david_bai
7950aec063
nginx(website on server) listens on port 4443 and then forwards to the frontend and backend. nginx main configuration adds a stream block to uniformly listen on port 443, then forwards based on domain to coturn(5349) and website(4443). The TURN port used in WebRTC is changed to 443. The deployment document adds a script action to delete extra configurations generated by certbot.
121 lines
2.6 KiB
Nginx Configuration File
121 lines
2.6 KiB
Nginx Configuration File
# The user that nginx runs as, needs file directory access permissions
|
|
user root;
|
|
# The number of worker processes, usually set to be equal to the number of CPUs
|
|
# worker_processes 1;
|
|
worker_processes auto;
|
|
pid /run/nginx.pid;
|
|
#include /etc/nginx/modules-enabled/*.conf;
|
|
|
|
events {
|
|
worker_connections 768;
|
|
# multi_accept on;
|
|
}
|
|
|
|
stream {
|
|
# Define backend services
|
|
upstream turns_backend {
|
|
# Coturn's TURNS service, listening on local port 5349
|
|
server 127.0.0.1:5349;
|
|
}
|
|
upstream website_backend {
|
|
# Your website is now listening on the internal HTTPS port
|
|
server 127.0.0.1:4443;
|
|
}
|
|
|
|
# Use SNI hostname to determine traffic destination
|
|
map $ssl_preread_server_name $backend {
|
|
turn.privydrop.app turns_backend; # If accessing the turn subdomain, hand it over to Coturn
|
|
default website_backend; # All other domains are handed over to the website
|
|
}
|
|
|
|
# Listening for all TCP traffic on port 443
|
|
server {
|
|
listen 443;
|
|
listen [::]:443;
|
|
|
|
# Enable SSL pre-read feature to obtain SNI hostname
|
|
ssl_preread on;
|
|
|
|
# Proxy traffic to the corresponding backend based on map results
|
|
proxy_pass $backend;
|
|
proxy_timeout 1d; # Suggest setting a longer timeout for TURN
|
|
proxy_connect_timeout 5s;
|
|
}
|
|
}
|
|
|
|
http {
|
|
|
|
##
|
|
# Basic Settings
|
|
##
|
|
|
|
sendfile on;
|
|
tcp_nopush on;
|
|
tcp_nodelay on;
|
|
keepalive_timeout 65;
|
|
types_hash_max_size 2048;
|
|
# server_tokens off;
|
|
|
|
# server_names_hash_bucket_size 64;
|
|
# server_name_in_redirect off;
|
|
|
|
include /etc/nginx/mime.types;
|
|
default_type application/octet-stream;
|
|
|
|
##
|
|
# SSL Settings
|
|
##
|
|
|
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
##
|
|
# Logging Settings
|
|
##
|
|
|
|
access_log /var/log/nginx/access.log;
|
|
error_log /var/log/nginx/error.log;
|
|
|
|
##
|
|
# Gzip Settings
|
|
##
|
|
|
|
gzip on;
|
|
|
|
# gzip_vary on;
|
|
# gzip_proxied any;
|
|
# gzip_comp_level 6;
|
|
# gzip_buffers 16 8k;
|
|
# gzip_http_version 1.1;
|
|
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
|
|
|
|
##
|
|
# Virtual Host Configs
|
|
##
|
|
|
|
include /etc/nginx/conf.d/*.conf;
|
|
include /etc/nginx/sites-enabled/*;
|
|
}
|
|
|
|
|
|
#mail {
|
|
# # See sample authentication script at:
|
|
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
|
|
#
|
|
# # auth_http localhost/auth.php;
|
|
# # pop3_capabilities "TOP" "USER";
|
|
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
|
|
#
|
|
# server {
|
|
# listen localhost:110;
|
|
# protocol pop3;
|
|
# proxy on;
|
|
# }
|
|
#
|
|
# server {
|
|
# listen localhost:143;
|
|
# protocol imap;
|
|
# proxy on;
|
|
# }
|
|
#}
|