matrix-docker-ansible-deploy/docs/configuring-playbook-own-webserver.md

# Using your own webserver, instead of this playbook's nginx proxy (optional, advanced)

By default, this playbook installs its own nginx webserver (in a Docker container) which listens on ports 80 and 443.
If that's alright, you can skip this.

If you don't want this playbook's nginx webserver to take over your server's 80/443 ports like that,
and you'd like to use your own webserver (be it nginx, Apache, Varnish Cache, etc.), you can.

There are **2 ways you can go about it**, if you'd like to use your own webserver:

- [Method 1: Disabling the integrated nginx reverse-proxy webserver](#method-1-disabling-the-integrated-nginx-reverse-proxy-webserver)

- [Method 2: Fronting the integrated nginx reverse-proxy webserver with another reverse-proxy](#method-2-fronting-the-integrated-nginx-reverse-proxy-webserver-with-another-reverse-proxy)


## Method 1: Disabling the integrated nginx reverse-proxy webserver

This method is about completely disabling the integrated nginx reverse-proxy webserver and replicating its behavior using another webserver.
For an alternative, make sure to check Method #2 as well.

### Preparation

No matter which external webserver you decide to go with, you'll need to:

1) Make sure your web server user (something like `http`, `apache`, `www-data`, `nginx`) is part of the `matrix` group. You should run something like this: `usermod -a -G matrix nginx`

2) Edit your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`) to disable the integrated nginx server:

```yaml
matrix_nginx_proxy_enabled: false
```

3) **If you'll manage SSL certificates by yourself**, edit your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`) to disable SSL certificate retrieval:

```yaml
matrix_ssl_retrieval_method: none
```

**Note**: During [installation](installing.md), unless you've disabled SSL certificate management (`matrix_ssl_retrieval_method: none`), the playbook would need 80 to be available, in order to retrieve SSL certificates. **Please manually stop your other webserver while installing**. You can start it back up afterwards.


### Using your own external nginx webserver

Once you've followed the [Preparation](#preparation) guide above, it's time to set up your external nginx server.

Even with `matrix_nginx_proxy_enabled: false`, the playbook still generates some helpful files for you in `/matrix/nginx-proxy/conf.d`.
Those configuration files are adapted for use with an external web server (one not running in the container network).

You can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your own `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;`

Note that if your nginx version is old, it might not like our default choice of SSL protocols (particularly the fact that the brand new `TLSv1.3` protocol is enabled). You can override the protocol list by redefining the `matrix_nginx_proxy_ssl_protocols` variable. Example:

```yaml
# Custom protocol list (removing `TLSv1.3`) to suit your nginx version.
matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2"
```


### Using your own external Apache webserver

Once you've followed the [Preparation](#preparation) guide above, you can take a look at the [examples/apache](../examples/apache) directory for a sample configuration.

### Using your own external caddy webserver

After following  the [Preparation](#preparation) guide above, you can take a look at the [examples/caddy](../examples/caddy) directory for a sample configuration.

### Using your own HAproxy reverse proxy
After following  the [Preparation](#preparation) guide above, you can take a look at the [examples/haproxy](../examples/haproxy) directory for a sample configuration. In this case HAproxy is used as a reverse proxy and a simple Nginx container is used to serve statically `.well-known` files.

### Using another external webserver

Feel free to look at the [examples/apache](../examples/apache) directory, or the [template files in the matrix-nginx-proxy role](../roles/matrix-nginx-proxy/templates/conf.d/).


## Method 2: Fronting the integrated nginx reverse-proxy webserver with another reverse-proxy

This method is about leaving the integrated nginx reverse-proxy webserver be, but making it not get in the way (using up important ports, trying to retrieve SSL certificates, etc.).

If you wish to use another webserver, the integrated nginx reverse-proxy webserver usually gets in the way because it attempts to fetch SSL certificates and binds to ports 80, 443 and 8448 (if Matrix Federation is enabled).

You can disable such behavior and make the integrated nginx reverse-proxy webserver only serve traffic locally (or over a local network).

You would need some configuration like this:

```yaml
# Do not retrieve SSL certificates. This shall be managed by another webserver or other means.
matrix_ssl_retrieval_method: none

# Do not try to serve HTTPS, since we have no SSL certificates.
# Disabling this also means services will be served on the HTTP port
# (`matrix_nginx_proxy_container_http_host_bind_port`).
matrix_nginx_proxy_https_enabled: false

# Do not listen for HTTP on port 80 globally (default), listen on the loopback interface.
# If you'd like, you can make it use the local network as well and reverse-proxy from another local machine.
matrix_nginx_proxy_container_http_host_bind_port: '127.0.0.1:81'

# Likewise, expose the Matrix Federation port on the loopback interface.
# Since `matrix_nginx_proxy_https_enabled` is set to `false`, this federation port will serve HTTP traffic.
# If you'd like, you can make it use the local network as well and reverse-proxy from another local machine.
#
# You'd most likely need to expose it publicly on port 8448 (8449 was chosen for the local port to prevent overlap).
matrix_nginx_proxy_container_federation_host_bind_port: '127.0.0.1:8449'

# Coturn relies on SSL certificates that have already been obtained.
# Since we don't obtain any certificates (`matrix_ssl_retrieval_method: none` above), it won't work by default.
# An alternative is to tweak some of: `matrix_coturn_tls_enabled`, `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path`.
matrix_coturn_enabled: false
```

With this, nginx would still be in use, but it would not bother with anything SSL related or with taking up public ports.

All services would be served locally on `127.0.0.1:81` and `127.0.0.1:8449` (as per the example configuration above).

You can then set up another reverse-proxy server on ports 80/443/8448 for all of the expected domains and make traffic go to these local ports.
The expected domains vary depending on the services you have enabled (`matrix.DOMAIN` for sure; `riot.DOMAIN` and `dimension.DOMAIN` are optional).

We don't have sample webserver configuration for this use-case yet, but hope to expand on this documentation entry in the future.
For [Traefik](https://traefik.io/), you can [see some work in progress examples here](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/296).
Annotate certain features as optional/advanced We've had some people get confused into installing Matrix Corporal and having pain with that. With this documentation change, we try to make it clearer that it's an advanced feature not to be touched unless you know what you're doing. On a similar note, we also make sure other things are properly labeled as "(optional)" and/or "(advanced)". 2018-11-26 06:23:42 +01:00			`# Using your own webserver, instead of this playbook's nginx proxy (optional, advanced)`
Split README into a bunch of files in docs/ 2018-08-08 09:07:02 +02:00
			`By default, this playbook installs its own nginx webserver (in a Docker container) which listens on ports 80 and 443.`
			`If that's alright, you can skip this.`

			`If you don't want this playbook's nginx webserver to take over your server's 80/443 ports like that,`
			`and you'd like to use your own webserver (be it nginx, Apache, Varnish Cache, etc.), you can.`

Add support to matrix-nginx-proxy to work in HTTP-only mode 2019-12-06 10:53:09 +01:00			`There are 2 ways you can go about it, if you'd like to use your own webserver:`
Add Service Discovery (/.well-known/matrix/client) support 2018-09-17 09:51:46 +02:00
Add support to matrix-nginx-proxy to work in HTTP-only mode 2019-12-06 10:53:09 +01:00			`- [Method 1: Disabling the integrated nginx reverse-proxy webserver](#method-1-disabling-the-integrated-nginx-reverse-proxy-webserver)`

			`- [Method 2: Fronting the integrated nginx reverse-proxy webserver with another reverse-proxy](#method-2-fronting-the-integrated-nginx-reverse-proxy-webserver-with-another-reverse-proxy)`


			`## Method 1: Disabling the integrated nginx reverse-proxy webserver`

			`This method is about completely disabling the integrated nginx reverse-proxy webserver and replicating its behavior using another webserver.`
			`For an alternative, make sure to check Method #2 as well.`

			`### Preparation`
Add Service Discovery (/.well-known/matrix/client) support 2018-09-17 09:51:46 +02:00
Update own-webserver guide and add sample Apache configuration This supersedes #59 (Github Pull Request), which was greatly beneficial in creating our sample Apache configuration. 2019-02-01 15:51:18 +01:00			`No matter which external webserver you decide to go with, you'll need to:`

			1) Make sure your web server user (something like `http`, `apache`, `www-data`, `nginx`) is part of the `matrix` group. You should run something like this: `usermod -a -G matrix nginx`

Fix incorrect inventory host_vars paths 2019-05-24 01:06:42 +02:00			2) Edit your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`) to disable the integrated nginx server:
Split README into a bunch of files in docs/ 2018-08-08 09:07:02 +02:00
Annotate certain features as optional/advanced We've had some people get confused into installing Matrix Corporal and having pain with that. With this documentation change, we try to make it clearer that it's an advanced feature not to be touched unless you know what you're doing. On a similar note, we also make sure other things are properly labeled as "(optional)" and/or "(advanced)". 2018-11-26 06:23:42 +01:00			```yaml
Split README into a bunch of files in docs/ 2018-08-08 09:07:02 +02:00			`matrix_nginx_proxy_enabled: false`
Update own-webserver guide and add sample Apache configuration This supersedes #59 (Github Pull Request), which was greatly beneficial in creating our sample Apache configuration. 2019-02-01 15:51:18 +01:00			```

Fix incorrect inventory host_vars paths 2019-05-24 01:06:42 +02:00			3) If you'll manage SSL certificates by yourself, edit your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`) to disable SSL certificate retrieval:
Update own-webserver guide and add sample Apache configuration This supersedes #59 (Github Pull Request), which was greatly beneficial in creating our sample Apache configuration. 2019-02-01 15:51:18 +01:00
			```yaml
			`matrix_ssl_retrieval_method: none`
			```

			Note: During [installation](installing.md), unless you've disabled SSL certificate management (`matrix_ssl_retrieval_method: none`), the playbook would need 80 to be available, in order to retrieve SSL certificates. Please manually stop your other webserver while installing. You can start it back up afterwards.
Add TLS v1.3 support to matrix-nginx-proxy This was mentioned in #27 (Github Pull Request), but it's just now that the nginx Docker image actually supports TLS v1.3 and we can enable it. 2019-02-01 10:47:43 +01:00
Update own-webserver guide and add sample Apache configuration This supersedes #59 (Github Pull Request), which was greatly beneficial in creating our sample Apache configuration. 2019-02-01 15:51:18 +01:00
Add support to matrix-nginx-proxy to work in HTTP-only mode 2019-12-06 10:53:09 +01:00			`### Using your own external nginx webserver`
Update own-webserver guide and add sample Apache configuration This supersedes #59 (Github Pull Request), which was greatly beneficial in creating our sample Apache configuration. 2019-02-01 15:51:18 +01:00
			`Once you've followed the [Preparation](#preparation) guide above, it's time to set up your external nginx server.`

			Even with `matrix_nginx_proxy_enabled: false`, the playbook still generates some helpful files for you in `/matrix/nginx-proxy/conf.d`.
			`Those configuration files are adapted for use with an external web server (one not running in the container network).`

			You can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your own `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;`

			Note that if your nginx version is old, it might not like our default choice of SSL protocols (particularly the fact that the brand new `TLSv1.3` protocol is enabled). You can override the protocol list by redefining the `matrix_nginx_proxy_ssl_protocols` variable. Example:

			```yaml
			# Custom protocol list (removing `TLSv1.3`) to suit your nginx version.
			`matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2"`
Split README into a bunch of files in docs/ 2018-08-08 09:07:02 +02:00			```


Add support to matrix-nginx-proxy to work in HTTP-only mode 2019-12-06 10:53:09 +01:00			`### Using your own external Apache webserver`
Split README into a bunch of files in docs/ 2018-08-08 09:07:02 +02:00
Update own-webserver guide and add sample Apache configuration This supersedes #59 (Github Pull Request), which was greatly beneficial in creating our sample Apache configuration. 2019-02-01 15:51:18 +01:00			`Once you've followed the [Preparation](#preparation) guide above, you can take a look at the [examples/apache](../examples/apache) directory for a sample configuration.`
Split README into a bunch of files in docs/ 2018-08-08 09:07:02 +02:00
Add support to matrix-nginx-proxy to work in HTTP-only mode 2019-12-06 10:53:09 +01:00			`### Using your own external caddy webserver`
Give a hint to look into the examples if using caddy 2019-04-16 19:46:17 +02:00
			`After following the [Preparation](#preparation) guide above, you can take a look at the [examples/caddy](../examples/caddy) directory for a sample configuration.`
Split README into a bunch of files in docs/ 2018-08-08 09:07:02 +02:00
Add support to matrix-nginx-proxy to work in HTTP-only mode 2019-12-06 10:53:09 +01:00			`### Using your own HAproxy reverse proxy`
Adds doc for HAproxy 2019-08-25 21:53:34 +02:00			After following the [Preparation](#preparation) guide above, you can take a look at the [examples/haproxy](../examples/haproxy) directory for a sample configuration. In this case HAproxy is used as a reverse proxy and a simple Nginx container is used to serve statically `.well-known` files.

Add support to matrix-nginx-proxy to work in HTTP-only mode 2019-12-06 10:53:09 +01:00			`### Using another external webserver`
Split README into a bunch of files in docs/ 2018-08-08 09:07:02 +02:00
Update own-webserver guide and add sample Apache configuration This supersedes #59 (Github Pull Request), which was greatly beneficial in creating our sample Apache configuration. 2019-02-01 15:51:18 +01:00			`Feel free to look at the [examples/apache](../examples/apache) directory, or the [template files in the matrix-nginx-proxy role](../roles/matrix-nginx-proxy/templates/conf.d/).`
Add support to matrix-nginx-proxy to work in HTTP-only mode 2019-12-06 10:53:09 +01:00

			`## Method 2: Fronting the integrated nginx reverse-proxy webserver with another reverse-proxy`

			`This method is about leaving the integrated nginx reverse-proxy webserver be, but making it not get in the way (using up important ports, trying to retrieve SSL certificates, etc.).`

			`If you wish to use another webserver, the integrated nginx reverse-proxy webserver usually gets in the way because it attempts to fetch SSL certificates and binds to ports 80, 443 and 8448 (if Matrix Federation is enabled).`

			`You can disable such behavior and make the integrated nginx reverse-proxy webserver only serve traffic locally (or over a local network).`

			`You would need some configuration like this:`

			```yaml
			`# Do not retrieve SSL certificates. This shall be managed by another webserver or other means.`
			`matrix_ssl_retrieval_method: none`

			`# Do not try to serve HTTPS, since we have no SSL certificates.`
			`# Disabling this also means services will be served on the HTTP port`
			# (`matrix_nginx_proxy_container_http_host_bind_port`).
			`matrix_nginx_proxy_https_enabled: false`

			`# Do not listen for HTTP on port 80 globally (default), listen on the loopback interface.`
			`# If you'd like, you can make it use the local network as well and reverse-proxy from another local machine.`
			`matrix_nginx_proxy_container_http_host_bind_port: '127.0.0.1:81'`

			`# Likewise, expose the Matrix Federation port on the loopback interface.`
			# Since `matrix_nginx_proxy_https_enabled` is set to `false`, this federation port will serve HTTP traffic.
			`# If you'd like, you can make it use the local network as well and reverse-proxy from another local machine.`
			`#`
			`# You'd most likely need to expose it publicly on port 8448 (8449 was chosen for the local port to prevent overlap).`
			`matrix_nginx_proxy_container_federation_host_bind_port: '127.0.0.1:8449'`

			`# Coturn relies on SSL certificates that have already been obtained.`
			# Since we don't obtain any certificates (`matrix_ssl_retrieval_method: none` above), it won't work by default.
			# An alternative is to tweak some of: `matrix_coturn_tls_enabled`, `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path`.
			`matrix_coturn_enabled: false`
			```

			`With this, nginx would still be in use, but it would not bother with anything SSL related or with taking up public ports.`

			All services would be served locally on `127.0.0.1:81` and `127.0.0.1:8449` (as per the example configuration above).

			`You can then set up another reverse-proxy server on ports 80/443/8448 for all of the expected domains and make traffic go to these local ports.`
			The expected domains vary depending on the services you have enabled (`matrix.DOMAIN` for sure; `riot.DOMAIN` and `dimension.DOMAIN` are optional).

			`We don't have sample webserver configuration for this use-case yet, but hope to expand on this documentation entry in the future.`
			`For [Traefik](https://traefik.io/), you can [see some work in progress examples here](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/296).`