Update reverse-proxy examples

2024-11-10 04:37:36 +01:00 · 2024-01-14 17:23:28 +02:00 · 2024-01-14 17:23:28 +02:00 · 0e831db3e5
commit 0e831db3e5
parent aff57d67c0
16 changed files with 89 additions and 617 deletions
--- a/examples/apache/README.md
+++ b/examples/apache/README.md
@ -1,17 +1,14 @@
 # Apache reverse-proxy
-This directory contains sample files that show you how to do reverse-proxying using Apache.
+This directory contains sample files that show you how to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with your Apache reverse-proxy.
-This is for when you wish to have your own Apache webserver sitting in front of Matrix services installed by this playbook.
+## Prerequisite configuration
 See the [Using your own webserver, instead of this playbook's nginx proxy](../../docs/configuring-playbook-own-webserver.md) documentation page.
-To use your own Apache reverse-proxy, you first need to disable the integrated nginx server.
+To get started, first follow the [front the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) instructions and update your playbook's configuration (`inventory/host_vars/matrix.<your-domain>/vars.yml`).
 You do that with the following custom configuration (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
-```yaml
+## Using the Apache configuration
 matrix_nginx_proxy_enabled: false
 ```
-You can then use the configuration files from this directory as an example for how to configure your Apache server.
+`matrix-domain.conf` contains configuration for the Matrix domain, which handles both the Client-Server API (port `443`) and the Matrix Federation API (port `8448`).
-**NOTE**: this is just an example and may not be entirely accurate. It may also not cover other use cases (enabling various services or bridges requires additional reverse-proxying configuration).
+`matrix-client-element.conf` is an example for when you're hosting Element at `element.DOMAIN`.
 This configuration can also be used as an example for handling other domains, depending on the services you enable with the playbook (e.g. `dimension.DOMAIN`, etc).
--- a/examples/apache/matrix-client-element.conf
+++ b/examples/apache/matrix-client-element.conf
@ -4,14 +4,8 @@
 <VirtualHost *:80>
 	ServerName element.DOMAIN
-	ProxyVia On
+	# You may wish to handle the /.well-known/acme-challenge paths here somehow,
-
+	# if you're using ACME (Let's Encrypt) certificates.
 	# Map /.well-known/acme-challenge to the certbot server
 	# If you manage SSL certificates by yourself, this will differ.
 	<Location /.well-known/acme-challenge>
 		ProxyPreserveHost On
 		ProxyPass http://127.0.0.1:2402/.well-known/acme-challenge
 	</Location>
 	Redirect permanent / https://element.DOMAIN/
 </VirtualHost>
@ -33,8 +27,8 @@
 	ProxyRequests Off
 	ProxyVia On
-	ProxyPass / http://127.0.0.1:8765/
+	ProxyPass / http://127.0.0.1:81/
-	ProxyPassReverse / http://127.0.0.1:8765/
+	ProxyPassReverse / http://127.0.0.1:81/
 	ErrorLog ${APACHE_LOG_DIR}/element.DOMAIN-error.log
 	CustomLog ${APACHE_LOG_DIR}/element.DOMAIN-access.log combined
--- a/examples/apache/matrix-dimension.conf
+++ b/examples/apache/matrix-dimension.conf
@ -1,41 +0,0 @@
 # This is a sample file demonstrating how to set up reverse-proxy for dimension.DOMAIN.
 # If you're not using Dimension (`matrix_dimension_enabled: false`, which is also the default), you won't need this.
 <VirtualHost *:80>
 	ServerName dimension.DOMAIN
 	ProxyVia On
 	# Map /.well-known/acme-challenge to the certbot server
 	# If you manage SSL certificates by yourself, this will differ.
 	<Location /.well-known/acme-challenge>
 		ProxyPreserveHost On
 		ProxyPass http://127.0.0.1:2402/.well-known/acme-challenge
 	</Location>
 	Redirect permanent / https://dimension.DOMAIN/
 </VirtualHost>
 <VirtualHost *:443>
 	ServerName dimension.DOMAIN
 	SSLEngine On
 	# If you manage SSL certificates by yourself, these paths will differ.
 	SSLCertificateFile /matrix/ssl/config/live/dimension.DOMAIN/fullchain.pem
 	SSLCertificateKeyFile /matrix/ssl/config/live/dimension.DOMAIN/privkey.pem
 	SSLProxyEngine on
 	SSLProxyProtocol +TLSv1.2 +TLSv1.3
 	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
 	ProxyPreserveHost On
 	ProxyRequests Off
 	ProxyVia On
 	ProxyPass / http://127.0.0.1:8184/
 	ProxyPassReverse / http://127.0.0.1:8184/
 	ErrorLog ${APACHE_LOG_DIR}/dimension.DOMAIN-error.log
 	CustomLog ${APACHE_LOG_DIR}/dimension.DOMAIN-access.log combined
 </VirtualHost>
--- a/examples/apache/matrix-domain.conf
+++ b/examples/apache/matrix-domain.conf
@ -0,0 +1,65 @@
 # This is a sample file demonstrating how to set up reverse-proxy for matrix.DOMAIN
 <VirtualHost *:80>
 	ServerName matrix.DOMAIN
 	# You may wish to handle the /.well-known/acme-challenge paths here somehow,
 	# if you're using ACME (Let's Encrypt) certificates.
 	Redirect permanent / https://matrix.DOMAIN/
 </VirtualHost>
 # Client-Server API
 <VirtualHost *:443>
 	ServerName matrix.DOMAIN
 	SSLEngine On
 	# If you manage SSL certificates by yourself, these paths will differ.
 	SSLCertificateFile /path/to/matrix.DOMAIN/fullchain.pem
 	SSLCertificateKeyFile /path/to/matrix.DOMAIN/privkey.pem
 	SSLProxyEngine on
 	SSLProxyProtocol +TLSv1.2 +TLSv1.3
 	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
 	ProxyPreserveHost On
 	ProxyRequests Off
 	ProxyVia On
 	RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
 	AllowEncodedSlashes NoDecode
 	ProxyPass / http://127.0.0.1:81 retry=0 nocanon
 	ProxyPassReverse / http://127.0.0.1:81/
 	ErrorLog ${APACHE_LOG_DIR}/matrix.DOMAIN-error.log
 	CustomLog ${APACHE_LOG_DIR}/matrix.DOMAIN-access.log combined
 </VirtualHost>
 # Server-Server (federation) API
 Listen 8448
 <VirtualHost *:8448>
 	ServerName matrix.DOMAIN
 	SSLEngine On
 	# If you manage SSL certificates by yourself, these paths will differ.
 	SSLCertificateFile /matrix/ssl/config/live/matrix.DOMAIN/fullchain.pem
 	SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem
 	SSLProxyEngine on
 	SSLProxyProtocol +TLSv1.2 +TLSv1.3
 	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
 	ProxyPreserveHost On
 	ProxyRequests Off
 	ProxyVia On
 	RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
 	AllowEncodedSlashes NoDecode
 	ProxyPass / http://127.0.0.1:8449/ retry=0 nocanon
 	ProxyPassReverse / http://127.0.0.1:8449/
 	ErrorLog ${APACHE_LOG_DIR}/matrix.DOMAIN-error.log
 	CustomLog ${APACHE_LOG_DIR}/matrix.DOMAIN-access.log combined
 </VirtualHost>
--- a/examples/apache/matrix-synapse.conf
+++ b/examples/apache/matrix-synapse.conf
@ -1,146 +0,0 @@
 # This is a sample file demonstrating how to set up reverse-proxy for matrix.DOMAIN
 <VirtualHost *:80>
 	ServerName matrix.DOMAIN
 	ProxyVia On
 	# Map /.well-known/acme-challenge to the certbot server
 	# If you manage SSL certificates by yourself, this will differ.
 	<Location /.well-known/acme-challenge>
 		ProxyPreserveHost On
 		ProxyPass http://127.0.0.1:2402/.well-known/acme-challenge
 	</Location>
 	Redirect permanent / https://matrix.DOMAIN/
 </VirtualHost>
 # Client-Server API
 <VirtualHost *:443>
 	ServerName matrix.DOMAIN
 	SSLEngine On
 	# If you manage SSL certificates by yourself, these paths will differ.
 	SSLCertificateFile /matrix/ssl/config/live/matrix.DOMAIN/fullchain.pem
 	SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem
 	SSLProxyEngine on
 	SSLProxyProtocol +TLSv1.2 +TLSv1.3
 	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
 	ProxyPreserveHost On
 	ProxyRequests Off
 	ProxyVia On
 	RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
 	# Keep some URIs free for different proxy/location
 	ProxyPassMatch ^/.well-known/matrix/client !
 	ProxyPassMatch ^/.well-known/matrix/server !
 	ProxyPassMatch ^/.well-known/matrix/support !
 	ProxyPassMatch ^/_matrix/identity !
 	ProxyPassMatch ^/_matrix/client/r0/user_directory/search !
 	# Proxy all remaining traffic to Synapse
 	AllowEncodedSlashes NoDecode
 	ProxyPass /_matrix http://127.0.0.1:8008/_matrix retry=0 nocanon
 	ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix
 	ProxyPass /_synapse/client http://127.0.0.1:8008/_synapse/client retry=0 nocanon
 	ProxyPassReverse /_synapse/client http://127.0.0.1:8008/_synapse/client
 	# Proxy Admin API (necessary for Synapse-Admin)
 	# ProxyPass /_synapse/admin http://127.0.0.1:8008/_synapse/admin retry=0 nocanon
 	# ProxyPassReverse /_synapse/admin http://127.0.0.1:8008/_synapse/admin
 	# Proxy Synapse-Admin
 	# ProxyPass /synapse-admin http://127.0.0.1:8766 retry=0 nocanon
 	# ProxyPassReverse /synapse-admin http://127.0.0.1:8766
 	# Map /.well-known/matrix/client for client discovery
 	Alias /.well-known/matrix/client /matrix/static-files/.well-known/matrix/client
 	<Files "/matrix/static-files/.well-known/matrix/client">
 		Require all granted
 	</Files>
 	<Location "/.well-known/matrix/client">
 		Header always set Content-Type "application/json"
 		Header always set Access-Control-Allow-Origin "*"
 	</Location>
 	# Map /.well-known/matrix/server for server discovery
 	Alias /.well-known/matrix/server /matrix/static-files/.well-known/matrix/server
 	<Files "/matrix/static-files/.well-known/matrix/server">
 		Require all granted
 	</Files>
 	<Location "/.well-known/matrix/server">
 		Header always set Content-Type "application/json"
 	</Location>
 	# Map /.well-known/matrix/support for support discovery
 	Alias /.well-known/matrix/support /matrix/static-files/.well-known/matrix/support
 	<Files "/matrix/static-files/.well-known/matrix/support">
 		Require all granted
 	</Files>
 	<Location "/.well-known/matrix/support">
 		Header always set Content-Type "application/json"
 	</Location>
 	<Directory /matrix/static-files/.well-known/matrix/>
 		AllowOverride All
 		# Apache 2.4:
 		Require all granted
 		# Or for Apache 2.2:
 		#order allow,deny
 	</Directory>
 	# Map /_matrix/identity to the identity server
 	<Location /_matrix/identity>
 		ProxyPass http://127.0.0.1:8090/_matrix/identity nocanon
 	</Location>
 	# Map /_matrix/client/r0/user_directory/search to the identity server
 	<Location /_matrix/client/r0/user_directory/search>
 		ProxyPass http://127.0.0.1:8090/_matrix/client/r0/user_directory/search nocanon
 	</Location>
 	ErrorLog ${APACHE_LOG_DIR}/matrix.DOMAIN-error.log
 	CustomLog ${APACHE_LOG_DIR}/matrix.DOMAIN-access.log combined
 </VirtualHost>
 # Server-Server (federation) API
 # Use this apache reverse proxy template to enable matrix server-to-server federation traffic
 # Be sure that network traffic on port 8448 is possible
 #
 # You can check your federation config at https://federationtester.matrix.org/
 # Enter there your base DOMAIN address, NOT your matrix.DOMAIN address, ex. https://DOMAIN
 #
 # In this example we use all services on the same machine (127.0.0.1) but you can do this with different machines.
 # If you do so be sure to reach the destinated IPADRESS and the correspondending port. Check this with netstat, nmap or your favourite tool.
 Listen 8448
 <VirtualHost *:8448>
 	ServerName matrix.DOMAIN
 	SSLEngine On
 	# If you manage SSL certificates by yourself, these paths will differ.
 	SSLCertificateFile /matrix/ssl/config/live/matrix.DOMAIN/fullchain.pem
 	SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem
 	SSLProxyEngine on
 	SSLProxyProtocol +TLSv1.2 +TLSv1.3
 	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
 	ProxyPreserveHost On
 	ProxyRequests Off
 	ProxyVia On
 	RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
 	# Proxy all remaining traffic to the Synapse port
 	# Beware: In this example the local traffic goes to the local synapse server at 127.0.0.1
 	# Of course you can use another IPADRESS in case of using other synapse servers in your network
 	AllowEncodedSlashes NoDecode
 	ProxyPass /_matrix http://127.0.0.1:8048/_matrix retry=0 nocanon
 	ProxyPassReverse /_matrix http://127.0.0.1:8048/_matrix
 	ErrorLog ${APACHE_LOG_DIR}/matrix.DOMAIN-error.log
 	CustomLog ${APACHE_LOG_DIR}/matrix.DOMAIN-access.log combined
 </VirtualHost>
--- a/examples/caddy/matrix-client-element
+++ b/examples/caddy/matrix-client-element
@ -1,8 +0,0 @@
 https://element.DOMAIN {
 	# These might differ if you are supplying your own certificates
 	tls /matrix/ssl/config/live/element.DOMAIN/fullchain.pem /matrix/ssl/config/live/element.DOMAIN/privkey.pem
 	proxy / http://127.0.0.1:8765 {
 		transparent
 	}
 }
--- a/examples/caddy/matrix-dimension
+++ b/examples/caddy/matrix-dimension
@ -1,9 +0,0 @@
 https://dimension.DOMAIN {
 	# These might differ if you are supplying your own certificates
 	# If you wish to use Caddy's built-in Let's Encrypt support, you can also supply an email address here
 	tls /matrix/ssl/config/live/dimension.DOMAIN/fullchain.pem /matrix/ssl/config/live/dimension.DOMAIN/privkey.pem
 	proxy / http://127.0.0.1:8184/ {
 		transparent
 	}
 }
--- a/examples/caddy/matrix-synapse
+++ b/examples/caddy/matrix-synapse
@ -1,31 +0,0 @@
 https://matrix.DOMAIN {
 	# If you use your own certificates, your path may differ
 	# If you wish to use Caddy's built-in Let's Encrypt support, you can also supply an email address here
 	tls /matrix/ssl/config/live/matrix.DOMAIN/fullchain.pem /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem
 	root /matrix/static-files
 	header / {
 		Access-Control-Allow-Origin *
 		Strict-Transport-Security "mag=age=31536000;"
 		X-Frame-Options "DENY"
 		X-XSS-Protection "1; mode=block"
 	}
 	# Identity server traffic
 	proxy /_matrix/identity matrix-ma1sd:8090 {
 		transparent
 	}
 	proxy /_matrix/client/r0/user_directory/search matrix-ma1sd:8090 {
 		transparent
 	}
 	# Synapse Client<>Server API
 	proxy /_matrix matrix-synapse-reverse-proxy-companion:8008 {
 		transparent
 		except /_matrix/identity/ /_matrix/client/r0/user_directory/search
 	}
 	proxy /_synapse/client matrix-synapse-reverse-proxy-companion:8008 {
 		transparent
 	}
 }
--- a/examples/caddy/matrix-util
+++ b/examples/caddy/matrix-util
@ -1,7 +0,0 @@
 :80 {
 	# Redirect ACME-Challenge traffic to port 2402
 	proxy /.well-known/acme-challenge http://127.0.0.1:2402
 	# Redirect all other traffic to HTTPS
 	redir /  https://{host}{uri} 301
 }
--- a/examples/caddy2/Caddyfile.deprecated
+++ b/examples/caddy2/Caddyfile.deprecated
@ -1,269 +0,0 @@
 (cors) {
 	@cors_preflight method OPTIONS
 	handle @cors_preflight {
 		header Access-Control-Allow-Origin "{args.0}"
 		header Access-Control-Allow-Methods "HEAD, GET, POST, PUT, PATCH, DELETE"
 		header Access-Control-Allow-Headers "Content-Type, Authorization"
 		header Access-Control-Max-Age "3600"
 	}
 }
 matrix.DOMAIN.tld {
  # creates letsencrypt certificate
  # tls your@email.com
  @identity {
        path /_matrix/identity/*
  }
  @noidentity {
        not path /_matrix/identity/*
  }
  @search {
        path /_matrix/client/r0/user_directory/search/*
  }
  @nosearch {
        not path /_matrix/client/r0/user_directory/search/*
  }
  @static {
        path /matrix/static-files/*
  }
  @nostatic {
        not path /matrix/static-files/*
  }
  @wellknown {
        path /.well-known/matrix/*
  }
  header {
        # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        # Enable cross-site filter (XSS) and tell browser to block detected attacks
        X-XSS-Protection "1; mode=block"
        # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
        X-Content-Type-Options "nosniff"
        # Disallow the site to be rendered within a frame (clickjacking protection)
        X-Frame-Options "DENY"
        # X-Robots-Tag
        X-Robots-Tag "noindex, noarchive, nofollow"
  }
  # Cache
  header @static {
        # Cache
    Cache-Control "public, max-age=31536000"
    defer
  }
  # identity
  handle @identity {
        reverse_proxy localhost:8090  {
               header_up X-Forwarded-Port {http.request.port}
               header_up X-Forwarded-Proto {http.request.scheme}
               header_up X-Forwarded-TlsProto {tls_protocol}
               header_up X-Forwarded-TlsCipher {tls_cipher}
               header_up X-Forwarded-HttpsProto {proto}
        }
  }
  # search
  handle @search {
        reverse_proxy localhost:8090   {
               header_up X-Forwarded-Port {http.request.port}
               header_up X-Forwarded-Proto {http.request.scheme}
               header_up X-Forwarded-TlsProto {tls_protocol}
               header_up X-Forwarded-TlsCipher {tls_cipher}
               header_up X-Forwarded-HttpsProto {proto}
        }
  }
  handle @wellknown {
        encode zstd gzip
        root * /matrix/static-files
 	header Cache-Control max-age=14400
        header Content-Type application/json
        header Access-Control-Allow-Origin *
        file_server
  }
  # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the base domain
  #handle @wellknown {
  #  # .well-known is handled by base domain
  #  reverse_proxy https://DOMAIN.tld {
  #  header_up Host {http.reverse_proxy.upstream.hostport}
  #}
  handle {
        encode zstd gzip
        reverse_proxy localhost:8008  {
               header_up X-Forwarded-Port {http.request.port}
               header_up X-Forwarded-Proto {http.request.scheme}
               header_up X-Forwarded-TlsProto {tls_protocol}
               header_up X-Forwarded-TlsCipher {tls_cipher}
               header_up X-Forwarded-HttpsProto {proto}
        }
  }
 }
 matrix.DOMAIN.tld:8448 {
    handle {
        encode zstd gzip
        reverse_proxy 127.0.0.1:8048 {
               header_up X-Forwarded-Port {http.request.port}
               header_up X-Forwarded-Proto {http.request.scheme}
               header_up X-Forwarded-TlsProto {tls_protocol}
               header_up X-Forwarded-TlsCipher {tls_cipher}
               header_up X-Forwarded-HttpsProto {proto}
        }
    }
 }
 element.DOMAIN.tld {
      # creates letsencrypt certificate
      # tls your@email.com
      import cors https://*.DOMAIN.tld
      header {
                # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
                Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
                # Enable cross-site filter (XSS) and tell browser to block detected attacks
                X-XSS-Protection "1; mode=block"
                # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
                X-Content-Type-Options "nosniff"
                # Disallow the site to be rendered within a frame (clickjacking protection)
                X-Frame-Options "DENY"
                # If using integrations that add frames to Element, such as Dimension and its integrations running on the same domain, it can be a good idea to limit sources allowed to be rendered
                # Content-Security-Policy frame-src https://*.DOMAIN.tld
                # X-Robots-Tag
                X-Robots-Tag "noindex, noarchive, nofollow"
        }
        handle {
              encode zstd gzip
              reverse_proxy localhost:8765 {
                     header_up X-Forwarded-Port {http.request.port}
                     header_up X-Forwarded-Proto {http.request.scheme}
                     header_up X-Forwarded-TlsProto {tls_protocol}
                     header_up X-Forwarded-TlsCipher {tls_cipher}
                     header_up X-Forwarded-HttpsProto {proto}
        }
 }
 #dimension.DOMAIN.tld {
 #
 #      # creates letsencrypt certificate
 #      # tls your@email.com
 #
 #      import cors https://*.DOMAIN.tld
 #
 #      header {
 #          # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
 #          Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
 #          # Enable cross-site filter (XSS) and tell browser to block detected attacks
 #          X-XSS-Protection "1; mode=block"
 #          # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
 #          X-Content-Type-Options "nosniff"
 #          # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain (clickjacking protection)
 #          Content-Security-Policy frame-ancestors https://*.DOMAIN.tld
 #          # X-Robots-Tag
 #          X-Robots-Tag "noindex, noarchive, nofollow"
 #    }
 #
 #      handle {
 #          encode zstd gzip
 #
 #          reverse_proxy localhost:8184  {
 #                  header_up X-Forwarded-Port {http.request.port}
 #                  header_up X-Forwarded-Proto {http.request.scheme}
 #                  header_up X-Forwarded-TlsProto {tls_protocol}
 #                  header_up X-Forwarded-TlsCipher {tls_cipher}
 #                  header_up X-Forwarded-HttpsProto {proto}
 #          }
 #    }
 #}
 #jitsi.DOMAIN.tld {
 #
 #  creates letsencrypt certificate
 #  tls your@email.com
 #
 #  import cors https://*.DOMAIN.tld
 #
 #  header {
 #        # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
 #        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
 #
 #        # Enable cross-site filter (XSS) and tell browser to block detected attacks
 #        X-XSS-Protection "1; mode=block"
 #
 #        # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
 #        X-Content-Type-Options "nosniff"
 #        # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain
 #        Content-Security-Policy frame-ancestors https://*.DOMAIN.tld
 #
 #        # Disable some features
 #        Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope #'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
 #
 #        # Referer
 #        Referrer-Policy "no-referrer"
 #
 #        # X-Robots-Tag
 #        X-Robots-Tag "none"
 #
 #        # Remove Server header
 #        -Server
 #  }
 #
 #  handle {
 #        encode zstd gzip
 #
 #        reverse_proxy 127.0.0.1:13080 {
 #               header_up X-Forwarded-Port {http.request.port}
 #               header_up X-Forwarded-Proto {http.request.scheme}
 #               header_up X-Forwarded-TlsProto {tls_protocol}
 #               header_up X-Forwarded-TlsCipher {tls_cipher}
 #               header_up X-Forwarded-HttpsProto {proto}
 #        }
 #  }
 #}
 #DOMAIN.com {
 # Uncomment this if you are following "(Option 3): Setting up reverse-proxying of the well-known files from the base domain's server to the Matrix server" of https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md#option-3-setting-up-reverse-proxying-of-the-well-known-files-from-the-base-domains-server-to-the-matrix-server
 #    @wellknown {
 #        path /.well-known/matrix/*
 #    }
 #
 #    handle @wellknown {
 #        reverse_proxy https://matrix.DOMAIN.com {
 #            header_up Host {http.reverse_proxy.upstream.hostport}
 #        }
 #    }
 #    # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the matrix subdomain
 #      # handle /.well-known/* {
 #	#	encode zstd gzip
 #	#	header Cache-Control max-age=14400
 #	#	header Content-Type application/json
 #	#	header Access-Control-Allow-Origin *
 #	#}
 #
 #    # Configration for the base domain goes here
 #   # handle {
 #   #    header -Server
 #   #     encode zstd gzip
 #   #    reverse_proxy localhost:4020
 #   # }
 #}
--- a/examples/caddy2/README.md
+++ b/examples/caddy2/README.md
@ -14,7 +14,3 @@ You can either just use the [Caddyfile](Caddyfile) directly or append its conten
 In both cases make sure to replace all the `example.tld` domains with your own domain.
 This example does not include additional services like element, but you should be able copy the first block and replace the matrix subdomain with the additional services subdomain. I have not tested this though.
 # Caddyfile.deprecated
 This can be used as a [Caddy](https://caddyserver.com/) reverse-proxy without intermediary playbook managed reverse proxy. However, this setup is not supported by the playbook anymore. Instead [front the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) as described above.
--- a/examples/haproxy/Dockerfile
+++ b/examples/haproxy/Dockerfile
@ -1,12 +0,0 @@
 # Pull nginx base image
 FROM nginx:latest
 # Expost port 80
 EXPOSE 80
 # Copy custom configuration file from the current directory
 COPY nginx.conf /etc/nginx/nginx.conf
 # Start up nginx server
 CMD ["nginx"]
--- a/examples/haproxy/README.md
+++ b/examples/haproxy/README.md
@ -3,24 +3,7 @@
 This directory contains sample files that show you how to do reverse-proxying using HAproxy.
 This is for when you wish to have your own HAproxy instance sitting in front of Matrix services installed by this playbook.
 See the [Using your own webserver, instead of this playbook's nginx proxy](../../docs/configuring-playbook-own-webserver.md) documentation page.
-To use your own HAproxy reverse-proxy, you first need to disable the integrated Nginx server.
+We recommend that you use HAProxy in front of Traefik. See our [Fronting the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) documentation.
 You do that with the following custom configuration (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
 ```yaml
 matrix_nginx_proxy_enabled: false
 ```
 You can then use the configuration files from this directory as an example for how to configure your HAproxy reverse proxy.
 **NOTE**: this is just an example and may not be entirely accurate. It may also not cover other use cases or performance needs.
 ### Configuration
 HAproxy, unlike Apache, Nginx and others, does not provide you with a webserver to serve static files (i.e., `/.well-known/` directory). For this reason, in this folder you can find an example on how to use HAproxy together with a simple Nginx container whose only task is to serve those files.
 * Build the Docker image. `docker build -t local/nginx .` 
 * Start the container. `docker-compose up -d`. Note that if you want to run Nginx on a different port, you will have to change the port both in the `docker-compose.yml` and in `haproxy.cfg`.
 * If you don't want to use a wildcard certificate, you will need to modify the corresponding line in the HTTPS frontent and add the paths of all the specific certificates (as for the commented example in `haproxy.cfg`).
 * Start HAproxy with the proposed configuration.
--- a/examples/haproxy/docker-compose.yml
+++ b/examples/haproxy/docker-compose.yml
@ -1,9 +0,0 @@
 ---
 version: '3'
 services:
  nginx:
    image: local/nginx
    ports:
      - 40888:80
    volumes:
      - /matrix/static-files:/var/www/:ro
--- a/examples/haproxy/haproxy.cfg
+++ b/examples/haproxy/haproxy.cfg
@ -43,29 +43,16 @@ frontend https-frontend
    reqadd X-Forwarded-Proto:\ https
    option httplog
    option http-server-close
-    #
+
-    # Matrix
+    # You can do per-domain routing (as shown above),
-    #
+	# or just send everything to the same backend via `default_backend`.
-    # matrix.example.com
+
    acl matrix_domain hdr_dom(host) -i matrix.example.com
    acl static_files path -i -m beg /.well-known/matrix
    use_backend nginx-static if static_files
    # /_matrix/identity and /_matrix/client/r0/user_directory/search
    acl matrix_identity path -i -m beg /_matrix/identity
    acl matrix_search path -i -m beg /_matrix/client/r0/user_directory/search
    # Send to :8090
    use_backend matrix-supporting if matrix_identity or matrix_search
    # /_matrix and /_synapse/admin
    acl matrix_path path -i -m beg /_matrix
    acl synapse_admin path -i -m beg /_synapse/admin
    # Send to :8008
    use_backend matrix-main if matrix_path or synapse_admin
    # element.example.com
    acl element_domain hdr_dom(host) -i element.example.com
    # Send to 8765
    use_backend element if element_domain
    # If nothing else match, just send to default matrix backend
    use_backend matrix-main if matrix_domain
    acl matrix_domain hdr_dom(host) -i element.example.com
    use_backend matrix-main if matrix_domain
    #default_backend matrix-main
 frontend matrix-federation
@ -75,14 +62,11 @@ frontend matrix-federation
  option http-server-close
  default_backend synapse
 backend matrix-supporting
     server matrix-supporting 127.0.0.1:8090 check
 backend matrix-main
-     server matrix-main 127.0.0.1:8008 check
+     server matrix-main 127.0.0.1:81 check
-backend synapse
+backend matrix-federation
-     server synapse 127.0.0.1:8048 check
+     server matrix-federation 127.0.0.1:8049 check
 backend nginx-static
     capture request header origin len 128
--- a/examples/haproxy/nginx.conf
+++ b/examples/haproxy/nginx.conf
@ -1,15 +0,0 @@
 worker_processes auto;
 daemon off;
 events {
  worker_connections 1024;
 }
 http {
  server_tokens off;
  server {
    listen 80;
    index index.html;
    root /var/www;
  }
 }