Troubleshooting help please: 502 (nginx) with new subdomain for Jellyfin/SWAG on Docker

Hi, I’m adding Jellyfin (Docker) to an Unraid server with SWAG, Nextcloud (Dockers) and others working well, internally and externally through an OPNsense router/firewall. My domain and DDNS are hosted on Cloudflare.

So far, I can only access Jellyfin by IP on the LAN. I’ve missed something basic and I just can’t see it. I suspect a reverse proxy issue, although I guess it could be a router setting. Hopefully there’s a clue below that might give someone more experienced an idea where I need to look. I would appreciate any troubleshooting suggestions. Thanks!

[Edit: sorry if the obfuscation of my example URLs is confusing. This forum disallowed my post as containing links, which they are not.]

I followed the same setup steps as my other apps (creating a CNAME record, configuring SWAG in the same way, etc.).

SWAG successfully generates certificates for all my subdomains and completes without error.
DNS checker (WAN side) shows the URL “jellyfin-dot-[my_domain]” resolves correctly to my WAN address.
Port Reflection is turned on in OPNsense.

On the LAN:
Other subdomains resolve and work correctly (e.g. “nextcloud-dot-[my_domain]”).

However, I can only access Jellyfin by “Server-IP-Address:8096”.

If I type “jellyfin-dot-[my_domain]” it gets resolved as “jellyfin-dot-[my_domain]:4443/”, and is flagged as a security risk. If I bypass the risk it says “A potential DNS Rebind attack has been detected”. (I should note that 4443 happens to be the TCP port I use for my OPNsense router.)

On the WAN side:
My other subdomains can be accessed via their URLs.
“jellyfin-dot-[my_domain]” times out with a “502 Bad Gateway (nginx)” error.

I’m not sure if the issue is in the firewall or SWAG. Comparing configs with the working instances and running through YouTube tutorials again has not helped.

Again, I would appreciate any troubleshooting suggestions. Thanks!

502 means SWAG cannot reach the application.
Here are the potential causes: SWAG -

I would, however, suggest coming on Discord for support rather than here.

Since you mention the rebind attack, this implies that you are NOT using split DNS (we recommend split DNS) and when you look up the name, both internally and externally, it resolves to your WAN IP. If you want to keep this potentially insecure setup, you need to enable hairpin NAT/NAT loopback/NAT reflection on your router, otherwise your router will block rebinds. See Split DNS - for more info on split DNS and hairpin.
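A small diagnostic, added here as an illustration and not part of the thread or of the SWAG project, that turns the two points above into checks: it reads the `set $upstream_app/port/proto` lines of a SWAG proxy-conf to see where nginx will actually proxy to (a failed connect there is the 502), and classifies what a LAN lookup of the subdomain returns (WAN IP with no hairpin NAT is the rebind case). The proxy-conf text is a constructed sample, and `check_upstream` is meant to be run inside the SWAG container.

```python
import re
import socket

# Constructed sample of the relevant lines of a SWAG proxy-conf
# (the real file would be /config/nginx/proxy-confs/jellyfin.subdomain.conf).
SAMPLE_CONF = """
server {
    listen 443 ssl;
    server_name jellyfin.*;
    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app jellyfin;
        set $upstream_port 8096;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
"""

def parse_upstream(conf_text):
    """Return (app, port, proto) from the 'set $upstream_*' lines nginx proxies to."""
    found = {}
    for key in ("app", "port", "proto"):
        m = re.search(r"set\s+\$upstream_%s\s+([^;\s]+)\s*;" % key, conf_text)
        if m:
            found[key] = m.group(1)
    if set(found) != {"app", "port", "proto"}:
        raise ValueError("proxy-conf is missing a set $upstream_* line")
    return found["app"], int(found["port"]), found["proto"]

def check_upstream(app, port, timeout=3.0):
    """From inside the SWAG container: can nginx resolve and reach the app?"""
    try:
        ip = socket.gethostbyname(app)          # same lookup nginx's resolver does
    except socket.gaierror:
        return "502 likely: '%s' does not resolve (container name/network mismatch)" % app
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "upstream %s:%d reachable" % (app, port)
    except OSError:
        return "502 likely: %s resolves to %s but port %d refused/timed out" % (app, ip, port)

def explain_lan_resolution(lan_answer, wan_ip, hairpin_nat):
    """Classify what a LAN client gets when it looks up the subdomain."""
    if lan_answer != wan_ip:
        return "split DNS: LAN resolves to internal address %s" % lan_answer
    if hairpin_nat:
        return "no split DNS; relying on hairpin NAT"
    return "no split DNS and no hairpin NAT: router rebind protection will block"
```

Run `parse_upstream` on the real proxy-conf and `check_upstream` from `docker exec` into the SWAG container; a refused or timed-out connect there is the direct cause of the 502.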

Thanks, driz.

My biggest questions are “Why is it working perfectly for all subdomains except this one?” and “Why is this subdomain resolving to port 4443?” (the port number my router uses). What’s doing that?

I’ll check the info in that link but I believe I do have NAT reflection enabled.