server { listen 80; server_name video.atomic6.net; # Let's Encrypt challenge path location /.well-known/acme-challenge/ { alias /var/www/html/.well-known/acme-challenge/; try_files $uri =404; } # Redirect all other traffic to HTTPS location / { return 301 https://$server_name$request_uri; } } server { listen 443 ssl; http2 on; server_name video.atomic6.net; # SSL Configuration ssl_certificate /etc/letsencrypt/live/home.seanowiecki.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/home.seanowiecki.com/privkey.pem; # SSL Settings ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; # Media server proxy configuration location / { proxy_pass http://192.168.1.131:8096; # Essential headers proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Port 443; # Disable SSL verification for backend proxy_ssl_verify off; proxy_ssl_server_name on; # WebSocket support proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; # Timeouts for media streaming proxy_connect_timeout 30s; proxy_send_timeout 30s; proxy_read_timeout 30s; proxy_buffering off; # Allow large file uploads/downloads client_max_body_size 0; } # Explicit WebSocket endpoint location /ws { proxy_pass http://192.168.1.131:8096/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $host; proxy_read_timeout 86400s; } # Security headers add_header X-Frame-Options SAMEORIGIN; add_header Referrer-Policy same-origin; }