r/jellyfin: Add virtual host for HAProxy

Expose a virtual host on a separate TCP port that uses the PROXY
protocol.  This way, HAProxy can pass the original client IP address to
Jellyfin without terminating the TLS connection.

roles/jellyfin/tasks/httpd-proxy.yml

@@ -17,3 +17,12 @@
     persistent: true
   tags:
   - selinux
+
+- name: ensure jellyfin http proxy port is allowed in firewall
+  firewalld:
+    port: 8443/tcp
+    state: enabled
+    immediate: true
+    permanent: true
+  tags:
+  - firewalld

roles/jellyfin/templates/jellyfin.httpd.conf.j2

@@ -26,3 +26,26 @@
     Header always set \
         Strict-Transport-Security "max-age=63072000; includeSubDomains"
 </VirtualHost>
+
+Listen 8443
+<VirtualHost _default_:8443>
+    ServerName {{ jellyfin_server_name }}
+
+    SSLCertificateFile {{ jellyfin_ssl_certificate }}
+    SSLCertificateKeyFile {{ jellyfin_ssl_certificate_key }}
+    SSLCertificateChainFile {{ jellyfin_ssl_certificate }}
+
+    ProxyPreserveHost On
+    ProxyRequests Off
+
+    RemoteIPProxyProtocol On
+
+    RewriteEngine On
+    RewriteCond %{HTTP:Upgrade} =websocket [NC]
+    RewriteRule /(.*)  ws://localhost:8096/$1 [P,L]
+    RewriteRule /(.*)  http://localhost:8096/$1 [P,L]
+    ProxyPassReverse / http://localhost:8096/
+
+    Header always set \
+        Strict-Transport-Security "max-age=63072000; includeSubDomains"
+</VirtualHost>