Correcting and adjusting Nginx docs #1098
Conversation
|
Still testing to validate function vs security. |
|
What are your opinions on the way we currently have the http vs https configs laid out? Right now we have an http config with https parameters commented out. But we also have a separate https example. Should we de-clutter the http example in favor of the already separate https example? |
|
We should have the default be https, and tell them to comment / change certain lines if they wish to have a http only setup. |
Done. Put HTTPS prominently at the top. HTTP example is tucked away in an expandable block. Why would the subpath examples not proxy /socket? |
|
why isn't the https one default for the subpath option? |
Re-arranged. |
I do agree it is excessive. I will trim and tone down the warnings.
My bad. Will make it uniform. |
I removed one of the cautions and changed the remaining caution to a tip and changed it a bit to tone it down.
Done. Also uncommented the CSP header and added img-src to address an issue not having it causes when searching for images in the Jellyfin UI. |
docs/general/networking/nginx.md
Outdated
| :::tip | ||
|
|
||
| The default X-Frame-Options header may cause issues with the webOS app, causing it to remain stuck at a black screen. If enabled, the default Content Security Policy may also cause issues. | ||
|
|
||
| ::: |
There was a problem hiding this comment.
A caution is more appropriate for this one but realistically it can be removed altogether IMO, there is already mentions about it in the comments in the config
docs/general/networking/nginx.md
Outdated
| server { | ||
| listen 80; | ||
| listen [::]:80; | ||
| # server_name DOMAIN_NAME; | ||
| server_name jellyfin.DOMAIN.TLD; |
There was a problem hiding this comment.
Maybe using example.com would be better than DOMAIN.TLD? Also add text to tell users to replace the example domain with what they actually want
docs/general/networking/nginx.md
Outdated
| # listen [::]:443 ssl; | ||
| http2 on; | ||
| server_name DOMAIN_NAME; | ||
| server_name jellyfin.DOMAIN.TLD; |
docs/general/networking/nginx.md
Outdated
| ssl_certificate /etc/letsencrypt/live/DOMAIN.TLD/fullchain.pem; | ||
| ssl_certificate_key /etc/letsencrypt/live/DOMAIN.TLD/privkey.pem; | ||
| include /etc/letsencrypt/options-ssl-nginx.conf; | ||
| ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; | ||
| ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN.TLD/chain.pem; |
There was a problem hiding this comment.
same as above (example.com instead of DOMAIN.TLD)
| # Content Security Policy | ||
| # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP | ||
| # Enforces https content and restricts JS/CSS to origin | ||
| # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. | ||
| # NOTE: The default CSP headers may cause issues with the webOS app | ||
| #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'"; | ||
| add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'"; |
There was a problem hiding this comment.
why are the gstatic.com and youtube.com policies needed here?
docs/general/networking/nginx.md
Outdated
| :::tip | ||
|
|
||
| The following configuration is provided for ease of use only. If you are planning on exposing your server over the Internet you should setup HTTPS. [Let's Encrypt](https://letsencrypt.org/getting-started/) can provide free TLS certificates which can be installed easily via [certbot](https://certbot.eff.org/). Using only HTTP will expose passwords and API keys. | ||
|
|
||
| ::: |
There was a problem hiding this comment.
The entire thing or just the first sentence?
| # Enforces https content and restricts JS/CSS to origin | ||
| # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. | ||
| # NOTE: The default CSP headers may cause issues with the webOS app | ||
| add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'"; |
docs/general/networking/nginx.md
Outdated
| server { | ||
| listen 80; | ||
| listen [::]:80; | ||
| server_name jellyfin.DOMAIN.TLD; |
Cloudflare Pages deployment
|
Correcting and adjusting Nginx docs. Jellyfin site config should not be in conf.d. Also making adjustments to config to address common problems. Particularly with the COOP/COEP headers causing image searching to not show images.