{% if jitsimeet_ssl.stat.exists %} map $arg_vnode $prosody_node { default prosody; v1 v1; v2 v2; v3 v3; v4 v4; v5 v5; v6 v6; v7 v7; v8 v8; } {% endif %} server { listen 80; listen [::]:80; server_name {{ domain }}; # For certbot location ~ /.well-known/acme-challenge { alias /var/lib/letsencrypt/; try_files $uri =404; allow all; } {% if jitsimeet_ssl.stat.exists %} location / { return 301 https://$host$request_uri; } {% endif %} } {% if jitsimeet_ssl.stat.exists %} server { listen 8088 ssl http2; listen [::]:8088 ssl http2; server_name {{ domain }}; access_log /var/log/nginx/{{ service }}.access.log; # reduce I/0 with buffer=10m flush=5m error_log /var/log/nginx/{{ service }}.error.log; # For certbot location ~ /.well-known/acme-challenge { alias /var/lib/letsencrypt/; try_files $uri =404; allow all; } # Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; ssl_session_timeout 1d; ssl_session_cache shared:SSL:10m; # about 40000 sessions ssl_session_tickets off; add_header Strict-Transport-Security "max-age=63072000" always; set $prefix ""; set $custom_index ""; set $config_js_location /etc/jitsi/meet/{{ domain }}-config.js; set $interface_config_js_location /etc/jitsi/meet/{{ domain }}-interface_config.js; set $welcome_page_additional_content_location /etc/jitsi/meet/welcomePageAdditionalContent.html; ## # Certificates # you need a certificate to run in production. see https://letsencrypt.org/ ## ssl_certificate /etc/letsencrypt/live/{{ domain }}/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/{{ domain }}/privkey.pem; root /usr/share/jitsi-meet; # ssi on with javascript for multidomain variables in config.js ssi on; ssi_types application/x-javascript application/javascript; index index.html index.htm; error_page 404 /static/404.html; gzip on; gzip_types text/plain text/css application/javascript application/json image/x-icon application/octet-stream application/wasm; gzip_vary on; gzip_proxied no-cache no-store private expired auth; gzip_min_length 512; include /etc/jitsi/meet/jaas/*.conf; location = /config.js { alias $config_js_location; } location = /interface_config.js { alias $interface_config_js_location; } location = /external_api.js { alias /usr/share/jitsi-meet/libs/external_api.min.js; } location = /static/welcomePageAdditionalContent.html { alias $welcome_page_additional_content_location; } location = /_api/room-info { proxy_pass http://prosody/room-info?prefix=$prefix&$args; proxy_http_version 1.1; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header Host {{ jitsimeet_domains | first }}; } location ~ ^/_api/public/(.*)$ { autoindex off; alias /etc/jitsi/meet/public/$1; } # ensure all static content can always be found first location ~ ^/(libs|css|static|images|fonts|lang|sounds|.well-known)/(.*)$ { add_header 'Access-Control-Allow-Origin' '*'; alias /usr/share/jitsi-meet/$1/$2; # cache all versioned files if ($arg_v) { expires 1y; } } # BOSH location = /http-bind { proxy_pass http://$prosody_node/http-bind?prefix=$prefix&$args; proxy_http_version 1.1; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header Host {{ jitsimeet_domains | first }}; proxy_set_header Connection ""; } # xmpp websockets location = /xmpp-websocket { add_header 'Access-Control-Allow-Origin' '*'; proxy_pass http://$prosody_node/xmpp-websocket?prefix=$prefix&$args; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host {{ jitsimeet_domains | first }}; tcp_nodelay on; } # colibri (JVB) websockets for jvb1 location ~ ^/colibri-ws/([a-zA-Z0-9-\._]+)/(.*) { proxy_pass http://jvb1/colibri-ws/default-id/$2$is_args$args; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; tcp_nodelay on; } # load test minimal client, uncomment when used #location ~ ^/_load-test/([^/?&:'"]+)$ { # rewrite ^/_load-test/(.*)$ /load-test/index.html break; #} #location ~ ^/_load-test/libs/(.*)$ { # add_header 'Access-Control-Allow-Origin' '*'; # alias /usr/share/jitsi-meet/load-test/libs/$1; #} location ~ ^/([^/?&:'"]+)$ { set $roomname "$1"; try_files $uri @root_path; } location @root_path { rewrite ^/(.*)$ /$custom_index break; } location ~ ^/([^/?&:'"]+)/config.js$ { set $subdomain "$1."; set $subdir "$1/"; alias $config_js_location; } # Matches /(TENANT)/pwa-worker.js or /(TENANT)/manifest.json to rewrite to / and look for file location ~ ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)$ { set $subdomain "$1."; set $subdir "$1/"; rewrite ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)$ /$2; } # BOSH for subdomains location ~ ^/([^/?&:'"]+)/http-bind { set $subdomain "$1."; set $subdir "$1/"; set $prefix "$1"; rewrite ^/(.*)$ /http-bind; } # websockets for subdomains location ~ ^/([^/?&:'"]+)/xmpp-websocket { set $subdomain "$1."; set $subdir "$1/"; set $prefix "$1"; rewrite ^/(.*)$ /xmpp-websocket; } location ~ ^/([^/?&:'"]+)/_api/room-info { set $subdomain "$1."; set $subdir "$1/"; set $prefix "$1"; rewrite ^/(.*)$ /_api/room-info; } # Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to / location ~ ^/([^/?&:'"]+)/(.*)$ { set $subdomain "$1."; set $subdir "$1/"; rewrite ^/([^/?&:'"]+)/(.*)$ /$2; } } {% endif %}