AnonymousWebHacker · October 6, 2023 07:31
diff --git a/about.md b/about.md
diff --git a/block.conf b/block.conf
 server {
 	listen 80;
 	listen [::]:80;
 	server_name _;
 	return 444;
 	access_log /var/log/nginx/block.log main buffer=32k flush=5m;
 }

 server {
 	listen 443 ssl http2;
 	listen [::]:443 ssl http2;
 	# HTTP3 ONLY
 	#listen 443 quic;
 	#quic_retry on;
 	#ssl_early_data on;
 	#http3 on;
 	#http3_hq off;

 	server_name _;
 	# A reject causes problems with SSL Labs test. Will cause server to fail TLS 1.3 and fallback on 1.2.
 	#ssl_reject_handshake on;
 	ssl_protocols TLSv1.2 TLSv1.3;
 	ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305;
 	ssl_prefer_server_ciphers on;
 	ssl_session_tickets off;
 	ssl_session_timeout 10m;
 	ssl_ecdh_curve prime256v1;
 	ssl_buffer_size 1400;
 	ssl_session_cache shared:ipsecure:10m;
 	# we use a fake cert so TLS works to send a 444.
 	ssl_certificate "/etc/nginx/certs/invalid.pem";
 	ssl_certificate_key "/etc/nginx/certs/invalid.key";
 	ssl_dhparam "/etc/nginx/dhparam.pem";
 	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
 	add_header X-Frame-Options "SAMEORIGIN" always;
 	add_header X-Content-Type-Options "nosniff" always;
 	add_header Referrer-Policy "strict-origin" always;
 	# HTTP3 ONLY
 	#add_header Alt-Svc 'h3-29=":$server_port"; ma=86400, h3=":$server_port"; ma=86400';
 	return 444;
 	access_log /var/log/nginx/block.log main buffer=32k flush=5m;
 }
diff --git a/jellyfin.vhost b/jellyfin.vhost
 server {
 	listen 80;
 	listen [::]:80;
 	server_name jf.example.com;
 	add_header Content-Security-Policy "default-src 'self';";
 	return 301 jf.example.com;
 	access_log off;
 }
 server {
 	listen 443 ssl http2;
 	listen [::]:443 ssl http2;
 	# HTTP3 ONLY
 	#listen 443 quic reuseport;
 	#listen [::]:443 quic reuseport;
 	#quic_retry on;
 	#ssl_early_data on;
 	#http3 on;
 	#http3_hq off;

 	server_name jf.example.com;

 	set $jellyfin 127.0.0.1;

 	keepalive_timeout 60;

 	ssl_conf_command Options KTLS;
 	#ssl_protocols READ GUIDE FOR THIS;
 	#ssl_ciphers READ GUIDE FOR THIS;
 	ssl_prefer_server_ciphers on;
 	ssl_session_tickets off;
 	ssl_session_timeout 24h;
 	ssl_ecdh_curve secp256r1;
 	ssl_buffer_size 4k;
 	ssl_stapling on;
 	ssl_stapling_verify on;
 	resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s;
 	ssl_session_cache shared:dotcomsecure:10m;
 	ssl_ocsp_cache shared:dotcomstaple:10m;
 	ssl_certificate "/etc/letsencrypt/live/example.com/fullchain.pem";
 	ssl_certificate_key "/etc/letsencrypt/live/example.com/privkey.pem";
 	ssl_trusted_certificate "/etc/letsencrypt/live/example.com/chain.pem";
 	ssl_dhparam "/etc/nginx/dh/dhparam.pem";

 	add_header Content-Security-Policy "base-uri 'none'; connect-src 'self'; default-src 'self'; font-src 'self' data:; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; img-src 'self' blob: data: https:; manifest-src 'self'; media-src 'self' blob:; object-src 'none'; script-src 'self' 'unsafe-inline' blob:; script-src-elem 'self' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/ blob:; style-src 'self' 'unsafe-inline'; worker-src 'self' blob:;";
 	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
 	add_header X-Frame-Options SAMEORIGIN always;
 	add_header X-Content-Type-Options nosniff;
 	add_header Referrer-Policy strict-origin-when-cross-origin;
 	# HTTP3 ONLY
 	#add_header Alt-Svc 'h3-29=":$server_port"; ma=86400, h3=":$server_port"; ma=86400';
 	add_header X-protocol $server_protocol always;
 	# Private cache is used for security reasons. This isn't a public service.
 	# Responses with Authorization headers while using Public can be problematic if you're behind a proxy from Amazon, Cloudflare, Fastly, etc.
 	add_header Cache-Control "private$jf_content";

 	access_log /var/log/nginx/jellyfin.log main buffer=32k flush=5m;

 	# Only allow these HTTP response types.
 	# If you need to delete content via the UI, use the LAN:IP.
 	# Adding DELETE here allows someone to delete content through Jellyfin TLD.
 	if ($request_method !~ ^(GET|HEAD|POST)$ ) {
 		return 405;
 	}

 	sendfile on;
 	tcp_nopush on;

 	location = / {
 		return 301 https://$host/web/;
 	}

 	location / {
 		proxy_pass http://$jellyfin:8096;
 		proxy_http_version 1.1;
 		proxy_set_header Host $host;
 		proxy_set_header X-Real-IP $remote_addr;
 		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 		proxy_set_header X-Forwarded-Proto $scheme;
 		proxy_set_header X-Forwarded-Protocol $scheme;
 		proxy_set_header X-Forwarded-Host $http_host;
 		proxy_buffering on;
 		proxy_buffers 16 4k;
 		proxy_buffer_size 4k;
 		proxy_busy_buffers_size 8k;
 		proxy_temp_file_write_size 8k;
 		proxy_max_temp_file_size 16k;
 		proxy_connect_timeout 60s;
 		proxy_send_timeout 60s;
 		proxy_read_timeout 60s;
 		# For use with TLS locally. See guide.
 		#proxy_ssl_certificate /etc/nginx/certs/cert.pem;
 		#proxy_ssl_certificate_key /etc/nginx/certs/priv.key;
 		#proxy_ssl_protocols TLSv1.2 TLSv1.3;
 		#proxy_ssl_session_reuse on;
 	}
 	location = /web/ {
 		proxy_pass http://$jellyfin:8096/web/index.html;
 		proxy_set_header Host $host;
 		proxy_set_header X-Real-IP $remote_addr;
 		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 		proxy_set_header X-Forwarded-Proto $scheme;
 		proxy_set_header X-Forwarded-Protocol $scheme;
 		proxy_set_header X-Forwarded-Host $http_host;
 	}
 	location /socket {
 		proxy_pass http://$jellyfin:8096;
 		proxy_http_version 1.1;
 		proxy_set_header Upgrade $http_upgrade;
 		proxy_set_header Connection "upgrade";
 		proxy_set_header Host $host;
 		proxy_set_header X-Real-IP $remote_addr;
 		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 		proxy_set_header X-Forwarded-Proto $scheme;
 		proxy_set_header X-Forwarded-Protocol $scheme;
 		proxy_set_header X-Forwarded-Host $http_host;
 		proxy_connect_timeout 60s;
 		proxy_send_timeout 60s;
 		proxy_read_timeout 60s;
 	}
 	location ~ /Items/(.*)/Images {
 		# We give NGINX its own cache so Jellyfin doesn't have to serve the request.
 		proxy_pass http://$jellyfin:8096;
 		proxy_set_header Host $host;
 		proxy_set_header X-Real-IP $remote_addr;
 		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 		proxy_set_header X-Forwarded-Proto $scheme;
 		proxy_set_header X-Forwarded-Protocol $scheme;
 		proxy_set_header X-Forwarded-Host $http_host;
 		proxy_cache jellyfin;
 		proxy_cache_revalidate on;
 		proxy_cache_lock on;
 		add_header X-Cache-Status $upstream_cache_status; # This is only to check if cache is working
 	}
 	# Drop script execution.
 	location ~* .(pl|cgi|py|sh|lua|asp|php)$ {
 		return 444;
 	}
 	# Drop access to hidden files.
 	location ~ /\. {
 		return 444;
 	}
 }
diff --git a/nginx.conf b/nginx.conf
 user www-data;
 worker_processes auto;
 pid /run/nginx.pid;
 worker_rlimit_nofile 2048;

 events {
 	worker_connections 1024;
 }

 http {
 	# Hides nginx/version
 	#server_tokens off;
 	# Send the data as soon as it’s ready to go.
 	tcp_nodelay on;
 	client_body_buffer_size 1m;
 	client_max_body_size 20m;
 	client_header_buffer_size 1k;
 	large_client_header_buffers 4 16k;
 	# Proxy performance
 	open_file_cache max=5000 inactive=20s;
 	open_file_cache_valid 60s;
 	open_file_cache_min_uses 4;
 	open_file_cache_errors on;

 	include /etc/nginx/mime.types;
 	default_type application/octet-stream; # Undefined mime types are downloaded instead of rendered.

 	####
 	# Compress contents in order of preference.
 	# Brotli is preffered over Gzip.
 	# Files that match the mime types are compressed.
 	# 1 is low compression using low CPU.
 	# 9 is high compression using high CPU.
 	# Gzip defaults: Nginx uses 1, Apache uses 6.
 	####
 	#brotli on;
 	#brotli_static on;
 	#brotli_comp_level 7;
 	#brotli_types application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype font/woff font/woff2 image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml;
 	#gzip on;
 	#gzip_vary on;
 	#gzip_min_length 100;
 	#gzip_comp_level 4;
 	#gzip_proxied any;
 	#gzip_types application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml;

 	####
 	# Logging
 	####
 	log_format main [$time_local] ' $status' ' $request_time' ' $remote_user' ' $remote_addr' ' "$request" $body_bytes_sent' ' "$http_referer" "$http_user_agent"';
 	access_log /var/log/nginx/access.log main buffer=32k flush=5m;
 	error_log /var/log/nginx/error.log; # Add 'info' if you need a more detailed breakdown. 'debug' is excessive and requires debug build.

 	####
 	# Set headers to keep contents in client cache.
 	# This reduces server load and speeds up browsing.
 	# You need to connect to this per site (server block).
 	# It's best to avoid caching all of "~applications/" or else various site functions will break.
 	# This one is specific to Jellyfin.
 	####
 	map $sent_http_content_type $jf_content {
 		# Undefined content is off
 		"default" "";
 		# HTML gets unique define
 		"text/html" ", epoch";
 		# Text content, 30 days / 1 month
 		"text/javascript" ", max-age=2592000";
 		"text/css" ", max-age=2592000";
 		# Fonts, 365 days / 12 months
 		"application/vnd.ms-fontobject" ", max-age=31536000";
 		"application/font-woff" ", max-age=31536000";
 		"application/x-font-truetype" ", max-age=31536000";
 		"application/x-font-opentype" ", max-age=31536000";
 		"~font/" "max-age=31536000";
 		# Media, 180 days / 6 months
 		# You don't want to send cache responses for video or audio.
 		"~image/" ", max-age=15552000";
 	}
 	proxy_cache_path /var/cache/nginx/jellyfin levels=1:2 keys_zone=jellyfin:256m max_size=15g inactive=30d use_temp_path=off;

 	include fastcgi.conf;
 	include block.conf; # Drops direct IP access.
 	#include local.conf; # LAN sites for internal use.
 	include sites-available/*; # vhosts for TLDs.
 }
	server {
	listen 80;
	listen [::]:80;
	server_name _;
	return 444;
	access_log /var/log/nginx/block.log main buffer=32k flush=5m;
	}

	server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	# HTTP3 ONLY
	#listen 443 quic;
	#quic_retry on;
	#ssl_early_data on;
	#http3 on;
	#http3_hq off;

	server_name _;
	# A reject causes problems with SSL Labs test. Will cause server to fail TLS 1.3 and fallback on 1.2.
	#ssl_reject_handshake on;
	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305;
	ssl_prefer_server_ciphers on;
	ssl_session_tickets off;
	ssl_session_timeout 10m;
	ssl_ecdh_curve prime256v1;
	ssl_buffer_size 1400;
	ssl_session_cache shared:ipsecure:10m;
	# we use a fake cert so TLS works to send a 444.
	ssl_certificate "/etc/nginx/certs/invalid.pem";
	ssl_certificate_key "/etc/nginx/certs/invalid.key";
	ssl_dhparam "/etc/nginx/dhparam.pem";
	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
	add_header X-Frame-Options "SAMEORIGIN" always;
	add_header X-Content-Type-Options "nosniff" always;
	add_header Referrer-Policy "strict-origin" always;
	# HTTP3 ONLY
	#add_header Alt-Svc 'h3-29=":$server_port"; ma=86400, h3=":$server_port"; ma=86400';
	return 444;
	access_log /var/log/nginx/block.log main buffer=32k flush=5m;
	}
	user www-data;
	worker_processes auto;
	pid /run/nginx.pid;
	worker_rlimit_nofile 2048;

	events {
	worker_connections 1024;
	}

	http {
	# Hides nginx/version
	#server_tokens off;
	# Send the data as soon as it’s ready to go.
	tcp_nodelay on;
	client_body_buffer_size 1m;
	client_max_body_size 20m;
	client_header_buffer_size 1k;
	large_client_header_buffers 4 16k;
	# Proxy performance
	open_file_cache max=5000 inactive=20s;
	open_file_cache_valid 60s;
	open_file_cache_min_uses 4;
	open_file_cache_errors on;

	include /etc/nginx/mime.types;
	default_type application/octet-stream; # Undefined mime types are downloaded instead of rendered.

	####
	# Compress contents in order of preference.
	# Brotli is preffered over Gzip.
	# Files that match the mime types are compressed.
	# 1 is low compression using low CPU.
	# 9 is high compression using high CPU.
	# Gzip defaults: Nginx uses 1, Apache uses 6.
	####
	#brotli on;
	#brotli_static on;
	#brotli_comp_level 7;
	#brotli_types application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype font/woff font/woff2 image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml;
	#gzip on;
	#gzip_vary on;
	#gzip_min_length 100;
	#gzip_comp_level 4;
	#gzip_proxied any;
	#gzip_types application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml;

	####
	# Logging
	####
	log_format main [$time_local] ' $status' ' $request_time' ' $remote_user' ' $remote_addr' ' "$request" $body_bytes_sent' ' "$http_referer" "$http_user_agent"';
	access_log /var/log/nginx/access.log main buffer=32k flush=5m;
	error_log /var/log/nginx/error.log; # Add 'info' if you need a more detailed breakdown. 'debug' is excessive and requires debug build.

	####
	# Set headers to keep contents in client cache.
	# This reduces server load and speeds up browsing.
	# You need to connect to this per site (server block).
	# It's best to avoid caching all of "~applications/" or else various site functions will break.
	# This one is specific to Jellyfin.
	####
	map $sent_http_content_type $jf_content {
	# Undefined content is off
	"default" "";
	# HTML gets unique define
	"text/html" ", epoch";
	# Text content, 30 days / 1 month
	"text/javascript" ", max-age=2592000";
	"text/css" ", max-age=2592000";
	# Fonts, 365 days / 12 months
	"application/vnd.ms-fontobject" ", max-age=31536000";
	"application/font-woff" ", max-age=31536000";
	"application/x-font-truetype" ", max-age=31536000";
	"application/x-font-opentype" ", max-age=31536000";
	"~font/" "max-age=31536000";
	# Media, 180 days / 6 months
	# You don't want to send cache responses for video or audio.
	"~image/" ", max-age=15552000";
	}
	proxy_cache_path /var/cache/nginx/jellyfin levels=1:2 keys_zone=jellyfin:256m max_size=15g inactive=30d use_temp_path=off;

	include fastcgi.conf;
	include block.conf; # Drops direct IP access.
	#include local.conf; # LAN sites for internal use.
	include sites-available/*; # vhosts for TLDs.
	}