239 lines
10 KiB
Django/Jinja
239 lines
10 KiB
Django/Jinja
## https://jellyfin.org/docs/general/networking/nginx.html
|
|
|
|
{# proxy_cache_path {{ jellyfin_root }}/nginx-cache levels=1:2 keys_zone=cWEB:50m inactive=90d max_size=35000m;
|
|
# map $request_uri $h264Level { ~(h264-level=)(.+?)& $2; }
|
|
# map $request_uri $h264Profile { ~(h264-profile=)(.+?)& $2; } #}
|
|
|
|
server {
|
|
listen {{ jellyfin_nginx_listen_port }} ssl http2;
|
|
{% if inventory_hostname in wg_clients -%}
|
|
listen {{ wg_clients[inventory_hostname].ip }}:{{ jellyfin_nginx_listen_port }} ssl http2;
|
|
{% endif -%}
|
|
|
|
include /etc/nginx/sudo-known.conf;
|
|
include listen-proxy-protocol.conf;
|
|
server_name {{ jellyfin_url_alt }} www.{{ jellyfin_url_alt }};
|
|
|
|
client_max_body_size 20M;
|
|
|
|
access_log /var/log/nginx/access_{{ jellyfin_url_alt }}.log main;
|
|
error_log /var/log/nginx/error_{{ jellyfin_url_alt }}.log warn;
|
|
|
|
ssl_certificate /usr/local/etc/certs/{{ jellyfin_url_alt }}/fullchain.pem;
|
|
ssl_certificate_key /usr/local/etc/certs/{{ jellyfin_url_alt }}/privkey.pem;
|
|
|
|
location / {
|
|
proxy_pass https://localhost;
|
|
proxy_set_header Host {{ jellyfin_url }};
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header X-Forwarded-Protocol $scheme;
|
|
proxy_set_header X-Forwarded-Host $http_host;
|
|
|
|
proxy_redirect https://{{ jellyfin_url }}/web/ https://{{ jellyfin_url_alt }}/web/;
|
|
|
|
proxy_set_header Accept-Encoding "";
|
|
}
|
|
|
|
}
|
|
|
|
server {
|
|
listen {{ jellyfin_nginx_listen_port }} ssl http2;
|
|
{% if inventory_hostname in wg_clients -%}
|
|
listen {{ wg_clients[inventory_hostname].ip }}:{{ jellyfin_nginx_listen_port }} ssl http2;
|
|
{% endif -%}
|
|
|
|
include /etc/nginx/sudo-known.conf;
|
|
include listen-proxy-protocol.conf;
|
|
server_name {{ jellyfin_url }};
|
|
|
|
client_max_body_size 20M;
|
|
|
|
# use a variable to store the upstream proxy
|
|
# set $jellyfin jellyfin;
|
|
# resolver 127.0.0.1 valid=30;
|
|
|
|
access_log /var/log/nginx/access_{{ jellyfin_url }}.log main;
|
|
error_log /var/log/nginx/error_{{ jellyfin_url }}.log warn;
|
|
|
|
ssl_certificate /usr/local/etc/certs/{{ jellyfin_url }}/fullchain.pem;
|
|
ssl_certificate_key /usr/local/etc/certs/{{ jellyfin_url }}/privkey.pem;
|
|
|
|
#ssl_stapling on;
|
|
#ssl_stapling_verify on;
|
|
|
|
#client_body_buffer_size 1024m;
|
|
#proxy_max_temp_file_size 0;
|
|
|
|
|
|
location = / {
|
|
return 302 https://$host/web/;
|
|
}
|
|
|
|
# jellyfin-web already has a robots.txt file that disallows everything, but we still want to maintain our own.
|
|
# jellyfin (not -web) will issue a 302 redirect from {{ jellyfin_url }}/robots.txt to {{ jellyfin_url }}/web/robots.txt
|
|
# where the file is then served from.
|
|
#
|
|
# https://github.com/jellyfin/jellyfin-web/blob/master/src/robots.txt
|
|
location = /robots.txt {
|
|
alias {{ systemuserlist.jellyfin.home }}/robots.txt;
|
|
}
|
|
location / {
|
|
#include /etc/nginx/jellyfin/jellyfin_auth.conf;
|
|
|
|
proxy_pass http://127.0.0.1:{{ jellyfin_port }};
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header X-Forwarded-Protocol $scheme;
|
|
proxy_set_header X-Forwarded-Host $http_host;
|
|
|
|
proxy_set_header Accept-Encoding "";
|
|
|
|
# Disable buffering when the nginx proxy gets very resource
|
|
# heavy upon streaming
|
|
#proxy_buffering off;
|
|
}
|
|
|
|
location /metrics {
|
|
return 403;
|
|
}
|
|
|
|
# so /web/#!/ works instead of having to go to /web/index.html/#!/
|
|
location = /web/ {
|
|
proxy_pass http://127.0.0.1:{{ jellyfin_port }}/web/index.html;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header X-Forwarded-Protocol $scheme;
|
|
proxy_set_header X-Forwarded-Host $http_host;
|
|
|
|
proxy_set_header Accept-Encoding "";
|
|
|
|
# ## this was also in the 'location /' block, if i add it back, also add it
|
|
# ## back there! (2023-02)
|
|
|
|
# proxy_hide_header last-modified;
|
|
# proxy_hide_header cache-control;
|
|
# proxy_hide_header date;
|
|
|
|
# etag off;
|
|
# proxy_hide_header "ETag";
|
|
|
|
# if_modified_since off;
|
|
# expires off;
|
|
# add_header Last-Modified $date_gmt always;
|
|
# add_header Cache-Control 'no-store' always;
|
|
# add_header Clear-Site-Data "cache" always;
|
|
|
|
# # useful until builds/jellyfin-web is in use.
|
|
# sub_filter_types application/javascript;
|
|
# sub_filter_once off;
|
|
# sub_filter 'config.json' 'config.json?id=$request_id';
|
|
|
|
}
|
|
location = /web/config.json {
|
|
# redirect = 302 = temporary
|
|
#
|
|
# seems to work this way without rewriting the javascript with sub_filter and
|
|
# overriding cache entries (providing the client/browser doesnt already have
|
|
# the stupid service worker cache already)
|
|
if ($is_args = '') {
|
|
rewrite "^/web/config.json$" "/web/config.json?id=$request_id" redirect;
|
|
}
|
|
alias "{{ jellyfin_root }}/jellyfin-web/config.json";
|
|
}
|
|
|
|
location /socket {
|
|
proxy_pass http://127.0.0.1:{{ jellyfin_port }};
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header X-Forwarded-Protocol $scheme;
|
|
proxy_set_header X-Forwarded-Host $http_host;
|
|
|
|
}
|
|
|
|
{% for item in ["/health", "/GetUtcTime"] -%}
|
|
location {{ item }} {
|
|
allow 127.0.0.1;
|
|
{% if inventory_hostname in my_public_ips -%}
|
|
allow {{ my_public_ips[inventory_hostname] }}/32;
|
|
{% endif -%}
|
|
allow {{ my_public_ips[ansible_control_host] }}/32;
|
|
allow {{ wireguard_cidr }};
|
|
deny all;
|
|
|
|
proxy_pass http://127.0.0.1:{{ jellyfin_port }};
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
}
|
|
{% endfor %}
|
|
location = /_health {
|
|
proxy_pass http://127.0.0.1:{{ jellyfin_port }}/health;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
}
|
|
|
|
|
|
# location /videos/ {
|
|
# # cache video streams: https://jellyfin.org/docs/general/networking/nginx.html#cache-video-streams
|
|
# proxy_cache cWEB;
|
|
# proxy_cache_valid 200 301 302 30d;
|
|
# proxy_ignore_headers Expires Cache-Control Set-Cookie X-Accel-Expires;
|
|
# proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
|
|
# proxy_connect_timeout 10s;
|
|
# proxy_http_version 1.1;
|
|
# #proxy_set_header Connection "";
|
|
#
|
|
# proxy_pass http://localhost:{{ jellyfin_port }};
|
|
# proxy_cache_key "{{ jellyfin_url }}$uri?MediaSourceId=$arg_MediaSourceId&VideoCodec=$arg_VideoCodec&AudioCodec=$arg_AudioCodec&AudioStreamIndex=$arg_AudioStreamIndex&VideoBitrate=$arg_VideoBitrate&AudioBitrate=$arg_AudioBitrate&SubtitleMethod=$arg_SubtitleMethod&TranscodingMaxAudioChannels=$arg_TranscodingMaxAudioChannels&RequireAvc=$arg_RequireAvc&SegmentContainer=$arg_SegmentContainer&MinSegments=$arg_MinSegments&BreakOnNonKeyFrames=$arg_BreakOnNonKeyFrames&h264-profile=$h264Profile&h264-level=$h264Level";
|
|
# proxy_cache_valid 200 301 302 30d;
|
|
# }
|
|
|
|
# Security / XSS Mitigation Headers
|
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
|
|
# Content Security Policy
|
|
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
|
|
# External Javascript (such as cast_sender.js for Chromecast) must
|
|
# be allowlisted.
|
|
# 'self' https://*.{{ domain }} https://{{ domain }}
|
|
#add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/cast_sender.js https://www.gstatic.com/eureka/clank/94/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.gstatic.com/eureka/clank/98/cast_sender.js https://www.gstatic.com/eureka/clank/105/cast_sender.js https://www.gstatic.com/eureka/clank/106/cast_sender.js https://www.gstatic.com/eureka/clank/111/cast_sender.js https://www.gstatic.com/eureka/clank/115/cast_sender.js https://www.gstatic.com/eureka/clank/116/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'" always;
|
|
add_header Content-Security-Policy "default-src https: data: blob: image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'" always;
|
|
|
|
# kill cache
|
|
#add_header date $date_gmt always;
|
|
#add_header Cache-Control 'no-store, no-cache' always;
|
|
|
|
# # attempting to fix the title with nginx
|
|
# {% set jellyfin_title = jellyfin_url.split(".")[0].capitalize() %}
|
|
# gzip_static off;
|
|
# gzip off;
|
|
# sub_filter '<title>Jellyfin</title>' '<title>{{ jellyfin_title }}</title>';
|
|
# sub_filter 'document.title="Jellyfin"' 'document.title="{{ jellyfin_title }}"';
|
|
# sub_filter 'document.title=e||"Jellyfin"' 'document.title=e||"{{ jellyfin_title }}"';
|
|
# sub_filter 'document.title=B.ZP.translateHtml(document.title,"core")' 'document.title="{{ jellyfin_title }}"';
|
|
# sub_filter_once off;
|
|
# ## in addition to “text/html”.
|
|
# sub_filter_types application/javascript;
|
|
|
|
|
|
|
|
}
|
|
|
|
server {
|
|
listen 80;
|
|
server_name {{ jellyfin_url }};
|
|
return 301 https://$host$request_uri;
|
|
}
|