gpt4 book ai didi

ssl - 让我们与 Jitsi Meet 一起为站点加密证书

转载 作者:行者123 更新时间:2023-12-04 22:35:00 28 4
gpt4 key购买 nike

我有一台运行 Ubuntu 18.04 和 Nginx 的服务器,并在其上托管了一个功能齐全的 Jitsi Meet 实例。
另一方面,我有 2 个其他站点(一个是响应前端,另一个是后端),我需要它们拥有 ssl 证书,因为我们从前端使用 Jitsi Meet api,而 chrome 不允许我们授予权限麦克风和摄像头,因为前端不安全。

所以我尝试安装 certbot 并获取 Let's Encrypt 证书,但是当我得到它并尝试重新启动 nginx 时,它失败了。

我认为这与使用端口 443 的 Jitsi 或其他什么有关,但我真的不知道......

这是 jitsi 域的 nginx conf:

server_names_hash_bucket_size 64;

server {
listen 80;
listen [::]:80;
server_name video.<base-domain>;

location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root <path-to-jitsi>;
}
location = /.well-known/acme-challenge/ {
return 404;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 4444 ssl http2;
listen [::]:4444 ssl http2;
server_name video.<base-domain>;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:E$

add_header Strict-Transport-Security "max-age=31536000";

ssl_certificate /etc/letsencrypt/live/video.<base-domain>/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/video.<base-domain>/privkey.pem;

root <path-to-jitsi>;

# ssi on with javascript for multidomain variables in config.js
ssi on;
ssi_types application/x-javascript application/javascript;

index index.html index.htm;
error_page 404 /static/404.html;

gzip on;
gzip_types text/plain text/css application/javascript application/json;
gzip_vary on;

location = /config.js {
alias /etc/jitsi/meet/video.<base-domain>-config.js;
}
#ensure all static content can always be found first
location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
{
add_header 'Access-Control-Allow-Origin' '*';
alias <path-to-jitsi>/$1/$2;
}

# BOSH
location = /http-bind {
proxy_pass http://localhost:5280/http-bind;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
}

# xmpp websockets
location = /xmpp-websocket {
proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=$prefix&$args;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
tcp_nodelay on;
}
location ~ ^/([^/?&:'"]+)$ {
try_files $uri @root_path;
}

location @root_path {
rewrite ^/(.*)$ / break;
}

location ~ ^/([^/?&:'"]+)/config.js$
{
set $subdomain "$1.";
set $subdir "$1/";

alias /etc/jitsi/meet/video.<base-domain>-config.js;
}

#Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
location ~ ^/([^/?&:'"]+)/(.*)$ {
set $subdomain "$1.";
set $subdir "$1/";
rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
}
# BOSH for subdomains
location ~ ^/([^/?&:'"]+)/http-bind {
set $subdomain "$1.";
set $subdir "$1/";
set $prefix "$1";

rewrite ^/(.*)$ /http-bind;
}

# websockets for subdomains
location ~ ^/([^/?&:'"]+)/xmpp-websocket {
set $subdomain "$1.";
set $subdir "$1/";
set $prefix "$1";

rewrite ^/(.*)$ /xmpp-websocket;
}
}

这是前端域的 nginx conf:
server{
server_name app.<base-domain> www.app.<base-domain>;
root <path-to-front>;
index index.html index.htm;

add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";

charset utf-8;

location / {
try_files $uri /index.html;
}


location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }

access_log off;
error_log /var/log/nginx/default-error.log error;

error_page 404 /index.php;

location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}

location ~ /\.(?!well-known).* {
deny all;
}



listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/app.<base-domain>/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/app.<base-domain>/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
if ($host = app.<base-domain>) {
return 301 https://$host$request_uri;
} # managed by Certbot


server_name app.<base-domain> www.app.<base-domain>;
listen 80;
return 404; # managed by Certbot
}

这是 nginx 错误日志:
2020/05/15 12:21:58 [emerg] 20330#20330: bind() to 0.0.0.0:443 failed (98: Address already in use)
2020/05/15 12:21:58 [emerg] 20330#20330: bind() to 0.0.0.0:443 failed (98: Address already in use)
2020/05/15 12:21:58 [emerg] 20330#20330: bind() to 0.0.0.0:443 failed (98: Address already in use)
2020/05/15 12:21:58 [emerg] 20330#20330: bind() to 0.0.0.0:443 failed (98: Address already in use)
2020/05/15 12:21:58 [emerg] 20330#20330: bind() to 0.0.0.0:443 failed (98: Address already in use)
2020/05/15 12:21:58 [emerg] 20330#20330: still could not bind()

我希望有人能告诉我应该如何配置它以确保 jitsi 和前端的安全。

我还要补充一点,这两个域实际上都是子域……意思是 jitsi 域是 video..com
前面是 app..com

真正的配置具有正确指定的基域和路径...如果我从前端 nginx 配置中删除所有 ssl 配置,一切都会再次运行。

最佳答案

  • 您应该使用 devops-guide-quickstart .有Generate a Let's Encrypt certificate部分。如果在安装 jitsi 之前你的系统上有 nginx,jitsi 将使用它的 nginx 配置运行。

  • 如果你需要自定义的 nginx 文件,这里是。但是出于安全考虑,您应该继续努力。

    ** 对于独立(无 Docker)删除
    “解析器 127.0.0.1 有效=5s ipv6=off;”
    然后将 127.0.0.1 的其余部分更改为 localhost

    Docker-jitsi-meet Custom Nginx Configuration


    server {
    resolver 127.0.0.1 valid=5s ipv6=off;
    listen 80;
    listen [::]:80;
    server_name jitsiConf.domain.com; # managed by Certbot
    location /.well-known/acme-challenge {
    root /var/www/letsencrypt;
    default_type "text/plain";
    try_files $uri =404;
    }
    location / {
    return 301 https://$host$request_uri;
    }
    #rewrite ^ https://$http_host$request_uri? permanent; # force redirect http to https

    }
    server {
    resolver 127.0.0.1 valid=5s ipv6=off;
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name jitsiConf.domain.com; # managed by Certbot

    ssl on;
    ssl_certificate /etc/letsencrypt/live/jitsiConf.domain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/jitsiConf.domain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    ssl_protocols TLSv1.2 TLSv1.3;

    ssl_session_cache shared:SSL:50m;

    proxy_cookie_path / "/; HTTPOnly; Secure";
    add_header Expect-CT "enforce, max-age=21600";
    add_header Feature-Policy "payment none";

    keepalive_timeout 70;
    sendfile on;
    client_max_body_size 0;

    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;


    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    # this tells the browser that jitsi can't be embedded in a Frame
    add_header X-Frame-Options "DENY";

    # List of Browser-Features which are allowed / denied for this Site
    add_header Feature-Policy "geolocation 'none'; camera 'self'; microphone 'self'; speaker 'self'; autoplay 'none'; battery 'none'; accelerometer 'none'; autoplay 'none'; payment 'none';";


    ssi on;
    ssi_types application/x-javascript application/javascript;



    # ensure all static content can always be found first
    #location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
    #{
    # add_header 'Access-Control-Allow-Origin' '*';
    #}

    #location ~ ^/(?!(http-bind|external_api\.|xmpp-websocket))([a-zA-Z0-9=_äÄöÖüÜß\?\-]+)$ {
    # rewrite ^/(.*)$ / break;
    #}

    location / {
    expires max;
    log_not_found off;
    proxy_cache_valid 200 120m;
    ssi on;
    set $upstream_endpoint http://127.0.0.1:8100;
    proxy_pass $upstream_endpoint;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header Host $host;
    }
    # BOSH
    location /http-bind {
    set $upstream_endpoint http://127.0.0.1:5280;
    proxy_pass $upstream_endpoint/http-bind;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header Host $host;
    }
    # xmpp websockets
    location /xmpp-websocket {
    set $upstream_endpoint http://127.0.0.1:5280;
    proxy_pass $upstream_endpoint;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    tcp_nodelay on;
    }
    }

    此外,此配置将卡在 CSP 错误上。仅用于测试开发,此代码将允许所有 CSP 风险。你可以在下面添加

    ssl_session_cache shared:SSL:50m;


    set $CSP_image  "img-src      'self' 'unsafe-inline' 'unsafe-eval' data: *.printfriendly.com *.w.org *.gravatar.com *.vimeocdn.com; ";
    set $CSP_script "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.w.org *.gravatar.com *.googleapis.com *.jsdelivr.net *.printfriendly.com *.kxcdn.com *.vimeocdn.com *.hs-analytics.net *.securitymetrics.com *.google-analytics.com; ";
    set $CSP_style "style-src 'self' 'unsafe-inline' *.googleapis.com *.bootstrapcdn.com *.gstatic.com *.vimeocdn.com; ";
    set $CSP_font "font-src 'self' data: *.googleapis.com *.bootstrapcdn.com *.gstatic.com *.googleapis.com; ";
    set $CSP_frame "frame-src 'self' *.vimeocdn.com *.vimeo.com; ";
    set $CSP_object "object-src 'self' ; ";
    set $CSP "default-src 'self' ; ${CSP_image} ${CSP_script} ${CSP_style} ${CSP_font} ${CSP_frame} ${CSP_object}";

    add_header Content-Security-Policy $CSP;

    CSPallow **抱歉找不到原帖*

    关于ssl - 让我们与 Jitsi Meet 一起为站点加密证书,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/61819224/

    28 4 0
    Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
    广告合作:1813099741@qq.com 6ren.com