nixcfg/cluster/prod/app/jitsi/config/nginx.conf

149 lines
4.6 KiB
Nginx Configuration File

# some doc: https://www.nginx.com/resources/wiki/start/topics/examples/full/
error_log /dev/stderr info;
events {}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# mimetypes, required by jitsi!
include /etc/nginx/mime.types;
default_type application/octet-stream;
types {
application/wasm wasm;
}
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Gzip Settings
##
gzip on;
access_log /dev/stdout;
server_names_hash_bucket_size 64;
# Log real IPs
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.16.0.0/12;
set_real_ip_from 192.168.0.0/16;
real_ip_header X-Forwarded-For;
# inspired by https://raw.githubusercontent.com/jitsi/docker-jitsi-meet/master/web/rootfs/defaults/meet.conf
server {
#listen 0.0.0.0:{{ env "NOMAD_PORT_https_port" }} ssl http2 default_server;
#listen [::]:{{ env "NOMAD_PORT_https_port" }} ssl http2 default_server;
listen 0.0.0.0:{{ env "NOMAD_PORT_https_port" }} default_server;
listen [::]:{{ env "NOMAD_PORT_https_port" }} default_server;
client_max_body_size 0;
server_name _;
# ssi on with javascript for multidomain variables in config.js
ssi on;
ssi_types application/x-javascript application/javascript;
#ssl_certificate /etc/nginx/jitsi.crt;
#ssl_certificate_key /etc/nginx/jitsi.key;
root /srv/jitsi-meet;
index index.html;
error_page 404 /static/404.html;
location = /config.js {
alias /srv/jitsi-meet/config.js;
}
location = /interface_config.js {
alias /srv/jitsi-meet/interface_config.js;
}
location = /external_api.js {
alias /srv/jitsi-meet/libs/external_api.min.js;
}
# ensure all static content can always be found first
location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
{
add_header 'Access-Control-Allow-Origin' '*';
alias /srv/jitsi-meet/$1/$2;
}
# not used yet VVV
# colibri (JVB) websockets
#location ~ ^/colibri-ws/([a-zA-Z0-9-\.]+)/(.*) {
# proxy_pass http://$1:9090/colibri-ws/$1/$2$is_args$args;
# proxy_http_version 1.1;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "upgrade";
# tcp_nodelay on;
#}
location ~ "2daut2wank2|2duat2wank|2duat2wank0|2duat2wank1|2duat2wank2|2duat2wank3|2duatr2wank|2duatr2wank0|2duatr2wank1|2duatr2wank2|2wank2daut2|daut1|duat2wank|duat2wank2|duatr2wank2|prettypanties|slutgfs|wabk2daugther|wank2daugther|wank2daut|wank2daut2|wank2daut3|wankwatch" {
return 302 https://www.service-public.fr/particuliers/vosdroits/R17674;
}
location = /http-bind {
if ($args ~ "2daut2wank2|2duat2wank|2duat2wank0|2duat2wank1|2duat2wank2|2duat2wank3|2duatr2wank|2duatr2wank0|2duatr2wank1|2duatr2wank2|2wank2daut2|daut1|duat2wank|duat2wank2|duatr2wank2|prettypanties|slutgfs|wabk2daugther|wank2daugther|wank2daut|wank2daut2|wank2daut3|wankwatch") {
return 403 'forbidden';
}
# We add CORS to use a different frontend which is useful for load testing as we do not want to advertise too much our URL
add_header 'Access-Control-Allow-Headers' 'content-type';
add_header 'Access-Control-Allow-Methods' 'GET,POST,PUT,DELETE,OPTIONS';
add_header 'Access-Control-Allow-Origin' '*';
proxy_pass http://{{ env "NOMAD_ADDR_bosh_port" }}/http-bind;
proxy_set_header X-Forwarded-For $remote_addr;
#proxy_set_header Host $http_host;
proxy_set_header Host jitsi-bosh;
}
# not used yet VVV
# xmpp websockets
#location = /xmpp-websocket {
# proxy_pass {{ .Env.XMPP_BOSH_URL_BASE }}/xmpp-websocket;
# proxy_http_version 1.1;
# proxy_set_header Connection "upgrade";
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Host {{ .Env.XMPP_DOMAIN }};
# proxy_set_header X-Forwarded-For $remote_addr;
# tcp_nodelay on;
#}
location ~ ^/([^/?&:'"]+)$ {
try_files $uri @root_path;
}
location @root_path {
rewrite ^/(.*)$ / break;
}
# Not used yet VVVV
# Etherpad-lite
# location /etherpad/ {
# proxy_http_version 1.1;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection 'upgrade';
# proxy_set_header Host $host;
# proxy_cache_bypass $http_upgrade;
# proxy_pass {{ .Env.ETHERPAD_URL_BASE }}/;
# proxy_set_header X-Forwarded-For $remote_addr;
# proxy_buffering off;
# proxy_set_header Host {{ .Env.XMPP_DOMAIN }};
# }
}
}