GoliathLabs
33851f1dfa
Updated: nginx to 1.21.6-alpine
2022-02-05 10:58:09 +01:00
Wm Salt Hale
3aa8c1f62c
only enable openssl if necessary
2022-01-19 21:58:39 -08:00
GoliathLabs
b608c3d342
Updated: worker_processes to auto
2022-01-17 10:55:36 +01:00
GoliathLabs
8a66db850e
Updated: Certbot to v1.22.0
2022-01-17 10:53:15 +01:00
Slavi Pantaleev
29bc22a085
Add matrix_nginx_proxy_container_additional_networks
...
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1498
2022-01-10 11:51:57 +02:00
Slavi Pantaleev
27a4871aea
Fix variable name typo
2022-01-09 12:14:23 +02:00
Slavi Pantaleev
3b9d5b13e9
Add support for not serving Dendrite federation APIs on the client port
...
Seems like Dendrite encourages serving both the Client and Federation
API at the same port.
Coming from Synapse and how things are done there, we have separate
ports. Using separate ports probably makes matrix-corporal (etc.)
integration easier, so separating the APIs by default probably makes
sense.
2022-01-07 15:59:35 +02:00
Slavi Pantaleev
ecc237bbad
Initial work on getting nginx reverse proxying working with Dendrite
2022-01-07 15:59:35 +02:00
rakshazi
5788a16a2e
added matrix-client-cinny
2022-01-05 18:33:21 +02:00
Slavi Pantaleev
b1b4ba501f
Replace ExecStop with ExecStopPost
...
ExecStopPost should allow us to clean up (docker kill + docker rm)
even if the ExecStart (docker run ..) command failed, and not just after
a graceful service stop was initiated.
Source: https://www.freedesktop.org/software/systemd/man/systemd.service.html#ExecStopPost=
2022-01-04 17:27:25 +02:00
Slavi Pantaleev
8515ac55e6
Upgrade nginx (1.21.4 -> 1.21.5)
2022-01-04 17:04:01 +02:00
Slavi Pantaleev
948c411106
Remove sudo requirement for generating SSL certificates
...
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1492
2021-12-30 10:47:06 +02:00
Slavi Pantaleev
afd7f03bb5
Minor comment changes
2021-12-17 17:30:40 +02:00
Slavi Pantaleev
fa704f104b
Add support for using custom ACME CA servers (other than Let's Encrypt)
...
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1468
2021-12-17 17:30:21 +02:00
Slavi Pantaleev
3a9fe48deb
Make matrix-nginx-proxy's X-Forwarded-For header customizable
...
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1393
2021-11-24 11:32:06 +02:00
Slavi Pantaleev
3b27ce2ff6
Merge pull request #1404 from aaronraimist/v3
...
Allow workers to serve new v3 APIs
2021-11-19 10:54:47 +02:00
Aaron Raimist
f8fe68b385
Allow workers to serve new v3 APIs
...
1f196f59cb
2021-11-17 14:54:49 +00:00
Slavi Pantaleev
b4fb819481
Merge pull request #1403 from borisrunakov/rename-matrix-ma1sd-default-port
...
remove default from variable name
2021-11-17 10:35:54 +02:00
boris runakov
394ecb0acc
remove default from variable name
2021-11-16 21:14:28 +02:00
boris runakov
d3a9ec98de
refactoring
2021-11-16 21:03:21 +02:00
boris runakov
1ec67f49b0
replaced 8008 where possible
2021-11-15 22:43:05 +02:00
Slavi Pantaleev
994c0e504c
Ensure some matrix-nginx-proxy variables are defined
...
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1397
2021-11-15 14:46:44 +02:00
b
07496069c8
relocating variables for consistency
2021-11-15 12:07:54 +02:00
b
7756cc4c8e
replace port 8048 with matrix_synapse_container_default_federation_port
2021-11-14 20:30:13 +02:00
JokerGermany
c0656448f7
Port 80 for IPv6
2021-11-13 01:18:22 +01:00
sakkiii
cd26af2f6f
Certbot Update (v1.20.0 -> v1.21.0)
2021-11-10 22:58:45 +05:30
sakkiii
7a4f49c457
Nginx Minio Update (1.21.3 -> 1.21.4)
2021-11-10 22:52:23 +05:30
Slavi Pantaleev
735c966ab6
Disable systemd services when stopping to uninstall them
...
Until now, we were leaving services "enabled"
(symlinks in /etc/systemd/system/multi-user.target.wants/).
We clean these up now. Broken symlinks may still exist in older
installations that enabled/disabled services. We're not taking care
to fix these up. It's just a cosmetic defect anyway.
2021-11-10 17:39:21 +02:00
b
6eaa8ac65a
add server_name to matrix-synapsel.conf only if matrix_nginx_proxy_enabled
2021-11-05 15:31:10 +02:00
b
dcda17595a
change port 8090 to matrix_ma1sd_default_port
2021-10-31 21:06:22 +02:00
Slavi Pantaleev
06bcdcf9d2
Merge pull request #1311 from HarHarLinks/master
...
add auto proxy synapse worker metrics
2021-10-25 09:21:11 +03:00
Kim Brose
5f6bbafa17
fix space before tab in indent
2021-10-24 16:00:42 +02:00
HarHarLinks
7b33fc8e19
fixup! auto-generate prometheus.yml for workers metrics
2021-10-20 13:30:38 +02:00
HarHarLinks
ce41674e61
auto-generate prometheus.yml for workers metrics
2021-10-20 12:51:00 +02:00
HarHarLinks
4209c4208c
add own variable for worker metrics
...
https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1311#issuecomment-945718866
2021-10-20 12:51:00 +02:00
Slavi Pantaleev
2bf052369d
Upgrade certbot (v1.19.0 -> v1.20.0)
2021-10-06 15:14:38 +03:00
Kim Brose
1ba7760ea4
add how to generate htpasswd
...
for matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key
resolves #1308
2021-10-04 22:18:05 +02:00
HarHarLinks
d9fa2f7ed4
add auto proxy synapse worker metrics
...
when matrix_nginx_proxy_proxy_synapse_metrics is enabled
2021-10-04 21:44:50 +02:00
Slavi Pantaleev
31396f0615
Merge pull request #1295 from nogweii/feat-support-upstream-https-forwarded
...
Support trusting the upstream server when it says the protocol is HTTPS
2021-09-26 09:54:15 +03:00
Aaron Raimist
a676b5358c
Fix hydrogen OCSP typo
...
From 6f80292745
2021-09-24 20:09:06 -05:00
Colin Shea
2578ca4cee
rename matrix_nginx_proxy_x_forwarded_header_value -> matrix_nginx_proxy_x_forwarded_proto_value
2021-09-24 05:22:30 -07:00
Colin Shea
d0cd67044e
replace $scheme with X-Forwarded-Proto when enabled
2021-09-24 05:14:38 -07:00
sakkiii
3055b3996e
Updates Certbot -> v1.19.0, nginx -> 1.21.3-alpine
2021-09-14 16:51:01 +05:30
sakkiii
ae6caf158a
Added variable matrix_nginx_proxy_request_timeout ( #1265 )
...
* add timeout param for nginx proxy
default value matrix_nginx_proxy_request_timeout is 60s
* default matrix_nginx_proxy_request_timeout - 60s
* few more variables for request timeout
* Update nginx.conf.j2
* Update nginx.conf.j2
2021-09-03 10:00:45 +03:00
Slavi Pantaleev
a911207854
Revert "nginx update v1.21.2"
...
This reverts commit 732051b8fc.
There's no such container image published yet.
2021-09-03 09:07:58 +03:00
sakkiii
732051b8fc
nginx update v1.21.2
...
http://nginx.org/en/CHANGES
2021-09-03 10:46:21 +05:30
sakkiii
f5a7e6d78b
Certbot update v1.18.0
2021-08-20 19:47:11 +05:30
Michael Collins
4d57a41b3f
remove matrix_awx_enabled from these
2021-08-11 17:18:57 +08:00
Michael Collins
2e30802b87
use group variables instead
2021-08-11 15:21:09 +08:00
Michael Collins
8238d65e5f
simplify template conditional
2021-08-11 14:19:19 +08:00
Michael Collins
bfb61e776e
GMH v0.5.7... maybe!
2021-08-10 12:58:10 +08:00
Slavi Pantaleev
4105ba854b
Merge pull request #1147 from datenkollektiv-net/allow-custom-federation-fqn
...
Make federation domain customizable
2021-07-20 09:12:16 +03:00
JokerGermany
9345d840be
root path for the base domain is wrong ( #1189 )
...
* root path for the base domain
* Fix path when running in a container
Co-authored-by: Slavi Pantaleev <slavi@devture.com>
2021-07-20 08:48:11 +03:00
sakkiii
7a51268dfc
Upgrade certbot & nginx
...
Upgrade certbot (v1.16.0 -> v1.17.0) nginx (1.21.0 -> 1.21.1)
2021-07-09 17:51:27 +05:30
Slavi Pantaleev
6294e58304
Fix Content-Security-Policy for Element
...
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1154
According to
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy ,
having both a header and the `<meta>`-tag provided by Element itself is
not a problem. The 2 CSP policies get combined.
2021-07-01 12:41:05 +03:00
oxmie
5df4d68829
Make federation domain customizable
2021-06-30 23:02:27 +02:00
sakkiii
0217644b48
Content-Security-Policy For Element Web
...
https://github.com/vector-im/element-web#configuration-best-practices
2021-06-18 23:27:23 +05:30
Slavi Pantaleev
963f38ee7b
Upgrade certbot (v1.14.0 -> v1.16.0)
2021-06-10 12:18:42 +03:00
pushytoxin
bee14550ab
Fix local/bin scripts autocompletion by adding rx perms to everyone
...
It's mildly annoying when trying to execute these scripts while logged
in as a regular user, as the missing execute permissions will hinder
autocompletion even when trying to use with sudo.
These shell scripts don't contain secrets, but may fail when run by a
regular user. The failure is due to the lack of access to the /matrix
directory, and does not result in any damage.
2021-05-28 10:39:27 +02:00
Slavi Pantaleev
4880dcceb0
Fix OCSP-stapling-related errors due to missing resolver
...
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1057
2021-05-28 11:14:33 +03:00
rakshazi
4ddd8bbb84
Updated nginx-proxy (1.20.0 -> 1.21.0)
2021-05-25 17:06:39 +00:00
Slavi Pantaleev
1ed0857019
Fix syntax error
...
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1024
2021-05-25 11:45:17 +03:00
sakkiii
4a4a7f136e
changes added to hydrogen client
2021-05-25 11:42:51 +05:30
sakkiii
25e67b51d1
Merge branch 'spantaleev:master' into master
2021-05-25 11:40:56 +05:30
sakkiii
3436f9c10a
rename to matrix_nginx_proxy_hsts_preload_enabled
2021-05-25 00:56:59 +05:30
sakkiii
7cc5328ede
Comments & Ref
2021-05-24 17:20:54 +05:30
sakkiii
df2d91970d
matrix_nginx_proxy_xss_protection
2021-05-24 17:02:47 +05:30
Slavi Pantaleev
6f80292745
Add OCSP stapling support and other SSL optimizations to Hydrogen vhost
...
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1061
and https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1057
2021-05-21 13:40:37 +03:00
Slavi Pantaleev
d0de21ab34
Delete Hydrogen nginx configuration file when disabled
2021-05-21 12:58:32 +03:00
Aaron Raimist
04548f8df2
Merge branch 'master' into hydrogen
2021-05-21 04:09:18 -05:00
Aaron Raimist
9437f78c9e
Build using custom config.json, add CSP, update to 0.1.53
2021-05-21 03:45:21 -05:00
sakkiii
e9b878b9e9
Optimize SSL session
2021-05-18 19:39:43 +05:30
Slavi Pantaleev
e6afa05f7b
Enable OCSP stapling for the federation port
...
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1057
Not sure if this is beneficial though.
2021-05-18 08:15:42 +03:00
Slavi Pantaleev
57a6a98a50
Fix incorrect SSL certificate path
...
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1057
2021-05-18 07:58:47 +03:00
Slavi Pantaleev
b9c4e8ce16
Merge pull request #1057 from sakkiii/ssl_staple
...
Enable OCSP Stapling
2021-05-18 07:50:35 +03:00
sakkiii
d31b55b2a7
SSL-enabled block only
2021-05-18 03:24:06 +05:30
Slavi Pantaleev
e4dd933cf0
Make missing /_synapse/admin correctly return 404 responses
...
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1058
We may try to capture such calls and return a friendlier response (HTML
or JSON) saying "The Synapse Admin API is not enabled", but that may not
be desirable.
For now, we stick to what "upstream" recommends: "simply
don't proxy these APIs", which should lead to the same kind of 404 that
we have now.
See here: 6660912226/docs/reverse_proxy.md (synapse-administration-endpoints)
2021-05-17 11:45:35 +03:00
sakkiii
2c3da6599b
Added warning
2021-05-15 16:07:52 +05:30
sakkiii
0dd4459799
matrix_nginx_proxy_ocsp_stapling_enabled variable added
2021-05-15 16:01:49 +05:30
sakkiii
c05021640d
Enable OCSP Stapling
2021-05-15 15:57:05 +05:30
Aaron Raimist
ca361af616
Add Hydrogen
2021-05-15 04:23:36 -05:00
sakkiii
29cf6a0087
Merge branch 'spantaleev:master' into master
2021-05-10 15:10:18 +05:30
sakkiii
bb0810302d
Merge branch 'spantaleev:master' into master
2021-05-07 23:03:55 +05:30
Béla Becker
b10655ebb1
Jitsi XMPP Websocket support
...
Jitsi-meet enabled websockets by default, claiming better reliability.
Matrix-nginx-proxy configuration has been set up according to the
Prosody documentation: https://prosody.im/doc/websocket
2021-05-05 19:10:58 +02:00
Dan Arnfield
cfaa3e598a
Update nginx (1.19.10 -> 1.20.0)
2021-05-03 16:00:11 -05:00
sakkiii
40fe6bd5c1
variable matrix_nginx_proxy_hsts_preload_enable added
2021-04-24 20:04:20 +05:30
Slavi Pantaleev
389dc26615
Fix Synapse generic worker balancing
...
Potentially fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1022
2021-04-24 11:52:45 +03:00
sakkiii
5b4fdf9b87
Merge branch 'master' of https://github.com/sakkiii/matrix-docker-ansible-deploy
2021-04-24 12:15:34 +05:30
sakkiii
0ccf0fbf1c
HSTS preload + X-XSS enables
...
**HSTS Preloading:**
In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and indicates a willingness to be “preloaded” into browsers:
`Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
**X-Xss-Protection:**
`1; mode=block` which tells the browser to block the response if it detects an attack rather than sanitising the script.
2021-04-24 12:12:34 +05:30
sakkiii
3564635f0f
Merge branch 'master' into master
2021-04-24 11:46:52 +05:30
sakkiii
29bba5161b
Element More security headers
...
More production-ready nginx headers for the Matrix client Element.
2021-04-24 11:10:40 +05:30
Slavi Pantaleev
d691cc0920
Move variable definition a bit
2021-04-21 13:59:20 +03:00
Slavi Pantaleev
e00ef04b57
Add opt-out-of-FLoC headers by default
2021-04-21 13:58:24 +03:00
Slavi Pantaleev
4a1739f604
Merge pull request #1007 from teutat3s/fix/nginx-dont-send-version
...
Don't expose nginx version with each response
2021-04-18 21:33:11 +03:00
teutat3s
2bf7c26cfa
Don't expose nginx version with each response
2021-04-18 16:24:13 +02:00
sakkiii
1958d0792d
Update matrix-client-element.conf.j2
2021-04-17 21:33:07 +05:30
sakkiii
b6d45c5fd8
Merge branch 'master' of https://github.com/sakkiii/matrix-docker-ansible-deploy
2021-04-17 21:03:26 +05:30
sakkiii
05042f5ff1
Improve security grafana
...
- duplicate X-Content-Type-Options
- X-Frame-Options header
- Referrer-Policy [Might consider adding variable]
- Secure flag with cookies
- matrix_grafana_content_security_policy variable for [Content Security Policy](https://grafana.com/docs/grafana/latest/administration/configuration/#content_security_policy)
2021-04-17 21:03:05 +05:30
sakkiii
5dc642ace1
Nginx element web: XSS protection & nosniff header
...
X-XSS-Protection: 1; mode=block; header, for basic XSS protection in legacy browsers.
X-Content-Type-Options: nosniff header, to disable MIME sniffing
2021-04-16 14:45:04 +05:30
Slavi Pantaleev
c7c137df74
Upgrade nginx and certbot
2021-04-14 13:24:41 +03:00