- #Forward all http traffic to HTTPS
- server {
- listen 80;
- server_name example.com;
- #See notes below (SSLLabs likes this on http as well as https)
- #NOTE(review): browsers ignore Strict-Transport-Security when it arrives over plain HTTP (RFC 6797), so the header only takes effect when the HTTPS server sends it.
- #NOTE(review): includeSubDomains and preload commit every subdomain to HTTPS for the whole max-age (63072000 s = 2 years). Enable only once all subdomains serve valid TLS.
- #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
- #The redirect target is built from $host, which nginx takes from the client's request. If this is the default server for port 80, a request for any hostname is redirected to that same hostname; use a fixed name instead if only example.com should be served.
- return 301 https://$host$request_uri;
- }
- server {
- listen 443 ssl http2;
- server_name example.com;
- #Faster resolving, improves stapling time. Timeout and nameservers may need to be adjusted for your location Google's have been used here.
- #NOTE(review): nginx uses this resolver to look up the OCSP responder for stapling. The lookups go unauthenticated to a public resolver; the nginx documentation recommends DNS servers on a trusted local network to limit DNS spoofing.
- resolver 8.8.4.4 8.8.8.8 valid=300s;
- resolver_timeout 10s;
- #Use letsencrypt.org to get a free and trusted ssl certificate
- ssl_certificate /config/keys/fullchain.pem;
- #Keep privkey.pem readable only by the account nginx starts as.
- ssl_certificate_key /config/keys/privkey.pem;
- #NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996). Keep them only while a player that cannot negotiate TLSv1.2 still has to connect; otherwise list only TLSv1.2 (and TLSv1.3 where the nginx/OpenSSL build supports it).
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- #The server's order wins over the client's, so the ECDHE/AES-GCM suites at the front of ssl_ciphers are chosen whenever the client offers them.
- ssl_prefer_server_ciphers on;
- #Intentionally not hardened for security for player support and encryption video streams has a lot of overhead with something like AES-256-GCM-SHA384.
- #NOTE(review): the tail of this list still allows CBC-mode suites, 3DES (DES-CBC3-SHA, 64-bit block) and plain RSA key exchange without forward secrecy (AES128-SHA and similar). Clients that offer nothing better end up there; trim the tail once such clients are gone.
- ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
- #Why this is important: https://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/
- ssl_stapling on;
- #Check the OCSP response against ssl_trusted_certificate before it is stapled.
- ssl_stapling_verify on;
- #For letsencrypt.org you can get your chain like this: https://esham.io/2016/01/ocsp-stapling
- #NOTE(review): this file has to match the issuer chain of the certificate that is actually deployed. Re-check it whenever the CA changes its intermediate, otherwise verification of the stapled response is expected to fail.
- ssl_trusted_certificate /config/nginx/lets-encrypt-x3-cross-signed.pem;
- #Use: openssl dhparam -out dhparam.pem 2048 - 4096 is better but for overhead reasons 2048 is enough for Plex.
- #These parameters are only used by the DHE suites in ssl_ciphers.
- ssl_dhparam /config/nginx/dhparams.pem;
- ssl_ecdh_curve secp384r1;
- #Forward real ip and host to Plex
- #$http_host is the Host header exactly as the client sent it. X-Real-IP comes from the connection itself.
- #NOTE(review): $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For the client supplied, so backends should trust only the last entry (or X-Real-IP), not the left-most ones.
- proxy_set_header Host $http_host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- #Forward stuff for transmission
- proxy_pass_header X-Transmission-Session-Id;
- #Websockets
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- #Buffering off send to the client as soon as the data is received from Plex.
- proxy_redirect off;
- proxy_buffering off;
- #TLS ends at nginx: every proxy_pass below talks plain HTTP to 192.168.1.164.
- location / {
- #The if blocks build a flag string in $test: A = method is not OPTIONS, B = no X-Plex-Device-Name request header, C = no X-Plex-Device-Name query argument, D = User-Agent does not match SmartTV.
- if ($request_method != OPTIONS) {
- set $test A;
- }
- if ($http_x_plex_device_name = '') {
- set $test "${test}B";
- }
- if ($arg_X-Plex-Device-Name = '') {
- set $test "${test}C";
- }
- if ($http_user_agent !~ (SmartTV)) {
- set $test "${test}D";
- }
- #If the client isn't an app like a SmartTV and such, forward them to the web interface.
- #Only a request for exactly / is redirected (^/$).
- #NOTE(review): the redirect target is built from $http_host, i.e. the Host header as supplied by the client.
- if ($test = ABCD) {
- rewrite ^/$ https://$http_host/web/index.html;
- }
- proxy_pass http://192.168.1.164:32400;
- }
- #NOTE(review): none of the locations below sets auth_basic or allow/deny, so sonarr, request, jackett, plexpy, radarr and deluge are reachable by anyone who can reach port 443 and are protected only by whatever login each application enforces itself. Add auth_basic/auth_basic_user_file or allow/deny per location if that exposure is not intended.
- location /sonarr {
- proxy_pass http://192.168.1.164:8989/sonarr;
- }
- location /request {
- proxy_pass http://192.168.1.164:3579;
- }
- location /jackett {
- proxy_pass http://192.168.1.164:9117;
- }
- location /plexpy {
- #This location sets its own proxy_set_header lines, so the server-level ones (including Upgrade/Connection for websockets) are not inherited here; only the headers listed below are set.
- proxy_bind $server_addr;
- proxy_pass http://192.168.1.164:8181;
- proxy_set_header Host $http_host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Host $server_name;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-Ssl on;
- }
- location /radarr {
- proxy_pass http://192.168.1.164:7878/radarr;
- }
- location /deluge {
- #The URI part "/" of proxy_pass replaces the matched /deluge prefix before the request is passed on.
- proxy_pass http://192.168.1.164:8112/;
- #NOTE(review): proxy_set_header and add_header are inherited from the server level only when a location defines none of its own. This location defines one of each, so the server-level Host/X-Real-IP/X-Forwarded-*/Upgrade/Connection headers are not sent to deluge, and a server-level add_header (for example an HSTS header) would not apply here unless repeated in this location.
- proxy_set_header X-Deluge-Base "/deluge/";
- #Lets only pages of the same origin frame the deluge UI (clickjacking protection).
- add_header X-Frame-Options SAMEORIGIN;
- }
- }