# This file is part of Ghostream # Copyright (C) 2020 by Crans # SPDX-License-Identifier: GPL-2.0-or-later # Automatic Connection header for WebSocket support # See http://nginx.org/en/docs/http/websocket.html map $http_upgrade $connection_upgrade { default upgrade; '' close; } # Redirect HTTP to HTTPS server { listen 80; listen [::]:80; server_name stream.crans.org; location / { return 301 https://$host$request_uri; } } # HTTPS server server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name stream.crans.org; # SSL configuration based on https://ssl-config.mozilla.org/ ssl_certificate /etc/letsencrypt/live/stream.crans.org/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/stream.crans.org/privkey.pem; ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; ssl_session_tickets off; # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/letsencrypt/dhparam ssl_dhparam /etc/letsencrypt/dhparam; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; # HSTS (ngx_http_headers_module is required) (63072000 seconds) add_header Strict-Transport-Security "max-age=63072000" always; # Log into separate log files access_log /var/log/nginx/ghostream.log; error_log /var/log/nginx/ghostream_error.log; # Pass HTTP to Flask web server location / { proxy_pass http://127.0.0.1:8080; proxy_redirect off; } # Pass WebSocket to OvenMediaEngine for WebRTC signalling location /app/ { proxy_pass http://127.0.0.1:3333; proxy_redirect off; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; } }