infrastructure/nginx-conf/jellyfin.conf

proxy_cache_path /var/cache/nginx/jellyfin levels=1:2 keys_zone=jellyfin:100m max_size=3g inactive=30d use_temp_path=off;
proxy_cache_path /var/cache/nginx/jellyfin-videos levels=1:2 keys_zone=jellyfin-videos:100m inactive=90d max_size=3g;
map $request_uri $h264Level { ~(h264-level=)(.+?)& $2; }
map $request_uri $h264Profile { ~(h264-profile=)(.+?)& $2; }

upstream jellyfin_server {
        # ip_hash;
        server jellyfin:8096;
        # server jellyfin:8096 weight=1 max_fails=3 fail_timeout=30s;
}

# Redirect all http requests to the main server wordpress_server
server {
        listen 80;
        listen [::]:80;

        server_name jellyfin.bensuperpc.org www.jellyfin.bensuperpc.org;

        location ~ /.well-known/acme-challenge {
                allow all;
                root /var/www/jellyfin;
        }

        location / {
                return 301 https://$host$request_uri;
        }
}

server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name jellyfin.bensuperpc.org www.jellyfin.bensuperpc.org;

        #client_max_body_size 20M;
        set $jellyfin jellyfin;
        resolver 8.8.8.8 valid=30;

        # All things related to SSL
        ssl_certificate /etc/letsencrypt/live/bensuperpc.org/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/bensuperpc.org/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/bensuperpc.org/chain.pem;
        #ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
        #add_header Strict-Transport-Security "max-age=31536000" always;

        include /etc/nginx/conf.d/sub/options-ssl-nginx.conf;

        # Security / XSS Mitigation Headers
        # NOTE: X-Frame-Options may cause issues with the webOS app
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Content-Type-Options "nosniff";
        #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";

        location = / {
                return 302 http://$host/web/;
                #return 302 https://$host/web/;
        }

        location / {
                # Proxy main Jellyfin traffic
                proxy_pass http://jellyfin_server;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Protocol $scheme;
                proxy_set_header X-Forwarded-Host $http_host;

                # Disable buffering when the nginx proxy gets very resource heavy upon streaming
                proxy_buffering off;
        }

        location = /web/ {
                # Proxy main Jellyfin traffic
                proxy_pass http://jellyfin_server/web/index.html;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Protocol $scheme;
                proxy_set_header X-Forwarded-Host $http_host;
        }

        location /socket {
                # Proxy Jellyfin Websockets traffic
                proxy_pass http://jellyfin_server;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Protocol $scheme;
                proxy_set_header X-Forwarded-Host $http_host;
        }

        # Cache images
        location ~ /Items/(.*)/Images {
                proxy_pass http://127.0.0.1:8096;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Protocol $scheme;
                proxy_set_header X-Forwarded-Host $http_host;

                proxy_cache jellyfin;
                proxy_cache_revalidate on;
                proxy_cache_lock on;
                add_header X-Cache-Status $upstream_cache_status; # This is only to check if cache is working
        }

        # Cache videos
        location ~* ^/Videos/(.*)/(?!live)
        {
                slice 2m;

                proxy_cache jellyfin-videos;
                proxy_cache_valid 200 206 301 302 30d;
                proxy_ignore_headers Expires Cache-Control Set-Cookie X-Accel-Expires;
                proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
                proxy_connect_timeout 15s;
                proxy_http_version 1.1;
                proxy_set_header Connection "";
                # Transmit slice range to the backend
                proxy_set_header Range $slice_range;

                proxy_cache_lock on;
                proxy_cache_lock_age 60s;

                proxy_pass http://$jellyfin:8096;
                proxy_cache_key "jellyvideo$uri?MediaSourceId=$arg_MediaSourceId&VideoCodec=$arg_VideoCodec&AudioCodec=$arg_AudioCodec&AudioStreamIndex=$arg_AudioStreamIndex&VideoBitrate=$arg_VideoBitrate&AudioBitrate=$arg_AudioBitrate&SubtitleMethod=$arg_SubtitleMethod&TranscodingMaxAudioChannels=$arg_TranscodingMaxAudioChannels&RequireAvc=$arg_RequireAvc&SegmentContainer=$arg_SegmentContainer&MinSegments=$arg_MinSegments&BreakOnNonKeyFrames=$arg_BreakOnNonKeyFrames&h264-profile=$h264Profile&h264-level=$h264Level&slicerange=$slice_range";

                add_header X-Cache-Status $upstream_cache_status; # This is only for debugging cache
        }
}

# All configuration options are documented at https://jellyfin.org/docs/general/networking/nginx/
Update jellyfin Signed-off-by: Bensuperpc <bensuperpc@gmail.com> 2022-11-27 19:37:45 +01:00			`proxy_cache_path /var/cache/nginx/jellyfin levels=1:2 keys_zone=jellyfin:100m max_size=3g inactive=30d use_temp_path=off;`
			`proxy_cache_path /var/cache/nginx/jellyfin-videos levels=1:2 keys_zone=jellyfin-videos:100m inactive=90d max_size=3g;`
			`map $request_uri $h264Level { ~(h264-level=)(.+?)& $2; }`
			`map $request_uri $h264Profile { ~(h264-profile=)(.+?)& $2; }`
WIP jellyfin Signed-off-by: Bensuperpc <bensuperpc@gmail.com> 2022-11-27 17:44:16 +01:00
			`upstream jellyfin_server {`
			`# ip_hash;`
			`server jellyfin:8096;`
			`# server jellyfin:8096 weight=1 max_fails=3 fail_timeout=30s;`
			`}`

Add https on jellyfin Signed-off-by: Bensuperpc <bensuperpc@gmail.com> 2022-11-28 13:43:48 +01:00			`# Redirect all http requests to the main server wordpress_server`
WIP jellyfin Signed-off-by: Bensuperpc <bensuperpc@gmail.com> 2022-11-27 17:44:16 +01:00			`server {`
			`listen 80;`
			`listen [::]:80;`
Add https on jellyfin Signed-off-by: Bensuperpc <bensuperpc@gmail.com> 2022-11-28 13:43:48 +01:00
			`server_name jellyfin.bensuperpc.org www.jellyfin.bensuperpc.org;`

			`location ~ /.well-known/acme-challenge {`
			`allow all;`
			`root /var/www/jellyfin;`
			`}`

			`location / {`
			`return 301 https://$host$request_uri;`
			`}`
			`}`

			`server {`
			`listen 443 ssl http2;`
			`listen [::]:443 ssl http2;`
WIP jellyfin Signed-off-by: Bensuperpc <bensuperpc@gmail.com> 2022-11-27 17:44:16 +01:00			`server_name jellyfin.bensuperpc.org www.jellyfin.bensuperpc.org;`

Add https on jellyfin Signed-off-by: Bensuperpc <bensuperpc@gmail.com> 2022-11-28 13:43:48 +01:00			`#client_max_body_size 20M;`
Update jellyfin Signed-off-by: Bensuperpc <bensuperpc@gmail.com> 2022-11-27 19:37:45 +01:00			`set $jellyfin jellyfin;`
Add https on jellyfin Signed-off-by: Bensuperpc <bensuperpc@gmail.com> 2022-11-28 13:43:48 +01:00			`resolver 8.8.8.8 valid=30;`
Update jellyfin Signed-off-by: Bensuperpc <bensuperpc@gmail.com> 2022-11-27 19:37:45 +01:00
Add https on jellyfin Signed-off-by: Bensuperpc <bensuperpc@gmail.com> 2022-11-28 13:43:48 +01:00			`# All things related to SSL`
			`ssl_certificate /etc/letsencrypt/live/bensuperpc.org/fullchain.pem;`
			`ssl_certificate_key /etc/letsencrypt/live/bensuperpc.org/privkey.pem;`
			`ssl_trusted_certificate /etc/letsencrypt/live/bensuperpc.org/chain.pem;`
Update jellyfin Signed-off-by: Bensuperpc <bensuperpc@gmail.com> 2022-11-27 19:37:45 +01:00			`#ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;`
			`#add_header Strict-Transport-Security "max-age=31536000" always;`
Add https on jellyfin Signed-off-by: Bensuperpc <bensuperpc@gmail.com> 2022-11-28 13:43:48 +01:00
			`include /etc/nginx/conf.d/sub/options-ssl-nginx.conf;`
Update jellyfin Signed-off-by: Bensuperpc <bensuperpc@gmail.com> 2022-11-27 19:37:45 +01:00
			`# Security / XSS Mitigation Headers`
			`# NOTE: X-Frame-Options may cause issues with the webOS app`
			`add_header X-Frame-Options "SAMEORIGIN";`
			`add_header X-XSS-Protection "1; mode=block";`
			`add_header X-Content-Type-Options "nosniff";`
			`#add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";`

			`location = / {`
			`return 302 http://$host/web/;`
			`#return 302 https://$host/web/;`
			`}`
WIP jellyfin Signed-off-by: Bensuperpc <bensuperpc@gmail.com> 2022-11-27 17:44:16 +01:00
			`location / {`
Update jellyfin Signed-off-by: Bensuperpc <bensuperpc@gmail.com> 2022-11-27 19:37:45 +01:00			`# Proxy main Jellyfin traffic`
WIP jellyfin Signed-off-by: Bensuperpc <bensuperpc@gmail.com> 2022-11-27 17:44:16 +01:00			`proxy_pass http://jellyfin_server;`
Update jellyfin Signed-off-by: Bensuperpc <bensuperpc@gmail.com> 2022-11-27 19:37:45 +01:00			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_set_header X-Forwarded-Protocol $scheme;`
			`proxy_set_header X-Forwarded-Host $http_host;`

			`# Disable buffering when the nginx proxy gets very resource heavy upon streaming`
			`proxy_buffering off;`
			`}`

			`location = /web/ {`
			`# Proxy main Jellyfin traffic`
			`proxy_pass http://jellyfin_server/web/index.html;`
			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_set_header X-Forwarded-Protocol $scheme;`
WIP jellyfin Signed-off-by: Bensuperpc <bensuperpc@gmail.com> 2022-11-27 17:44:16 +01:00			`proxy_set_header X-Forwarded-Host $http_host;`
			`}`

Update jellyfin Signed-off-by: Bensuperpc <bensuperpc@gmail.com> 2022-11-27 19:37:45 +01:00			`location /socket {`
			`# Proxy Jellyfin Websockets traffic`
			`proxy_pass http://jellyfin_server;`
			`proxy_http_version 1.1;`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection "upgrade";`
			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_set_header X-Forwarded-Protocol $scheme;`
			`proxy_set_header X-Forwarded-Host $http_host;`
			`}`

			`# Cache images`
			`location ~ /Items/(.*)/Images {`
			`proxy_pass http://127.0.0.1:8096;`
			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_set_header X-Forwarded-Protocol $scheme;`
			`proxy_set_header X-Forwarded-Host $http_host;`

			`proxy_cache jellyfin;`
			`proxy_cache_revalidate on;`
			`proxy_cache_lock on;`
			`add_header X-Cache-Status $upstream_cache_status; # This is only to check if cache is working`
			`}`

			`# Cache videos`
			`location ~* ^/Videos/(.*)/(?!live)`
			`{`
			`slice 2m;`

			`proxy_cache jellyfin-videos;`
			`proxy_cache_valid 200 206 301 302 30d;`
			`proxy_ignore_headers Expires Cache-Control Set-Cookie X-Accel-Expires;`
			`proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;`
			`proxy_connect_timeout 15s;`
			`proxy_http_version 1.1;`
			`proxy_set_header Connection "";`
			`# Transmit slice range to the backend`
			`proxy_set_header Range $slice_range;`

			`proxy_cache_lock on;`
			`proxy_cache_lock_age 60s;`

			`proxy_pass http://$jellyfin:8096;`
			proxy_cache_key "jellyvideo$uri?MediaSourceId=$arg_MediaSourceId&VideoCodec=$arg_VideoCodec&AudioCodec=$arg_AudioCodec&AudioStreamIndex=$arg_AudioStreamIndex&VideoBitrate=$arg_VideoBitrate&AudioBitrate=$arg_AudioBitrate&SubtitleMethod=$arg_SubtitleMethod&TranscodingMaxAudioChannels=$arg_TranscodingMaxAudioChannels&RequireAvc=$arg_RequireAvc&SegmentContainer=$arg_SegmentContainer&MinSegments=$arg_MinSegments&BreakOnNonKeyFrames=$arg_BreakOnNonKeyFrames&h264-profile=$h264Profile&h264-level=$h264Level&slicerange=$slice_range";

			`add_header X-Cache-Status $upstream_cache_status; # This is only for debugging cache`
			`}`
WIP jellyfin Signed-off-by: Bensuperpc <bensuperpc@gmail.com> 2022-11-27 17:44:16 +01:00			`}`
Update jellyfin Signed-off-by: Bensuperpc <bensuperpc@gmail.com> 2022-11-27 19:37:45 +01:00
			`# All configuration options are documented at https://jellyfin.org/docs/general/networking/nginx/`