Untitled

avatar
unknown
plain_text
a month ago
6.1 kB
11
No Index
worker_processes  1;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;

    # Static token for iptv players
    map $arg_key $is_valid_key {
        default 0;
        
        # keys
        "blabla45" 1;
        "sure8!" 1; 
    }

    # HTTP redirect to HTTPS
    server {
    if ($host = my.domain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        listen       80;
        server_name  my.domain.com;
        return       301 https://$server_name$request_uri;
    

}

    # HTTPS server
    server {
        listen       443 ssl;
        server_name  my.domain.com;
        client_max_body_size 20M;

        # SSL only - modern protocols
        ssl_protocols TLSv1.3 TLSv1.2;
        
        # SSL config (ubuntu)
        ssl_certificate /etc/nginx/ssl/domain.com.crt;
        ssl_certificate_key /etc/nginx/ssl/domain.com.key;
        
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        # Security Headers
        add_header X-Content-Type-Options "nosniff";
        add_header X-Frame-Options "SAMEORIGIN";

        # Block root
        location / {
            return 403;
        }

        # Allow M3U playlist only with key
        location = /iptv/channels.m3u {
            if ($is_valid_key = 0) {
                return 403 "Access Denied: Invalid key";
            }
            
            proxy_pass http://127.0.0.1:8409/iptv/channels.m3u;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $http_host;
            
            proxy_buffering off;
            proxy_connect_timeout 30s;
            proxy_send_timeout 30s;
            proxy_read_timeout 30s;
        }

        # Allow XMLTV EPG with valid key
        location = /iptv/xmltv.xml {
            if ($is_valid_key = 0) {
                return 403 "Access Denied: Invalid key";
            }
            
            proxy_pass http://127.0.0.1:8409/iptv/xmltv.xml;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $http_host;
            
            proxy_buffering off;
            proxy_connect_timeout 30s;
            proxy_send_timeout 30s;
            proxy_read_timeout 30s;
        }

        # Allow channel pictures
        location ~* ^/iptv/.*\.(jpg|jpeg|png|gif|ico|webp|svg)$ {
            proxy_pass http://192.168.2.144:8409;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $http_host;
            
            proxy_buffering off;
            proxy_connect_timeout 30s;
            proxy_send_timeout 30s;
            proxy_read_timeout 30s;
        }

        # Allow stream types
        location ~* ^/iptv/.*\.(mp4|avi|mkv|mov|wmv|flv|webm|m4v|m3u8|ts)$ {
        #    if ($is_valid_key = 0) {
        #        return 403;
        #    }
            
            proxy_pass http://127.0.0.1:8409;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $http_host;
            
            # BUFFERING OFF
            proxy_buffering off;
            
            # timeout for big files
            proxy_connect_timeout 60s;
            proxy_send_timeout 600s;
            proxy_read_timeout 3600s;
            
            # Range support for video seek
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_no_cache $http_range $http_if_range;
        }

        # Allow API with valid key
        location ~* ^/iptv/(api|stream|live|vod|movie)/ {
        #    if ($is_valid_key = 0) {
        #        return 403;
        #    }
            
            proxy_pass http://127.0.0.1:8409;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $http_host;
            
            proxy_buffering off;
            proxy_connect_timeout 60s;
            proxy_send_timeout 600s;
            proxy_read_timeout 3600s;
        }

        # WebSocket support SAMO sa validnim kljuÄem
        location /ws {
        #    if ($is_valid_key = 0) {
        #        return 403;
        #    }
            
            proxy_pass http://127.0.0.1:8409;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $http_host;
            
            proxy_buffering off;
        }

        # Block all others in the /iptv
        location /iptv/ {
            return 403;
        }
    
}
}
Editor is loading...
Leave a Comment