|
|
|
server {
|
|
|
|
listen 80;
|
|
|
|
listen 443 ssl http2;
|
|
|
|
server_name {{ jitsi_domain }};
|
|
|
|
|
|
|
|
ssl_certificate_key {{ jitsi_key_path }};
|
|
|
|
ssl_certificate {{ jitsi_cert_path }};
|
|
|
|
|
|
|
|
include /etc/nginx/ansible_conf.d/perf.inc;
|
|
|
|
include /etc/nginx/ansible_conf.d/force_ssl.inc;
|
|
|
|
include /etc/nginx/ansible_conf.d/acme.inc;
|
|
|
|
|
|
|
|
if ($request_method !~ ^(GET|POST|HEAD)$ ) {
|
|
|
|
return 405;
|
|
|
|
}
|
|
|
|
|
|
|
|
add_header Strict-Transport-Security "$hsts_header";
|
|
|
|
|
|
|
|
root {{ jitsi_root_dir }}/meet;
|
|
|
|
index index.html;
|
|
|
|
|
|
|
|
# conferenceMapper endpoint
|
|
|
|
location ~ ^/(phoneNumberList|conferenceMapper) {
|
|
|
|
proxy_pass http://localhost:{{ jitsi_confmapper_port }};
|
|
|
|
proxy_socket_keepalive on;
|
|
|
|
# TODO : rate limit these endpoints to prevent room listing
|
|
|
|
}
|
|
|
|
|
|
|
|
# BOSH endpoint
|
|
|
|
location /http-bind {
|
|
|
|
proxy_socket_keepalive on;
|
|
|
|
proxy_pass http://localhost:5280/http-bind;
|
|
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
|
|
proxy_set_header Host $http_host;
|
|
|
|
}
|
|
|
|
|
|
|
|
# Websocket endpoint
|
|
|
|
location /xmpp-websocket {
|
|
|
|
proxy_pass http://localhost:5280/xmpp-websocket?$args;
|
|
|
|
proxy_http_version 1.1;
|
|
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
|
|
proxy_set_header Connection "upgrade";
|
|
|
|
proxy_set_header Host $http_host;
|
|
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
|
|
tcp_nodelay on;
|
|
|
|
}
|
|
|
|
{% if jitsi_auth == 'sso' %}
|
|
|
|
|
|
|
|
# SSO endpoint
|
|
|
|
location /login {
|
|
|
|
proxy_pass http://127.0.0.1:8888;
|
|
|
|
proxy_set_header mail $http_mail;
|
|
|
|
proxy_set_header displayName $http_displayname;
|
|
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
|
|
proxy_set_header Host $http_host;
|
|
|
|
|
|
|
|
# jicofo doesn't add the Content-Type for the redirection page
|
|
|
|
add_header Content-Type 'text/html';
|
|
|
|
}
|
|
|
|
{% endif %}
|
|
|
|
|
|
|
|
# Conference rooms
|
|
|
|
location ~ ^/([a-zA-Z0-9=\?]+)$ {
|
|
|
|
rewrite ^/(.*)$ / break;
|
|
|
|
}
|
|
|
|
location / {
|
|
|
|
ssi on;
|
|
|
|
limit_req zone=limit_req_std burst=100 nodelay;
|
|
|
|
limit_conn limit_conn_std 80;
|
|
|
|
}
|
|
|
|
|
|
|
|
{% for ip in jitsi_web_src_ip %}
|
|
|
|
allow {{ ip }};
|
|
|
|
{% endfor %}
|
|
|
|
deny all;
|
|
|
|
}
|