The different configurations are now all lower case, for consistent naming. `matrix_nginx_proxy_ssl_config` is now called `matrix_nginx_proxy_ssl_preset`. The different options for "modern", "intermediate" and "old" are stored in the main.yml file, instead of being hardcoded in the configuration files. This will improve the maintainability of the code. The "custom" preset was removed. Now if one of the variables is set, it will use it instead of the preset. This will allow to mix and match more easily, for example using all the intermediate options but only supporting TLSv1.2. This will also provide better backward compatibility.
2.9 KiB
Configure Nginx (optional, advanced)
By default, this playbook installs its own nginx webserver (in a Docker container) which listens on ports 80 and 443. If that's alright, you can skip this.
Using Nginx status
This will serve a statuspage to the hosting machine only. Useful for monitoring software like longview
matrix_nginx_proxy_proxy_matrix_nginx_status_enabled: true
This will serve the status page under the following addresses:
http://matrix.DOMAIN/nginx_status
(using HTTP)https://matrix.DOMAIN/nginx_status
(using HTTPS)
By default, if matrix_nginx_proxy_nginx_status_enabled
is enabled, access to the status page would be allowed from the local IP address of the server. If you wish to allow access from other IP addresses, you can provide them as a list:
matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses:
- 8.8.8.8
- 1.1.1.1
Adjusting SSL in your server
You can adjust how the SSL is served by the nginx server by setting the matrix_nginx_proxy_ssl_preset
. This is based on the Mozilla Server Side TLS
Recommended configurations. It changes the TLS Protocol, the SSL Cipher Suites and the ssl_prefer_server_ciphers
variable of nginx.
The posible values are:
- "modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility
- "intermediate" - Recommended configuration for a general-purpose server
- "old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8
The default is set to "intermediate"
.
Be really carefull when setting it to "modern". This could break the comunication with other matrix servers, limiting your feration posibilities and the Federarion tester won't work.
If you want to override one of the values used by the preset, you can use this three variables:
matrix_nginx_proxy_ssl_protocols
: for specifying the supported TLS protocols.matrix_nginx_proxy_ssl_prefer_server_ciphers
: for specifying if the server or the client choice when negociating the chipher. It can set to "on" or "off".matrix_nginx_proxy_ssl_ciphers
: for specifying the SSL Cipher suites used by nginx.
For more information about this variables, check the roles/matrix-nginx-proxy/defaults/main.yml
file.
Synapse + OpenID Connect for Single-Sign-On
If you want to use OpenID Connect as an SSO provider (as per the Synapse OpenID docs), you need to use the following configuration (in your vars.yml
file) to instruct nginx to forward /_synapse/oidc
to Synapse:
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled: true
Disable Nginx access logs
This will disable the access logging for nginx.
matrix_nginx_proxy_access_log_enabled: false