Add http->https redirection for Matrix/Riot

Doing this means that matrix-nginx-proxy now starts
occupying port 80, which necessitates that
SSL renewal happens slightly differently.
This commit is contained in:
Slavi Pantaleev 2017-08-06 19:10:50 +03:00
parent 0d1a2071de
commit a3ecb7bfd9
5 changed files with 49 additions and 4 deletions


@ -11,22 +11,27 @@
- include: tasks/setup_ssl.yml - include: tasks/setup_ssl.yml
tags: tags:
- setup-main - setup-main
- setup-ssl
- include: tasks/setup_postgres.yml - include: tasks/setup_postgres.yml
tags: tags:
- setup-main - setup-main
- setup-postgres
- include: tasks/setup_synapse.yml - include: tasks/setup_synapse.yml
tags: tags:
- setup-main - setup-main
- setup-synapse
- include: tasks/setup_riot_web.yml - include: tasks/setup_riot_web.yml
tags: tags:
- setup-main - setup-main
- setup-riot-web
- include: tasks/setup_nginx_proxy.yml - include: tasks/setup_nginx_proxy.yml
tags: tags:
- setup-main - setup-main
- setup-nginx-proxy
- include: tasks/start.yml - include: tasks/start.yml
tags: tags:


@ -2,13 +2,20 @@ MAILTO="{{ ssl_support_email }}"
# The goal of this cronjob is to ask acmetool to check # The goal of this cronjob is to ask acmetool to check
# the current SSL certificates and to see if some need renewal. # the current SSL certificates and to see if some need renewal.
# It so, it would attempt to renew. # If so, it would attempt to renew.
# #
# Various services depend on these certificates and would need to be restarted. # Various services depend on these certificates and would need to be restarted.
# This is not our concern here. We simply make sure the certificates are up to date. # This is not our concern here. We simply make sure the certificates are up to date.
# Restarting of services happens on its own different schedule (other cronjobs). # Restarting of services happens on its own different schedule (other cronjobs).
# #
# acmetool is supposed to bind to port :80 (forwarded to the host) and solve the challenge directly. #
# We can afford to do that, because all our services run on other ports. # How renewal works?
#
# acmetool will fail to bind to port :80 (because matrix-nginx-proxy is running there),
# and will fall back to its "webroot" validation method.
#
# Thus, it would put validation files in `/var/run/acme/acme-challenge`.
# These files can be retrieved via any vhost on port 80 of matrix-nginx-proxy,
# because it aliases `/.well-known/acme-challenge` to that same directory.
15 4 */5 * * root /usr/bin/docker run --rm --name acmetool-once -p 80:80 -v {{ ssl_certs_path }}:/certs -e ACME_EMAIL={{ ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug 15 4 */5 * * root /usr/bin/docker run --rm --name acmetool-host-grab --net=host -v {{ ssl_certs_path }}:/certs -v {{ ssl_certs_path }}/run:/var/run/acme -e ACME_EMAIL={{ ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug
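Review bot: `--net=host` in the new `docker run` on the last line is a broader grant than the `-p 80:80` it replaces — the acmetool container now shares the host's network namespace and can reach every host interface and loopback-bound service, not just expose one port. Per the comment above, the bind on :80 is expected to fail so that acmetool falls back to webroot validation, so the host network only matters in the case where matrix-nginx-proxy is down and acmetool answers on :80 itself; if acmetool can be told to use the webroot method directly (I can't confirm its configuration from this hunk), a plain `-p 80:80` or no port mapping at all would be the tighter choice. Whichever is kept, the comment should state the coupling explicitly, e.g. `# NOTE: renewal relies on matrix-nginx-proxy being up and serving {{ ssl_certs_path }}/run/acme-challenge; if it is stopped at run time, acmetool binds :80 on the host itself.` Since the job runs as `root` and writes into `{{ ssl_certs_path }}`, a one-line pointer to which cronjob reloads nginx afterwards would also help the next reader.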


@ -1,3 +1,19 @@
server {
listen 80;
server_name {{ hostname_riot }};
server_tokens off;
location /.well-known/acme-challenge {
default_type "text/plain";
alias /acmetool-certs/run/acme-challenge;
}
location / {
return 301 https://$http_host$request_uri;
}
}
server { server {
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
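Review bot: The redirect `return 301 https://$http_host$request_uri;` copies the client-supplied Host header into the Location target, so a request with a forged Host that lands in this block (which happens for any Host if it ends up as nginx's default server on :80) is bounced to an attacker-chosen origin; since the vhost is already pinned by `server_name {{ hostname_riot }};`, use that name instead: `return 301 https://{{ hostname_riot }}$request_uri;`. The new block also listens only on IPv4 (`listen 80;`) whereas the 443 block below has `listen [::]:443 ssl http2;`, so IPv6 clients get no redirect and an http-01 validation attempted over IPv6 (which the CA will typically do when the name has an AAAA record) would never reach the acme-challenge alias; add `listen [::]:80;`. Consider writing the challenge location with trailing slashes, `location /.well-known/acme-challenge/ { alias /acmetool-certs/run/acme-challenge/; }`, so the prefix cannot match sibling paths such as `/.well-known/acme-challengefoo`. The 443 server block continues past the end of the hunk.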


@ -1,3 +1,19 @@
server {
listen 80;
server_name {{ hostname_matrix }};
server_tokens off;
location /.well-known/acme-challenge {
default_type "text/plain";
alias /acmetool-certs/run/acme-challenge;
}
location / {
return 301 https://$http_host$request_uri;
}
}
server { server {
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
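Review bot: `return 301 https://$http_host$request_uri;` reflects whatever Host header the client sent into the redirect, so if this server is the one nginx falls back to for unmatched Hosts on :80, a forged Host turns it into an open redirect to an arbitrary origin; the hostname is already fixed by `server_name {{ hostname_matrix }};`, so pin the target: `return 301 https://{{ hostname_matrix }}$request_uri;`. Separately, `listen 80;` is IPv4-only while the TLS block below also has `listen [::]:443 ssl http2;`, meaning the http->https redirect and the acme-challenge alias are unreachable over IPv6 — add `listen [::]:80;` so http-01 validation over IPv6 does not fail. A trailing-slash form of the challenge location (`location /.well-known/acme-challenge/` with `alias /acmetool-certs/run/acme-challenge/;`) would keep the prefix from matching unrelated sibling paths. The 443 server block continues past the end of the hunk.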


@ -12,6 +12,7 @@ Type=simple
ExecStartPre=-/usr/bin/docker kill matrix-nginx-proxy ExecStartPre=-/usr/bin/docker kill matrix-nginx-proxy
ExecStartPre=-/usr/bin/docker rm matrix-nginx-proxy ExecStartPre=-/usr/bin/docker rm matrix-nginx-proxy
ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \ ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \
-p 80:80 \
-p 443:443 \ -p 443:443 \
--link matrix-synapse:synapse \ --link matrix-synapse:synapse \
--link matrix-riot-web:riot \ --link matrix-riot-web:riot \
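Review bot: With `-p 80:80` matrix-nginx-proxy becomes the host's sole owner of :80, so the acmetool cronjob's webroot fallback now depends on this unit being up and on the challenge directory being mounted into the container at `/acmetool-certs` (the nginx vhosts alias `/acmetool-certs/run/acme-challenge`); the `-v` that would provide that mount is not in this hunk, so I can't confirm it is present. That coupling is invisible from the unit file itself and deserves a comment above `ExecStart=`: `# :80 serves the http->https redirect and the ACME http-01 challenge files written by the acmetool cronjob; keep the certs volume mounted.` The `docker run` command continues past the end of the hunk.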