mirror of
https://git.lapiole.org/dani/ansible-roles.git
synced 2025-08-04 07:37:20 +02:00
Update to 2021-12-01 19:13
This commit is contained in:
Daniel Berteaud
73
roles/jitsi/templates/nginx.conf.j2
Normal file
73
roles/jitsi/templates/nginx.conf.j2
Normal file
@@ -0,0 +1,73 @@
|
||||
server {
|
||||
listen 80;
|
||||
listen 443 ssl http2;
|
||||
server_name {{ jitsi_domain }};
|
||||
|
||||
ssl_certificate_key {{ jitsi_key_path }};
|
||||
ssl_certificate {{ jitsi_cert_path }};
|
||||
|
||||
include /etc/nginx/ansible_conf.d/perf.inc;
|
||||
include /etc/nginx/ansible_conf.d/force_ssl.inc;
|
||||
include /etc/nginx/ansible_conf.d/acme.inc;
|
||||
|
||||
if ($request_method !~ ^(GET|POST|HEAD)$ ) {
|
||||
return 405;
|
||||
}
|
||||
|
||||
add_header Strict-Transport-Security "$hsts_header";
|
||||
|
||||
root {{ jitsi_root_dir }}/meet;
|
||||
index index.html;
|
||||
|
||||
# conferenceMapper endpoint
|
||||
location ~ ^/(phoneNumberList|conferenceMapper) {
|
||||
proxy_pass http://localhost:{{ jitsi_confmapper_port }};
|
||||
proxy_socket_keepalive on;
|
||||
# TODO : rate limit these endpoints to prevent room listing
|
||||
}
|
||||
|
||||
# BOSH endpoint
|
||||
location /http-bind {
|
||||
proxy_socket_keepalive on;
|
||||
proxy_pass http://localhost:5280/http-bind;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header Host $http_host;
|
||||
}
|
||||
|
||||
# Websocket endpoint
|
||||
location /xmpp-websocket {
|
||||
proxy_pass http://localhost:5280/xmpp-websocket?$args;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
tcp_nodelay on;
|
||||
}
|
||||
{% if jitsi_auth == 'sso' %}
|
||||
|
||||
# SSO endpoint
|
||||
location /login {
|
||||
proxy_pass http://127.0.0.1:8888;
|
||||
proxy_set_header mail $http_mail;
|
||||
proxy_set_header displayName $http_displayname;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header Host $http_host;
|
||||
|
||||
# jicofo doesn't add the Content-Type for the redirection page
|
||||
add_header Content-Type 'text/html';
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
location / {
|
||||
ssi on;
|
||||
limit_req zone=limit_req_std burst=100 nodelay;
|
||||
limit_conn limit_conn_std 80;
|
||||
try_files $uri /index.html;
|
||||
}
|
||||
|
||||
{% for ip in jitsi_web_src_ip %}
|
||||
allow {{ ip }};
|
||||
{% endfor %}
|
||||
deny all;
|
||||
}
|
||||
Reference in New Issue
Block a user