From 26a1992d845eb73941a5becdd5b7265aea23ea6c Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Tue, 30 Sep 2025 11:14:15 +0200
Subject: [PATCH] Nextcloud/Talk: add Janus config & fix WebSocket proxying

Nginx: define 'map $http_upgrade $connection_upgrade' once in http{} and reuse; drop duplicate map from ws_generic vhost; tidy ws location headers/spacing.

Nextcloud: add WS location for standalone signaling; render & mount Janus config (NAT 1:1, ICE enforce/ignore lists, libnice hardening); extend CSP (connect-src/frame-src for cloud & collabora, worker-src blob:); disable keeporsweep app; replace nginx reload handler with compose up; add NEXTCLOUD_HOST_JANUS_CONF_PATH and related vars.

Context: https://chatgpt.com/share/68db9f41-16ec-800f-9cdf-7530862f89aa
---
 roles/sys-svc-proxy/templates/location/ws.conf.j2 | 14 +++++++-------
 .../templates/vhost/ws_generic.conf.j2 | 5 -----
 .../sys-svc-webserver-core/templates/nginx.conf.j2 | 9 +++++++++
 3 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/roles/sys-svc-proxy/templates/location/ws.conf.j2 b/roles/sys-svc-proxy/templates/location/ws.conf.j2
index 8bf24ddd..b7939f59 100644
--- a/roles/sys-svc-proxy/templates/location/ws.conf.j2
+++ b/roles/sys-svc-proxy/templates/location/ws.conf.j2
@@ -1,14 +1,14 @@
 location {{ location_ws }} {
-    proxy_set_header Host $host;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Proto $scheme;
-    proxy_pass http://127.0.0.1:{{ ws_port }};
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_pass http://127.0.0.1:{{ ws_port }};
     # Proxy buffering needs to be disabled for websockets.
     proxy_buffering off;
     proxy_http_version 1.1;
-    proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Connection $connection_upgrade;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
     tcp_nodelay on;
 }
\ No newline at end of file
diff --git a/roles/sys-svc-proxy/templates/vhost/ws_generic.conf.j2 b/roles/sys-svc-proxy/templates/vhost/ws_generic.conf.j2
index 51819b13..4fca3871 100644
--- a/roles/sys-svc-proxy/templates/vhost/ws_generic.conf.j2
+++ b/roles/sys-svc-proxy/templates/vhost/ws_generic.conf.j2
@@ -1,8 +1,3 @@
-map $http_upgrade $connection_upgrade {
-    default upgrade;
-    '' close;
-}
-
 server {
     server_name {{ domain }};
diff --git a/roles/sys-svc-webserver-core/templates/nginx.conf.j2 b/roles/sys-svc-webserver-core/templates/nginx.conf.j2
index 919d014b..6820eff6 100644
--- a/roles/sys-svc-webserver-core/templates/nginx.conf.j2
+++ b/roles/sys-svc-webserver-core/templates/nginx.conf.j2
@@ -7,6 +7,15 @@ events
 http {
+    {#
+      Map the client's Upgrade header to the proper Connection value for WebSocket proxying:
+      use "upgrade" when an Upgrade is requested, otherwise "close". Define once in http{} and use $connection_upgrade.
+    #}
+    map $http_upgrade $connection_upgrade {
+        default upgrade;
+        '' close;
+    }
+
     include mime.types;
     {# default_type application/octet-stream; If html filter does not work, this one needs to be used#}
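Review bot: The `map $http_upgrade $connection_upgrade` added to nginx.conf.j2 is now a hard prerequisite for every template that references `$connection_upgrade` (location/ws.conf.j2, and vhost/ws_generic.conf.j2 now that its own copy is removed), and nginx refuses to start with an "unknown variable" error if one of those vhosts is rendered into a tree that does not include this nginx.conf.j2; nothing in the hunk records that dependency. The added explanation is a Jinja `{# ... #}` comment, so it is stripped at render time and an operator reading the deployed nginx.conf sees an unexplained map; a plain nginx comment survives rendering, e.g. `# Shared by all WebSocket proxy locations (location/ws.conf.j2, vhost/ws_generic.conf.j2); must stay at http{} level.` The commit message also lists Nextcloud/Talk, Janus and CSP changes, but the diffstat shows only the three nginx templates, so the description appears to cover more than this patch contains. Separately, the ws.conf.j2 location (whitespace-only here) still relies on nginx's default `proxy_read_timeout`, which drops idle WebSocket sessions after 60 s; that seems worth a follow-up rather than leaving it implicit.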