From 0cbfbfd6cba53961761146bd644514f58a27c9f1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sa=C3=BAl=20Ibarra=20Corretg=C3=A9?=
Date: Tue, 14 Jun 2022 11:28:33 +0200
Subject: [PATCH] web: don't proxy HTTP traffic to WS endpoints

A 405 is returned if there is no upgrade request.
---
web/rootfs/defaults/meet.conf | 38 ++++++++++++++++++----------------
web/rootfs/defaults/nginx.conf | 15 +++++++-------
2 files changed, 28 insertions(+), 25 deletions(-)

diff --git a/web/rootfs/defaults/meet.conf b/web/rootfs/defaults/meet.conf
index 2d091d0..97f230e 100644
--- a/web/rootfs/defaults/meet.conf
+++ b/web/rootfs/defaults/meet.conf
@@ -41,8 +41,7 @@ location = /external_api.js {
 }
 # ensure all static content can always be found first
-location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
-{
+location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$ {
 add_header 'Access-Control-Allow-Origin' '*';
 alias /usr/share/jitsi-meet/$1/$2;
@@ -55,47 +54,51 @@ location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.
 {{ if $ENABLE_COLIBRI_WEBSOCKET }}
 # colibri (JVB) websockets
 location ~ ^/colibri-ws/([a-zA-Z0-9-\.]+)/(.*) {
- proxy_pass http://$1:9090/colibri-ws/$1/$2$is_args$args;
+ tcp_nodelay on;
+ proxy_http_version 1.1;
 proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- tcp_nodelay on;
+ proxy_set_header Connection $connection_upgrade;
+
+ proxy_pass http://$1:9090/colibri-ws/$1/$2$is_args$args;
 }
 {{ end }}
 # BOSH
 location = /http-bind {
- proxy_pass {{ $XMPP_BOSH_URL_BASE }}/http-bind;
 proxy_set_header X-Forwarded-For $remote_addr;
 proxy_set_header Host {{ $XMPP_DOMAIN }};
+
+ proxy_pass {{ $XMPP_BOSH_URL_BASE }}/http-bind;
 }
 {{ if $ENABLE_XMPP_WEBSOCKET }}
 # xmpp websockets
 location = /xmpp-websocket {
- proxy_pass {{ $XMPP_BOSH_URL_BASE }}/xmpp-websocket;
+ tcp_nodelay on;
+ proxy_http_version 1.1;
-
- proxy_set_header Connection "upgrade";
+ proxy_set_header Connection $connection_upgrade;
 proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Host {{ $XMPP_DOMAIN }};
 proxy_set_header X-Forwarded-For $remote_addr;
- tcp_nodelay on;
+
+ proxy_pass {{ $XMPP_BOSH_URL_BASE }}/xmpp-websocket;
 }
 {{ end }}
 {{ if .Env.ETHERPAD_URL_BASE }}
 # Etherpad-lite
 location ^~ /etherpad/ {
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection 'upgrade';
+ proxy_buffering off;
 proxy_cache_bypass $http_upgrade;
- proxy_pass {{ .Env.ETHERPAD_URL_BASE }}/;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
 proxy_set_header X-Forwarded-For $remote_addr;
- proxy_buffering off;
+
+ proxy_pass {{ .Env.ETHERPAD_URL_BASE }}/;
 }
 {{ end }}
@@ -108,8 +111,7 @@ location @root_path {
 }
 {{ if $ENABLE_SUBDOMAINS }}
- location ~ ^/([^/?&:'"]+)/config.js$
- {
+ location ~ ^/([^/?&:'"]+)/config.js$ {
 set $subdomain "$1.";
 set $subdir "$1/";
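Review bot: The xmpp-websocket location drops `proxy_set_header Host {{ $XMPP_DOMAIN }};` while the /http-bind location just above it keeps that line, so the websocket upstream now sees whatever host `$XMPP_BOSH_URL_BASE` resolves to as its Host header rather than the XMPP domain; if the upstream picks its virtual host from that header (as the BOSH block appears to assume), websocket and BOSH sessions may land on different hosts. If the removal is deliberate, a comment on the block explaining why the two paths differ would help; otherwise `proxy_set_header Host {{ $XMPP_DOMAIN }};` should be restored next to the X-Forwarded-For line. The Etherpad block still hard-codes `proxy_set_header Connection "upgrade";`, so every plain HTTP request to /etherpad/ carries Connection: upgrade with an empty Upgrade header, unlike the two blocks switched to `$connection_upgrade`; using the map there too would make the three blocks consistent with the commit's intent. Separately, the colibri-ws location keeps building the upstream address from the path capture `$1`, so the character class in the regex is the only restriction on which host nginx will connect to; that is pre-existing, but worth either a comment stating the assumption (JVB names only) or a tighter match in a follow-up.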
diff --git a/web/rootfs/defaults/nginx.conf b/web/rootfs/defaults/nginx.conf
index 1accccf..8260c2e 100644
--- a/web/rootfs/defaults/nginx.conf
+++ b/web/rootfs/defaults/nginx.conf
@@ -51,17 +51,18 @@ http {
 gzip_vary on;
 gzip_min_length 860;
- # gzip_vary on;
- # gzip_proxied any;
- # gzip_comp_level 6;
- # gzip_buffers 16 8k;
- # gzip_http_version 1.1;
- # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+ ##
+ # Connection header for WebSocket reverse proxy
+ ##
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
 ##
 # Virtual Host Configs
 ##
- include /config/nginx/site-confs/*;
+ include /config/nginx/site-confs/*;
 }
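Review bot: The new `map $http_upgrade $connection_upgrade` block is consumed only by the websocket locations in meet.conf, which this file pulls in through `include /config/nginx/site-confs/*;`, and nothing in the hunk records that cross-file dependency; nginx rejects a configuration that references an undefined variable, so anyone trimming or overriding nginx.conf will break the site config without an obvious pointer. A one-line addition to the banner, `# used by the websocket locations in meet.conf; an Upgrade-less request gets Connection: close and the upstream answers 405`, would carry the rationale from the commit message into the file where it is needed.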