From a68ada329eda384e6d6c170b8f642775263b0b64 Mon Sep 17 00:00:00 2001
From: Karl Grube <karl@hudlergrube.com>
Date: Tue, 5 Nov 2024 13:14:03 +0100
Subject: [PATCH] fixing the nginx site to work properly
---
 templates/site.j2 | 103 +++------------------------------------------
 1 file changed, 5 insertions(+), 98 deletions(-)
diff --git a/templates/site.j2 b/templates/site.j2
index c086da4..c6dcd03 100644
--- a/templates/site.j2
+++ b/templates/site.j2
@@ -5,52 +5,14 @@ types {
 application/wasm wasm;
 audio/wav wav;
 }
-upstream prosody {
- zone upstreams 64K;
- server 127.0.0.1:5280;
- keepalive 2;
-}
-upstream jvb1 {
- zone upstreams 64K;
- server 127.0.0.1:9090;
- keepalive 2;
-}
-map $arg_vnode $prosody_node {
- default prosody;
- v1 v1;
- v2 v2;
- v3 v3;
- v4 v4;
- v5 v5;
- v6 v6;
- v7 v7;
- v8 v8;
-}
-server {
- listen 80;
- listen [::]:80;
- server_name {{jitsi_domain}};
-
- location ^~ /.well-known/acme-challenge/ {
- default_type "text/plain";
- root /usr/share/jitsi-meet;
- }
- location = /.well-known/acme-challenge/ {
- return 404;
- }
- location / {
- return 301 https://$host$request_uri;
- }
-}
 server {
 listen 443 ssl http2;
 listen [::]:443 ssl http2;
 server_name {{jitsi_domain}};
- # Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
- ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_protocols TLSv1.3;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
- ssl_prefer_server_ciphers off;
+ ssl_prefer_server_ciphers on;
 ssl_session_timeout 1d;
 ssl_session_cache shared:SSL:10m; # about 40000 sessions
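Review bot: With `ssl_protocols TLSv1.3;` the `ssl_ciphers` list that follows it is dead configuration, because in nginx/OpenSSL `ssl_ciphers` only governs TLS 1.2 suites while the TLS 1.3 suites come from OpenSSL's `Ciphersuites` default (settable with `ssl_conf_command Ciphersuites ...`); flipping `ssl_prefer_server_ciphers` to `on` at most reorders those three AEAD suites and contradicts the Mozilla profile the deleted comment referenced, which sets it `off`. Either keep `ssl_protocols TLSv1.2 TLSv1.3;` for clients that still need 1.2 (then the cipher list matters again), or remove the `ssl_ciphers` line and add a comment such as `# TLS 1.3 only: suites come from OpenSSL defaults, ssl_ciphers has no effect`. Deleting the whole port-80 server also removes the `return 301 https://$host$request_uri;` redirect, so plain-HTTP requests for {{jitsi_domain}} now land on whatever default vhost exists; if the redirect is still wanted, a minimal `server { listen 80; listen [::]:80; server_name {{jitsi_domain}}; return 301 https://$host$request_uri; }` is enough now that the ACME HTTP-01 location is apparently no longer needed. The `server { listen 443 ... }` block continues past the end of the hunk.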
@@ -61,9 +23,9 @@ server {
 set $custom_index "";
 set $config_js_location /etc/jitsi/meet/{{jitsi_domain}}-config.js;
- ssl_certificate /etc/ssl/jitsi/makise1.crt;
- ssl_certificate_key /etc/ssl/jitsi/makise1.crt;
-
+ ssl_certificate /etc/ssl/step/{{fqdn}}.crt;
+ ssl_certificate_key /etc/ssl/step/{{fqdn}}.key;
+# ssl_dhparam /etc/ssl/step/{{fqdn}}.dh;
 root /usr/share/jitsi-meet;
 # ssi on with javascript for multidomain variables in config.js
@@ -113,43 +75,6 @@ server {
 }
 }
- # BOSH
- location = /http-bind {
- proxy_pass http://$prosody_node/http-bind?prefix=$prefix&$args;
- proxy_http_version 1.1;
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header Host $http_host;
- proxy_set_header Connection "";
- }
- # xmpp websockets
- location = /xmpp-websocket {
- proxy_pass http://$prosody_node/xmpp-websocket?prefix=$prefix&$args;
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_set_header Host $http_host;
- tcp_nodelay on;
- }
- # colibri (JVB) websockets for jvb1
- location ~ ^/colibri-ws/default-id/(.*) {
- proxy_pass http://jvb1/colibri-ws/default-id/$1$is_args$args;
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- tcp_nodelay on;
- }
- # load test minimal client, uncomment when used
- #location ~ ^/_load-test/([^/?&:'"]+)$ {
- # rewrite ^/_load-test/(.*)$ /load-test/index.html break;
- #}
- #location ~ ^/_load-test/libs/(.*)$ {
- # add_header 'Access-Control-Allow-Origin' '*';
- # alias /usr/share/jitsi-meet/load-test/libs/$1;
- #}
-
 location ~ ^/conference-request/v1(\/.*)?$ {
 proxy_pass http://127.0.0.1:8888/conference-request/v1$1;
 add_header "Cache-Control" "no-cache, no-store";
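Review bot: The certificate and key are now selected by `{{fqdn}}` while `server_name` in the first hunk is `{{jitsi_domain}}`; if those two template variables ever differ, the certificate's SAN will not match the name clients connect to and every browser will fail with a name mismatch — presumably they resolve to the same host, but a one-line comment (`# {{fqdn}} must equal {{jitsi_domain}}, the cert is issued for it`) or an assert in the playbook would make that explicit. The commented `# ssl_dhparam /etc/ssl/step/{{fqdn}}.dh;` carries no explanation, and with `ssl_protocols TLSv1.3;` it is irrelevant (DH parameters only affect TLS 1.2 DHE suites), so either drop it or note why it is kept, e.g. `# dhparam only needed if TLSv1.2 DHE suites are re-enabled`. Certificates from a step-ca are typically short-lived, so whatever renews `/etc/ssl/step/{{fqdn}}.crt` must also reload nginx and keep the `.key` file readable only by root — neither can be verified from the diff. The `server` block enclosing these lines starts and ends outside the hunk.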
@@ -185,24 +110,6 @@ server {
 rewrite ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)$ /$2;
 }
- # BOSH for subdomains
- location ~ ^/([^/?&:'"]+)/http-bind {
- set $subdomain "$1.";
- set $subdir "$1/";
- set $prefix "$1";
- rewrite ^/(.*)$ /http-bind;
- }
- # websockets for subdomains
- location ~ ^/([^/?&:'"]+)/xmpp-websocket {
- set $subdomain "$1.";
- set $subdir "$1/";
- set $prefix "$1";
- rewrite ^/(.*)$ /xmpp-websocket;
- }
-
 location ~ ^/([^/?&:'"]+)/_api/room-info {
 set $subdomain "$1.";
 set $subdir "$1/";
-- 
GitLab