{# SPDX-FileCopyrightText: 2024 MDAD Team and contributors SPDX-License-Identifier: AGPL-3.0-or-later #} #jinja2: lstrip_blocks: "True" # This is a custom nginx configuration file that we use in the container (instead of the default one), # because it allows us to run nginx with a non-root user. # # For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed. # # The following changes have been done compared to a default nginx configuration file: # - various temp paths are changed to `/tmp`, so that a non-root user can write to them # - the `user` directive was removed, as we don't want nginx to switch users worker_processes {{ matrix_synapse_reverse_proxy_companion_worker_processes }}; error_log /var/log/nginx/error.log warn; pid /tmp/nginx.pid; {% for configuration_block in matrix_synapse_reverse_proxy_companion_additional_configuration_blocks %} {{- configuration_block }} {% endfor %} events { worker_connections {{ matrix_synapse_reverse_proxy_companion_worker_connections }}; {% for configuration_block in matrix_synapse_reverse_proxy_companion_event_additional_configuration_blocks %} {{- configuration_block }} {% endfor %} } http { proxy_temp_path /tmp/proxy_temp; client_body_temp_path /tmp/client_temp; fastcgi_temp_path /tmp/fastcgi_temp; uwsgi_temp_path /tmp/uwsgi_temp; scgi_temp_path /tmp/scgi_temp; include /etc/nginx/mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; {% if matrix_synapse_reverse_proxy_companion_access_log_enabled %} access_log /var/log/nginx/access.log main; {% endif %} {% if matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_enabled %} log_format prometheus_fmt 'matrix-synapse-reverse-proxy-companion $server_name - $upstream_addr - $remote_addr - $remote_user [$time_local] ' '$host "$request" ' '$status "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log syslog:server={{ matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_server_port }},tag={{ matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_tag }} prometheus_fmt; {% endif %} {% if not matrix_synapse_reverse_proxy_companion_access_log_enabled and not matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_enabled %} access_log off; {% endif %} proxy_connect_timeout {{ matrix_synapse_reverse_proxy_companion_proxy_connect_timeout }}; proxy_send_timeout {{ matrix_synapse_reverse_proxy_companion_proxy_send_timeout }}; proxy_read_timeout {{ matrix_synapse_reverse_proxy_companion_proxy_read_timeout }}; send_timeout {{ matrix_synapse_reverse_proxy_companion_send_timeout }}; sendfile on; #tcp_nopush on; keepalive_timeout 65; server_tokens off; {# Map directive needed for proxied WebSocket upgrades #} map $http_upgrade $connection_upgrade { default upgrade; '' close; } include /etc/nginx/conf.d/*.conf; }