jellyfin nginx config

http.conf

#custom config for jellyfin. needed to fix websockets.
server {
    listen 80;
    listen [::]:80;
    server_name jellyfin.b-srv0 jellyfin.b-srv0.intern.example.com jellyfin42.example.com jellyfin.example.com;

    # Uncomment to redirect HTTP to HTTPS
    return 301 https://$host$request_uri;
    #A man is not dead while his name is still spoken.
    add_header  X-Clacks-Overhead "GNU Terry Pratchett";
}

server {
    listen 443 ssl http2;
    listen [::]:443;
    server_name jellyfin.b-srv0 jellyfin.b-srv0.intern.example.com;

    ssl_certificate /data/custom_ssl/npm-4/fullchain.pem;
    ssl_certificate_key /data/custom_ssl/npm-4/privkey.pem;
    include    /data/nginx/custom/jellyfin_include.conf;

}

server {
    listen 443 ssl http2;
    listen [::]:443;
    server_name jellyfin.example.com;

    #ssl_certificate /data/custom_ssl/npm-4/fullchain.pem;
    ssl_certificate_key /data/custom_ssl/npm-20/privkey.pem;
    ssl_certificate /data/custom_ssl/npm-20/fullchain.pem;
    include    /data/nginx/custom/jellyfin_include.conf;
}

jellyfin_include.conf

# Uncomment to redirect HTTP to HTTPS
    # return 301 https://$host$request_uri;
# Security / XSS Mitigation Headers
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    #A man is not dead while his name is still spoken.
    add_header  X-Clacks-Overhead "GNU Terry Pratchett";

    # Content Security Policy
    # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP                                                                                            #    # Enforces https content and restricts JS/CSS to origin
                                 #    # External Javascript (such as cast_sender.js for Chromecast or YouTube embed JS for external trailers) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.youtube.com/iframe_api https://s.ytimg.com; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
    location / {
        # Proxy main Jellyfin traffic
        proxy_pass http://jellyfin.b.intern.example.com:8096/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;

        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
        proxy_buffering off;
    }
    location /socket {
        # Proxy Jellyfin Websockets traffic
        proxy_pass http://jellyfin.b.intern.example.com:8096/socket;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }