Add support to matrix-nginx-proxy to work in HTTP-only mode
This commit is contained in:
parent
d0d2d80e56
commit
ca3b158d94
12
CHANGELOG.md
12
CHANGELOG.md
|
@ -1,3 +1,15 @@
|
||||||
|
# 2019-12-06
|
||||||
|
|
||||||
|
## Added support for an alternative method for using another webserver
|
||||||
|
|
||||||
|
We have added support for making `matrix-nginx-proxy` not being so invasive, so that it would be easier to [use your own webserver](docs/configuring-playbook-own-webserver.md).
|
||||||
|
|
||||||
|
The documentation has been updated with a **Method 2**, which might make "own webserver" setup easier in some cases (such as [reverse-proxying using Traefik](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/296)).
|
||||||
|
|
||||||
|
**Existing users** are not affected by this and **don't need to change anything**.
|
||||||
|
The defaults are still the same (`matrix-nginx-proxy` obtaining SSL certificates and doing everything for you automatically).
|
||||||
|
|
||||||
|
|
||||||
# 2019-11-10
|
# 2019-11-10
|
||||||
|
|
||||||
## Tightened security around room directory publishing
|
## Tightened security around room directory publishing
|
||||||
|
|
|
@ -6,8 +6,19 @@ If that's alright, you can skip this.
|
||||||
If you don't want this playbook's nginx webserver to take over your server's 80/443 ports like that,
|
If you don't want this playbook's nginx webserver to take over your server's 80/443 ports like that,
|
||||||
and you'd like to use your own webserver (be it nginx, Apache, Varnish Cache, etc.), you can.
|
and you'd like to use your own webserver (be it nginx, Apache, Varnish Cache, etc.), you can.
|
||||||
|
|
||||||
|
There are **2 ways you can go about it**, if you'd like to use your own webserver:
|
||||||
|
|
||||||
## Preparation
|
- [Method 1: Disabling the integrated nginx reverse-proxy webserver](#method-1-disabling-the-integrated-nginx-reverse-proxy-webserver)
|
||||||
|
|
||||||
|
- [Method 2: Fronting the integrated nginx reverse-proxy webserver with another reverse-proxy](#method-2-fronting-the-integrated-nginx-reverse-proxy-webserver-with-another-reverse-proxy)
|
||||||
|
|
||||||
|
|
||||||
|
## Method 1: Disabling the integrated nginx reverse-proxy webserver
|
||||||
|
|
||||||
|
This method is about completely disabling the integrated nginx reverse-proxy webserver and replicating its behavior using another webserver.
|
||||||
|
For an alternative, make sure to check Method #2 as well.
|
||||||
|
|
||||||
|
### Preparation
|
||||||
|
|
||||||
No matter which external webserver you decide to go with, you'll need to:
|
No matter which external webserver you decide to go with, you'll need to:
|
||||||
|
|
||||||
|
@ -28,7 +39,7 @@ matrix_ssl_retrieval_method: none
|
||||||
**Note**: During [installation](installing.md), unless you've disabled SSL certificate management (`matrix_ssl_retrieval_method: none`), the playbook would need 80 to be available, in order to retrieve SSL certificates. **Please manually stop your other webserver while installing**. You can start it back up afterwards.
|
**Note**: During [installation](installing.md), unless you've disabled SSL certificate management (`matrix_ssl_retrieval_method: none`), the playbook would need 80 to be available, in order to retrieve SSL certificates. **Please manually stop your other webserver while installing**. You can start it back up afterwards.
|
||||||
|
|
||||||
|
|
||||||
## Using your own external nginx webserver
|
### Using your own external nginx webserver
|
||||||
|
|
||||||
Once you've followed the [Preparation](#preparation) guide above, it's time to set up your external nginx server.
|
Once you've followed the [Preparation](#preparation) guide above, it's time to set up your external nginx server.
|
||||||
|
|
||||||
|
@ -45,17 +56,64 @@ matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## Using your own external Apache webserver
|
### Using your own external Apache webserver
|
||||||
|
|
||||||
Once you've followed the [Preparation](#preparation) guide above, you can take a look at the [examples/apache](../examples/apache) directory for a sample configuration.
|
Once you've followed the [Preparation](#preparation) guide above, you can take a look at the [examples/apache](../examples/apache) directory for a sample configuration.
|
||||||
|
|
||||||
## Using your own external caddy webserver
|
### Using your own external caddy webserver
|
||||||
|
|
||||||
After following the [Preparation](#preparation) guide above, you can take a look at the [examples/caddy](../examples/caddy) directory for a sample configuration.
|
After following the [Preparation](#preparation) guide above, you can take a look at the [examples/caddy](../examples/caddy) directory for a sample configuration.
|
||||||
|
|
||||||
## Using your own HAproxy reverse proxy
|
### Using your own HAproxy reverse proxy
|
||||||
After following the [Preparation](#preparation) guide above, you can take a look at the [examples/haproxy](../examples/haproxy) directory for a sample configuration. In this case HAproxy is used as a reverse proxy and a simple Nginx container is used to serve statically `.well-known` files.
|
After following the [Preparation](#preparation) guide above, you can take a look at the [examples/haproxy](../examples/haproxy) directory for a sample configuration. In this case HAproxy is used as a reverse proxy and a simple Nginx container is used to serve statically `.well-known` files.
|
||||||
|
|
||||||
## Using another external webserver
|
### Using another external webserver
|
||||||
|
|
||||||
Feel free to look at the [examples/apache](../examples/apache) directory, or the [template files in the matrix-nginx-proxy role](../roles/matrix-nginx-proxy/templates/conf.d/).
|
Feel free to look at the [examples/apache](../examples/apache) directory, or the [template files in the matrix-nginx-proxy role](../roles/matrix-nginx-proxy/templates/conf.d/).
|
||||||
|
|
||||||
|
|
||||||
|
## Method 2: Fronting the integrated nginx reverse-proxy webserver with another reverse-proxy
|
||||||
|
|
||||||
|
This method is about leaving the integrated nginx reverse-proxy webserver be, but making it not get in the way (using up important ports, trying to retrieve SSL certificates, etc.).
|
||||||
|
|
||||||
|
If you wish to use another webserver, the integrated nginx reverse-proxy webserver usually gets in the way because it attempts to fetch SSL certificates and binds to ports 80, 443 and 8448 (if Matrix Federation is enabled).
|
||||||
|
|
||||||
|
You can disable such behavior and make the integrated nginx reverse-proxy webserver only serve traffic locally (or over a local network).
|
||||||
|
|
||||||
|
You would need some configuration like this:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
# Do not retrieve SSL certificates. This shall be managed by another webserver or other means.
|
||||||
|
matrix_ssl_retrieval_method: none
|
||||||
|
|
||||||
|
# Do not try to serve HTTPS, since we have no SSL certificates.
|
||||||
|
# Disabling this also means services will be served on the HTTP port
|
||||||
|
# (`matrix_nginx_proxy_container_http_host_bind_port`).
|
||||||
|
matrix_nginx_proxy_https_enabled: false
|
||||||
|
|
||||||
|
# Do not listen for HTTP on port 80 globally (default), listen on the loopback interface.
|
||||||
|
# If you'd like, you can make it use the local network as well and reverse-proxy from another local machine.
|
||||||
|
matrix_nginx_proxy_container_http_host_bind_port: '127.0.0.1:81'
|
||||||
|
|
||||||
|
# Likewise, expose the Matrix Federation port on the loopback interface.
|
||||||
|
# Since `matrix_nginx_proxy_https_enabled` is set to `false`, this federation port will serve HTTP traffic.
|
||||||
|
# If you'd like, you can make it use the local network as well and reverse-proxy from another local machine.
|
||||||
|
#
|
||||||
|
# You'd most likely need to expose it publicly on port 8448 (8449 was chosen for the local port to prevent overlap).
|
||||||
|
matrix_nginx_proxy_container_federation_host_bind_port: '127.0.0.1:8449'
|
||||||
|
|
||||||
|
# Coturn relies on SSL certificates that have already been obtained.
|
||||||
|
# Since we don't obtain any certificates (`matrix_ssl_retrieval_method: none` above), it won't work by default.
|
||||||
|
# An alternative is to tweak some of: `matrix_coturn_tls_enabled`, `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path`.
|
||||||
|
matrix_coturn_enabled: false
|
||||||
|
```
|
||||||
|
|
||||||
|
With this, nginx would still be in use, but it would not bother with anything SSL related or with taking up public ports.
|
||||||
|
|
||||||
|
All services would be served locally on `127.0.0.1:81` and `127.0.0.1:8449` (as per the example configuration above).
|
||||||
|
|
||||||
|
You can then set up another reverse-proxy server on ports 80/443/8448 for all of the expected domains and make traffic go to these local ports.
|
||||||
|
The expected domains vary depending on the services you have enabled (`matrix.DOMAIN` for sure; `riot.DOMAIN` and `dimension.DOMAIN` are optional).
|
||||||
|
|
||||||
|
We don't have sample webserver configuration for this use-case yet, but hope to expand on this documentation entry in the future.
|
||||||
|
For [Traefik](https://traefik.io/), you can [see some work in progress examples here](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/296).
|
||||||
|
|
|
@ -25,6 +25,41 @@ matrix_nginx_proxy_container_additional_volumes: []
|
||||||
# A list of extra arguments to pass to the container
|
# A list of extra arguments to pass to the container
|
||||||
matrix_nginx_proxy_container_extra_arguments: []
|
matrix_nginx_proxy_container_extra_arguments: []
|
||||||
|
|
||||||
|
# Controls whether matrix-nginx-proxy serves its vhosts over HTTPS or HTTP.
|
||||||
|
#
|
||||||
|
# If enabled:
|
||||||
|
# - SSL certificates would be expected to be available (see `matrix_ssl_retrieval_method`)
|
||||||
|
# - the HTTP vhost would be made a redirect to the HTTPS vhost
|
||||||
|
#
|
||||||
|
# If not enabled:
|
||||||
|
# - you don't need any SSL certificates (you can set `matrix_ssl_retrieval_method: none`)
|
||||||
|
# - naturally, there's no HTTPS vhost
|
||||||
|
# - services are served directly from the HTTP vhost
|
||||||
|
matrix_nginx_proxy_https_enabled: true
|
||||||
|
|
||||||
|
# Controls whether the matrix-nginx-proxy container exposes its HTTP port (tcp/8080 in the container).
|
||||||
|
#
|
||||||
|
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:80"), or empty string to not expose.
|
||||||
|
matrix_nginx_proxy_container_http_host_bind_port: '80'
|
||||||
|
|
||||||
|
# Controls whether the matrix-nginx-proxy container exposes its HTTPS port (tcp/8443 in the container).
|
||||||
|
#
|
||||||
|
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:443"), or empty string to not expose.
|
||||||
|
#
|
||||||
|
# This only makes sense and applies if `matrix_nginx_proxy_https_enabled` is set to `true`.
|
||||||
|
# Otherwise, there are no HTTPS vhosts to expose.
|
||||||
|
matrix_nginx_proxy_container_https_host_bind_port: '443'
|
||||||
|
|
||||||
|
# Controls whether the matrix-nginx-proxy container exposes the Matrix Federation port (tcp/8448 in the container).
|
||||||
|
#
|
||||||
|
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8448"), or empty string to not expose.
|
||||||
|
#
|
||||||
|
# This only makes sense and applies if `matrix_nginx_proxy_proxy_matrix_federation_api_enabled` is set to `true`.
|
||||||
|
# Otherwise, there is no Matrix Federation port to expose.
|
||||||
|
#
|
||||||
|
# This port can take HTTP or HTTPS traffic, depending on `matrix_nginx_proxy_https_enabled`.
|
||||||
|
# When HTTPS is disabled, you'd likely want to only expose the port locally, and front it with another HTTPS-enabled reverse-proxy.
|
||||||
|
matrix_nginx_proxy_container_federation_host_bind_port: '8448'
|
||||||
|
|
||||||
# Controls whether matrix-nginx-proxy should serve the base domain.
|
# Controls whether matrix-nginx-proxy should serve the base domain.
|
||||||
#
|
#
|
||||||
|
@ -149,6 +184,8 @@ matrix_nginx_proxy_self_check_validate_certificates: true
|
||||||
# The "none" type (`matrix_ssl_retrieval_method: none`), simply means that no certificate retrieval will happen.
|
# The "none" type (`matrix_ssl_retrieval_method: none`), simply means that no certificate retrieval will happen.
|
||||||
# It's useful for when you've disabled the nginx proxy (`matrix_nginx_proxy_enabled: false`)
|
# It's useful for when you've disabled the nginx proxy (`matrix_nginx_proxy_enabled: false`)
|
||||||
# and you'll be using another reverse-proxy server (like Apache) with your own certificates, managed by yourself.
|
# and you'll be using another reverse-proxy server (like Apache) with your own certificates, managed by yourself.
|
||||||
|
# It's also useful if you're using `matrix_nginx_proxy_https_enabled: false` to make this nginx proxy serve
|
||||||
|
# plain HTTP traffic only (usually, on the loopback interface only) and you'd be terminating SSL using another reverse-proxy.
|
||||||
matrix_ssl_retrieval_method: "lets-encrypt"
|
matrix_ssl_retrieval_method: "lets-encrypt"
|
||||||
|
|
||||||
# The list of domains that this role will obtain certificates for.
|
# The list of domains that this role will obtain certificates for.
|
||||||
|
|
|
@ -1,45 +1,9 @@
|
||||||
#jinja2: lstrip_blocks: "True"
|
#jinja2: lstrip_blocks: "True"
|
||||||
server {
|
|
||||||
listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
|
|
||||||
server_name {{ matrix_nginx_proxy_proxy_dimension_hostname }};
|
|
||||||
|
|
||||||
server_tokens off;
|
|
||||||
|
|
||||||
location /.well-known/acme-challenge {
|
|
||||||
{% if matrix_nginx_proxy_enabled %}
|
|
||||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
|
||||||
resolver 127.0.0.11 valid=5s;
|
|
||||||
set $backend "matrix-certbot:8080";
|
|
||||||
proxy_pass http://$backend;
|
|
||||||
{% else %}
|
|
||||||
{# Generic configuration for use outside of our container setup #}
|
|
||||||
proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
|
|
||||||
{% endif %}
|
|
||||||
}
|
|
||||||
|
|
||||||
location / {
|
|
||||||
return 301 https://$http_host$request_uri;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
|
||||||
listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
|
||||||
|
|
||||||
server_name {{ matrix_nginx_proxy_proxy_dimension_hostname }};
|
|
||||||
|
|
||||||
server_tokens off;
|
|
||||||
root /dev/null;
|
|
||||||
|
|
||||||
|
{% macro render_vhost_directives() %}
|
||||||
gzip on;
|
gzip on;
|
||||||
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
|
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
|
||||||
|
|
||||||
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/fullchain.pem;
|
|
||||||
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/privkey.pem;
|
|
||||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
{% if matrix_nginx_proxy_enabled %}
|
{% if matrix_nginx_proxy_enabled %}
|
||||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||||
|
@ -54,4 +18,52 @@ server {
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Forwarded-For $remote_addr;
|
proxy_set_header X-Forwarded-For $remote_addr;
|
||||||
}
|
}
|
||||||
|
{% endmacro %}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
|
||||||
|
server_name {{ matrix_nginx_proxy_proxy_dimension_hostname }};
|
||||||
|
|
||||||
|
server_tokens off;
|
||||||
|
root /dev/null;
|
||||||
|
|
||||||
|
{% if matrix_nginx_proxy_https_enabled %}
|
||||||
|
location /.well-known/acme-challenge {
|
||||||
|
{% if matrix_nginx_proxy_enabled %}
|
||||||
|
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||||
|
resolver 127.0.0.11 valid=5s;
|
||||||
|
set $backend "matrix-certbot:8080";
|
||||||
|
proxy_pass http://$backend;
|
||||||
|
{% else %}
|
||||||
|
{# Generic configuration for use outside of our container setup #}
|
||||||
|
proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
|
||||||
|
{% endif %}
|
||||||
|
}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
return 301 https://$http_host$request_uri;
|
||||||
|
}
|
||||||
|
{% else %}
|
||||||
|
{{ render_vhost_directives() }}
|
||||||
|
{% endif %}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
{% if matrix_nginx_proxy_https_enabled %}
|
||||||
|
server {
|
||||||
|
listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
||||||
|
listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
||||||
|
|
||||||
|
server_name {{ matrix_nginx_proxy_proxy_dimension_hostname }};
|
||||||
|
|
||||||
|
server_tokens off;
|
||||||
|
root /dev/null;
|
||||||
|
|
||||||
|
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/fullchain.pem;
|
||||||
|
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/privkey.pem;
|
||||||
|
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||||
|
ssl_prefer_server_ciphers on;
|
||||||
|
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
||||||
|
|
||||||
|
{{ render_vhost_directives() }}
|
||||||
|
}
|
||||||
|
{% endif %}
|
||||||
|
|
|
@ -1,10 +1,30 @@
|
||||||
#jinja2: lstrip_blocks: "True"
|
#jinja2: lstrip_blocks: "True"
|
||||||
|
|
||||||
|
{% macro render_vhost_directives() %}
|
||||||
|
root /nginx-data/matrix-domain;
|
||||||
|
|
||||||
|
gzip on;
|
||||||
|
gzip_types text/plain application/json;
|
||||||
|
|
||||||
|
location /.well-known/matrix {
|
||||||
|
root {{ matrix_static_files_base_path }};
|
||||||
|
{#
|
||||||
|
A somewhat long expires value is used to prevent outages
|
||||||
|
in case this is unreachable due to network failure.
|
||||||
|
#}
|
||||||
|
expires 4h;
|
||||||
|
default_type application/json;
|
||||||
|
add_header Access-Control-Allow-Origin *;
|
||||||
|
}
|
||||||
|
{% endmacro %}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
|
listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
|
||||||
server_name {{ matrix_nginx_proxy_base_domain_hostname }};
|
|
||||||
|
|
||||||
|
server_name {{ matrix_nginx_proxy_base_domain_hostname }};
|
||||||
server_tokens off;
|
server_tokens off;
|
||||||
|
|
||||||
|
{% if matrix_nginx_proxy_https_enabled %}
|
||||||
location /.well-known/acme-challenge {
|
location /.well-known/acme-challenge {
|
||||||
{% if matrix_nginx_proxy_enabled %}
|
{% if matrix_nginx_proxy_enabled %}
|
||||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||||
|
@ -20,34 +40,23 @@ server {
|
||||||
location / {
|
location / {
|
||||||
return 301 https://$http_host$request_uri;
|
return 301 https://$http_host$request_uri;
|
||||||
}
|
}
|
||||||
|
{% else %}
|
||||||
|
{{ render_vhost_directives() }}
|
||||||
|
{% endif %}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
{% if matrix_nginx_proxy_https_enabled %}
|
||||||
server {
|
server {
|
||||||
listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
||||||
listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
||||||
|
|
||||||
server_name {{ matrix_nginx_proxy_base_domain_hostname }};
|
server_name {{ matrix_nginx_proxy_base_domain_hostname }};
|
||||||
|
|
||||||
server_tokens off;
|
server_tokens off;
|
||||||
root /nginx-data/matrix-domain;
|
|
||||||
|
|
||||||
gzip on;
|
|
||||||
gzip_types text/plain application/json;
|
|
||||||
|
|
||||||
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/fullchain.pem;
|
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/fullchain.pem;
|
||||||
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/privkey.pem;
|
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/privkey.pem;
|
||||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_prefer_server_ciphers on;
|
||||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
||||||
|
|
||||||
location /.well-known/matrix {
|
|
||||||
root {{ matrix_static_files_base_path }};
|
|
||||||
{#
|
|
||||||
A somewhat long expires value is used to prevent outages
|
|
||||||
in case this is unreachable due to network failure.
|
|
||||||
#}
|
|
||||||
expires 4h;
|
|
||||||
default_type application/json;
|
|
||||||
add_header Access-Control-Allow-Origin *;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
{% endif %}
|
||||||
|
|
|
@ -1,45 +1,9 @@
|
||||||
#jinja2: lstrip_blocks: "True"
|
#jinja2: lstrip_blocks: "True"
|
||||||
server {
|
|
||||||
listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
|
|
||||||
server_name {{ matrix_nginx_proxy_proxy_riot_hostname }};
|
|
||||||
|
|
||||||
server_tokens off;
|
|
||||||
|
|
||||||
location /.well-known/acme-challenge {
|
|
||||||
{% if matrix_nginx_proxy_enabled %}
|
|
||||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
|
||||||
resolver 127.0.0.11 valid=5s;
|
|
||||||
set $backend "matrix-certbot:8080";
|
|
||||||
proxy_pass http://$backend;
|
|
||||||
{% else %}
|
|
||||||
{# Generic configuration for use outside of our container setup #}
|
|
||||||
proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
|
|
||||||
{% endif %}
|
|
||||||
}
|
|
||||||
|
|
||||||
location / {
|
|
||||||
return 301 https://$http_host$request_uri;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
|
||||||
listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
|
||||||
|
|
||||||
server_name {{ matrix_nginx_proxy_proxy_riot_hostname }};
|
|
||||||
|
|
||||||
server_tokens off;
|
|
||||||
root /dev/null;
|
|
||||||
|
|
||||||
|
{% macro render_vhost_directives() %}
|
||||||
gzip on;
|
gzip on;
|
||||||
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
|
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
|
||||||
|
|
||||||
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_hostname }}/fullchain.pem;
|
|
||||||
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_hostname }}/privkey.pem;
|
|
||||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
{% if matrix_nginx_proxy_enabled %}
|
{% if matrix_nginx_proxy_enabled %}
|
||||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||||
|
@ -54,4 +18,53 @@ server {
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Forwarded-For $remote_addr;
|
proxy_set_header X-Forwarded-For $remote_addr;
|
||||||
}
|
}
|
||||||
|
{% endmacro %}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
|
||||||
|
|
||||||
|
server_name {{ matrix_nginx_proxy_proxy_riot_hostname }};
|
||||||
|
|
||||||
|
server_tokens off;
|
||||||
|
root /dev/null;
|
||||||
|
|
||||||
|
{% if matrix_nginx_proxy_https_enabled %}
|
||||||
|
location /.well-known/acme-challenge {
|
||||||
|
{% if matrix_nginx_proxy_enabled %}
|
||||||
|
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||||
|
resolver 127.0.0.11 valid=5s;
|
||||||
|
set $backend "matrix-certbot:8080";
|
||||||
|
proxy_pass http://$backend;
|
||||||
|
{% else %}
|
||||||
|
{# Generic configuration for use outside of our container setup #}
|
||||||
|
proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
|
||||||
|
{% endif %}
|
||||||
|
}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
return 301 https://$http_host$request_uri;
|
||||||
|
}
|
||||||
|
{% else %}
|
||||||
|
{{ render_vhost_directives() }}
|
||||||
|
{% endif %}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
{% if matrix_nginx_proxy_https_enabled %}
|
||||||
|
server {
|
||||||
|
listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
||||||
|
listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
||||||
|
|
||||||
|
server_name {{ matrix_nginx_proxy_proxy_riot_hostname }};
|
||||||
|
|
||||||
|
server_tokens off;
|
||||||
|
root /dev/null;
|
||||||
|
|
||||||
|
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_hostname }}/fullchain.pem;
|
||||||
|
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_hostname }}/privkey.pem;
|
||||||
|
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||||
|
ssl_prefer_server_ciphers on;
|
||||||
|
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
||||||
|
|
||||||
|
{{ render_vhost_directives() }}
|
||||||
|
}
|
||||||
|
{% endif %}
|
||||||
|
|
|
@ -12,51 +12,11 @@
|
||||||
}
|
}
|
||||||
{% endmacro %}
|
{% endmacro %}
|
||||||
|
|
||||||
server {
|
|
||||||
listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
|
|
||||||
server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};
|
|
||||||
|
|
||||||
server_tokens off;
|
|
||||||
|
|
||||||
location /.well-known/acme-challenge {
|
|
||||||
{% if matrix_nginx_proxy_enabled %}
|
|
||||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
|
||||||
resolver 127.0.0.11 valid=5s;
|
|
||||||
set $backend "matrix-certbot:8080";
|
|
||||||
proxy_pass http://$backend;
|
|
||||||
{% else %}
|
|
||||||
{# Generic configuration for use outside of our container setup #}
|
|
||||||
proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
|
|
||||||
{% endif %}
|
|
||||||
}
|
|
||||||
|
|
||||||
{% if matrix_nginx_proxy_proxy_matrix_nginx_status_enabled %}
|
|
||||||
{{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }}
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
location / {
|
|
||||||
return 301 https://$http_host$request_uri;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
|
||||||
listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
|
||||||
|
|
||||||
server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};
|
|
||||||
|
|
||||||
server_tokens off;
|
|
||||||
root /dev/null;
|
|
||||||
|
|
||||||
|
{% macro render_vhost_directives() %}
|
||||||
gzip on;
|
gzip on;
|
||||||
gzip_types text/plain application/json;
|
gzip_types text/plain application/json;
|
||||||
|
|
||||||
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem;
|
|
||||||
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem;
|
|
||||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
|
||||||
|
|
||||||
location /.well-known/matrix {
|
location /.well-known/matrix {
|
||||||
root {{ matrix_static_files_base_path }};
|
root {{ matrix_static_files_base_path }};
|
||||||
{#
|
{#
|
||||||
|
@ -212,26 +172,88 @@ server {
|
||||||
location / {
|
location / {
|
||||||
rewrite ^/$ /_matrix/static/ last;
|
rewrite ^/$ /_matrix/static/ last;
|
||||||
}
|
}
|
||||||
|
{% endmacro %}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
|
||||||
|
server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};
|
||||||
|
|
||||||
|
server_tokens off;
|
||||||
|
root /dev/null;
|
||||||
|
|
||||||
|
{% if matrix_nginx_proxy_https_enabled %}
|
||||||
|
location /.well-known/acme-challenge {
|
||||||
|
{% if matrix_nginx_proxy_enabled %}
|
||||||
|
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||||
|
resolver 127.0.0.11 valid=5s;
|
||||||
|
set $backend "matrix-certbot:8080";
|
||||||
|
proxy_pass http://$backend;
|
||||||
|
{% else %}
|
||||||
|
{# Generic configuration for use outside of our container setup #}
|
||||||
|
proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
|
||||||
|
{% endif %}
|
||||||
|
}
|
||||||
|
|
||||||
|
{% if matrix_nginx_proxy_proxy_matrix_nginx_status_enabled %}
|
||||||
|
{{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
return 301 https://$http_host$request_uri;
|
||||||
|
}
|
||||||
|
{% else %}
|
||||||
|
{{ render_vhost_directives() }}
|
||||||
|
{% endif %}
|
||||||
}
|
}
|
||||||
|
|
||||||
{% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled %}
|
{% if matrix_nginx_proxy_https_enabled %}
|
||||||
server {
|
server {
|
||||||
listen 8448 ssl http2;
|
listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
||||||
listen [::]:8448 ssl http2;
|
listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
||||||
|
|
||||||
server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};
|
server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};
|
||||||
|
|
||||||
server_tokens off;
|
server_tokens off;
|
||||||
root /dev/null;
|
root /dev/null;
|
||||||
|
|
||||||
|
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem;
|
||||||
|
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem;
|
||||||
|
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||||
|
ssl_prefer_server_ciphers on;
|
||||||
|
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
||||||
|
|
||||||
|
{{ render_vhost_directives() }}
|
||||||
|
}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
{% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled %}
|
||||||
|
{#
|
||||||
|
This federation vhost is a little special.
|
||||||
|
It serves federation over HTTP or HTTPS, depending on `matrix_nginx_proxy_https_enabled`.
|
||||||
|
#}
|
||||||
|
server {
|
||||||
|
{% if matrix_nginx_proxy_https_enabled %}
|
||||||
|
listen 8448 ssl http2;
|
||||||
|
listen [::]:8448 ssl http2;
|
||||||
|
{% else %}
|
||||||
|
listen 8448;
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};
|
||||||
|
server_tokens off;
|
||||||
|
|
||||||
|
root /dev/null;
|
||||||
|
|
||||||
gzip on;
|
gzip on;
|
||||||
gzip_types text/plain application/json;
|
gzip_types text/plain application/json;
|
||||||
|
|
||||||
|
{% if matrix_nginx_proxy_https_enabled %}
|
||||||
ssl_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate }};
|
ssl_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate }};
|
||||||
ssl_certificate_key {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key }};
|
ssl_certificate_key {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key }};
|
||||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_prefer_server_ciphers on;
|
||||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
{% if matrix_nginx_proxy_enabled %}
|
{% if matrix_nginx_proxy_enabled %}
|
||||||
|
|
|
@ -21,10 +21,14 @@ ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \
|
||||||
--read-only \
|
--read-only \
|
||||||
--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_nginx_proxy_tmp_directory_size_mb }}m \
|
--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_nginx_proxy_tmp_directory_size_mb }}m \
|
||||||
--network={{ matrix_docker_network }} \
|
--network={{ matrix_docker_network }} \
|
||||||
-p 80:8080 \
|
{% if matrix_nginx_proxy_container_http_host_bind_port %}
|
||||||
-p 443:8443 \
|
-p {{ matrix_nginx_proxy_container_http_host_bind_port }}:8080 \
|
||||||
{% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled %}
|
{% endif %}
|
||||||
-p 8448:8448 \
|
{% if matrix_nginx_proxy_https_enabled and matrix_nginx_proxy_container_https_host_bind_port %}
|
||||||
|
-p {{ matrix_nginx_proxy_container_https_host_bind_port }}:8443 \
|
||||||
|
{% endif %}
|
||||||
|
{% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled and matrix_nginx_proxy_container_federation_host_bind_port %}
|
||||||
|
-p {{ matrix_nginx_proxy_container_federation_host_bind_port }}:8448 \
|
||||||
{% endif %}
|
{% endif %}
|
||||||
-v {{ matrix_nginx_proxy_base_path }}/nginx.conf:/etc/nginx/nginx.conf:ro \
|
-v {{ matrix_nginx_proxy_base_path }}/nginx.conf:/etc/nginx/nginx.conf:ro \
|
||||||
-v {{ matrix_nginx_proxy_data_path }}:/nginx-data:ro \
|
-v {{ matrix_nginx_proxy_data_path }}:/nginx-data:ro \
|
||||||
|
|
Loading…
Reference in a new issue