From 2ac695f628d1a509c2ae2daf97b5beccd0f71738 Mon Sep 17 00:00:00 2001
From: Clark Boylan
Date: Wed, 17 Mar 2021 13:03:09 -0700
Subject: [PATCH] Manage jitsi-meet meet.conf as a template input for the container

The jitsi meet containers want to generate configuration from the templates found in /defaults on the container to config files in the bind mounted /config (/var/jitsi-meet/ on the host side). This means that the configs ansible is writing to /var/jitsi-meet are complete ignored and overwritten by the container using its templating system and env vars. This is causing us problems because we would like to use a different etherpad prxoy config in nginx to ensure the Host header is set properly. To make this happen we bind mount in our own template file so that the container can template what we want rather than what is found in the image.

Change-Id: Ifdde66a01bb7e632fc19ca0a512216584f1ea9f0
---
 .../meet-docker-compose.yaml | 1 +
 playbooks/roles/jitsi-meet/files/meet.conf | 82 +++++++++++++++----
 playbooks/roles/jitsi-meet/tasks/main.yaml | 17 +++-
 .../roles/jitsi-meet/templates/jvb-env.j2 | 3 +
 .../roles/jitsi-meet/templates/meet-env.j2 | 3 +
 5 files changed, 86 insertions(+), 20 deletions(-)

diff --git a/playbooks/roles/jitsi-meet/files/jitsi-meet-docker/meet-docker-compose.yaml b/playbooks/roles/jitsi-meet/files/jitsi-meet-docker/meet-docker-compose.yaml
index 0273fdd098..7f8caeef9b 100644
--- a/playbooks/roles/jitsi-meet/files/jitsi-meet-docker/meet-docker-compose.yaml
+++ b/playbooks/roles/jitsi-meet/files/jitsi-meet-docker/meet-docker-compose.yaml
@@ -12,6 +12,7 @@ services:
 - ${CONFIG}/web:/config
 - ${CONFIG}/web/letsencrypt:/etc/letsencrypt
 - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts
+ - ${DEFAULTS}/web/nginx/meet.conf:/defaults/meet.conf
 environment:
 - ENABLE_AUTH
 - ENABLE_GUESTS
diff --git a/playbooks/roles/jitsi-meet/files/meet.conf b/playbooks/roles/jitsi-meet/files/meet.conf
index f9a82d33c2..de9fc5f7dd 100644
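Review bot: The new bind mount `${DEFAULTS}/web/nginx/meet.conf:/defaults/meet.conf` is writable from inside the web container although it is only a template input that Ansible manages on the host; marking it read-only keeps the container from altering the host-side copy and makes the intent explicit: `- ${DEFAULTS}/web/nginx/meet.conf:/defaults/meet.conf:ro`. A single-file bind mount also requires the host file to exist before the compose stack is brought up, otherwise Docker creates a directory on the host at that path and the container sees a directory instead of the template. The copy task in tasks/main.yaml appears to run before the compose steps, but the compose up/restart task itself is outside this diff, so that ordering is worth confirming.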
--- a/playbooks/roles/jitsi-meet/files/meet.conf
+++ b/playbooks/roles/jitsi-meet/files/meet.conf
@@ -1,50 +1,96 @@
+{{ $ENABLE_XMPP_WEBSOCKET := .Env.ENABLE_XMPP_WEBSOCKET | default "1" | toBool }}
+
 server_name _;
 client_max_body_size 0;
 root /usr/share/jitsi-meet;
-index index.html
+
+# ssi on with javascript for multidomain variables in config.js
+ssi on;
+ssi_types application/x-javascript application/javascript;
+
+index index.html index.htm;
 error_page 404 /static/404.html;
-location ~ ^/([a-zA-Z0-9=\?_-]+)$ {
- rewrite ^/(.*)$ / break;
-}
+# Security headers
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
-location ^~ /config.js {
+location = /config.js {
 alias /config/config.js;
 }
-location ^~ /interface_config.js {
+location = /interface_config.js {
 alias /config/interface_config.js;
 }
-location ^~ /external_api.js {
+location = /external_api.js {
 alias /usr/share/jitsi-meet/libs/external_api.min.js;
 }
-location / {
- ssi on;
+# ensure all static content can always be found first
+location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
+{
+ add_header 'Access-Control-Allow-Origin' '*';
+ alias /usr/share/jitsi-meet/$1/$2;
+}
+
+# colibri (JVB) websockets
+location ~ ^/colibri-ws/([a-zA-Z0-9-\.]+)/(.*) {
+ proxy_pass http://$1:9090/colibri-ws/$1/$2$is_args$args;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ tcp_nodelay on;
 }
 # BOSH
-location ^~ /http-bind {
- proxy_pass http://localhost:5280/http-bind;
+location = /http-bind {
+ proxy_pass {{ .Env.XMPP_BOSH_URL_BASE }}/http-bind;
 proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header Host localhost;
+ proxy_set_header Host {{ .Env.XMPP_DOMAIN }};
 }
+{{ if $ENABLE_XMPP_WEBSOCKET }}
+# xmpp websockets
+location = /xmpp-websocket {
+ proxy_pass {{ .Env.XMPP_BOSH_URL_BASE }}/xmpp-websocket;
+ proxy_http_version 1.1;
+
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Upgrade $http_upgrade;
+
+ proxy_set_header Host {{ .Env.XMPP_DOMAIN }};
+ proxy_set_header X-Forwarded-For $remote_addr;
+ tcp_nodelay on;
+}
+{{ end }}
+
+location ~ ^/([^/?&:'"]+)$ {
+ try_files $uri @root_path;
+}
+
+location @root_path {
+ rewrite ^/(.*)$ / break;
+}
+
+{{ if .Env.ETHERPAD_URL_BASE }}
 # Etherpad-lite
-location ^~ /etherpad/ {
+location /etherpad/ {
 proxy_http_version 1.1;
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection 'upgrade';
- proxy_set_header Host 'etherpad.opendev.org';
+ # Commented out as we want the default behavior of using
+ # $proxy_host as the Host header value
+ #proxy_set_header Host $host;
 proxy_cache_bypass $http_upgrade;
- proxy_pass_header Server;
- proxy_pass https://etherpad.opendev.org/;
+ proxy_pass {{ .Env.ETHERPAD_URL_BASE }}/;
 proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_ssl_server_name on;
 proxy_buffering off;
+ # Commented out as we want the default behavior of using
+ # $proxy_host as the Host header value
+ #proxy_set_header Host {{ .Env.XMPP_DOMAIN }};
 }
+{{ end }}
diff --git a/playbooks/roles/jitsi-meet/tasks/main.yaml b/playbooks/roles/jitsi-meet/tasks/main.yaml
index 975529e077..4cfa599570 100644
--- a/playbooks/roles/jitsi-meet/tasks/main.yaml
+++ b/playbooks/roles/jitsi-meet/tasks/main.yaml
@@ -24,6 +24,13 @@
 - web
 - web/nginx
 - web/nginx/site-confs
+ - defaults
+ - defaults/web
+ - defaults/web/nginx
+
+# TODO files managed here seem to be completely ignored by the containers
+# we should clean them up. And if necessary replace them with templates
+# below like meet.conf.
 - name: Write web config
 copy:
 src: config.js
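Review bot: The rewritten `location /etherpad/` block drops `proxy_ssl_server_name on;` and `proxy_set_header X-Forwarded-Proto $scheme;` from the old config without a replacement. If `ETHERPAD_URL_BASE` is an https URL (the removed line proxied to `https://etherpad.opendev.org/`), nginx will no longer send SNI to the upstream, which can fail the TLS handshake against SNI-dependent endpoints, and the upstream loses the original request scheme; consider keeping `proxy_ssl_server_name on;` and `proxy_set_header X-Forwarded-Proto $scheme;` inside the `{{ if .Env.ETHERPAD_URL_BASE }}` block. Note also that nginx does not verify the upstream certificate unless `proxy_ssl_verify on;` together with `proxy_ssl_trusted_certificate` is configured, so the proxied etherpad traffic is not authenticated end to end; that was already true before this change but is worth a comment next to `proxy_pass`. Separately, the same two-line "Commented out ..." comment plus disabled `proxy_set_header Host` line appears twice in the block (`$host` and `{{ .Env.XMPP_DOMAIN }}`); keeping one copy would make the intent clearer.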
@@ -36,10 +43,16 @@
 copy:
 src: default.conf
 dest: /var/jitsi-meet/web/nginx/site-confs/default
-- name: Write nginx meet config
+# END TODO
+
+# These files are interpreted by the container at startup and are templated
+# using the frep tool. Ideally we'll keep the content in templates to a
+# minumum and rely on upstream as much as possible.
+- name: Write nginx meet config template
 copy:
 src: meet.conf
- dest: /var/jitsi-meet/web/nginx/meet.conf
+ dest: /var/jitsi-meet/defaults/web/nginx/meet.conf
+
 - name: Run docker-compose pull
 shell:
 cmd: docker-compose pull
diff --git a/playbooks/roles/jitsi-meet/templates/jvb-env.j2 b/playbooks/roles/jitsi-meet/templates/jvb-env.j2
index aebecdeb1d..f0d5eac4c4 100644
--- a/playbooks/roles/jitsi-meet/templates/jvb-env.j2
+++ b/playbooks/roles/jitsi-meet/templates/jvb-env.j2
@@ -6,6 +6,9 @@
 # Directory where all configuration will be stored.
 CONFIG=/var/jitsi-meet
+# Directory where templates to generate configs are stored.
+DEFAULTS=/var/jitsi-meet/defaults
+
 # System time zone.
 TZ=Etc/UTC
diff --git a/playbooks/roles/jitsi-meet/templates/meet-env.j2 b/playbooks/roles/jitsi-meet/templates/meet-env.j2
index 4ccc6bfff5..6602cfee68 100644
--- a/playbooks/roles/jitsi-meet/templates/meet-env.j2
+++ b/playbooks/roles/jitsi-meet/templates/meet-env.j2
@@ -6,6 +6,9 @@
 # Directory where all configuration will be stored.
 CONFIG=/var/jitsi-meet
+# Directory where templates to generate configs are stored.
+DEFAULTS=/var/jitsi-meet/defaults
+
 # System time zone.
 TZ=Etc/UTC
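Review bot: The `Write nginx meet config template` copy task has no `notify` or `register`, so an updated template is not re-rendered until the web container is restarted, because (per the added comment) the file is only consumed at container startup. The following `docker-compose pull` task does not recreate a container whose image is unchanged, so a template-only change can sit unapplied until some unrelated restart; consider `register: meet_conf_template` (name constructed) on the copy task and a conditional restart of the web service when it reports changed, checked against the compose up/restart logic that lies outside this hunk. The added comment also has a typo, `minumum` should read `minimum`.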