# Uncomment the commented sections after you have acquired a SSL Certificatese

1. # Uncomment the commented sections after you have acquired a SSL Certificate
2. server {
3.     listen 80;
4.     listen [::]:80;
5. #   server_name jellyfin.ovingivhomelab.page;
6.  
7.     # Uncomment to redirect HTTP to HTTPS
8.       return 301 https://$host$request_uri;
9. }
10.  
11. server {
12.      listen 443 ssl http2;
13.      listen [::]:443 ssl http2;
14. #    server_name jellyfin.ovingivhomelab.page;
15.  
16.     ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
17.     client_max_body_size 20M;
18.  
19.     # use a variable to store the upstream proxy
20.     # in this example we are using a hostname which is resolved via DNS
21.     # (if you aren't using DNS remove the resolver line and change the variable to point to an IP address e.g `set $jellyfin 127.0.0.1`)
22.    set $jellyfin jellyfin;
23.    resolver 127.0.0.1 valid=30;
24.  
25.    ssl_certificate /media/10TB/cert/cert.perm;
26.    ssl_certificate_key /media/10TB/cert/private.key;
27. #   ssl_certificate /etc/letsencrypt/live/jellyfin.ovingivhomelab.page/fullchain.pem
28. #   ssl_certificate_key /etc/letsencrypt/live/jellyfin.ovingivhomelab.page/privkey.pem
29.    #include /etc/letsencrypt/options-ssl-nginx.conf;
30.    #ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
31.    #add_header Strict-Transport-Security "max-age=31536000" always;
32.    #ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN_NAME/chain.pem;
33.    #ssl_stapling on;
34.    #ssl_stapling_verify on;
35.  
36.    # Security / XSS Mitigation Headers
37.    # NOTE: X-Frame-Options may cause issues with the webOS app
38.    add_header X-Frame-Options "SAMEORIGIN";
39.    add_header X-XSS-Protection "0"; # Do NOT enable. This is obsolete/dangerous
40.    add_header X-Content-Type-Options "nosniff";
41.  
42.    # COOP/COEP. Disable if you use external plugins/images/assets
43.    add_header Cross-Origin-Opener-Policy "same-origin" always;
44.    add_header Cross-Origin-Embedder-Policy "require-corp" always;
45.    add_header Cross-Origin-Resource-Policy "same-origin" always;
46.  
47.    # Permissions policy. May cause issues on some clients
48.    add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
49.  
50.    # Tell browsers to use per-origin process isolation
51.    add_header Origin-Agent-Cluster "?1" always;
52.  
53.  
54.    # Content Security Policy
55.    # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
56.    # Enforces https content and restricts JS/CSS to origin
57.    # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
58.    # NOTE: The default CSP headers may cause issues with the webOS app
59.    #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
60.  
61.    location = / {
62.        return 302 http://$host/web/;
63.        return 302 https://$host/web/;
64.    }
65.  
66.    location / {
67.        # Proxy main Jellyfin traffic
68.        proxy_pass http://$jellyfin:8096;
69.        proxy_set_header Host $host;
70.        proxy_set_header X-Real-IP $remote_addr;
71.        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
72.        proxy_set_header X-Forwarded-Proto $scheme;
73.        proxy_set_header X-Forwarded-Protocol $scheme;
74.        proxy_set_header X-Forwarded-Host $http_host;
75.  
76.        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
77.        proxy_buffering off;
78.    }
79.  
80.    # location block for /web - This is purely for aesthetics so /web/#!/ works instead of having to go to /web/index.html/#!/
81.    location = /web/ {
82.        # Proxy main Jellyfin traffic
83.        proxy_pass http://$jellyfin:8096/web/index.html;
84.        proxy_set_header Host $host;
85.        proxy_set_header X-Real-IP $remote_addr;
86.        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
87.        proxy_set_header X-Forwarded-Proto $scheme;
88.        proxy_set_header X-Forwarded-Protocol $scheme;
89.        proxy_set_header X-Forwarded-Host $http_host;
90.    }
91.  
92.    location /socket {
93.        # Proxy Jellyfin Websockets traffic
94.        proxy_pass http://$jellyfin:8096;
95.        proxy_http_version 1.1;
96.        proxy_set_header Upgrade $http_upgrade;
97.        proxy_set_header Connection "upgrade";
98.        proxy_set_header Host $host;
99.        proxy_set_header X-Real-IP $remote_addr;
100.        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
101.        proxy_set_header X-Forwarded-Proto $scheme;
102.        proxy_set_header X-Forwarded-Protocol $scheme;
103.        proxy_set_header X-Forwarded-Host $http_host;
104.    }
105. }
106.