# Uncomment the commented sections after you have acquired a SSL Certificate

1. # Uncomment the commented sections after you have acquired a SSL Certificate
2. server {
3. listen 80;
4. listen [::]:80;
5. # server_name DOMAIN_NAME;
6.  
7. # Uncomment to redirect HTTP to HTTPS
8. # return 301 https://$host$request_uri;
9. #}
10.  
11. #server {
12. listen 443 ssl http2;
13. # listen [::]:443 ssl http2;
14. server_name jellyfin.YOURDOMAIN.COM;
15.  
16. ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
17. client_max_body_size 20M;
18.  
19. # use a variable to store the upstream proxy
20. # in this example we are using a hostname which is resolved via DNS
21. # (if you aren't using DNS remove the resolver line and change the variable to point to an IP address e.g `set $jellyfin 127.0.0.1`)
22. set $jellyfin 127.0.0.1;
23. resolver 127.0.0.1 valid=30;
24.  
25. ssl_certificate /etc/letsencrypt/live/jellyfin.YOURDOMAIN.COM/fullchain.pem;
26. ssl_certificate_key /etc/letsencrypt/live/jellyfin.YOURDOMAIN.COM/privkey.pem;
27. include /etc/letsencrypt/options-ssl-nginx.conf;
28. add_header Strict-Transport-Security "max-age=31536000" always;
29.  
30.  
31. # Security / XSS Mitigation Headers
32. # NOTE: X-Frame-Options may cause issues with the webOS app
33. add_header X-Frame-Options "SAMEORIGIN";
34. add_header X-XSS-Protection "1; mode=block";
35. add_header X-Content-Type-Options "nosniff";
36.  
37. # Content Security Policy
38. # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
39. # Enforces https content and restricts JS/CSS to origin
40. # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
41. # NOTE: The default CSP headers may cause issues with the webOS app
42. #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
43.  
44. location = / {
45. return 302 http://$host/web/;
46. #return 302 https://$host/web/;
47. }
48.  
49. location / {
50. # Proxy main Jellyfin traffic
51. proxy_pass http://$jellyfin:8096;
52. proxy_set_header Host $host;
53. proxy_set_header X-Real-IP $remote_addr;
54. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
55. proxy_set_header X-Forwarded-Proto $scheme;
56. proxy_set_header X-Forwarded-Protocol $scheme;
57. proxy_set_header X-Forwarded-Host $http_host;
58.  
59. # Disable buffering when the nginx proxy gets very resource heavy upon streaming
60. proxy_buffering off;
61. }
62.  
63. # location block for /web - This is purely for aesthetics so /web/#!/ works instead of having to go to /web/index.html/#!/
64. location = /web/ {
65. # Proxy main Jellyfin traffic
66. proxy_pass http://$jellyfin:8096/web/index.html;
67. proxy_set_header Host $host;
68. proxy_set_header X-Real-IP $remote_addr;
69. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
70. proxy_set_header X-Forwarded-Proto $scheme;
71. proxy_set_header X-Forwarded-Protocol $scheme;
72. proxy_set_header X-Forwarded-Host $http_host;
73. }
74.  
75. location /socket {
76. # Proxy Jellyfin Websockets traffic
77. proxy_pass http://$jellyfin:8096;
78. proxy_http_version 1.1;
79. proxy_set_header Upgrade $http_upgrade;
80. proxy_set_header Connection "upgrade";
81. proxy_set_header Host $host;
82. proxy_set_header X-Real-IP $remote_addr;
83. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
84. proxy_set_header X-Forwarded-Proto $scheme;
85. proxy_set_header X-Forwarded-Protocol $scheme;
86. proxy_set_header X-Forwarded-Host $http_host;
87. }
88. }
89.