| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209 |
- server_names_hash_bucket_size 64;
-
- types {
- # nginx's default mime.types doesn't include a mapping for wasm or wav.
- application/wasm wasm;
- audio/wav wav;
- }
- upstream prosody {
- zone upstreams 64K;
- server 127.0.0.1:5280;
- keepalive 2;
- }
- upstream jvb1 {
- zone upstreams 64K;
- server 127.0.0.1:9090;
- keepalive 2;
- }
- map $arg_vnode $prosody_node {
- default prosody;
- v1 v1;
- v2 v2;
- v3 v3;
- v4 v4;
- v5 v5;
- v6 v6;
- v7 v7;
- v8 v8;
- }
- server {
- listen 80;
- listen [::]:80;
- server_name jitsi-meet.example.com;
-
- location ^~ /.well-known/acme-challenge/ {
- default_type "text/plain";
- root /usr/share/jitsi-meet;
- }
- location = /.well-known/acme-challenge/ {
- return 404;
- }
- location / {
- return 301 https://$host$request_uri;
- }
- }
- server {
- listen 443 ssl;
- listen [::]:443 ssl;
- server_name jitsi-meet.example.com;
-
- # Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
- ssl_prefer_server_ciphers off;
-
- ssl_session_timeout 1d;
- ssl_session_cache shared:SSL:10m; # about 40000 sessions
- ssl_session_tickets off;
-
- add_header Strict-Transport-Security "max-age=63072000" always;
- set $prefix "";
- set $custom_index "";
- set $config_js_location /etc/jitsi/meet/jitsi-meet.example.com-config.js;
-
- ssl_certificate /etc/jitsi/meet/jitsi-meet.example.com.crt;
- ssl_certificate_key /etc/jitsi/meet/jitsi-meet.example.com.key;
-
- root /usr/share/jitsi-meet;
-
- # ssi on with javascript for multidomain variables in config.js
- ssi on;
- ssi_types application/x-javascript application/javascript;
-
- index index.html index.htm;
- error_page 404 /static/404.html;
-
- gzip on;
- gzip_types text/plain text/css application/javascript application/json image/x-icon application/octet-stream application/wasm;
- gzip_vary on;
- gzip_proxied no-cache no-store private expired auth;
- gzip_min_length 512;
-
- include /etc/jitsi/meet/jaas/*.conf;
-
- location = /config.js {
- alias $config_js_location;
- }
-
- location = /external_api.js {
- alias /usr/share/jitsi-meet/libs/external_api.min.js;
- }
-
- location = /_api/room-info {
- proxy_pass http://prosody/room-info?prefix=$prefix&$args;
- proxy_http_version 1.1;
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header Host $http_host;
- }
-
- location ~ ^/_api/public/(.*)$ {
- autoindex off;
- alias /etc/jitsi/meet/public/$1;
- }
-
- # ensure all static content can always be found first
- location ~ ^/(libs|css|static|images|fonts|lang|sounds|.well-known)/(.*)$
- {
- add_header 'Access-Control-Allow-Origin' '*';
- alias /usr/share/jitsi-meet/$1/$2;
-
- # cache all versioned files
- if ($arg_v) {
- expires 1y;
- }
- }
-
- # BOSH
- location = /http-bind {
- proxy_pass http://$prosody_node/http-bind?prefix=$prefix&$args;
- proxy_http_version 1.1;
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header Host $http_host;
- proxy_set_header Connection "";
- }
-
- # xmpp websockets
- location = /xmpp-websocket {
- proxy_pass http://$prosody_node/xmpp-websocket?prefix=$prefix&$args;
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_set_header Host $http_host;
- tcp_nodelay on;
- }
-
- # colibri (JVB) websockets for jvb1
- location ~ ^/colibri-ws/default-id/(.*) {
- proxy_pass http://jvb1/colibri-ws/default-id/$1$is_args$args;
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- tcp_nodelay on;
- }
-
- # load test minimal client, uncomment when used
- #location ~ ^/_load-test/([^/?&:'"]+)$ {
- # rewrite ^/_load-test/(.*)$ /load-test/index.html break;
- #}
- #location ~ ^/_load-test/libs/(.*)$ {
- # add_header 'Access-Control-Allow-Origin' '*';
- # alias /usr/share/jitsi-meet/load-test/libs/$1;
- #}
-
- location ~ ^/([^/?&:'"]+)$ {
- set $roomname "$1";
- try_files $uri @root_path;
- }
-
- location @root_path {
- rewrite ^/(.*)$ /$custom_index break;
- }
-
- location ~ ^/([^/?&:'"]+)/config.js$
- {
- set $subdomain "$1.";
- set $subdir "$1/";
-
- alias $config_js_location;
- }
-
- # Matches /(TENANT)/pwa-worker.js or /(TENANT)/manifest.json to rewrite to / and look for file
- location ~ ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)$ {
- set $subdomain "$1.";
- set $subdir "$1/";
- rewrite ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)$ /$2;
- }
-
- # BOSH for subdomains
- location ~ ^/([^/?&:'"]+)/http-bind {
- set $subdomain "$1.";
- set $subdir "$1/";
- set $prefix "$1";
-
- rewrite ^/(.*)$ /http-bind;
- }
-
- # websockets for subdomains
- location ~ ^/([^/?&:'"]+)/xmpp-websocket {
- set $subdomain "$1.";
- set $subdir "$1/";
- set $prefix "$1";
-
- rewrite ^/(.*)$ /xmpp-websocket;
- }
-
- location ~ ^/([^/?&:'"]+)/_api/room-info {
- set $subdomain "$1.";
- set $subdir "$1/";
- set $prefix "$1";
-
- rewrite ^/(.*)$ /_api/room-info;
- }
-
- # Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
- location ~ ^/([^/?&:'"]+)/(.*)$ {
- set $subdomain "$1.";
- set $subdir "$1/";
- rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
- }
- }
|
