## The Chinwag ejabberd setup does not do any HTTP SSL termination in ejabberd
## itself at all. ejabberd uses unencrypted HTTP connections, but only listens
## on the localhost interface. This simplifies the config a great deal.
## Derive the Connection header value nginx sends upstream from the client's
## Upgrade header: an empty Upgrade (ordinary HTTP request) maps to "close",
## anything else (a WebSocket handshake) maps to "upgrade".
map $http_upgrade $connection_upgrade {
    ''      close;
    default upgrade;
}
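## Plain-HTTP virtual host. Its only job is to answer ACME HTTP-01 challenges
## (proxied to ejabberd) and to redirect every other request to HTTPS.
server {
    ## If using Let's Encrypt domain validation directly through ejabberd,
    ## it might be handy to have a section here as a virtual host definition
    ## for all XMPP-related subdomains that need certificates.
    ##
    ## If using DNS validation, this can all be skipped, but you'll need a
    ## script run via LE renewal hooks to reload ejabberd when the certificates
    ## are refreshed.
    ##
    ## Note this is in HTTP config only, not HTTPS.

    listen 80;
    listen [::]:80;
    server_name chat.chinwag.org;

    access_log /var/log/nginx/chat.chinwag.org-access.log;
    error_log /var/log/nginx/chat.chinwag.org-error.log;

    ## ejabberd answers the ACME challenge. The header comment states that
    ## ejabberd only listens on the loopback interface, and every other proxied
    ## location in this file targets 127.0.0.1:5280, so use the same loopback
    ## address here instead of the unspecified address [::] (whose connect
    ## semantics are platform-dependent).
    location /.well-known/acme-challenge {
        proxy_pass http://127.0.0.1:5280/.well-known/acme-challenge;
    }

    ## Send everything else to the HTTPS host
    location / {
        return 301 https://$host$request_uri;
    }
}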
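## HTTPS virtual host: serves the static ConverseJS index page and reverse
## proxies the ejabberd HTTP endpoints (admin, BOSH, file upload, WebSocket)
## to the loopback-only ejabberd listener on port 5280.
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    ## chat.chinwag.org is the only hostname advertised for user-facing services. You
    ## might want to have a catch all redirect for things like pubsub, conference, etc
    ## subdomains that redirect here, or to a general landing page.

    ## "chat" was chosen as a more informative domain option than "xmpp" which I've
    ## deliberately avoided using in any place a user might encounter it.
    server_name chat.chinwag.org;

    index index.html;

    access_log /var/log/nginx/chat.chinwag.org-access.log;
    error_log /var/log/nginx/chat.chinwag.org-error.log;

    ssl_certificate /etc/letsencrypt/live/chat.chinwag.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/chat.chinwag.org/privkey.pem;
    ## TLS 1.0 and 1.1 are deprecated (RFC 8996); offer only 1.2 and 1.3.
    ssl_protocols TLSv1.2 TLSv1.3;

    ## NOTE(review): no HSTS header is sent. Consider
    ## add_header Strict-Transport-Security once every name served from this
    ## host is confirmed to be HTTPS-only.

    # A minimal index page that loads a ConverseJS client lives here
    location / {
        root /srv/www/chat.chinwag.org/;
    }

    location /logo/conversejs-filled.svg {
        return 301 https://static.chinwag.org/chinwag-logo-simple-mono.svg;
    }

    # Adding IP-based restrictions to access this area might be desirable.
    # nginx applies no allow/deny or auth_basic here, so access control for
    # the admin interface rests entirely with the upstream.
    location /admin {
        proxy_pass http://127.0.0.1:5280/admin/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        ## Taken from the $connection_upgrade map at the top of the file, so a
        ## plain request is not forwarded with "Connection: upgrade".
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # BOSH endpoint
    location /bosh {
        proxy_pass http://127.0.0.1:5280/bosh/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        ## Long-polling BOSH connections stay open; keep the read timeout long.
        proxy_read_timeout 3600;
    }

    # All HTTP image etc uploads are handled under https://chat.chinwag.org/files
    # see ejabberd.yml for the other side of this, files are kept in /srv/www/ejabberd
    # which will need write permissions for the ejabberd process user.
    #
    # CORS headers are handled by ejabberd.
    #
    # NOTE(review): no client_max_body_size is set here, so nginx's default
    # limit (1m unless overridden at a wider scope) applies and larger uploads
    # are rejected by nginx before reaching ejabberd — confirm against the
    # upload size limit configured in ejabberd.yml.
    location /files {
        proxy_pass http://127.0.0.1:5280/files/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Websocket endpoint
    location /ws {
        proxy_pass http://127.0.0.1:5280/ws/;
        proxy_http_version 1.1;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        ## Idle WebSocket sessions must not be cut by the default read timeout.
        proxy_read_timeout 3600;
    }
}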