Make self-hosted jitsi-meet publicly inaccessible but still use it through jitsi-iframes on different virtual host (server block)

Hello,

I have a working jitsi-meet instance publicly accessible through jitsi.server.com
I have a different web-site working as an nginx server block on the same server as app.server.com.
In the app website I use jitsi-iframes to set-up a communication channel (using the jitsi.server.com as entry point) and that works fine.

--> app.server.com ----+
                       |
                     nginx --> jitsi-meet
                       |
--> jitsi.server.com --+

What I’m trying to accomplish is that the jitsi service is only accessible through the app website.

Question: how do I make the jitsi server block (virtual host) publicly inaccessible but still accessible for the jitsi-iframes on the app website?

--> app.server.com ----+
                       |
                     nginx --> jitsi-meet
                       |
  X jitsi.server.com --+

OR (preferred)
How do I remove the jitsi.server.com server block altogether but still use jitsi-meet through jitsi-iframes on the app.server.com?

--> app.server.com ----+
                       |
                     nginx --> jitsi-meet

I guess the Iframe should look something like this:

        var domain = "localhost";
        var options = {
            roomName: "JitsiMeetAPIExample",
            parentNode: undefined,
            configOverwrite: {},
            interfaceConfigOverwrite: {}
        }

But I have no idea how to configure nginx and/or jitsi-meet or even where to start looking for an answer.
I have set up jitsi-meet as self-hosted following the quick install guide on Ubuntu 18.0.4
Thanks for your help.

I didn’t test it but according to the IFrame API doc there is an argument for jwt while creating the api object.

        api = new JitsiMeetExternalAPI(domain, options)

If you activate the JWT authentication, nobody can use your server directly without having a valid token. You can create the token on your application server.

You may read about Access-Control-Allow-Origin … maybe you can modify your nginx config to allow access only from the app.server.com domain as origin … never tested it, but sounds like it should work …
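The JWT approach suggested in the reply above, as an added example that is not part of the original thread: the application server (Node.js here) mints a short-lived HS256 token bound to one room, and the page passes it as `jwt` in the iframe options. The claim names follow Jitsi's token documentation; `APP_ID`, `APP_SECRET`, the helper names and all values are constructed placeholders, and the example assumes JWT authentication is enabled on the Jitsi side with the same app id and secret.

```javascript
const crypto = require("crypto");

// Constructed placeholders (assumptions): must match the app id / secret
// configured for JWT authentication on the Jitsi server.
const APP_ID = "example_app_id";
const APP_SECRET = "constructed-secret-change-me";
const JITSI_DOMAIN = "jitsi.server.com";

const b64url = (s) => Buffer.from(s).toString("base64url");
const sign = (input, secret) =>
  crypto.createHmac("sha256", secret).update(input).digest("base64url");

// Application server: issue a token that is valid for one room and a few minutes.
function createJitsiToken(room, userName, ttlSeconds = 300,
                          now = Math.floor(Date.now() / 1000)) {
  const header = { alg: "HS256", typ: "JWT" };
  const payload = {
    iss: APP_ID, aud: "jitsi", sub: JITSI_DOMAIN,
    room,                       // bind the token to this room only
    exp: now + ttlSeconds,      // short lifetime limits reuse of a leaked token
    context: { user: { name: userName } },
  };
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  return `${input}.${sign(input, APP_SECRET)}`;
}

// The checks a verifier applies: pinned algorithm, signature, issuer, room, expiry.
function verifyJitsiToken(token, room, secret = APP_SECRET,
                          now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return false;
  const [h, p, sig] = parts;
  try {
    const header = JSON.parse(Buffer.from(h, "base64url").toString());
    if (header.alg !== "HS256") return false; // reject "none" and other algorithms
    const expected = Buffer.from(sign(`${h}.${p}`, secret));
    const given = Buffer.from(sig);
    if (expected.length !== given.length) return false;
    if (!crypto.timingSafeEqual(expected, given)) return false;
    const claims = JSON.parse(Buffer.from(p, "base64url").toString());
    return claims.iss === APP_ID && claims.room === room && claims.exp > now;
  } catch (e) {
    return false; // malformed header or payload
  }
}

// Browser side, with the token delivered by the application server:
//   options.jwt = token; api = new JitsiMeetExternalAPI(domain, options);
```

The secret stays on the application server; only the signed token reaches the browser.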