matrix-docker-ansible-deploy/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2

#jinja2: lstrip_blocks: "True"

{% macro render_vhost_directives() %}
	gzip on;
	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
	add_header X-Content-Type-Options nosniff;
{% for configuration_block in matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks %}
	{{- configuration_block }}
{% endfor %}

	location / {
		{% if matrix_nginx_proxy_enabled %}
			{# Use the embedded DNS resolver in Docker containers to discover the service #}
			resolver 127.0.0.11 valid=5s;
			set $backend "matrix-jitsi-web:80";
			proxy_pass http://$backend;
		{% else %}
			{# Generic configuration for use outside of our container setup #}
			proxy_pass http://127.0.0.1:12080;
		{% endif %}

		proxy_set_header Host $host;
		proxy_set_header X-Forwarded-For $remote_addr;
	}

	# colibri (JVB) websockets
	location ~ ^/colibri-ws/([a-zA-Z0-9-\.]+)/(.*) {
		{% if matrix_nginx_proxy_enabled %}
			resolver 127.0.0.11 valid=5s;
			set $backend "matrix-jitsi-jvb:9090";
			proxy_pass http://$backend;
		{% else %}
			{# Generic configuration for use outside of our container setup #}
			proxy_pass http://127.0.0.1:12090;
		{% endif %}

		proxy_set_header Host $host;
		proxy_set_header X-Forwarded-For $remote_addr;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "upgrade";

		proxy_http_version 1.1;

		tcp_nodelay on;
	}
{% endmacro %}

server {
	listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
	server_name {{ matrix_nginx_proxy_proxy_jitsi_hostname }};

	server_tokens off;
	root /dev/null;

	{% if matrix_nginx_proxy_https_enabled %}
		location /.well-known/acme-challenge {
			{% if matrix_nginx_proxy_enabled %}
				{# Use the embedded DNS resolver in Docker containers to discover the service #}
				resolver 127.0.0.11 valid=5s;
				set $backend "matrix-certbot:8080";
				proxy_pass http://$backend;
			{% else %}
				{# Generic configuration for use outside of our container setup #}
				proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
			{% endif %}
		}

		location / {
			return 301 https://$http_host$request_uri;
		}
	{% else %}
		{{ render_vhost_directives() }}
	{% endif %}
}

{% if matrix_nginx_proxy_https_enabled %}
server {
	listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
	listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;

	server_name {{ matrix_nginx_proxy_proxy_jitsi_hostname }};

	server_tokens off;
	root /dev/null;

	ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/fullchain.pem;
	ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/privkey.pem;

	{% if matrix_nginx_proxy_ssl_config == "Modern" %}
	ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers off;

	{% elif matrix_nginx_proxy_ssl_config == "Intermediate" %}
	ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

	{% elif matrix_nginx_proxy_ssl_config == "Old" %}
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
    ssl_prefer_server_ciphers on;

	{% elif matrix_nginx_proxy_ssl_config == "Custom" %}
	ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
	ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};

	{% endif %}

	{{ render_vhost_directives() }}
}
{% endif %}
Add Jitsi support 2020-03-23 15:19:15 +00:00			`#jinja2: lstrip_blocks: "True"`

			`{% macro render_vhost_directives() %}`
			`gzip on;`
			`gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;`
Update matrix-jitsi.conf.j2 2020-07-22 17:39:24 +00:00			`add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`
			`add_header X-Content-Type-Options nosniff;`
Add Jitsi support 2020-03-23 15:19:15 +00:00			`{% for configuration_block in matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks %}`
			`{{- configuration_block }}`
			`{% endfor %}`

			`location / {`
			`{% if matrix_nginx_proxy_enabled %}`
			`{# Use the embedded DNS resolver in Docker containers to discover the service #}`
			`resolver 127.0.0.11 valid=5s;`
			`set $backend "matrix-jitsi-web:80";`
			`proxy_pass http://$backend;`
			`{% else %}`
			`{# Generic configuration for use outside of our container setup #}`
			`proxy_pass http://127.0.0.1:12080;`
			`{% endif %}`

			`proxy_set_header Host $host;`
			`proxy_set_header X-Forwarded-For $remote_addr;`
			`}`
Make JVB websockets reverse-proxying work 2020-11-27 15:57:07 +00:00
			`# colibri (JVB) websockets`
			`location ~ ^/colibri-ws/([a-zA-Z0-9-\.]+)/(.*) {`
			`{% if matrix_nginx_proxy_enabled %}`
			`resolver 127.0.0.11 valid=5s;`
			`set $backend "matrix-jitsi-jvb:9090";`
			`proxy_pass http://$backend;`
			`{% else %}`
			`{# Generic configuration for use outside of our container setup #}`
			`proxy_pass http://127.0.0.1:12090;`
			`{% endif %}`

			`proxy_set_header Host $host;`
			`proxy_set_header X-Forwarded-For $remote_addr;`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection "upgrade";`

			`proxy_http_version 1.1;`

			`tcp_nodelay on;`
			`}`
Add Jitsi support 2020-03-23 15:19:15 +00:00			`{% endmacro %}`

			`server {`
			`listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};`
			`server_name {{ matrix_nginx_proxy_proxy_jitsi_hostname }};`

			`server_tokens off;`
			`root /dev/null;`

			`{% if matrix_nginx_proxy_https_enabled %}`
			`location /.well-known/acme-challenge {`
			`{% if matrix_nginx_proxy_enabled %}`
			`{# Use the embedded DNS resolver in Docker containers to discover the service #}`
			`resolver 127.0.0.11 valid=5s;`
			`set $backend "matrix-certbot:8080";`
			`proxy_pass http://$backend;`
			`{% else %}`
			`{# Generic configuration for use outside of our container setup #}`
			`proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};`
			`{% endif %}`
			`}`

			`location / {`
			`return 301 https://$http_host$request_uri;`
			`}`
			`{% else %}`
			`{{ render_vhost_directives() }}`
			`{% endif %}`
			`}`

			`{% if matrix_nginx_proxy_https_enabled %}`
			`server {`
			`listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;`
			`listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;`

Fix incorrect server_name for Jitsi Fixes #417 (Github Issue) 2020-03-24 15:57:33 +00:00			`server_name {{ matrix_nginx_proxy_proxy_jitsi_hostname }};`
Add Jitsi support 2020-03-23 15:19:15 +00:00
			`server_tokens off;`
			`root /dev/null;`

			`ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/fullchain.pem;`
			`ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/privkey.pem;`
Add `matrix_nginx_proxy_ssl_config` A new variable called `matrix_nginx_proxy_ssl_config` is created for configuring how the nginx proxy configures SSL. Also a new configuration validation option and other auxiliary variables are created. A new variable configuration called `matrix_nginx_proxy_ssl_config` is created. This allow to set the SSL configuration easily using the default options proposed by Mozilla. The default configuration is set to "Intermediate", removing the weak ciphers used in the old configurations. The new variable can also be set to "Custom" for a more granular control. This allows to set another three variables called: - `matrix_nginx_proxy_ssl_protocols`, - `matrix_nginx_proxy_ssl_prefer_server_ciphers` - `matrix_nginx_proxy_ssl_ciphers` Also a new task is added to validate the SSL configuration variable. 2020-12-16 09:35:37 +00:00
			`{% if matrix_nginx_proxy_ssl_config == "Modern" %}`
			`ssl_protocols TLSv1.3;`
			`ssl_prefer_server_ciphers off;`

			`{% elif matrix_nginx_proxy_ssl_config == "Intermediate" %}`
			`ssl_protocols TLSv1.2 TLSv1.3;`
			`ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;`
			`ssl_prefer_server_ciphers off;`

			`{% elif matrix_nginx_proxy_ssl_config == "Old" %}`
			`ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;`
			ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
			`ssl_prefer_server_ciphers on;`

			`{% elif matrix_nginx_proxy_ssl_config == "Custom" %}`
Add Jitsi support 2020-03-23 15:19:15 +00:00			`ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};`
Add `matrix_nginx_proxy_ssl_config` A new variable called `matrix_nginx_proxy_ssl_config` is created for configuring how the nginx proxy configures SSL. Also a new configuration validation option and other auxiliary variables are created. A new variable configuration called `matrix_nginx_proxy_ssl_config` is created. This allow to set the SSL configuration easily using the default options proposed by Mozilla. The default configuration is set to "Intermediate", removing the weak ciphers used in the old configurations. The new variable can also be set to "Custom" for a more granular control. This allows to set another three variables called: - `matrix_nginx_proxy_ssl_protocols`, - `matrix_nginx_proxy_ssl_prefer_server_ciphers` - `matrix_nginx_proxy_ssl_ciphers` Also a new task is added to validate the SSL configuration variable. 2020-12-16 09:35:37 +00:00			`ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};`
			`ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};`

			`{% endif %}`
Add Jitsi support 2020-03-23 15:19:15 +00:00
			`{{ render_vhost_directives() }}`
			`}`
			`{% endif %}`