matrix-docker-ansible-deploy/examples/reverse-proxies/nginx/matrix.conf

server {
    # TODO: once per IP and port you should add `reuseport`, if you don't have that in any other nginx config file, add it here by uncommenting the lines below and commenting the one after with `quic` but without `reuseport`
    #listen 443 quic reuseport;
    listen 443 quic;
    listen 443 ssl;
	# TODO: if you replaced the line above for port 443 and IPv4, you probably want to do the same for port 443 IPv6 by switching the two lines below
	#listen [::]:443 quic reuseport;
    listen [::]:443 quic;
    listen [::]:443 ssl;
    http2 on;
    http3 on;

    # TODO: add/remove services and their subdomains if you use/don't use them
    # this example is using hosting something on the base domain and an element web client, so example.com and element.example.com are listed in addition to matrix.example.com
    # if you don't use those, you can remove them
    # if you use e.g. dimension on dimension.example.com, add dimension.example.com to the server_name list
    server_name example.com matrix.example.com element.example.com;

    location / {
        # note: do not add a path (even a single /) after the port in `proxy_pass`,
        # otherwise, nginx will canonicalise the URI and cause signature verification
        # errors.
        proxy_pass http://localhost:81;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;

        access_log /var/log/nginx/matrix.access.log;
        error_log /var/log/nginx/matrix.error.log;

        # Nginx by default only allows file uploads up to 1M in size
        # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
        client_max_body_size 50M;

        # required for browsers to direct them to quic port
        add_header Alt-Svc 'h3=":443"; ma=86400';
    }

    # TODO: adapt the path to your ssl certificate for the domains listed on server_name
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    # TODO: adapt the path to your ssl certificate for the domains listed on server_name
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

# settings for matrix federation
server {
    # For the federation port
    # TODO: once per IP and port you should add `reuseport`, if you don't have that in any other nginx config file, add it here by uncommenting the lines below and commenting the one after with `quic` but without `reuseport`
    #listen 8448 quic reuseport;
    listen 8448 quic;
    listen 8448 ssl default_server;
    # TODO: if you replaced the line above for port 8448 and IPv4, you probably want to do the same for port 8448 IPv6 by switching the two lines below
    #listen [::]:8448 quic reuseport;
    listen [::]:8448 quic;
    listen [::]:8448 ssl default_server;
    http2 on;
    http3 on;

    server_name matrix.example.com;

    location / {
        proxy_pass http://localhost:8449;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;

        access_log /var/log/nginx/matrix.access.log;
        error_log /var/log/nginx/matrix.error.log;

        # Nginx by default only allows file uploads up to 1M in size
        # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
        client_max_body_size 50M;

		# required for browsers to direct them to quic port
        add_header Alt-Svc 'h3=":8448"; ma=86400';
    }
    # TODO: adapt the path to your ssl certificate for the domains listed on server_name
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    # TODO: adapt the path to your ssl certificate for the domains listed on server_name
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

# ensure using https
# TODO: remove server blocks that you don't use / add server blocks for domains you do use
server {
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name example.com;
    listen 80;
    return 404; # managed by Certbot
}

server {
    if ($host = matrix.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name matrix.example.com;
    listen 80;
    return 404; # managed by Certbot
}

server {
    if ($host = element.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name element.example.com;
    listen 80;
    return 404; # managed by Certbot
}
add: nginx example conf + readme for fronting playbooks traefik with own nginx 2023-02-27 14:34:37 +00:00			`server {`
Update nginx fronting example: http2 config and enable quic+http3 (#3460) * update http2 config due to deprecation the previous way to let `http2` follow a `listen` was depracated, it moved to `http2 on;` * enable quic and http3 I hope the comments are somewhat understandable. if someone can describe the `reuseport` part more concise, please do. 2024-08-01 15:12:27 +00:00			# TODO: once per IP and port you should add `reuseport`, if you don't have that in any other nginx config file, add it here by uncommenting the lines below and commenting the one after with `quic` but without `reuseport`
			`#listen 443 quic reuseport;`
			`listen 443 quic;`
			`listen 443 ssl;`
			`# TODO: if you replaced the line above for port 443 and IPv4, you probably want to do the same for port 443 IPv6 by switching the two lines below`
			`#listen [::]:443 quic reuseport;`
			`listen [::]:443 quic;`
			`listen [::]:443 ssl;`
			`http2 on;`
			`http3 on;`
add: nginx example conf + readme for fronting playbooks traefik with own nginx 2023-02-27 14:34:37 +00:00
			`# TODO: add/remove services and their subdomains if you use/don't use them`
			`# this example is using hosting something on the base domain and an element web client, so example.com and element.example.com are listed in addition to matrix.example.com`
			`# if you don't use those, you can remove them`
			`# if you use e.g. dimension on dimension.example.com, add dimension.example.com to the server_name list`
			`server_name example.com matrix.example.com element.example.com;`

			`location / {`
			# note: do not add a path (even a single /) after the port in `proxy_pass`,
			`# otherwise, nginx will canonicalise the URI and cause signature verification`
			`# errors.`
			`proxy_pass http://localhost:81;`
			`proxy_set_header X-Forwarded-For $remote_addr;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`

			`access_log /var/log/nginx/matrix.access.log;`
			`error_log /var/log/nginx/matrix.error.log;`

			`# Nginx by default only allows file uploads up to 1M in size`
			`# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml`
			`client_max_body_size 50M;`
Update nginx fronting example: http2 config and enable quic+http3 (#3460) * update http2 config due to deprecation the previous way to let `http2` follow a `listen` was depracated, it moved to `http2 on;` * enable quic and http3 I hope the comments are somewhat understandable. if someone can describe the `reuseport` part more concise, please do. 2024-08-01 15:12:27 +00:00
			`# required for browsers to direct them to quic port`
			`add_header Alt-Svc 'h3=":443"; ma=86400';`
add: nginx example conf + readme for fronting playbooks traefik with own nginx 2023-02-27 14:34:37 +00:00			`}`

			`# TODO: adapt the path to your ssl certificate for the domains listed on server_name`
			`ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot`
			`# TODO: adapt the path to your ssl certificate for the domains listed on server_name`
			`ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot`
			`include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot`
			`ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot`
			`}`

			`# settings for matrix federation`
			`server {`
			`# For the federation port`
Update nginx fronting example: http2 config and enable quic+http3 (#3460) * update http2 config due to deprecation the previous way to let `http2` follow a `listen` was depracated, it moved to `http2 on;` * enable quic and http3 I hope the comments are somewhat understandable. if someone can describe the `reuseport` part more concise, please do. 2024-08-01 15:12:27 +00:00			# TODO: once per IP and port you should add `reuseport`, if you don't have that in any other nginx config file, add it here by uncommenting the lines below and commenting the one after with `quic` but without `reuseport`
			`#listen 8448 quic reuseport;`
			`listen 8448 quic;`
			`listen 8448 ssl default_server;`
			`# TODO: if you replaced the line above for port 8448 and IPv4, you probably want to do the same for port 8448 IPv6 by switching the two lines below`
			`#listen [::]:8448 quic reuseport;`
			`listen [::]:8448 quic;`
			`listen [::]:8448 ssl default_server;`
			`http2 on;`
			`http3 on;`
add: nginx example conf + readme for fronting playbooks traefik with own nginx 2023-02-27 14:34:37 +00:00
			`server_name matrix.example.com;`

			`location / {`
			`proxy_pass http://localhost:8449;`
			`proxy_set_header X-Forwarded-For $remote_addr;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_set_header Host $host;`

			`access_log /var/log/nginx/matrix.access.log;`
			`error_log /var/log/nginx/matrix.error.log;`

			`# Nginx by default only allows file uploads up to 1M in size`
			`# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml`
			`client_max_body_size 50M;`
Update nginx fronting example: http2 config and enable quic+http3 (#3460) * update http2 config due to deprecation the previous way to let `http2` follow a `listen` was depracated, it moved to `http2 on;` * enable quic and http3 I hope the comments are somewhat understandable. if someone can describe the `reuseport` part more concise, please do. 2024-08-01 15:12:27 +00:00
			`# required for browsers to direct them to quic port`
			`add_header Alt-Svc 'h3=":8448"; ma=86400';`
add: nginx example conf + readme for fronting playbooks traefik with own nginx 2023-02-27 14:34:37 +00:00			`}`
			`# TODO: adapt the path to your ssl certificate for the domains listed on server_name`
			`ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot`
			`# TODO: adapt the path to your ssl certificate for the domains listed on server_name`
			`ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot`
			`include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot`
			`ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot`
			`}`

			`# ensure using https`
			`# TODO: remove server blocks that you don't use / add server blocks for domains you do use`
			`server {`
			`if ($host = example.com) {`
			`return 301 https://$host$request_uri;`
			`} # managed by Certbot`

			`server_name example.com;`
			`listen 80;`
			`return 404; # managed by Certbot`
			`}`

			`server {`
			`if ($host = matrix.example.com) {`
			`return 301 https://$host$request_uri;`
			`} # managed by Certbot`

			`server_name matrix.example.com;`
			`listen 80;`
			`return 404; # managed by Certbot`
			`}`

			`server {`
			`if ($host = element.example.com) {`
			`return 301 https://$host$request_uri;`
			`} # managed by Certbot`

			`server_name element.example.com;`
			`listen 80;`
			`return 404; # managed by Certbot`
Update nginx fronting example: http2 config and enable quic+http3 (#3460) * update http2 config due to deprecation the previous way to let `http2` follow a `listen` was depracated, it moved to `http2 on;` * enable quic and http3 I hope the comments are somewhat understandable. if someone can describe the `reuseport` part more concise, please do. 2024-08-01 15:12:27 +00:00			`}`