hpcdisrespecter · March 31, 2025 21:08
diff --git a/jellyfin.cfg b/jellyfin.cfg
 server { 
 	server_name YOUR_SERVER_LOCATION;
 	listen 443 ssl http;
 	#listen [::]:443 ssl http;
 	client_max_body_size 20M;	
 	resolver 127.0.0.1 valid=30;
    ssl_certificate /etc/letsencrypt/live/YOUR_VALUE_HERE/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/YOUR_VALUE_HERE/privkey.pem; # managed by Certbot
 	include /etc/letsencrypt/options-ssl-nginx.conf; 
 	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

 	add_header Strict-Transport-Security "max-age=31536000" always;
 	ssl_trusted_certificate /etc/letsencrypt/live/YOUR_VALUE_HERE/chain.pem;
 	ssl_stapling on;
 	ssl_stapling_verify on;

 	# Security/XSS mitigation 
 	add_header X-Frame-Options "SAMEORIGIN";
 	add_header X-XSS-Protection "1; mode=block";
 	add_header X-Content-Type-Options "nosniff";

 	location = / {
 		return 302 https://$host/web/;
 	}

 	location / { 
 		proxy_pass http://localhost:8096;
 		proxy_set_header Host $host; 
 		proxy_set_header X-Real-IP $remote_addr;
 		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 		proxy_set_header X-Forwarded-Proto $scheme;
 		proxy_set_header X-Forwarded-Protocol $scheme;
 		proxy_set_header X-Forwarded-Host $http_host;
 		proxy_buffering off;
 		add_header Last-Modified $date_gmt;
 		add_header Cache-Control 'no-store, no-cache';
 		if_modified_since off;
 		expires off;
 		etag off;
 	}

 	location = /web/ {
 		# Proxy main Jellyfin traffic
 		proxy_pass http://localhost:8096/web/index.html;
 		proxy_set_header Host $host;
 		proxy_set_header X-Real-IP $remote_addr;
 		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 		proxy_set_header X-Forwarded-Proto $scheme;
 		proxy_set_header X-Forwarded-Protocol $scheme;
 		proxy_set_header X-Forwarded-Host $http_host;
 		add_header Last-Modified $date_gmt;
 		add_header Cache-Control 'no-store, no-cache';
 		if_modified_since off;
 		expires off;
 		etag off;
 	}

  location /socket {
 		# Proxy Jellyfin Websockets traffic
 		proxy_pass http://localhost:8096;
 		proxy_http_version 1.1;
 		proxy_set_header Upgrade $http_upgrade;
 		proxy_set_header Connection "upgrade";
 		proxy_set_header Host $host;
 		proxy_set_header X-Real-IP $remote_addr;
 		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 		proxy_set_header X-Forwarded-Proto $scheme;
 		proxy_set_header X-Forwarded-Protocol $scheme;
 		proxy_set_header X-Forwarded-Host $http_host;
 		add_header Last-Modified $date_gmt;
 		add_header Cache-Control 'no-store, no-cache';
 		if_modified_since off;
 		expires off;
 		etag off;
  }

 }

 server {
 	server_name YOUR_SERVER_LOCATION;
 	if ($host = YOUR_SERVER_LOCATION) {
        	return 301 https://$host$request_uri;
    	} # managed by Certbot
    	listen 80;
 	return 404;
 }
	server {
	server_name YOUR_SERVER_LOCATION;
	listen 443 ssl http;
	#listen [::]:443 ssl http;
	client_max_body_size 20M;
	resolver 127.0.0.1 valid=30;
	ssl_certificate /etc/letsencrypt/live/YOUR_VALUE_HERE/fullchain.pem; # managed by Certbot
	ssl_certificate_key /etc/letsencrypt/live/YOUR_VALUE_HERE/privkey.pem; # managed by Certbot
	include /etc/letsencrypt/options-ssl-nginx.conf;
	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

	add_header Strict-Transport-Security "max-age=31536000" always;
	ssl_trusted_certificate /etc/letsencrypt/live/YOUR_VALUE_HERE/chain.pem;
	ssl_stapling on;
	ssl_stapling_verify on;

	# Security/XSS mitigation
	add_header X-Frame-Options "SAMEORIGIN";
	add_header X-XSS-Protection "1; mode=block";
	add_header X-Content-Type-Options "nosniff";

	location = / {
	return 302 https://$host/web/;
	}

	location / {
	proxy_pass http://localhost:8096;
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_set_header X-Forwarded-Protocol $scheme;
	proxy_set_header X-Forwarded-Host $http_host;
	proxy_buffering off;
	add_header Last-Modified $date_gmt;
	add_header Cache-Control 'no-store, no-cache';
	if_modified_since off;
	expires off;
	etag off;
	}

	location = /web/ {
	# Proxy main Jellyfin traffic
	proxy_pass http://localhost:8096/web/index.html;
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_set_header X-Forwarded-Protocol $scheme;
	proxy_set_header X-Forwarded-Host $http_host;
	add_header Last-Modified $date_gmt;
	add_header Cache-Control 'no-store, no-cache';
	if_modified_since off;
	expires off;
	etag off;
	}

	location /socket {
	# Proxy Jellyfin Websockets traffic
	proxy_pass http://localhost:8096;
	proxy_http_version 1.1;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection "upgrade";
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_set_header X-Forwarded-Protocol $scheme;
	proxy_set_header X-Forwarded-Host $http_host;
	add_header Last-Modified $date_gmt;
	add_header Cache-Control 'no-store, no-cache';
	if_modified_since off;
	expires off;
	etag off;
	}

	}

	server {
	server_name YOUR_SERVER_LOCATION;
	if ($host = YOUR_SERVER_LOCATION) {
	return 301 https://$host$request_uri;
	} # managed by Certbot
	listen 80;
	return 404;
	}