Add http->http redirection for Matrix/Riot
Doing this means that matrix-nginx-proxy now occupies port 80, which requires SSL renewal to happen slightly differently.
parent
0d1a2071de
commit
a3ecb7bfd9
|
@ -11,22 +11,27 @@
|
||||||
- include: tasks/setup_ssl.yml
|
- include: tasks/setup_ssl.yml
|
||||||
tags:
|
tags:
|
||||||
- setup-main
|
- setup-main
|
||||||
|
- setup-ssl
|
||||||
|
|
||||||
- include: tasks/setup_postgres.yml
|
- include: tasks/setup_postgres.yml
|
||||||
tags:
|
tags:
|
||||||
- setup-main
|
- setup-main
|
||||||
|
- setup-postgres
|
||||||
|
|
||||||
- include: tasks/setup_synapse.yml
|
- include: tasks/setup_synapse.yml
|
||||||
tags:
|
tags:
|
||||||
- setup-main
|
- setup-main
|
||||||
|
- setup-synapse
|
||||||
|
|
||||||
- include: tasks/setup_riot_web.yml
|
- include: tasks/setup_riot_web.yml
|
||||||
tags:
|
tags:
|
||||||
- setup-main
|
- setup-main
|
||||||
|
- setup-riot-web
|
||||||
|
|
||||||
- include: tasks/setup_nginx_proxy.yml
|
- include: tasks/setup_nginx_proxy.yml
|
||||||
tags:
|
tags:
|
||||||
- setup-main
|
- setup-main
|
||||||
|
- setup-nginx-proxy
|
||||||
|
|
||||||
- include: tasks/start.yml
|
- include: tasks/start.yml
|
||||||
tags:
|
tags:
|
||||||
|
|
|
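Review bot: The new per-component tags (`setup-ssl`, `setup-postgres`, `setup-synapse`, `setup-riot-web`, `setup-nginx-proxy`) are introduced without any documentation of how they are meant to be combined with the pre-existing `setup-main`, and nothing in the hunk says which tag a full run is expected to use. A short comment above the first `- include:` would settle that, e.g. `# setup-main runs every component; the setup-<component> tags allow re-running a single one (e.g. --tags setup-ssl).` The task list starts before this hunk, and the tags of the final `- include: tasks/start.yml` continue past its end, so the comment placement and any tag on `start.yml` can't be checked from here.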
@ -2,13 +2,20 @@ MAILTO="{{ ssl_support_email }}"
|
||||||
|
|
||||||
# The goal of this cronjob is to ask acmetool to check
|
# The goal of this cronjob is to ask acmetool to check
|
||||||
# the current SSL certificates and to see if some need renewal.
|
# the current SSL certificates and to see if some need renewal.
|
||||||
# It so, it would attempt to renew.
|
# If so, it would attempt to renew.
|
||||||
#
|
#
|
||||||
# Various services depend on these certificates and would need to be restarted.
|
# Various services depend on these certificates and would need to be restarted.
|
||||||
# This is not our concern here. We simply make sure the certificates are up to date.
|
# This is not our concern here. We simply make sure the certificates are up to date.
|
||||||
# Restarting of services happens on its own different schedule (other cronjobs).
|
# Restarting of services happens on its own different schedule (other cronjobs).
|
||||||
#
|
#
|
||||||
# acmetool is supposed to bind to port :80 (forwarded to the host) and solve the challenge directly.
|
#
|
||||||
# We can afford to do that, because all our services run on other ports.
|
# How renewal works?
|
||||||
|
#
|
||||||
|
# acmetool will fail to bind to port :80 (because matrix-nginx-proxy is running there),
|
||||||
|
# and will fall back to its "webroot" validation method.
|
||||||
|
#
|
||||||
|
# Thus, it would put validation files in `/var/run/acme/acme-challenge`.
|
||||||
|
# These files can be retrieved via any vhost on port 80 of matrix-nginx-proxy,
|
||||||
|
# because it aliases `/.well-known/acme-challenge` to that same directory.
|
||||||
|
|
||||||
15 4 */5 * * root /usr/bin/docker run --rm --name acmetool-once -p 80:80 -v {{ ssl_certs_path }}:/certs -e ACME_EMAIL={{ ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug
|
15 4 */5 * * root /usr/bin/docker run --rm --name acmetool-host-grab --net=host -v {{ ssl_certs_path }}:/certs -v {{ ssl_certs_path }}/run:/var/run/acme -e ACME_EMAIL={{ ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug
|
||||||
|
|
|
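Review bot: The new cron line relies on an implicit mechanism — acmetool's bind to :80 failing and it then falling back to webroot validation — and the header comment states this as fact without naming the two conditions it depends on: matrix-nginx-proxy must be holding port 80 at 04:15, and the directory mounted here as `{{ ssl_certs_path }}/run:/var/run/acme` must be the one the proxy serves under `/.well-known/acme-challenge` (the vhosts alias `/acmetool-certs/run/acme-challenge`, so the proxy presumably mounts `{{ ssl_certs_path }}` at `/acmetool-certs`; that mount is not visible in this commit). If acmetool's target configuration allows selecting the webroot method and path explicitly, that is preferable to depending on a failed bind, since a wrong mount path only shows up as a validation failure at renewal time. `--net=host` also hands the container the host's network namespace, loopback included; it is used here only so that the :80 bind fails, which is worth saying in the comment, e.g. `# --net=host is what makes the :80 bind fail; it also removes network isolation for this container.` The `MAILTO` line and any other header content are outside the hunk.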
@ -1,3 +1,19 @@
|
||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
server_name {{ hostname_riot }};
|
||||||
|
|
||||||
|
server_tokens off;
|
||||||
|
|
||||||
|
location /.well-known/acme-challenge {
|
||||||
|
default_type "text/plain";
|
||||||
|
alias /acmetool-certs/run/acme-challenge;
|
||||||
|
}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
return 301 https://$http_host$request_uri;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
|
|
|
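Review bot: The redirect `return 301 https://$http_host$request_uri;` builds its target from the client-supplied Host header, and whichever of the two new port-80 server blocks nginx loads first also becomes the default server for port 80, so a request carrying an arbitrary Host reaches it and is redirected to that host. Use the configured name instead: `return 301 https://{{ hostname_riot }}$request_uri;` here, and `return 301 https://{{ hostname_matrix }}$request_uri;` in the matrix vhost in the next file section, which has the same construction. Adding a catch-all `server { listen 80 default_server; return 444; }` would keep unknown hosts from hitting either block at all, though where that would live is not visible in this commit.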
@ -1,3 +1,19 @@
|
||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
server_name {{ hostname_matrix }};
|
||||||
|
|
||||||
|
server_tokens off;
|
||||||
|
|
||||||
|
location /.well-known/acme-challenge {
|
||||||
|
default_type "text/plain";
|
||||||
|
alias /acmetool-certs/run/acme-challenge;
|
||||||
|
}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
return 301 https://$http_host$request_uri;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
|
|
|
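Review bot: The new port-80 server block listens only on IPv4 (`listen 80;`), while the existing 443 block directly below it also has `listen [::]:443 ssl http2;`; clients arriving over IPv6 therefore get neither the redirect nor `/.well-known/acme-challenge` on port 80, and ACME validators are generally understood to prefer IPv6 when an AAAA record exists, so renewal could fail for such hosts. Add `listen [::]:80;` next to `listen 80;` here and in the riot vhost in the previous section to match the 443 block. Whether the container actually exposes IPv6 depends on the `-p 80:80` publish in the systemd unit and the Docker daemon's IPv6 settings, which can't be confirmed from this page.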
@ -12,6 +12,7 @@ Type=simple
|
||||||
ExecStartPre=-/usr/bin/docker kill matrix-nginx-proxy
|
ExecStartPre=-/usr/bin/docker kill matrix-nginx-proxy
|
||||||
ExecStartPre=-/usr/bin/docker rm matrix-nginx-proxy
|
ExecStartPre=-/usr/bin/docker rm matrix-nginx-proxy
|
||||||
ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \
|
ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \
|
||||||
|
-p 80:80 \
|
||||||
-p 443:443 \
|
-p 443:443 \
|
||||||
--link matrix-synapse:synapse \
|
--link matrix-synapse:synapse \
|
||||||
--link matrix-riot-web:riot \
|
--link matrix-riot-web:riot \
|
||||||
|
|
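Review bot: The added `-p 80:80` carries no explanation, although the commit message says SSL renewal now depends on this container occupying port 80 (the acmetool cron job counts on its own :80 bind failing and on this proxy serving the challenge files). Someone later trimming the port list would silently break renewal, so document the dependency above `ExecStart=`, e.g. `# Port 80 must stay published: the ACME renewal cronjob relies on this container holding :80 and serving /.well-known/acme-challenge.` Placing the comment before `ExecStart=` rather than between the backslash-continued lines avoids any question of how systemd treats comments inside a continuation. The remaining `docker run` arguments, including any volume mount of the certificate directory, continue past the end of this hunk.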