diff --git a/playbooks/roles/jitsi-meet/files/jitsi-meet-docker/meet-docker-compose.yaml b/playbooks/roles/jitsi-meet/files/jitsi-meet-docker/meet-docker-compose.yaml
index 0273fdd098..7f8caeef9b 100644
--- a/playbooks/roles/jitsi-meet/files/jitsi-meet-docker/meet-docker-compose.yaml
+++ b/playbooks/roles/jitsi-meet/files/jitsi-meet-docker/meet-docker-compose.yaml
@@ -12,6 +12,7 @@ services:
 - ${CONFIG}/web:/config
 - ${CONFIG}/web/letsencrypt:/etc/letsencrypt
 - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts
+ - ${DEFAULTS}/web/nginx/meet.conf:/defaults/meet.conf
 environment:
 - ENABLE_AUTH
 - ENABLE_GUESTS
diff --git a/playbooks/roles/jitsi-meet/files/meet.conf b/playbooks/roles/jitsi-meet/files/meet.conf
index f9a82d33c2..de9fc5f7dd 100644
--- a/playbooks/roles/jitsi-meet/files/meet.conf
+++ b/playbooks/roles/jitsi-meet/files/meet.conf
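Review bot: The new bind mount `${DEFAULTS}/web/nginx/meet.conf:/defaults/meet.conf` is read-write, although the tasks file in this same change says the container only interprets the template at startup; mounting it `:ro` keeps a misbehaving or compromised web container from rewriting the nginx template that is re-read on the next start. An unset `DEFAULTS` also expands to an empty string, so the host side silently becomes `/web/nginx/meet.conf`; compose's `${VAR:?err}` form fails the stack early instead. Suggested line: `- ${DEFAULTS:?DEFAULTS is not set}/web/nginx/meet.conf:/defaults/meet.conf:ro`.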
@@ -1,50 +1,96 @@
+{{ $ENABLE_XMPP_WEBSOCKET := .Env.ENABLE_XMPP_WEBSOCKET | default "1" | toBool }}
+
 server_name _;
 client_max_body_size 0;
 root /usr/share/jitsi-meet;
-index index.html
+
+# ssi on with javascript for multidomain variables in config.js
+ssi on;
+ssi_types application/x-javascript application/javascript;
+
+index index.html index.htm;
 error_page 404 /static/404.html;
-location ~ ^/([a-zA-Z0-9=\?_-]+)$ {
- rewrite ^/(.*)$ / break;
-}
+# Security headers
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
-location ^~ /config.js {
+location = /config.js {
 alias /config/config.js;
 }
-location ^~ /interface_config.js {
+location = /interface_config.js {
 alias /config/interface_config.js;
 }
-location ^~ /external_api.js {
+location = /external_api.js {
 alias /usr/share/jitsi-meet/libs/external_api.min.js;
 }
-location / {
- ssi on;
+# ensure all static content can always be found first
+location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
+{
+ add_header 'Access-Control-Allow-Origin' '*';
+ alias /usr/share/jitsi-meet/$1/$2;
+}
+
+# colibri (JVB) websockets
+location ~ ^/colibri-ws/([a-zA-Z0-9-\.]+)/(.*) {
+ proxy_pass http://$1:9090/colibri-ws/$1/$2$is_args$args;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ tcp_nodelay on;
 }
 # BOSH
-location ^~ /http-bind {
- proxy_pass http://localhost:5280/http-bind;
+location = /http-bind {
+ proxy_pass {{ .Env.XMPP_BOSH_URL_BASE }}/http-bind;
 proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header Host localhost;
+ proxy_set_header Host {{ .Env.XMPP_DOMAIN }};
 }
+{{ if $ENABLE_XMPP_WEBSOCKET }}
+# xmpp websockets
+location = /xmpp-websocket {
+ proxy_pass {{ .Env.XMPP_BOSH_URL_BASE }}/xmpp-websocket;
+ proxy_http_version 1.1;
+
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Upgrade $http_upgrade;
+
+ proxy_set_header Host {{ .Env.XMPP_DOMAIN }};
+ proxy_set_header X-Forwarded-For $remote_addr;
+ tcp_nodelay on;
+}
+{{ end }}
+
+location ~ ^/([^/?&:'"]+)$ {
+ try_files $uri @root_path;
+}
+
+location @root_path {
+ rewrite ^/(.*)$ / break;
+}
+
+{{ if .Env.ETHERPAD_URL_BASE }}
 # Etherpad-lite
-location ^~ /etherpad/ {
+location /etherpad/ {
 proxy_http_version 1.1;
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection 'upgrade';
- proxy_set_header Host 'etherpad.opendev.org';
+ # Commented out as we want the default behavior of using
+ # $proxy_host as the Host header value
+ #proxy_set_header Host $host;
 proxy_cache_bypass $http_upgrade;
- proxy_pass_header Server;
- proxy_pass https://etherpad.opendev.org/;
+ proxy_pass {{ .Env.ETHERPAD_URL_BASE }}/;
 proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_ssl_server_name on;
 proxy_buffering off;
+ # Commented out as we want the default behavior of using
+ # $proxy_host as the Host header value
+ #proxy_set_header Host {{ .Env.XMPP_DOMAIN }};
 }
+{{ end }}
diff --git a/playbooks/roles/jitsi-meet/tasks/main.yaml b/playbooks/roles/jitsi-meet/tasks/main.yaml
index 975529e077..4cfa599570 100644
--- a/playbooks/roles/jitsi-meet/tasks/main.yaml
+++ b/playbooks/roles/jitsi-meet/tasks/main.yaml
@@ -24,6 +24,13 @@
 - web
 - web/nginx
 - web/nginx/site-confs
+ - defaults
+ - defaults/web
+ - defaults/web/nginx
+
+# TODO files managed here seem to be completely ignored by the containers
+# we should clean them up. And if necessary replace them with templates
+# below like meet.conf.
 - name: Write web config
 copy:
 src: config.js
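Review bot: The `add_header X-Content-Type-Options` and `X-XSS-Protection` lines added at server scope never reach responses from the new static-content location, because nginx only inherits `add_header` into a location that declares none of its own, and that block sets `Access-Control-Allow-Origin '*'`; repeat the two headers inside it next to the CORS line: `add_header X-Content-Type-Options nosniff;` and `add_header X-XSS-Protection "1; mode=block";`. The colibri-ws location proxies to `http://$1:9090` with `$1` captured from the client-supplied path, so nginx will open a connection to any name matching `[a-zA-Z0-9-\.]+` that resolves from inside the container; if the JVB host names follow a known pattern, anchoring the capture to that pattern limits what the proxy can be made to reach. In the Etherpad block `proxy_ssl_server_name on` is dropped while the upstream now comes from `ETHERPAD_URL_BASE`; if that variable still carries an https URL (the removed line used one), SNI is no longer sent, so either keep the directive or add a comment stating that the base is expected to be plain http.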
@@ -36,10 +43,16 @@
 copy:
 src: default.conf
 dest: /var/jitsi-meet/web/nginx/site-confs/default
-- name: Write nginx meet config
+# END TODO
+
+# These files are interpreted by the container at startup and are templated
+# using the frep tool. Ideally we'll keep the content in templates to a
+# minumum and rely on upstream as much as possible.
+- name: Write nginx meet config template
 copy:
 src: meet.conf
- dest: /var/jitsi-meet/web/nginx/meet.conf
+ dest: /var/jitsi-meet/defaults/web/nginx/meet.conf
+
 - name: Run docker-compose pull
 shell:
 cmd: docker-compose pull
diff --git a/playbooks/roles/jitsi-meet/templates/jvb-env.j2 b/playbooks/roles/jitsi-meet/templates/jvb-env.j2
index aebecdeb1d..f0d5eac4c4 100644
--- a/playbooks/roles/jitsi-meet/templates/jvb-env.j2
+++ b/playbooks/roles/jitsi-meet/templates/jvb-env.j2
@@ -6,6 +6,9 @@
 # Directory where all configuration will be stored.
 CONFIG=/var/jitsi-meet
+# Directory where templates to generate configs are stored.
+DEFAULTS=/var/jitsi-meet/defaults
+
 # System time zone.
 TZ=Etc/UTC
diff --git a/playbooks/roles/jitsi-meet/templates/meet-env.j2 b/playbooks/roles/jitsi-meet/templates/meet-env.j2
index 4ccc6bfff5..6602cfee68 100644
--- a/playbooks/roles/jitsi-meet/templates/meet-env.j2
+++ b/playbooks/roles/jitsi-meet/templates/meet-env.j2
@@ -6,6 +6,9 @@
 # Directory where all configuration will be stored.
 CONFIG=/var/jitsi-meet
+# Directory where templates to generate configs are stored.
+DEFAULTS=/var/jitsi-meet/defaults
+
 # System time zone.
 TZ=Etc/UTC
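Review bot: Moving `dest` to `/var/jitsi-meet/defaults/web/nginx/meet.conf` leaves the file the previous dest wrote at `/var/jitsi-meet/web/nginx/meet.conf` in place on already-deployed hosts, and that `web` tree is still bind-mounted into the container as `/config` by the compose file in this change, so a stale, no-longer-managed copy keeps riding along; a `file: path: /var/jitsi-meet/web/nginx/meet.conf` with `state: absent` task beside this one would make the rename converge. The same `/var/jitsi-meet/defaults` path is also hard-coded as `DEFAULTS=` in both jvb-env.j2 and meet-env.j2, so a single role variable used in all three places would keep them from drifting. The new comment's `minumum` should read `minimum`.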