Commit graph

103 commits

Author SHA1 Message Date
Agustin Ferrario 2082242499 Add matrix_nginx_proxy_ssl_config
A new variable called `matrix_nginx_proxy_ssl_config` is created for
configuring how the nginx proxy configures SSL. Also a new configuration
validation option and other auxiliary variables are created.

A new variable configuration called `matrix_nginx_proxy_ssl_config` is
created. This allow to set the SSL configuration easily using the
default options proposed by Mozilla. The default configuration is set to
"Intermediate", removing the weak ciphers used in the old
configurations.

The new variable can also be set to "Custom" for a more granular control.
This allows to set another three variables called:

- `matrix_nginx_proxy_ssl_protocols`,
- `matrix_nginx_proxy_ssl_prefer_server_ciphers`
- `matrix_nginx_proxy_ssl_ciphers`

Also a new task is added to validate the SSL configuration variable.
2020-12-16 10:35:37 +01:00
Marcel Partap 851c25c47f matrix-synapse nginx template: fix invalid jinja comment syntax 2020-12-01 21:55:07 +01:00
Marcel Partap b73ac965ac Merge remote-tracking branch 'origin/master' into synapse-workers 2020-12-01 21:24:26 +01:00
Slavi Pantaleev b354155d7c Make JVB websockets reverse-proxying work 2020-11-27 17:57:15 +02:00
Marcel Partap 4678c5d7bd Merge remote-tracking branch 'origin/master' into synapse-workers
Also, replace vague FIXME by a proper NOTE on the complete
story of the user_dir endpoints..
2020-11-11 21:26:08 +01:00
Marcel Partap b05d298ae4 synapse workers nginx rule: add client_max_body_size on media endpoints
so transfer limits are properly set in accord to the relevant setting
https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/456#issuecomment-719996778
2020-11-10 21:43:33 +01:00
Marcel Partap e5072c20d9 synapse workers/nginx: handle media_repository worker endpoints on federation port
to prevent "404 on the federation port for the path `/_matrix/media`,
if a remote server is trying to get the media object on federation
port, see https://github.com/matrix-org/synapse/issues/8695 "

https://github.com/matrix-org/synapse/pull/8701
2020-11-10 20:35:39 +01:00
Slavi Pantaleev 9a46647010 Make https://matrix.DOMAIN/ redirect to https://element.DOMAIN/
Fixes #696 (Github Issue)
2020-10-28 10:39:12 +02:00
Slavi Pantaleev ef07aa8e5d Prevent certain nginx location blocks from being ignored
The regex introduced in 63a49bb2dc seems to take precedence
over the bare location blocks, causing a regression.

> It is important to understand that, by default, Nginx will serve regular expression matches in preference to prefix matches.
> However, it evaluates prefix locations first, allowing for the administer to override this tendency by specifying locations using the = and ^~ modifiers.

Source: https://www.digitalocean.com/community/tutorials/understanding-nginx-server-and-location-block-selection-algorithms
2020-10-28 09:38:04 +02:00
Marcel Partap 2d1b9f2dbf synapse workers: reworkings + get endpoints from upstream docs via awk
(yes, a bit awkward and brittle… xD)
2020-10-28 07:13:19 +01:00
Slavi Pantaleev 63a49bb2dc Do not expose /_synapse/admin publicly by default
Fixes #685 (Github Issue).
2020-10-26 10:36:38 +02:00
Max Klenk 06bc430c7c
refactor to use new workers and routes they serve 2020-08-28 13:53:39 +02:00
Max Klenk 59d1fb76b6
only apply worker redirects if workers are enabled 2020-08-27 15:25:32 +02:00
Max Klenk 567d0318b0
Merge branch 'synapse-workers' into feature/add-worker-support 2020-08-27 15:22:12 +02:00
Justin Croonenberghs 31e2a1f06b
Undo ill-advised change
In #628 I proposed a CORS change that turns out not to be the root of the issue. Caffeine-addled diagnosis leads to sloppy thinking, and this change should be reverted. In fact, if left it will cause problems for new installations.
2020-08-09 14:20:37 -05:00
Justin Croonenberghs c5d18733d2
Update CORS for ma1sd
Even with the v2 updates listed in #503 and partially addressed in #614, this is still needed to enable identity services to function with Element Desktop/Web. Testing on multiple clients with a clean config has confirmed this, at least for my installation.
2020-08-08 23:19:07 -05:00
Slavi Pantaleev 54195b22c7 Allow framing Jitsi
Hopefully fixes a regression caused by b106a9592e.

Related to #597 (Github Pull Request).
2020-08-04 16:08:11 +03:00
Slavi Pantaleev 3f8e5b4363 Allow framing Dimension
Fix regression since 2a50b8b6bb (#597).

Dimension is intended to be embedded in various clients,
be it the Element service that we host (at element.DOMAIN),
some other Element (element-desktop running locally), etc.
2020-07-25 07:08:32 +03:00
TwoTwenty b106a9592e
Update matrix-jitsi.conf.j2 2020-07-22 10:39:24 -07:00
TwoTwenty c97e7c5a3e
Update matrix-dimension.conf.j2 2020-07-22 10:39:07 -07:00
TwoTwenty 18ba885ca2
Update matrix-client-element.conf.j2 2020-07-22 10:38:50 -07:00
Slavi Pantaleev c6ab1c6a90 Riot is now Element
Fixes #586 (Github Issue)
2020-07-17 11:31:20 +03:00
Slavi Pantaleev 65e5020596 Proxy other /_synapse endpoints to the client API
Besides /_synapse/admin, there are other things like
/_synapse/oidc, etc.

We should just proxy everything.

Fixes #534 (Github Issue).
2020-06-09 08:12:58 +03:00
Marcel Partap 46984a4f99 Nginx conf: more testing less b0rk 2020-04-19 21:42:34 +02:00
Christoph Johannes Kleine 765c046beb
add missing ; to matrix-synapse.conf.j2 2020-04-19 19:50:42 +02:00
Marcel Partap e4763c21bc nginx config: route traffic to workers on matrix-synapse
FIXME: horrid duplication in template file
2020-04-19 19:05:03 +02:00
Marcel Partap a14b9c09ad Add to synapse nginx template conditional URL rewrites for workers
· 😅 How to keep this in sync with the matrix-synapse documentation?
· regex location matching is expensive
· nginx syntax limit: one location only per block / statement
· thus, lots of duplicate statements in this file
2020-04-19 19:05:03 +02:00
Slavi Pantaleev 0f39cb9987 Fix incorrect server_name for Jitsi
Fixes #417 (Github Issue)
2020-03-24 17:57:39 +02:00
Slavi Pantaleev cdd9ee1962 Add Jitsi support 2020-03-23 17:19:15 +02:00
Daniel Hoffend b280b05c25 matrix-nginx-proxy: adding additional configuration blocks 2020-02-10 23:42:41 +01:00
Yuri Moens 0866f98957 Render vhost directives in https server block 2019-12-08 00:58:32 +01:00
Slavi Pantaleev ca3b158d94 Add support to matrix-nginx-proxy to work in HTTP-only mode 2019-12-06 11:53:15 +02:00
Slavi Pantaleev 3e57a1463a Serve nginx status page over HTTPS as well
Continuation of #234 (Github Pull Request).

I had unintentionally updated the documentation for the feature,
saying the page is available at `https://matrix.DOMAIN/nginx_status`.

Looks like it wasn't the case, going against my expectations.

I'm correcting this with this patch.
The status page is being made available on both HTTP and HTTPS.
Serving over HTTP is likely necessary for services like
Longview
(https://www.linode.com/docs/platform/longview/longview-app-for-nginx/)
2019-08-07 12:53:53 +03:00
p5t2vspoqqw 4b8190dc3f serve status page for matrix.DOMAIN only 2019-08-07 10:54:14 +02:00
p5t2vspoqqw 4b657b3822 Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2019-06-03 10:13:25 +02:00
Slavi Pantaleev 7d8dde8a53 Add support for proxying /_synapse/admin APIs
Fixes #191 (Github Issue).
2019-05-29 08:32:24 +03:00
p5t2vspoqqw 4315b472af Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy 2019-05-09 09:34:09 +02:00
Dan Arnfield 171c6db41e Add option to proxy 3pid registration endpoints 2019-05-08 13:49:51 -05:00
Hugues De Keyzer c451025134 Fix indentation in templates
Use Jinja2 lstrip_blocks option in templates to ensure consistent
indentation in generated files.
2019-05-07 21:23:35 +02:00
p5t2vspoqqw 7ee6927ca9 add suggested change; correct indent 2019-04-23 09:44:02 +02:00
p5t2vspoqqw deeefac84c add ngnix-status to config
add doc
2019-04-17 13:45:42 +02:00
Slavi Pantaleev c545d3eb85 Add support for serving base domain via matrix-nginx-proxy 2019-03-12 23:01:16 +02:00
Slavi Pantaleev e645b0e372 Rename matrix_nginx_proxy_data_path to matrix_nginx_proxy_base_path
`matrix_nginx_proxy_data_path` has always served as a base path,
so we're renaming it to reflect that.

Along with this, we're also introducing a new "data path" variable
(`matrix_nginx_proxy_data_path`), which is really a data path this time.
It's used for storing additional, non-configuration, files related to
matrix-nginx-proxy.
2019-03-12 23:01:16 +02:00
Slavi Pantaleev 6c5cc173b0 Fix permission mode for some files 2019-03-09 21:15:16 +02:00
Edgars Voroboks 9735a2f600 Implement self-hosted Dimension server 2019-03-07 07:22:08 +02:00
Slavi Pantaleev 119016e858 Cache /.well-known/matrix files for longer 2019-02-05 13:06:17 +02:00
Slavi Pantaleev 74710427e5 Allow for the federation port (tcp/8448)'s certificate to be changed
If someone decides to not use `/.well-known/matrix/server` and only
relies on SRV records, then they would need to serve tcp/8448 using
a certificate for the base domain (not for the matrix) domain.

Until now, they could do that by giving the certificate to Synapse
and setting it terminate TLS. That makes swapping certificates
more annoying (Synapse requires a restart to re-read certificates),
so it's better if we can support it via matrix-nginx-proxy.

Mounting certificates (or any other file) into the matrix-nginx-proxy container
can be done with `matrix_nginx_proxy_container_additional_volumes`,
introduced in 96afbbb5a.
2019-02-05 12:09:46 +02:00
Slavi Pantaleev f6ebd4ce62 Initial work on Synapse 0.99/1.0 preparation 2019-02-05 12:09:46 +02:00
Aaron Raimist 1f0cc92b33
Use IPv4 localhost everywhere (or almost everywhere) 2019-02-04 09:49:45 -06:00
Aaron Raimist 58ca2e7dfd
Turn off IPv6 when using your own Nginx server
Docker apparently doesn't like IPv6.
2019-02-04 09:03:43 -06:00
dhose 87e3deebfd Enable exposure of Prometheus metrics. 2019-02-01 20:02:11 +01:00
Slavi Pantaleev 0be7b25c64 Make (most) containers run with a read-only filesystem 2019-01-29 18:52:02 +02:00
Slavi Pantaleev 299a8c4c7c Make (most) containers start as non-root
This makes all containers (except mautrix-telegram and
mautrix-whatsapp), start as a non-root user.

We do this, because we don't trust some of the images.
In any case, we'd rather not trust ALL images and avoid giving
`root` access at all. We can't be sure they would drop privileges
or what they might do before they do it.

Because Postfix doesn't support running as non-root,
it had to be replaced by an Exim mail server.

The matrix-nginx-proxy nginx container image is patched up
(by replacing its main configuration) so that it can work as non-root.
It seems like there's no other good image that we can use and that is up-to-date
(https://hub.docker.com/r/nginxinc/nginx-unprivileged is outdated).

Likewise for riot-web (https://hub.docker.com/r/bubuntux/riot-web/),
we patch it up ourselves when starting (replacing the main nginx
configuration).
Ideally, it would be fixed upstream so we can simplify.
2019-01-27 20:25:13 +02:00