matrix-docker-ansible-deploy/roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2
Slavi Pantaleev d14ef08d5b Fix SSL certificate renewal for the custom-proxy-server case
When using matrix-nginx-proxy, the file permissions are organized
in a way that matrix-nginx-proxy could read the challenge files
produced by acmetool.

However, when another own/external webserver was used (like nginx
with our generated sample configuration), this could not work.
From on we're proxying the HTTP requests to port :402 in such a case,
which fixes the problem.
2017-12-01 12:07:27 +01:00

48 lines
1.1 KiB
Django/Jinja

server {
listen 80;
server_name {{ hostname_riot }};
server_tokens off;
location /.well-known/acme-challenge {
{#
The proxy can access the files directly.
An external server likely does not have permission to read these files,
so we'll just proxy to acme's :402 port.
#}
{%- if matrix_nginx_proxy_enabled -%}
default_type "text/plain";
alias {{ matrix_ssl_certs_path }}/run/acme-challenge;
{%- else -%}
proxy_pass http://localhost:402;
{% endif %}
}
location / {
return 301 https://$http_host$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ hostname_riot }};
server_tokens off;
root /dev/null;
ssl on;
ssl_certificate {{ matrix_ssl_certs_path }}/live/{{ hostname_riot }}/fullchain;
ssl_certificate_key {{ matrix_ssl_certs_path }}/live/{{ hostname_riot }}/privkey;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
location / {
proxy_pass http://{{ 'riot' if matrix_nginx_proxy_enabled else 'localhost' }}:8765;
proxy_set_header X-Forwarded-For $remote_addr;
}
}