Saving Even More Power

calendar2022-12-21 · 3 min read · power green linux Raspberry Pi  ·
Share on: linkedincopy

I decided having a blog that is not up all 24h a day, is not nice. So I have moved hosting to a Raspberry Pi 3B that I had lying around.

The shift was very smooth. I installed Ubuntu Server on the little thing, and was able to move configuration from my NAS.

At the same time I also re-enabled WakeOnLAN for my NAS. My Jellyfin library is still on that server, and Nginx on the Pi is just forwarding trafic.

My website has this Nginx config:

 1server {
 2    listen 80;
 3    listen [::]:80;
 4    server_name veloce.dk;
 5
 6    # Uncomment to redirect HTTP to HTTPS
 7    return 301 https://$host$request_uri;
 8}
 9
10server {
11    listen 443 ssl http2;
12    listen [::]:443 ssl http2;
13    server_name veloce.dk;
14
15    ssl_certificate /etc/letsencrypt/live/veloce.dk/fullchain.pem;
16    ssl_certificate_key /etc/letsencrypt/live/veloce.dk/privkey.pem;
17    include /etc/letsencrypt/options-ssl-nginx.conf;
18    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
19    add_header Strict-Transport-Security "max-age=31536000" always;
20    ssl_trusted_certificate /etc/letsencrypt/live/veloce.dk/chain.pem;
21    ssl_stapling on;
22    ssl_stapling_verify on;
23
24    # Security / XSS Mitigation Headers
25    add_header X-Frame-Options "SAMEORIGIN";
26    add_header X-XSS-Protection "1; mode=block";
27    add_header X-Content-Type-Options "nosniff";
28
29    location / {
30        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
31        proxy_set_header Host $host;
32        proxy_pass http://127.0.0.1:3000;
33        proxy_http_version 1.1;
34        proxy_set_header Upgrade $http_upgrade;
35        proxy_set_header Connection "upgrade";
36    }
37}

and the jellyfin forward is like this:

 1server {
 2    listen 80;
 3    listen [::]:80;
 4    server_name jellyfin;
 5
 6    # Uncomment to redirect HTTP to HTTPS
 7    return 301 https://$host$request_uri;
 8}
 9
10server {
11    listen 443 ssl http2;
12    listen [::]:443 ssl http2;
13    server_name jellyfin;
14
15    ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
16    client_max_body_size 20M;
17
18    # use a variable to store the upstream proxy
19    # in this example we are using a hostname which is resolved via DNS
20    # (if you aren't using DNS remove the resolver line and change the variable to point to an IP address e.g `set $jellyfin 127.0.0.1`)
21    #set $jellyfin jellyfin;
22    #resolver 127.0.0.1 valid=30;
23    set $jellyfin 192.168.1.10;
24
25    ssl_certificate /etc/letsencrypt/live/jellyfin/fullchain.pem;
26    ssl_certificate_key /etc/letsencrypt/live/jellyfin/privkey.pem;
27    include /etc/letsencrypt/options-ssl-nginx.conf;
28    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
29    add_header Strict-Transport-Security "max-age=31536000" always;
30    ssl_trusted_certificate /etc/letsencrypt/live/jellyfin/chain.pem;
31    ssl_stapling on;
32    ssl_stapling_verify on;
33
34    # Security / XSS Mitigation Headers
35    add_header X-Frame-Options "SAMEORIGIN";
36    add_header X-XSS-Protection "1; mode=block";
37    add_header X-Content-Type-Options "nosniff";
38
39    # Content Security Policy
40    # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
41    # Enforces https content and restricts JS/CSS to origin
42    # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
43    #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
44
45    location = / {
46        #return 302 http://$host/web/;
47        return 302 https://$host/web/;
48    }
49
50    location / {
51        # Proxy main Jellyfin traffic
52        proxy_pass http://$jellyfin:8096;
53        proxy_set_header Host $host;
54        proxy_set_header X-Real-IP $remote_addr;
55        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
56        proxy_set_header X-Forwarded-Proto $scheme;
57        proxy_set_header X-Forwarded-Protocol $scheme;
58        proxy_set_header X-Forwarded-Host $http_host;
59
60        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
61        proxy_buffering off;
62    }
63
64    # location block for /web - This is purely for aesthetics so /web/#!/ works instead of having to go to /web/index.html/#!/
65    location = /web/ {
66        # Proxy main Jellyfin traffic
67        proxy_pass http://$jellyfin:8096/web/index.html;
68        proxy_set_header Host $host;
69        proxy_set_header X-Real-IP $remote_addr;
70        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
71        proxy_set_header X-Forwarded-Proto $scheme;
72        proxy_set_header X-Forwarded-Protocol $scheme;
73        proxy_set_header X-Forwarded-Host $http_host;
74    }
75
76    location /socket {
77        # Proxy Jellyfin Websockets traffic
78        proxy_pass http://$jellyfin:8096;
79        proxy_http_version 1.1;
80        proxy_set_header Upgrade $http_upgrade;
81        proxy_set_header Connection "upgrade";
82        proxy_set_header Host $host;
83        proxy_set_header X-Real-IP $remote_addr;
84        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
85        proxy_set_header X-Forwarded-Proto $scheme;
86        proxy_set_header X-Forwarded-Protocol $scheme;
87        proxy_set_header X-Forwarded-Host $http_host;
88    }
89}