jellyfin nginx config
# Custom config for Jellyfin; needed to fix WebSockets.
# Port-80 listener: serves no content and answers every request with a
# permanent redirect to the same host and URI over HTTPS.
server {
    listen 80;
    listen [::]:80;

    # jellyfin42.example.com is redirected like the other names, but no
    # port-443 server block on this page lists it, so that request will be
    # answered by whichever server is the default for port 443.
    server_name jellyfin.b-srv0 jellyfin.b-srv0.intern.example.com jellyfin42.example.com jellyfin.example.com;

    # A man is not dead while his name is still spoken.
    add_header X-Clacks-Overhead "GNU Terry Pratchett";

    # The redirect is active. $host can come from the client's Host header,
    # so if this block also acts as the default server for port 80 the
    # redirect target follows whatever name the client sent.
    return 301 https://$host$request_uri;
}
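# HTTPS virtual host for the internal names, served with the npm-4 certificate.
server {
    listen 443 ssl http2;
    # The IPv6 socket needs "ssl" as well: a bare "listen [::]:443;" makes
    # nginx speak plain HTTP on port 443 to IPv6 clients unless some other
    # server block declares ssl for that same address:port.
    listen [::]:443 ssl http2;

    server_name jellyfin.b-srv0 jellyfin.b-srv0.intern.example.com;

    ssl_certificate     /data/custom_ssl/npm-4/fullchain.pem;
    ssl_certificate_key /data/custom_ssl/npm-4/privkey.pem;

    # Shared settings; presumably the headers and proxy locations shown in
    # the second file on this page.
    include /data/nginx/custom/jellyfin_include.conf;
}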
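# HTTPS virtual host for jellyfin.example.com, served with the npm-20 certificate.
server {
    listen 443 ssl http2;
    # The IPv6 socket needs "ssl" as well: a bare "listen [::]:443;" makes
    # nginx speak plain HTTP on port 443 to IPv6 clients unless some other
    # server block declares ssl for that same address:port.
    listen [::]:443 ssl http2;

    server_name jellyfin.example.com;

    # Disabled by the author; it points at the npm-4 certificate that the
    # internal-name server block uses.
    #ssl_certificate /data/custom_ssl/npm-4/fullchain.pem;
    ssl_certificate     /data/custom_ssl/npm-20/fullchain.pem;
    ssl_certificate_key /data/custom_ssl/npm-20/privkey.pem;

    # Shared settings; presumably the headers and proxy locations shown in
    # the second file on this page.
    include /data/nginx/custom/jellyfin_include.conf;
}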
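# Settings shared by the HTTPS server blocks. The file name is not shown on
# the page; presumably this is /data/nginx/custom/jellyfin_include.conf.
#
# nginx passes add_header down from this level only into blocks that define
# no add_header of their own, so adding one inside a location later would
# drop every header below for that location.

# Uncomment to redirect HTTP to HTTPS
# NOTE(review): if this file is the one included from the port-443 server
# blocks, enabling this line would redirect HTTPS requests to themselves.
# return 301 https://$host$request_uri;

# Security / XSS Mitigation Headers
# "always" attaches them to error responses (4xx/5xx) too, which add_header
# skips by default.
add_header X-Frame-Options "SAMEORIGIN" always;
# NOTE(review): current browsers ignore X-XSS-Protection, and OWASP's header
# guidance is to send "0" or drop it; the author's value is kept here.
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
# NOTE(review): no Strict-Transport-Security header is set in the lines
# shown; confirm whether it is added elsewhere.

# A man is not dead while his name is still spoken.
add_header X-Clacks-Overhead "GNU Terry Pratchett";

# Content Security Policy
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin.
# External Javascript (such as cast_sender.js for Chromecast or YouTube embed
# JS for external trailers) must be whitelisted.
# NOTE(review): 'unsafe-inline' in script-src means this policy does not
# block injected inline scripts; it mainly limits where scripts load from.
add_header Content-Security-Policy "default-src https: data: blob:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.youtube.com/iframe_api https://s.ytimg.com; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'" always;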
# Main Jellyfin traffic: everything not matched by a more specific location
# is handed to the backend.
location / {
    # The hop to the backend is plain HTTP on port 8096, so the network
    # between this proxy and jellyfin.b.intern.example.com carries the
    # traffic unencrypted.
    proxy_pass http://jellyfin.b.intern.example.com:8096/;

    # Disable buffering when the nginx proxy gets very resource heavy upon streaming
    proxy_buffering off;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # $proxy_add_x_forwarded_for appends to any X-Forwarded-For the client
    # sent, so only the last entry is set by this proxy; the backend should
    # accept these headers only from this proxy's address.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Protocol $scheme;
    # $http_host is the Host header exactly as the client sent it.
    proxy_set_header X-Forwarded-Host $http_host;
}
# Jellyfin WebSocket traffic: same backend as "/", plus the HTTP/1.1 upgrade
# handshake headers.
location /socket {
    # As for "/", the hop to the backend is plain HTTP on port 8096.
    proxy_pass http://jellyfin.b.intern.example.com:8096/socket;

    # Forward the client's Upgrade header and ask the backend to switch
    # protocols; this needs HTTP/1.1 towards the upstream.
    proxy_http_version 1.1;
    proxy_set_header Connection "upgrade";
    proxy_set_header Upgrade $http_upgrade;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # Appends to any client-supplied X-Forwarded-For; only the last entry is
    # set by this proxy.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Protocol $scheme;
    # $http_host is the Host header exactly as the client sent it.
    proxy_set_header X-Forwarded-Host $http_host;
}