(cors) { @cors_preflight method OPTIONS handle @cors_preflight { header Access-Control-Allow-Origin "{args.0}" header Access-Control-Allow-Methods "HEAD, GET, POST, PUT, PATCH, DELETE" header Access-Control-Allow-Headers "Content-Type, Authorization" header Access-Control-Max-Age "3600" } } matrix.DOMAIN.tld { # creates letsencrypt certificate # tls your@email.com @identity { path /_matrix/identity/* } @noidentity { not path /_matrix/identity/* } @search { path /_matrix/client/r0/user_directory/search/* } @nosearch { not path /_matrix/client/r0/user_directory/search/* } @static { path /matrix/static-files/* } @nostatic { not path /matrix/static-files/* } @wellknown { path /.well-known/matrix/* } header { # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" # Enable cross-site filter (XSS) and tell browser to block detected attacks X-XSS-Protection "1; mode=block" # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type X-Content-Type-Options "nosniff" # Disallow the site to be rendered within a frame (clickjacking protection) X-Frame-Options "DENY" # X-Robots-Tag X-Robots-Tag "noindex, noarchive, nofollow" } # Cache header @static { # Cache Cache-Control "public, max-age=31536000" defer } # identity handle @identity { reverse_proxy localhost:8090 { header_up X-Forwarded-Port {http.request.port} header_up X-Forwarded-Proto {http.request.scheme} header_up X-Forwarded-TlsProto {tls_protocol} header_up X-Forwarded-TlsCipher {tls_cipher} header_up X-Forwarded-HttpsProto {proto} } } # search handle @search { reverse_proxy localhost:8090 { header_up X-Forwarded-Port {http.request.port} header_up X-Forwarded-Proto {http.request.scheme} header_up X-Forwarded-TlsProto {tls_protocol} header_up X-Forwarded-TlsCipher {tls_cipher} header_up X-Forwarded-HttpsProto {proto} } } handle @wellknown { encode zstd gzip root * /matrix/static-files header Cache-Control max-age=14400 header Content-Type application/json header Access-Control-Allow-Origin * file_server } # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the base domain #handle @wellknown { # # .well-known is handled by base domain # reverse_proxy https://DOMAIN.tld { # header_up Host {http.reverse_proxy.upstream.hostport} #} handle { encode zstd gzip reverse_proxy localhost:8008 { header_up X-Forwarded-Port {http.request.port} header_up X-Forwarded-Proto {http.request.scheme} header_up X-Forwarded-TlsProto {tls_protocol} header_up X-Forwarded-TlsCipher {tls_cipher} header_up X-Forwarded-HttpsProto {proto} } } } matrix.DOMAIN.tld:8448 { handle { encode zstd gzip reverse_proxy 127.0.0.1:8048 { header_up X-Forwarded-Port {http.request.port} header_up X-Forwarded-Proto {http.request.scheme} header_up X-Forwarded-TlsProto {tls_protocol} header_up X-Forwarded-TlsCipher {tls_cipher} header_up X-Forwarded-HttpsProto {proto} } } } element.DOMAIN.tld { # creates letsencrypt certificate # tls your@email.com import cors https://*.DOMAIN.tld header { # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" # Enable cross-site filter (XSS) and tell browser to block detected attacks X-XSS-Protection "1; mode=block" # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type X-Content-Type-Options "nosniff" # Disallow the site to be rendered within a frame (clickjacking protection) X-Frame-Options "DENY" # If using integrations that add frames to Element, such as Dimension and its integrations running on the same domain, it can be a good idea to limit sources allowed to be rendered # Content-Security-Policy frame-src https://*.DOMAIN.tld # X-Robots-Tag X-Robots-Tag "noindex, noarchive, nofollow" } handle { encode zstd gzip reverse_proxy localhost:8765 { header_up X-Forwarded-Port {http.request.port} header_up X-Forwarded-Proto {http.request.scheme} header_up X-Forwarded-TlsProto {tls_protocol} header_up X-Forwarded-TlsCipher {tls_cipher} header_up X-Forwarded-HttpsProto {proto} } } #dimension.DOMAIN.tld { # # # creates letsencrypt certificate # # tls your@email.com # # import cors https://*.DOMAIN.tld # # header { # # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS # Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" # # Enable cross-site filter (XSS) and tell browser to block detected attacks # X-XSS-Protection "1; mode=block" # # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type # X-Content-Type-Options "nosniff" # # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain (clickjacking protection) # # Content-Security-Policy frame-ancestors https://*.DOMAIN.tld # # X-Robots-Tag # X-Robots-Tag "noindex, noarchive, nofollow" # } # # handle { # encode zstd gzip # # reverse_proxy localhost:8184 { # header_up X-Forwarded-Port {http.request.port} # header_up X-Forwarded-Proto {http.request.scheme} # header_up X-Forwarded-TlsProto {tls_protocol} # header_up X-Forwarded-TlsCipher {tls_cipher} # header_up X-Forwarded-HttpsProto {proto} # } # } #} #jitsi.DOMAIN.tld { # # creates letsencrypt certificate # tls your@email.com # # import cors https://*.DOMAIN.tld # # header { # # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS # Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" # # # Enable cross-site filter (XSS) and tell browser to block detected attacks # X-XSS-Protection "1; mode=block" # # # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type # X-Content-Type-Options "nosniff" # # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain # # Content-Security-Policy frame-ancestors https://*.DOMAIN.tld # # # Disable some features # Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope #'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'" # # # Referer # Referrer-Policy "no-referrer" # # # X-Robots-Tag # X-Robots-Tag "none" # # # Remove Server header # -Server # } # # handle { # encode zstd gzip # # reverse_proxy 127.0.0.1:13080 { # header_up X-Forwarded-Port {http.request.port} # header_up X-Forwarded-Proto {http.request.scheme} # header_up X-Forwarded-TlsProto {tls_protocol} # header_up X-Forwarded-TlsCipher {tls_cipher} # header_up X-Forwarded-HttpsProto {proto} # } # } #} #DOMAIN.com { # Uncomment this if you are following "(Option 3): Setting up reverse-proxying of the well-known files from the base domain's server to the Matrix server" of https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md#option-3-setting-up-reverse-proxying-of-the-well-known-files-from-the-base-domains-server-to-the-matrix-server # @wellknown { # path /.well-known/matrix/* # } # # handle @wellknown { # reverse_proxy https://matrix.DOMAIN.com { # header_up Host {http.reverse_proxy.upstream.hostport} # } # } # # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the matrix subdomain # # handle /.well-known/* { # # encode zstd gzip # # header Cache-Control max-age=14400 # # header Content-Type application/json # # header Access-Control-Allow-Origin * # #} # # # Configration for the base domain goes here # # handle { # # header -Server # # encode zstd gzip # # reverse_proxy localhost:4020 # # } #}