Jellyfin on AWS User Guide
Overview
This image runs Jellyfin, the open source, self-hosted media server - stream your own movies, TV shows, music and photos to any device through a polished web app and native client apps. A free, privacy-respecting alternative to hosted media services, deployable in your own VPC.
The Jellyfin server runs behind nginx as a reverse proxy. The datastore is an embedded SQLite database; hardware-agnostic transcoding is provided by the bundled jellyfin-ffmpeg. The server listens on 127.0.0.1:8096 and is reached through nginx on port 80 (and 443 once you add TLS).
Jellyfin ships with no account until its first-run setup wizard is completed. On the first boot of every deployed instance, a one-shot service completes the wizard and creates a single administrator account with a per-instance password, and generates a fresh per-instance server identity. The login is written to /root/jellyfin-credentials.txt with mode 0600.
Prerequisites
Before you deploy this image you need:
- An Amazon Web Services account where you can launch EC2 instances
- IAM permissions to launch instances, create security groups, and subscribe to AWS Marketplace products
- An EC2 key pair in the target Region for SSH access to the instance
- A VPC and subnet in the target Region, with a security group allowing inbound port 22 from your management network and inbound ports 80 and 443 from the networks your viewers will reach Jellyfin on
- The AWS CLI (version 2) installed locally if you plan to deploy from the command line
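If you do not yet have a security group matching the rules above, the following sketch creates one with the AWS CLI. It is an added example, not part of the cloudimg image or documentation: the group name jellyfin-sg, the function names and the CIDR ranges are placeholders, and it assumes IPv4 networks.

```shell
#!/bin/sh
# Added example: build the security group this guide describes.
# jellyfin-sg, the function names and the CIDRs are placeholders.

# Print "port cidr" ingress rules: 22 from the management network only,
# 80 and 443 from the viewer network. Refuses world-open SSH.
plan_rules() {
    mgmt_cidr=$1
    viewer_cidr=$2
    for c in "$mgmt_cidr" "$viewer_cidr"; do
        echo "$c" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' \
            || { echo "not an IPv4 CIDR: $c" >&2; return 2; }
    done
    case $mgmt_cidr in
        */0) echo "refusing to open SSH to the whole internet" >&2; return 1 ;;
    esac
    printf '22 %s\n80 %s\n443 %s\n' "$mgmt_cidr" "$viewer_cidr" "$viewer_cidr"
}

# Create the group in the given VPC, apply the planned rules, print its ID.
create_jellyfin_sg() {
    vpc_id=$1
    rules=$(plan_rules "$2" "$3") || return
    sg_id=$(aws ec2 create-security-group --group-name jellyfin-sg \
        --description "Jellyfin: SSH from mgmt, HTTP/HTTPS from viewers" \
        --vpc-id "$vpc_id" --query GroupId --output text) || return
    echo "$rules" | while read -r port cidr; do
        aws ec2 authorize-security-group-ingress --group-id "$sg_id" \
            --protocol tcp --port "$port" --cidr "$cidr" >/dev/null || exit 1
    done || return
    echo "$sg_id"
}

# Usage (documentation ranges shown; substitute your own):
#   create_jellyfin_sg <vpc-id> 203.0.113.0/24 198.51.100.0/24
```

The printed group ID is the value to pass as <security-group-id> when launching the instance.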
Step 1: Launch the Instance from the AWS Marketplace
Sign in to the AWS Management Console, open the EC2 service, and select Launch instance. Under Application and OS Images choose AWS Marketplace AMIs and search for Jellyfin. Select the cloudimg listing and choose Select, then Continue on the subscription summary.
Pick an instance type of t3.medium or larger - more vCPUs help with on-the-fly transcoding. Choose your EC2 key pair under Key pair (login). Under Network settings select your VPC and subnet, and either create or select a security group that allows inbound port 22 from your management network and inbound ports 80 and 443 from the networks your viewers use. Leave the root volume at the default size or larger.
Select Launch instance. First boot initialisation takes a minute or two after the instance state becomes Running and the status checks pass.
Step 2: Launch the Instance from the AWS CLI
The following block launches an instance from the cloudimg Jellyfin Marketplace AMI into an existing subnet and security group. Replace <ami-id> with the AMI ID shown on the Marketplace listing, <key-name> with your EC2 key pair name, <subnet-id> with your subnet ID, and <security-group-id> with a security group that opens ports 22, 80, and 443 as described above.
aws ec2 run-instances \
--image-id <ami-id> \
--instance-type t3.medium \
--key-name <key-name> \
--subnet-id <subnet-id> \
--security-group-ids <security-group-id> \
--block-device-mappings '[{"DeviceName":"/dev/sda1","Ebs":{"VolumeSize":30,"VolumeType":"gp3"}}]' \
--tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=jellyfin-01}]'
The command prints a JSON document on success. Note the instance ID, then retrieve its public address once it is running with aws ec2 describe-instances --instance-ids <instance-id> --query "Reservations[].Instances[].PublicIpAddress" --output text.
Step 3: Connect and Retrieve the Administrator Login
Connect over SSH with the key pair you selected and the public IP address from step 2. The SSH login user depends on the operating system of the AMI variant you launched:
| AMI variant | SSH login user |
|---|---|
| Jellyfin 10.11 on Ubuntu 24.04 | ubuntu |
The first boot service runs before the SSH daemon becomes ready, so the credentials file is always in place when you log in for the first time.
ssh <login-user>@<public-ip>
sudo cat /root/jellyfin-credentials.txt
You will see a plain text file containing the Jellyfin URL, the administrator username (admin) and the password. From the same SSH session you can confirm the deployment is healthy - the public info endpoint needs no login:
curl -fsS http://127.0.0.1/System/Info/Public
{"LocalAddress":"...","ServerName":"...","Version":"10.11.x","StartupWizardCompleted":true,...}
"StartupWizardCompleted":true confirms the full stack - nginx and the Jellyfin server - is serving and ready.
Step 4: First Sign-in
Open a web browser and navigate to http://<public-ip>/. Jellyfin presents its sign-in page. Enter the username admin and the password from /root/jellyfin-credentials.txt, then sign in.

The Jellyfin sign-in, served on first boot with a per-instance administrator login.
Step 5: Add Your Media
Copy your media onto the dedicated media volume, mounted at /srv/media. Organise it into folders by type, for example:
sudo mkdir -p /srv/media/Movies /srv/media/Shows /srv/media/Music
# copy or sync your files into those folders, e.g. with scp, rsync or the AWS CLI
sudo chown -R jellyfin:jellyfin /srv/media
Then in the dashboard add a library for each folder (the image ships with Movies, TV Shows and Music libraries pointing at the matching /srv/media folders). The home screen shows your libraries under My Media.

The Jellyfin home - your Movies, TV Shows and Music libraries, ready for content.
Step 6: The Administration Dashboard
Open the user menu and select Dashboard (or browse to /web/index.html#/dashboard) to manage the server: libraries and scheduled scans, users and access, playback and transcoding, plugins, and server logs.

The Jellyfin administration dashboard - server status, libraries, users and settings.
Step 7: Connect Client Apps
Install an official Jellyfin client - web, Android, iOS, Android TV, Fire TV, Roku, Kodi and more - and point it at http://<public-ip>/ (or your HTTPS domain). Sign in with a user account; create additional users in the dashboard under Users so each viewer has their own profile and watch state.
Step 8: Enable HTTPS with Let's Encrypt
For any production deployment, serve Jellyfin over HTTPS so logins and streams cannot be intercepted. Until you do, the sign-in from Step 4 and all streams travel over plain HTTP. The image ships with nginx, which certbot can configure automatically.
The following assumes you have a DNS record pointing your fully qualified domain name at the instance's public IP address.
sudo apt-get update && sudo apt-get install -y certbot python3-certbot-nginx
sudo certbot --nginx -d media.your-domain.example \
--non-interactive --agree-tos -m you@your-domain.example \
--redirect
certbot also configures the websocket upgrade headers Jellyfin uses for real-time updates.
Step 9: Backups and Maintenance
Jellyfin keeps its configuration, metadata and SQLite database under /var/lib/jellyfin (and /etc/jellyfin); your media lives on the separate /srv/media volume. Back up the server state regularly:
sudo systemctl stop jellyfin
sudo tar czf <backup-dir>/jellyfin-state-$(date +%F).tgz /var/lib/jellyfin /etc/jellyfin
sudo systemctl start jellyfin
Ship the archive to an Amazon S3 bucket or another object store. Because the server state and the media library are each on their own EBS volume, you can also take coordinated EBS snapshots. To upgrade Jellyfin, run sudo apt-get update && sudo apt-get install --only-upgrade jellyfin and restart. See https://jellyfin.org/docs/.
Step 10: Scaling and Operations
- Attach a larger or additional EBS volume for /srv/media as your library grows
- For high concurrent transcoding, choose a larger instance type or enable hardware acceleration where available
- Put the web tier behind an Application Load Balancer (with websocket support) if you need high availability
Each of these is documented in the official Jellyfin documentation at https://jellyfin.org/docs/.
Support
cloudimg provides 24/7/365 expert technical support for this image. Guaranteed response within 24 hours, one hour average for critical issues. Contact support@cloudimg.co.uk.
For general Jellyfin questions consult the documentation at https://jellyfin.org/docs/. Jellyfin is a trademark of its respective owner; use here is nominative and does not imply affiliation or endorsement.