From b9c96c24b310f00d483b06c2208920d4d8ae9c24 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Sun, 29 Mar 2020 15:53:19 +0200
Subject: [PATCH] Add example nginx configuration.
---
examples/nginx/bigbluebutton | 109 +++++++++++++++++++++++++++++++++++
1 file changed, 109 insertions(+)
create mode 100644 examples/nginx/bigbluebutton
diff --git a/examples/nginx/bigbluebutton b/examples/nginx/bigbluebutton
new file mode 100644
index 0000000..faa59f4
--- /dev/null
+++ b/examples/nginx/bigbluebutton
@@ -0,0 +1,109 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name ;
+ return 301 https://$server_name$request_uri;
+}
+
+server {
+
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name ;
+
+ ssl_certificate /var/lib/dehydrated/certs//fullchain.pem;
+ ssl_certificate_key /var/lib/dehydrated/certs//privkey.pem;
+ #ssl_trusted_certificate /var/lib/dehydrated/certs//fullchain.pem;
+
+ # - Needed for (automated) updating certificate
+ # -
+ include snippets/letsencrypt-acme-challenge.conf;
+
+
+ # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
+ #
+ # To generate a dhparam.pem file, run in a terminal
+ # openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
+ #
+ ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+ # Eable session resumption to improve https performance
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_timeout 10m;
+ ssl_session_tickets off;
+
+ #ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # omit SSLv3 because of POODLE
+ # omit SSLv3 because of POODLE
+ # omit TLSv1 TLSv1.1
+ ssl_protocols TLSv1.2;
+
+ # ECDHE better than DHE (faster) ECDHE & DHE GCM better than CBC (attacks on AES)
+ # Everything better than SHA1 (deprecated)
+ #
+ ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA';
+ ssl_prefer_server_ciphers on;
+
+ add_header Strict-Transport-Security "max-age=31536000" always;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Content-Type-Options nosniff;
+ #add_header X-Frame-Options "SAMEORIGIN";
+
+ access_log /var/log/nginx/bigbluebutton.access.log;
+
+ # Handle RTMPT (RTMP Tunneling). Forwards requests
+ # to Red5 on port 5080
+ location ~ (/open/|/close/|/idle/|/send/|/fcs/) {
+ proxy_pass http://127.0.0.1:5080;
+ proxy_redirect off;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ client_max_body_size 10m;
+ client_body_buffer_size 128k;
+
+ proxy_connect_timeout 90;
+ proxy_send_timeout 90;
+ proxy_read_timeout 90;
+
+ proxy_buffering off;
+ keepalive_requests 1000000000;
+ }
+
+ # Handle desktop sharing tunneling. Forwards
+ # requests to Red5 on port 5080.
+ location /deskshare {
+ proxy_pass http://127.0.0.1:5080;
+ proxy_redirect default;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ client_max_body_size 10m;
+ client_body_buffer_size 128k;
+ proxy_connect_timeout 90;
+ proxy_send_timeout 90;
+ proxy_read_timeout 90;
+ proxy_buffer_size 4k;
+ proxy_buffers 4 32k;
+ proxy_busy_buffers_size 64k;
+ proxy_temp_file_write_size 64k;
+ include fastcgi_params;
+ }
+
+ # BigBlueButton landing page.
+ location / {
+ root /var/www/bigbluebutton-default;
+ index index.html index.htm;
+ expires 1m;
+ }
+
+ # Include specific rules for record and playback
+ include /etc/bigbluebutton/nginx/*.nginx;
+
+ #error_page 404 /404.html;
+
+ # Redirect server error pages to the static page /50x.html
+ #
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /var/www/nginx-default;
+ }
+}
+
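Review bot: The `ssl_ciphers` list ends with five CBC suites (`ECDHE-RSA-AES256-SHA384`, `ECDHE-RSA-AES256-SHA`, `ECDHE-RSA-AES128-SHA`, `DHE-RSA-AES256-SHA`, `DHE-RSA-AES128-SHA`), four of them with HMAC-SHA1, which contradicts the comment directly above it ("GCM better than CBC", "Everything better than SHA1"). With `ssl_protocols` already limited to TLSv1.2, practically every client that can connect also offers the AEAD suites, so the example can ship `ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256';` and match its own rationale. Separately, nginx drops server-level `add_header` lines in any location that sets its own `add_header`, which the files pulled in by `include /etc/bigbluebutton/nginx/*.nginx;` may do (not visible in this patch), and only the HSTS line carries `always`. A short comment next to the header block, such as `# add_header is not inherited by locations that set their own; repeat these there`, would keep people who adapt the example from silently losing HSTS on those paths.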