tonkku107 · April 27, 2025 09:56
diff --git a/1_livekit_stream.conf b/1_livekit_stream.conf
 stream {
  server {
    listen 3479 ssl proxy_protocol;
    proxy_pass localhost:3478;
    include snippets/stream-ssl.conf; # A copy of the usual ssl/tls config with some unsupported stuff in streams removed
  }

  map $ssl_preread_server_name $targetBackend {
    # If the request is to turn, route to our ssl/tls handler for it above
    # If you have external_tls: false you may also directly point to the turn here
    turn.domain.tld localhost:3479;
    # If the request isn't to turn, route to the http listeners which had to be moved to a different port
    default        localhost:444;
  }

  server {
    listen 443;
    ssl_preread on;
    # Proxy protocol helps grab the IP of the connecting user in the http configs
    proxy_protocol on;
    proxy_pass $targetBackend;
  }
 }
diff --git a/2_example_http.conf b/2_example_http.conf
 # An example HTTP server block
 server {
  # You have to move ALL of your http listeners to a different port or the stream listener won't be able to bind
  listen 444 ssl http2 proxy_protocol;
  include snippets/tls.conf;
  
  server_name subdomain.domain.tld;
  
  upstream backend {
    # ip_hash won't work since it uses your server's IP due to the stream proxy
    # Use the IP from proxy protocol instead
    hash $proxy_protocol_addr;
    server localhost:8080;
    server localhost:8081;
  }

  location / {
    proxy_pass http://backend;
    # Use the IP from proxy protocol instead of $proxy_add_x_forwarded_for or $remote_addr
    # since those will contain your server's IP instead due to the stream proxy
    proxy_set_header X-Real-IP $proxy_protocol_addr;
    proxy_set_header X-Forwarded-For $proxy_protocol_addr;
    # If there are redirects you might notice the redirects contain :444 without disabling this
    port_in_redirect off;
  }
 }
	stream {
	server {
	listen 3479 ssl proxy_protocol;
	proxy_pass localhost:3478;
	include snippets/stream-ssl.conf; # A copy of the usual ssl/tls config with some unsupported stuff in streams removed
	}

	map $ssl_preread_server_name $targetBackend {
	# If the request is to turn, route to our ssl/tls handler for it above
	# If you have external_tls: false you may also directly point to the turn here
	turn.domain.tld localhost:3479;
	# If the request isn't to turn, route to the http listeners which had to be moved to a different port
	default localhost:444;
	}

	server {
	listen 443;
	ssl_preread on;
	# Proxy protocol helps grab the IP of the connecting user in the http configs
	proxy_protocol on;
	proxy_pass $targetBackend;
	}
	}
	# An example HTTP server block
	server {
	# You have to move ALL of your http listeners to a different port or the stream listener won't be able to bind
	listen 444 ssl http2 proxy_protocol;
	include snippets/tls.conf;

	server_name subdomain.domain.tld;

	upstream backend {
	# ip_hash won't work since it uses your server's IP due to the stream proxy
	# Use the IP from proxy protocol instead
	hash $proxy_protocol_addr;
	server localhost:8080;
	server localhost:8081;
	}

	location / {
	proxy_pass http://backend;
	# Use the IP from proxy protocol instead of $proxy_add_x_forwarded_for or $remote_addr
	# since those will contain your server's IP instead due to the stream proxy
	proxy_set_header X-Real-IP $proxy_protocol_addr;
	proxy_set_header X-Forwarded-For $proxy_protocol_addr;
	# If there are redirects you might notice the redirects contain :444 without disabling this
	port_in_redirect off;
	}
	}