	GoMatrixHosting v0.5.5
		| @@ -0,0 +1,95 @@ | ||||
| #jinja2: lstrip_blocks: "True" | ||||
|  | ||||
| {% macro render_vhost_directives() %} | ||||
| 	root /nginx-data/matrix-domain; | ||||
|  | ||||
| 	gzip on; | ||||
| 	gzip_types text/plain application/json; | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_floc_optout_enabled %} | ||||
| 		add_header Permissions-Policy interest-cohort=() always; | ||||
| 	{% endif %} | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_hsts_preload_enabled %} | ||||
| 		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; | ||||
| 	{% else %} | ||||
| 		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; | ||||
| 	{% endif %} | ||||
|  | ||||
| 	add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; | ||||
|  | ||||
| 	{% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %} | ||||
| 		{{- configuration_block }} | ||||
| 	{% endfor %} | ||||
|  | ||||
| 	location /.well-known/matrix { | ||||
| 		root {{ matrix_static_files_base_path }}; | ||||
| 		{# | ||||
| 			A somewhat long expires value is used to prevent outages | ||||
| 			in case this is unreachable due to network failure. | ||||
| 		#} | ||||
| 		expires 4h; | ||||
| 		default_type application/json; | ||||
| 		add_header Access-Control-Allow-Origin *; | ||||
| 	} | ||||
| {% endmacro %} | ||||
|  | ||||
| server { | ||||
| 	listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; | ||||
|  | ||||
| 	server_name {{ matrix_nginx_proxy_base_domain_hostname }}; | ||||
| 	server_tokens off; | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_https_enabled %} | ||||
| 		location /.well-known/acme-challenge { | ||||
| 			{% if matrix_nginx_proxy_enabled %} | ||||
| 				{# Use the embedded DNS resolver in Docker containers to discover the service #} | ||||
| 				resolver 127.0.0.11 valid=5s; | ||||
| 				set $backend "matrix-certbot:8080"; | ||||
| 				proxy_pass http://$backend; | ||||
| 			{% else %} | ||||
| 				{# Generic configuration for use outside of our container setup #} | ||||
| 				proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; | ||||
| 			{% endif %} | ||||
| 		} | ||||
|  | ||||
| 		location / { | ||||
| 			return 301 https://$http_host$request_uri; | ||||
| 		} | ||||
| 	{% else %} | ||||
| 		{{ render_vhost_directives() }} | ||||
| 	{% endif %} | ||||
| } | ||||
|  | ||||
| {% if matrix_nginx_proxy_https_enabled %} | ||||
| server { | ||||
| 	listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; | ||||
| 	listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; | ||||
|  | ||||
| 	server_name {{ matrix_nginx_proxy_base_domain_hostname }}; | ||||
| 	server_tokens off; | ||||
|  | ||||
| 	ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/fullchain.pem; | ||||
| 	ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/privkey.pem; | ||||
|  | ||||
| 	ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; | ||||
| 	{% if matrix_nginx_proxy_ssl_ciphers != '' %} | ||||
| 	ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; | ||||
| 	{% endif %} | ||||
| 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_ocsp_stapling_enabled %} | ||||
| 		ssl_stapling on; | ||||
| 		ssl_stapling_verify on; | ||||
| 		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; | ||||
| 	{% endif %} | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_ssl_session_tickets_off %} | ||||
| 		ssl_session_tickets off; | ||||
| 	{% endif %} | ||||
| 	ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; | ||||
| 	ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; | ||||
|  | ||||
| 	{{ render_vhost_directives() }} | ||||
| } | ||||
| {% endif %} | ||||
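Review bot: The `location /.well-known/matrix` block declares its own `add_header Access-Control-Allow-Origin *;`, and in nginx a block that has any `add_header` of its own stops inheriting the parent's `add_header` directives, so responses from this location go out without the Strict-Transport-Security, X-XSS-Protection and Permissions-Policy headers set a few lines above in the same macro. The well-known document is fetched by every client and federation peer, so repeat the conditional Strict-Transport-Security directive inside the location (or move the header set into a small macro invoked from both places) instead of relying on inheritance. The wildcard CORS origin itself is presumably intentional, since Matrix well-known discovery is meant to be readable cross-origin; a one-line comment such as `{# Wildcard CORS is deliberate: web clients on other origins must be able to read this discovery document #}` would stop a later hardening pass from removing it. Minor: `add_header X-XSS-Protection` lacks `always`, unlike the HSTS lines beside it.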
| @@ -0,0 +1,95 @@ | ||||
| #jinja2: lstrip_blocks: "True" | ||||
|  | ||||
| {% macro render_vhost_directives() %} | ||||
| 	gzip on; | ||||
| 	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; | ||||
| 	{% if matrix_nginx_proxy_hsts_preload_enabled %} | ||||
| 		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; | ||||
| 	{% else %} | ||||
| 		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; | ||||
| 	{% endif %} | ||||
| 	add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; | ||||
| 	add_header X-Content-Type-Options nosniff; | ||||
|  | ||||
| {% for configuration_block in matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks %} | ||||
| 	{{- configuration_block }} | ||||
| {% endfor %} | ||||
|  | ||||
| 	location / { | ||||
| 		{% if matrix_nginx_proxy_enabled %} | ||||
| 			{# Use the embedded DNS resolver in Docker containers to discover the service #} | ||||
| 			resolver 127.0.0.11 valid=5s; | ||||
| 			set $backend "matrix-bot-go-neb:4050"; | ||||
| 			proxy_pass http://$backend; | ||||
| 		{% else %} | ||||
| 			{# Generic configuration for use outside of our container setup #} | ||||
| 			proxy_pass http://127.0.0.1:4050; | ||||
| 		{% endif %} | ||||
|  | ||||
| 		proxy_set_header Host $host; | ||||
| 		proxy_set_header X-Forwarded-For $remote_addr; | ||||
| 	} | ||||
| {% endmacro %} | ||||
|  | ||||
| server { | ||||
| 	listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; | ||||
| 	server_name {{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}; | ||||
|  | ||||
| 	server_tokens off; | ||||
| 	root /dev/null; | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_https_enabled %} | ||||
| 		location /.well-known/acme-challenge { | ||||
| 			{% if matrix_nginx_proxy_enabled %} | ||||
| 				{# Use the embedded DNS resolver in Docker containers to discover the service #} | ||||
| 				resolver 127.0.0.11 valid=5s; | ||||
| 				set $backend "matrix-certbot:8080"; | ||||
| 				proxy_pass http://$backend; | ||||
| 			{% else %} | ||||
| 				{# Generic configuration for use outside of our container setup #} | ||||
| 				proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; | ||||
| 			{% endif %} | ||||
| 		} | ||||
|  | ||||
| 		location / { | ||||
| 			return 301 https://$http_host$request_uri; | ||||
| 		} | ||||
| 	{% else %} | ||||
| 		{{ render_vhost_directives() }} | ||||
| 	{% endif %} | ||||
| } | ||||
|  | ||||
| {% if matrix_nginx_proxy_https_enabled %} | ||||
| server { | ||||
| 	listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; | ||||
| 	listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; | ||||
|  | ||||
| 	server_name {{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}; | ||||
|  | ||||
| 	server_tokens off; | ||||
| 	root /dev/null; | ||||
|  | ||||
| 	ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}/fullchain.pem; | ||||
| 	ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}/privkey.pem; | ||||
|  | ||||
| 	ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; | ||||
| 	{% if matrix_nginx_proxy_ssl_ciphers != '' %} | ||||
| 	ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; | ||||
| 	{% endif %} | ||||
| 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_ocsp_stapling_enabled %} | ||||
| 		ssl_stapling on; | ||||
| 		ssl_stapling_verify on; | ||||
| 		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}/chain.pem; | ||||
| 	{% endif %} | ||||
| 	 | ||||
| 	{% if matrix_nginx_proxy_ssl_session_tickets_off %} | ||||
| 		ssl_session_tickets off; | ||||
| 	{% endif %} | ||||
| 	ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; | ||||
| 	ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; | ||||
|  | ||||
| 	{{ render_vhost_directives() }} | ||||
| } | ||||
| {% endif %} | ||||
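Review bot: The go-neb `location /` forwards `Host` and `X-Forwarded-For` but not `X-Forwarded-Proto`, whereas the proxied locations in the Matrix-domain template in this same commit also send `proxy_set_header X-Forwarded-Proto $scheme;`; without it the bot cannot tell whether the original request arrived over TLS, so add the same line here for consistency. Separately, `return 301 https://$http_host$request_uri;` reflects the client-supplied Host header into the redirect; with `server_name` set this only matters if this vhost ends up as the default server for the port, but that assumption deserves a short Jinja comment next to the redirect. Style: the `configuration_block` loop sits at column 0 inside the macro while the equivalent loop in the Element template is indented — harmless under `lstrip_blocks`, but worth aligning across these near-identical files.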
| @@ -0,0 +1,104 @@ | ||||
| #jinja2: lstrip_blocks: "True" | ||||
|  | ||||
| {% macro render_vhost_directives() %} | ||||
| 	gzip on; | ||||
| 	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_hsts_preload_enabled %} | ||||
| 		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; | ||||
| 	{% else %} | ||||
| 		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; | ||||
| 	{% endif %} | ||||
| 	add_header X-Content-Type-Options nosniff; | ||||
| 	add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; | ||||
| 	add_header X-Frame-Options SAMEORIGIN; | ||||
| 	add_header Content-Security-Policy "frame-ancestors 'self'"; | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_floc_optout_enabled %} | ||||
| 		add_header Permissions-Policy interest-cohort=() always; | ||||
| 	{% endif %} | ||||
|  | ||||
|  | ||||
| 	{% for configuration_block in matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks %} | ||||
| 		{{- configuration_block }} | ||||
| 	{% endfor %} | ||||
|  | ||||
| 	location / { | ||||
| 		{% if matrix_nginx_proxy_enabled %} | ||||
| 			{# Use the embedded DNS resolver in Docker containers to discover the service #} | ||||
| 			resolver 127.0.0.11 valid=5s; | ||||
| 			set $backend "matrix-client-element:8080"; | ||||
| 			proxy_pass http://$backend; | ||||
| 		{% else %} | ||||
| 			{# Generic configuration for use outside of our container setup #} | ||||
| 			proxy_pass http://127.0.0.1:8765; | ||||
| 		{% endif %} | ||||
|  | ||||
| 		proxy_set_header Host $host; | ||||
| 		proxy_set_header X-Forwarded-For $remote_addr; | ||||
| 	} | ||||
| {% endmacro %} | ||||
|  | ||||
| server { | ||||
| 	listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; | ||||
|  | ||||
| 	server_name {{ matrix_nginx_proxy_proxy_element_hostname }}; | ||||
|  | ||||
| 	server_tokens off; | ||||
| 	root /dev/null; | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_https_enabled %} | ||||
| 		location /.well-known/acme-challenge { | ||||
| 			{% if matrix_nginx_proxy_enabled %} | ||||
| 				{# Use the embedded DNS resolver in Docker containers to discover the service #} | ||||
| 				resolver 127.0.0.11 valid=5s; | ||||
| 				set $backend "matrix-certbot:8080"; | ||||
| 				proxy_pass http://$backend; | ||||
| 			{% else %} | ||||
| 				{# Generic configuration for use outside of our container setup #} | ||||
| 				proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; | ||||
| 			{% endif %} | ||||
| 		} | ||||
|  | ||||
| 		location / { | ||||
| 			return 301 https://$http_host$request_uri; | ||||
| 		} | ||||
| 	{% else %} | ||||
| 		{{ render_vhost_directives() }} | ||||
| 	{% endif %} | ||||
| } | ||||
|  | ||||
| {% if matrix_nginx_proxy_https_enabled %} | ||||
| server { | ||||
| 	listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; | ||||
| 	listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; | ||||
|  | ||||
| 	server_name {{ matrix_nginx_proxy_proxy_element_hostname }}; | ||||
|  | ||||
| 	server_tokens off; | ||||
| 	root /dev/null; | ||||
|  | ||||
| 	ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/fullchain.pem; | ||||
| 	ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/privkey.pem; | ||||
|  | ||||
| 	ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; | ||||
| 	{% if matrix_nginx_proxy_ssl_ciphers != "" %} | ||||
| 	ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; | ||||
| 	{% endif %} | ||||
| 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_ocsp_stapling_enabled %} | ||||
| 		ssl_stapling on; | ||||
| 		ssl_stapling_verify on; | ||||
| 		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/chain.pem; | ||||
| 	{% endif %} | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_ssl_session_tickets_off %} | ||||
| 		ssl_session_tickets off; | ||||
| 	{% endif %} | ||||
| 	ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; | ||||
| 	ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; | ||||
|  | ||||
| 	{{ render_vhost_directives() }} | ||||
| } | ||||
| {% endif %} | ||||
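Review bot: The `X-Content-Type-Options`, `X-XSS-Protection`, `X-Frame-Options` and `Content-Security-Policy` directives in the Element macro are set without `always`, so nginx emits them only on 2xx/3xx responses; any 4xx/5xx page relayed from the Element container is delivered without the frame-ancestors protection, while the HSTS lines directly above do carry `always`. Appending `always` to each of those four lines, e.g. `add_header X-Frame-Options SAMEORIGIN always;` and `add_header Content-Security-Policy "frame-ancestors 'self'" always;`, closes that gap at no cost. Minor: this file compares `matrix_nginx_proxy_ssl_ciphers != ""` where the sibling templates use `''` — equivalent in Jinja, but the inconsistency stands out in a set of otherwise identical blocks.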
| @@ -0,0 +1,102 @@ | ||||
| #jinja2: lstrip_blocks: "True" | ||||
|  | ||||
| {% macro render_vhost_directives() %} | ||||
| 	gzip on; | ||||
| 	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_hsts_preload_enabled %} | ||||
| 		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; | ||||
| 	{% else %} | ||||
| 		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; | ||||
| 	{% endif %} | ||||
| 	add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; | ||||
| 	add_header X-Content-Type-Options nosniff; | ||||
| 	add_header X-Frame-Options SAMEORIGIN; | ||||
| 	add_header Content-Security-Policy "frame-ancestors 'none'"; | ||||
| 	{% if matrix_nginx_proxy_floc_optout_enabled %} | ||||
| 		add_header Permissions-Policy interest-cohort=() always; | ||||
| 	{% endif %} | ||||
|  | ||||
| 	{% for configuration_block in matrix_nginx_proxy_proxy_hydrogen_additional_server_configuration_blocks %} | ||||
| 		{{- configuration_block }} | ||||
| 	{% endfor %} | ||||
|  | ||||
| 	location / { | ||||
| 		{% if matrix_nginx_proxy_enabled %} | ||||
| 			{# Use the embedded DNS resolver in Docker containers to discover the service #} | ||||
| 			resolver 127.0.0.11 valid=5s; | ||||
| 			set $backend "matrix-client-hydrogen:8080"; | ||||
| 			proxy_pass http://$backend; | ||||
| 		{% else %} | ||||
| 			{# Generic configuration for use outside of our container setup #} | ||||
| 			proxy_pass http://127.0.0.1:8768; | ||||
| 		{% endif %} | ||||
|  | ||||
| 		proxy_set_header Host $host; | ||||
| 		proxy_set_header X-Forwarded-For $remote_addr; | ||||
| 	} | ||||
| {% endmacro %} | ||||
|  | ||||
| server { | ||||
| 	listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; | ||||
|  | ||||
| 	server_name {{ matrix_nginx_proxy_proxy_hydrogen_hostname }}; | ||||
|  | ||||
| 	server_tokens off; | ||||
| 	root /dev/null; | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_https_enabled %} | ||||
| 		location /.well-known/acme-challenge { | ||||
| 			{% if matrix_nginx_proxy_enabled %} | ||||
| 				{# Use the embedded DNS resolver in Docker containers to discover the service #} | ||||
| 				resolver 127.0.0.11 valid=5s; | ||||
| 				set $backend "matrix-certbot:8080"; | ||||
| 				proxy_pass http://$backend; | ||||
| 			{% else %} | ||||
| 				{# Generic configuration for use outside of our container setup #} | ||||
| 				proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; | ||||
| 			{% endif %} | ||||
| 		} | ||||
|  | ||||
| 		location / { | ||||
| 			return 301 https://$http_host$request_uri; | ||||
| 		} | ||||
| 	{% else %} | ||||
| 		{{ render_vhost_directives() }} | ||||
| 	{% endif %} | ||||
| } | ||||
|  | ||||
| {% if matrix_nginx_proxy_https_enabled %} | ||||
| server { | ||||
| 	listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; | ||||
| 	listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; | ||||
|  | ||||
| 	server_name {{ matrix_nginx_proxy_proxy_hydrogen_hostname }}; | ||||
|  | ||||
| 	server_tokens off; | ||||
| 	root /dev/null; | ||||
|  | ||||
| 	ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_hydrogen_hostname }}/fullchain.pem; | ||||
| 	ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_hydrogen_hostname }}/privkey.pem; | ||||
|  | ||||
| 	ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; | ||||
| 	{% if matrix_nginx_proxy_ssl_ciphers != "" %} | ||||
| 	ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; | ||||
| 	{% endif %} | ||||
| 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_ocsp_stapling_enabled %} | ||||
| 		ssl_stapling on; | ||||
| 		ssl_stapling_verify on; | ||||
| 		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/chain.pem; | ||||
| 	{% endif %} | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_ssl_session_tickets_off %} | ||||
| 		ssl_session_tickets off; | ||||
| 	{% endif %} | ||||
| 	ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; | ||||
| 	ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; | ||||
|  | ||||
| 	{{ render_vhost_directives() }} | ||||
| } | ||||
| {% endif %} | ||||
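Review bot: `ssl_trusted_certificate` in the Hydrogen HTTPS vhost points at `{{ matrix_nginx_proxy_proxy_element_hostname }}/chain.pem`, while `ssl_certificate` and `ssl_certificate_key` two directives above use `matrix_nginx_proxy_proxy_hydrogen_hostname` — this looks like a copy-paste slip from the Element template. With `ssl_stapling_verify on` the Hydrogen OCSP response would be validated against Element's issuer chain, and if Element is not deployed the file will not exist and nginx will reject the configuration as soon as OCSP stapling is enabled. Change it to `ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_hydrogen_hostname }}/chain.pem;`. Separately, the macro pairs `X-Frame-Options SAMEORIGIN` with `Content-Security-Policy "frame-ancestors 'none'"`: CSP-aware browsers deny all framing while legacy ones allow same-origin, so if no framing is intended use `add_header X-Frame-Options DENY;` to match.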
| @@ -0,0 +1,98 @@ | ||||
| #jinja2: lstrip_blocks: "True" | ||||
|  | ||||
| {% macro render_vhost_directives() %} | ||||
| 	gzip on; | ||||
| 	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; | ||||
| 	{% if matrix_nginx_proxy_hsts_preload_enabled %} | ||||
| 		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; | ||||
| 	{% else %} | ||||
| 		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; | ||||
| 	{% endif %} | ||||
| 	add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; | ||||
| 	add_header X-Content-Type-Options nosniff; | ||||
| 	{% if matrix_nginx_proxy_floc_optout_enabled %} | ||||
| 		add_header Permissions-Policy interest-cohort=() always; | ||||
| 	{% endif %} | ||||
|  | ||||
| {% for configuration_block in matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks %} | ||||
| 	{{- configuration_block }} | ||||
| {% endfor %} | ||||
|  | ||||
| 	location / { | ||||
| 		{% if matrix_nginx_proxy_enabled %} | ||||
| 			{# Use the embedded DNS resolver in Docker containers to discover the service #} | ||||
| 			resolver 127.0.0.11 valid=5s; | ||||
| 			set $backend "matrix-dimension:8184"; | ||||
| 			proxy_pass http://$backend; | ||||
| 		{% else %} | ||||
| 			{# Generic configuration for use outside of our container setup #} | ||||
| 			proxy_pass http://127.0.0.1:8184; | ||||
| 		{% endif %} | ||||
|  | ||||
| 		proxy_set_header Host $host; | ||||
| 		proxy_set_header X-Forwarded-For $remote_addr; | ||||
| 	} | ||||
| {% endmacro %} | ||||
|  | ||||
| server { | ||||
| 	listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; | ||||
| 	server_name {{ matrix_nginx_proxy_proxy_dimension_hostname }}; | ||||
|  | ||||
| 	server_tokens off; | ||||
| 	root /dev/null; | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_https_enabled %} | ||||
| 		location /.well-known/acme-challenge { | ||||
| 			{% if matrix_nginx_proxy_enabled %} | ||||
| 				{# Use the embedded DNS resolver in Docker containers to discover the service #} | ||||
| 				resolver 127.0.0.11 valid=5s; | ||||
| 				set $backend "matrix-certbot:8080"; | ||||
| 				proxy_pass http://$backend; | ||||
| 			{% else %} | ||||
| 				{# Generic configuration for use outside of our container setup #} | ||||
| 				proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; | ||||
| 			{% endif %} | ||||
| 		} | ||||
|  | ||||
| 		location / { | ||||
| 			return 301 https://$http_host$request_uri; | ||||
| 		} | ||||
| 	{% else %} | ||||
| 		{{ render_vhost_directives() }} | ||||
| 	{% endif %} | ||||
| } | ||||
|  | ||||
| {% if matrix_nginx_proxy_https_enabled %} | ||||
| server { | ||||
| 	listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; | ||||
| 	listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; | ||||
|  | ||||
| 	server_name {{ matrix_nginx_proxy_proxy_dimension_hostname }}; | ||||
|  | ||||
| 	server_tokens off; | ||||
| 	root /dev/null; | ||||
|  | ||||
| 	ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/fullchain.pem; | ||||
| 	ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/privkey.pem; | ||||
|  | ||||
| 	ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; | ||||
| 	{% if matrix_nginx_proxy_ssl_ciphers != '' %} | ||||
| 	ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; | ||||
| 	{% endif %} | ||||
| 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_ocsp_stapling_enabled %} | ||||
| 		ssl_stapling on; | ||||
| 		ssl_stapling_verify on; | ||||
| 		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/chain.pem; | ||||
| 	{% endif %} | ||||
| 	 | ||||
| 	{% if matrix_nginx_proxy_ssl_session_tickets_off %} | ||||
| 		ssl_session_tickets off; | ||||
| 	{% endif %} | ||||
| 	ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; | ||||
| 	ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; | ||||
|  | ||||
| 	{{ render_vhost_directives() }} | ||||
| } | ||||
| {% endif %} | ||||
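Review bot: Unlike the Element and Hydrogen templates in this commit, the Dimension macro sets neither `X-Frame-Options` nor a `frame-ancestors` policy, so the UI is embeddable from any origin; that is presumably deliberate, since an integration manager is loaded by the client inside an iframe, but nothing in the file says so and a later hardening pass could copy the headers over and break the embedding. Add a Jinja comment beside the header block, e.g. `{# No X-Frame-Options / frame-ancestors here on purpose: Dimension is embedded by the client in an iframe, so framing must stay allowed #}` (confirm the embedding model before wording it). The proxied `location /` also omits the `proxy_set_header X-Forwarded-Proto $scheme;` that the Matrix-domain locations send; adding it keeps the backend informed of the original scheme behind the 8080/8443 container ports.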
| @@ -0,0 +1,293 @@ | ||||
| #jinja2: lstrip_blocks: "True" | ||||
| {% macro render_nginx_status_location_block(addresses) %} | ||||
| 	{# Empty first line to make indentation prettier. #} | ||||
|  | ||||
| 	location /nginx_status { | ||||
| 		stub_status on; | ||||
| 		access_log off; | ||||
| 		{% for address in addresses %} | ||||
| 		allow {{ address }}; | ||||
| 		{% endfor %} | ||||
| 		deny all; | ||||
| 	} | ||||
| {% endmacro %} | ||||
|  | ||||
|  | ||||
| {% macro render_vhost_directives() %} | ||||
| 	gzip on; | ||||
| 	gzip_types text/plain application/json; | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_floc_optout_enabled %} | ||||
| 		add_header Permissions-Policy interest-cohort=() always; | ||||
| 	{% endif %} | ||||
| 	 | ||||
| 	{% if matrix_nginx_proxy_hsts_preload_enabled %} | ||||
| 		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; | ||||
| 	{% else %} | ||||
| 		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; | ||||
| 	{% endif %} | ||||
| 	 | ||||
| 	add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; | ||||
|  | ||||
| 	location /.well-known/matrix { | ||||
| 		root {{ matrix_static_files_base_path }}; | ||||
| 		{# | ||||
| 			A somewhat long expires value is used to prevent outages | ||||
| 			in case this is unreachable due to network failure or | ||||
| 			due to the base domain's server completely dying. | ||||
| 		#} | ||||
| 		expires 4h; | ||||
| 		default_type application/json; | ||||
| 		add_header Access-Control-Allow-Origin *; | ||||
| 	} | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_proxy_matrix_nginx_status_enabled %} | ||||
| 		{{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }} | ||||
| 	{% endif %} | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_proxy_matrix_corporal_api_enabled %} | ||||
| 	location ^~ /_matrix/corporal { | ||||
| 		{% if matrix_nginx_proxy_enabled %} | ||||
| 			{# Use the embedded DNS resolver in Docker containers to discover the service #} | ||||
| 			resolver 127.0.0.11 valid=5s; | ||||
| 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container }}"; | ||||
| 			proxy_pass http://$backend; | ||||
| 		{% else %} | ||||
| 			{# Generic configuration for use outside of our container setup #} | ||||
| 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container }}; | ||||
| 		{% endif %} | ||||
|  | ||||
| 		proxy_set_header Host $host; | ||||
| 		proxy_set_header X-Forwarded-For $remote_addr; | ||||
| 		proxy_set_header X-Forwarded-Proto $scheme; | ||||
| 	} | ||||
| 	{% endif %} | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_proxy_matrix_identity_api_enabled %} | ||||
| 	location ^~ /_matrix/identity { | ||||
| 		{% if matrix_nginx_proxy_enabled %} | ||||
| 			{# Use the embedded DNS resolver in Docker containers to discover the service #} | ||||
| 			resolver 127.0.0.11 valid=5s; | ||||
| 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}"; | ||||
| 			proxy_pass http://$backend; | ||||
| 		{% else %} | ||||
| 			{# Generic configuration for use outside of our container setup #} | ||||
| 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}; | ||||
| 		{% endif %} | ||||
|  | ||||
| 		proxy_set_header Host $host; | ||||
| 		proxy_set_header X-Forwarded-For $remote_addr; | ||||
| 		proxy_set_header X-Forwarded-Proto $scheme; | ||||
| 	} | ||||
| 	{% endif %} | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled %} | ||||
| 	location ^~ /_matrix/client/r0/user_directory/search { | ||||
| 		{% if matrix_nginx_proxy_enabled %} | ||||
| 			{# Use the embedded DNS resolver in Docker containers to discover the service #} | ||||
| 			resolver 127.0.0.11 valid=5s; | ||||
| 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container }}"; | ||||
| 			proxy_pass http://$backend; | ||||
| 		{% else %} | ||||
| 			{# Generic configuration for use outside of our container setup #} | ||||
| 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container }}; | ||||
| 		{% endif %} | ||||
|  | ||||
| 		proxy_set_header Host $host; | ||||
| 		proxy_set_header X-Forwarded-For $remote_addr; | ||||
| 	} | ||||
| 	{% endif %} | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled %} | ||||
| 	location ~ ^/_matrix/client/r0/register/(email|msisdn)/requestToken$ { | ||||
| 		{% if matrix_nginx_proxy_enabled %} | ||||
| 			{# Use the embedded DNS resolver in Docker containers to discover the service #} | ||||
| 			resolver 127.0.0.11 valid=5s; | ||||
| 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container }}"; | ||||
| 			proxy_pass http://$backend; | ||||
| 		{% else %} | ||||
| 			{# Generic configuration for use outside of our container setup #} | ||||
| 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container }}; | ||||
| 		{% endif %} | ||||
|  | ||||
| 		proxy_set_header Host $host; | ||||
| 		proxy_set_header X-Forwarded-For $remote_addr; | ||||
| 		proxy_set_header X-Forwarded-Proto $scheme; | ||||
| 	} | ||||
| 	{% endif %} | ||||
|  | ||||
| 	{% for configuration_block in matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks %} | ||||
| 		{{- configuration_block }} | ||||
| 	{% endfor %} | ||||
|  | ||||
| 	{# | ||||
| 		This handles the Matrix Client API only. | ||||
| 		The Matrix Federation API is handled by a separate vhost. | ||||
| 	#} | ||||
| 	location ~* ^({{ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes|join('|') }}) { | ||||
| 		{% if matrix_nginx_proxy_enabled %} | ||||
| 			{# Use the embedded DNS resolver in Docker containers to discover the service #} | ||||
| 			resolver 127.0.0.11 valid=5s; | ||||
| 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container }}"; | ||||
| 			proxy_pass http://$backend; | ||||
| 		{% else %} | ||||
| 			{# Generic configuration for use outside of our container setup #} | ||||
| 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container }}; | ||||
| 		{% endif %} | ||||
|  | ||||
| 		proxy_set_header Host $host; | ||||
| 		proxy_set_header X-Forwarded-For $remote_addr; | ||||
| 		proxy_set_header X-Forwarded-Proto $scheme; | ||||
|  | ||||
| 		client_body_buffer_size 25M; | ||||
| 		client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M; | ||||
| 		proxy_max_temp_file_size 0; | ||||
| 	} | ||||
|  | ||||
| 	{# | ||||
| 		We only handle the root URI for this redirect or homepage serving. | ||||
| 		Unhandled URIs (mostly by `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes` above) should result in a 404, | ||||
| 		instead of causing a redirect. | ||||
| 		See: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1058 | ||||
| 	#} | ||||
| 	location ~* ^/$ { | ||||
| 		{% if matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain %} | ||||
| 			return 302 $scheme://{{ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain }}$request_uri; | ||||
| 		{% else %} | ||||
| 			rewrite ^/$ /_matrix/static/ last; | ||||
| 		{% endif %} | ||||
| 	} | ||||
| {% endmacro %} | ||||
|  | ||||
| server { | ||||
| 	listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; | ||||
| 	server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }}; | ||||
|  | ||||
| 	server_tokens off; | ||||
| 	root /dev/null; | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_https_enabled %} | ||||
| 		location /.well-known/acme-challenge { | ||||
| 			{% if matrix_nginx_proxy_enabled %} | ||||
| 				{# Use the embedded DNS resolver in Docker containers to discover the service #} | ||||
| 				resolver 127.0.0.11 valid=5s; | ||||
| 				set $backend "matrix-certbot:8080"; | ||||
| 				proxy_pass http://$backend; | ||||
| 			{% else %} | ||||
| 				{# Generic configuration for use outside of our container setup #} | ||||
| 				proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; | ||||
| 			{% endif %} | ||||
| 		} | ||||
|  | ||||
| 		{% if matrix_nginx_proxy_proxy_matrix_nginx_status_enabled %} | ||||
| 			{{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }} | ||||
| 		{% endif %} | ||||
|  | ||||
| 		location / { | ||||
| 			return 301 https://$http_host$request_uri; | ||||
| 		} | ||||
| 	{% else %} | ||||
| 		{{ render_vhost_directives() }} | ||||
| 	{% endif %} | ||||
| } | ||||
|  | ||||
| {% if matrix_nginx_proxy_https_enabled %} | ||||
| server { | ||||
| 	listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; | ||||
| 	listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; | ||||
|  | ||||
| 	server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }}; | ||||
|  | ||||
| 	server_tokens off; | ||||
| 	root /dev/null; | ||||
|  | ||||
| 	ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem; | ||||
| 	ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem; | ||||
|  | ||||
| 	ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; | ||||
| 	{% if matrix_nginx_proxy_ssl_ciphers != '' %} | ||||
| 	ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; | ||||
| 	{% endif %} | ||||
| 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_ocsp_stapling_enabled %} | ||||
| 		ssl_stapling on; | ||||
| 		ssl_stapling_verify on; | ||||
| 		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem; | ||||
| 	{% endif %} | ||||
| 	 | ||||
| 	{% if matrix_nginx_proxy_ssl_session_tickets_off %} | ||||
| 		ssl_session_tickets off; | ||||
| 	{% endif %} | ||||
| 	ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; | ||||
| 	ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};	 | ||||
|  | ||||
| 	{{ render_vhost_directives() }} | ||||
| } | ||||
| {% endif %} | ||||
|  | ||||
| {% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled %} | ||||
| {# | ||||
| 	This federation vhost is a little special. | ||||
| 	It serves federation over HTTP or HTTPS, depending on `matrix_nginx_proxy_https_enabled`. | ||||
| #} | ||||
| server { | ||||
| 	{% if matrix_nginx_proxy_https_enabled %} | ||||
| 		listen {{ matrix_nginx_proxy_proxy_matrix_federation_port }} ssl http2; | ||||
| 		listen [::]:{{ matrix_nginx_proxy_proxy_matrix_federation_port }} ssl http2; | ||||
| 	{% else %} | ||||
| 		listen {{ matrix_nginx_proxy_proxy_matrix_federation_port }}; | ||||
| 	{% endif %} | ||||
|  | ||||
| 	server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }}; | ||||
| 	server_tokens off; | ||||
|  | ||||
| 	root /dev/null; | ||||
|  | ||||
| 	gzip on; | ||||
| 	gzip_types text/plain application/json; | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_https_enabled %} | ||||
| 		ssl_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate }}; | ||||
| 		ssl_certificate_key {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key }}; | ||||
|  | ||||
| 		ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; | ||||
| 		{% if matrix_nginx_proxy_ssl_ciphers != '' %} | ||||
| 			ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; | ||||
| 		{% endif %} | ||||
| 		ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; | ||||
|  | ||||
| 		{% if matrix_nginx_proxy_ocsp_stapling_enabled %} | ||||
| 			ssl_stapling on; | ||||
| 			ssl_stapling_verify on; | ||||
| 			ssl_trusted_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate }}; | ||||
| 		{% endif %} | ||||
| 		 | ||||
| 		{% if matrix_nginx_proxy_ssl_session_tickets_off %} | ||||
| 			ssl_session_tickets off; | ||||
| 		{% endif %} | ||||
| 		ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; | ||||
| 		ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; | ||||
| 	{% endif %} | ||||
|  | ||||
| 	location / { | ||||
| 		{% if matrix_nginx_proxy_enabled %} | ||||
| 			{# Use the embedded DNS resolver in Docker containers to discover the service #} | ||||
| 			resolver 127.0.0.11 valid=5s; | ||||
| 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container }}"; | ||||
| 			proxy_pass http://$backend; | ||||
| 		{% else %} | ||||
| 			{# Generic configuration for use outside of our container setup #} | ||||
| 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container }}; | ||||
| 		{% endif %} | ||||
|  | ||||
| 		proxy_set_header Host $host; | ||||
| 		proxy_set_header X-Forwarded-For $remote_addr; | ||||
| 		proxy_set_header X-Forwarded-Proto $scheme; | ||||
|  | ||||
| 		client_body_buffer_size 25M; | ||||
| 		client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M; | ||||
| 		proxy_max_temp_file_size 0; | ||||
| 	} | ||||
| } | ||||
| {% endif %} | ||||
| @@ -0,0 +1,106 @@ | ||||
| #jinja2: lstrip_blocks: "True" | ||||
|  | ||||
| {% macro render_vhost_directives() %} | ||||
| 	gzip on; | ||||
| 	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_hsts_preload_enabled %} | ||||
| 		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; | ||||
| 	{% else %} | ||||
| 		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; | ||||
| 	{% endif %} | ||||
| 	# duplicate X-Content-Type-Options & X-Frame-Options header | ||||
| 	# Enabled by grafana by default | ||||
| 	# add_header X-Content-Type-Options nosniff; | ||||
| 	# add_header X-Frame-Options SAMEORIGIN; | ||||
| 	add_header Referrer-Policy "strict-origin-when-cross-origin"; | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_floc_optout_enabled %} | ||||
| 		add_header Permissions-Policy interest-cohort=() always; | ||||
| 	{% endif %} | ||||
|  | ||||
| 	proxy_cookie_path / "/; HTTPOnly; Secure"; | ||||
|  | ||||
| 	{% for configuration_block in matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks %} | ||||
| 		{{- configuration_block }} | ||||
| 	{% endfor %} | ||||
|  | ||||
| 	location / { | ||||
| 		{% if matrix_nginx_proxy_enabled %} | ||||
| 			{# Use the embedded DNS resolver in Docker containers to discover the service #} | ||||
| 			resolver 127.0.0.11 valid=5s; | ||||
| 			set $backend "matrix-grafana:3000"; | ||||
| 			proxy_pass http://$backend; | ||||
| 		{% else %} | ||||
| 			{# Generic configuration for use outside of our container setup #} | ||||
| 			proxy_pass http://127.0.0.1:3000; | ||||
| 		{% endif %} | ||||
|  | ||||
| 		proxy_set_header Host $host; | ||||
| 		proxy_set_header X-Forwarded-For $remote_addr; | ||||
| 	} | ||||
| {% endmacro %} | ||||
|  | ||||
| server { | ||||
| 	listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; | ||||
|  | ||||
| 	server_name {{ matrix_nginx_proxy_proxy_grafana_hostname }}; | ||||
|  | ||||
| 	server_tokens off; | ||||
| 	root /dev/null; | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_https_enabled %} | ||||
| 		location /.well-known/acme-challenge { | ||||
| 			{% if matrix_nginx_proxy_enabled %} | ||||
| 				{# Use the embedded DNS resolver in Docker containers to discover the service #} | ||||
| 				resolver 127.0.0.11 valid=5s; | ||||
| 				set $backend "matrix-certbot:8080"; | ||||
| 				proxy_pass http://$backend; | ||||
| 			{% else %} | ||||
| 				{# Generic configuration for use outside of our container setup #} | ||||
| 				proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; | ||||
| 			{% endif %} | ||||
| 		} | ||||
|  | ||||
| 		location / { | ||||
| 			return 301 https://$http_host$request_uri; | ||||
| 		} | ||||
| 	{% else %} | ||||
| 		{{ render_vhost_directives() }} | ||||
| 	{% endif %} | ||||
| } | ||||
|  | ||||
| {% if matrix_nginx_proxy_https_enabled %} | ||||
| server { | ||||
| 	listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; | ||||
| 	listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; | ||||
|  | ||||
| 	server_name {{ matrix_nginx_proxy_proxy_grafana_hostname }}; | ||||
|  | ||||
| 	server_tokens off; | ||||
| 	root /dev/null; | ||||
|  | ||||
| 	ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_grafana_hostname }}/fullchain.pem; | ||||
| 	ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_grafana_hostname }}/privkey.pem; | ||||
|  | ||||
| 	ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; | ||||
| 	{% if matrix_nginx_proxy_ssl_ciphers != "" %} | ||||
| 	ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; | ||||
| 	{% endif %} | ||||
| 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_ocsp_stapling_enabled %} | ||||
| 		ssl_stapling on; | ||||
| 		ssl_stapling_verify on; | ||||
| 		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_grafana_hostname }}/chain.pem; | ||||
| 	{% endif %} | ||||
| 	 | ||||
| 	{% if matrix_nginx_proxy_ssl_session_tickets_off %} | ||||
| 		ssl_session_tickets off; | ||||
| 	{% endif %} | ||||
| 	ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; | ||||
| 	ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};	 | ||||
|  | ||||
| 	{{ render_vhost_directives() }} | ||||
| } | ||||
| {% endif %} | ||||
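Review bot: `add_header Referrer-Policy "strict-origin-when-cross-origin";` on L819 (and likewise `X-XSS-Protection`/`X-Content-Type-Options` at L921-922 in the Jitsi vhost and L1150-1152 in the Sygnal vhost) lacks `always`, so nginx attaches the header only to 2xx/3xx responses and any 4xx/5xx the backend returns goes out without it; the HSTS lines directly above already use `always`, so `add_header Referrer-Policy "strict-origin-when-cross-origin" always;` keeps the vhost consistent. Second, `proxy_cookie_path / "/; HTTPOnly; Secure";` on L825 is also rendered in the plain-HTTP branch (L871-872), where a browser that genuinely talks HTTP to this vhost will not send a `Secure` cookie back, so Grafana login presumably fails there unless TLS is terminated in front of this proxy; making the `Secure` attribute conditional on `matrix_nginx_proxy_https_enabled`, or a comment recording the TLS-in-front assumption, would make the intent explicit. This vhost also forwards only `Host` and `X-Forwarded-For` (L842-843) while the other proxied vhosts in this commit add `proxy_set_header X-Forwarded-Proto $scheme;`, which Grafana would need to build correct absolute URLs behind the proxy.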
| @@ -0,0 +1,140 @@ | ||||
| #jinja2: lstrip_blocks: "True" | ||||
|  | ||||
| {% macro render_vhost_directives() %} | ||||
| 	gzip on; | ||||
| 	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; | ||||
| 	{% if matrix_nginx_proxy_hsts_preload_enabled %} | ||||
| 		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; | ||||
| 	{% else %} | ||||
| 		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; | ||||
| 	{% endif %} | ||||
| 	add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; | ||||
| 	add_header X-Content-Type-Options nosniff; | ||||
| 	{% if matrix_nginx_proxy_floc_optout_enabled %} | ||||
| 		add_header Permissions-Policy interest-cohort=() always; | ||||
| 	{% endif %} | ||||
|  | ||||
| {% for configuration_block in matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks %} | ||||
| 	{{- configuration_block }} | ||||
| {% endfor %} | ||||
|  | ||||
| 	location / { | ||||
| 		{% if matrix_nginx_proxy_enabled %} | ||||
| 			{# Use the embedded DNS resolver in Docker containers to discover the service #} | ||||
| 			resolver 127.0.0.11 valid=5s; | ||||
| 			set $backend "matrix-jitsi-web:80"; | ||||
| 			proxy_pass http://$backend; | ||||
| 		{% else %} | ||||
| 			{# Generic configuration for use outside of our container setup #} | ||||
| 			proxy_pass http://127.0.0.1:13080; | ||||
| 		{% endif %} | ||||
|  | ||||
| 		proxy_set_header Host $host; | ||||
| 		proxy_set_header X-Forwarded-For $remote_addr; | ||||
| 	} | ||||
|  | ||||
| 	# colibri (JVB) websockets | ||||
| 	location ~ ^/colibri-ws/([a-zA-Z0-9-\.]+)/(.*) { | ||||
| 		{% if matrix_nginx_proxy_enabled %} | ||||
| 			resolver 127.0.0.11 valid=5s; | ||||
| 			set $backend "matrix-jitsi-jvb:9090"; | ||||
| 			proxy_pass http://$backend; | ||||
| 		{% else %} | ||||
| 			{# Generic configuration for use outside of our container setup #} | ||||
| 			proxy_pass http://127.0.0.1:13090; | ||||
| 		{% endif %} | ||||
|  | ||||
| 		proxy_set_header Host $host; | ||||
| 		proxy_set_header X-Forwarded-For $remote_addr; | ||||
| 		proxy_set_header Upgrade $http_upgrade; | ||||
| 		proxy_set_header Connection "upgrade"; | ||||
|  | ||||
| 		proxy_http_version 1.1; | ||||
|  | ||||
| 		tcp_nodelay on; | ||||
| 	} | ||||
|  | ||||
| 	# XMPP websocket | ||||
| 	location = /xmpp-websocket { | ||||
| 		{% if matrix_nginx_proxy_enabled %} | ||||
| 			resolver 127.0.0.11 valid=5s; | ||||
| 			set $backend {{ matrix_jitsi_xmpp_bosh_url_base }}; | ||||
| 			proxy_pass $backend/xmpp-websocket; | ||||
| 		{% else %} | ||||
| 			{# Generic configuration for use outside of our container setup #} | ||||
| 			proxy_pass http://127.0.0.1:5280; | ||||
| 		{% endif %} | ||||
| 		proxy_set_header Host $host; | ||||
|  | ||||
| 		proxy_http_version 1.1; | ||||
| 		proxy_read_timeout 900s; | ||||
| 		proxy_set_header Connection "upgrade"; | ||||
| 		proxy_set_header Upgrade $http_upgrade; | ||||
| 		proxy_set_header X-Forwarded-For $remote_addr; | ||||
| 		proxy_set_header X-Forwarded-Proto $scheme; | ||||
| 		tcp_nodelay on; | ||||
| 	} | ||||
| {% endmacro %} | ||||
|  | ||||
| server { | ||||
| 	listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; | ||||
| 	server_name {{ matrix_nginx_proxy_proxy_jitsi_hostname }}; | ||||
|  | ||||
| 	server_tokens off; | ||||
| 	root /dev/null; | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_https_enabled %} | ||||
| 		location /.well-known/acme-challenge { | ||||
| 			{% if matrix_nginx_proxy_enabled %} | ||||
| 				{# Use the embedded DNS resolver in Docker containers to discover the service #} | ||||
| 				resolver 127.0.0.11 valid=5s; | ||||
| 				set $backend "matrix-certbot:8080"; | ||||
| 				proxy_pass http://$backend; | ||||
| 			{% else %} | ||||
| 				{# Generic configuration for use outside of our container setup #} | ||||
| 				proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; | ||||
| 			{% endif %} | ||||
| 		} | ||||
|  | ||||
| 		location / { | ||||
| 			return 301 https://$http_host$request_uri; | ||||
| 		} | ||||
| 	{% else %} | ||||
| 		{{ render_vhost_directives() }} | ||||
| 	{% endif %} | ||||
| } | ||||
|  | ||||
| {% if matrix_nginx_proxy_https_enabled %} | ||||
| server { | ||||
| 	listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; | ||||
| 	listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; | ||||
|  | ||||
| 	server_name {{ matrix_nginx_proxy_proxy_jitsi_hostname }}; | ||||
|  | ||||
| 	server_tokens off; | ||||
| 	root /dev/null; | ||||
|  | ||||
| 	ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/fullchain.pem; | ||||
| 	ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/privkey.pem; | ||||
|  | ||||
| 	ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; | ||||
| 	{% if matrix_nginx_proxy_ssl_ciphers != '' %} | ||||
| 	ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; | ||||
| 	{% endif %} | ||||
| 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_ocsp_stapling_enabled %} | ||||
| 		ssl_stapling on; | ||||
| 		ssl_stapling_verify on; | ||||
| 		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/chain.pem; | ||||
| 	{% endif %} | ||||
| 	 | ||||
| 	{% if matrix_nginx_proxy_ssl_session_tickets_off %} | ||||
| 		ssl_session_tickets off; | ||||
| 	{% endif %} | ||||
| 	ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; | ||||
| 	ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; | ||||
|  | ||||
| 	{{ render_vhost_directives() }} | ||||
| } | ||||
| {% endif %} | ||||
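Review bot: The `/colibri-ws/` websocket location (L947-965) sets the Upgrade headers but no `proxy_read_timeout`, so nginx's default of 60s will close any JVB websocket that stays idle that long, whereas the `/xmpp-websocket` location right below sets `proxy_read_timeout 900s;` (L980); adding the same line to the colibri block keeps the two websocket paths consistent. Separately, `set $backend {{ matrix_jitsi_xmpp_bosh_url_base }};` on L971 is the only `set` in these templates whose value is not quoted (compare L935 and L950); `set $backend "{{ matrix_jitsi_xmpp_bosh_url_base }}";` avoids a config-parse failure if the variable ever contains a character nginx treats specially. The regex on L947 also defines two capture groups that nothing in the block uses; non-capturing groups or a plain `location ^~ /colibri-ws/` would express the same routing without implying the captures matter.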
| @@ -0,0 +1,87 @@ | ||||
| #jinja2: lstrip_blocks: "True" | ||||
|  | ||||
| {% macro render_vhost_directives() %} | ||||
| 	{% if matrix_nginx_proxy_floc_optout_enabled %} | ||||
| 		add_header Permissions-Policy interest-cohort=() always; | ||||
| 	{% endif %} | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_hsts_preload_enabled %} | ||||
| 		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; | ||||
| 	{% else %} | ||||
| 		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; | ||||
| 	{% endif %} | ||||
|  | ||||
| 	add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; | ||||
|  | ||||
| 	{% for configuration_block in matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks %} | ||||
| 		{{- configuration_block }} | ||||
| 	{% endfor %} | ||||
|  | ||||
| 	location / { | ||||
| 		return 301 https://{{ matrix_nginx_proxy_proxy_element_hostname }}$request_uri; | ||||
| 	} | ||||
| {% endmacro %} | ||||
|  | ||||
| server { | ||||
| 	listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; | ||||
|  | ||||
| 	server_name {{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}; | ||||
|  | ||||
| 	server_tokens off; | ||||
| 	root /dev/null; | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_https_enabled %} | ||||
| 		location /.well-known/acme-challenge { | ||||
| 			{% if matrix_nginx_proxy_enabled %} | ||||
| 				{# Use the embedded DNS resolver in Docker containers to discover the service #} | ||||
| 				resolver 127.0.0.11 valid=5s; | ||||
| 				set $backend "matrix-certbot:8080"; | ||||
| 				proxy_pass http://$backend; | ||||
| 			{% else %} | ||||
| 				{# Generic configuration for use outside of our container setup #} | ||||
| 				proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; | ||||
| 			{% endif %} | ||||
| 		} | ||||
|  | ||||
| 		location / { | ||||
| 			return 301 https://$http_host$request_uri; | ||||
| 		} | ||||
| 	{% else %} | ||||
| 		{{ render_vhost_directives() }} | ||||
| 	{% endif %} | ||||
| } | ||||
|  | ||||
| {% if matrix_nginx_proxy_https_enabled %} | ||||
| server { | ||||
| 	listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; | ||||
| 	listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; | ||||
|  | ||||
| 	server_name {{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}; | ||||
|  | ||||
| 	server_tokens off; | ||||
| 	root /dev/null; | ||||
|  | ||||
| 	ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/fullchain.pem; | ||||
| 	ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/privkey.pem; | ||||
|  | ||||
| 	ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; | ||||
| 	{% if matrix_nginx_proxy_ssl_ciphers != '' %} | ||||
| 	ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; | ||||
| 	{% endif %} | ||||
| 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_ocsp_stapling_enabled %} | ||||
| 		ssl_stapling on; | ||||
| 		ssl_stapling_verify on; | ||||
| 		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/chain.pem; | ||||
| 	{% endif %} | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_ssl_session_tickets_off %} | ||||
| 		ssl_session_tickets off; | ||||
| 	{% endif %} | ||||
| 	ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; | ||||
| 	ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; | ||||
|  | ||||
| 	{{ render_vhost_directives() }} | ||||
| } | ||||
| {% endif %} | ||||
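Review bot: The redirect in `render_vhost_directives()` (L1072) always sends clients to `https://{{ matrix_nginx_proxy_proxy_element_hostname }}`, yet the macro is also rendered in the plain-HTTP branch (L1100-1101), which is only taken when `matrix_nginx_proxy_https_enabled` is false, so in a genuinely plain-HTTP deployment the target is a URL this proxy does not serve. If the intent is that TLS is terminated in front of nginx in that configuration, a comment such as `{# Always redirect to https; in the plain-HTTP branch this assumes TLS is terminated in front of this proxy #}` above L1072 would record that assumption for the next maintainer. Otherwise the scheme should follow the same `matrix_nginx_proxy_https_enabled` switch the `listen` directives use.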
| @@ -0,0 +1,97 @@ | ||||
| #jinja2: lstrip_blocks: "True" | ||||
|  | ||||
| {% macro render_vhost_directives() %} | ||||
| 	gzip on; | ||||
| 	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; | ||||
| 	{% if matrix_nginx_proxy_hsts_preload_enabled %} | ||||
| 		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; | ||||
| 	{% else %} | ||||
| 		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; | ||||
| 	{% endif %} | ||||
| 	add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; | ||||
| 	add_header X-Content-Type-Options nosniff; | ||||
| 	add_header X-Frame-Options DENY; | ||||
|  | ||||
| {% for configuration_block in matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks %} | ||||
| 	{{- configuration_block }} | ||||
| {% endfor %} | ||||
|  | ||||
| 	location / { | ||||
| 		{% if matrix_nginx_proxy_enabled %} | ||||
| 			{# Use the embedded DNS resolver in Docker containers to discover the service #} | ||||
| 			resolver 127.0.0.11 valid=5s; | ||||
| 			set $backend "matrix-sygnal:6000"; | ||||
| 			proxy_pass http://$backend; | ||||
| 		{% else %} | ||||
| 			{# Generic configuration for use outside of our container setup #} | ||||
| 			proxy_pass http://127.0.0.1:6000; | ||||
| 		{% endif %} | ||||
|  | ||||
| 		proxy_set_header Host $host; | ||||
| 		proxy_set_header X-Forwarded-For $remote_addr; | ||||
| 		proxy_set_header X-Forwarded-Proto $scheme; | ||||
| 	} | ||||
| {% endmacro %} | ||||
|  | ||||
| server { | ||||
| 	listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; | ||||
| 	server_name {{ matrix_nginx_proxy_proxy_sygnal_hostname }}; | ||||
|  | ||||
| 	server_tokens off; | ||||
| 	root /dev/null; | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_https_enabled %} | ||||
| 		location /.well-known/acme-challenge { | ||||
| 			{% if matrix_nginx_proxy_enabled %} | ||||
| 				{# Use the embedded DNS resolver in Docker containers to discover the service #} | ||||
| 				resolver 127.0.0.11 valid=5s; | ||||
| 				set $backend "matrix-certbot:8080"; | ||||
| 				proxy_pass http://$backend; | ||||
| 			{% else %} | ||||
| 				{# Generic configuration for use outside of our container setup #} | ||||
| 				proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; | ||||
| 			{% endif %} | ||||
| 		} | ||||
|  | ||||
| 		location / { | ||||
| 			return 301 https://$http_host$request_uri; | ||||
| 		} | ||||
| 	{% else %} | ||||
| 		{{ render_vhost_directives() }} | ||||
| 	{% endif %} | ||||
| } | ||||
|  | ||||
| {% if matrix_nginx_proxy_https_enabled %} | ||||
| server { | ||||
| 	listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; | ||||
| 	listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; | ||||
|  | ||||
| 	server_name {{ matrix_nginx_proxy_proxy_sygnal_hostname }}; | ||||
|  | ||||
| 	server_tokens off; | ||||
| 	root /dev/null; | ||||
|  | ||||
| 	ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/fullchain.pem; | ||||
| 	ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/privkey.pem; | ||||
|  | ||||
| 	ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; | ||||
| 	{% if matrix_nginx_proxy_ssl_ciphers != '' %} | ||||
| 	ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; | ||||
| 	{% endif %} | ||||
| 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_ocsp_stapling_enabled %} | ||||
| 		ssl_stapling on; | ||||
| 		ssl_stapling_verify on; | ||||
| 		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/chain.pem; | ||||
| 	{% endif %} | ||||
| 	 | ||||
| 	{% if matrix_nginx_proxy_ssl_session_tickets_off %} | ||||
| 		ssl_session_tickets off; | ||||
| 	{% endif %} | ||||
| 	ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; | ||||
| 	ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; | ||||
|  | ||||
| 	{{ render_vhost_directives() }} | ||||
| } | ||||
| {% endif %} | ||||
| @@ -0,0 +1,231 @@ | ||||
| #jinja2: lstrip_blocks: "True" | ||||
|  | ||||
| {% set generic_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'generic_worker')|list %} | ||||
| {% set media_repository_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'media_repository')|list %} | ||||
| {% set user_dir_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'user_dir')|list %} | ||||
| {% set frontend_proxy_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'frontend_proxy')|list %} | ||||
| {% if matrix_nginx_proxy_synapse_workers_enabled %} | ||||
| 	# Round Robin "upstream" pools for workers | ||||
|  | ||||
| 	{% if generic_workers %} | ||||
| 	upstream generic_worker_upstream { | ||||
| 		# ensures that requests from the same client will always be passed | ||||
| 		# to the same server (except when this server is unavailable) | ||||
| 		hash $http_x_forwarded_for; | ||||
|  | ||||
| 		{% for worker in generic_workers %} | ||||
| 			{% if matrix_nginx_proxy_enabled %} | ||||
| 				server "matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.port }}"; | ||||
| 			{% else %} | ||||
| 				server "127.0.0.1:{{ worker.port }}"; | ||||
| 			{% endif %} | ||||
| 		{% endfor %} | ||||
| 	} | ||||
| 	{% endif %} | ||||
|  | ||||
| 	{% if frontend_proxy_workers %} | ||||
| 	upstream frontend_proxy_upstream { | ||||
| 		{% for worker in frontend_proxy_workers %} | ||||
| 			{% if matrix_nginx_proxy_enabled %} | ||||
| 				server "matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.port }}"; | ||||
| 			{% else %} | ||||
| 				server "127.0.0.1:{{ worker.port }}"; | ||||
| 			{% endif %} | ||||
| 		{% endfor %} | ||||
| 	} | ||||
| 	{% endif %} | ||||
|  | ||||
| 	{% if media_repository_workers %} | ||||
| 	upstream media_repository_upstream { | ||||
| 		{% for worker in media_repository_workers %} | ||||
| 			{% if matrix_nginx_proxy_enabled %} | ||||
| 				server "matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.port }}"; | ||||
| 			{% else %} | ||||
| 				server "127.0.0.1:{{ worker.port }}"; | ||||
| 			{% endif %} | ||||
| 		{% endfor %} | ||||
| 	} | ||||
| 	{% endif %} | ||||
|  | ||||
| 	{% if user_dir_workers %} | ||||
| 	upstream user_dir_upstream { | ||||
| 		{% for worker in user_dir_workers %} | ||||
| 			{% if matrix_nginx_proxy_enabled %} | ||||
| 				server "matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.port }}"; | ||||
| 			{% else %} | ||||
| 				server "127.0.0.1:{{ worker.port }}"; | ||||
| 			{% endif %} | ||||
| 		{% endfor %} | ||||
| 	} | ||||
| 	{% endif %} | ||||
| {% endif %} | ||||
|  | ||||
| server { | ||||
| 	listen 12080; | ||||
| 	server_name {{ matrix_nginx_proxy_proxy_synapse_hostname }}; | ||||
|  | ||||
| 	server_tokens off; | ||||
| 	root /dev/null; | ||||
|  | ||||
| 	gzip on; | ||||
| 	gzip_types text/plain application/json; | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_synapse_workers_enabled %} | ||||
| 		{# Workers redirects BEGIN #} | ||||
|  | ||||
| 		{% if generic_workers %} | ||||
| 			# https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappgeneric_worker | ||||
| 			{% for location in matrix_nginx_proxy_synapse_generic_worker_client_server_locations %} | ||||
| 			location ~ {{ location }} { | ||||
| 				proxy_pass http://generic_worker_upstream$request_uri; | ||||
| 				proxy_set_header Host $host; | ||||
| 			} | ||||
| 			{% endfor %} | ||||
| 		{% endif %} | ||||
|  | ||||
| 		{% if media_repository_workers %} | ||||
| 			# https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappmedia_repository | ||||
| 			{% for location in matrix_nginx_proxy_synapse_media_repository_locations %} | ||||
| 			location ~ {{ location }} { | ||||
| 				proxy_pass http://media_repository_upstream$request_uri; | ||||
| 				proxy_set_header Host $host; | ||||
|  | ||||
| 				client_body_buffer_size 25M; | ||||
| 				client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M; | ||||
| 				proxy_max_temp_file_size 0; | ||||
| 			} | ||||
| 			{% endfor %} | ||||
| 		{% endif %} | ||||
|  | ||||
| 		{% if user_dir_workers %} | ||||
| 			# FIXME: obsolete if matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled is set | ||||
| 			# https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappuser_dir | ||||
| 			{% for location in matrix_nginx_proxy_synapse_user_dir_locations %} | ||||
| 			location ~ {{ location }} { | ||||
| 				proxy_pass http://user_dir_upstream$request_uri; | ||||
| 				proxy_set_header Host $host; | ||||
| 			} | ||||
| 			{% endfor %} | ||||
| 		{% endif %} | ||||
|  | ||||
| 		{% if frontend_proxy_workers %} | ||||
| 			# https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappfrontend_proxy | ||||
| 			{% for location in matrix_nginx_proxy_synapse_frontend_proxy_locations %} | ||||
| 			location ~ {{ location }} { | ||||
| 				proxy_pass http://frontend_proxy_upstream$request_uri; | ||||
| 				proxy_set_header Host $host; | ||||
| 			} | ||||
| 			{% endfor %} | ||||
| 			{% if matrix_nginx_proxy_synapse_presence_disabled %} | ||||
| 			# FIXME: keep in sync with synapse workers documentation manually | ||||
| 			location ~ ^/_matrix/client/(api/v1|r0|unstable)/presence/[^/]+/status { | ||||
| 				proxy_pass http://frontend_proxy_upstream$request_uri; | ||||
| 				proxy_set_header Host $host; | ||||
| 			} | ||||
| 			{% endif %} | ||||
| 		{% endif %} | ||||
| 		{# Workers redirects END #} | ||||
| 	{% endif %} | ||||
|  | ||||
|  | ||||
| 	{% for configuration_block in matrix_nginx_proxy_proxy_synapse_additional_server_configuration_blocks %} | ||||
| 		{{- configuration_block }} | ||||
| 	{% endfor %} | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_proxy_synapse_metrics %} | ||||
| 	location /_synapse/metrics { | ||||
| 		{% if matrix_nginx_proxy_enabled %} | ||||
| 			{# Use the embedded DNS resolver in Docker containers to discover the service #} | ||||
| 			resolver 127.0.0.11 valid=5s; | ||||
| 			set $backend "{{ matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container }}"; | ||||
| 			proxy_pass http://$backend; | ||||
| 		{% else %} | ||||
| 			{# Generic configuration for use outside of our container setup #} | ||||
| 			proxy_pass http://{{ matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container }}; | ||||
| 		{% endif %} | ||||
|  | ||||
| 		proxy_set_header Host $host; | ||||
|  | ||||
| 		{% if matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled %} | ||||
| 			auth_basic "protected"; | ||||
| 			auth_basic_user_file /nginx-data/matrix-synapse-metrics-htpasswd; | ||||
| 		{% endif %} | ||||
| 	} | ||||
| 	{% endif %} | ||||
|  | ||||
| 	{# Everything else just goes to the API server ##} | ||||
| 	location / { | ||||
| 		{% if matrix_nginx_proxy_enabled %} | ||||
| 			{# Use the embedded DNS resolver in Docker containers to discover the service #} | ||||
| 			resolver 127.0.0.11 valid=5s; | ||||
| 			set $backend "{{ matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container }}"; | ||||
| 			proxy_pass http://$backend; | ||||
| 		{% else %} | ||||
| 			{# Generic configuration for use outside of our container setup #} | ||||
| 			proxy_pass http://{{ matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container }}; | ||||
| 		{% endif %} | ||||
|  | ||||
| 		proxy_set_header Host $host; | ||||
|  | ||||
| 		client_body_buffer_size 25M; | ||||
| 		client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M; | ||||
| 		proxy_max_temp_file_size 0; | ||||
| 	} | ||||
| } | ||||
|  | ||||
| {% if matrix_nginx_proxy_proxy_synapse_federation_api_enabled %} | ||||
| server { | ||||
| 	listen 12088; | ||||
|  | ||||
| 	server_name {{ matrix_nginx_proxy_proxy_synapse_hostname }}; | ||||
| 	server_tokens off; | ||||
|  | ||||
| 	root /dev/null; | ||||
|  | ||||
| 	gzip on; | ||||
| 	gzip_types text/plain application/json; | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_synapse_workers_enabled %} | ||||
| 		{% if generic_workers %} | ||||
| 			# https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappgeneric_worker | ||||
| 			{% for location in matrix_nginx_proxy_synapse_generic_worker_federation_locations %} | ||||
| 			location ~ {{ location }} { | ||||
| 				proxy_pass http://generic_worker_upstream$request_uri; | ||||
| 				proxy_set_header Host $host; | ||||
| 			} | ||||
| 			{% endfor %} | ||||
| 		{% endif %} | ||||
| 		{% if media_repository_workers %} | ||||
| 			# https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappmedia_repository | ||||
| 			{% for location in matrix_nginx_proxy_synapse_media_repository_locations %} | ||||
| 			location ~ {{ location }} { | ||||
| 				proxy_pass http://media_repository_upstream$request_uri; | ||||
| 				proxy_set_header Host $host; | ||||
|  | ||||
| 				client_body_buffer_size 25M; | ||||
| 				client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M; | ||||
| 				proxy_max_temp_file_size 0; | ||||
| 			} | ||||
| 			{% endfor %} | ||||
| 		{% endif %} | ||||
| 	{% endif %} | ||||
|  | ||||
| 	location / { | ||||
| 		{% if matrix_nginx_proxy_enabled %} | ||||
| 			{# Use the embedded DNS resolver in Docker containers to discover the service #} | ||||
| 			resolver 127.0.0.11 valid=5s; | ||||
| 			set $backend "{{ matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container }}"; | ||||
| 			proxy_pass http://$backend; | ||||
| 		{% else %} | ||||
| 			{# Generic configuration for use outside of our container setup #} | ||||
| 			proxy_pass http://{{ matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container }}; | ||||
| 		{% endif %} | ||||
|  | ||||
| 		proxy_set_header Host $host; | ||||
|  | ||||
| 		client_body_buffer_size 25M; | ||||
| 		client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M; | ||||
| 		proxy_max_temp_file_size 0; | ||||
| 	} | ||||
| } | ||||
| {% endif %} | ||||
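Review bot: `location /_synapse/metrics {` on L1373 is a plain prefix location, and in nginx a matching `location ~` regex wins over a prefix location unless the prefix is declared with `^~`; the worker blocks above it (L1316, L1326, L1341, L1351) are all regex locations rendered from variable lists, so any pattern that happened to cover `/_synapse/metrics` would route those requests to a worker upstream and skip the `auth_basic` guard on L1386-1388. Declaring it as `location ^~ /_synapse/metrics {` makes the metrics path immune to that shadowing regardless of what the location lists contain. Also, the `hash $http_x_forwarded_for;` stickiness on L1251 keys on a header taken from whatever reaches port 12080; that is presumably always the front-end vhost in this repo, which sets `X-Forwarded-For` to `$remote_addr` (compare L794 in the federation vhost), but the comment on L1249-1250 would be more useful if it stated that the stickiness relies on that header being set by the front-end and never on a client-supplied value reaching this server directly.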
| @@ -0,0 +1,14 @@ | ||||
| #jinja2: lstrip_blocks: "True" | ||||
| # The default is aligned to the CPU's cache size, | ||||
| # which can sometimes be too low to handle our 2 vhosts (Synapse and Element). | ||||
| # | ||||
| # Thus, we ensure a larger bucket size value is used. | ||||
| server_names_hash_bucket_size 64; | ||||
|  | ||||
| {% if matrix_nginx_proxy_http_level_resolver %} | ||||
| 	resolver {{ matrix_nginx_proxy_http_level_resolver }}; | ||||
| {% endif %} | ||||
|  | ||||
| {% for configuration_block in matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks %} | ||||
| 	{{- configuration_block }} | ||||
| {% endfor %} | ||||
| @@ -0,0 +1,3 @@ | ||||
| #jinja2: lstrip_blocks: "True" | ||||
| # User and password for protecting /_synapse/metrics URI | ||||
| prometheus:{{ matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key }} | ||||
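Review bot: The comment on the line above does not say in which form `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key` must be supplied, and nginx's `auth_basic_user_file` expects the password in htpasswd form (a crypt()/apr1 hash or a `{SHA}`/`{SSHA}`-prefixed value); a bare plaintext password is parsed as a crypt hash and every login is rejected, with nothing in this template to make that obvious. Suggest extending the comment to `# The password part must already be hashed in htpasswd form (apr1 or {SHA}); nginx does not read it as plaintext.` Since the rendered file holds a credential, the task that writes it should presumably set a restrictive mode, which is not visible in this hunk.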
							
								
								
									
									
										61
									
								
								roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,61 @@ | ||||
| #jinja2: lstrip_blocks: "True" | ||||
| # This is a custom nginx configuration file that we use in the container (instead of the default one), | ||||
| # because it allows us to run nginx with a non-root user. | ||||
| # | ||||
| # For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed. | ||||
| # | ||||
| # The following changes have been done compared to a default nginx configuration file: | ||||
| # - various temp paths are changed to `/tmp`, so that a non-root user can write to them | ||||
| # - the `user` directive was removed, as we don't want nginx to switch users | ||||
|  | ||||
| worker_processes {{ matrix_nginx_proxy_worker_processes }}; | ||||
| error_log /var/log/nginx/error.log warn; | ||||
| pid /tmp/nginx.pid; | ||||
| {% for configuration_block in matrix_nginx_proxy_proxy_additional_configuration_blocks %} | ||||
| 	{{- configuration_block }} | ||||
| {% endfor %} | ||||
|  | ||||
| events { | ||||
| 	worker_connections {{ matrix_nginx_proxy_worker_connections }}; | ||||
| {% for configuration_block in matrix_nginx_proxy_proxy_event_additional_configuration_blocks %} | ||||
| 	{{- configuration_block }} | ||||
| {% endfor %} | ||||
| } | ||||
|  | ||||
|  | ||||
| http { | ||||
| 	proxy_temp_path /tmp/proxy_temp; | ||||
| 	client_body_temp_path /tmp/client_temp; | ||||
| 	fastcgi_temp_path /tmp/fastcgi_temp; | ||||
| 	uwsgi_temp_path /tmp/uwsgi_temp; | ||||
| 	scgi_temp_path /tmp/scgi_temp; | ||||
|  | ||||
| 	include /etc/nginx/mime.types; | ||||
| 	default_type application/octet-stream; | ||||
|  | ||||
| 	log_format main '$remote_addr - $remote_user [$time_local] "$request" ' | ||||
| 					'$status $body_bytes_sent "$http_referer" ' | ||||
| 					'"$http_user_agent" "$http_x_forwarded_for"'; | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_access_log_enabled %} | ||||
| 	access_log /var/log/nginx/access.log main; | ||||
| 	{% else %} | ||||
| 	access_log off; | ||||
| 	{% endif %} | ||||
|  | ||||
| 	sendfile on; | ||||
| 	#tcp_nopush on; | ||||
|  | ||||
| 	keepalive_timeout 65; | ||||
|  | ||||
| 	server_tokens off; | ||||
|  | ||||
| 	#gzip on; | ||||
| 	{# Map directive needed for proxied WebSocket upgrades #} | ||||
| 	map $http_upgrade $connection_upgrade { | ||||
| 		default upgrade; | ||||
| 		''      close; | ||||
| 	} | ||||
|  | ||||
| 	include /etc/nginx/conf.d/*.conf; | ||||
| } | ||||
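Review bot: The `client_body_temp_path /tmp/client_temp` line moves request-body spooling onto the container's `/tmp`, which the systemd unit in this commit mounts as a tmpfs sized by `matrix_nginx_proxy_tmp_directory_size_mb`; the vhost templates buffer only 25M in memory (`client_body_buffer_size 25M`) and allow bodies up to `matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb`, so an upload between those two values is written to that tmpfs and presumably fails once it is full. Nothing in the header comment ties the two settings together. Suggest a comment next to the temp paths: `# Request bodies above client_body_buffer_size are spooled here; the /tmp tmpfs in the systemd unit (matrix_nginx_proxy_tmp_directory_size_mb) must be able to hold client_max_body_size.`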
							
								
								
									
									
										58
									
								
								roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2
									
									
									
									
									
										Executable file
									
								
							| @@ -0,0 +1,58 @@ | ||||
| #jinja2: lstrip_blocks: "True" | ||||
| [Unit] | ||||
| Description=Matrix nginx-proxy server | ||||
| {% for service in matrix_nginx_proxy_systemd_required_services_list %} | ||||
| Requires={{ service }} | ||||
| After={{ service }} | ||||
| {% endfor %} | ||||
| {% for service in matrix_nginx_proxy_systemd_wanted_services_list %} | ||||
| Wants={{ service }} | ||||
| {% endfor %} | ||||
| DefaultDependencies=no | ||||
|  | ||||
| [Service] | ||||
| Type=simple | ||||
| Environment="HOME={{ matrix_systemd_unit_home_path }}" | ||||
| ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-nginx-proxy 2>/dev/null' | ||||
| ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-nginx-proxy 2>/dev/null' | ||||
|  | ||||
| ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-nginx-proxy \ | ||||
| 			--log-driver=none \ | ||||
| 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ | ||||
| 			--cap-drop=ALL \ | ||||
| 			--read-only \ | ||||
| 			--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_nginx_proxy_tmp_directory_size_mb }}m \ | ||||
| 			--network={{ matrix_docker_network }} \ | ||||
| 			{% if matrix_nginx_proxy_container_http_host_bind_port %} | ||||
| 			-p {{ matrix_nginx_proxy_container_http_host_bind_port }}:8080 \ | ||||
| 			{% endif %} | ||||
| 			{% if matrix_nginx_proxy_https_enabled and matrix_nginx_proxy_container_https_host_bind_port %} | ||||
| 			-p {{ matrix_nginx_proxy_container_https_host_bind_port }}:8443 \ | ||||
| 			{% endif %} | ||||
| 			{% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled and matrix_nginx_proxy_container_federation_host_bind_port %} | ||||
| 			-p {{ matrix_nginx_proxy_container_federation_host_bind_port }}:{{ matrix_nginx_proxy_proxy_matrix_federation_port }} \ | ||||
| 			{% endif %} | ||||
| 			--mount type=bind,src={{ matrix_nginx_proxy_base_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \ | ||||
| 			--mount type=bind,src={{ matrix_nginx_proxy_data_path }},dst={{ matrix_nginx_proxy_data_path_in_container }},ro \ | ||||
| 			--mount type=bind,src={{ matrix_nginx_proxy_confd_path }},dst=/etc/nginx/conf.d,ro \ | ||||
| 			{% if matrix_ssl_retrieval_method != 'none' %} | ||||
| 			--mount type=bind,src={{ matrix_ssl_config_dir_path }},dst={{ matrix_ssl_config_dir_path }},ro \ | ||||
| 			{% endif %} | ||||
| 			--mount type=bind,src={{ matrix_static_files_base_path }},dst={{ matrix_static_files_base_path }},ro \ | ||||
| 			{% for volume in matrix_nginx_proxy_container_additional_volumes %} | ||||
| 			-v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ | ||||
| 			{% endfor %} | ||||
| 			{% for arg in matrix_nginx_proxy_container_extra_arguments %} | ||||
| 			{{ arg }} \ | ||||
| 			{% endfor %} | ||||
| 			{{ matrix_nginx_proxy_docker_image }} | ||||
|  | ||||
| ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-nginx-proxy 2>/dev/null' | ||||
| ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-nginx-proxy 2>/dev/null' | ||||
| ExecReload={{ matrix_host_command_docker }} exec matrix-nginx-proxy /usr/sbin/nginx -s reload | ||||
| Restart=always | ||||
| RestartSec=30 | ||||
| SyslogIdentifier=matrix-nginx-proxy | ||||
|  | ||||
| [Install] | ||||
| WantedBy=multi-user.target | ||||
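Review bot: `--log-driver=none` on the `docker run` line discards the container's stdout/stderr, and because the container runs `--read-only` with only `/tmp` writable, the `error_log /var/log/nginx/error.log` and the optional `access_log` configured in nginx.conf.j2 can only leave the container through that stream (the official nginx image links those files to stdout/stderr, as far as I know). As written, turning on `matrix_nginx_proxy_access_log_enabled` presumably yields logs that nobody can read, which removes the main evidence source an incident responder would want from the edge proxy. Consider making the log driver a role variable instead of hard-coding `none`, or documenting next to the access-log default that it has no effect with this unit file. The same `--log-driver` choice is not repeated in the certbot script below, so that one keeps its output.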
| @@ -0,0 +1,7 @@ | ||||
| [Unit] | ||||
| Description=Renews Let's Encrypt SSL certificates | ||||
|  | ||||
| [Service] | ||||
| Type=oneshot | ||||
| Environment="HOME={{ matrix_systemd_unit_home_path }}" | ||||
| ExecStart={{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew | ||||
| @@ -0,0 +1,10 @@ | ||||
| [Unit] | ||||
| Description=Renews Let's Encrypt SSL certificates periodically | ||||
|  | ||||
| [Timer] | ||||
| Unit=matrix-ssl-lets-encrypt-certificates-renew.service | ||||
| OnCalendar=*-*-* 04:00:00 | ||||
| RandomizedDelaySec=2h | ||||
|  | ||||
| [Install] | ||||
| WantedBy=timers.target | ||||
| @@ -0,0 +1,6 @@ | ||||
| [Unit] | ||||
| Description=Reloads matrix-nginx-proxy so that new SSL certificates can kick in | ||||
|  | ||||
| [Service] | ||||
| Type=oneshot | ||||
| ExecStart={{ matrix_host_command_systemctl }} reload matrix-nginx-proxy.service | ||||
| @@ -0,0 +1,10 @@ | ||||
| [Unit] | ||||
| Description=Reloads matrix-nginx-proxy periodically so that new SSL certificates can kick in | ||||
|  | ||||
| [Timer] | ||||
| Unit=matrix-ssl-nginx-proxy-reload.service | ||||
| OnCalendar=*-*-* 06:30:00 | ||||
| RandomizedDelaySec=1h | ||||
|  | ||||
| [Install] | ||||
| WantedBy=timers.target | ||||
| @@ -0,0 +1,31 @@ | ||||
| #jinja2: lstrip_blocks: "True" | ||||
| #!/bin/bash | ||||
|  | ||||
| # For renewal to work, matrix-nginx-proxy (or another webserver, if matrix-nginx-proxy is disabled) | ||||
| # need to forward requests for `/.well-known/acme-challenge` to the certbot container. | ||||
| # | ||||
| # This can happen inside the container network by proxying to `http://matrix-certbot:8080` | ||||
| # or outside (on the host) by proxying to `http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}`. | ||||
|  | ||||
| docker run \ | ||||
| 	--rm \ | ||||
| 	--name=matrix-certbot \ | ||||
| 	--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ | ||||
| 	--cap-drop=ALL \ | ||||
| 	--network="{{ matrix_docker_network }}" \ | ||||
| 	-p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080 \ | ||||
| 	--mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt \ | ||||
| 	--mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt \ | ||||
| 	{{ matrix_ssl_lets_encrypt_certbot_docker_image }} \ | ||||
| 	renew \ | ||||
| 		--non-interactive \ | ||||
| 		--work-dir=/tmp \ | ||||
| 		--http-01-port 8080 \ | ||||
| 		{% if matrix_ssl_lets_encrypt_staging %} | ||||
| 			--staging \ | ||||
| 		{% endif %} | ||||
| 		--standalone \ | ||||
| 		--preferred-challenges http \ | ||||
| 		--agree-tos \ | ||||
| 		--email={{ matrix_ssl_lets_encrypt_support_email }} \ | ||||
| 		--no-random-sleep-on-renew | ||||
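Review bot: The script calls a bare `docker run` while the systemd units in this commit go through `{{ matrix_host_command_docker }}` (the `ExecStart` and `ExecReload` lines of matrix-nginx-proxy.service.j2), so a deployer who overrides the docker binary path would get it everywhere except here; suggest `{{ matrix_host_command_docker }} run \`. The `--network="{{ matrix_docker_network }}"` argument is also quoted here but unquoted in the unit file, which is harmless in bash but worth aligning for consistency. Binding the challenge port to `127.0.0.1` only is the right call and is consistent with the comment at the top of the script.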