ff6db5fd3b
The new variables created to the nginx reverse proxy are properly added to the documentation.
58 lines
2.9 KiB
Markdown
58 lines
2.9 KiB
Markdown
# Configure Nginx (optional, advanced)
|
|
|
|
By default, this playbook installs its own nginx webserver (in a Docker container) which listens on ports 80 and 443.
|
|
If that's alright, you can skip this.
|
|
|
|
|
|
## Using Nginx status
|
|
|
|
This will serve a statuspage to the hosting machine only. Useful for monitoring software like [longview](https://www.linode.com/docs/platform/longview/longview-app-for-nginx/)
|
|
|
|
```yaml
|
|
matrix_nginx_proxy_proxy_matrix_nginx_status_enabled: true
|
|
```
|
|
|
|
This will serve the status page under the following addresses:
|
|
- `http://matrix.DOMAIN/nginx_status` (using HTTP)
|
|
- `https://matrix.DOMAIN/nginx_status` (using HTTPS)
|
|
|
|
By default, if ```matrix_nginx_proxy_nginx_status_enabled``` is enabled, access to the status page would be allowed from the local IP address of the server. If you wish to allow access from other IP addresses, you can provide them as a list:
|
|
|
|
```yaml
|
|
matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses:
|
|
- 8.8.8.8
|
|
- 1.1.1.1
|
|
```
|
|
|
|
## Adjusting SSL in your server
|
|
|
|
You can adjust how the SSL is served by the nginx server by setting the `matrix_nginx_proxy_ssl_config`. This is based on the Mozilla Server Side TLS
|
|
Recommended configurations. It changes the TLS Protocol, the SSL Cipher Suites and the `ssl_prefer_server_ciphers` variable of nginx.
|
|
The posible values are:
|
|
|
|
- "Modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility
|
|
- "Intermediate" - Recommended configuration for a general-purpose server
|
|
- "Old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8
|
|
- "Custom" - For defining your own protocols an ciphers
|
|
|
|
The default is set to `"Intermediate"`.
|
|
|
|
**Be really carefull when setting it to "Modern"**. This could break the comunication with other matrix servers, limiting your feration posibilities and the
|
|
[Federarion tester](https://federationtester.matrix.org/) won't work.
|
|
|
|
If you set `matrix_nginx_proxy_ssl_config` to `"Custom"`, you will get three variables that you will be able to set:
|
|
|
|
- `matrix_nginx_proxy_ssl_protocols`: for specifying the supported TLS protocols.
|
|
- `matrix_nginx_proxy_ssl_prefer_server_ciphers`: for specifying if the server or the client choice when negociating the chipher. It can set to "on" or "off".
|
|
- `matrix_nginx_proxy_ssl_ciphers`: for specifying the SSL Cipher suites used by nginx.
|
|
|
|
For more information about this variables, check the `roles/matrix-nginx-proxy/defaults/main.yml` file.
|
|
|
|
## Synapse + OpenID Connect for Single-Sign-On
|
|
|
|
If you want to use OpenID Connect as an SSO provider (as per the [Synapse OpenID docs](https://github.com/matrix-org/synapse/blob/develop/docs/openid.md)), you need to use the following configuration (in your `vars.yml` file) to instruct nginx to forward `/_synapse/oidc` to Synapse:
|
|
|
|
```yaml
|
|
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled: true
|
|
```
|