
web: don't proxy HTTP traffic to WS endpoints

A 405 is returned if there is no upgrade request.
Saúl Ibarra Corretgé 2 лет назад
Родитель
Сommit
0cbfbfd6cb
2 измененных файлов с 27 добавлено и 24 удалено
  1. 19 17
      web/rootfs/defaults/meet.conf
  2. 8 7
      web/rootfs/defaults/nginx.conf

+ 19 - 17
web/rootfs/defaults/meet.conf

@@ -41,8 +41,7 @@ location = /external_api.js {
 }
 
 # ensure all static content can always be found first
-location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
-{
+location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$ {
     add_header 'Access-Control-Allow-Origin' '*';
     alias /usr/share/jitsi-meet/$1/$2;
 
@@ -55,47 +54,51 @@ location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.
 {{ if $ENABLE_COLIBRI_WEBSOCKET }}
 # colibri (JVB) websockets
 location ~ ^/colibri-ws/([a-zA-Z0-9-\.]+)/(.*) {
-    proxy_pass http://$1:9090/colibri-ws/$1/$2$is_args$args;
+    tcp_nodelay on;
+
     proxy_http_version 1.1;
     proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Connection "upgrade";
-    tcp_nodelay on;
+    proxy_set_header Connection $connection_upgrade;
+
+    proxy_pass http://$1:9090/colibri-ws/$1/$2$is_args$args;
 }
 {{ end }}
 
 # BOSH
 location = /http-bind {
-    proxy_pass {{ $XMPP_BOSH_URL_BASE }}/http-bind;
     proxy_set_header X-Forwarded-For $remote_addr;
     proxy_set_header Host {{ $XMPP_DOMAIN }};
+
+    proxy_pass {{ $XMPP_BOSH_URL_BASE }}/http-bind;
 }
 
 {{ if $ENABLE_XMPP_WEBSOCKET }}
 # xmpp websockets
 location = /xmpp-websocket {
-    proxy_pass {{ $XMPP_BOSH_URL_BASE }}/xmpp-websocket;
-    proxy_http_version 1.1;
+    tcp_nodelay on;
 
-    proxy_set_header Connection "upgrade";
+    proxy_http_version 1.1;
+    proxy_set_header Connection $connection_upgrade;
     proxy_set_header Upgrade $http_upgrade;
-
     proxy_set_header Host {{ $XMPP_DOMAIN }};
     proxy_set_header X-Forwarded-For $remote_addr;
-    tcp_nodelay on;
+
+    proxy_pass {{ $XMPP_BOSH_URL_BASE }}/xmpp-websocket;
 }
 {{ end }}
 
 {{ if .Env.ETHERPAD_URL_BASE }}
 # Etherpad-lite
 location ^~ /etherpad/ {
+    proxy_buffering off;
+    proxy_cache_bypass $http_upgrade;
+
     proxy_http_version 1.1;
     proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Connection 'upgrade';
-    proxy_cache_bypass $http_upgrade;
+    proxy_set_header Connection "upgrade";
+    proxy_set_header X-Forwarded-For $remote_addr;
 
     proxy_pass {{ .Env.ETHERPAD_URL_BASE }}/;
-    proxy_set_header X-Forwarded-For $remote_addr;
-    proxy_buffering off;
 }
 {{ end }}
 
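Review bot: In the `/colibri-ws/` and `/xmpp-websocket` locations a request without an `Upgrade` header is still passed to the upstream. The new `$connection_upgrade` value only changes the forwarded `Connection` header to `close`, so the 405 in the commit message presumably comes from the backend rather than from nginx. Because the colibri upstream host is taken from `$1` in the request path, it would be safer to refuse such requests at the proxy, e.g. `if ($http_upgrade = '') { return 405; }` at the top of both locations. The Etherpad location still sends a fixed `Connection "upgrade"` on every request; `proxy_set_header Connection $connection_upgrade;` would make it consistent with the other two.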
@@ -108,8 +111,7 @@ location @root_path {
 }
 
 {{ if $ENABLE_SUBDOMAINS }}
-    location ~ ^/([^/?&:'"]+)/config.js$
-    {
+    location ~ ^/([^/?&:'"]+)/config.js$ {
         set $subdomain "$1.";
         set $subdir "$1/";
 

+ 8 - 7
web/rootfs/defaults/nginx.conf

@@ -51,17 +51,18 @@ http {
 	gzip_vary on;
 	gzip_min_length 860;
 
-	# gzip_vary on;
-	# gzip_proxied any;
-	# gzip_comp_level 6;
-	# gzip_buffers 16 8k;
-	# gzip_http_version 1.1;
-	# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+	##
+	# Connection header for WebSocket reverse proxy
+	##
+	map $http_upgrade $connection_upgrade {
+		default upgrade;
+		''      close;
+	}
 
 	##
 	# Virtual Host Configs
 	##
-        include /config/nginx/site-confs/*;
+	include /config/nginx/site-confs/*;
 }
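Review bot: The `map` treats every non-empty `Upgrade` value as an upgrade request, and the WebSocket locations in meet.conf forward `$http_upgrade` unchanged, so protocol tokens other than `websocket` also reach the backends with `Connection: upgrade`. Limiting the map to the one protocol these endpoints serve avoids that: `default close;` plus `websocket upgrade;` (string matches in `map` are case-insensitive). A short comment on the `''` entry saying that plain HTTP requests get `Connection: close` would also help the next reader. The enclosing `http {` block starts outside this hunk.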