Merge "Manage jitsi-meet meet.conf as a template input for the container"

playbooks/roles/jitsi-meet/files/jitsi-meet-docker/meet-docker-compose.yaml

@@ -12,6 +12,7 @@ services:
             - ${CONFIG}/web:/config
             - ${CONFIG}/web/letsencrypt:/etc/letsencrypt
             - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts
+            - ${DEFAULTS}/web/nginx/meet.conf:/defaults/meet.conf
         environment:
             - ENABLE_AUTH
             - ENABLE_GUESTS

playbooks/roles/jitsi-meet/files/meet.conf

@@ -1,50 +1,96 @@
+{{ $ENABLE_XMPP_WEBSOCKET := .Env.ENABLE_XMPP_WEBSOCKET | default "1" | toBool }}
+
 server_name _;
 
 client_max_body_size 0;
 
 root /usr/share/jitsi-meet;
-index index.html
+
+# ssi on with javascript for multidomain variables in config.js
+ssi on;
+ssi_types application/x-javascript application/javascript;
+
+index index.html index.htm;
 error_page 404 /static/404.html;
 
-location ~ ^/([a-zA-Z0-9=\?_-]+)$ {
+# Security headers
-    rewrite ^/(.*)$ / break;
+add_header X-Content-Type-Options nosniff;
-}
+add_header X-XSS-Protection "1; mode=block";
 
-location ^~ /config.js {
+location = /config.js {
     alias /config/config.js;
 }
 
-location ^~ /interface_config.js {
+location = /interface_config.js {
     alias /config/interface_config.js;
 }
 
-location ^~ /external_api.js {
+location = /external_api.js {
     alias /usr/share/jitsi-meet/libs/external_api.min.js;
 }
 
-location / {
+# ensure all static content can always be found first
-    ssi on;
+location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
+{
+    add_header 'Access-Control-Allow-Origin' '*';
+    alias /usr/share/jitsi-meet/$1/$2;
+}
+
+# colibri (JVB) websockets
+location ~ ^/colibri-ws/([a-zA-Z0-9-\.]+)/(.*) {
+    proxy_pass http://$1:9090/colibri-ws/$1/$2$is_args$args;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+    tcp_nodelay on;
 }
 
 # BOSH
-location ^~ /http-bind {
+location = /http-bind {
-    proxy_pass http://localhost:5280/http-bind;
+    proxy_pass {{ .Env.XMPP_BOSH_URL_BASE }}/http-bind;
     proxy_set_header X-Forwarded-For $remote_addr;
-    proxy_set_header Host localhost;
+    proxy_set_header Host {{ .Env.XMPP_DOMAIN }};
 }
 
+{{ if $ENABLE_XMPP_WEBSOCKET }}
+# xmpp websockets
+location = /xmpp-websocket {
+    proxy_pass {{ .Env.XMPP_BOSH_URL_BASE }}/xmpp-websocket;
+    proxy_http_version 1.1;
+
+    proxy_set_header Connection "upgrade";
+    proxy_set_header Upgrade $http_upgrade;
+
+    proxy_set_header Host {{ .Env.XMPP_DOMAIN }};
+    proxy_set_header X-Forwarded-For $remote_addr;
+    tcp_nodelay on;
+}
+{{ end }}
+
+location ~ ^/([^/?&:'"]+)$ {
+    try_files $uri @root_path;
+}
+
+location @root_path {
+    rewrite ^/(.*)$ / break;
+}
+
+{{ if .Env.ETHERPAD_URL_BASE }}
 # Etherpad-lite
-location ^~ /etherpad/ {
+location /etherpad/ {
     proxy_http_version 1.1;
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection 'upgrade';
-    proxy_set_header Host 'etherpad.opendev.org';
+    # Commented out as we want the default behavior of using
+    # $proxy_host as the Host header value
+    #proxy_set_header Host $host;
     proxy_cache_bypass $http_upgrade;
-    proxy_pass_header Server;
 
-    proxy_pass https://etherpad.opendev.org/;
+    proxy_pass {{ .Env.ETHERPAD_URL_BASE }}/;
     proxy_set_header X-Forwarded-For $remote_addr;
-    proxy_set_header X-Forwarded-Proto $scheme;
-    proxy_ssl_server_name on;
     proxy_buffering off;
+    # Commented out as we want the default behavior of using
+    # $proxy_host as the Host header value
+    #proxy_set_header Host {{ .Env.XMPP_DOMAIN }};
 }
+{{ end }}

playbooks/roles/jitsi-meet/tasks/main.yaml

@@ -24,6 +24,13 @@
     - web
     - web/nginx
     - web/nginx/site-confs
+    - defaults
+    - defaults/web
+    - defaults/web/nginx
+
+# TODO files managed here seem to be completely ignored by the containers
+# we should clean them up. And if necessary replace them with templates
+# below like meet.conf.
 - name: Write web config
   copy:
     src: config.js
@@ -36,10 +43,16 @@
   copy:
     src: default.conf
     dest: /var/jitsi-meet/web/nginx/site-confs/default
-- name: Write nginx meet config
+# END TODO
+
+# These files are interpreted by the container at startup and are templated
+# using the frep tool. Ideally we'll keep the content in templates to a
+# minumum and rely on upstream as much as possible.
+- name: Write nginx meet config template
   copy:
     src: meet.conf
-    dest: /var/jitsi-meet/web/nginx/meet.conf
+    dest: /var/jitsi-meet/defaults/web/nginx/meet.conf
+
 - name: Run docker-compose pull
   shell:
     cmd: docker-compose pull

playbooks/roles/jitsi-meet/templates/jvb-env.j2

@@ -6,6 +6,9 @@
 # Directory where all configuration will be stored.
 CONFIG=/var/jitsi-meet
 
+# Directory where templates to generate configs are stored.
+DEFAULTS=/var/jitsi-meet/defaults
+
 # System time zone.
 TZ=Etc/UTC
 

playbooks/roles/jitsi-meet/templates/meet-env.j2

@@ -6,6 +6,9 @@
 # Directory where all configuration will be stored.
 CONFIG=/var/jitsi-meet
 
+# Directory where templates to generate configs are stored.
+DEFAULTS=/var/jitsi-meet/defaults
+
 # System time zone.
 TZ=Etc/UTC