From 265dc2949d411a868b65955dd3702ea1c2861ab3 Mon Sep 17 00:00:00 2001 From: jreichmann Date: Tue, 16 Apr 2019 19:36:03 +0200 Subject: [PATCH 1/4] Added example Caddyfiles for the containers --- examples/caddy/Caddyfile | 46 +++++++++++++++++++++++++++++++++ examples/caddy/matrix-dimension | 7 +++++ examples/caddy/matrix-riot-web | 7 +++++ examples/caddy/matrix-synapse | 26 +++++++++++++++++++ examples/caddy/matrix-util | 7 +++++ 5 files changed, 93 insertions(+) create mode 100755 examples/caddy/Caddyfile create mode 100644 examples/caddy/matrix-dimension create mode 100644 examples/caddy/matrix-riot-web create mode 100644 examples/caddy/matrix-synapse create mode 100644 examples/caddy/matrix-util diff --git a/examples/caddy/Caddyfile b/examples/caddy/Caddyfile new file mode 100755 index 00000000..3a2e247b --- /dev/null +++ b/examples/caddy/Caddyfile @@ -0,0 +1,46 @@ +https://matrix.finallycoffee.eu { + tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem + root /matrix_static + header / { + Access-Control-Allow-Origin * + Strict-Transport-Security "max-age=31536000;" + X-Frame-Options "DENY" + X-XSS-Protection "1; mode=block" + } + proxy /_matrix/identity matrix-mxisd:8090 { + transparent + } + proxy /_matrix matrix-synapse:8008 { + transparent + } +} + +https://dimension.matrix.finallycoffee.eu { + tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem + header / { + Access-Control-Allow-Origin * + } + proxy / http://matrix-dimension:8184 { + transparent + header_upstream X-Forwarded-For {remote} + header_upstream Host {host} + websocket + } +} + +https://chat.finallycoffee.eu { + tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem + proxy / matrix-riot-web:8080 { + transparent + } +} + +# Federation listens on all IPs because older Synapse versions do not support SNI +https://:8448 { + tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem + proxy /_matrix matrix-synapse:8048 { + transparent + } +} + + diff --git a/examples/caddy/matrix-dimension b/examples/caddy/matrix-dimension new file mode 100644 index 00000000..6defb0d2 --- /dev/null +++ b/examples/caddy/matrix-dimension @@ -0,0 +1,7 @@ +https://dimension.DOMAIN { + tls /matrix/ssl/config/live/dimension.DOMAIN/fullchain.pem /matrix/ssl/config/live/dimension.DOMAIN/privkey.pem + + proxy / http://127.0.0.1:8134/ { + transparent + } +} diff --git a/examples/caddy/matrix-riot-web b/examples/caddy/matrix-riot-web new file mode 100644 index 00000000..28df6cd2 --- /dev/null +++ b/examples/caddy/matrix-riot-web @@ -0,0 +1,7 @@ +https://riot.DOMAIN { + tls /matrix/ssl/config/live/riot.DOMAIN/fullchain.pem /matrix/ssl/config/live/riot.DOMAIN/privkey.pem + + proxy / http://127.0.0.1:8765 { + transparent + } +} diff --git a/examples/caddy/matrix-synapse b/examples/caddy/matrix-synapse new file mode 100644 index 00000000..800d7f7b --- /dev/null +++ b/examples/caddy/matrix-synapse @@ -0,0 +1,26 @@ +https://matrix.DOMAIN { + tls /matrix/ssl/config/live/matrix.DOMAIN/fullchain.pem /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem + + root /matrix/static-files + + header { + Access-Control-Allow-Origin * + Strict-Transport-Security "mag=age=31536000;" + X-Frame-Options "DENY" + X-XSS-Protection "1; mode=block" + } + + proxy /_matrix/identity matrix-msisd:8090 { + transparent + } + + proxy /_matrix/client/r0/user_directory/search matrix-msisd:8090 { + transparent + } + + proxy / matrix-synapse:8008 { + transparent + without /.well-known/ /_matrix/identity/ /_matrix/client/r0/user_directory/search + } + +} diff --git a/examples/caddy/matrix-util b/examples/caddy/matrix-util new file mode 100644 index 00000000..191f7758 --- /dev/null +++ b/examples/caddy/matrix-util @@ -0,0 +1,7 @@ +:80 { + # Redirect ACME-Challenge traffic to port 2402 + proxy /.well-known/acme-challenge http://127.0.0.1:2402 + + # Redirect all other traffic to HTTPS + redir / https://{host}{uri} 301 +} From 6d49fdea215d319c44282edfa155e8e8af1e8812 Mon Sep 17 00:00:00 2001 From: jreichmann Date: Tue, 16 Apr 2019 19:38:43 +0200 Subject: [PATCH 2/4] Remove single all-host config file (used as source for examples) --- examples/caddy/Caddyfile | 46 ---------------------------------------- 1 file changed, 46 deletions(-) delete mode 100755 examples/caddy/Caddyfile diff --git a/examples/caddy/Caddyfile b/examples/caddy/Caddyfile deleted file mode 100755 index 3a2e247b..00000000 --- a/examples/caddy/Caddyfile +++ /dev/null @@ -1,46 +0,0 @@ -https://matrix.finallycoffee.eu { - tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem - root /matrix_static - header / { - Access-Control-Allow-Origin * - Strict-Transport-Security "max-age=31536000;" - X-Frame-Options "DENY" - X-XSS-Protection "1; mode=block" - } - proxy /_matrix/identity matrix-mxisd:8090 { - transparent - } - proxy /_matrix matrix-synapse:8008 { - transparent - } -} - -https://dimension.matrix.finallycoffee.eu { - tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem - header / { - Access-Control-Allow-Origin * - } - proxy / http://matrix-dimension:8184 { - transparent - header_upstream X-Forwarded-For {remote} - header_upstream Host {host} - websocket - } -} - -https://chat.finallycoffee.eu { - tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem - proxy / matrix-riot-web:8080 { - transparent - } -} - -# Federation listens on all IPs because older Synapse versions do not support SNI -https://:8448 { - tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem - proxy /_matrix matrix-synapse:8048 { - transparent - } -} - - From 084be8a1948efc17954502bfc14000c1cb466c4c Mon Sep 17 00:00:00 2001 From: jreichmann Date: Tue, 16 Apr 2019 19:41:38 +0200 Subject: [PATCH 3/4] Added comments noting that the TLS Certs might differ when using own certs --- examples/caddy/matrix-riot-web | 1 + examples/caddy/matrix-synapse | 4 +++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/examples/caddy/matrix-riot-web b/examples/caddy/matrix-riot-web index 28df6cd2..8c195725 100644 --- a/examples/caddy/matrix-riot-web +++ b/examples/caddy/matrix-riot-web @@ -1,4 +1,5 @@ https://riot.DOMAIN { + # These might differ if you are supplying your own certificates tls /matrix/ssl/config/live/riot.DOMAIN/fullchain.pem /matrix/ssl/config/live/riot.DOMAIN/privkey.pem proxy / http://127.0.0.1:8765 { diff --git a/examples/caddy/matrix-synapse b/examples/caddy/matrix-synapse index 800d7f7b..8cb9805a 100644 --- a/examples/caddy/matrix-synapse +++ b/examples/caddy/matrix-synapse @@ -1,4 +1,5 @@ https://matrix.DOMAIN { + # If you use your own certificates, your path may differ tls /matrix/ssl/config/live/matrix.DOMAIN/fullchain.pem /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem root /matrix/static-files @@ -10,14 +11,15 @@ https://matrix.DOMAIN { X-XSS-Protection "1; mode=block" } + # Identity server traffic proxy /_matrix/identity matrix-msisd:8090 { transparent } - proxy /_matrix/client/r0/user_directory/search matrix-msisd:8090 { transparent } + # Synapse Client<>Server API proxy / matrix-synapse:8008 { transparent without /.well-known/ /_matrix/identity/ /_matrix/client/r0/user_directory/search From aba8327991c7ff3e284d90d9318d7590c31ce68d Mon Sep 17 00:00:00 2001 From: jreichmann Date: Tue, 16 Apr 2019 19:46:17 +0200 Subject: [PATCH 4/4] Give a hint to look into the examples if using caddy --- docs/configuring-playbook-own-webserver.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 448f5d03..1f4ff863 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -49,6 +49,9 @@ matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2" Once you've followed the [Preparation](#preparation) guide above, you can take a look at the [examples/apache](../examples/apache) directory for a sample configuration. +## Using your own external caddy webserver + +After following the [Preparation](#preparation) guide above, you can take a look at the [examples/caddy](../examples/caddy) directory for a sample configuration. ## Using another external webserver