx config → client_max_body_size 20G;
• Caddy: No limit by default
• Traefik: Add buffering middleware

Cloudflare considerations

If you use Cloudflare DNS proxy (orange cloud):

• Cloudflare has a 100 MB upload limit on free plans - this can break large file transfers
• Video streaming through Cloudflare proxy may violate their ToS (Section 2.8)
• Consider using DNS-only mode (grey cloud) for your Jellyfin subdomain

Security Hardening

Once your reverse proxy is running:

1. Force HTTPS - redirect all HTTP to HTTPS
2. Enable HSTS - tell browsers to always use HTTPS
3. Add Fail2Ban - block brute-force login attempts
4. Restrict admin access - limit dashboard access to your local network or VPN
5. Monitor access logs - watch for suspicious activity

Monitor Your Exposed Server

Once your Jellyfin server is accessible from the internet, monitoring becomes critical. You need to know:

• Who is connecting and from where
• Whether sessions are transcoding unexpectedly
• If CPU spikes after exposing the server publicly
• Whether unauthorized devices appear

JellyWatch gives you all of this from your Android device - push notifications for new sessions, device tracking, and real-time server health.

Your server is now public - keep it under control. Download JellyWatch on Google Play - monitor sessions, track devices, and get alerts when something looks wrong.

On Emby? Download EmbyWatch on Google Play - the same security monitoring for Emby servers.