jitsi-k8s/containers/non-root/web/defaults/meet.conf

{{ $ENABLE_COLIBRI_WEBSOCKET := .Env.ENABLE_COLIBRI_WEBSOCKET | default "0" | toBool }}
{{ $COLIBRI_WEBSOCKET_PORT := .Env.COLIBRI_WEBSOCKET_PORT | default "9090" }}
{{ $COLIBRI_WEBSOCKET_REGEX := .Env.COLIBRI_WEBSOCKET_REGEX | default "jvb" }}
{{ $ENABLE_JAAS_COMPONENTS := .Env.ENABLE_JAAS_COMPONENTS | default "0" | toBool }}
{{ $ENABLE_LOAD_TEST_CLIENT := .Env.ENABLE_LOAD_TEST_CLIENT | default "0" | toBool }}
{{ $ENABLE_OCTO := .Env.ENABLE_OCTO | default "0" | toBool -}}
{{ $ENABLE_XMPP_WEBSOCKET := .Env.ENABLE_XMPP_WEBSOCKET | default "1" | toBool }}
{{ $ENABLE_SUBDOMAINS := .Env.ENABLE_SUBDOMAINS | default "true" | toBool -}}
{{ $XMPP_DOMAIN := .Env.XMPP_DOMAIN | default "meet.jitsi" -}}
{{ $XMPP_BOSH_URL_BASE := .Env.XMPP_BOSH_URL_BASE | default "http://xmpp.meet.jitsi:5280" -}}
{{ $CORS_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN := .Env.CORS_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN | default "*" }}

server_name _;

charset utf8;

client_max_body_size 0;

root /usr/share/jitsi-meet;

# ssi on with javascript for multidomain variables in config.js
ssi on;
ssi_types application/x-javascript application/javascript;

index index.html index.htm;
error_page 404 /static/404.html;

# Security headers
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

set $prefix "";

{{ if .Env.DEPLOYMENTINFO_SHARD }}
add_header X-Jitsi-Shard {{ .Env.DEPLOYMENTINFO_SHARD }};
{{ end }}

# Opt out of FLoC (deprecated)
add_header Permissions-Policy "interest-cohort=()";

location = /config.js {
    alias /config/config.js;
}

location = /interface_config.js {
    alias /config/interface_config.js;
}

location = /external_api.js {
    alias /usr/share/jitsi-meet/libs/external_api.min.js;
}

{{ if $ENABLE_JAAS_COMPONENTS }}
location = /_api/room-info {
    proxy_pass {{ $XMPP_BOSH_URL_BASE }}/room-info?prefix=$prefix&$args;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header Host $http_host;
}
{{ end }}

# ensure all static content can always be found first
location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$ {
    add_header 'Access-Control-Allow-Origin' '{{ $CORS_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN }}';
    alias /usr/share/jitsi-meet/$1/$2;

    # cache all versioned files
    if ($arg_v) {
        expires 1y;
    }
}

{{ if $ENABLE_COLIBRI_WEBSOCKET }}
# colibri (JVB) websockets
location ~ ^/colibri-ws/({{ $COLIBRI_WEBSOCKET_REGEX }})/(.*) {
    tcp_nodelay on;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    proxy_pass http://$1:{{ $COLIBRI_WEBSOCKET_PORT }}/colibri-ws/$1/$2$is_args$args;
}

{{ if $ENABLE_OCTO }}
# colibri (JVB) Relay to Relay websockets
location ~ ^/colibri-relay-ws/([a-zA-Z0-9-\._]+)/(.*) {
    tcp_nodelay on;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    proxy_pass http://$1:{{ $COLIBRI_WEBSOCKET_PORT }}/colibri-relay-ws/$1/$2$is_args$args;
}
{{ end }}
{{ end }}

# BOSH
location = /http-bind {
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header Host {{ $XMPP_DOMAIN }};

    proxy_pass {{ $XMPP_BOSH_URL_BASE }}/http-bind?prefix=$prefix&$args;
}

{{ if $ENABLE_XMPP_WEBSOCKET }}
# xmpp websockets
location = /xmpp-websocket {
    tcp_nodelay on;

    proxy_http_version 1.1;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Host {{ $XMPP_DOMAIN }};
    proxy_set_header X-Forwarded-For $remote_addr;

    proxy_pass {{ $XMPP_BOSH_URL_BASE }}/xmpp-websocket?prefix=$prefix&$args;
}
{{ end }}

{{ if .Env.ETHERPAD_URL_BASE }}
# Etherpad-lite
location ^~ /etherpad/ {
    proxy_buffering off;
    proxy_cache_bypass $http_upgrade;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Forwarded-For $remote_addr;

    proxy_pass {{ .Env.ETHERPAD_URL_BASE }}/;
}
{{ end }}

{{ if .Env.WHITEBOARD_COLLAB_SERVER_URL_BASE }}
# whiteboard (excalidraw-backend)
location = /socket.io/ {
    proxy_buffering off;
    proxy_cache_bypass $http_upgrade;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Forwarded-For $remote_addr;

    proxy_pass {{ .Env.WHITEBOARD_COLLAB_SERVER_URL_BASE }}/socket.io/?$args;
}
{{ end }}

location ~ ^/([^/?&:'"]+)$ {
    try_files $uri @root_path;
}

location @root_path {
    rewrite ^/(.*)$ / break;
}

{{ if $ENABLE_SUBDOMAINS }}
    # Matches /(TENANT)/pwa-worker.js or /(TENANT)/manifest.json to rewrite to / and look for file
    location ~ ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)$ {
        set $subdomain "$1.";
        set $subdir "$1/";
        rewrite ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)$ /$2;
    }

    location ~ ^/([^/?&:'"]+)/config.js$ {
        set $subdomain "$1.";
        set $subdir "$1/";

        alias /config/config.js;
    }

    # BOSH for subdomains
    location ~ ^/([^/?&:'"]+)/http-bind {
        set $subdomain "$1.";
        set $subdir "$1/";
        set $prefix "$1";

        rewrite ^/(.*)$ /http-bind;
    }

    {{ if $ENABLE_XMPP_WEBSOCKET }}
    # websockets for subdomains
    location ~ ^/([^/?&:'"]+)/xmpp-websocket {
        set $subdomain "$1.";
        set $subdir "$1/";
        set $prefix "$1";

        rewrite ^/(.*)$ /xmpp-websocket;
    }
    {{ end }}

    {{ if $ENABLE_JAAS_COMPONENTS }}
    location ~ ^/([^/?&:'"]+)/_api/room-info {
        set $subdomain "$1.";
        set $subdir "$1/";
        set $prefix "$1";

        rewrite ^/(.*)$ /_api/room-info;
    }
    {{ end }}

    {{- if $ENABLE_LOAD_TEST_CLIENT }}
    # load test minimal client, uncomment when used
    location ~ ^/_load-test/([^/?&:'"]+)$ {
        rewrite ^/_load-test/(.*)$ /load-test/index.html break;
    }
    location ~ ^/_load-test/libs/(.*)$ {
        add_header 'Access-Control-Allow-Origin' '{{ $CORS_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN }}';
        alias /usr/share/jitsi-meet/load-test/libs/$1;
    }

    # load-test for subdomains
    location ~ ^/([^/?&:'"]+)/_load-test/([^/?&:'"]+)$ {
        set $subdomain "$1.";
        set $subdir "$1/";
        set $prefix "$1";

        rewrite ^/(.*)$ /load-test/index.html break;
    }

    # load-test for subdomains
    location ~ ^/([^/?&:'"]+)/_load-test/libs/(.*)$ {
        set $subdomain "$1.";
        set $subdir "$1/";
        set $prefix "$1";

        alias /usr/share/jitsi-meet/load-test/libs/$2;
    }

    {{- end }}
    # Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
    location ~ ^/([^/?&:'"]+)/(.*)$ {
        set $subdomain "$1.";
        set $subdir "$1/";
        rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
    }
{{ end }}
web:non-root 2024-07-15 14:39:02 +00:00			`{{ $ENABLE_COLIBRI_WEBSOCKET := .Env.ENABLE_COLIBRI_WEBSOCKET \| default "0" \| toBool }}`
			`{{ $COLIBRI_WEBSOCKET_PORT := .Env.COLIBRI_WEBSOCKET_PORT \| default "9090" }}`
			`{{ $COLIBRI_WEBSOCKET_REGEX := .Env.COLIBRI_WEBSOCKET_REGEX \| default "jvb" }}`
			`{{ $ENABLE_JAAS_COMPONENTS := .Env.ENABLE_JAAS_COMPONENTS \| default "0" \| toBool }}`
			`{{ $ENABLE_LOAD_TEST_CLIENT := .Env.ENABLE_LOAD_TEST_CLIENT \| default "0" \| toBool }}`
			`{{ $ENABLE_OCTO := .Env.ENABLE_OCTO \| default "0" \| toBool -}}`
			`{{ $ENABLE_XMPP_WEBSOCKET := .Env.ENABLE_XMPP_WEBSOCKET \| default "1" \| toBool }}`
			`{{ $ENABLE_SUBDOMAINS := .Env.ENABLE_SUBDOMAINS \| default "true" \| toBool -}}`
			`{{ $XMPP_DOMAIN := .Env.XMPP_DOMAIN \| default "meet.jitsi" -}}`
			`{{ $XMPP_BOSH_URL_BASE := .Env.XMPP_BOSH_URL_BASE \| default "http://xmpp.meet.jitsi:5280" -}}`
			`{{ $CORS_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN := .Env.CORS_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN \| default "*" }}`

			`server_name _;`

			`charset utf8;`

			`client_max_body_size 0;`

			`root /usr/share/jitsi-meet;`

			`# ssi on with javascript for multidomain variables in config.js`
			`ssi on;`
			`ssi_types application/x-javascript application/javascript;`

			`index index.html index.htm;`
			`error_page 404 /static/404.html;`

			`# Security headers`
			`add_header X-Content-Type-Options nosniff;`
			`add_header X-XSS-Protection "1; mode=block";`

			`set $prefix "";`

			`{{ if .Env.DEPLOYMENTINFO_SHARD }}`
			`add_header X-Jitsi-Shard {{ .Env.DEPLOYMENTINFO_SHARD }};`
			`{{ end }}`

			`# Opt out of FLoC (deprecated)`
			`add_header Permissions-Policy "interest-cohort=()";`

			`location = /config.js {`
			`alias /config/config.js;`
			`}`

			`location = /interface_config.js {`
			`alias /config/interface_config.js;`
			`}`

			`location = /external_api.js {`
			`alias /usr/share/jitsi-meet/libs/external_api.min.js;`
			`}`

			`{{ if $ENABLE_JAAS_COMPONENTS }}`
			`location = /_api/room-info {`
			`proxy_pass {{ $XMPP_BOSH_URL_BASE }}/room-info?prefix=$prefix&$args;`
			`proxy_http_version 1.1;`
			`proxy_set_header X-Forwarded-For $remote_addr;`
			`proxy_set_header Host $http_host;`
			`}`
			`{{ end }}`

			`# ensure all static content can always be found first`
			`location ~ ^/(libs\|css\|static\|images\|fonts\|lang\|sounds\|connection_optimization\|.well-known)/(.*)$ {`
			`add_header 'Access-Control-Allow-Origin' '{{ $CORS_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN }}';`
			`alias /usr/share/jitsi-meet/$1/$2;`

			`# cache all versioned files`
			`if ($arg_v) {`
			`expires 1y;`
			`}`
			`}`

			`{{ if $ENABLE_COLIBRI_WEBSOCKET }}`
			`# colibri (JVB) websockets`
			`location ~ ^/colibri-ws/({{ $COLIBRI_WEBSOCKET_REGEX }})/(.*) {`
			`tcp_nodelay on;`

			`proxy_http_version 1.1;`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection $connection_upgrade;`

			`proxy_pass http://$1:{{ $COLIBRI_WEBSOCKET_PORT }}/colibri-ws/$1/$2$is_args$args;`
			`}`

			`{{ if $ENABLE_OCTO }}`
			`# colibri (JVB) Relay to Relay websockets`
			`location ~ ^/colibri-relay-ws/([a-zA-Z0-9-\._]+)/(.*) {`
			`tcp_nodelay on;`

			`proxy_http_version 1.1;`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection $connection_upgrade;`

			`proxy_pass http://$1:{{ $COLIBRI_WEBSOCKET_PORT }}/colibri-relay-ws/$1/$2$is_args$args;`
			`}`
			`{{ end }}`
			`{{ end }}`

			`# BOSH`
			`location = /http-bind {`
			`proxy_set_header X-Forwarded-For $remote_addr;`
			`proxy_set_header Host {{ $XMPP_DOMAIN }};`

			`proxy_pass {{ $XMPP_BOSH_URL_BASE }}/http-bind?prefix=$prefix&$args;`
			`}`

			`{{ if $ENABLE_XMPP_WEBSOCKET }}`
			`# xmpp websockets`
			`location = /xmpp-websocket {`
			`tcp_nodelay on;`

			`proxy_http_version 1.1;`
			`proxy_set_header Connection $connection_upgrade;`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Host {{ $XMPP_DOMAIN }};`
			`proxy_set_header X-Forwarded-For $remote_addr;`

			`proxy_pass {{ $XMPP_BOSH_URL_BASE }}/xmpp-websocket?prefix=$prefix&$args;`
			`}`
			`{{ end }}`

			`{{ if .Env.ETHERPAD_URL_BASE }}`
			`# Etherpad-lite`
			`location ^~ /etherpad/ {`
			`proxy_buffering off;`
			`proxy_cache_bypass $http_upgrade;`

			`proxy_http_version 1.1;`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection "upgrade";`
			`proxy_set_header X-Forwarded-For $remote_addr;`

			`proxy_pass {{ .Env.ETHERPAD_URL_BASE }}/;`
			`}`
			`{{ end }}`

			`{{ if .Env.WHITEBOARD_COLLAB_SERVER_URL_BASE }}`
			`# whiteboard (excalidraw-backend)`
			`location = /socket.io/ {`
			`proxy_buffering off;`
			`proxy_cache_bypass $http_upgrade;`

			`proxy_http_version 1.1;`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection "upgrade";`
			`proxy_set_header X-Forwarded-For $remote_addr;`

			`proxy_pass {{ .Env.WHITEBOARD_COLLAB_SERVER_URL_BASE }}/socket.io/?$args;`
			`}`
			`{{ end }}`

			`location ~ ^/([^/?&:'"]+)$ {`
			`try_files $uri @root_path;`
			`}`

			`location @root_path {`
			`rewrite ^/(.*)$ / break;`
			`}`

			`{{ if $ENABLE_SUBDOMAINS }}`
			`# Matches /(TENANT)/pwa-worker.js or /(TENANT)/manifest.json to rewrite to / and look for file`
			`location ~ ^/([^/?&:'"]+)/(pwa-worker.js\|manifest.json)$ {`
			`set $subdomain "$1.";`
			`set $subdir "$1/";`
			`rewrite ^/([^/?&:'"]+)/(pwa-worker.js\|manifest.json)$ /$2;`
			`}`

			`location ~ ^/([^/?&:'"]+)/config.js$ {`
			`set $subdomain "$1.";`
			`set $subdir "$1/";`

			`alias /config/config.js;`
			`}`

			`# BOSH for subdomains`
			`location ~ ^/([^/?&:'"]+)/http-bind {`
			`set $subdomain "$1.";`
			`set $subdir "$1/";`
			`set $prefix "$1";`

			`rewrite ^/(.*)$ /http-bind;`
			`}`

			`{{ if $ENABLE_XMPP_WEBSOCKET }}`
			`# websockets for subdomains`
			`location ~ ^/([^/?&:'"]+)/xmpp-websocket {`
			`set $subdomain "$1.";`
			`set $subdir "$1/";`
			`set $prefix "$1";`

			`rewrite ^/(.*)$ /xmpp-websocket;`
			`}`
			`{{ end }}`

			`{{ if $ENABLE_JAAS_COMPONENTS }}`
			`location ~ ^/([^/?&:'"]+)/_api/room-info {`
			`set $subdomain "$1.";`
			`set $subdir "$1/";`
			`set $prefix "$1";`

			`rewrite ^/(.*)$ /_api/room-info;`
			`}`
			`{{ end }}`

			`{{- if $ENABLE_LOAD_TEST_CLIENT }}`
			`# load test minimal client, uncomment when used`
			`location ~ ^/_load-test/([^/?&:'"]+)$ {`
			`rewrite ^/_load-test/(.*)$ /load-test/index.html break;`
			`}`
			`location ~ ^/_load-test/libs/(.*)$ {`
			`add_header 'Access-Control-Allow-Origin' '{{ $CORS_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN }}';`
			`alias /usr/share/jitsi-meet/load-test/libs/$1;`
			`}`

			`# load-test for subdomains`
			`location ~ ^/([^/?&:'"]+)/_load-test/([^/?&:'"]+)$ {`
			`set $subdomain "$1.";`
			`set $subdir "$1/";`
			`set $prefix "$1";`

			`rewrite ^/(.*)$ /load-test/index.html break;`
			`}`

			`# load-test for subdomains`
			`location ~ ^/([^/?&:'"]+)/_load-test/libs/(.*)$ {`
			`set $subdomain "$1.";`
			`set $subdir "$1/";`
			`set $prefix "$1";`

			`alias /usr/share/jitsi-meet/load-test/libs/$2;`
			`}`

			`{{- end }}`
			`# Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /`
			`location ~ ^/([^/?&:'"]+)/(.*)$ {`
			`set $subdomain "$1.";`
			`set $subdir "$1/";`
			`rewrite ^/([^/?&:'"]+)/(.*)$ /$2;`
			`}`
			`{{ end }}`