From 9c52a8b3a11ba51e0fd3de90e28994f1373bce21 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Darveau?= Date: Mon, 10 Oct 2022 16:05:40 -0400 Subject: [PATCH 1/6] update Jitsi on LAN configuration doc --- docs/configuring-playbook-jitsi.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index f7e8a949..51ad29b7 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -87,7 +87,7 @@ For more information refer to the [docker-jitsi-meet](https://github.com/jitsi/d By default the Jitsi Meet instance does not work with a client in LAN (Local Area Network), even if others are connected from WAN. There are no video and audio. In the case of WAN to WAN everything is ok. -The reason is the Jitsi VideoBridge git to LAN client the IP address of the docker image instead of the host. The [documentation](https://github.com/jitsi/docker-jitsi-meet#running-behind-nat-or-on-a-lan-environment) of Jitsi in docker suggest to add `DOCKER_HOST_ADDRESS` in enviornment variable to make it work. +The reason is the Jitsi VideoBridge git to LAN client the IP address of the docker image instead of the host. The [documentation](https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker/#running-behind-nat-or-on-a-lan-environment) of Jitsi in docker suggest to add `JVB_ADVERTISE_IPS` in enviornment variable to make it work. Here is how to do it in the playbook. @@ -95,7 +95,7 @@ Add these two lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configu ```yaml matrix_jitsi_jvb_container_extra_arguments: - - '--env "DOCKER_HOST_ADDRESS="' + - '--env "JVB_ADVERTISE_IPS="' ``` ## (Optional) Fine tune Jitsi From 3a1847e193f6d99bdf5e4551856c302a7a60de55 Mon Sep 17 00:00:00 2001 
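Review bot: the rewritten `+` line in the @@ -87,7 +87,7 @@ hunk keeps the typos of the line it replaces: "git to LAN client" should read "gives the LAN client", "suggest" should be "suggests" and "enviornment" should be "environment"; since the line is touched anyway, fix them here. The yaml hunk also leaves `JVB_ADVERTISE_IPS=` with nothing after the `=`; say what belongs there (the host address the paragraph above says the bridge should be advertising instead of the container's) so that readers do not copy the line literally.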
From: =?UTF-8?q?Fran=C3=A7ois=20Darveau?= Date: Mon, 10 Oct 2022 16:25:17 -0400 Subject: [PATCH 2/6] moved bind port variables documentation for webserver on different docker network or host in a more generic section --- docs/configuring-playbook-own-webserver.md | 30 ++++++++++++---------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 7e5d6001..ecae105b 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md 
@@ -27,11 +27,23 @@ No matter which external webserver you decide to go with, you'll need to: 1) Make sure your web server user (something like `http`, `apache`, `www-data`, `nginx`) is part of the `matrix` group. You should run something like this: `usermod -a -G matrix nginx`. This allows your webserver user to access files owned by the `matrix` group. When using an external nginx webserver, this allows it to read configuration files from `/matrix/nginx-proxy/conf.d`. When using another server, it would make other files, such as `/matrix/static-files/.well-known`, accessible to it. -2) Edit your configuration file (`inventory/host_vars/matrix./vars.yml`) to disable the integrated nginx server: +2) Edit your configuration file (`inventory/host_vars/matrix./vars.yml`) + - to disable the integrated nginx server: -```yaml -matrix_nginx_proxy_enabled: false -``` + ```yaml + matrix_nginx_proxy_enabled: false + ``` + - if using an external server on another docker network or host, add the `_http_host_bind_port` or `_http_bind_port` variables for the services that will be exposed by the external server on the other docker network or host. The actual name of the variable is listed in the `roles//defaults/vars.yml` file for each service. Most variables follow the `_http_host_bind_port` format. + + These variables will make Docker expose the ports to the local network instead of localhost only. 
+ [Keep in mind that there are some security concerns if you simply proxy everything.](https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md#synapse-administration-endpoints) + + Here are the variables required for the default configuration (Synapse and Element) + ``` + matrix_synapse_container_client_api_host_bind_port: '8008' + matrix_synapse_container_federation_api_plain_host_bind_port: '8048' + matrix_client_element_container_http_host_bind_port: "8765" + ``` 3) **If you'll manage SSL certificates by yourself**, edit your configuration file (`inventory/host_vars/matrix./vars.yml`) to disable SSL certificate retrieval: @@ -41,7 +53,6 @@ matrix_ssl_retrieval_method: none **Note**: During [installation](installing.md), unless you've disabled SSL certificate management (`matrix_ssl_retrieval_method: none`), the playbook would need 80 to be available, in order to retrieve SSL certificates. **Please manually stop your other webserver while installing**. You can start it back up afterwards. - ### Using your own external nginx webserver Once you've followed the [Preparation](#preparation) guide above, it's time to set up your external nginx server. 
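Review bot: the new example block in the @@ -27,11 +27,23 @@ hunk is fenced with a bare ``` while the `matrix_nginx_proxy_enabled` block just above it uses ```yaml; tag it the same way. The values `'8008'`, `'8048'` and `"8765"` mix quote styles and give bare ports, whereas the variables accept an `address:port` form (the nginx section this content is moved from documents `"127.0.0.1:8048"` and `"192.168.1.3:80"`); a bare port publishes the container port on every interface of the host, so the sentence "expose the ports to the local network instead of localhost only" understates what the example does. Show a specific interface address, or state plainly that the example binds on all interfaces, and spell out what the linked "security concerns" are (the administration endpoints the link anchor names) rather than leaving that to the link.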
@@ -60,15 +71,6 @@ matrix_nginx_proxy_ssl_protocols: "TLSv1.2" If you are experiencing issues, try updating to a newer version of Nginx. As a data point in May 2021 a user reported that Nginx 1.14.2 was not working for them. They were getting errors about socket leaks. Updating to Nginx 1.19 fixed their issue. -If you are not going to be running your webserver on the same docker network, or the same machine as matrix, these variables can be set to bind synapse to an exposed port. [Keep in mind that there are some security concerns if you simply proxy everything to it](https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md#synapse-administration-endpoints) -```yaml -# Takes an ":" or "" value (e.g. "127.0.0.1:8048" or "192.168.1.3:80"), or empty string to not expose. -matrix_synapse_container_client_api_host_bind_port: '' -matrix_synapse_container_federation_api_plain_host_bind_port: '' -``` - - - ### Using your own external Apache webserver Once you've followed the [Preparation](#preparation) guide above, you can take a look at the [examples/apache](../examples/apache) directory for a sample configuration. From 527184097131b22ef913cc031355d3e5ace8fd0b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Darveau?= Date: Mon, 10 Oct 2022 16:43:42 -0400 Subject: [PATCH 3/6] caddy2 Caddyfile : add CORS handling, update click-jacking protection to handle different subdomains and add example for cases with other well-knowns --- examples/caddy2/Caddyfile | 45 ++++++++++++++++++++++++++++++++++----- 1 file changed, 40 insertions(+), 5 deletions(-) diff --git a/examples/caddy2/Caddyfile b/examples/caddy2/Caddyfile index 162e539e..a19ce6dd 100644 --- a/examples/caddy2/Caddyfile +++ b/examples/caddy2/Caddyfile 
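Review bot: the @@ -60,15 +71,6 @@ hunk deletes the only line documenting the value format of the bind-port variables (`# Takes an ":" or "" value (e.g. "127.0.0.1:8048" or "192.168.1.3:80"), or empty string to not expose.`), and the generic section the example moved to does not carry it over; keep that comment next to the moved example so the `address:port` form and the empty-string option stay documented.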
@@ -1,3 +1,15 @@ +(cors) { + @cors_preflight method OPTIONS + + handle @cors_preflight { + header Access-Control-Allow-Origin "{args.0}" + header Access-Control-Allow-Methods "HEAD, GET, POST, PUT, PATCH, DELETE" + header Access-Control-Allow-Headers "Content-Type, Authorization" + header Access-Control-Max-Age "3600" + } +} + + matrix.DOMAIN.tld { # creates letsencrypt certificate @@ -81,6 +93,13 @@ matrix.DOMAIN.tld { header Access-Control-Allow-Origin * file_server } + + # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the base domain + #handle @wellknown { + # # .well-known is handled by base domain + # reverse_proxy https://DOMAIN.tld { + # header_up Host {http.reverse_proxy.upstream.hostport} + #} handle { encode zstd gzip @@ -114,6 +133,8 @@ element.DOMAIN.tld { # creates letsencrypt certificate # tls your@email.com + import cors https://*.DOMAIN.tld + header { # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" @@ -123,6 +144,8 @@ element.DOMAIN.tld { X-Content-Type-Options "nosniff" # Disallow the site to be rendered within a frame (clickjacking protection) X-Frame-Options "DENY" + # If using integrations that add frames to Element, such as Dimension and its integrations running on the same domain, it can be a good idea to limit sources allowed to be rendered + # Content-Security-Policy frame-src https://*.DOMAIN.tld # X-Robots-Tag X-Robots-Tag "noindex, noarchive, nofollow" } @@ -144,6 +167,8 @@ element.DOMAIN.tld { # # creates letsencrypt certificate # # tls your@email.com # +# import cors https://*.DOMAIN.tld +# # header { # # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS # Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" 
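Review bot: the `(cors)` snippet in the @@ -1,3 +1,15 @@ hunk is imported with `https://*.DOMAIN.tld`, but `Access-Control-Allow-Origin` does not accept wildcard subdomains; browsers compare the header value against the exact request origin, so `Access-Control-Allow-Origin: https://*.DOMAIN.tld` rejects every cross-origin request from element.DOMAIN.tld. Match the request's Origin header against the allowed pattern instead (for example `@cors_origin header_regexp Origin ^https://([a-z0-9-]+\.)?DOMAIN\.tld$`), echo `{http.request.header.Origin}` into the response header and add `Vary: Origin`. The headers are also only set inside `handle @cors_preflight`, so the actual non-OPTIONS responses carry no `Access-Control-Allow-Origin` at all, and the preflight handler writes no response of its own, which should at least be said in a comment.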
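Review bot: the commented alternative in the @@ -81,6 +93,13 @@ hunk is unbalanced: `#handle @wellknown {` and `# reverse_proxy https://DOMAIN.tld {` open two blocks but only one `#}` closes them, so anyone uncommenting it gets a Caddyfile parse error; add the missing `#}`. The comment should also name which block "the above block" is and note that `@wellknown` must already be defined as a named matcher for this to work.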
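Review bot: the commented `Content-Security-Policy frame-src https://*.DOMAIN.tld` line added in the @@ -123,6 +144,8 @@ hunk will not do what its comment says if uncommented as-is: `header` reads an unquoted third argument as a find/replace pair, so the value must be quoted (`Content-Security-Policy "frame-src https://*.DOMAIN.tld"`), as `Strict-Transport-Security` is in the same block. It is also worth saying in the comment that `frame-src` restricts what Element may embed, while the `X-Frame-Options "DENY"` kept just above still stops Element itself from being framed; the two are complementary, not alternatives.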
@@ -151,8 +176,8 @@ element.DOMAIN.tld { # X-XSS-Protection "1; mode=block" # # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type # X-Content-Type-Options "nosniff" -# # Disallow the site to be rendered within a frame (clickjacking protection) -# X-Frame-Options "DENY" +# # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain (clickjacking protection) +# # Content-Security-Policy frame-ancestors https://*.DOMAIN.tld # # X-Robots-Tag # X-Robots-Tag "noindex, noarchive, nofollow" # } @@ -176,6 +201,8 @@ element.DOMAIN.tld { # creates letsencrypt certificate # tls your@email.com # +# import cors https://*.DOMAIN.tld +# # header { # # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS # Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" @@ -185,9 +212,9 @@ element.DOMAIN.tld { # # # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type # X-Content-Type-Options "nosniff" -# -# # Disallow the site to be rendered within a frame (clickjacking protection) -# X-Frame-Options "SAMEORIGIN" + +# # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain +# # Content-Security-Policy frame-ancestors https://*.DOMAIN.tld # # # Disable some features # Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope #'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'" 
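Review bot: the @@ -151,8 +176,8 @@ hunk (and the @@ -185,9 +212,9 @@ hunk likewise) removes the active `X-Frame-Options` line and replaces it with a `Content-Security-Policy frame-ancestors` line that is itself commented out, so at this commit the example ships with no clickjacking protection in those blocks; either enable the CSP line here or keep `X-Frame-Options` until it is enabled. Once enabled, the value needs quoting (`"frame-ancestors https://*.DOMAIN.tld"`) like the other header values in the file, since `header` treats an unquoted third argument as a replacement string rather than part of the value. In the -185 hunk the removed `-#` line comes back as an empty `+` line, which breaks the commented-block style of the surrounding lines.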
@@ -225,6 +252,14 @@ element.DOMAIN.tld { # header_up Host {http.reverse_proxy.upstream.hostport} # } # } +# # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the matrix subdomain +# # handle /.well-known/* { +# # encode zstd gzip +# # header Cache-Control max-age=14400 +# # header Content-Type application/json +# # header Access-Control-Allow-Origin * +# #} +# # # Configration for the base domain goes here # # handle { # # header -Server From 21bed90e13c46b6ed5fb3f0945bf9435e76ede90 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Darveau?= Date: Tue, 11 Oct 2022 07:26:29 -0400 Subject: [PATCH 4/6] remove mention of other docker host in external webserver documentation (binding ports section) --- docs/configuring-playbook-own-webserver.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index ecae105b..50d9d1da 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md 
@@ -33,16 +33,16 @@ No matter which external webserver you decide to go with, you'll need to: ```yaml matrix_nginx_proxy_enabled: false ``` - - if using an external server on another docker network or host, add the `_http_host_bind_port` or `_http_bind_port` variables for the services that will be exposed by the external server on the other docker network or host. The actual name of the variable is listed in the `roles//defaults/vars.yml` file for each service. Most variables follow the `_http_host_bind_port` format. + - if using an external server on another host, add the `_http_host_bind_port` or `_http_bind_port` variables for the services that will be exposed by the external server on the other host. The actual name of the variable is listed in the `roles//defaults/vars.yml` file for each service. Most variables follow the `_http_host_bind_port` format. These variables will make Docker expose the ports to the local network instead of localhost only. [Keep in mind that there are some security concerns if you simply proxy everything.](https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md#synapse-administration-endpoints) Here are the variables required for the default configuration (Synapse and Element) ``` - matrix_synapse_container_client_api_host_bind_port: '8008' - matrix_synapse_container_federation_api_plain_host_bind_port: '8048' - matrix_client_element_container_http_host_bind_port: "8765" + matrix_synapse_container_client_api_host_bind_port: '0.0.0.0:8008' + matrix_synapse_container_federation_api_plain_host_bind_port: '0.0.0.0:8048' + matrix_client_element_container_http_host_bind_port: "0.0.0.0:8765" ``` 3) **If you'll manage SSL certificates by yourself**, edit your configuration file (`inventory/host_vars/matrix./vars.yml`) to disable SSL certificate retrieval: From a061ea54b3e302e1582daa442690ad8d71d6ddc5 Mon Sep 17 00:00:00 2001 
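Review bot: the @@ -33,16 +33,16 @@ hunk changes the example values to `0.0.0.0:8008`, `0.0.0.0:8048` and `0.0.0.0:8765`, which publishes Synapse's client and federation APIs and Element on every interface of the host, while the sentence two lines above still says "to the local network"; those ports then answer directly, without the external webserver's header handling, from any network the host is attached to, and Docker publishes them with its own iptables rules, which a host firewall has to account for. Prefer showing the address of the interface the external webserver actually reaches (the `"192.168.1.3:80"` form deleted earlier in this series), and state that `0.0.0.0` needs a firewall in front of it.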
From: =?UTF-8?q?Fran=C3=A7ois=20Darveau?= Date: Tue, 11 Oct 2022 07:32:02 -0400 Subject: [PATCH 5/6] Caddyfile example : enable Content-Security-Policy by default instead of having the line commented --- examples/caddy2/Caddyfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/caddy2/Caddyfile b/examples/caddy2/Caddyfile index a19ce6dd..43005ca4 100644 --- a/examples/caddy2/Caddyfile +++ b/examples/caddy2/Caddyfile @@ -177,7 +177,7 @@ element.DOMAIN.tld { # # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type # X-Content-Type-Options "nosniff" # # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain (clickjacking protection) -# # Content-Security-Policy frame-ancestors https://*.DOMAIN.tld +# Content-Security-Policy frame-ancestors https://*.DOMAIN.tld # # X-Robots-Tag # X-Robots-Tag "noindex, noarchive, nofollow" # } @@ -214,7 +214,7 @@ element.DOMAIN.tld { # X-Content-Type-Options "nosniff" # # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain -# # Content-Security-Policy frame-ancestors https://*.DOMAIN.tld +# Content-Security-Policy frame-ancestors https://*.DOMAIN.tld # # # Disable some features # Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope #'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'" From 35e80b708781e7db6c04a778ce0892c7db225605 Mon Sep 17 00:00:00 2001 
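Review bot: the two lines uncommented in the @@ -177,7 +177,7 @@ and @@ -214,7 +214,7 @@ hunks pass three arguments to `header` (`Content-Security-Policy frame-ancestors https://*.DOMAIN.tld`), which Caddy reads as field, find and replace, i.e. a substitution on an existing header, not a value to set; quote it as `Content-Security-Policy "frame-ancestors https://*.DOMAIN.tld"`, matching the quoting of `Strict-Transport-Security` in the same blocks. A short comment on why `frame-ancestors` replaces the former `X-Frame-Options "SAMEORIGIN"` would also help, since `SAMEORIGIN` would not have allowed sibling subdomains while the new value does.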
From: =?UTF-8?q?Fran=C3=A7ois=20Darveau?= Date: Wed, 12 Oct 2022 09:15:03 -0400 Subject: [PATCH 6/6] Update docs/configuring-playbook-own-webserver.md Co-authored-by: Slavi Pantaleev --- docs/configuring-playbook-own-webserver.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 50d9d1da..87201e3e 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -35,7 +35,7 @@ No matter which external webserver you decide to go with, you'll need to: ``` - if using an external server on another host, add the `_http_host_bind_port` or `_http_bind_port` variables for the services that will be exposed by the external server on the other host. The actual name of the variable is listed in the `roles//defaults/vars.yml` file for each service. Most variables follow the `_http_host_bind_port` format. - These variables will make Docker expose the ports to the local network instead of localhost only. + These variables will make Docker expose the ports on all network interfaces instead of localhost only. [Keep in mind that there are some security concerns if you simply proxy everything.](https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md#synapse-administration-endpoints) Here are the variables required for the default configuration (Synapse and Element)