# nginx reverse proxy for the AVC phone agent. # Terminates TLS for voip.activeblue.net and proxies to the app on 127.0.0.1:8200, # forwarding the /ws WebSocket (Twilio Media Stream) with long timeouts. # # Install: # sudo cp deploy/nginx-voip.activeblue.net.conf /etc/nginx/sites-available/voip.activeblue.net # sudo cp deploy/nginx-ws-upgrade.conf /etc/nginx/conf.d/ws-upgrade.conf # sudo ln -s /etc/nginx/sites-available/voip.activeblue.net /etc/nginx/sites-enabled/ # sudo nginx -t && sudo systemctl reload nginx # (Get the cert FIRST — see README — or the 443 block fails to load.) # ── HTTP :80 — ACME challenge + redirect everything else to HTTPS ───────────── server { listen 80; listen [::]:80; server_name voip.activeblue.net; # Let's Encrypt HTTP-01 webroot challenge (served, not redirected). location /.well-known/acme-challenge/ { root /var/www/html; } location / { return 301 https://$host$request_uri; } } # ── HTTPS :443 — TLS termination + proxy to the app ────────────────────────── server { listen 443 ssl; listen [::]:443 ssl; http2 on; server_name voip.activeblue.net; ssl_certificate /etc/letsencrypt/live/voip.activeblue.net/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/voip.activeblue.net/privkey.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; # Twilio Media Streams hold the WebSocket open for the whole call — allow it. proxy_read_timeout 3600s; proxy_send_timeout 3600s; location / { proxy_pass http://127.0.0.1:8200; proxy_http_version 1.1; # WebSocket upgrade (for /ws). $connection_upgrade comes from ws-upgrade.conf. proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } }