This is done for a few reasons:
- fewer globals and more independence for each role is better. We rely on various externally-hosted roles and they don't rely on this global either.
- `matrix_container_global_registry_prefix` could make people think they could just override this variable and have all their images pull from elsewhere. This is rarely the case, unless you've taken special care to mirror all the various components (from their respective registries) to your own. In such a case, you probably know what you're mirroring and can adjust individual variables.
- nowadays, various components live on different registries. With Docker Inc tightening rate limits for Docker Hub, it's even more likely that we'll see increased diversity in where images are hosted.
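---

# matrix-synapse-reverse-proxy-companion is a role which brings up a containerized nginx webserver
# that helps with reverse-proxying to Synapse when workers are enabled.
#
# When Synapse is NOT running in worker-mode, reverse-proxying is relatively simple (everything goes to `matrix-synapse:XXXX`).
# In such cases, using this reverse-proxy companion is possible, but unnecessary - it's one more service in the stack, which also impacts performance a bit.
#
# When Synapse workers are enabled, however, the reverse-proxying configuration is much more complicated - certain requests need to go to certain workers, etc.
# matrix-synapse-reverse-proxy-companion is the central place that services needing to reach Synapse can be pointed to.
#
# Project source code URL: https://github.com/nginx/nginx

# Master switch for this role.
matrix_synapse_reverse_proxy_companion_enabled: true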
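# nginx image version; it becomes the container image tag (see `matrix_synapse_reverse_proxy_companion_container_image_tag`).
# NOTE(review): keep the renovate annotation directly above the variable - presumably a Renovate matcher keys on that layout.
# renovate: datasource=docker depName=nginx
matrix_synapse_reverse_proxy_companion_version: 1.27.4-alpine

# Filesystem locations for this role, nested under the Synapse base path.
matrix_synapse_reverse_proxy_companion_base_path: "{{ matrix_synapse_base_path }}/reverse-proxy-companion"
matrix_synapse_reverse_proxy_companion_confd_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/conf.d"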
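# List of systemd services that matrix-synapse-reverse-proxy-companion.service depends on.
# The final list is the concatenation of the `_default`, `_auto` and `_custom` lists below.
matrix_synapse_reverse_proxy_companion_systemd_required_services_list: "{{ matrix_synapse_reverse_proxy_companion_systemd_required_services_list_default + matrix_synapse_reverse_proxy_companion_systemd_required_services_list_auto + matrix_synapse_reverse_proxy_companion_systemd_required_services_list_custom }}"
# Contains the Docker service name when one is defined, otherwise nothing.
matrix_synapse_reverse_proxy_companion_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
matrix_synapse_reverse_proxy_companion_systemd_required_services_list_auto: []
matrix_synapse_reverse_proxy_companion_systemd_required_services_list_custom: []

# List of systemd services that matrix-synapse-reverse-proxy-companion.service wants
matrix_synapse_reverse_proxy_companion_systemd_wanted_services_list: ['matrix-synapse.service']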
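# We use an official nginx image, which we fix-up to run unprivileged.
# An alternative would be an `nginxinc/nginx-unprivileged` image, but
# that is frequently out of date.
#
# The image reference is `<registry prefix>nginx:<tag>`. The tag is a version tag, not a content digest,
# so the registry decides what is actually served for it.
# If you override the registry prefix to pull from a mirror, make sure the mirror is one you control and trust.
matrix_synapse_reverse_proxy_companion_container_image: "{{ matrix_synapse_reverse_proxy_companion_container_image_registry_prefix }}nginx:{{ matrix_synapse_reverse_proxy_companion_container_image_tag }}"
matrix_synapse_reverse_proxy_companion_container_image_registry_prefix: docker.io/
matrix_synapse_reverse_proxy_companion_container_image_tag: "{{ matrix_synapse_reverse_proxy_companion_version }}"
# Evaluates to true only when the image reference ends with `:latest`.
matrix_synapse_reverse_proxy_companion_container_image_force_pull: "{{ matrix_synapse_reverse_proxy_companion_container_image.endswith(':latest') }}"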
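# The container network for matrix-synapse-reverse-proxy-companion.
# Empty by default; it is also the default for the Traefik `docker_network` label variable in this file.
matrix_synapse_reverse_proxy_companion_container_network: ""

# A list of additional container networks that matrix-synapse-reverse-proxy-companion would be connected to.
# The playbook does not create these networks, so make sure they already exist.
# The final list is the concatenation of the `_auto` and `_custom` lists below.
matrix_synapse_reverse_proxy_companion_container_additional_networks: "{{ matrix_synapse_reverse_proxy_companion_container_additional_networks_auto + matrix_synapse_reverse_proxy_companion_container_additional_networks_custom }}"
matrix_synapse_reverse_proxy_companion_container_additional_networks_auto: []
matrix_synapse_reverse_proxy_companion_container_additional_networks_custom: []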
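# Controls whether the matrix-synapse-reverse-proxy-companion container exposes its HTTP Client-Server API port (tcp/8008 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8008"), or empty string to not expose.
#
# NOTE(review): a bare "<port>" value presumably publishes the port on all host interfaces
# (Docker's default when no IP is given) - confirm against the service template.
# This container serves plain HTTP (it does not terminate SSL), so prefer a loopback or private-interface bind.
matrix_synapse_reverse_proxy_companion_container_client_api_host_bind_port: ''

# Controls whether the matrix-synapse-reverse-proxy-companion container exposes its HTTP Federation (Server-Server) API port (tcp/8048 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8048"), or empty string to not expose.
#
# The same caveat applies as for the Client-Server API port: what is exposed here is plain HTTP,
# so prefer a loopback or private-interface bind.
matrix_synapse_reverse_proxy_companion_container_federation_api_host_bind_port: ''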
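# matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
# See `../templates/labels.j2` for details.
#
# To inject your own other container labels, see `matrix_synapse_reverse_proxy_companion_container_labels_additional_labels`.
matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled: true
matrix_synapse_reverse_proxy_companion_container_labels_traefik_docker_network: "{{ matrix_synapse_reverse_proxy_companion_container_network }}"
# Default entrypoint and certificate resolver; the per-router variables further below fall back to these.
matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints: web-secure
matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver: default  # noqa var-naming
# Empty by default. The public routers' `Host(...)` rules are built from this value, so it needs to be set for them to match.
matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname: ''

# Controls whether a compression middleware will be injected into the middlewares list.
# This compression middleware is supposed to be defined elsewhere (using labels or a File provider, etc.) and is merely referenced by this router.
matrix_synapse_reverse_proxy_companion_container_labels_traefik_compression_middleware_enabled: false
matrix_synapse_reverse_proxy_companion_container_labels_traefik_compression_middleware_name: ""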
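# Controls whether labels will be added that expose the Client-Server API on a public Traefik entrypoint.
matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_enabled: true
matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}"
matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_path_prefix: /_matrix
# The router matches on both the hostname and the path prefix.
matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_path_prefix }}`)"
matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_priority: 0
matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}"
# TLS is on for every entrypoint value except the literal `web`.
# Pointing this router at `web` therefore serves the Client-Server API (which carries access tokens) without TLS at Traefik.
matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_entrypoints != 'web' }}"
matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}"  # noqa var-naming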
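# Controls whether labels will be added that expose the Client-Server API on the internal Traefik entrypoint.
# This is similar to `matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_enabled`, but the entrypoint and intent is different.
matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_enabled: false
# NOTE(review): this default reads a variable of the matrix-synapse role (`matrix_synapse_container_labels_...`),
# not this role's own `..._public_client_api_traefik_path_prefix` - confirm that the cross-role reference is intended.
matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_traefik_path_prefix: "{{ matrix_synapse_container_labels_public_client_api_traefik_path_prefix }}"
# The internal rule matches on the path prefix only (no `Host(...)` matcher), so any hostname is accepted on that entrypoint.
# Keep the internal entrypoint reachable only by the services that are meant to use it.
matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_traefik_rule: "PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_traefik_path_prefix }}`)"
matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_traefik_priority: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_priority }}"
# Empty by default; needs to be set when the internal router is enabled.
matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_traefik_entrypoints: ""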
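# Controls whether labels will be added that expose the /_synapse/client paths
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_enabled: true
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}"
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_path_prefix: /_synapse/client
# The router matches on both the hostname and the path prefix.
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_path_prefix }}`)"
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_priority: 0
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}"
# TLS is on for every entrypoint value except the literal `web`.
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_entrypoints != 'web' }}"
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}"  # noqa var-naming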
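# Controls whether labels will be added that expose the /_synapse/admin paths
# Following these recommendations (https://github.com/element-hq/synapse/blob/master/docs/reverse_proxy.md), by default, we don't.
#
# The admin API allows server-wide administrative actions. If you enable this router,
# consider limiting who can reach it at the fronting proxy (e.g. with an IP allow-list).
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_enabled: false
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}"
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_path_prefix: /_synapse/admin
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_path_prefix }}`)"
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_priority: 0
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}"
# TLS is on for every entrypoint value except the literal `web`; do not route the admin API over `web`.
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_entrypoints != 'web' }}"
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}"  # noqa var-naming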
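# Controls whether labels will be added that expose the Server-Server API (Federation API).
# Follows `matrix_synapse_reverse_proxy_companion_federation_api_enabled` by default.
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_enabled: "{{ matrix_synapse_reverse_proxy_companion_federation_api_enabled }}"
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}"
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_path_prefix: /_matrix
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_path_prefix }}`)"
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_priority: 0
# Empty by default, unlike the client-facing routers, which fall back to the shared entrypoints variable.
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_entrypoints: ''
# TLS is force-enabled here, because the spec (https://spec.matrix.org/v1.9/server-server-api/#tls) says that the federation API must use HTTPS.
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_tls: true
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}"  # noqa var-naming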
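# matrix_synapse_reverse_proxy_companion_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
# See `../templates/labels.j2` for details.
#
# Example:
# matrix_synapse_reverse_proxy_companion_container_labels_additional_labels: |
#   my.label=1
#   another.label="here"
matrix_synapse_reverse_proxy_companion_container_labels_additional_labels: ''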
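# A list of extra arguments to pass to the container
# Also see `matrix_synapse_reverse_proxy_companion_container_arguments`
#
# NOTE(review): these are presumably appended to the container's run command as-is,
# so an entry here can change how the container is isolated (published ports, mounts, etc.) - review what you add.
matrix_synapse_reverse_proxy_companion_container_extra_arguments: []

# matrix_synapse_reverse_proxy_companion_container_extra_arguments_auto is a list of extra arguments to pass to the container.
# This list is managed by the playbook. You're not meant to override this variable.
# If you'd like to inject your own arguments, see `matrix_synapse_reverse_proxy_companion_container_extra_arguments`.
matrix_synapse_reverse_proxy_companion_container_extra_arguments_auto: []

# matrix_synapse_reverse_proxy_companion_container_arguments holds the final list of extra arguments to pass to the container
# (your own arguments followed by the playbook-managed ones).
# You're not meant to override this variable.
# If you'd like to inject your own arguments, see `matrix_synapse_reverse_proxy_companion_container_extra_arguments`.
matrix_synapse_reverse_proxy_companion_container_arguments: "{{ matrix_synapse_reverse_proxy_companion_container_extra_arguments + matrix_synapse_reverse_proxy_companion_container_extra_arguments_auto }}"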
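# The number of nginx worker processes and connections.
# Consider increasing these when you are expecting high amounts of traffic.
# http://nginx.org/en/docs/ngx_core_module.html#worker_connections
matrix_synapse_reverse_proxy_companion_worker_processes: auto
matrix_synapse_reverse_proxy_companion_worker_connections: 1024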
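# Option to disable the access log.
# Access logs are a primary record for investigating abuse or incidents; if you disable them here,
# make sure the fronting reverse-proxy still keeps request logs.
matrix_synapse_reverse_proxy_companion_access_log_enabled: true

# Controls whether to send access logs to a remote syslog-compatible server
#
# nginx's syslog transport is neither encrypted nor authenticated, and access logs carry client IPs and request paths,
# so keep the syslog server on a trusted network.
matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_enabled: false
# NOTE(review): presumably a "<server>:<port>" value - confirm against the nginx configuration template.
matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_server_port: ''
# This is intentionally different. The maximum allowed length is 32 characters and dashes are not allowed.
matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_tag: matrix_synapse_rev_proxy_comp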
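# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
#
# With the defaults in this file this is 50 x 150 MB = 7500 MB for /tmp, and 2 x 1024 MB = 2048 MB for the cache tmpfs.
# tmpfs is backed by memory, so a burst of large concurrent uploads can consume up to that much RAM/swap on the host.
# Raising the max body size variables raises these limits with them; size them against the memory you actually have.
matrix_synapse_reverse_proxy_companion_tmp_directory_size_mb: "{{ (matrix_synapse_reverse_proxy_companion_federation_api_client_max_body_size_mb | int) * 50 }}"
matrix_synapse_reverse_proxy_companion_tmp_cache_directory_size_mb: "{{ (matrix_synapse_reverse_proxy_companion_synapse_cache_max_size_mb | int) * 2 }}"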
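# A list of strings containing additional configuration blocks to add to the nginx server configuration (nginx.conf).
# Example, for big Matrix servers, to raise the number of open files and prevent timeouts:
# matrix_synapse_reverse_proxy_companion_additional_configuration_blocks:
# - 'worker_rlimit_nofile 30000;'
#
# NOTE(review): these strings are presumably written into the nginx configuration without validation;
# treat inventory that sets them as trusted input and review changes to it.
matrix_synapse_reverse_proxy_companion_additional_configuration_blocks: []

# A list of strings containing additional configuration blocks to add to the nginx event server configuration (nginx.conf).
matrix_synapse_reverse_proxy_companion_event_additional_configuration_blocks: []

# A list of strings containing additional configuration blocks to add to the nginx http's server configuration (nginx-http.conf).
matrix_synapse_reverse_proxy_companion_http_additional_server_configuration_blocks: []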
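# Request timeouts in nginx are controlled by the proxy_connect_timeout, proxy_send_timeout, proxy_read_timeout and send_timeout directives.
# Nginx Default: proxy_connect_timeout 60s; # Defines a timeout for establishing a connection with a proxied server.
# Nginx Default: proxy_send_timeout 60s; # Sets a timeout for transmitting a request to the proxied server.
# Nginx Default: proxy_read_timeout 60s; # Defines a timeout for reading a response from the proxied server.
# Nginx Default: send_timeout 60s; # Sets a timeout for transmitting a response to the client.
#
# For more information visit:
# http://nginx.org/en/docs/http/ngx_http_proxy_module.html
# http://nginx.org/en/docs/http/ngx_http_core_module.html#send_timeout
# https://www.nginx.com/resources/wiki/start/topics/examples/fullexample2/
#
# Here we are sticking with the nginx default values. Change these values carefully:
# longer timeouts let slow or stalled connections hold worker connections for longer.
matrix_synapse_reverse_proxy_companion_proxy_connect_timeout: 60
matrix_synapse_reverse_proxy_companion_proxy_send_timeout: 60
matrix_synapse_reverse_proxy_companion_proxy_read_timeout: 60
matrix_synapse_reverse_proxy_companion_send_timeout: 60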
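# For OCSP purposes, we need to define a resolver at the `server{}` level or `http{}` level (we do the latter).
#
# Otherwise, we get warnings like this:
# > [warn] 22#22: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: "/matrix/ssl/config/live/…/fullchain.pem"
#
# We point it to the internal Docker resolver, which likely delegates to nameservers defined in `/etc/resolv.conf`.
matrix_synapse_reverse_proxy_companion_http_level_resolver: 127.0.0.11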
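# The hostname for the matrix-synapse-reverse-proxy-companion container.
matrix_synapse_reverse_proxy_companion_hostname: "matrix-synapse-reverse-proxy-companion"

# matrix_synapse_reverse_proxy_companion_client_api_addr specifies the address where the Client-Server API is
matrix_synapse_reverse_proxy_companion_client_api_addr: 'matrix-synapse:{{ matrix_synapse_container_client_api_port }}'
# This needs to be equal or higher than the maximum upload size accepted by Synapse.
# It is also the base for the federation body size limit below and, through it, for the /tmp tmpfs size.
matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb: 50

# matrix_synapse_reverse_proxy_companion_federation_api_enabled specifies whether reverse proxying for the Federation (Server-Server) API should be done
matrix_synapse_reverse_proxy_companion_federation_api_enabled: true
# matrix_synapse_reverse_proxy_companion_federation_api_addr specifies the address where the Federation (Server-Server) API is
matrix_synapse_reverse_proxy_companion_federation_api_addr: 'matrix-synapse:{{ matrix_synapse_container_federation_api_plain_port }}'
# Three times the Client-Server API limit (150 MB with the default above).
matrix_synapse_reverse_proxy_companion_federation_api_client_max_body_size_mb: "{{ (matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb | int) * 3 }}"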
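# A list of strings containing additional configuration blocks to add to the nginx vhost handling the Synapse Client-Server API
matrix_synapse_reverse_proxy_companion_synapse_client_api_additional_server_configuration_blocks: []

# A list of strings containing additional configuration blocks to add to the nginx vhost handling the Synapse Federation (Server-Server) API
matrix_synapse_reverse_proxy_companion_synapse_federation_api_additional_server_configuration_blocks: []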
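# Synapse worker activation and endpoint mappings.
# These are all populated via Ansible group variables.
matrix_synapse_reverse_proxy_companion_synapse_workers_enabled: false
matrix_synapse_reverse_proxy_companion_synapse_workers_list: []
matrix_synapse_reverse_proxy_companion_synapse_room_worker_client_server_locations: []
matrix_synapse_reverse_proxy_companion_synapse_room_worker_federation_locations: []
matrix_synapse_reverse_proxy_companion_synapse_sync_worker_client_server_locations: []
matrix_synapse_reverse_proxy_companion_synapse_client_reader_client_server_locations: []
matrix_synapse_reverse_proxy_companion_synapse_federation_reader_federation_locations: []
matrix_synapse_reverse_proxy_companion_synapse_generic_worker_client_server_locations: []
matrix_synapse_reverse_proxy_companion_synapse_generic_worker_federation_locations: []
matrix_synapse_reverse_proxy_companion_synapse_stream_writer_typing_stream_worker_client_server_locations: []
matrix_synapse_reverse_proxy_companion_synapse_stream_writer_to_device_stream_worker_client_server_locations: []
matrix_synapse_reverse_proxy_companion_synapse_stream_writer_account_data_stream_worker_client_server_locations: []
matrix_synapse_reverse_proxy_companion_synapse_stream_writer_receipts_stream_worker_client_server_locations: []
matrix_synapse_reverse_proxy_companion_synapse_stream_writer_presence_stream_worker_client_server_locations: []
matrix_synapse_reverse_proxy_companion_synapse_media_repository_locations: []
matrix_synapse_reverse_proxy_companion_synapse_user_dir_locations: []
# Location regexes. Going by the variable names, these are "override" locations;
# NOTE(review): presumably they take precedence over the worker locations above - confirm against the nginx templates.
matrix_synapse_reverse_proxy_companion_client_server_main_override_locations_regex: ^/_matrix/client/(api/v1|r0|v3|unstable)/(account/3pid/|directory/list/room/|pushrules/|rooms/[^/]+/(forget|upgrade|report)|login/sso/redirect/|register)
matrix_synapse_reverse_proxy_companion_client_server_sso_override_locations_regex: ^(/_matrix/client/(api/v1|r0|v3|unstable)/login/sso/redirect|/_synapse/client/(pick_username|(new_user_consent|oidc/callback|pick_idp|sso_register)$))
# Related to MSC4108 (https://github.com/matrix-org/matrix-spec-proposals/pull/4108)
matrix_synapse_reverse_proxy_companion_client_server_qr_code_login_locations_regex: ^(/_matrix/client/(unstable|v1)/org.matrix.msc4108/rendezvous|/_synapse/client/rendezvous)$

matrix_synapse_reverse_proxy_companion_federation_override_locations_regex: ^/_matrix/federation/v1/openid/userinfo$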
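# Synapse content caching (disabled by default).
# The cache path is under /tmp; `matrix_synapse_reverse_proxy_companion_tmp_cache_directory_size_mb` is derived from the max size below.
matrix_synapse_reverse_proxy_companion_synapse_cache_enabled: false
matrix_synapse_reverse_proxy_companion_synapse_cache_path: /tmp/synapse-cache
matrix_synapse_reverse_proxy_companion_synapse_cache_keys_zone_name: "STATIC"
matrix_synapse_reverse_proxy_companion_synapse_cache_keys_zone_size: "10m"
matrix_synapse_reverse_proxy_companion_synapse_cache_inactive_time: "48h"
matrix_synapse_reverse_proxy_companion_synapse_cache_max_size_mb: 1024
matrix_synapse_reverse_proxy_companion_synapse_cache_proxy_cache_valid_time: "24h"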
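# Controls whether matrix-synapse-reverse-proxy-companion trusts an upstream server's X-Forwarded-Proto header.
# The `matrix-synapse-reverse-proxy-companion` does not terminate SSL and always expects to be fronted by another reverse-proxy server.
# As such, it trusts the protocol scheme forwarded by the upstream proxy.
#
# When enabled, the value below is nginx's `$http_x_forwarded_proto`, i.e. whatever the incoming request header says.
# That is only trustworthy if every request arrives through a fronting proxy that sets the header itself.
# If the container's ports are also published directly (see the `*_host_bind_port` variables),
# a client can supply the header; in that setup, consider setting this to false so that `$scheme` is used instead.
matrix_synapse_reverse_proxy_companion_trust_forwarded_proto: true
matrix_synapse_reverse_proxy_companion_x_forwarded_proto_value: "{{ '$http_x_forwarded_proto' if matrix_synapse_reverse_proxy_companion_trust_forwarded_proto else '$scheme' }}"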