server { server_name stream.theschricks.com; location = / { return 302 http://$host/web/; #return 302 https://$host/web/; } # Main Jellyfin traffic location / { proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Protocol $scheme; proxy_set_header X-Forwarded-For $remote_addr; proxy_pass http://mediasrv:8096; # Disable buffering when the nginx proxy gets very resource heavy upon streaming proxy_buffering off; } # location block for /web - This is purely for aesthetics so /web/#!/ works instead of having to go to /web/index.html/#!/ location = /web/ { # Proxy main Jellyfin traffic proxy_pass http://mediasrv:8096/web/index.html; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Protocol $scheme; proxy_set_header X-Forwarded-Host $http_host; } # Jellyfin Websocket Traffic location /socket { proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Protocol $scheme; proxy_set_header X-Forwarded-Host $http_host; proxy_pass http://mediasrv:8096; } client_max_body_size 512m; add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()"; add_header X-XSS-Protection "1; mode=block"; add_header X-Content-Type-Options nosniff; add_header X-Robots-Tag none; add_header X-Frame-Options "SAMEORIGIN"; add_header Referrer-Policy "strict-origin"; #CSP. Enforce https, restrict JS/CSS to origin, and whitelist cast_sender.js for Chromecast add_header Content-Security-Policy "default-src https: data: blob:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'"; listen [::]:443 ssl; # managed by Certbot listen 443 ssl; # managed by Certbot ssl_certificate /etc/letsencrypt/live/stream.theschricks.com/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/stream.theschricks.com/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot # OCSP stapling ssl_stapling on; ssl_stapling_verify on; } #HTTP server { if ($host = stream.theschricks.com) { return 301 https://$host$request_uri; } # managed by Certbot listen 80; listen [::]:80; server_name stream.theschricks.com www.stream.theschricks.com; return 301 https://$host$request_uri; } #Redirect www server { listen 443 ssl; listen [::]:443 ssl; server_name www.stream.theschricks.com; return 301 https://$host$request_uri; }