Moving away from using the default bridge network to using our own. This isolates our services from other Docker containers running on the default network on the same host. The benefits are that: - isolation is a little better - we no longer share a default bridge network with any other containers that might be running on the host - there are no longer hard dependencies - we do service discovery by DNS name, and not via explicit `--link` usage during container start, so containers can start out of order and fail without bringing down others with them (`matrix-nginx-proxy` can continue running, even if one of the other services dies) In the future, when other services get introduced, the increased resilience and simplicity will help as well.
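{#
  nginx vhost for the Riot web client, rendered by Ansible.

  Two server blocks:
    - port 80: answers ACME HTTP-01 challenges and redirects everything
      else to HTTPS
    - port 443: terminates TLS and proxies to the riot-web container
      (or to a local port when matrix_nginx_proxy_enabled is false)
#}
server {
    listen 80;
    {# Match the TLS server block below, which also listens on IPv6. #}
    listen [::]:80;

    server_name {{ hostname_riot }};

    server_tokens off;

    location /.well-known/acme-challenge {
        {#
        The proxy can access the files directly.
        An external server likely does not have permission to read these files,
        so we'll just proxy to acme's :402 port.
        #}
        {%- if matrix_nginx_proxy_enabled -%}
        default_type "text/plain";
        alias {{ matrix_ssl_certs_path }}/run/acme-challenge;
        {%- else -%}
        proxy_pass http://localhost:402;
        {% endif %}
    }

    location / {
        {# Everything except the ACME challenge is only served over TLS. #}
        return 301 https://$http_host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name {{ hostname_riot }};

    server_tokens off;
    {# Nothing is served from disk; every request is proxied below. #}
    root /dev/null;

    ssl_certificate {{ matrix_ssl_certs_path }}/live/{{ hostname_riot }}/fullchain;
    ssl_certificate_key {{ matrix_ssl_certs_path }}/live/{{ hostname_riot }}/privkey;
    {#
    TLS 1.0 and 1.1 are deprecated (RFC 8996) and have known weaknesses,
    so only TLS 1.2 is offered. Clients that cannot speak TLS 1.2 will fail
    the handshake; that is intended.
    #}
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    {# Forward-secret (EECDH/EDH) suites only; AES-GCM preferred over CBC. #}
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

    location / {
        {% if matrix_nginx_proxy_enabled %}
        {# Use the embedded DNS resolver in Docker containers to discover the service #}
        {#
        proxy_pass with a variable makes nginx resolve the name at request
        time through the resolver above (re-checked every 5s), instead of
        once at startup. nginx therefore starts and keeps running even while
        the riot-web container is down or restarting.
        #}
        resolver 127.0.0.11 valid=5s;
        set $backend "matrix-riot-web:8765";
        proxy_pass http://$backend;
        {% else %}
        {# Generic configuration for people to use outside of our container setup #}
        proxy_pass http://localhost:8765;
        {% endif %}

        {# Let the upstream see the real client address and the original scheme. #}
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}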