Nextcloud/Talk: add Janus config & fix WebSocket proxying

Nginx: define 'map $http_upgrade $connection_upgrade' once in http{} and reuse; drop duplicate map from ws_generic vhost; tidy ws location headers/spacing. Nextcloud: add WS location for standalone signaling; render & mount Janus config (NAT 1:1, ICE enforce/ignore lists, libnice hardening); extend CSP (connect-src/frame-src for cloud & collabora, worker-src blob:); disable keeporsweep app; replace nginx reload handler with compose up; add NEXTCLOUD_HOST_JANUS_CONF_PATH and related vars. Context: https://chatgpt.com/share/68db9f41-16ec-800f-9cdf-7530862f89aa
2025-10-09 18:28:10 +02:00 · 2025-09-30 11:14:15 +02:00
parent 2439beb95a
commit 26a1992d84
3 changed files with 16 additions and 12 deletions
--- a/roles/sys-svc-proxy/templates/location/ws.conf.j2
+++ b/roles/sys-svc-proxy/templates/location/ws.conf.j2
@@ -1,14 +1,14 @@
 location {{ location_ws }} {
-  proxy_set_header Host              $host;
-  proxy_set_header X-Real-IP         $remote_addr;
-  proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
-  proxy_set_header X-Forwarded-Proto $scheme;
-  proxy_pass                         http://127.0.0.1:{{ ws_port }};
+  proxy_set_header      Host              $host;
+  proxy_set_header      X-Real-IP         $remote_addr;
+  proxy_set_header      X-Forwarded-For   $proxy_add_x_forwarded_for;
+  proxy_set_header      X-Forwarded-Proto $scheme;
+  proxy_pass            http://127.0.0.1:{{ ws_port }};
  
  # Proxy buffering needs to be disabled for websockets. 
  proxy_buffering      off;
  proxy_http_version   1.1;
-  proxy_set_header     Upgrade        $http_upgrade;
-  proxy_set_header     Connection     $connection_upgrade;
+  proxy_set_header     Upgrade            $http_upgrade;
+  proxy_set_header     Connection         $connection_upgrade;
  tcp_nodelay          on;
 }
--- a/roles/sys-svc-proxy/templates/vhost/ws_generic.conf.j2
+++ b/roles/sys-svc-proxy/templates/vhost/ws_generic.conf.j2
@@ -1,8 +1,3 @@
-map $http_upgrade $connection_upgrade {
-  default upgrade;
-  ''      close;
-}
-
 server {
  server_name {{ domain }};

--- a/roles/sys-svc-webserver-core/templates/nginx.conf.j2
+++ b/roles/sys-svc-webserver-core/templates/nginx.conf.j2
@@ -7,6 +7,15 @@ events

 http
 {
+  {#
+    Map the client's Upgrade header to the proper Connection value for WebSocket proxying:
+    use "upgrade" when an Upgrade is requested, otherwise "close". Define once in http{} and use $connection_upgrade.
+  #}
+  map $http_upgrade $connection_upgrade {
+    default upgrade;
+    ''      close;
+  }
+
  include mime.types;

  {# default_type  application/octet-stream; If html filter does not work, this one needs to be used#}