Jellyfin NginX configuration
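# HTTPS virtual host: terminates TLS for stream.example.com and reverse-proxies
# every request to the Jellyfin backend at http://localhost:8096.
#
# NOTE(review): nginx sends a request to the default server of a listen socket
# when no server_name matches. If this block is the only (or first) server on
# 443, requests carrying any Host value land here, and $host / $http_host below
# pass that client-chosen value on to Jellyfin. Confirm a catch-all default
# server exists for 443.
server {
    server_name stream.example.com;

    # Lines tagged "managed by Certbot" are rewritten by Certbot; keep the tags.
    listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/stream.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/stream.example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    ###### Jellyfin - Reverse Proxy Recommended Config Start (https://jellyfin.org/docs/general/networking/nginx.html) ######

    # HSTS for one year. No includeSubDomains/preload, so only this host is pinned.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # OCSP stapling, verified against the issuer chain.
    # NOTE(review): stapling needs a `resolver` in scope to look up the OCSP
    # responder; none is visible in this file - confirm it is set in the http block.
    ssl_trusted_certificate /etc/letsencrypt/live/stream.example.com/chain.pem;
    ssl_stapling on;
    ssl_stapling_verify on;

    ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
    client_max_body_size 20M;

    # Security / XSS Mitigation Headers
    #
    # `always` is set on every header below (as on HSTS above): without it nginx
    # only adds the header to 2xx/3xx responses, so nginx-generated error pages
    # (for example 502 while Jellyfin is down, or 413) would go out without them.
    #
    # CAUTION: add_header is inherited by a location only while that location
    # declares no add_header of its own. Adding a single add_header inside any
    # location below silently drops this whole set for that location.
    #
    # NOTE: X-Frame-Options may cause issues with the webOS app
    add_header X-Frame-Options "SAMEORIGIN" always;
    # Legacy header: current browsers no longer ship the XSS auditor it controls,
    # so the CSP below is the effective control. Kept as published; OWASP guidance
    # is to send "0" or omit it.
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;

    # Content Security Policy
    # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
    # Restricts JS/CSS to origin and, apart from the exception noted below,
    # limits other content to https:, data: and blob: sources.
    # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
    # NOTE: The default CSP headers may cause issues with the webOS app
    #
    # Review notes on the policy as written:
    #  - script-src carries 'unsafe-inline', so this policy does not stop injected
    #    inline script; it only limits where external scripts load from.
    #  - default-src lists http://image.tmdb.org, a cleartext source on an
    #    otherwise HTTPS-only policy.
    #  - the cast_sender.js entries pin versions 95-97; presumably they need
    #    updating when the Cast sender version changes - verify.
    add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'" always;

    ###### Jellyfin - Reverse Proxy Recommended Config End ######

    access_log /var/log/nginx/stream.example.com.access.log;
    error_log /var/log/nginx/stream.example.com.error.log;

    # Everything not matched by a more specific location goes to Jellyfin.
    # The hop to the backend is cleartext HTTP over loopback.
    # NOTE(review): the headers above exist only on this proxy; confirm port 8096
    # is not reachable from outside the host, or clients can bypass them.
    location / {
        proxy_pass http://localhost:8096;
        proxy_set_header Host $host;
        # X-Real-IP is the address nginx saw on the connection.
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to whatever
        # X-Forwarded-For the client sent, so only the last entry is set by this
        # proxy. Assumes Jellyfin trusts forwarded headers from this proxy only
        # - TODO confirm its known-proxies setting.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        ###### Jellyfin - Reverse Proxy Recommended Config Start (https://jellyfin.org/docs/general/networking/nginx.html) ######
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        # $http_host is the raw Host request header as sent by the client.
        proxy_set_header X-Forwarded-Host $http_host;

        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
        proxy_buffering off;
        ###### Jellyfin - Reverse Proxy Recommended Config End ######
    }

    ###### Jellyfin - Reverse Proxy Recommended Config Start (https://jellyfin.org/docs/general/networking/nginx.html) ######

    # location block for /web - This is purely for aesthetics so /web/#!/ works instead of having to go to /web/index.html/#!/
    # Exact match: only the URI "/web/" is handled here.
    location = /web/ {
        # Proxy main Jellyfin traffic
        proxy_pass http://localhost:8096/web/index.html;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }

    location /socket {
        # Proxy Jellyfin Websockets traffic
        proxy_pass http://localhost:8096;
        # The WebSocket handshake needs HTTP/1.1 plus the Upgrade/Connection
        # headers, which nginx does not forward to the backend by default.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }

    ###### Jellyfin - Reverse Proxy Recommended Config End ######
}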
# Plain-HTTP virtual host on port 80. It serves no content itself: requests for
# stream.example.com are redirected to HTTPS, everything else gets a 404.
server {
    listen 80;
    server_name stream.example.com;

    # Permanent redirect to the same host and URI over HTTPS.
    # The "managed by Certbot" tags mark lines Certbot maintains; keep them.
    if ($host = stream.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    # Reached only when $host is not stream.example.com.
    return 404; # managed by Certbot
}