diff --git a/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml b/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml
index 2bf808a..525c371 100644
--- a/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml
+++ b/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml
@@ -11,6 +11,7 @@ profiles::haproxy::mappings:
       - 'lidarr.main.unkin.net be_lidarr'
       - 'readarr.main.unkin.net be_readarr'
       - 'prowlarr.main.unkin.net be_prowlarr'
+      - 'jellyfin.main.unkin.net be_jellyfin'
   fe_https:
     ensure: present
     mappings:
@@ -21,6 +22,7 @@ profiles::haproxy::mappings:
       - 'lidarr.main.unkin.net be_lidarr'
       - 'readarr.main.unkin.net be_readarr'
       - 'prowlarr.main.unkin.net be_prowlarr'
+      - 'jellyfin.main.unkin.net be_jellyfin'
 
 profiles::haproxy::frontends:
   fe_http:
@@ -153,6 +155,22 @@ profiles::haproxy::backends:
         - set-header X-Forwarded-Port %[dst_port]
         - add-header X-Forwarded-Proto https if { dst_port 443 }
       redirect: 'scheme https if !{ ssl_fc }'
+  be_jellyfin:
+    description: Backend for au-syd1 jellyfin
+    collect_exported: false # handled in custom function
+    options:
+      balance: roundrobin
+      option:
+        - httpchk GET /
+        - forwardfor
+        - http-keep-alive
+        - prefer-last-server
+      cookie: SRVNAME insert indirect nocache
+      http-reuse: always
+      http-request:
+        - set-header X-Forwarded-Port %[dst_port]
+        - add-header X-Forwarded-Proto https if { dst_port 443 }
+      redirect: 'scheme https if !{ ssl_fc }'
 
 profiles::haproxy::certlist::enabled: true
 profiles::haproxy::certlist::certificates:
@@ -167,6 +185,7 @@ profiles::pki::vault::alt_names:
   - lidarr.main.unkin.net
   - readarr.main.unkin.net
   - prowlarr.main.unkin.net
+  - jellyfin.main.unkin.net
 
 # additional cnames
 profiles::haproxy::dns::cnames: