server { listen 80; server_name {{ hostname_riot }}; server_tokens off; location /.well-known/acme-challenge { {# The proxy can access the files directly. An external server likely does not have permission to read these files, so we'll just proxy to acme's :402 port. #} {%- if matrix_nginx_proxy_enabled -%} default_type "text/plain"; alias {{ matrix_ssl_certs_path }}/run/acme-challenge; {%- else -%} proxy_pass http://localhost:402; {% endif %} } location / { return 301 https://$http_host$request_uri; } } server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name {{ hostname_riot }}; server_tokens off; root /dev/null; gzip on; gzip_types text/plain text/html application/json application/javascript text/css image/x-icon font/ttf image/gif; ssl_certificate {{ matrix_ssl_certs_path }}/live/{{ hostname_riot }}/fullchain; ssl_certificate_key {{ matrix_ssl_certs_path }}/live/{{ hostname_riot }}/privkey; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; location / { {% if matrix_nginx_proxy_enabled %} {# Use the embedded DNS resolver in Docker containers to discover the service #} resolver 127.0.0.11 valid=5s; set $backend "matrix-riot-web:8765"; proxy_pass http://$backend; {% else %} {# Generic configuration for use outside of our container setup #} proxy_pass http://localhost:8765; {% endif %} proxy_set_header X-Forwarded-For $remote_addr; } }