From f5490f667704642bcb8a179df3929cc5a698e2b7 Mon Sep 17 00:00:00 2001
From: henne <accounts@hfellerhoff.de>
Date: Fri, 12 Mar 2021 13:07:37 +0000
Subject: [PATCH] added nginx config to readme

---
 README.md | 182 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 182 insertions(+)

diff --git a/README.md b/README.md
index 3683134..978d0c4 100644
--- a/README.md
+++ b/README.md
@@ -20,3 +20,185 @@ On the very bottom of the page is a List with all current users in the Meeting R
 
 Ask your users that they give themself a uniqe username. Best are simple names without blanks and any special symbols. Please avoid duplicate names.
 
+## NGINX Config
+
+Taken from an installation manual of Jitsi we use this nginx config for our instance. This allows CORS to function with the custom client hosted within another domain. If you prefer to have CORS disabled for other domanis, you can either change the wildcard to allowed domains, or add a location to your config to host the client at e.g. https://meet.example.com/streamclient/
+
+```
+server_names_hash_bucket_size 64;
+
+ 
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name meet.theater.digital;
+
+ 
+
+    location ^~ /.well-known/acme-challenge/ {
+       default_type "text/plain";
+       root         /usr/share/jitsi-meet;
+    }
+    location = /.well-known/acme-challenge/ {
+       return 404;
+    }
+    location / {
+       return 301 https://$host$request_uri;
+    }
+}
+
+
+
+server {
+    listen 4444 ssl http2;
+    listen [::]:4444 ssl http2;
+    server_name meet.theater.digital;
+
+ 
+
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED";
+
+ 
+
+    add_header Strict-Transport-Security "max-age=31536000";
+    add_header Access-Control-Allow-Origin *;
+    add_header access-control-expose-headers "Content-Type, X-Jitsi-Region, X-Jitsi-Shard, X-Proxy-Region";
+
+ 
+
+
+    ssl_certificate /etc/letsencrypt/live/meet.theater.digital/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/meet.theater.digital/privkey.pem;
+
+ 
+
+    root /usr/share/jitsi-meet;
+
+ 
+
+    # ssi on with javascript for multidomain variables in config.js
+    ssi on;
+    ssi_types application/x-javascript application/javascript;
+
+ 
+
+    index index.html index.htm;
+    error_page 404 /static/404.html;
+
+ 
+
+    gzip on;
+    gzip_types text/plain text/css application/javascript application/json;
+    gzip_vary on;
+
+ 
+
+    location = /config.js {
+        alias /etc/jitsi/meet/meet.theater.digital-config.js;
+    }
+
+ 
+
+    location = /external_api.js {
+        alias /usr/share/jitsi-meet/libs/external_api.min.js;
+    }
+
+ 
+
+    #ensure all static content can always be found first
+    location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
+    {
+        add_header 'Access-Control-Allow-Origin' '*';
+        alias /usr/share/jitsi-meet/$1/$2;
+    }
+
+ 
+
+    # BOSH
+    location = /http-bind {
+        proxy_pass      http://localhost:5280/http-bind;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header Host $http_host;
+        add_header access-control-allow-origin *;
+        add_header access-control-allow-credentials "true";
+        add_header access-control-allow-methods  "GET, POST, OPTIONS";
+        add_header access-control-allow-headers  "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type";
+        add_header access-control-expose-headers "Content-Type, X-Jitsi-Region, X-Jitsi-Shard, X-Proxy-Region";
+    }
+
+ 
+
+    # xmpp websockets
+    location = /xmpp-websocket {
+        proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=$prefix&$args;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $http_host;
+        tcp_nodelay on;
+    }
+
+ 
+
+    location ~ ^/([^/?&:'"]+)$ {
+        try_files $uri @root_path;
+    }
+
+ 
+
+    location @root_path {
+        rewrite ^/(.*)$ / break;
+    }
+
+ 
+
+    location ~ ^/([^/?&:'"]+)/config.js$
+    {
+       set $subdomain "$1.";
+       set $subdir "$1/";
+
+ 
+
+       alias /etc/jitsi/meet/meet.theater.digital-config.js;
+    }
+
+ 
+
+    #Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
+    location ~ ^/([^/?&:'"]+)/(.*)$ {
+        set $subdomain "$1.";
+        set $subdir "$1/";
+        rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
+    }
+
+ 
+
+    # BOSH for subdomains
+    location ~ ^/([^/?&:'"]+)/http-bind {
+        set $subdomain "$1.";
+        set $subdir "$1/";
+        set $prefix "$1";
+
+ 
+
+        rewrite ^/(.*)$ /http-bind;
+    }
+
+ 
+
+    # websockets for subdomains
+    location ~ ^/([^/?&:'"]+)/xmpp-websocket {
+        set $subdomain "$1.";
+        set $subdir "$1/";
+        set $prefix "$1";
+
+ 
+
+        rewrite ^/(.*)$ /xmpp-websocket;
+    }
+}
+```
+