From e3c69fbe523a9e3f978cf45f72e6455735c0cba0 Mon Sep 17 00:00:00 2001 From: Brett Petch Date: Mon, 14 Feb 2022 22:32:30 -0500 Subject: [PATCH 01/16] Modernize nginx config --- nginx.conf | 212 +++++++++++++++++++++++++++++++---------------------- 1 file changed, 126 insertions(+), 86 deletions(-) diff --git a/nginx.conf b/nginx.conf index bd6cb6e..a9e5d3d 100644 --- a/nginx.conf +++ b/nginx.conf 
@@ -1,104 +1,144 @@ -#Must be set in the global scope see: https://forum.nginx.org/read.php?2,152294,152294 -#Why this is important especially with Plex as it makes a lot of requests http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html / https://www.peterbe.com/plog/ssl_session_cache-ab -ssl_session_cache shared:SSL:10m; -ssl_session_timeout 10m; +# SSL Config from https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 +ssl_session_cache shared:MozSSL:10m; +ssl_session_timeout 1d; #Upstream to Plex upstream plex_backend { - #Set this to the IP address that appears in `ifconfig` (NATTED LAN IP or Public IP address) if you want the bandwidth meter in the server status page to work + # Set the port and server to your plex server. server 127.0.0.1:32400; keepalive 32; } +# For better Plex logging. +log_format plex '$remote_addr - $remote_user [$time_local]' + '"$request" $status $body_bytes_sent' + '"$http_referer" $host "$http_user_agent"' + '"$request_time" "$upstream_connect_time"' + '"$geoip_city" "$geoip_city_country_code"'; + server { listen 80; - #Enabling http2 can cause some issues with some devices, see #29 - Disable it if you experience issues - listen 443 ssl http2; #http2 can provide a substantial improvement for streaming: https://blog.cloudflare.com/introducing-http2/ + listen [::]:80; + listen 443 ssl http2; + listen [::]:443 ssl http2; + # Set this A / AAAA / CNAME record prior to starting. server_name plex.EXAMPLE.COM; - - send_timeout 100m; #Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause (e.g. Chrome) - - #Faster resolving, improves stapling time. Timeout and nameservers may need to be adjusted for your location Google's have been used here. 
- resolver 8.8.4.4 8.8.8.8 valid=300s; - resolver_timeout 10s; - - #Use letsencrypt.org to get a free and trusted ssl certificate - ssl_certificate /path/to/fullchain.pem; - ssl_certificate_key /path/to/privkey.pem; - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_prefer_server_ciphers on; - #Intentionally not hardened for security for player support and encryption video streams has a lot of overhead with something like AES-256-GCM-SHA384. - ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; - - #Why this is important: https://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/ + access_log /var/log/nginx/access.log plex; # You can disable this. 
+ + # ACME SSL Cert Generation Method: + # curl https://get.acme.sh | sh + # mkdir -p /etc/nginx/ssl/${hostname} + # chmod 700 /etc/nginx/ssl + # /root/.acme.sh/acme.sh --set-default-ca --server letsencrypt # No personal data needed to setup + # /root/.acme.sh/acme.sh --force --issue --standalone -d ${hostname} + # /root/.acme.sh/acme.sh --force --install-cert -d ${hostname} --key-file /etc/nginx/ssl/${hostname}/key.pem --fullchain-file /etc/nginx/ssl/${hostname}/fullchain.pem --ca-file /etc/nginx/ssl/${hostname}/chain.pem --reloadcmd "systemctl reload nginx" + + ssl_certificate /etc/nginx/ssl/plex.EXAMPLE.COM/fullchain.pem; + ssl_key /etc/nginx/ssl/plex.EXAMPLE.COM/key.pem; + ssl_trusted_certificate /etc/nginx/ssl/plex.EXAMPLE.COM/fullchain.pem; + # Generate by doing openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048 + ssl_dhparam /etc/nginx/ssl/dhparam.pem; + + # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 + ssl_session_cache shared:MozSSL:10m; + ssl_session_timeout 1d; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ecdh_curve X25519:P-256:P-384; + ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'; + ssl_prefer_server_ciphers off; ssl_stapling on; ssl_stapling_verify on; - #For letsencrypt.org you can get your chain like this: https://esham.io/2016/01/ocsp-stapling - ssl_trusted_certificate /path/to/chain.pem; - - #Reuse ssl sessions, avoids unnecessary handshakes - #Turning this on will increase performance, but at the cost of security. Read below before making a choice. 
- #https://github.com/mozilla/server-side-tls/issues/135 - #https://wiki.mozilla.org/Security/Server_Side_TLS#TLS_tickets_.28RFC_5077.29 - #ssl_session_tickets on; - ssl_session_tickets off; - - #Use: openssl dhparam -out dhparam.pem 2048 - 4096 is better but for overhead reasons 2048 is enough for Plex. - ssl_dhparam /path/to/dhparam.pem; - ssl_ecdh_curve secp384r1; + + + # Set resolver to Cloudflare + resolver 1.1.1.1 1.0.0.1 valid=300s; + resolver_timeout 5s; - #Will ensure https is always used by supported browsers which prevents any server-side http > https redirects, as the browser will internally correct any request to https. - #Recommended to submit to your domain to https://hstspreload.org as well. - #!WARNING! Only enable this if you intend to only serve Plex over https, until this rule expires in your browser it WONT BE POSSIBLE to access Plex via http, remove 'includeSubDomains;' if you only want it to effect your Plex (sub-)domain. - #This is disabled by default as it could cause issues with some playback devices it's advisable to test it with a small max-age and only enable if you don't encounter issues. (Haven't encountered any yet) - #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; - - #Plex has A LOT of javascript, xml and html. This helps a lot, but if it causes playback issues with devices turn it off. (Haven't encountered any yet) - gzip on; - gzip_vary on; - gzip_min_length 1000; - gzip_proxied any; - gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml; - gzip_disable "MSIE [1-6]\."; - - #Nginx default client_max_body_size is 1MB, which breaks Camera Upload feature from the phones. - #Increasing the limit fixes the issue. 
Anyhow, if 4K videos are expected to be uploaded, the size might need to be increased even more - client_max_body_size 100M; - - #Forward real ip and host to Plex - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - #When using ngx_http_realip_module change $proxy_add_x_forwarded_for to '$http_x_forwarded_for,$realip_remote_addr' - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Sec-WebSocket-Extensions $http_sec_websocket_extensions; - proxy_set_header Sec-WebSocket-Key $http_sec_websocket_key; - proxy_set_header Sec-WebSocket-Version $http_sec_websocket_version; - - #Websockets - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - - #Disables compression between Plex and Nginx, required if using sub_filter below. - #May also improve loading time by a very marginal amount, as nginx will compress anyway. - #proxy_set_header Accept-Encoding ""; - - #Buffering off send to the client as soon as the data is received from Plex. - proxy_redirect off; - proxy_buffering off; + send_timeout 100m; #Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause (e.g. Chrome) + proxy_headers_hash_bucket_size 128; + proxy_headers_hash_max_size 1024; + proxy_buffers 32 4k; + # Increase body size + client_max_body_size 1G; + + + # If using cloudflare this will resolve user ips correctly. 
+ set_real_ip_from 103.21.244.0/22; + set_real_ip_from 103.22.200.0/22; + set_real_ip_from 103.31.4.0/22; + set_real_ip_from 104.16.0.0/13; + set_real_ip_from 104.24.0.0/14; + set_real_ip_from 108.162.192.0/18; + set_real_ip_from 131.0.72.0/22; + set_real_ip_from 141.101.64.0/18; + set_real_ip_from 162.158.0.0/15; + set_real_ip_from 172.64.0.0/13; + set_real_ip_from 173.245.48.0/20; + set_real_ip_from 188.114.96.0/20; + set_real_ip_from 190.93.240.0/20; + set_real_ip_from 197.234.240.0/22; + set_real_ip_from 198.41.128.0/17; + set_real_ip_from 2400:cb00::/32; + set_real_ip_from 2606:4700::/32; + set_real_ip_from 2803:f800::/32; + set_real_ip_from 2405:b500::/32; + set_real_ip_from 2405:8100::/32; + set_real_ip_from 2c0f:f248::/32; + set_real_ip_from 2a06:98c0::/29; + real_ip_header X-Forwarded-For; location / { - #Example of using sub_filter to alter what Plex displays, this disables Plex News. - #sub_filter ',news,' ','; - #sub_filter_once on; - #sub_filter_types text/xml; - proxy_pass http://plex_backend; + #Websockets + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_redirect off; + proxy_buffering off; + proxy_set_header Sec-WebSocket-Extensions $http_sec_websocket_extensions; + proxy_set_header Sec-WebSocket-Key $http_sec_websocket_key; + proxy_set_header Sec-WebSocket-Version $http_sec_websocket_version; + # Plex Headers + proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier; + proxy_set_header X-Plex-Device $http_x_plex_device; + proxy_set_header X-Plex-Device-Name $http_x_plex_device_name; + proxy_set_header X-Plex-Platform $http_x_plex_platform; + proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version; + proxy_set_header X-Plex-Product $http_x_plex_product; + proxy_set_header X-Plex-Token $http_x_plex_token; + proxy_set_header X-Plex-Version $http_x_plex_version; + proxy_set_header X-Plex-Nocache $http_x_plex_nocache; + proxy_set_header X-Plex-Provides $http_x_plex_provides; + 
proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor; + proxy_set_header X-Plex-Model $http_x_plex_model; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $http_x_forwarded_for; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + # Allows All Encodings + proxy_set_header Accept-Encoding ""; + proxy_ssl_verify off; + proxy_http_version 1.1; + proxy_read_timeout 86400; + proxy_pass http://plex_backend; } - #PlexPy forward example, works the same for other services. - #location /plexpy { - # proxy_pass http://127.0.0.1:8181; - #} + location /tautulli { + proxy_pass http://127.0.0.1:24200/tautulli; + # Advanced Proxy Config + proxy_read_timeout 240; + proxy_send_timeout 240; + proxy_connect_timeout 240; + proxy_headers_hash_bucket_size 128; + proxy_headers_hash_max_size 1024; + proxy_buffers 32 4k; + # Basic Proxy Config + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + #proxy_redirect http:// $scheme://; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_cache_bypass $cookie_session; + proxy_no_cache $cookie_session; + } } From 04a1ae7859367e793a1f956fa850513029f295fc Mon Sep 17 00:00:00 2001 From: Brett Petch Date: Mon, 14 Feb 2022 22:33:10 -0500 Subject: [PATCH 02/16] Update nginx.conf --- nginx.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx.conf b/nginx.conf index a9e5d3d..47f5ff1 100644 --- a/nginx.conf +++ b/nginx.conf @@ -118,7 +118,7 @@ server { proxy_ssl_verify off; proxy_http_version 1.1; proxy_read_timeout 86400; - proxy_pass http://plex_backend; + proxy_pass http://plex_backend; } location /tautulli { From bcf74186410da4111baa3b4c5f6b850067f8ecd0 Mon Sep 17 00:00:00 2001 
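Review bot: `ssl_key /etc/nginx/ssl/plex.EXAMPLE.COM/key.pem;` is not an nginx directive — the private key is loaded with `ssl_certificate_key`, which this hunk removes — so the rewritten file fails `nginx -t` before anything else is evaluated. In `location /`, `X-Real-IP` is now built from `$http_x_forwarded_for` and `X-Forwarded-For` from `$remote_addr`; the realip module only rewrites `$remote_addr`, so X-Real-IP carries whatever the client put in its own header (possibly a comma-separated list) while the hop chain nginx would normally append is lost — the removed assignment (`$remote_addr` / `$proxy_add_x_forwarded_for`) was the correct one. The hunk also drops `ssl_session_tickets off;`, which the Mozilla intermediate template it cites includes; with tickets left at the nginx default (on) and a 1d session timeout, resumption depends on a ticket key that is not rotated until nginx restarts. The corrected lines are below.
```nginx
    ssl_certificate /etc/nginx/ssl/plex.EXAMPLE.COM/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/plex.EXAMPLE.COM/key.pem;
    # … unchanged: ssl_trusted_certificate, ssl_dhparam, Mozilla TLS settings …
    ssl_session_tickets off;
    # … unchanged: stapling, resolver, timeouts, set_real_ip_from list …
    location / {
        # … unchanged: websocket and X-Plex-* headers …
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # … unchanged: X-Forwarded-Proto, Accept-Encoding, proxy_pass …
```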
From: Brett Petch Date: Mon, 14 Feb 2022 22:34:41 -0500 Subject: [PATCH 03/16] Update nginx.conf --- nginx.conf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/nginx.conf b/nginx.conf index 47f5ff1..c218731 100644 --- a/nginx.conf +++ b/nginx.conf @@ -53,8 +53,9 @@ server { # Set resolver to Cloudflare resolver 1.1.1.1 1.0.0.1 valid=300s; resolver_timeout 5s; - - send_timeout 100m; #Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause (e.g. Chrome) + # Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause (e.g. Chrome) + # You should really just be timing out using plex if the stream is inactive this long. + send_timeout 100m; proxy_headers_hash_bucket_size 128; proxy_headers_hash_max_size 1024; proxy_buffers 32 4k; From e4592adf13eca32ac7f4a8a8c7bf7e578551b1ae Mon Sep 17 00:00:00 2001 From: Brett Petch Date: Mon, 14 Feb 2022 22:38:45 -0500 Subject: [PATCH 04/16] Update nginx.conf --- nginx.conf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/nginx.conf b/nginx.conf index c218731..4843d9c 100644 --- a/nginx.conf +++ b/nginx.conf @@ -89,6 +89,10 @@ server { real_ip_header X-Forwarded-For; location / { + #Example of using sub_filter to alter what Plex displays, this disables Plex News. + #sub_filter ',news,' ','; + #sub_filter_once on; + #sub_filter_types text/xml; #Websockets proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; From bb700c4c25b4ae76defa65ef581484fbe78a3052 Mon Sep 17 00:00:00 2001 From: Brett Petch Date: Mon, 14 Feb 2022 22:40:09 -0500 Subject: [PATCH 05/16] Update nginx.conf --- nginx.conf | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/nginx.conf b/nginx.conf index 4843d9c..ec3ed3e 100644 --- a/nginx.conf +++ b/nginx.conf 
@@ -48,8 +48,7 @@ server { ssl_prefer_server_ciphers off; ssl_stapling on; ssl_stapling_verify on; - - + # Set resolver to Cloudflare resolver 1.1.1.1 1.0.0.1 valid=300s; resolver_timeout 5s; @@ -61,7 +60,6 @@ server { proxy_buffers 32 4k; # Increase body size client_max_body_size 1G; - # If using cloudflare this will resolve user ips correctly. set_real_ip_from 103.21.244.0/22; From 33f66ac67875a158d7ccfc8354499a76bfdd1333 Mon Sep 17 00:00:00 2001 From: Brett Petch Date: Mon, 14 Feb 2022 22:43:38 -0500 Subject: [PATCH 06/16] security --- nginx.conf | 33 +++++++++++++++++++++++++++------ 1 file changed, 27 insertions(+), 6 deletions(-) diff --git a/nginx.conf b/nginx.conf index ec3ed3e..0049839 100644 --- a/nginx.conf +++ b/nginx.conf @@ -1,3 +1,15 @@ +sendfile on; +tcp_nopush on; +tcp_nodelay on; +keepalive_timeout 65; +types_hash_max_size 2048; +server_names_hash_bucket_size 512; +server_names_hash_max_size 512; +proxy_headers_hash_bucket_size 512; +proxy_headers_hash_max_size 512; +include /etc/nginx/mime.types; +default_type application/octet-stream; + # SSL Config from https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 ssl_session_cache shared:MozSSL:10m; ssl_session_timeout 1d; 
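Review bot: The http-level `proxy_headers_hash_bucket_size 512;` / `proxy_headers_hash_max_size 512;` added at the top of the file are shadowed, for the Plex vhost, by the server-level `proxy_headers_hash_bucket_size 128;` / `proxy_headers_hash_max_size 1024;` that patch 1 introduced, because the inner context wins; the file now states two different sizes of which only one takes effect. Pick one place for them, and if the http-level values are the intended ones, drop the server-level pair. The new block is also only valid in the http context, so a comment such as `# http-context settings: include this file from nginx.conf's http { } block` would spare the next reader a startup error.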
@@ -48,9 +60,17 @@ server { ssl_prefer_server_ciphers off; ssl_stapling on; ssl_stapling_verify on; + ssl_buffer_size 4k; + + # Security + add_header X-Frame-Options SAMEORIGIN; + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header X-Robots-Tag "none" always; + add_header Referrer-Policy same-origin always; # Set resolver to Cloudflare - resolver 1.1.1.1 1.0.0.1 valid=300s; + resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; resolver_timeout 5s; # Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause (e.g. Chrome) # You should really just be timing out using plex if the stream is inactive this long. @@ -87,11 +107,12 @@ server { real_ip_header X-Forwarded-For; location / { - #Example of using sub_filter to alter what Plex displays, this disables Plex News. - #sub_filter ',news,' ','; - #sub_filter_once on; - #sub_filter_types text/xml; - #Websockets + # Example of using sub_filter to alter what Plex displays, this disables Plex News. + # sub_filter ',news,' ','; + # sub_filter_once on; + # sub_filter_types text/xml; + + # Websockets proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; proxy_redirect off; From e19a043490ed05b585c4c7366556db8571157bf5 Mon Sep 17 00:00:00 2001 From: Brett Petch Date: Mon, 14 Feb 2022 22:44:17 -0500 Subject: [PATCH 07/16] Update nginx.conf --- nginx.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx.conf b/nginx.conf index 0049839..9fff4ed 100644 --- a/nginx.conf +++ b/nginx.conf @@ -36,7 +36,7 @@ server { # Set this A / AAAA / CNAME record prior to starting. server_name plex.EXAMPLE.COM; access_log /var/log/nginx/access.log plex; # You can disable this. - + root /srv/; # ACME SSL Cert Generation Method: # curl https://get.acme.sh | sh # mkdir -p /etc/nginx/ssl/${hostname} 
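Review bot: `add_header X-Frame-Options SAMEORIGIN;` is the only one of the five new headers without `always`, so it is omitted on 4xx/5xx responses while the others are sent; make it `add_header X-Frame-Options SAMEORIGIN always;`. `X-XSS-Protection "1; mode=block"` is a deprecated header that current browsers ignore, and present guidance (OWASP, for example) is to set it to `0` or leave it out rather than enable it. The Strict-Transport-Security option that the old config carried as a commented-out line no longer appears anywhere; an HSTS header is the usual companion to a TLS-only endpoint and is worth re-adding, initially with a short max-age. Note that `add_header` is inherited by a location only when that location declares none of its own, which holds for the current `location /` but will silently stop holding if one is added there. The `server {` block these lines belong to starts and ends outside the hunk.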
From ada608214164b09bd974108127c8e0a222243fb5 Mon Sep 17 00:00:00 2001 From: Brett Petch Date: Mon, 14 Feb 2022 22:46:41 -0500 Subject: [PATCH 08/16] Update README.md --- README.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index c72ac47..04718d9 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,12 @@ This configuration will allow you to serve Plex via Nginx. ## Minimal Requirements Nginx - + +```bash +# for Debian based systems: +apt-get install -y nginx subversion ssl-cert socat +``` + Plex: * Remote Access - Disable * Network - Custom server access URLs = `https://:443,http://:80` From fc03fdd1d807cedaad3130915f828fbccc0cae44 Mon Sep 17 00:00:00 2001 From: Brett Petch Date: Mon, 14 Feb 2022 22:51:14 -0500 Subject: [PATCH 09/16] make nginx config tight --- nginx.conf | 70 +++++++++++++++++++++++++++++++++++++----------------- 1 file changed, 48 insertions(+), 22 deletions(-) diff --git a/nginx.conf b/nginx.conf index 9fff4ed..0928035 100644 --- a/nginx.conf +++ b/nginx.conf @@ -37,14 +37,19 @@ server { server_name plex.EXAMPLE.COM; access_log /var/log/nginx/access.log plex; # You can disable this. root /srv/; + + ## # ACME SSL Cert Generation Method: + # # curl https://get.acme.sh | sh # mkdir -p /etc/nginx/ssl/${hostname} # chmod 700 /etc/nginx/ssl # /root/.acme.sh/acme.sh --set-default-ca --server letsencrypt # No personal data needed to setup # /root/.acme.sh/acme.sh --force --issue --standalone -d ${hostname} # /root/.acme.sh/acme.sh --force --install-cert -d ${hostname} --key-file /etc/nginx/ssl/${hostname}/key.pem --fullchain-file /etc/nginx/ssl/${hostname}/fullchain.pem --ca-file /etc/nginx/ssl/${hostname}/chain.pem --reloadcmd "systemctl reload nginx" - + # Change the below. + ## + ssl_certificate /etc/nginx/ssl/plex.EXAMPLE.COM/fullchain.pem; ssl_key /etc/nginx/ssl/plex.EXAMPLE.COM/key.pem; ssl_trusted_certificate /etc/nginx/ssl/plex.EXAMPLE.COM/fullchain.pem; 
@@ -111,7 +116,6 @@ server {
 # sub_filter ',news,' ',';
 # sub_filter_once on;
 # sub_filter_types text/xml;
-
 # Websockets
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection "Upgrade";
@@ -144,25 +148,47 @@ server { proxy_read_timeout 86400; proxy_pass http://plex_backend; } + + ## + # Forward Tautulli over same domain + ## + + # location /tautulli { + # proxy_pass http://127.0.0.1:24200/tautulli; + # # Advanced Proxy Config + # proxy_read_timeout 240; + # proxy_send_timeout 240; + # proxy_connect_timeout 240; + # proxy_headers_hash_bucket_size 128; + # proxy_headers_hash_max_size 1024; + # proxy_buffers 32 4k; + # # Basic Proxy Config + # proxy_set_header Host $host; + # proxy_set_header X-Real-IP $remote_addr; + # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # proxy_set_header X-Forwarded-Proto https; + # #proxy_redirect http:// $scheme://; + # proxy_http_version 1.1; + # proxy_set_header Connection ""; + # proxy_cache_bypass $cookie_session; + # proxy_no_cache $cookie_session; + #} + + ## + # Host Librespeed on same domain + # If you want librespeed, install php-fpm libfcgi0ldbl php-cli php-dev php-xml php-curl php-xmlrpc php-json php-mbstring php-opcache php-geoip php-xml + # Check your php version and modify below accordingly. 
+ ## + # location /librespeed { + # alias /srv/librespeed; + # client_max_body_size 50M; + # client_body_buffer_size 128k; - location /tautulli { - proxy_pass http://127.0.0.1:24200/tautulli; - # Advanced Proxy Config - proxy_read_timeout 240; - proxy_send_timeout 240; - proxy_connect_timeout 240; - proxy_headers_hash_bucket_size 128; - proxy_headers_hash_max_size 1024; - proxy_buffers 32 4k; - # Basic Proxy Config - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; - #proxy_redirect http:// $scheme://; - proxy_http_version 1.1; - proxy_set_header Connection ""; - proxy_cache_bypass $cookie_session; - proxy_no_cache $cookie_session; - } + # location ~ \.php$ { + # include snippets/fastcgi-php.conf; + # fastcgi_pass unix:/run/php/php7.4-fpm.sock; + # fastcgi_param SCRIPT_FILENAME $request_filename; + # include fastcgi_params; + # } + # } } From 193fc49d40c5e22ff07f32e4006d585a1e42eb3d Mon Sep 17 00:00:00 2001 From: Brett Petch Date: Mon, 14 Feb 2022 22:51:39 -0500 Subject: [PATCH 10/16] Update nginx.conf --- nginx.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx.conf b/nginx.conf index 0928035..e895f80 100644 --- a/nginx.conf +++ b/nginx.conf @@ -172,7 +172,7 @@ server { # proxy_set_header Connection ""; # proxy_cache_bypass $cookie_session; # proxy_no_cache $cookie_session; - #} + # } ## # Host Librespeed on same domain From 2bb432fcd5f2c00f16b6134fb586c30b076b9896 Mon Sep 17 00:00:00 2001 From: Brett Petch Date: Mon, 14 Feb 2022 22:57:12 -0500 Subject: [PATCH 11/16] add connection upgrade back --- nginx.conf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/nginx.conf b/nginx.conf index e895f80..bcfac16 100644 --- a/nginx.conf +++ b/nginx.conf 
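Review bot: The commented Librespeed example pairs `location /librespeed {` with `alias /srv/librespeed;`, neither with a trailing slash; that is the well-known nginx alias-traversal misconfiguration, in which a request path that continues the `/librespeed` prefix with a parent-directory segment is resolved outside the aliased directory. If the block is ever uncommented as written it exposes the rest of `/srv` (which patch 7 made the server `root`), so write it as `location /librespeed/ { alias /srv/librespeed/;` before anyone copies it. In the now comment-only Tautulli block, `X-Forwarded-Proto https` is hard-coded where `$scheme` is used elsewhere in the file — only a nit while it stays commented. The enclosing `server {` block closes within this hunk but opens outside it.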
@@ -21,6 +21,11 @@ upstream plex_backend { keepalive 32; } +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + # For better Plex logging. log_format plex '$remote_addr - $remote_user [$time_local]' '"$request" $status $body_bytes_sent' From 108120717f396c7338e9f66ba2e96afa04bc9b09 Mon Sep 17 00:00:00 2001 From: Brett Petch Date: Mon, 7 Mar 2022 11:15:18 -0500 Subject: [PATCH 12/16] enable SSL Early Data --- nginx.conf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/nginx.conf b/nginx.conf index bcfac16..fba4dde 100644 --- a/nginx.conf +++ b/nginx.conf @@ -71,6 +71,7 @@ server { ssl_stapling on; ssl_stapling_verify on; ssl_buffer_size 4k; + ssl_early_data on; # Security add_header X-Frame-Options SAMEORIGIN; @@ -78,7 +79,8 @@ server { add_header X-XSS-Protection "1; mode=block" always; add_header X-Robots-Tag "none" always; add_header Referrer-Policy same-origin always; - + proxy_set_header Early-Data $ssl_early_data; + # Set resolver to Cloudflare resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; resolver_timeout 5s; From 99ea3477fe6c3e8713e1ca0e5a6d4aa8a2ab0ef1 Mon Sep 17 00:00:00 2001 From: Brett Petch Date: Mon, 7 Mar 2022 11:17:33 -0500 Subject: [PATCH 13/16] add DNS API verification comments --- nginx.conf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/nginx.conf b/nginx.conf index fba4dde..8765e22 100644 --- a/nginx.conf +++ b/nginx.conf 
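Review bot: The new `map $http_upgrade $connection_upgrade` is never referenced: as far as the hunks in this series show, `location /` still sends `proxy_set_header Connection "Upgrade";` unconditionally (patch 1), so every proxied request — not only WebSocket upgrades — tells Plex to upgrade and the map is dead configuration. The commit title ("add connection upgrade back") suggests the intended companion change is `proxy_set_header Connection $connection_upgrade;` in `location /`. That also matters because `upstream plex_backend` uses `keepalive 32`, and upstream keepalive expects the Connection header to be cleared on ordinary requests, which the map's `'' close` branch does not do either; `default upgrade; '' "";` is the form usually paired with a keepalive upstream.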
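Review bot: `proxy_set_header Early-Data $ssl_early_data;` is placed at server level, but nginx inherits `proxy_set_header` from the enclosing level only when the location defines none of its own, and `location /` defines more than twenty (patch 1), so the header is never sent to Plex and the replay signal meant to accompany `ssl_early_data on;` (previous hunk, same commit) is lost. Move the line into `location /` next to the other `proxy_set_header` lines. Even then, 0-RTT replay protection relies on the upstream answering early-data requests with 425 or treating them as idempotent; nothing here shows that Plex does so, so until that is confirmed the safer setting is to leave `ssl_early_data` at its default (off). Both hunks sit inside the `server {` block, which starts and ends outside them.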
@@ -50,7 +50,12 @@ server {
 # mkdir -p /etc/nginx/ssl/${hostname}
 # chmod 700 /etc/nginx/ssl
 # /root/.acme.sh/acme.sh --set-default-ca --server letsencrypt # No personal data needed to setup
+ # Standalone Method
 # /root/.acme.sh/acme.sh --force --issue --standalone -d ${hostname}
+ # DNS API Verification Method
+ # Reference: https://github.com/acmesh-official/acme.sh/wiki/dnsapi
+ # /root/.acme.sh/acme.sh --force --issue --dns dns_cf -d ${hostname} -d "*.${hostname}"
+ # Deploy to nginx
 # /root/.acme.sh/acme.sh --force --install-cert -d ${hostname} --key-file /etc/nginx/ssl/${hostname}/key.pem --fullchain-file /etc/nginx/ssl/${hostname}/fullchain.pem --ca-file /etc/nginx/ssl/${hostname}/chain.pem --reloadcmd "systemctl reload nginx"
 # Change the below.
 ##
From 134ed65c65477687dedc348ea2101a31ad289575 Mon Sep 17 00:00:00 2001
From: Brett Petch
Date: Mon, 11 Jul 2022 12:28:30 -0400
Subject: [PATCH 14/16] chore: add `X-Plex-Container-Size` header
Per log from Plex, this will be required to avoid 400 in the near future.
---
 nginx.conf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/nginx.conf b/nginx.conf
index 8765e22..1d7aff6 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -138,6 +138,7 @@ server {
 proxy_set_header Sec-WebSocket-Version $http_sec_websocket_version;
 # Plex Headers
 proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
+ proxy_set_header X-Plex-Container-Size $http_x_plex_container_size;
 proxy_set_header X-Plex-Device $http_x_plex_device;
 proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
 proxy_set_header X-Plex-Platform $http_x_plex_platform;
From 414597ebdee722cf60d43a6d704dc7607924182c Mon Sep 17 00:00:00 2001
From: Brett Petch
Date: Mon, 11 Jul 2022 12:31:23 -0400
Subject: [PATCH 15/16] fix: `ssl_ciphers` update
---
 nginx.conf | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/nginx.conf b/nginx.conf
index 1d7aff6..f4fe798 100644
--- a/nginx.conf
+++ b/nginx.conf
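Review bot: `proxy_set_header X-Plex-Container-Size $http_x_plex_container_size;` is a no-op: nginx forwards every client request header to the upstream unchanged except `Host` and `Connection`, and when the client omits the header the variable is empty and nginx drops the field, so the directive neither adds nor removes anything. The same applies to `X-Plex-Container-Start` in patch 16 and to the existing block of `X-Plex-*` lines it joins. If the 400 mentioned in the commit message really disappears with this line, the mechanism is not visible here and deserves a comment; otherwise the whole `# Plex Headers` block could shrink to `# X-Plex-* request headers pass through to the upstream by default; nothing to set here.` The `location /` this lands in starts and ends outside the hunk.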
@@ -69,10 +69,9 @@ server { # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 ssl_session_cache shared:MozSSL:10m; ssl_session_timeout 1d; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ecdh_curve X25519:P-256:P-384; - ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'; - ssl_prefer_server_ciphers off; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; ssl_stapling on; ssl_stapling_verify on; ssl_buffer_size 4k; From 568fa7b924ed1b8a9526e12f4348d9d22dc09288 Mon Sep 17 00:00:00 2001 From: Brett Petch Date: Mon, 11 Jul 2022 13:22:34 -0400 Subject: [PATCH 16/16] chore: add `X-Plex-Container-Start` header due to warning in plex logs --- nginx.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/nginx.conf b/nginx.conf index f4fe798..c6f126d 100644 --- a/nginx.conf +++ b/nginx.conf @@ -138,6 +138,7 @@ server { # Plex Headers proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier; proxy_set_header X-Plex-Container-Size $http_x_plex_container_size; + proxy_set_header X-Plex-Container-Start $http_x_plex_container_start; proxy_set_header X-Plex-Device $http_x_plex_device; proxy_set_header X-Plex-Device-Name $http_x_plex_device_name; proxy_set_header X-Plex-Platform $http_x_plex_platform;
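Review bot: The commit title says the ciphers were updated, but the new `ssl_ciphers` list is byte-for-byte the removed one with the quotes stripped; the only behavioural change in the hunk is the removal of `ssl_ecdh_curve X25519:P-256:P-384;`, which leaves curve selection at nginx's default `auto` (OpenSSL's own preference list). That is acceptable on OpenSSL 1.1.1+, which already prefers X25519, but it departs from the Mozilla template cited two lines above and is not mentioned in the message; either keep the line or record the decision, e.g. `# ssl_ecdh_curve left at default (auto): OpenSSL 1.1.1 already prefers X25519`. The surrounding `server {` block starts and ends outside the hunk.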