This will work fine over the web, but won’t work with clients.

They have instructions on jellyfin forums on setting up HAProxy, that part totally works.

But you don’t put 2FA on the jellyfin server, for that you just deny all IPs except whitelisted.

You did the 2FA on the whitelister only using path-based routing.

You don’t have access to the root site, you go to a path and login to a separate database to whitelist yourself then your client should work from that IP.

edit:

I just tried it, it appears to work so far.

I can send websocket traffic inbound to 8096: to the JF server and it loads on web, Android and Roku clients with an ACL limiter on originating ips. and send 8096/whitelist to another server altogether with no ACL limits.

On that process, I’d load nginx, authelia, fail2ban and what flask? Surely someone has a python longin/admin framework that I could hijack for this. Then have that app reack over in shared container storage to twiddle the haproxy config to add some ip’s and reload it?

I wonder if I could do something to the haproxy side to detect non-use of an IP and remove it.