Jitsi behind a reverse proxy

Reverse proxy

$ apt install nginx-full

Once the installation has finished, we verify that the service is running.

$ systemctl status nginx

Output

● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2021-09-17 04:23:45 UTC; 4min 23s ago
Docs: man:nginx(8)
Main PID: 3942 (nginx)
Tasks: 3 (limit: 4719)
Memory: 6.1M
CGroup: /system.slice/nginx.service
├─3942 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
├─3943 nginx: worker process
└─3944 nginx: worker process

As you can see above, the service appears to have started successfully. However, the best way to test this is to actually request a page from Nginx.

To verify that the software is running correctly, we browse to our server's IP address:

http://127.0.0.1

You should see the Nginx welcome page.

We are going to remove the default configuration

$ rm /etc/nginx/sites-available/default

$ rm /etc/nginx/sites-enabled/default

And now we will create a new one

$ nano /etc/nginx/sites-available/jitsi.dominio.edu.ar.conf

Where we will add the parameters needed for our Jitsi

types {
    application/wasm wasm;
}

server {
    listen 80;
    server_name jitsi.dominio.edu.ar;
    server_tokens off;
    # Don't show the nginx version number

    include /etc/nginx/snippets/location-letsencrypt.conf;

    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;

    server_name jitsi.dominio.edu.ar;
    server_tokens off;
    # Don't show the nginx version number

    include /etc/nginx/snippets/location-letsencrypt.conf;

    ssl_certificate /etc/letsencrypt/live/jitsi.dominio.edu.ar/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/jitsi.dominio.edu.ar/privkey.pem;

    # Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m; # about 40000 sessions
    # Defining option to share SSL Connection with Passed Proxy
    ssl_session_tickets off;

    add_header Strict-Transport-Security "max-age=63072000" always;
    set $prefix "";

    ssl_dhparam /etc/ssl/dhparams.pem;
    ssl_ecdh_curve secp384r1;

    location / {
        ssi on;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;

        proxy_pass http://RANGO.IP.PRIVADO.120/;

        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location ~ ^/(?!(http-bind|external_api\.|xmpp-websocket))([a-zA-Z0-9=_äÄöÖüÜß\?\-]+)$ {
        rewrite ^/(.*)$ / break;
    }
    # BOSH
    location /http-bind {
        proxy_pass http://RANGO.IP.PRIVADO.120:5280/http-bind;
        # IP of the Jitsi server
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
        tcp_nodelay on;
    }
    # xmpp websockets
    location /xmpp-websocket {
        proxy_pass http://RANGO.IP.PRIVADO.120:5280/xmpp-websocket;
        # IP of the Jitsi server
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        tcp_nodelay on;
    }

    access_log /var/log/nginx/jitsi.dominio.edu.ar/access.log;
    error_log /var/log/nginx/jitsi.dominio.edu.ar/error.log;

}

We enable this configuration on our server

$ ln -s /etc/nginx/sites-available/jitsi.dominio.edu.ar.conf /etc/nginx/sites-enabled/jitsi.dominio.edu.ar.conf

To avoid a possible memory problem that can arise from adding additional server names to our configuration, a single value in the /etc/nginx/nginx.conf file needs to be adjusted. Open the file:

$ nano /etc/nginx/nginx.conf

Find the server_names_hash_bucket_size directive and uncomment the line.

We save the changes and restart nginx

$ systemctl restart nginx
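
The site file above refers to a Let's Encrypt snippet, certificate files, a DH parameter file and a log directory that this guide does not create, and nginx refuses to start if any of them is absent. The shell function below is an added example, not part of the original guide, that lists the missing ones; the names missing_paths and demo and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# Prints each file or log directory that an nginx site file references but
# that does not exist; returns 1 if anything is missing. nginx creates log
# files itself but not their parent directory, so that directory is checked.
missing_paths() {
    out=$(awk '
        { sub(/#.*/, ""); gsub(/;/, "") }   # strip comments and semicolons
        $1 ~ /^(include|ssl_certificate|ssl_certificate_key|ssl_dhparam)$/ {
            print "file", $2
        }
        $1 ~ /^(access_log|error_log)$/ {
            dir = $2; sub(/\/[^\/]*$/, "", dir); print "logdir", dir
        }' "$1" | sort -u | while read -r kind path; do
            case $path in
                (*\**) continue ;;           # include glob: may match nothing
                (/*) ;;                      # absolute path: check it
                (*) continue ;;              # e.g. access_log off
            esac
            if [ "$kind" = logdir ]; then
                [ -d "$path" ] || echo "missing log directory: $path"
            else
                [ -e "$path" ] || echo "missing file: $path"
            fi
        done)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample: a cut-down copy of the site file under a temporary
# prefix where only the certificate exists, so three items are reported.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/live" && : > "$t/live/fullchain.pem"
    cat > "$t/site.conf" <<EOF
server {
    include $t/snippets/location-letsencrypt.conf;
    ssl_certificate $t/live/fullchain.pem;
    ssl_dhparam $t/dhparams.pem;  # trailing comment is ignored
    access_log $t/log/jitsi/access.log;
    error_log $t/log/jitsi/error.log;
}
EOF
    rc=0; missing_paths "$t/site.conf" || rc=$?
    rm -rf "$t"
    return $rc
}
```

On the proxy, run missing_paths /etc/nginx/sites-available/jitsi.dominio.edu.ar.conf && nginx -t before systemctl restart nginx, so that a missing file or a syntax error is caught while the running instance is still serving.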