more updates march

jitsi/config/jitsi-meet-cfg/web/nginx/meet.conf

@@ -0,0 +1,141 @@
+
+
+
+
+
+
+
+
+server_name _;
+
+charset utf8;
+
+client_max_body_size 0;
+
+root /usr/share/jitsi-meet;
+
+# ssi on with javascript for multidomain variables in config.js
+ssi on;
+ssi_types application/x-javascript application/javascript;
+
+index index.html index.htm;
+error_page 404 /static/404.html;
+
+# Security headers
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
+
+set $prefix "";
+
+
+
+# Opt out of FLoC (deprecated)
+add_header Permissions-Policy "interest-cohort=()";
+
+include /config/nginx-custom/*.conf;
+
+location = /config.js {
+    alias /config/config.js;
+}
+
+location = /interface_config.js {
+    alias /config/interface_config.js;
+}
+
+location = /external_api.js {
+    alias /usr/share/jitsi-meet/libs/external_api.min.js;
+}
+
+
+
+# ensure all static content can always be found first
+location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known|transcripts)/(.*)$ {
+    add_header 'Access-Control-Allow-Origin' '*';
+    alias /usr/share/jitsi-meet/$1/$2;
+
+    # cache all versioned files
+    if ($arg_v) {
+        expires 1y;
+    }
+}
+
+
+
+# BOSH
+location = /http-bind {
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header Host meet.jitsi;
+
+    proxy_pass http://xmpp.meet.jitsi:5280/http-bind?prefix=$prefix&$args;
+}
+
+
+# xmpp websockets
+location = /xmpp-websocket {
+    tcp_nodelay on;
+
+    proxy_http_version 1.1;
+    proxy_set_header Connection $connection_upgrade;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Host meet.jitsi;
+    proxy_set_header X-Forwarded-For $remote_addr;
+
+    proxy_pass http://xmpp.meet.jitsi:5280/xmpp-websocket?prefix=$prefix&$args;
+}
+
+
+
+
+
+
+location ~ ^/([^/?&:'"]+)$ {
+    try_files $uri @root_path;
+}
+
+location @root_path {
+    rewrite ^/(.*)$ / break;
+}
+
+
+    # Matches /(TENANT)/pwa-worker.js or /(TENANT)/manifest.json to rewrite to / and look for file
+    location ~ ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)$ {
+        set $subdomain "$1.";
+        set $subdir "$1/";
+        rewrite ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)$ /$2;
+    }
+
+    location ~ ^/([^/?&:'"]+)/config.js$ {
+        set $subdomain "$1.";
+        set $subdir "$1/";
+
+        alias /config/config.js;
+    }
+
+    # BOSH for subdomains
+    location ~ ^/([^/?&:'"]+)/http-bind {
+        set $subdomain "$1.";
+        set $subdir "$1/";
+        set $prefix "$1";
+
+        rewrite ^/(.*)$ /http-bind;
+    }
+
+    
+    # websockets for subdomains
+    location ~ ^/([^/?&:'"]+)/xmpp-websocket {
+        set $subdomain "$1.";
+        set $subdir "$1/";
+        set $prefix "$1";
+
+        rewrite ^/(.*)$ /xmpp-websocket;
+    }
+    
+
+    
+    # Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
+    location ~ ^/([^/?&:'"]+)/(.*)$ {
+        set $subdomain "$1.";
+        set $subdir "$1/";
+        rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
+    }
+

jitsi/config/jitsi-meet-cfg/web/nginx/nginx.conf

@@ -0,0 +1,69 @@
+user www-data;
+worker_processes 4;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+	worker_connections 768;
+	# multi_accept on;
+}
+
+http {
+
+	##
+	# Basic Settings
+	##
+
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	keepalive_timeout 65;
+	types_hash_max_size 2048;
+	server_tokens off;
+
+	# server_names_hash_bucket_size 64;
+	# server_name_in_redirect off;
+
+	client_max_body_size 0;
+
+	
+	resolver 127.0.0.11;
+	include /etc/nginx/mime.types;
+	types {
+		# add support for the wav MIME type that is requried to playback wav files in Firefox.
+		audio/wav        wav;
+	}
+	default_type application/octet-stream;
+
+	##
+	# Logging Settings
+	##
+
+	access_log /dev/stdout;
+	error_log /dev/stderr;
+
+	##
+	# Gzip Settings
+	##
+
+	gzip on;
+	gzip_types text/plain text/css application/javascript application/json;
+	gzip_vary on;
+	gzip_min_length 860;
+
+	##
+	# Connection header for WebSocket reverse proxy
+	##
+	map $http_upgrade $connection_upgrade {
+		default upgrade;
+		''      close;
+	}
+
+	##
+	# Virtual Host Configs
+	##
+	include /config/nginx/site-confs/*;
+}
+
+
+daemon off;

jitsi/config/jitsi-meet-cfg/web/nginx/site-confs/default

@@ -0,0 +1,24 @@
+server {
+	listen 80 default_server;
+	
+	
+	listen [::]:80 default_server;
+	
+
+	
+	include /config/nginx/meet.conf;
+	
+}
+
+
+server {
+	listen 443 ssl http2;
+	
+	
+	listen [::]:443 ssl http2;
+	
+
+	include /config/nginx/ssl.conf;
+	include /config/nginx/meet.conf;
+}
+

jitsi/config/jitsi-meet-cfg/web/nginx/ssl.conf

@@ -0,0 +1,25 @@
+# session settings
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+ssl_session_tickets off;
+
+# ssl certs
+
+ssl_certificate /config/keys/cert.crt;
+ssl_certificate_key /config/keys/cert.key;
+
+
+# protocols
+# Mozilla Guideline v5.6, nginx 1.14.2, OpenSSL 1.1.1d, intermediate configuration, no OCSP
+# https://ssl-config.mozilla.org/#server=nginx&version=1.14.2&config=intermediate&openssl=1.1.1d&ocsp=false&guideline=5.6
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers off;
+
+# Diffie-Hellman parameter for DHE cipher suites
+ssl_dhparam /defaults/ffdhe2048.txt;
+
+# HSTS (ngx_http_headers_module is required) (63072000 seconds)
+
+add_header Strict-Transport-Security "max-age=63072000" always;
+