jee-r/ampache.conf

## ampache.conf
server {
  listen                     80;
  server_name                #DOMAIN#;
  return 301 https://$server_name$request_uri;

}

server {
    listen 443 ssl http2;
    server_name #DOMAIN#;

    ssl_certificate /etc/letsencrypt/live/#DOMAIN#/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/#DOMAIN#/privkey.pem;

    include /etc/nginx/conf.d/ssl_params;
    include /etc/nginx/conf.d/headers_params;

    access_log /var/log/nginx/access.log combined;
    error_log /var/log/nginx/error.log error;

    root /var/www/ampache;
    index index.php;

    proxy_max_temp_file_size 0;

    # Rewrite rule for Subsonic backend
    if ( !-d $request_filename ) {
        rewrite ^/rest/(.*).view$ /rest/index.php?action=$1 last;
        rewrite ^/rest/fake/(.+)$ /play/$1 last;
    }

    # Rewrite rule for Channels
    if (!-d $request_filename){
      rewrite ^/channel/([0-9]+)/(.*)$ /channel/index.php?channel=$1&target=$2 last;
    }

    # Beautiful URL Rewriting
    rewrite ^/play/ssid/(\w+)/type/(\w+)/oid/([0-9]+)/uid/([0-9]+)/name/(.*)$ /play/index.php?ssid=$1&type=$2&oid=$3&uid=$4&name=$5 last;
    rewrite ^/play/ssid/(\w+)/type/(\w+)/oid/([0-9]+)/uid/([0-9]+)/client/(.*)/noscrobble/([0-1])/name/(.*)$ /play/index.php?ssid=$1&type=$2&oid=$3&uid=$4&client=$5&noscrobble=$6&name=$7 last;
    rewrite ^/play/ssid/(.*)/type/(.*)/oid/([0-9]+)/uid/([0-9]+)/client/(.*)/noscrobble/([0-1])/player/(.*)/name/(.*)$ /play/index.php?ssid=$1&type=$2&oid=$3&uid=$4&client=$5&noscrobble=$6&player=$7&name=$8 last;
    rewrite ^/play/ssid/(.*)/type/(.*)/oid/([0-9]+)/uid/([0-9]+)/client/(.*)/noscrobble/([0-1])/transcode_to/(w+)/bitrate/([0-9]+)/player/(.*)/name/(.*)$ /play/index.php?ssid=$1&type=$2&oid=$3&uid=$4&client=$5&noscrobble=$6&transcode_to=$7&bitrate=$8&player=$9&name=$10 last;

    # the following line was needed for me to get downloads of single songs to work
    rewrite ^/play/ssid/(.*)/type/(.*)/oid/([0-9]+)/uid/([0-9]+)/action/(.*)/name/(.*)$ /play/index.php?ssid=$1&type=$2&oid=$3&uid=$4action=$5&name=$6 last;
        location /play {
            if (!-e $request_filename) {
                rewrite ^/play/art/([^/]+)/([^/]+)/([0-9]+)/thumb([0-9]*)\.([a-z]+)$ /image.php?object_type=$2&object_id=$3&auth=$1;
                break;
            }

        rewrite ^/([^/]+)/([^/]+)(/.*)?$ /play/$3?$1=$2;
        rewrite ^/(/[^/]+|[^/]+/|/?)$ /play/index.php last;
        break;
        }

   location /rest {
       limit_except GET POST {
           deny all;
       }
   }

   location ^~ /bin/ {
       deny all;
       return 403;
   }

   location ^~ /config/ {
       deny all;
       return 403;
   }

   location / {
       limit_except GET POST HEAD{
          deny all;
       }
   }

   location ~ \.php$ {
        try_files $uri = 404;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        fastcgi_read_timeout 600s;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        #fastcgi_param HTTP_PROXY "";
        #fastcgi_param HTTPS on;
        #fastcgi_split_path_info ^(.+?\.php)(/.*)$;
   }

    # Rewrite rule for WebSocket
    location /ws {
         rewrite ^/ws/(.*) /$1 break;
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "upgrade";
         proxy_set_header Host $host;
         proxy_pass http://127.0.0.1:8100/;
    }

    # Static Content

    location /static/ {
        root /var/www/;
    }

}

## headers_params
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

## ssl_param
ssl_protocols TLSv1.2;
ssl_ecdh_curve X25519:P-521:P-384:P-256;
ssl_ciphers EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES;
ssl_prefer_server_ciphers on;

ssl_session_cache shared:SSL:20m;
ssl_session_timeout 15m;
ssl_session_tickets off;
	server {
	listen 80;
	server_name #DOMAIN#;
	return 301 https://$server_name$request_uri;

	}

	server {
	listen 443 ssl http2;
	server_name #DOMAIN#;

	ssl_certificate /etc/letsencrypt/live/#DOMAIN#/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/#DOMAIN#/privkey.pem;

	include /etc/nginx/conf.d/ssl_params;
	include /etc/nginx/conf.d/headers_params;

	access_log /var/log/nginx/access.log combined;
	error_log /var/log/nginx/error.log error;

	root /var/www/ampache;
	index index.php;

	proxy_max_temp_file_size 0;

	# Rewrite rule for Subsonic backend
	if ( !-d $request_filename ) {
	rewrite ^/rest/(.*).view$ /rest/index.php?action=$1 last;
	rewrite ^/rest/fake/(.+)$ /play/$1 last;
	}

	# Rewrite rule for Channels
	if (!-d $request_filename){
	rewrite ^/channel/([0-9]+)/(.*)$ /channel/index.php?channel=$1&target=$2 last;
	}

	# Beautiful URL Rewriting
	rewrite ^/play/ssid/(\w+)/type/(\w+)/oid/([0-9]+)/uid/([0-9]+)/name/(.*)$ /play/index.php?ssid=$1&type=$2&oid=$3&uid=$4&name=$5 last;
	rewrite ^/play/ssid/(\w+)/type/(\w+)/oid/([0-9]+)/uid/([0-9]+)/client/(.)/noscrobble/([0-1])/name/(.)$ /play/index.php?ssid=$1&type=$2&oid=$3&uid=$4&client=$5&noscrobble=$6&name=$7 last;
	rewrite ^/play/ssid/(.)/type/(.)/oid/([0-9]+)/uid/([0-9]+)/client/(.)/noscrobble/([0-1])/player/(.)/name/(.*)$ /play/index.php?ssid=$1&type=$2&oid=$3&uid=$4&client=$5&noscrobble=$6&player=$7&name=$8 last;
	rewrite ^/play/ssid/(.)/type/(.)/oid/([0-9]+)/uid/([0-9]+)/client/(.)/noscrobble/([0-1])/transcode_to/(w+)/bitrate/([0-9]+)/player/(.)/name/(.*)$ /play/index.php?ssid=$1&type=$2&oid=$3&uid=$4&client=$5&noscrobble=$6&transcode_to=$7&bitrate=$8&player=$9&name=$10 last;

	# the following line was needed for me to get downloads of single songs to work
	rewrite ^/play/ssid/(.)/type/(.)/oid/([0-9]+)/uid/([0-9]+)/action/(.)/name/(.)$ /play/index.php?ssid=$1&type=$2&oid=$3&uid=$4action=$5&name=$6 last;
	location /play {
	if (!-e $request_filename) {
	rewrite ^/play/art/([^/]+)/([^/]+)/([0-9]+)/thumb([0-9]*)\.([a-z]+)$ /image.php?object_type=$2&object_id=$3&auth=$1;
	break;
	}

	rewrite ^/([^/]+)/([^/]+)(/.*)?$ /play/$3?$1=$2;
	rewrite ^/(/[^/]+\|[^/]+/\|/?)$ /play/index.php last;
	break;
	}

	location /rest {
	limit_except GET POST {
	deny all;
	}
	}

	location ^~ /bin/ {
	deny all;
	return 403;
	}

	location ^~ /config/ {
	deny all;
	return 403;
	}

	location / {
	limit_except GET POST HEAD{
	deny all;
	}
	}

	location ~ \.php$ {
	try_files $uri = 404;
	fastcgi_pass unix:/run/php/php7.0-fpm.sock;
	fastcgi_index index.php;
	fastcgi_read_timeout 600s;
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	include fastcgi_params;
	#fastcgi_param HTTP_PROXY "";
	#fastcgi_param HTTPS on;
	#fastcgi_split_path_info ^(.+?\.php)(/.*)$;
	}

	# Rewrite rule for WebSocket
	location /ws {
	rewrite ^/ws/(.*) /$1 break;
	proxy_http_version 1.1;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection "upgrade";
	proxy_set_header Host $host;
	proxy_pass http://127.0.0.1:8100/;
	}

	# Static Content

	location /static/ {
	root /var/www/;
	}

	}
	add_header X-Frame-Options "SAMEORIGIN" always;
	add_header X-Content-Type-Options nosniff;
	add_header X-XSS-Protection "1; mode=block";
	ssl_protocols TLSv1.2;
	ssl_ecdh_curve X25519:P-521:P-384:P-256;
	ssl_ciphers EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES;
	ssl_prefer_server_ciphers on;

	ssl_session_cache shared:SSL:20m;
	ssl_session_timeout 15m;
	ssl_session_tickets off;