infrastructure/nginx/conf.d/jellyfin.conf

proxy_cache_path /var/cache/nginx/jellyfin levels=1:2 keys_zone=jellyfin:100m max_size=2g inactive=30d use_temp_path=off;

upstream jellyfin_server {
        # ip_hash;
        server jellyfin:8096;
        # server jellyfin:8096 weight=1 max_fails=3 fail_timeout=30s;
}

# Redirect all http requests to the main server wordpress_server
server {
        listen 80;
        listen [::]:80;

        root /var/www/jellyfin;

        server_name jellyfin.bensuperpc.org www.jellyfin.bensuperpc.org;

        location ~ /.well-known/acme-challenge {
                allow all;
                root /var/www/jellyfin;
        }

        location / {
                return 301 https://$host$request_uri;
        }
}

server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name jellyfin.bensuperpc.org www.jellyfin.bensuperpc.org;

        ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
        client_max_body_size 20M;

        # All things related to SSL
        ssl_certificate /etc/letsencrypt/live/bensuperpc.org/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/bensuperpc.org/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/bensuperpc.org/chain.pem;

        include /etc/nginx/conf.d/sub/options-ssl-nginx.conf;

        # Logging
        access_log /var/log/nginx/wordpress.access.log;
        error_log  /var/log/nginx/wordpress.error.log;

        # Security
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "no-referrer-when-downgrade" always;
        add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;

        # Security / XSS Mitigation Headers
        # NOTE: X-Frame-Options may cause issues with the webOS app
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Content-Type-Options "nosniff";

        # Content Security Policy
        # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
        # Enforces https content and restricts JS/CSS to origin
        # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
        # NOTE: The default CSP headers may cause issues with the webOS app
        add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";

        location = / {
                return 302 https://$host/web/;
        }

        location / {
                # Proxy main Jellyfin traffic
                proxy_pass http://jellyfin_server;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Protocol $scheme;
                proxy_set_header X-Forwarded-Host $http_host;

                # Disable buffering when the nginx proxy gets very resource heavy upon streaming
                proxy_buffering off;
        }

        # location block for /web - This is purely for aesthetics so /web/#!/ works instead of having to go to /web/index.html/#!/
        location = /web/ {
                # Proxy main Jellyfin traffic
                proxy_pass http://jellyfin_server/web/index.html;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Protocol $scheme;
                proxy_set_header X-Forwarded-Host $http_host;
        }

        location /socket {
                # Proxy Jellyfin Websockets traffic
                proxy_pass http://jellyfin_server;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Protocol $scheme;
                proxy_set_header X-Forwarded-Host $http_host;
        }

        # Cache images (inside server block)
        location ~ /Items/(.*)/Images {
                proxy_pass http://127.0.0.1:8096;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Protocol $scheme;
                proxy_set_header X-Forwarded-Host $http_host;

                proxy_cache jellyfin;
                proxy_cache_revalidate on;
                proxy_cache_lock on;
                add_header X-Cache-Status $upstream_cache_status; # This is only to check if cache is working
        }

        resolver 8.8.8.8;
}

# All configuration options are documented at https://jellyfin.org/docs/general/networking/nginx/