From 1434c371bd4c699783a21a2e321f2d8afce2e9f1 Mon Sep 17 00:00:00 2001 From: Marc Leuser Date: Mon, 15 Feb 2021 10:46:23 +0100 Subject: [PATCH 1/2] safer port binding of etherpad docker container don't bind to any host port if nginx_proxy is used only bind to localhost if it's not used --- group_vars/matrix_servers | 2 ++ roles/matrix-etherpad/defaults/main.yml | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 11d6e7150..843dfb20d 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -765,6 +765,8 @@ matrix_dimension_database_password: "{{ matrix_synapse_macaroon_secret_key | pas matrix_etherpad_enabled: false +matrix_etherpad_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9001' }}" + matrix_etherpad_systemd_required_services_list: | {{ ['docker.service'] diff --git a/roles/matrix-etherpad/defaults/main.yml b/roles/matrix-etherpad/defaults/main.yml index 28bb0c8d3..d5cac2f3b 100644 --- a/roles/matrix-etherpad/defaults/main.yml +++ b/roles/matrix-etherpad/defaults/main.yml @@ -19,7 +19,7 @@ matrix_etherpad_user_gid: '5001' # Controls whether the matrix-etherpad container exposes its HTTP port (tcp/9001 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:9001"), or empty string to not expose. -matrix_etherpad_container_http_host_bind_port: '9001' +matrix_etherpad_container_http_host_bind_port: '' # A list of extra arguments to pass to the container matrix_etherpad_container_extra_arguments: [] From fd3d48bb6d7f1e1584d2e7d1ba20580be1d103f4 Mon Sep 17 00:00:00 2001 From: Marc Leuser Date: Mon, 15 Feb 2021 10:50:45 +0100 Subject: [PATCH 2/2] trust the reverse proxy by default --- roles/matrix-etherpad/defaults/main.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/roles/matrix-etherpad/defaults/main.yml b/roles/matrix-etherpad/defaults/main.yml index d5cac2f3b..e7ba6002a 100644 --- a/roles/matrix-etherpad/defaults/main.yml +++ b/roles/matrix-etherpad/defaults/main.yml @@ -22,7 +22,12 @@ matrix_etherpad_user_gid: '5001' matrix_etherpad_container_http_host_bind_port: '' # A list of extra arguments to pass to the container -matrix_etherpad_container_extra_arguments: [] +# +# We assume that a reverse proxy is used and tell the container to trust it +# Details: https://github.com/ether/etherpad-lite/blob/develop/doc/docker.md +matrix_etherpad_container_extra_arguments: [ + '--env TRUST_PROXY=true' +] matrix_etherpad_public_endpoint: '/etherpad'