From 3bace0c7b9d43ce860078a20a24a9c7a2c19114b Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Tue, 14 Feb 2023 11:05:39 +0200
Subject: [PATCH] Add matrix_synapse_admin_hostname and rename matrix_synapse_admin_public_endpoint (to matrix_synapse_admin_path_prefix)
---
 docs/configuring-playbook-synapse-admin.md | 28 -------------------
 .../matrix-synapse-admin/defaults/main.yml | 15 ++++++----
 .../tasks/inject_into_nginx_proxy.yml | 6 ++--
 .../tasks/validate_config.yml | 1 +
 4 files changed, 14 insertions(+), 36 deletions(-)
diff --git a/docs/configuring-playbook-synapse-admin.md b/docs/configuring-playbook-synapse-admin.md
index ad1bda02..1099553b 100644
--- a/docs/configuring-playbook-synapse-admin.md
+++ b/docs/configuring-playbook-synapse-admin.md
@@ -35,34 +35,6 @@ To use Synapse Admin, you need to have [registered at least one administrator ac
 The Homeserver URL to use on Synapse Admin's login page is: `https://matrix.DOMAIN`
-### Sample configuration for running behind Traefik 2.0
-
-Below is a sample configuration for using this playbook with a [Traefik](https://traefik.io/) 2.0 reverse proxy.
-
-This an extension to Traefik config sample in [own-webserver-documentation](./configuring-playbook-own-webserver.md).
-
-```yaml
-# Don't bind any HTTP or federation port to the host
-# (Traefik will proxy directly into the containers)
-matrix_synapse_admin_container_http_host_bind_port: ""
-
-matrix_synapse_admin_container_extra_arguments:
- # May be unnecessary depending on Traefik config, but can't hurt
- - '--label "traefik.enable=true"'
-
- # The Synapse Admin container will only receive traffic from this subdomain and path
- - '--label "traefik.http.routers.matrix-synapse-admin.rule=(Host(`{{ matrix_server_fqn_matrix }}`) && Path(`{{matrix_synapse_admin_public_endpoint}}`))"'
-
- # (Define your entrypoint)
- - '--label "traefik.http.routers.matrix-synapse-admin.entrypoints=web-secure"'
-
- # (The 'default' certificate resolver must be defined in Traefik config)
- - '--label "traefik.http.routers.matrix-synapse-admin.tls.certResolver=default"'
-
- # The Synapse Admin container uses port 80 by default
- - '--label "traefik.http.services.matrix-synapse-admin.loadbalancer.server.port=80"'
-```
-
 ### Sample configuration for running behind Caddy v2
 Below is a sample configuration for using this playbook with a [Caddy](https://caddyserver.com/v2) 2.0 reverse proxy (non-default configuration where `matrix-nginx-proxy` is disabled - `matrix_nginx_proxy_enabled: false`).
diff --git a/roles/custom/matrix-synapse-admin/defaults/main.yml b/roles/custom/matrix-synapse-admin/defaults/main.yml
index 4345a026..91383a9e 100644
--- a/roles/custom/matrix-synapse-admin/defaults/main.yml
+++ b/roles/custom/matrix-synapse-admin/defaults/main.yml
@@ -41,9 +41,9 @@ matrix_synapse_admin_container_extra_arguments: []
 # To inject your own other container labels, see `matrix_synapse_admin_container_labels_additional_labels`.
 matrix_synapse_admin_container_labels_traefik_enabled: true
 matrix_synapse_admin_container_labels_traefik_docker_network: "{{ matrix_synapse_admin_container_network }}"
-matrix_synapse_admin_container_labels_traefik_hostname: "{{ matrix_server_fqn_matrix }}"
+matrix_synapse_admin_container_labels_traefik_hostname: "{{ matrix_synapse_admin_hostname }}"
 # The path prefix must either be `/` or not end with a slash (e.g. `/synapse-admin`).
-matrix_synapse_admin_container_labels_traefik_path_prefix: "{{ matrix_synapse_admin_public_endpoint }}"
+matrix_synapse_admin_container_labels_traefik_path_prefix: "{{ matrix_synapse_admin_path_prefix }}"
 matrix_synapse_admin_container_labels_traefik_rule: "Host(`{{ matrix_synapse_admin_container_labels_traefik_hostname }}`){% if matrix_synapse_admin_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_synapse_admin_container_labels_traefik_path_prefix | quote }}`){% endif %}"
 matrix_synapse_admin_container_labels_traefik_priority: 0
 matrix_synapse_admin_container_labels_traefik_entrypoints: web-secure
@@ -131,9 +131,14 @@ matrix_synapse_admin_floc_optout_enabled: true
 # See: `matrix_synapse_admin_http_header_strict_transport_security`
 matrix_synapse_admin_hsts_preload_enabled: false
-# The path at which Synapse Admin will be exposed on `matrix.DOMAIN` when matrix-nginx-proxy is used.
-# A path of `/` is likely not a good choice when matrix-nginx-proxy is used.
+# The hostname at which Synapse Admin is served.
+# Only works with with Traefik reverse-proxying.
+# For matrix-nginx-proxy, `matrix_server_fqn_matrix` is used and this variable has no effect.
+matrix_synapse_admin_hostname: "{{ matrix_server_fqn_matrix }}"
+
+# The path at which Synapse Admin is exposed.
+# When matrix-nginx-proxy is used, setting this to values other than `/` will cause configuration mismatches and trouble.
 #
 # If Traefik is used, the hostname is also configurable - see `matrix_synapse_admin_container_labels_traefik_hostname`.
 # This value must either be `/` or not end with a slash (e.g. `/synapse-admin`).
-matrix_synapse_admin_public_endpoint: /synapse-admin
+matrix_synapse_admin_path_prefix: /synapse-admin
diff --git a/roles/custom/matrix-synapse-admin/tasks/inject_into_nginx_proxy.yml b/roles/custom/matrix-synapse-admin/tasks/inject_into_nginx_proxy.yml
index 6a4af859..a06f47a1 100644
--- a/roles/custom/matrix-synapse-admin/tasks/inject_into_nginx_proxy.yml
+++ b/roles/custom/matrix-synapse-admin/tasks/inject_into_nginx_proxy.yml
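Review bot: In roles/custom/matrix-synapse-admin/defaults/main.yml (hunk at -131), the added sentence above `matrix_synapse_admin_path_prefix` says that with matrix-nginx-proxy any value other than `/` causes configuration mismatches, but the default on the last line of the hunk is `/synapse-admin` and the comment it replaces warned against `/`, so the sentence reads as inverted and should be reworded to state which values the nginx path actually supports. The retained cross-reference still names `matrix_synapse_admin_container_labels_traefik_hostname`; now that a dedicated variable exists it should name `matrix_synapse_admin_hostname` instead. The hostname comment has a doubled word and should read `# Only works with Traefik reverse-proxying.` These comments are the only guidance on where an administrative UI ends up being served, so they are worth getting exact.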
@@ -12,9 +12,9 @@
 - name: Generate Synapse Admin proxying configuration for matrix-nginx-proxy
 ansible.builtin.set_fact:
 matrix_synapse_admin_matrix_nginx_proxy_configuration: |
- rewrite ^{{ matrix_synapse_admin_public_endpoint }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_synapse_admin_public_endpoint }}/ permanent;
+ rewrite ^{{ matrix_synapse_admin_path_prefix }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_synapse_admin_path_prefix }}/ permanent;
- location ~ ^{{ matrix_synapse_admin_public_endpoint }}/(.*) {
+ location ~ ^{{ matrix_synapse_admin_path_prefix }}/(.*) {
 {% if matrix_nginx_proxy_enabled | default(False) %}
 {# Use the embedded DNS resolver in Docker containers to discover the service #}
 resolver 127.0.0.11 valid=5s;
@@ -40,7 +40,7 @@
 msg: >-
 NOTE: You've enabled the Synapse Admin tool but are not using the matrix-nginx-proxy reverse proxy.
- Please make sure that you're proxying the `{{ matrix_synapse_admin_public_endpoint }}`
+ Please make sure that you're proxying the `{{ matrix_synapse_admin_path_prefix }}`
 URL endpoint to the matrix-synapse-admin container. You can expose the container's port using the `matrix_synapse_admin_container_http_host_bind_port` variable.
 when: "not matrix_nginx_proxy_enabled | default(False) | bool"
diff --git a/roles/custom/matrix-synapse-admin/tasks/validate_config.yml b/roles/custom/matrix-synapse-admin/tasks/validate_config.yml
index 48243555..d0281986 100644
--- a/roles/custom/matrix-synapse-admin/tasks/validate_config.yml
+++ b/roles/custom/matrix-synapse-admin/tasks/validate_config.yml
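Review bot: In inject_into_nginx_proxy.yml (hunk at -12), `matrix_synapse_admin_path_prefix` is interpolated unescaped into two nginx regexes, the `rewrite ^…$` line and the `location ~ ^…/(.*)` line, while defaults/main.yml documents `/` as a permitted value. With `/` the location pattern becomes `^//(.*)`, which ordinary request paths would not match, and the rewrite becomes a permanent redirect of the root path to `//`; regex metacharacters in a custom prefix would likewise change what the location matches. Since this block decides which requests reach an administrative UI, the value should be constrained before it is templated, for instance with an assertion in validate_config.yml such as `matrix_synapse_admin_path_prefix is match('^(/[A-Za-z0-9_-]+)+$')` for the nginx case. The set_fact block continues past the end of the hunk, so the rest of the generated configuration is not visible here.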
@@ -10,6 +10,7 @@
 - {'old': 'matrix_synapse_admin_docker_repo', 'new': 'matrix_synapse_admin_container_self_build_repo'}
 - {'old': 'matrix_synapse_admin_container_self_build', 'new': 'matrix_synapse_admin_container_image_self_build'}
 - {'old': 'matrix_synapse_admin_container_self_build_repo', 'new': 'matrix_synapse_admin_container_image_self_build_repo'}
+ - {'old': 'matrix_synapse_admin_public_endpoint', 'new': 'matrix_synapse_admin_path_prefix'}
 - when: matrix_synapse_admin_container_labels_traefik_enabled | bool
 block:
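Review bot: A customised `matrix_synapse_admin_hostname` is silently ignored when Traefik is not doing the routing, and nothing visible in this validation file catches it; the hunk only adds the rename mapping. defaults/main.yml documents the variable as having no effect with matrix-nginx-proxy, so an operator who sets a dedicated hostname for this administrative interface (for example to put it behind separate access restrictions) would still have it served under `matrix_server_fqn_matrix` with no warning. A failing task for that combination would surface the mismatch at validation time. The sketch below uses only variables that appear in this patch; its placement and exact condition need checking against the rest of the file, which lies outside the hunk.

```yaml
# … unchanged: deprecated-variable checks, including the new rename mapping …

- name: Fail if matrix_synapse_admin_hostname is customized without Traefik labels
  ansible.builtin.fail:
    msg: >-
      `matrix_synapse_admin_hostname` only takes effect when Traefik labels are enabled
      (`matrix_synapse_admin_container_labels_traefik_enabled`).
      Otherwise Synapse Admin is served on `matrix_server_fqn_matrix`.
  when: "not (matrix_synapse_admin_container_labels_traefik_enabled | bool) and matrix_synapse_admin_hostname != matrix_server_fqn_matrix"
```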