output of NGINX -T

a guest
May 20th, 2023
  1.  nginx -T
  2. nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
  3. nginx: configuration file /etc/nginx/nginx.conf test is successful
  4. # configuration file /etc/nginx/nginx.conf:
  5. user www-data; # account the worker processes run as
  6. worker_processes auto;
  7. pid /run/nginx.pid;
  8. include /etc/nginx/modules-enabled/*.conf; # loads the dynamic modules listed in the modules-enabled sections of this dump
  9.  
  10. events {
  11.         worker_connections 768; # per-worker connection cap
  12.         # multi_accept on;
  13. }
  14.  
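  15. http { # settings here are inherited by every vhost pulled in by the two includes at the end of this block
  16.  
  17.         ##
  18.         # Basic Settings
  19.         ##
  20.  
  21.         sendfile on;
  22.         tcp_nopush on;
  23.         types_hash_max_size 2048;
  24.         # server_tokens off; (already set at http level by sites-enabled/pterodactyl.conf in this dump; nginx normally rejects a second copy in the same context, so leave this one commented)
  25.  
  26.         # server_names_hash_bucket_size 64;
  27.         # server_name_in_redirect off;
  28.  
  29.         include /etc/nginx/mime.types;
  30.         default_type application/octet-stream;
  31.  
  32.         ##
  33.         # SSL Settings
  34.         ##
  35.  
  36.         ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE; TLSv1 and TLSv1.1 removed too (deprecated by RFC 8996), matching the ssl_protocols lines in sites-enabled/default and pterodactyl.conf
  37.         ssl_prefer_server_ciphers on; # inherited default only; each TLS vhost in this dump sets its own value
  38.  
  39.         ##
  40.         # Logging Settings
  41.         ##
  42.  
  43.         access_log /var/log/nginx/access.log; # shared log for vhosts that do not set their own (pterodactyl.conf does)
  44.         error_log /var/log/nginx/error.log;
  45.  
  46.         ##
  47.         # Gzip Settings
  48.         ##
  49.  
  50.         gzip on; # on for every vhost; gzip_types stays commented below, so only nginx's default type (text/html) is compressed
  51.         # NOTE(review): compressing TLS responses that mix secrets with request-reflected data is the precondition for BREACH-style leaks; confirm per application
  52.         # gzip_vary on;
  53.         # gzip_proxied any;
  54.         # gzip_comp_level 6;
  55.         # gzip_buffers 16 8k;
  56.         # gzip_http_version 1.1;
  57.         # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
  58.  
  59.         ##
  60.         # Virtual Host Configs
  61.         ##
  62.  
  63.         include /etc/nginx/conf.d/*.conf; # read first: a server defined here comes before those in sites-enabled for the same listen address
  64.         include /etc/nginx/sites-enabled/*; # top-level directives in these files (e.g. server_tokens, map) land in this http context
  65. }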
  66.  
  67.  
  68. #mail {
  69. #       # See sample authentication script at:
  70. #       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
  71. #
  72. #       # auth_http localhost/auth.php;
  73. #       # pop3_capabilities "TOP" "USER";
  74. #       # imap_capabilities "IMAP4rev1" "UIDPLUS";
  75. #
  76. #       server {
  77. #               listen     localhost:110;
  78. #               protocol   pop3;
  79. #               proxy      on;
  80. #       }
  81. #
  82. #       server {
  83. #               listen     localhost:143;
  84. #               protocol   imap;
  85. #               proxy      on;
  86. #       }
  87. #}
  88.  
  89. # configuration file /etc/nginx/modules-enabled/50-mod-http-geoip.conf:
  90. load_module modules/ngx_http_geoip_module.so; # NOTE(review): no geoip_* directive appears in this dump — confirm the module is needed
  91.  
  92. # configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
  93. load_module modules/ngx_http_image_filter_module.so; # NOTE(review): no image_filter directive appears in this dump
  94.  
  95. # configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
  96. load_module modules/ngx_http_xslt_filter_module.so; # NOTE(review): no xslt_* directive appears in this dump
  97.  
  98. # configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
  99. load_module modules/ngx_mail_module.so; # NOTE(review): the only mail{} block in this dump is commented out — presumably unused; unloading unused modules trims attack surface
  100.  
  101. # configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
  102. load_module modules/ngx_stream_module.so; # NOTE(review): no stream{} block appears in this dump — confirm it is needed
  103.  
  104. # configuration file /etc/nginx/modules-enabled/70-mod-stream-geoip.conf:
  105. load_module modules/ngx_stream_geoip_module.so; # depends on the stream module above; same question applies
  106.  
  107. # configuration file /etc/nginx/mime.types:
  108.  
  109. types {
  110.     text/html                             html htm shtml;
  111.     text/css                              css;
  112.     text/xml                              xml;
  113.     image/gif                             gif;
  114.     image/jpeg                            jpeg jpg;
  115.     application/javascript                js;
  116.     application/atom+xml                  atom;
  117.     application/rss+xml                   rss;
  118.  
  119.     text/mathml                           mml;
  120.     text/plain                            txt;
  121.     text/vnd.sun.j2me.app-descriptor      jad;
  122.     text/vnd.wap.wml                      wml;
  123.     text/x-component                      htc;
  124.  
  125.     image/png                             png;
  126.     image/tiff                            tif tiff;
  127.     image/vnd.wap.wbmp                    wbmp;
  128.     image/x-icon                          ico;
  129.     image/x-jng                           jng;
  130.     image/x-ms-bmp                        bmp;
  131.     image/svg+xml                         svg svgz;
  132.     image/webp                            webp;
  133.  
  134.     application/font-woff                 woff;
  135.     application/java-archive              jar war ear;
  136.     application/json                      json;
  137.     application/mac-binhex40              hqx;
  138.     application/msword                    doc;
  139.     application/pdf                       pdf;
  140.     application/postscript                ps eps ai;
  141.     application/rtf                       rtf;
  142.     application/vnd.apple.mpegurl         m3u8;
  143.     application/vnd.ms-excel              xls;
  144.     application/vnd.ms-fontobject         eot;
  145.     application/vnd.ms-powerpoint         ppt;
  146.     application/vnd.wap.wmlc              wmlc;
  147.     application/vnd.google-earth.kml+xml  kml;
  148.     application/vnd.google-earth.kmz      kmz;
  149.     application/x-7z-compressed           7z;
  150.     application/x-cocoa                   cco;
  151.     application/x-java-archive-diff       jardiff;
  152.     application/x-java-jnlp-file          jnlp;
  153.     application/x-makeself                run;
  154.     application/x-perl                    pl pm;
  155.     application/x-pilot                   prc pdb;
  156.     application/x-rar-compressed          rar;
  157.     application/x-redhat-package-manager  rpm;
  158.     application/x-sea                     sea;
  159.     application/x-shockwave-flash         swf;
  160.     application/x-stuffit                 sit;
  161.     application/x-tcl                     tcl tk;
  162.     application/x-x509-ca-cert            der pem crt;
  163.     application/x-xpinstall               xpi;
  164.     application/xhtml+xml                 xhtml;
  165.     application/xspf+xml                  xspf;
  166.     application/zip                       zip;
  167.  
  168.     application/octet-stream              bin exe dll;
  169.     application/octet-stream              deb;
  170.     application/octet-stream              dmg;
  171.     application/octet-stream              iso img;
  172.     application/octet-stream              msi msp msm;
  173.  
  174.     application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
  175.     application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
  176.     application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;
  177.  
  178.     audio/midi                            mid midi kar;
  179.     audio/mpeg                            mp3;
  180.     audio/ogg                             ogg;
  181.     audio/x-m4a                           m4a;
  182.     audio/x-realaudio                     ra;
  183.  
  184.     video/3gpp                            3gpp 3gp;
  185.     video/mp2t                            ts;
  186.     video/mp4                             mp4;
  187.     video/mpeg                            mpeg mpg;
  188.     video/quicktime                       mov;
  189.     video/webm                            webm;
  190.     video/x-flv                           flv;
  191.     video/x-m4v                           m4v;
  192.     video/x-mng                           mng;
  193.     video/x-ms-asf                        asx asf;
  194.     video/x-ms-wmv                        wmv;
  195.     video/x-msvideo                       avi;
  196. }
  197.  
  198. # configuration file /etc/nginx/conf.d/jellyfin.conf:
  199. server { # NOTE(review): the '#}' and '#server {' lines below are commented out, so this is ONE server block and it listens on port 80 only
  200.     listen 80;
  201.     listen [::]:80;
  202.     #server_name media.exzibyte.com;
  203.  
  204.     # Uncomment to redirect HTTP to HTTPS (only meaningful once the 443 listeners below are active again)
  205.     # return 301 https://$host$request_uri;
  206. #}
  207.     # NOTE(review): with both 443 listeners commented out, nothing in this block terminates TLS. The ssl_* directives and the HSTS header further down never apply to a TLS connection, and whatever credentials or session tokens clients send to this host reach nginx in cleartext.
  208. #server {
  209.     # listen 443 ssl http2;
  210.     # listen [::]:443 ssl http2;
  211.     server_name media.exzibyte.com;
  212.  
  213.     ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
  214.     client_max_body_size 20M;
  215.  
  216.     # use a variable to store the upstream proxy
  217.     # in this example we are using a hostname which is resolved via DNS
  218.     # (if you aren't using DNS remove the resolver line and change the variable to point to an IP address e.g `set $jellyfin 127.0.0.1`)
  219.     set $jellyfin jellyfin;
  220.     resolver 192.168.0.15 valid=30; # the name in $jellyfin is looked up at request time through this resolver; answers are cached for 30 s
  221.  
  222.     ssl_certificate /etc/letsencrypt/live/media.exzibyte.com/fullchain.pem;
  223.     ssl_certificate_key /etc/letsencrypt/live/media.exzibyte.com/privkey.pem;
  224.     include /etc/letsencrypt/options-ssl-nginx.conf;
  225.     ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
  226.     add_header Strict-Transport-Security "max-age=31536000" always; # browsers ignore HSTS received over plain HTTP, so this has no effect while the block is HTTP-only
  227.     ssl_trusted_certificate /etc/letsencrypt/live/media.exzibyte.com/chain.pem;
  228.     ssl_stapling on;
  229.     ssl_stapling_verify on;
  230.  
  231.     # Security / XSS Mitigation Headers
  232.     # NOTE: X-Frame-Options may cause issues with the webOS app
  233.     add_header X-Frame-Options "SAMEORIGIN"; # no 'always' on these three, so nginx leaves them off most error responses
  234.     add_header X-XSS-Protection "1; mode=block"; # legacy header; current browsers no longer act on it
  235.     add_header X-Content-Type-Options "nosniff";
  236.  
  237.     # Content Security Policy
  238.     # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
  239.     # Enforces https content and restricts JS/CSS to origin
  240.     # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
  241.     # NOTE: The default CSP headers may cause issues with the webOS app
  242.     #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
  243.     # NOTE(review): the CSP above is disabled, so no Content-Security-Policy is sent for this host
  244.     location = / {
  245.         return 302 http://$host/web/; # redirect target is http:// and echoes the request's host name; the https:// form is the commented line below
  246.         #return 302 https://$host/web/;
  247.     }
  248.  
  249.     location / {
  250.         # Proxy main Jellyfin traffic
  251.         proxy_pass http://$jellyfin:8096; # plain-HTTP hop to the backend
  252.         proxy_set_header Host $host;
  253.         proxy_set_header X-Real-IP $remote_addr; # address of the directly connected peer as seen by nginx
  254.         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # appends $remote_addr to any X-Forwarded-For the client sent; only the last entry is set by nginx
  255.         proxy_set_header X-Forwarded-Proto $scheme;
  256.         proxy_set_header X-Forwarded-Protocol $scheme;
  257.         proxy_set_header X-Forwarded-Host $http_host; # raw Host header as sent by the client
  258.  
  259.         # Disable buffering when the nginx proxy gets very resource heavy upon streaming
  260.         proxy_buffering off;
  261.     }
  262.  
  263.     # location block for /web - This is purely for aesthetics so /web/#!/ works instead of having to go to /web/index.html/#!/
  264.     location = /web/ {
  265.         # Proxy main Jellyfin traffic
  266.         proxy_pass http://$jellyfin:8096/web/index.html;
  267.         proxy_set_header Host $host;
  268.         proxy_set_header X-Real-IP $remote_addr;
  269.         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  270.         proxy_set_header X-Forwarded-Proto $scheme;
  271.         proxy_set_header X-Forwarded-Protocol $scheme;
  272.         proxy_set_header X-Forwarded-Host $http_host;
  273.     }
  274.  
  275.     location /socket {
  276.         # Proxy Jellyfin Websockets traffic
  277.         proxy_pass http://$jellyfin:8096;
  278.         proxy_http_version 1.1; # HTTP/1.1 plus the Upgrade/Connection pair below is what lets the WebSocket handshake pass through
  279.         proxy_set_header Upgrade $http_upgrade;
  280.         proxy_set_header Connection "upgrade"; # hard-coded here; the $connection_upgrade map in sites-enabled/default is not used by this block
  281.         proxy_set_header Host $host;
  282.         proxy_set_header X-Real-IP $remote_addr;
  283.         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  284.         proxy_set_header X-Forwarded-Proto $scheme;
  285.         proxy_set_header X-Forwarded-Protocol $scheme;
  286.         proxy_set_header X-Forwarded-Host $http_host;
  287.     }
  288. }
  289.  
  290. # configuration file /etc/letsencrypt/options-ssl-nginx.conf:
  291. # This file contains important security parameters. If you modify this file
  292. # manually, Certbot will be unable to automatically provide future security
  293. # updates. Instead, Certbot will print and log an error message with a path to
  294. # the up-to-date file that you will need to refer to when manually updating
  295. # this file.
  296.  
  297. ssl_session_cache shared:le_nginx_SSL:10m;
  298. ssl_session_timeout 1440m;
  299. ssl_session_tickets off;
  300.  
  301. ssl_protocols TLSv1.2 TLSv1.3;
  302. ssl_prefer_server_ciphers off;
  303.  
  304. ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
  305.  
  306. # configuration file /etc/nginx/sites-enabled/default:
  307. map $http_upgrade $connection_upgrade { # derives the Connection header value sent upstream from the client's Upgrade header
  308.     default upgrade; # client sent an Upgrade header: forward "upgrade"
  309.     '' close; # no Upgrade header: forward "close"
  310. }
  311.  
  312. server { # one block serving both port 80 and port 443 for exzibyte.com
  313.     listen 80;
  314.     listen [::]:80;            # comment to disable IPv6
  315.  
  316.     if ($scheme = "http") { # plain-HTTP requests are redirected here and never reach location /
  317.         return 301 https://$host$request_uri;
  318.     }
  319.  
  320.     listen 443 ssl http2;
  321.     listen [::]:443 ssl http2; # comment to disable IPv6
  322.  
  323.     server_name exzibyte.com;
  324.     # NOTE(review): unlike the other two vhosts in this dump, this block has no add_header lines (no HSTS, nosniff or framing policy) — presumably left to the backend; confirm
  325.     location / {
  326.         resolver localhost; # Note: you need to set a valid dns resolver here or use 127.0.0.1 / [::1] instead of localhost in the line below. See https://stackoverflow.com/a/49642310 for a better explanation
  327.         proxy_pass http://192.168.0.15:8280$request_uri; # Note: you need to change localhost to 127.0.0.1 or [::1], if you don't use a valid dns resolver in the line above
  328.         # NOTE(review): the hop to 192.168.0.15:8280 is plain HTTP; TLS ends at nginx
  329.         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # appends $remote_addr to any X-Forwarded-For the client sent
  330.         proxy_set_header X-Forwarded-Port $server_port;
  331.         proxy_set_header Early-Data $ssl_early_data; # tells the backend when the request arrived as TLS 1.3 early (0-RTT) data
  332.         proxy_set_header X-Forwarded-Scheme $scheme;
  333.         proxy_set_header X-Forwarded-Proto $scheme;
  334.         proxy_set_header X-Real-IP $remote_addr;
  335.         proxy_set_header Accept-Encoding ""; # asks the backend for uncompressed responses
  336.         proxy_set_header Host $host;
  337.  
  338.         client_body_buffer_size 512k;
  339.         proxy_read_timeout 86400s; # 24 h without upstream data before nginx closes the connection — presumably for long-lived WebSockets
  340.         client_max_body_size 0; # 0 turns the request-body size check off entirely; the backend must enforce its own upload limit
  341.  
  342.         # Websocket
  343.         proxy_http_version 1.1;
  344.         proxy_set_header Upgrade $http_upgrade;
  345.         proxy_set_header Connection $connection_upgrade; # value comes from the map defined at the top of this file
  346.     }
  347.  
  348.     ssl_certificate /etc/letsencrypt/live/exzibyte.com/fullchain.pem;   # managed by certbot on host machine
  349.     ssl_certificate_key /etc/letsencrypt/live/exzibyte.com/privkey.pem; # managed by certbot on host machine
  350.     # NOTE(review): early data is not replay-protected by TLS; keep the next line only if the backend rejects non-idempotent early-data requests (e.g. 425 Too Early) using the Early-Data header set above — confirm
  351.     ssl_early_data on;
  352.     ssl_session_timeout 1d;
  353.     ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
  354.     ssl_session_tickets off;
  355.  
  356.     ssl_protocols TLSv1.2 TLSv1.3;
  357.     ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
  358.     ssl_prefer_server_ciphers off; # every suite listed above is AEAD with forward secrecy, so the client's preference order is honoured
  359. }
  360.  
  361. # configuration file /etc/nginx/sites-enabled/pterodactyl.conf:
  362. server_tokens off; # this file is included inside http{} by nginx.conf, so the version string is hidden for every vhost, not only the panel
  363.  
  364. server { # HTTP-to-HTTPS redirect for the panel
  365.     listen 80; # NOTE(review): IPv4 only; IPv6 requests for this name on port 80 would be handled by one of the blocks that listen on [::]:80 — confirm
  366.     server_name panel.exzibyte.com;
  367.     return 301 https://$server_name$request_uri; # redirect host is the configured server_name, not the Host header the client sent
  368. }
  369.  
  370. server { # TLS vhost serving the PHP application under /var/www/pterodactyl/public through PHP-FPM
  371.     listen 443 ssl http2; # NOTE(review): IPv4 only; the only [::]:443 listener in this dump is the exzibyte.com server, so IPv6 clients asking for this name would be answered by that block — confirm
  372.     server_name panel.exzibyte.com;
  373.  
  374.     root /var/www/pterodactyl/public;
  375.     index index.php;
  376.  
  377.     access_log /var/log/nginx/pterodactyl.app-access.log;
  378.     error_log  /var/log/nginx/pterodactyl.app-error.log error;
  379.  
  380.     # allow larger file uploads and longer script runtimes
  381.     client_max_body_size 100m;
  382.     client_body_timeout 120s;
  383.  
  384.     sendfile off;
  385.  
  386.     # SSL Configuration - Replace the example <domain> with your domain
  387.     ssl_certificate /etc/letsencrypt/live/panel.exzibyte.com/fullchain.pem;
  388.     ssl_certificate_key /etc/letsencrypt/live/panel.exzibyte.com/privkey.pem;
  389.     ssl_session_cache shared:SSL:10m;
  390.     ssl_protocols TLSv1.2 TLSv1.3;
  391.     ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
  392.     ssl_prefer_server_ciphers on;
  393.     # NOTE(review): HSTS is left disabled below, so only the port-80 redirect steers browsers to HTTPS; none of the add_header lines use 'always', so nginx leaves them off most error responses
  394.     # See https://hstspreload.org/ before uncommenting the line below.
  395.     # add_header Strict-Transport-Security "max-age=15768000; preload;";
  396.     add_header X-Content-Type-Options nosniff;
  397.     add_header X-XSS-Protection "1; mode=block"; # legacy header; current browsers no longer act on it
  398.     add_header X-Robots-Tag none;
  399.     add_header Content-Security-Policy "frame-ancestors 'self'"; # framing policy only; no script or content restrictions are set here
  400.     add_header X-Frame-Options DENY; # NOTE(review): disagrees with frame-ancestors 'self' on the line above; browsers that honour frame-ancestors use it in preference to this header
  401.     add_header Referrer-Policy same-origin;
  402.  
  403.     location / {
  404.         try_files $uri $uri/ /index.php?$query_string; # anything that is not an existing file or directory is routed to index.php
  405.     }
  406.  
  407.     location ~ \.php$ { # NOTE(review): any URI ending in .php is passed to PHP-FPM with no check that the script exists under root; this relies on PHP-side settings (cgi.fix_pathinfo, security.limit_extensions) — confirm them
  408.         fastcgi_split_path_info ^(.+\.php)(/.+)$;
  409.         fastcgi_pass unix:/run/php/php8.1-fpm.sock;
  410.         fastcgi_index index.php;
  411.         include fastcgi_params;
  412.         fastcgi_param PHP_VALUE "upload_max_filesize = 100M \n post_max_size=100M"; # per-request PHP ini overrides, in line with client_max_body_size 100m above
  413.         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
  414.         fastcgi_param HTTP_PROXY ""; # blanks the client's Proxy request header before PHP sees it (httpoxy mitigation)
  415.         fastcgi_intercept_errors off;
  416.         fastcgi_buffer_size 16k;
  417.         fastcgi_buffers 4 16k;
  418.         fastcgi_connect_timeout 300;
  419.         fastcgi_send_timeout 300;
  420.         fastcgi_read_timeout 300;
  421.         include /etc/nginx/fastcgi_params; # presumably the same file as the relative include above, which would make this second include redundant
  422.     }
  423.  
  424.     location ~ /\.ht { # blocks .htaccess/.htpasswd-style files; other dotfiles are not covered by this pattern
  425.         deny all;
  426.     }
  427. }
  428.  
  429. # configuration file /etc/nginx/fastcgi_params:
  430.  
  431. fastcgi_param  QUERY_STRING       $query_string;
  432. fastcgi_param  REQUEST_METHOD     $request_method;
  433. fastcgi_param  CONTENT_TYPE       $content_type;
  434. fastcgi_param  CONTENT_LENGTH     $content_length;
  435.  
  436. fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
  437. fastcgi_param  REQUEST_URI        $request_uri;
  438. fastcgi_param  DOCUMENT_URI       $document_uri;
  439. fastcgi_param  DOCUMENT_ROOT      $document_root;
  440. fastcgi_param  SERVER_PROTOCOL    $server_protocol;
  441. fastcgi_param  REQUEST_SCHEME     $scheme;
  442. fastcgi_param  HTTPS              $https if_not_empty;
  443.  
  444. fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
  445. fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
  446.  
  447. fastcgi_param  REMOTE_ADDR        $remote_addr;
  448. fastcgi_param  REMOTE_PORT        $remote_port;
  449. fastcgi_param  REMOTE_USER        $remote_user;
  450. fastcgi_param  SERVER_ADDR        $server_addr;
  451. fastcgi_param  SERVER_PORT        $server_port;
  452. fastcgi_param  SERVER_NAME        $server_name;
  453.  
  454. # PHP only, required if PHP was built with --enable-force-cgi-redirect
  455. fastcgi_param  REDIRECT_STATUS    200;
  456.  