
default conf

a guest
Jul 13th, 2017
  1. #Forward all http traffic to HTTPS
  2. server {
  3.     listen 80;
  4.     server_name example.com;
  5.  
  6.     #See notes below (SSLLabs likes this on http as well as https)
  7.     #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
  8.  
  9.     return 301 https://$host$request_uri;
  10. }
  11.  
  12. server {
  13.    
  14.     listen 443 ssl http2;
  15.    
  16.     server_name example.com;
  17.    
  18.     #Faster resolving, improves stapling time. Timeout and nameservers may need to be adjusted for your location Google's have been used here.
  19.     resolver 8.8.4.4 8.8.8.8 valid=300s;
  20.     resolver_timeout 10s;
  21.    
  22.     #Use letsencrypt.org to get a free and trusted ssl certificate
  23.     ssl_certificate /config/keys/fullchain.pem;
  24.     ssl_certificate_key /config/keys/privkey.pem;
  25.    
  26.     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  27.     ssl_prefer_server_ciphers on;
  28.    
  29.     #Intentionally not hardened for security for player support and encryption video streams has a lot of overhead with something like AES-256-GCM-SHA384.
  30.     ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
  31.    
  32.     #Why this is important: https://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/
  33.     ssl_stapling on;
  34.     ssl_stapling_verify on;
  35.     #For letsencrypt.org you can get your chain like this: https://esham.io/2016/01/ocsp-stapling
  36.     ssl_trusted_certificate /config/nginx/lets-encrypt-x3-cross-signed.pem;
  37.    
  38.     #Use: openssl dhparam -out dhparam.pem 2048 - 4096 is better but for overhead reasons 2048 is enough for Plex.
  39.     ssl_dhparam /config/nginx/dhparams.pem;
  40.     ssl_ecdh_curve secp384r1;
  41.  
  42.     #Forward real ip and host to Plex
  43.     proxy_set_header Host $http_host;
  44.     proxy_set_header X-Real-IP $remote_addr;
  45.     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  46.     proxy_set_header X-Forwarded-Proto $scheme;
  47.  
  48.     #Forward stuff for transmission
  49.     proxy_pass_header X-Transmission-Session-Id;
  50.  
  51.     #Websockets
  52.     proxy_http_version 1.1;
  53.     proxy_set_header Upgrade $http_upgrade;
  54.     proxy_set_header Connection "upgrade";
  55.  
  56.     #Buffering off send to the client as soon as the data is received from Plex.
  57.     proxy_redirect off;
  58.     proxy_buffering off;
  59.  
  60.     location / {
  61.         if ($request_method != OPTIONS) {
  62.             set $test A;
  63.         }
  64.         if ($http_x_plex_device_name = '') {
  65.             set $test "${test}B";
  66.         }
  67.         if ($arg_X-Plex-Device-Name = '') {
  68.             set $test "${test}C";
  69.         }
  70.         if ($http_user_agent !~ (SmartTV)) {
  71.             set $test "${test}D";
  72.         }
  73.  
  74.         #If the client isn't an app like a SmartTV and such, forward them to the web interface.
  75.         if ($test = ABCD) {
  76.             rewrite ^/$ https://$http_host/web/index.html;
  77.         }
  78.  
  79.         proxy_pass http://192.168.1.164:32400;
  80.     }
  81.    
  82.     location /sonarr {
  83.         proxy_pass http://192.168.1.164:8989/sonarr;
  84.     }
  85.    
  86.     location /request {
  87.         proxy_pass http://192.168.1.164:3579;
  88.     }
  89.    
  90.     location /jackett {
  91.         proxy_pass http://192.168.1.164:9117;
  92.     }
  93.    
  94.     location /plexpy {
  95.         proxy_bind $server_addr;
  96.         proxy_pass http://192.168.1.164:8181;
  97.         proxy_set_header Host $http_host;
  98.         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  99.         proxy_set_header X-Forwarded-Host $server_name;
  100.         proxy_set_header X-Real-IP $remote_addr;
  101.         proxy_set_header    X-Forwarded-Proto   $scheme;
  102.         proxy_set_header    X-Forwarded-Ssl     on;
  103.     }
  104.    
  105.     location /radarr {
  106.         proxy_pass http://192.168.1.164:7878/radarr;
  107.     }
  108.    
  109.     location /deluge {
  110.         proxy_pass http://192.168.1.164:8112/;
  111.         proxy_set_header X-Deluge-Base "/deluge/";
  112.         add_header X-Frame-Options SAMEORIGIN;
  113.     }
  114. }