From 0fdbccfed3f1a9994bfff91450c4aca506487b31 Mon Sep 17 00:00:00 2001
From: noah <noah@theschricks.com>
Date: Sun, 26 Jun 2022 23:55:50 -0500
Subject: [PATCH] README commentary and conf

---
 jellyfin/README.md                   |  9 +++
 jellyfin/stream.theschricks.com.conf | 97 ++++++++++++++++++++++++++++
 2 files changed, 106 insertions(+)
 create mode 100644 jellyfin/stream.theschricks.com.conf

diff --git a/jellyfin/README.md b/jellyfin/README.md
index a049999..e381c9c 100644
--- a/jellyfin/README.md
+++ b/jellyfin/README.md
@@ -9,3 +9,12 @@
 # Additional Score Commentary:
 
 ## Mozilla Observatory
+Current CSP requires the use of unsafe-inline in style-src.
+
+Current CSP requires the use of unsafe-inline in script-src.
+
+The relevant issue can be found at https://github.com/jellyfin/jellyfin/issues/1885
+
+This scores a -20 in Mozilla Observatory. 
+
+
diff --git a/jellyfin/stream.theschricks.com.conf b/jellyfin/stream.theschricks.com.conf
new file mode 100644
index 0000000..70963ee
--- /dev/null
+++ b/jellyfin/stream.theschricks.com.conf
@@ -0,0 +1,97 @@
+server {
+
+	server_name stream.theschricks.com;
+	
+	location = / {
+        	return 302 http://$host/web/;
+	        #return 302 https://$host/web/;
+    	}
+
+	# Main Jellyfin traffic
+	location / {
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection $connection_upgrade;
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+       	proxy_set_header X-Forwarded-Protocol $scheme;
+		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_pass http://mediasrv:8096;
+		
+	        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
+		proxy_buffering off;
+	}
+
+ 	# location block for /web - This is purely for aesthetics so /web/#!/ works instead of having to go to /web/index.html/#!/
+    	location = /web/ {
+        	# Proxy main Jellyfin traffic
+        	proxy_pass http://mediasrv:8096/web/index.html;
+        	proxy_set_header Host $host;
+	        proxy_set_header X-Real-IP $remote_addr;
+        	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+	        proxy_set_header X-Forwarded-Proto $scheme;
+        	proxy_set_header X-Forwarded-Protocol $scheme;
+	        proxy_set_header X-Forwarded-Host $http_host;
+    	}	
+
+	# Jellyfin Websocket Traffic
+	location /socket {
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection $connection_upgrade;
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+	        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        	proxy_set_header X-Forwarded-Proto $scheme;
+	        proxy_set_header X-Forwarded-Protocol $scheme;
+	        proxy_set_header X-Forwarded-Host $http_host;
+		proxy_pass http://mediasrv:8096;
+	}
+
+    	client_max_body_size 512m;
+
+	add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+	add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
+	add_header X-XSS-Protection "1; mode=block";
+	add_header X-Content-Type-Options nosniff;
+	add_header X-Robots-Tag none;
+	add_header X-Frame-Options "SAMEORIGIN";
+	add_header Referrer-Policy "strict-origin";	
+
+	#CSP. Enforce https, restrict JS/CSS to origin, and whitelist cast_sender.js for Chromecast
+	add_header Content-Security-Policy "default-src https: data: blob:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
+	
+    	listen [::]:443 ssl; # managed by Certbot
+    	listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/stream.theschricks.com/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/stream.theschricks.com/privkey.pem; # managed by Certbot
+    	include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+    	# OCSP stapling
+    	ssl_stapling on;
+    	ssl_stapling_verify on;
+
+}
+
+#HTTP
+server {
+    if ($host = stream.theschricks.com) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+
+	listen 80;
+	listen [::]:80;
+	server_name stream.theschricks.com www.stream.theschricks.com;
+	return 301 https://$host$request_uri;
+
+
+}
+
+#Redirect www
+server {
+	listen 443 ssl;
+	listen [::]:443 ssl;
+	server_name www.stream.theschricks.com;
+	return 301 https://$host$request_uri;
+}