Initial Nginx config with annotations

nginx/chat.chinwag.org.conf

@@ -0,0 +1,111 @@
+## The Chinwag ejabberd setup does not do any HTTP SSL termination in ejabberd
+## itself at all. ejabberd uses unencrypted HTTP connections, but only listens
+## on the localhost interface. This simplifies the config a great deal.
+
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    '' close;
+}
+
+server {
+    ## If using Let's Encrypt domain validation directly through ejabberd,
+    ## it might be handy to have a section here as a virtual host definition
+    ## for all XMPP-related subdomains that need certificates.
+    ##
+    ## If using DNS validation, this can all be skipped, but you'll need a 
+    ## script run via LE renewal hooks to reload ejabberd when the certificates
+    ## are refreshed.
+    ##
+    ## Note this is in HTTP config only, not HTTPS.
+
+	listen 80;
+	listen [::]:80;
+	server_name chat.chinwag.org;
+
+	access_log /var/log/nginx/chat.chinwag.org-access.log;
+	error_log /var/log/nginx/chat.chinwag.org-error.log;
+
+	location /.well-known/acme-challenge {
+		proxy_pass http://[::]:5280/.well-known/acme-challenge;
+	}
+
+	## Send everything to HTTPS host
+	location / {
+		return 301 https://$host$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl;
+	listen [::]:443 ssl;
+
+    ## chat.chinwag.org is the only hostname advertised for user-facing services. You
+    ## might want to have a catch all redirect for things like pubsub, conference, etc
+    ## subdomains that redirect here, or to a general landing page.
+
+    ## "chat" was chosen as a more informative domain option than "xmpp" which I've
+    ## deliberately avoided using in any place a user might encounter it.
+	server_name chat.chinwag.org;
+
+	index index.html;
+
+	access_log /var/log/nginx/chat.chinwag.org-access.log;
+	error_log /var/log/nginx/chat.chinwag.org-error.log;
+
+	ssl_certificate                 /etc/letsencrypt/live/chat.chinwag.org/fullchain.pem;
+	ssl_certificate_key             /etc/letsencrypt/live/chat.chinwag.org/privkey.pem;
+	ssl_protocols			TLSv1.1 TLSv1.2 TLSv1.3;
+
+	# A minimal index page that loads a ConverseJS client lives here
+	location / {
+		root /srv/www/chat.chinwag.org/;
+	}
+
+	location /logo/conversejs-filled.svg {
+		return 301 https://static.chinwag.org/chinwag-logo-simple-mono.svg;
+	}
+
+	# Adding IP-based restrictions to access this area might be desirable
+	location /admin {
+		proxy_pass http://127.0.0.1:5280/admin/;
+		proxy_http_version 1.1;
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection "upgrade";
+		proxy_set_header Host $host;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+	}       
+
+	# BOSH endpoint
+	location /bosh {
+		proxy_pass http://127.0.0.1:5280/bosh/;
+		proxy_http_version 1.1;
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection "upgrade";
+		proxy_set_header Host $host;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_read_timeout 3600;
+	}       
+
+	# All HTTP image etc uploads are handled under https://chat.chinwag.org/files
+	# see ejabberd.yml for the other side of this, files are kept in /srv/www/ejabberd
+    # which will need write permissions for the ejabberd process user.
+    #
+    # CORS headers are handled by ejabberd.
+	location /files {
+		proxy_pass http://127.0.0.1:5280/files/;
+		proxy_set_header Host $host;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+	}       
+
+	# Websocket endpoint
+	location /ws {
+		proxy_pass http://127.0.0.1:5280/ws/;
+		proxy_http_version 1.1;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection "upgrade";
+		proxy_set_header Host $host;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_read_timeout 3600;
+	}       
+}