Add http->http redirection for Matrix/Riot
Doing this means that matrix-nginx-proxy now starts occupying port 80, which necessitates that SSL renewal happens slightly differently.
This commit is contained in:
parent
0d1a2071de
commit
a3ecb7bfd9
|
@ -11,22 +11,27 @@
|
|||
- include: tasks/setup_ssl.yml
|
||||
tags:
|
||||
- setup-main
|
||||
- setup-ssl
|
||||
|
||||
- include: tasks/setup_postgres.yml
|
||||
tags:
|
||||
- setup-main
|
||||
- setup-postgres
|
||||
|
||||
- include: tasks/setup_synapse.yml
|
||||
tags:
|
||||
- setup-main
|
||||
- setup-synapse
|
||||
|
||||
- include: tasks/setup_riot_web.yml
|
||||
tags:
|
||||
- setup-main
|
||||
- setup-riot-web
|
||||
|
||||
- include: tasks/setup_nginx_proxy.yml
|
||||
tags:
|
||||
- setup-main
|
||||
- setup-nginx-proxy
|
||||
|
||||
- include: tasks/start.yml
|
||||
tags:
|
||||
|
|
|
@ -2,13 +2,20 @@ MAILTO="{{ ssl_support_email }}"
|
|||
|
||||
# The goal of this cronjob is to ask acmetool to check
|
||||
# the current SSL certificates and to see if some need renewal.
|
||||
# It so, it would attempt to renew.
|
||||
# If so, it would attempt to renew.
|
||||
#
|
||||
# Various services depend on these certificates and would need to be restarted.
|
||||
# This is not our concern here. We simply make sure the certificates are up to date.
|
||||
# Restarting of services happens on its own different schedule (other cronjobs).
|
||||
#
|
||||
# acmetool is supposed to bind to port :80 (forwarded to the host) and solve the challenge directly.
|
||||
# We can afford to do that, because all our services run on other ports.
|
||||
#
|
||||
# How renewal works?
|
||||
#
|
||||
# acmetool will fail to bind to port :80 (because matrix-nginx-proxy is running there),
|
||||
# and will fall back to its "webroot" validation method.
|
||||
#
|
||||
# Thus, it would put validation files in `/var/run/acme/acme-challenge`.
|
||||
# These files can be retrieved via any vhost on port 80 of matrix-nginx-proxy,
|
||||
# because it aliases `/.well-known/acme-challenge` to that same directory.
|
||||
|
||||
15 4 */5 * * root /usr/bin/docker run --rm --name acmetool-once -p 80:80 -v {{ ssl_certs_path }}:/certs -e ACME_EMAIL={{ ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug
|
||||
15 4 */5 * * root /usr/bin/docker run --rm --name acmetool-host-grab --net=host -v {{ ssl_certs_path }}:/certs -v {{ ssl_certs_path }}/run:/var/run/acme -e ACME_EMAIL={{ ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug
|
||||
|
|
|
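Review bot: The `--net=host` on the new acmetool cron line is the flag the documented fallback actually depends on, but the comment block above it never says so: in an isolated container network namespace acmetool would bind :80 without any conflict, attempt the listener challenge and fail because the port is never published, and only with host networking does the bind collide with matrix-nginx-proxy and fall back to webroot. I would add directly above the cron line `# --net=host is required: only on the host network does the :80 bind collide with matrix-nginx-proxy and trigger the webroot fallback; in its own namespace acmetool would bind :80 fine and never fall back.` The same line runs an untagged `willwill/acme-docker` image as root with host networking and a bind mount of `{{ ssl_certs_path }}`, so pinning the image to a tag or digest would be worth adding alongside. The nginx side serves `/acmetool-certs/run/acme-challenge`, which presumably is `{{ ssl_certs_path }}/run` mounted into the proxy container by a unit change outside this hunk; confirm that mount exists, since otherwise the challenge files acmetool writes under `/var/run/acme` are never reachable on port 80.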
@ -1,3 +1,19 @@
|
|||
server {
|
||||
listen 80;
|
||||
server_name {{ hostname_riot }};
|
||||
|
||||
server_tokens off;
|
||||
|
||||
location /.well-known/acme-challenge {
|
||||
default_type "text/plain";
|
||||
alias /acmetool-certs/run/acme-challenge;
|
||||
}
|
||||
|
||||
location / {
|
||||
return 301 https://$http_host$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
|
|
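Review bot: The new port-80 server block has only `listen 80;` while the 443 block right below it also has `listen [::]:443 ssl http2;`, so IPv6 clients get neither the ACME challenge path nor the redirect on this vhost; add `listen [::]:80;` after `listen 80;`. The redirect `return 301 https://$http_host$request_uri;` also copies the client-supplied Host header into the Location, and whichever of the two port-80 blocks nginx treats as the default server answers requests for any other Host as well, so a request with an arbitrary Host header is redirected to that host. Since `server_name` is fixed to `{{ hostname_riot }}`, `return 301 https://$server_name$request_uri;` keeps the redirect on the intended name. Both points apply identically to the `{{ hostname_matrix }}` vhost in the next file section.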
@ -1,3 +1,19 @@
|
|||
server {
|
||||
listen 80;
|
||||
server_name {{ hostname_matrix }};
|
||||
|
||||
server_tokens off;
|
||||
|
||||
location /.well-known/acme-challenge {
|
||||
default_type "text/plain";
|
||||
alias /acmetool-certs/run/acme-challenge;
|
||||
}
|
||||
|
||||
location / {
|
||||
return 301 https://$http_host$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
|
|
@ -12,6 +12,7 @@ Type=simple
|
|||
ExecStartPre=-/usr/bin/docker kill matrix-nginx-proxy
|
||||
ExecStartPre=-/usr/bin/docker rm matrix-nginx-proxy
|
||||
ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \
|
||||
-p 80:80 \
|
||||
-p 443:443 \
|
||||
--link matrix-synapse:synapse \
|
||||
--link matrix-riot-web:riot \
|
||||
|
|