douglasparker · January 8, 2022 17:37
diff --git a/overseerr.example.com.conf b/overseerr.example.com.conf
 server {
    listen 80;
    server_name overseerr.example.com;
    return 301 https://$server_name$request_uri;
 }

 server {
    listen 443 ssl http2;
    server_name overseerr.example.com;

    ssl_certificate /etc/letsencrypt/live/overseerr.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/overseerr.example.com/privkey.pem;

    proxy_set_header Referer $http_referer;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Real-Port $remote_port;
    proxy_set_header X-Forwarded-Host $host:$remote_port;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-Port $remote_port;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Ssl on;
    real_ip_header CF-Connecting-IP;
    # Control the behavior of the Referer header (Referrer-Policy)
    add_header Referrer-Policy "no-referrer";
    # HTTP Strict Transport Security
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    # Reduce XSS risks (Content-Security-Policy)
    add_header Content-Security-Policy "default-src 'self'; connect-src 'self' https://plex.tv; style-src 'self' 'unsafe-inline' https://rsms.me/inter/inter.css; script-src 'self' 'unsafe-inline'; img-src 'self' data: https://plex.tv https://assets.plex.tv https://secure.gravatar.com https://i2.wp.com https://image.tmdb.org; font-src 'self' https://rsms.me/inter/font-files/" always;
    # Prevent some categories of XSS attacks (X-XSS-Protection)
    add_header X-XSS-Protection "1; mode=block" always;
    # Provide clickjacking protection (X-Frame-Options)
    add_header X-Frame-Options "SAMEORIGIN" always;
    # Prevent Sniff Mimetype (X-Content-Type-Options)
    add_header X-Content-Type-Options "nosniff" always;

    access_log /var/log/nginx/overseerr.example.com-access.log;
    error_log /var/log/nginx/overseerr.example.com-error.log;

    location / {
        proxy_pass http://127.0.0.1:5055;
    }
 }
	server {
	listen 80;
	server_name overseerr.example.com;
	return 301 https://$server_name$request_uri;
	}

	server {
	listen 443 ssl http2;
	server_name overseerr.example.com;

	ssl_certificate /etc/letsencrypt/live/overseerr.example.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/overseerr.example.com/privkey.pem;

	proxy_set_header Referer $http_referer;
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Real-Port $remote_port;
	proxy_set_header X-Forwarded-Host $host:$remote_port;
	proxy_set_header X-Forwarded-Server $host;
	proxy_set_header X-Forwarded-Port $remote_port;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_set_header X-Forwarded-Ssl on;
	real_ip_header CF-Connecting-IP;
	# Control the behavior of the Referer header (Referrer-Policy)
	add_header Referrer-Policy "no-referrer";
	# HTTP Strict Transport Security
	add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
	# Reduce XSS risks (Content-Security-Policy)
	add_header Content-Security-Policy "default-src 'self'; connect-src 'self' https://plex.tv; style-src 'self' 'unsafe-inline' https://rsms.me/inter/inter.css; script-src 'self' 'unsafe-inline'; img-src 'self' data: https://plex.tv https://assets.plex.tv https://secure.gravatar.com https://i2.wp.com https://image.tmdb.org; font-src 'self' https://rsms.me/inter/font-files/" always;
	# Prevent some categories of XSS attacks (X-XSS-Protection)
	add_header X-XSS-Protection "1; mode=block" always;
	# Provide clickjacking protection (X-Frame-Options)
	add_header X-Frame-Options "SAMEORIGIN" always;
	# Prevent Sniff Mimetype (X-Content-Type-Options)
	add_header X-Content-Type-Options "nosniff" always;

	access_log /var/log/nginx/overseerr.example.com-access.log;
	error_log /var/log/nginx/overseerr.example.com-error.log;

	location / {
	proxy_pass http://127.0.0.1:5055;
	}
	}