mirror of
https://github.com/spantaleev/matrix-docker-ansible-deploy.git
synced 2025-01-28 02:44:58 +01:00
192 lines
9.8 KiB
Markdown
192 lines
9.8 KiB
Markdown
# Using your own webserver, instead of this playbook's Traefik reverse-proxy (optional, advanced)
|
|
|
|
By default, this playbook installs its own [Traefik](https://traefik.io/) reverse-proxy server (in a Docker container) which listens on ports 80 and 443.
|
|
|
|
If that's alright, you can skip this.
|
|
|
|
## Traefik
|
|
|
|
[Traefik](https://traefik.io/) is the default reverse-proxy for the playbook since [2023-02-26](../CHANGELOG.md/#2023-02-26) and serves **2 purposes**:
|
|
|
|
- serving public traffic and providing SSL-termination with certificates obtained from [Let's Encrypt](https://letsencrypt.org/). See [Adjusting SSL certificate retrieval](./configuring-playbook-ssl-certificates.md).
|
|
|
|
- assists internal communication between addon services (briges, bots, etc.) and the homeserver via an internal entrypoint (`matrix-internal-matrix-client-api`).
|
|
|
|
There are 2 ways to use Traefik with this playbook, as described below.
|
|
|
|
### Traefik managed by the playbook
|
|
|
|
To have the playbook install and use Traefik, use configuration like this (as seen in `examples/vars.yml`):
|
|
|
|
```yaml
|
|
matrix_playbook_reverse_proxy_type: playbook-managed-traefik
|
|
|
|
devture_traefik_config_certificatesResolvers_acme_email: YOUR_EMAIL_ADDRESS
|
|
```
|
|
|
|
Traefik will manage SSL certificates for all services seamlessly.
|
|
|
|
|
|
### Traefik managed by you
|
|
|
|
```yaml
|
|
matrix_playbook_reverse_proxy_type: other-traefik-container
|
|
|
|
# Uncomment and adjust if your Traefik container is on another network
|
|
# matrix_playbook_reverse_proxy_container_network: traefik
|
|
|
|
# Adjust to point to your Traefik container
|
|
matrix_playbook_reverse_proxy_hostname: name-of-your-traefik-container
|
|
|
|
devture_traefik_certs_dumper_ssl_dir_path: "/path/to/your/traefiks/acme.json/directory"
|
|
|
|
# Uncomment and tweak the variable below if the name of your federation entrypoint is different
|
|
# than the default value (matrix-federation).
|
|
# matrix_federation_traefik_entrypoint_name: matrix-federation
|
|
```
|
|
|
|
In this mode all roles will still have Traefik labels attached. You will, however, need to configure your Traefik instance and its entrypoints.
|
|
|
|
By default, the playbook configured a `default` certificate resolver and multiple entrypoints.
|
|
|
|
You need to configure 4 entrypoints for your Traefik server:
|
|
|
|
- `web` (TCP port `80`) - used for redirecting to HTTPS (`web-secure`)
|
|
- `web-secure` (TCP port `443`) - used for exposing the Matrix Client-Server API and all other services
|
|
- `matrix-federation` (TCP port `8448`) - used for exposing the Matrix Federation API
|
|
- `matrix-internal-matrix-client-api` (TCP port `8008`) - used internally for addon services (bridges, bots) to communicate with the homserver
|
|
|
|
Below is some configuration for running Traefik yourself, although we recommend using [Traefik managed by the playbook](#traefik-managed-by-the-playbook).
|
|
|
|
Note that this configuration on its own does **not** redirect traffic on port 80 (plain HTTP) to port 443 for HTTPS. If you are not already doing this in Traefik, it can be added to Traefik in a [file provider](https://docs.traefik.io/v2.0/providers/file/) as follows:
|
|
|
|
```toml
|
|
[http]
|
|
[http.routers]
|
|
[http.routers.redirect-http]
|
|
entrypoints = ["web"] # The 'web' entrypoint must bind to port 80
|
|
rule = "HostRegexp(`{host:.+}`)" # Change if you don't want to redirect all hosts to HTTPS
|
|
service = "dummy" # Unused, but all routers need services (for now)
|
|
middlewares = ["https"]
|
|
[http.services]
|
|
[http.services.dummy.loadbalancer]
|
|
[[http.services.dummy.loadbalancer.servers]]
|
|
url = "localhost"
|
|
[http.middlewares]
|
|
[http.middlewares.https.redirectscheme]
|
|
scheme = "https"
|
|
permanent = true
|
|
```
|
|
|
|
You can use the following `docker-compose.yml` as example to launch Traefik.
|
|
|
|
```yaml
|
|
version: "3.3"
|
|
|
|
services:
|
|
|
|
traefik:
|
|
image: "docker.io/traefik:v2.9.6"
|
|
restart: always
|
|
container_name: "traefik"
|
|
networks:
|
|
- traefik
|
|
command:
|
|
- "--api.insecure=true"
|
|
- "--providers.docker=true"
|
|
- "--providers.docker.network=traefik"
|
|
- "--providers.docker.exposedbydefault=false"
|
|
- "--entrypoints.web-secure.address=:443"
|
|
- "--entrypoints.matrix-federation.address=:8448"
|
|
- "--entrypoints.matrix-internal-matrix-client-api.address=:8008"
|
|
- "--certificatesresolvers.default.acme.tlschallenge=true"
|
|
- "--certificatesresolvers.default.acme.email=YOUR EMAIL"
|
|
- "--certificatesresolvers.default.acme.storage=/letsencrypt/acme.json"
|
|
ports:
|
|
- "443:443"
|
|
- "8448:8448"
|
|
volumes:
|
|
- "./letsencrypt:/letsencrypt"
|
|
- "/var/run/docker.sock:/var/run/docker.sock:ro"
|
|
|
|
networks:
|
|
traefik:
|
|
external: true
|
|
```
|
|
|
|
## Another webserver
|
|
|
|
If you don't wish to use Traefik, you can also use your own webserver.
|
|
|
|
Doing this is possible, but requires manual work.
|
|
|
|
There are 2 ways to go about it:
|
|
|
|
- (recommended) [Fronting the integrated reverse-proxy webserver with another reverse-proxy](#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) - using the playbook-managed reverse-proxy (Traefik), but disabling SSL termination for it, exposing this reverse-proxy on a few local ports (e.g. `127.0.0.1:81`, etc.) and forwarding traffic from your own webserver to those few ports
|
|
|
|
- (difficult) [Using no reverse-proxy on the Matrix side at all](#using-no-reverse-proxy-on-the-matrix-side-at-all) disabling the playbook-managed reverse-proxy (Traefik), exposing services one by one using `_host_bind_port` variables and forwarding traffic from your own webserver to those ports
|
|
|
|
|
|
### Fronting the integrated reverse-proxy webserver with another reverse-proxy
|
|
|
|
This method is about leaving the integrated reverse-proxy webserver be, but making it not get in the way (using up important ports, trying to retrieve SSL certificates, etc.).
|
|
|
|
If you wish to use another webserver, the integrated reverse-proxy webserver usually gets in the way because it attempts to fetch SSL certificates and binds to ports 80, 443 and 8448 (if Matrix Federation is enabled).
|
|
|
|
You can disable such behavior and make the integrated reverse-proxy webserver only serve traffic locally (or over a local network).
|
|
|
|
This is the recommended way for using another reverse-proxy, because the integrated one would act as a black box and wire all Matrix services correctly. You would only need to reverse-proxy a few individual domains and ports over to it.
|
|
|
|
To front Traefik with another reverse-proxy, you would need some configuration like this:
|
|
|
|
```yaml
|
|
matrix_playbook_reverse_proxy_type: playbook-managed-traefik
|
|
|
|
# Ensure that public urls use https
|
|
matrix_playbook_ssl_enabled: true
|
|
|
|
# Disable the web-secure (port 443) endpoint, which also disables SSL certificate retrieval.
|
|
# This has the side-effect of also automatically disabling TLS for the matrix-federation entrypoint
|
|
# (by toggling `matrix_federation_traefik_entrypoint_tls`).
|
|
devture_traefik_config_entrypoint_web_secure_enabled: false
|
|
|
|
# If your reverse-proxy runs on another machine, consider using `0.0.0.0:81`, just `81` or `SOME_IP_ADDRESS_OF_THIS_MACHINE:81`
|
|
devture_traefik_container_web_host_bind_port: '127.0.0.1:81'
|
|
|
|
# We bind to `127.0.0.1` by default (see above), so trusting `X-Forwarded-*` headers from
|
|
# a reverse-proxy running on the local machine is safe enough.
|
|
# If you're publishing the port (`devture_traefik_container_web_host_bind_port` above) to a public network interface:
|
|
# - remove the `devture_traefik_config_entrypoint_web_forwardedHeaders_insecure` variable definition below
|
|
# - uncomment and adjust the `devture_traefik_config_entrypoint_web_forwardedHeaders_trustedIPs` line below
|
|
devture_traefik_config_entrypoint_web_forwardedHeaders_insecure: true
|
|
# devture_traefik_config_entrypoint_web_forwardedHeaders_trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY']
|
|
|
|
# Expose the federation entrypoint on a custom port (other than port 8448, which is normally used publicly).
|
|
#
|
|
# We bind to `127.0.0.1` by default (see above), so trusting `X-Forwarded-*` headers from
|
|
# a reverse-proxy running on the local machine is safe enough.
|
|
#
|
|
# If your reverse-proxy runs on another machine, consider:
|
|
# - using `0.0.0.0:8449`, just `8449` or `SOME_IP_ADDRESS_OF_THIS_MACHINE:8449` below
|
|
# - adjusting `matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom` (below) - removing `insecure: true` and enabling/configuring `trustedIPs`
|
|
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port: 127.0.0.1:8449
|
|
|
|
# Depending on the value of `matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port` above,
|
|
# this may need to be reconfigured. See the comments above.
|
|
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom:
|
|
forwardedHeaders:
|
|
insecure: true
|
|
# trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY']
|
|
```
|
|
|
|
For an example where the playbook's Traefik reverse-proxy is fronted by another reverse-proxy running on the same server, see [Nginx reverse-proxy fronting the playbook's Traefik](../examples/nginx/README.md) or [Caddy reverse-proxy fronting the playbook's Traefik](../examples/caddy2/README.md).
|
|
|
|
|
|
### Using no reverse-proxy on the Matrix side at all
|
|
|
|
Instead of [Fronting the integrated reverse-proxy webserver with another reverse-proxy](#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy), you can also go another way -- completely disabling the playbook-managed reverse-proxy. You would then need to reverse-proxy from your own webserver directly to Matrix services.
|
|
|
|
This is more difficult, as you would need to handle the configuration for each service manually. Enabling additional services would come with extra manual work you need to do.
|
|
|
|
If your webserver is on the same machine, ensure your web server user (something like `http`, `apache`, `www-data`, `nginx`) is part of the `matrix` group. You should run something like this: `usermod -a -G matrix nginx`. This allows your webserver user to access files owned by the `matrix` group, so that it can serve static files from `/matrix/static-files`.
|