dw5 · June 9, 2022 12:29
diff --git a/nginx-jellyfin-certbot.conf b/nginx-jellyfin-certbot.conf
 # NGiNX reverse proxy configuration for Jellyfin
 #
 # Use this configuration on NGiNX running on the same server as your Jellyfin instance. Replace the values as needed.
 # LetsEncrypt is enabled and configured using `certbot`: install it via apt on Debian (`sudo apt install certbot`) or
 # your package manager of choice. To start, make only the first section (port 80) active, then once that configuration
 # is active, run Certbot for the first time to request your cert. Then, add the second section (port 443) and reload.
 # With this config left in place, Certbot's automatic renewal will work and automatically replace the cert and
 # reload NGiNX as needed, without interrupting your Jellyfin instance.
 #
 # Certbot request command:
 # $ sudo certbot certonly --standalone --preferred-challenges http-01 --http-01-port 63443 \
 #     --noninteractive --agree-tos \
 #     --email [email protected] \
 #     --cert-name <your_domain_name> \
 #     -d <your_domain_name>[,www.<your_domain_name>,jellyfin.<your_domain_name>,etc.]
 #
 # Certbot renewal cron job (daily at midnight):
 # $ echo "0 0 * * *  root  certbot renew --quiet --no-self-upgrade --post-hook 'systemctl reload nginx'" \
 #     | sudo tee -a /etc/cron.d/renew_certbot

 # HTTP listener; pass through Certbot and redirect to HTTPS
 server {
    listen 80 default_server;
    listen [::]:80 default_server;
        
    # Update to your desired hostname, or leave as default to capture all virtual hosts
    server_name _;

    # LetsEncrypt validation URLS
    location /.well-known/acme-challenge/ {
        # Certbot will listen on port 63443
        proxy_pass http://127.0.0.1:63443;
    }

    # Redirection to HTTPS
    location / {
        # Use a 301 permanent code so browsers remember this
        return 301 https://$host$request_uri;
    }
 }
 server {
    listen 443 ssl;
    listen [::]:443 ssl;
        
    # Update to your desired hostname, or leave as default to capture all virtual hosts
    server_name _;

    # SSL configuration
    # dhparams.pem should be generated with `openssl dhparam -out /etc/ssl/dhparams.pem 2048`; don't use your OS default!
    ssl_dhparam /etc/ssl/dhparams.pem;
    # Paths to the Certbot folder; replace <your_domain_name> with the LetsEncrypt cert name
    ssl_certificate /etc/letsencrypt/live/<your_domain_name>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<your_domain_name>/privkey.pem;
    # SSL tuning options; good defaults for modern browsers
    ssl_session_cache shared:le_nginx_SSL:1m;
    ssl_session_timeout 1440m;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ALL;
    # Remove TLSv1.3 for nginx < 1.13; enable TLSv1.0 if your browser complains
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    # Optional HSTS compliance with a 1-year age; force browsers to remember HTTPS status
    add_header Strict-Transport-Security "max-age=31536000" always;
        
    # Pass through everything to Jellyfin
    location / {
        proxy_pass http://jellyfin;
    }
 }
 upstream jellyfin {
    server localhost:8096;
 }
	# NGiNX reverse proxy configuration for Jellyfin
	#
	# Use this configuration on NGiNX running on the same server as your Jellyfin instance. Replace the values as needed.
	# LetsEncrypt is enabled and configured using `certbot`: install it via apt on Debian (`sudo apt install certbot`) or
	# your package manager of choice. To start, make only the first section (port 80) active, then once that configuration
	# is active, run Certbot for the first time to request your cert. Then, add the second section (port 443) and reload.
	# With this config left in place, Certbot's automatic renewal will work and automatically replace the cert and
	# reload NGiNX as needed, without interrupting your Jellyfin instance.
	#
	# Certbot request command:
	# $ sudo certbot certonly --standalone --preferred-challenges http-01 --http-01-port 63443 \
	# --noninteractive --agree-tos \
	# --email [email protected] \
	# --cert-name <your_domain_name> \
	# -d <your_domain_name>[,www.<your_domain_name>,jellyfin.<your_domain_name>,etc.]
	#
	# Certbot renewal cron job (daily at midnight):
	# $ echo "0 0 * * * root certbot renew --quiet --no-self-upgrade --post-hook 'systemctl reload nginx'" \
	# \| sudo tee -a /etc/cron.d/renew_certbot

	# HTTP listener; pass through Certbot and redirect to HTTPS
	server {
	listen 80 default_server;
	listen [::]:80 default_server;

	# Update to your desired hostname, or leave as default to capture all virtual hosts
	server_name _;

	# LetsEncrypt validation URLS
	location /.well-known/acme-challenge/ {
	# Certbot will listen on port 63443
	proxy_pass http://127.0.0.1:63443;
	}

	# Redirection to HTTPS
	location / {
	# Use a 301 permanent code so browsers remember this
	return 301 https://$host$request_uri;
	}
	}
	server {
	listen 443 ssl;
	listen [::]:443 ssl;

	# Update to your desired hostname, or leave as default to capture all virtual hosts
	server_name _;

	# SSL configuration
	# dhparams.pem should be generated with `openssl dhparam -out /etc/ssl/dhparams.pem 2048`; don't use your OS default!
	ssl_dhparam /etc/ssl/dhparams.pem;
	# Paths to the Certbot folder; replace <your_domain_name> with the LetsEncrypt cert name
	ssl_certificate /etc/letsencrypt/live/<your_domain_name>/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/<your_domain_name>/privkey.pem;
	# SSL tuning options; good defaults for modern browsers
	ssl_session_cache shared:le_nginx_SSL:1m;
	ssl_session_timeout 1440m;
	ssl_prefer_server_ciphers on;
	ssl_ciphers ALL;
	# Remove TLSv1.3 for nginx < 1.13; enable TLSv1.0 if your browser complains
	ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
	# Optional HSTS compliance with a 1-year age; force browsers to remember HTTPS status
	add_header Strict-Transport-Security "max-age=31536000" always;

	# Pass through everything to Jellyfin
	location / {
	proxy_pass http://jellyfin;
	}
	}
	upstream jellyfin {
	server localhost:8096;
	}