From ea5e96fdf41094f91388b530b1750d0c8d2a7e06 Mon Sep 17 00:00:00 2001
From: Christoph <ckubu@oopen.de>
Date: Fri, 1 May 2020 19:14:35 +0200
Subject: [PATCH] Add example nginx configuration for jitsi meet host.

---
 example/nginx/jetsi-meet.domain.tld.conf | 141 +++++++++++++++++++++++
 1 file changed, 141 insertions(+)
 create mode 100644 example/nginx/jetsi-meet.domain.tld.conf

diff --git a/example/nginx/jetsi-meet.domain.tld.conf b/example/nginx/jetsi-meet.domain.tld.conf
new file mode 100644
index 0000000..6a1a387
--- /dev/null
+++ b/example/nginx/jetsi-meet.domain.tld.conf
@@ -0,0 +1,141 @@
+# - @jetsi-meet.domain.tld@
+
+server_names_hash_bucket_size 64;
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name @jetsi-meet.domain.tld@;
+
+    return 301 https://$host$request_uri;
+
+}
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name @jetsi-meet.domain.tld@;
+
+    # Include location directive for Let's Encrypt ACME Challenge
+    #
+    # - Needed for (automated) updating certificate
+    # -
+    include snippets/letsencrypt-acme-challenge.conf;
+
+    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
+    #
+    # To generate a dhparam.pem file, run in a terminal
+    #    openssl dhparam -dsaparam -out /etc/nginx/ssl/dhparam.pem 2048
+    #
+    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+    # Eable session resumption to improve https performance
+    ssl_session_cache shared:SSL:50m;
+    ssl_session_timeout 10m;
+    ssl_session_tickets off;
+
+    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # omit SSLv3 because of POODLE
+    # omit SSLv3 because of POODLE
+    # omit  TLSv1 TLSv1.1
+    ssl_protocols TLSv1.2 TLSv1.3;
+
+    # ECDHE better than DHE (faster)  ECDHE & DHE GCM better than CBC (attacks on AES)
+    # Everything better than SHA1 (deprecated)
+    #
+    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA';
+    ssl_prefer_server_ciphers on;
+
+    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    #ssl_prefer_server_ciphers on;
+    #ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED";
+
+    add_header Strict-Transport-Security "max-age=31536000";
+
+    ssl_certificate /etc/ssl/@jetsi-meet.domain.tld@.crt;
+    ssl_certificate_key /etc/ssl/@jetsi-meet.domain.tld@.key;
+
+    root /usr/share/jitsi-meet;
+
+    # ssi on with javascript for multidomain variables in config.js
+    ssi on;
+    ssi_types application/x-javascript application/javascript;
+
+    index index.html index.htm;
+    error_page 404 /static/404.html;
+
+    gzip on;
+    gzip_types text/plain text/css application/javascript application/json;
+    gzip_vary on;
+
+    location = /config.js {
+        alias /etc/jitsi/meet/@jetsi-meet.domain.tld@-config.js;
+    }
+
+    location = /external_api.js {
+        alias /usr/share/jitsi-meet/libs/external_api.min.js;
+    }
+
+    #ensure all static content can always be found first
+    location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
+    {
+        add_header 'Access-Control-Allow-Origin' '*';
+        alias /usr/share/jitsi-meet/$1/$2;
+    }
+
+    # BOSH
+    location = /http-bind {
+        proxy_pass      http://localhost:5280/http-bind;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header Host $http_host;
+    }
+
+    # xmpp websockets
+    location = /xmpp-websocket {
+        proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=$prefix&$args;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $http_host;
+        tcp_nodelay on;
+    }
+
+    location ~ ^/([^/?&:'"]+)$ {
+        try_files $uri @root_path;
+    }
+
+    location @root_path {
+        rewrite ^/(.*)$ / break;
+    }
+
+    location ~ ^/([^/?&:'"]+)/config.js$
+    {
+       set $subdomain "$1.";
+       set $subdir "$1/";
+
+       alias /etc/jitsi/meet/@jetsi-meet.domain.tld@-config.js;
+    }
+
+    #Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
+    location ~ ^/([^/?&:'"]+)/(.*)$ {
+        set $subdomain "$1.";
+        set $subdir "$1/";
+        rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
+    }
+
+    # BOSH for subdomains
+    location ~ ^/([^/?&:'"]+)/http-bind {
+        set $subdomain "$1.";
+        set $subdir "$1/";
+        set $prefix "$1";
+
+        rewrite ^/(.*)$ /http-bind;
+    }
+
+    # websockets for subdomains
+    location ~ ^/([^/?&:'"]+)/xmpp-websocket {
+        set $subdomain "$1.";
+        set $subdir "$1/";
+        set $prefix "$1";
+
+        rewrite ^/(.*)$ /xmpp-websocket;
+    }
+}