Initial Nginx config with annotations

This commit is contained in:
Mike Barnes 2021-02-22 00:11:09 +00:00
parent 75e6197b0e
commit 579d9edac6

111
nginx/chat.chinwag.org.conf Normal file
View file

@ -0,0 +1,111 @@
## The Chinwag ejabberd setup does not do any HTTP SSL termination in ejabberd
## itself at all. ejabberd uses unencrypted HTTP connections, but only listens
## on the localhost interface. This simplifies the config a great deal.
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
## If using Let's Encrypt domain validation directly through ejabberd,
## it might be handy to have a section here as a virtual host definition
## for all XMPP-related subdomains that need certificates.
##
## If using DNS validation, this can all be skipped, but you'll need a
## script run via LE renewal hooks to reload ejabberd when the certificates
## are refreshed.
##
## Note this is in HTTP config only, not HTTPS.
listen 80;
listen [::]:80;
server_name chat.chinwag.org;
access_log /var/log/nginx/chat.chinwag.org-access.log;
error_log /var/log/nginx/chat.chinwag.org-error.log;
location /.well-known/acme-challenge {
proxy_pass http://[::]:5280/.well-known/acme-challenge;
}
## Send everything to HTTPS host
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
## chat.chinwag.org is the only hostname advertised for user-facing services. You
## might want to have a catch all redirect for things like pubsub, conference, etc
## subdomains that redirect here, or to a general landing page.
## "chat" was chosen as a more informative domain option than "xmpp" which I've
## deliberately avoided using in any place a user might encounter it.
server_name chat.chinwag.org;
index index.html;
access_log /var/log/nginx/chat.chinwag.org-access.log;
error_log /var/log/nginx/chat.chinwag.org-error.log;
ssl_certificate /etc/letsencrypt/live/chat.chinwag.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/chat.chinwag.org/privkey.pem;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
# A minimal index page that loads a ConverseJS client lives here
location / {
root /srv/www/chat.chinwag.org/;
}
location /logo/conversejs-filled.svg {
return 301 https://static.chinwag.org/chinwag-logo-simple-mono.svg;
}
# Adding IP-based restrictions to access this area might be desirable
location /admin {
proxy_pass http://127.0.0.1:5280/admin/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# BOSH endpoint
location /bosh {
proxy_pass http://127.0.0.1:5280/bosh/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 3600;
}
# All HTTP image etc uploads are handled under https://chat.chinwag.org/files
# see ejabberd.yml for the other side of this, files are kept in /srv/www/ejabberd
# which will need write permissions for the ejabberd process user.
#
# CORS headers are handled by ejabberd.
location /files {
proxy_pass http://127.0.0.1:5280/files/;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# Websocket endpoint
location /ws {
proxy_pass http://127.0.0.1:5280/ws/;
proxy_http_version 1.1;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 3600;
}
}