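server {
    listen 80;
    listen 443 ssl http2;
    server_name {{ jitsi_domain }};

    ssl_certificate_key {{ jitsi_key_path }};
    ssl_certificate {{ jitsi_cert_path }};

    include /etc/nginx/ansible_conf.d/perf.inc;
    include /etc/nginx/ansible_conf.d/force_ssl.inc;
    include /etc/nginx/ansible_conf.d/acme.inc;

    # Only the methods the Jitsi web app actually uses (BOSH/websocket use GET/POST);
    # anything else is refused before reaching any location.
    if ($request_method !~ ^(GET|POST|HEAD)$ ) {
        return 405;
    }

    # $hsts_header is expected to come from a map in the http context (outside this
    # file); an empty value means no header is emitted, e.g. on plain-HTTP replies.
    # "always" keeps the header on error responses too, not only on 2xx/3xx.
    add_header Strict-Transport-Security "$hsts_header" always;

    root {{ jitsi_root_dir }}/meet;
    index index.html;

    # conferenceMapper endpoint
    # These endpoints can be used to enumerate rooms / dial-in mappings, so they get
    # the shared request-rate zone with a much smaller burst than the rest of the
    # site. The burst value is a starting point; tune it to what the dial-in UI needs.
    location ~ ^/(phoneNumberList|conferenceMapper) {
        limit_req zone=limit_req_std burst=20 nodelay;
        proxy_pass http://localhost:{{ jitsi_confmapper_port }};
        proxy_socket_keepalive on;
    }

    # BOSH endpoint
    location /http-bind {
        proxy_socket_keepalive on;
        proxy_pass http://localhost:5280/http-bind;
        # $remote_addr overwrites any client-supplied X-Forwarded-For instead of
        # appending to it, so the backend never sees a client-controlled chain.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
    }

    # Websocket endpoint
    location /xmpp-websocket {
        proxy_pass http://localhost:5280/xmpp-websocket?$args;
        # HTTP/1.1 plus the Upgrade/Connection pair is what lets the websocket
        # handshake pass through to prosody.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $remote_addr;
        tcp_nodelay on;
    }

    {% if jitsi_auth == 'sso' %}
    # SSO endpoint
    location /login {
        proxy_pass http://127.0.0.1:8888;
        # mail / displayName are copied verbatim from the incoming request headers.
        # This is only acceptable because the server-level allow/deny list at the
        # bottom restricts clients to jitsi_web_src_ip; any path that bypasses that
        # list could impersonate an arbitrary user. NOTE(review): confirm the
        # upstream front-end sets (overwrites, not merely appends) these headers.
        proxy_set_header mail $http_mail;
        proxy_set_header displayName $http_displayname;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
        # jicofo doesn't add the Content-Type for the redirection page
        add_header Content-Type 'text/html';
        # add_header is not inherited once a location declares its own, so HSTS must
        # be repeated here or /login responses would go out without it.
        add_header Strict-Transport-Security "$hsts_header" always;
    }
    {% endif %}

    # Conference rooms: a single path segment is a room name and is served from the
    # SPA entry point (the rewrite keeps the request in this location via "break").
    location ~ ^/([a-zA-Z0-9=\?]+)$ {
        rewrite ^/(.*)$ / break;
    }

    location / {
        ssi on;
        limit_req zone=limit_req_std burst=100 nodelay;
        limit_conn limit_conn_std 80;
    }

    # Source-IP allow list for the whole server block; inherited by every location
    # that does not declare its own allow/deny. NOTE(review): if the challenge
    # location in acme.inc does not carry its own "allow all", this "deny all"
    # will also block ACME validation requests on port 80.
    {% for ip in jitsi_web_src_ip %}
    allow {{ ip }};
    {% endfor %}
    deny all;
}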