mirror of
https://github.com/kevinveenbirkenbach/computer-playbook.git
synced 2025-10-10 02:38:10 +02:00
Kevin Veen-Birkenbach
26a1992d84
Nginx: define 'map $http_upgrade $connection_upgrade' once in http{} and reuse; drop duplicate map from ws_generic vhost; tidy ws location headers/spacing. Nextcloud: add WS location for standalone signaling; render & mount Janus config (NAT 1:1, ICE enforce/ignore lists, libnice hardening); extend CSP (connect-src/frame-src for cloud & collabora, worker-src blob:); disable keeporsweep app; replace nginx reload handler with compose up; add NEXTCLOUD_HOST_JANUS_CONF_PATH and related vars.
Context: https://chatgpt.com/share/68db9f41-16ec-800f-9cdf-7530862f89aa
78 lines
3.2 KiB
Django/Jinja
78 lines
3.2 KiB
Django/Jinja
worker_processes {{ WEBSERVER_WORKER_PROCESSES }};
|
|
|
|
events
|
|
{
|
|
worker_connections {{ WEBSERVER_WORKER_CONNECTIONS }};
|
|
}
|
|
|
|
http
|
|
{
|
|
{#
|
|
Map the client's Upgrade header to the proper Connection value for WebSocket proxying:
|
|
use "upgrade" when an Upgrade is requested, otherwise "close". Define once in http{} and use $connection_upgrade.
|
|
#}
|
|
map $http_upgrade $connection_upgrade {
|
|
default upgrade;
|
|
'' close;
|
|
}
|
|
|
|
include mime.types;
|
|
|
|
{# default_type application/octet-stream; If html filter does not work, this one needs to be used#}
|
|
|
|
default_type text/html;
|
|
|
|
{# Ensure caches (browsers, proxies, CDNs) treat responses as dependent on the Origin header
|
|
to prevent cross-domain cache poisoning issues.
|
|
Discussion: https://chat.openai.com/share/2671b961-c1b0-472d-bae2-2804d0455e8a #}
|
|
add_header 'Vary' 'Origin' always;
|
|
|
|
{# caching #}
|
|
proxy_cache_path {{ NGINX.DIRECTORIES.CACHE.GENERAL }} levels=1:2 keys_zone=cache:20m max_size=20g inactive=14d use_temp_path=off;
|
|
proxy_cache_path {{ NGINX.DIRECTORIES.CACHE.IMAGE }} levels=1:2 keys_zone=imgcache:10m inactive=60m use_temp_path=off;
|
|
|
|
# --------------------------------------------------------------------------------
|
|
# Tweak the hash table used to store your server_name entries:
|
|
server_names_hash_bucket_size 64; # size of each bucket for server_name lookups (in bytes)
|
|
server_names_hash_max_size 512; # maximum total buckets for the server_name hash table
|
|
# --------------------------------------------------------------------------------
|
|
|
|
{# logging and debugging #}
|
|
{% if MODE_DEBUG | bool %}
|
|
{# individual log format for better debugging #}
|
|
log_format debug '$host - $remote_addr [$time_local] '
|
|
'"$request" $status $body_bytes_sent '
|
|
'"Referer: $http_referer" '
|
|
'"User-Agent: $http_user_agent" '
|
|
'"ReqTime: $request_time" "UpstreamTime: $upstream_response_time" '
|
|
'"ReqLength: $request_length" "BytesSent: $bytes_sent" '
|
|
'"ConnRequests: $connection_requests" '
|
|
'"X-Forwarded-For: $http_x_forwarded_for" '
|
|
'"Scheme: $scheme" "Protocol: $server_protocol" "ServerName: $server_name"';
|
|
access_log /dev/stdout debug;
|
|
{% endif %}
|
|
error_log /dev/stderr info;
|
|
|
|
sendfile on;
|
|
keepalive_timeout 65;
|
|
|
|
{# gzip #}
|
|
gzip on;
|
|
gzip_proxied any;
|
|
gzip_vary on;
|
|
gzip_disable "MSIE [1-6]\.(?!.*SV1)"; # Disable for Internetexplorer 6
|
|
gzip_comp_level 4;
|
|
gzip_min_length 256;
|
|
gzip_types application/atom+xml application/javascript application/xml+rss application/x-javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy text/javascript text/xml;
|
|
|
|
types_hash_max_size 4096;
|
|
{% for dir in NGINX.DIRECTORIES.HTTP.values() %}
|
|
include {{ dir }}*.conf;
|
|
{% endfor %}
|
|
}
|
|
|
|
# For port proxies
|
|
stream{
|
|
include {{ NGINX.DIRECTORIES.STREAMS }}*.conf;
|
|
}
|