d14ef08d5b
When using matrix-nginx-proxy, the file permissions are organized in a way that matrix-nginx-proxy could read the challenge files produced by acmetool. However, when another own/external webserver was used (like nginx with our generated sample configuration), this could not work. From on we're proxying the HTTP requests to port :402 in such a case, which fixes the problem.
48 lines
1.1 KiB
Django/Jinja
48 lines
1.1 KiB
Django/Jinja
server {
|
|
listen 80;
|
|
server_name {{ hostname_riot }};
|
|
|
|
server_tokens off;
|
|
|
|
location /.well-known/acme-challenge {
|
|
{#
|
|
The proxy can access the files directly.
|
|
An external server likely does not have permission to read these files,
|
|
so we'll just proxy to acme's :402 port.
|
|
#}
|
|
|
|
{%- if matrix_nginx_proxy_enabled -%}
|
|
default_type "text/plain";
|
|
alias {{ matrix_ssl_certs_path }}/run/acme-challenge;
|
|
{%- else -%}
|
|
proxy_pass http://localhost:402;
|
|
{% endif %}
|
|
}
|
|
|
|
location / {
|
|
return 301 https://$http_host$request_uri;
|
|
}
|
|
}
|
|
|
|
server {
|
|
listen 443 ssl http2;
|
|
listen [::]:443 ssl http2;
|
|
|
|
server_name {{ hostname_riot }};
|
|
|
|
server_tokens off;
|
|
root /dev/null;
|
|
|
|
ssl on;
|
|
ssl_certificate {{ matrix_ssl_certs_path }}/live/{{ hostname_riot }}/fullchain;
|
|
ssl_certificate_key {{ matrix_ssl_certs_path }}/live/{{ hostname_riot }}/privkey;
|
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
|
|
|
location / {
|
|
proxy_pass http://{{ 'riot' if matrix_nginx_proxy_enabled else 'localhost' }}:8765;
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
}
|
|
}
|