StreamMusic icon indicating copy to clipboard operation
StreamMusic copied to clipboard

Published 20 hours ago verified publisher icon gitbobobo

通过 HTTPS 反向代理连接 Jellyfin 服务器失败:Android、windows 上 TLS 握手时 HandshakeException

Open ljwzz opened this issue 1 month ago • 0 comments
trafficstars

Steps to reproduce(重现步骤)

在 Windows 设备上安装最新 StreamMusic 打开应用,添加新服务器:(我的 Jellyfin 实例,通过 Nginx 代理,仅包含协议、域名、端口) 输入有效的 Jellyfin 凭据(用户名/密码)。 点击登录按钮。

Expected results(预期结果)

应用成功完成 TLS 握手,认证并加载 Jellyfin 媒体库。因为同主机、手机上通过浏览器能访问。

Actual results(实际结果)

报错“请检查网络或者账号密码是否正确”。通过点击“扫描二维码添加”绕过登录。在日志中找到

ERROR ⛔ [LoginBloc] 登录失败:DioException [unknown]: null ERROR ⛔ Error: HandshakeException: Connection terminated during handshake

Server Type(服务器类型)

Jellyfin

Server Version(服务器版本)

Jellyfin 10.10.7

Client Version(客户端版本)

音流 1.3.9

Operating System(操作系统)

Android, Windows

Connection Type(连接类型)

Direct Mode(直连模式)

Additional Information(附加信息)

nginx config,按AI提示说 Dio 偏好 ECDHE(椭圆曲线)而非 RSA。尝试修改过加密套件

proxy_cache_path /www/wwwroot/[站点目录]/proxy_cache_dir levels=1:2 keys_zone=[站点目录]_cache:20m inactive=1d max_size=5g;
server {
    listen [端口] ssl;

    server_name [域名];
    index index.php index.html index.htm default.php default.htm default.html;
    root /www/wwwroot/[站点目录];
    include /www/server/panel/vhost/nginx/extension/[站点目录]/*.conf;

    ssl_certificate /www/server/panel/vhost/cert/[站点目录]/fullchain.pem;
    ssl_certificate_key /www/server/panel/vhost/cert/[站点目录]/privkey.pem;
    ssl_protocols TLSv1.3;
    # ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5; 
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    add_header Strict-Transport-Security "max-age=31536000";
    error_page 497 https://$host$request_uri;
    #SSL-END

    #WEBSOCKET-SUPPORT START
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    #WEBSOCKET-SUPPORT END

    #PROXY-CONF-START
    location ^~ / {
        proxy_pass http://127.0.0.1:58096;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Real-Port $remote_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_connect_timeout 60s;
        proxy_send_timeout 600s;
        proxy_read_timeout 600s;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
    #PROXY-CONF-END
}

docker compose

services:
  jellyfin:
    image: jellyfin/jellyfin
    container_name: jellyfin
    user: "1000:1000"
    volumes:
      - /opt/jellyfin/config:/config
      - /opt/jellyfin/cache:/cache
      - /media:/media
    ports:
      - "127.0.0.1:58096:8096"
    restart: unless-stopped

ssl 证书还在有效期内 证书分类:Let's Encrypt 强制HTTPS:√ 证书品牌:E6 到期时间:2025-11-xx

ljwzz avatar Sep 19 '25 17:09 ljwzz