diff --git a/roles/jellyfin/tasks/httpd-proxy.yml b/roles/jellyfin/tasks/httpd-proxy.yml
index 8f8a74a..df7e71f 100644
--- a/roles/jellyfin/tasks/httpd-proxy.yml
+++ b/roles/jellyfin/tasks/httpd-proxy.yml
@@ -17,3 +17,12 @@
 persistent: true
 tags:
 - selinux
+
+- name: ensure jellyfin http proxy port is allowed in firewall
+ firewalld:
+ port: 8443/tcp
+ state: enabled
+ immediate: true
+ permanent: true
+ tags:
+ - firewalld
diff --git a/roles/jellyfin/templates/jellyfin.httpd.conf.j2 b/roles/jellyfin/templates/jellyfin.httpd.conf.j2
index 620eb1f..a9832cd 100644
--- a/roles/jellyfin/templates/jellyfin.httpd.conf.j2
+++ b/roles/jellyfin/templates/jellyfin.httpd.conf.j2
@@ -26,3 +26,26 @@
 Header always set \
 Strict-Transport-Security "max-age=63072000; includeSubDomains"
+
+Listen 8443
+
+ ServerName {{ jellyfin_server_name }}
+
+ SSLCertificateFile {{ jellyfin_ssl_certificate }}
+ SSLCertificateKeyFile {{ jellyfin_ssl_certificate_key }}
+ SSLCertificateChainFile {{ jellyfin_ssl_certificate }}
+
+ ProxyPreserveHost On
+ ProxyRequests Off
+
+ RemoteIPProxyProtocol On
+
+ RewriteEngine On
+ RewriteCond %{HTTP:Upgrade} =websocket [NC]
+ RewriteRule /(.*) ws://localhost:8096/$1 [P,L]
+ RewriteRule /(.*) http://localhost:8096/$1 [P,L]
+ ProxyPassReverse / http://localhost:8096/
+
+ Header always set \
+ Strict-Transport-Security "max-age=63072000; includeSubDomains"
+
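Review bot: The new firewalld task in roles/jellyfin/tasks/httpd-proxy.yml opens 8443/tcp with no `zone:` and no source restriction, so the port is reachable from every host the default zone admits. The listener added in the template on the same port sets `RemoteIPProxyProtocol On`, which makes httpd take the client address from the PROXY header of whoever connects, so the address seen in logs and access rules is only trustworthy if the upstream proxy alone can reach the port. Consider replacing `port: 8443/tcp` with a rule scoped to the proxy, e.g. `rich_rule: 'rule family="ipv4" source address="<proxy-address-placeholder>" port port="8443" protocol="tcp" accept'`, with the address supplied from a role variable. The port number is also hard-coded here and in the template; a single variable would keep the two in step.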
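Review bot: None of the lines added to roles/jellyfin/templates/jellyfin.httpd.conf.j2 for the 8443 listener sets `SSLEngine on`, although the block configures certificate files and sends an HSTS header. `Listen 8443` without a protocol argument defaults to plain http for ports other than 443, so unless SSL is enabled at server scope outside this hunk the listener would likely answer without TLS; adding `SSLEngine on` next to the certificate directives makes the intent explicit. `SSLCertificateChainFile` pointing at the same file as `SSLCertificateFile` is redundant on httpd 2.4.8 and later, where that directive is deprecated. The container lines that enclose these directives are not visible on this page, so the scope of the block is inferred.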