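# Reverse proxy in front of a Jellyfin instance on 127.0.0.1:8096, TLS 1.3 only.
# Defined outside this block and required by it: the `main` log format, the
# `jellyfin` proxy cache zone (proxy_cache_path) and the $jf_content variable.
server {
    listen 80;
    listen [::]:80;
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;

    # HTTP3 ONLY
    #listen 443 quic reuseport;
    #listen [::]:443 quic reuseport;
    #quic_retry on;
    #quic_gso on;
    # 0-RTT early data is replayable. If this is ever enabled, forward
    # "Early-Data: $ssl_early_data" to the backend so it can refuse replayed
    # non-idempotent requests (confirm the backend honours that header).
    #ssl_early_data on;
    #http3 on;
    #http3_hq off;
    #http3_max_concurrent_streams 128;
    #http3_stream_buffer_size 64k;

    server_name jf.example.me;

    # Backend address; used as a variable in every proxy_pass below.
    set $jellyfin 127.0.0.1;

    keepalive_timeout 60;

    ssl_conf_command Options KTLS; # Use kernel processing to make TLS faster.
    ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256; # Tell OpenSSL what ciphers we are going to use. TLS1.3 only.
    ssl_protocols TLSv1.3; # Modern only.
    ssl_prefer_server_ciphers on; # Server will use the best cipher from OpenSSL
    # Tickets off: resumption relies on the server-side session cache only, so
    # no ticket key has to be rotated to keep forward secrecy.
    ssl_session_tickets off;
    ssl_session_timeout 24h;
    ssl_ecdh_curve secp256r1;
    ssl_buffer_size 4k;
    # OCSP stapling needs the resolver below and the chain in
    # ssl_trusted_certificate. NOTE(review): it only works if the certificate
    # carries an OCSP responder URL; check the nginx error log for a stapling
    # warning after each CA or certificate change.
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 1.0.0.1 valid=300s;
    ssl_session_cache shared:dotmesecure:10m;
    ssl_ocsp_cache shared:dotmestaple:10m;
    ssl_certificate "/etc/letsencrypt/live/example.me/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/example.me/privkey.pem";
    ssl_trusted_certificate "/etc/letsencrypt/live/example.me/chain.pem";

    # Response headers. nginx inherits add_header into a location ONLY when that
    # location declares no add_header of its own, so any location that adds a
    # header must repeat the security headers (see the image-cache location).
    # `always` is set on every security header so that error responses carry
    # them too.
    #
    # script-src and style-src allow 'unsafe-inline', which removes most of the
    # CSP's protection against injected inline script; presumably the web client
    # needs it. Tighten it if the client ever supports nonces or hashes.
    add_header Content-Security-Policy "base-uri 'none'; connect-src 'self'; default-src 'none'; font-src 'self' data:; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; img-src 'self' blob: data: https:; manifest-src 'self'; media-src 'self' blob:; object-src 'none'; script-src 'self' 'unsafe-inline' blob:; script-src-elem 'self' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/ blob:; style-src 'self' 'unsafe-inline'; worker-src 'self' blob:;" always;

    # includeSubDomains + preload commit every subdomain of the registered
    # domain to HTTPS; browsers ignore this header on plain-HTTP responses.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;
    add_header Referrer-Policy strict-origin-when-cross-origin always;
    #add_header Alt-Svc 'h3=":$server_port"; ma=86400';
    # Diagnostic header: exposes the negotiated HTTP version to every client.
    add_header X-protocol $server_protocol always;

    add_header Cache-Control "private$jf_content";

    access_log /var/log/nginx/jellyfin.log main buffer=32k flush=5m;

    # Method allow-list: anything other than these four is rejected.
    if ($request_method !~ ^(GET|HEAD|POST|DELETE)$ ) {
        return 405;
    }

    # This block also listens on port 80. Without this redirect every location
    # below would proxy logins and API tokens to Jellyfin over cleartext HTTP,
    # and the HSTS header above would never take effect for a client that
    # starts on http://. The HSTS preload requirements also expect port 80 to
    # redirect to HTTPS on the same host.
    if ($scheme = http) {
        return 301 https://$host$request_uri;
    }

    sendfile on;
    tcp_nopush on;

    location = / {
        return 301 https://$host/web/;
    }

    location / {
        proxy_pass http://$jellyfin:8096;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the
        # client sent; the backend should trust only the entry added by this
        # proxy (or X-Real-IP), never the client-supplied prefix.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_redirect http:// https://;
        proxy_buffering on;
        proxy_buffers 16 4k;
        proxy_buffer_size 4k;
        proxy_busy_buffers_size 8k;
        proxy_temp_file_write_size 8k;
        proxy_max_temp_file_size 16k;
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
        #proxy_ssl_certificate /etc/nginx/jellyfin/cert.pem;
        #proxy_ssl_certificate_key /etc/nginx/jellyfin/priv.key;
        #proxy_ssl_protocols TLSv1.2 TLSv1.3;
        #proxy_ssl_session_reuse on;
    }

    location = /web/ {
        proxy_pass http://$jellyfin:8096/web/index.html;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }

    # WebSocket endpoint: HTTP/1.1 plus the Upgrade/Connection pair is what
    # lets nginx pass the protocol switch through to the backend.
    location /socket {
        proxy_pass http://$jellyfin:8096;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }

    # Image responses are served from the `jellyfin` cache zone.
    # NOTE(review): a cache hit is answered by nginx without contacting the
    # backend, so any per-user access check the backend applies to these URLs
    # is skipped on a hit - confirm image URLs are meant to be public.
    location ~ /Items/(.*)/Images {
        proxy_pass http://$jellyfin:8096;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_cache jellyfin;
        proxy_cache_revalidate on;
        proxy_cache_lock on;
        add_header X-Cache-Status $upstream_cache_status; # This is only to check if cache is working

        # The add_header above stops this location from inheriting any
        # server-level add_header, so the security headers are repeated here.
        # Keep them identical to the server-level copies. The server-level
        # Cache-Control and X-protocol headers are likewise not inherited and
        # are left out, which matches what this location sent before.
        add_header Content-Security-Policy "base-uri 'none'; connect-src 'self'; default-src 'none'; font-src 'self' data:; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; img-src 'self' blob: data: https:; manifest-src 'self'; media-src 'self' blob:; object-src 'none'; script-src 'self' 'unsafe-inline' blob:; script-src-elem 'self' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/ blob:; style-src 'self' 'unsafe-inline'; worker-src 'self' blob:;" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        add_header X-Frame-Options SAMEORIGIN always;
        add_header X-Content-Type-Options nosniff always;
        add_header Referrer-Policy strict-origin-when-cross-origin always;
    }

    # Script-extension probes: 444 closes the connection without a response.
    # Regex locations are tried in file order, so the image-cache location
    # above wins for any URI that matches both.
    location ~\.(pl|cgi|py|sh|lua|asp|php)$ {
        return 444;
    }

    # Any path segment starting with a dot is dropped. This also covers
    # /.well-known/, so ACME http-01 validation cannot be answered from this
    # server block.
    location ~ /\. {
        return 444;
    }
}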
Hello friend, could you reupload your document? The host went down. I read it while I was at work and it looked very complete.