From 0e831db3e5da63f6f513ee197677daa051185ba1 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Sun, 14 Jan 2024 17:23:28 +0200
Subject: [PATCH] Update reverse-proxy examples
---
 examples/apache/README.md | 17 +-
 examples/apache/matrix-client-element.conf | 14 +-
 examples/apache/matrix-dimension.conf | 41 ----
 examples/apache/matrix-domain.conf | 65 +++++
 examples/apache/matrix-synapse.conf | 146 -----------
 examples/caddy/matrix-client-element | 8 -
 examples/caddy/matrix-dimension | 9 -
 examples/caddy/matrix-synapse | 31 ---
 examples/caddy/matrix-util | 7 -
 examples/caddy2/Caddyfile.deprecated | 269 ---------------------
 examples/caddy2/README.md | 6 +-
 examples/haproxy/Dockerfile | 12 -
 examples/haproxy/README.md | 19 +-
 examples/haproxy/docker-compose.yml | 9 -
 examples/haproxy/haproxy.cfg | 38 +-
 examples/haproxy/nginx.conf | 15 --
 16 files changed, 89 insertions(+), 617 deletions(-)
 delete mode 100644 examples/apache/matrix-dimension.conf
 create mode 100644 examples/apache/matrix-domain.conf
 delete mode 100644 examples/apache/matrix-synapse.conf
 delete mode 100644 examples/caddy/matrix-client-element
 delete mode 100644 examples/caddy/matrix-dimension
 delete mode 100644 examples/caddy/matrix-synapse
 delete mode 100644 examples/caddy/matrix-util
 delete mode 100644 examples/caddy2/Caddyfile.deprecated
 delete mode 100644 examples/haproxy/Dockerfile
 delete mode 100644 examples/haproxy/docker-compose.yml
 delete mode 100644 examples/haproxy/nginx.conf
diff --git a/examples/apache/README.md b/examples/apache/README.md
index 92d7d932d..997c363ea 100644
--- a/examples/apache/README.md
+++ b/examples/apache/README.md
@@ -1,17 +1,14 @@
 # Apache reverse-proxy
-This directory contains sample files that show you how to do reverse-proxying using Apache.
+This directory contains sample files that show you how to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with your Apache reverse-proxy.
-This is for when you wish to have your own Apache webserver sitting in front of Matrix services installed by this playbook.
-See the [Using your own webserver, instead of this playbook's nginx proxy](../../docs/configuring-playbook-own-webserver.md) documentation page.
+## Prerequisite configuration
-To use your own Apache reverse-proxy, you first need to disable the integrated nginx server.
-You do that with the following custom configuration (`inventory/host_vars/matrix./vars.yml`):
+To get started, first follow the [front the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) instructions and update your playbook's configuration (`inventory/host_vars/matrix./vars.yml`).
-```yaml
-matrix_nginx_proxy_enabled: false
-```
+## Using the Apache configuration
-You can then use the configuration files from this directory as an example for how to configure your Apache server.
+`matrix-domain.conf` contains configuration for the Matrix domain, which handles both the Client-Server API (port `443`) and the Matrix Federation API (port `8448`).
-**NOTE**: this is just an example and may not be entirely accurate. It may also not cover other use cases (enabling various services or bridges requires additional reverse-proxying configuration).
+`matrix-client-element.conf` is an example for when you're hosting Element at `element.DOMAIN`.
+This configuration can also be used as an example for handling other domains, depending on the services you enable with the playbook (e.g. `dimension.DOMAIN`, etc).
diff --git a/examples/apache/matrix-client-element.conf b/examples/apache/matrix-client-element.conf index f2b347fe1..005a9fc28 100644 --- a/examples/apache/matrix-client-element.conf +++ b/examples/apache/matrix-client-element.conf @@ -4,14 +4,8 @@ ServerName element.DOMAIN - ProxyVia On - - # Map /.well-known/acme-challenge to the certbot server - # If you manage SSL certificates by yourself, this will differ. - - ProxyPreserveHost On - ProxyPass http://127.0.0.1:2402/.well-known/acme-challenge - + # You may wish to handle the /.well-known/acme-challenge paths here somehow, + # if you're using ACME (Let's Encrypt) certificates. Redirect permanent / https://element.DOMAIN/ @@ -33,8 +27,8 @@ ProxyRequests Off ProxyVia On - ProxyPass / http://127.0.0.1:8765/ - ProxyPassReverse / http://127.0.0.1:8765/ + ProxyPass / http://127.0.0.1:81/ + ProxyPassReverse / http://127.0.0.1:81/ ErrorLog ${APACHE_LOG_DIR}/element.DOMAIN-error.log CustomLog ${APACHE_LOG_DIR}/element.DOMAIN-access.log combined diff --git a/examples/apache/matrix-dimension.conf b/examples/apache/matrix-dimension.conf deleted file mode 100644 index f334690e3..000000000 --- a/examples/apache/matrix-dimension.conf +++ /dev/null 
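Review bot: The `element.DOMAIN` TLS vhost now terminates HTTPS and forwards plain HTTP to `http://127.0.0.1:81/`, yet the visible lines of the second hunk set no `X-Forwarded-Proto` header, whereas the new `matrix-domain.conf` does; without it the upstream proxy cannot tell that the client connected over TLS, which may affect any redirect or absolute-URL generation it performs. Adding `RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}` after `ProxyVia On` keeps the two Apache examples consistent. The enclosing vhost starts above the hunk, so the header may already be present there; if so, ignore this. The replacement comment in the first hunk is vague for a copy-paste example — a concrete hint such as `# e.g. proxy /.well-known/acme-challenge/ to your ACME client, or serve it from a local webroot` would help readers.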
@@ -1,41 +0,0 @@ -# This is a sample file demonstrating how to set up reverse-proxy for dimension.DOMAIN. -# If you're not using Dimension (`matrix_dimension_enabled: false`, which is also the default), you won't need this. - - - ServerName dimension.DOMAIN - - ProxyVia On - - # Map /.well-known/acme-challenge to the certbot server - # If you manage SSL certificates by yourself, this will differ. - - ProxyPreserveHost On - ProxyPass http://127.0.0.1:2402/.well-known/acme-challenge - - - Redirect permanent / https://dimension.DOMAIN/ - - - - ServerName dimension.DOMAIN - - SSLEngine On - - # If you manage SSL certificates by yourself, these paths will differ. - SSLCertificateFile /matrix/ssl/config/live/dimension.DOMAIN/fullchain.pem - SSLCertificateKeyFile /matrix/ssl/config/live/dimension.DOMAIN/privkey.pem - - SSLProxyEngine on - SSLProxyProtocol +TLSv1.2 +TLSv1.3 - SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH - - ProxyPreserveHost On - ProxyRequests Off - ProxyVia On - - ProxyPass / http://127.0.0.1:8184/ - ProxyPassReverse / http://127.0.0.1:8184/ - - ErrorLog ${APACHE_LOG_DIR}/dimension.DOMAIN-error.log - CustomLog ${APACHE_LOG_DIR}/dimension.DOMAIN-access.log combined - diff --git a/examples/apache/matrix-domain.conf b/examples/apache/matrix-domain.conf new file mode 100644 index 000000000..ba4af4f44 --- /dev/null +++ b/examples/apache/matrix-domain.conf 
@@ -0,0 +1,65 @@ +# This is a sample file demonstrating how to set up reverse-proxy for matrix.DOMAIN + + + ServerName matrix.DOMAIN + + # You may wish to handle the /.well-known/acme-challenge paths here somehow, + # if you're using ACME (Let's Encrypt) certificates. + + Redirect permanent / https://matrix.DOMAIN/ + + +# Client-Server API + + ServerName matrix.DOMAIN + + SSLEngine On + + # If you manage SSL certificates by yourself, these paths will differ. + SSLCertificateFile /path/to/matrix.DOMAIN/fullchain.pem + SSLCertificateKeyFile /path/to/matrix.DOMAIN/privkey.pem + + SSLProxyEngine on + SSLProxyProtocol +TLSv1.2 +TLSv1.3 + SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH + + ProxyPreserveHost On + ProxyRequests Off + ProxyVia On + RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME} + + AllowEncodedSlashes NoDecode + ProxyPass / http://127.0.0.1:81 retry=0 nocanon + ProxyPassReverse / http://127.0.0.1:81/ + + ErrorLog ${APACHE_LOG_DIR}/matrix.DOMAIN-error.log + CustomLog ${APACHE_LOG_DIR}/matrix.DOMAIN-access.log combined + + +# Server-Server (federation) API +Listen 8448 + + ServerName matrix.DOMAIN + + SSLEngine On + + # If you manage SSL certificates by yourself, these paths will differ. + SSLCertificateFile /matrix/ssl/config/live/matrix.DOMAIN/fullchain.pem + SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem + + SSLProxyEngine on + SSLProxyProtocol +TLSv1.2 +TLSv1.3 + SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH + + ProxyPreserveHost On + ProxyRequests Off + ProxyVia On + RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME} + + AllowEncodedSlashes NoDecode + ProxyPass / http://127.0.0.1:8449/ retry=0 nocanon + ProxyPassReverse / http://127.0.0.1:8449/ + + ErrorLog ${APACHE_LOG_DIR}/matrix.DOMAIN-error.log + CustomLog ${APACHE_LOG_DIR}/matrix.DOMAIN-access.log combined + 
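Review bot: The two TLS vhosts in this new file disagree on the certificate location: the Client-Server vhost uses the `/path/to/matrix.DOMAIN/...` placeholder, but the federation vhost under `Listen 8448` still points at `/matrix/ssl/config/live/matrix.DOMAIN/fullchain.pem` and `privkey.pem`, the path the deleted examples used for playbook-managed certificates; both should use the same placeholder, `SSLCertificateFile /path/to/matrix.DOMAIN/fullchain.pem` and `SSLCertificateKeyFile /path/to/matrix.DOMAIN/privkey.pem`. The Client-Server `ProxyPass / http://127.0.0.1:81 retry=0 nocanon` also lacks the trailing slash that its own `ProxyPassReverse` and the federation `ProxyPass / http://127.0.0.1:8449/` carry; mod_proxy expects both arguments to end (or not end) in `/` together, so `ProxyPass / http://127.0.0.1:81/ retry=0 nocanon` is the well-formed mapping. Since both upstreams are plain `http://`, the `SSLProxyEngine`/`SSLProxyProtocol` lines carried over from the old file have no effect here, while nothing restricts the TLS versions Apache itself offers to clients — presumably `SSLProtocol -all +TLSv1.2 +TLSv1.3` is what was intended, and the `SSLCipherSuite` list still admits the CBC `AES256+EECDH:AES256+EDH` suites alongside the AEAD ones.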
diff --git a/examples/apache/matrix-synapse.conf b/examples/apache/matrix-synapse.conf deleted file mode 100644 index 17c6b6ea5..000000000 --- a/examples/apache/matrix-synapse.conf +++ /dev/null 
@@ -1,146 +0,0 @@ -# This is a sample file demonstrating how to set up reverse-proxy for matrix.DOMAIN - - - ServerName matrix.DOMAIN - - ProxyVia On - - # Map /.well-known/acme-challenge to the certbot server - # If you manage SSL certificates by yourself, this will differ. - - ProxyPreserveHost On - ProxyPass http://127.0.0.1:2402/.well-known/acme-challenge - - - Redirect permanent / https://matrix.DOMAIN/ - - -# Client-Server API - - ServerName matrix.DOMAIN - - SSLEngine On - - # If you manage SSL certificates by yourself, these paths will differ. - SSLCertificateFile /matrix/ssl/config/live/matrix.DOMAIN/fullchain.pem - SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem - - SSLProxyEngine on - SSLProxyProtocol +TLSv1.2 +TLSv1.3 - SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH - - ProxyPreserveHost On - ProxyRequests Off - ProxyVia On - RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME} - - # Keep some URIs free for different proxy/location - ProxyPassMatch ^/.well-known/matrix/client ! - ProxyPassMatch ^/.well-known/matrix/server ! - ProxyPassMatch ^/.well-known/matrix/support ! - ProxyPassMatch ^/_matrix/identity ! - ProxyPassMatch ^/_matrix/client/r0/user_directory/search ! 
- - # Proxy all remaining traffic to Synapse - AllowEncodedSlashes NoDecode - ProxyPass /_matrix http://127.0.0.1:8008/_matrix retry=0 nocanon - ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix - ProxyPass /_synapse/client http://127.0.0.1:8008/_synapse/client retry=0 nocanon - ProxyPassReverse /_synapse/client http://127.0.0.1:8008/_synapse/client - - # Proxy Admin API (necessary for Synapse-Admin) - # ProxyPass /_synapse/admin http://127.0.0.1:8008/_synapse/admin retry=0 nocanon - # ProxyPassReverse /_synapse/admin http://127.0.0.1:8008/_synapse/admin - - # Proxy Synapse-Admin - # ProxyPass /synapse-admin http://127.0.0.1:8766 retry=0 nocanon - # ProxyPassReverse /synapse-admin http://127.0.0.1:8766 - - # Map /.well-known/matrix/client for client discovery - Alias /.well-known/matrix/client /matrix/static-files/.well-known/matrix/client - - Require all granted - - - Header always set Content-Type "application/json" - Header always set Access-Control-Allow-Origin "*" - - - # Map /.well-known/matrix/server for server discovery - Alias /.well-known/matrix/server /matrix/static-files/.well-known/matrix/server - - Require all granted - - - Header always set Content-Type "application/json" - - - # Map /.well-known/matrix/support for support discovery - Alias /.well-known/matrix/support /matrix/static-files/.well-known/matrix/support - - Require all granted - - - Header always set Content-Type "application/json" - - - - AllowOverride All - # Apache 2.4: - Require all granted - # Or for Apache 2.2: - #order allow,deny - - - # Map /_matrix/identity to the identity server - - ProxyPass http://127.0.0.1:8090/_matrix/identity nocanon - - - # Map /_matrix/client/r0/user_directory/search to the identity server - - ProxyPass http://127.0.0.1:8090/_matrix/client/r0/user_directory/search nocanon - - - ErrorLog ${APACHE_LOG_DIR}/matrix.DOMAIN-error.log - CustomLog ${APACHE_LOG_DIR}/matrix.DOMAIN-access.log combined - - -# Server-Server (federation) API -# Use this apache 
reverse proxy template to enable matrix server-to-server federation traffic -# Be sure that network traffic on port 8448 is possible -# -# You can check your federation config at https://federationtester.matrix.org/ -# Enter there your base DOMAIN address, NOT your matrix.DOMAIN address, ex. https://DOMAIN -# -# In this example we use all services on the same machine (127.0.0.1) but you can do this with different machines. -# If you do so be sure to reach the destinated IPADRESS and the correspondending port. Check this with netstat, nmap or your favourite tool. -Listen 8448 - - ServerName matrix.DOMAIN - - SSLEngine On - - # If you manage SSL certificates by yourself, these paths will differ. - SSLCertificateFile /matrix/ssl/config/live/matrix.DOMAIN/fullchain.pem - SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem - - SSLProxyEngine on - SSLProxyProtocol +TLSv1.2 +TLSv1.3 - SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH - - ProxyPreserveHost On - ProxyRequests Off - ProxyVia On - RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME} - - # Proxy all remaining traffic to the Synapse port - # Beware: In this example the local traffic goes to the local synapse server at 127.0.0.1 - # Of course you can use another IPADRESS in case of using other synapse servers in your network - AllowEncodedSlashes NoDecode - ProxyPass /_matrix http://127.0.0.1:8048/_matrix retry=0 nocanon - ProxyPassReverse /_matrix http://127.0.0.1:8048/_matrix - - ErrorLog ${APACHE_LOG_DIR}/matrix.DOMAIN-error.log - CustomLog ${APACHE_LOG_DIR}/matrix.DOMAIN-access.log combined - diff --git a/examples/caddy/matrix-client-element b/examples/caddy/matrix-client-element deleted file mode 100644 index 2dc6ba345..000000000 --- a/examples/caddy/matrix-client-element +++ /dev/null 
@@ -1,8 +0,0 @@ -https://element.DOMAIN { - # These might differ if you are supplying your own certificates - tls /matrix/ssl/config/live/element.DOMAIN/fullchain.pem /matrix/ssl/config/live/element.DOMAIN/privkey.pem - - proxy / http://127.0.0.1:8765 { - transparent - } -} diff --git a/examples/caddy/matrix-dimension b/examples/caddy/matrix-dimension deleted file mode 100644 index 74d08e593..000000000 --- a/examples/caddy/matrix-dimension +++ /dev/null @@ -1,9 +0,0 @@ -https://dimension.DOMAIN { - # These might differ if you are supplying your own certificates - # If you wish to use Caddy's built-in Let's Encrypt support, you can also supply an email address here - tls /matrix/ssl/config/live/dimension.DOMAIN/fullchain.pem /matrix/ssl/config/live/dimension.DOMAIN/privkey.pem - - proxy / http://127.0.0.1:8184/ { - transparent - } -} diff --git a/examples/caddy/matrix-synapse b/examples/caddy/matrix-synapse deleted file mode 100644 index 46c48ab65..000000000 --- a/examples/caddy/matrix-synapse +++ /dev/null @@ -1,31 +0,0 @@ -https://matrix.DOMAIN { - # If you use your own certificates, your path may differ - # If you wish to use Caddy's built-in Let's Encrypt support, you can also supply an email address here - tls /matrix/ssl/config/live/matrix.DOMAIN/fullchain.pem /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem - - root /matrix/static-files - - header / { - Access-Control-Allow-Origin * - Strict-Transport-Security "mag=age=31536000;" - X-Frame-Options "DENY" - X-XSS-Protection "1; mode=block" - } - - # Identity server traffic - proxy /_matrix/identity matrix-ma1sd:8090 { - transparent - } - proxy /_matrix/client/r0/user_directory/search matrix-ma1sd:8090 { - transparent - } - - # Synapse Client<>Server API - proxy /_matrix matrix-synapse-reverse-proxy-companion:8008 { - transparent - except /_matrix/identity/ /_matrix/client/r0/user_directory/search - } - proxy /_synapse/client matrix-synapse-reverse-proxy-companion:8008 { - transparent - } -} 
diff --git a/examples/caddy/matrix-util b/examples/caddy/matrix-util deleted file mode 100644 index 191f7758f..000000000 --- a/examples/caddy/matrix-util +++ /dev/null @@ -1,7 +0,0 @@ -:80 { - # Redirect ACME-Challenge traffic to port 2402 - proxy /.well-known/acme-challenge http://127.0.0.1:2402 - - # Redirect all other traffic to HTTPS - redir / https://{host}{uri} 301 -} diff --git a/examples/caddy2/Caddyfile.deprecated b/examples/caddy2/Caddyfile.deprecated deleted file mode 100644 index 43005ca41..000000000 --- a/examples/caddy2/Caddyfile.deprecated +++ /dev/null 
@@ -1,269 +0,0 @@ -(cors) { - @cors_preflight method OPTIONS - - handle @cors_preflight { - header Access-Control-Allow-Origin "{args.0}" - header Access-Control-Allow-Methods "HEAD, GET, POST, PUT, PATCH, DELETE" - header Access-Control-Allow-Headers "Content-Type, Authorization" - header Access-Control-Max-Age "3600" - } -} - - -matrix.DOMAIN.tld { - - # creates letsencrypt certificate - # tls your@email.com - - @identity { - path /_matrix/identity/* - } - - @noidentity { - not path /_matrix/identity/* - } - - @search { - path /_matrix/client/r0/user_directory/search/* - } - - @nosearch { - not path /_matrix/client/r0/user_directory/search/* - } - - @static { - path /matrix/static-files/* - } - - @nostatic { - not path /matrix/static-files/* - } - - @wellknown { - path /.well-known/matrix/* - } - - header { - # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS - Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" - # Enable cross-site filter (XSS) and tell browser to block detected attacks - X-XSS-Protection "1; mode=block" - # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type - X-Content-Type-Options "nosniff" - # Disallow the site to be rendered within a frame (clickjacking protection) - X-Frame-Options "DENY" - # X-Robots-Tag - X-Robots-Tag "noindex, noarchive, nofollow" - } - - # Cache - header @static { - # Cache - Cache-Control "public, max-age=31536000" - defer - } - - # identity - handle @identity { - reverse_proxy localhost:8090 { - header_up X-Forwarded-Port {http.request.port} - header_up X-Forwarded-Proto {http.request.scheme} - header_up X-Forwarded-TlsProto {tls_protocol} - header_up X-Forwarded-TlsCipher {tls_cipher} - header_up X-Forwarded-HttpsProto {proto} - } - } - - # search - handle @search { - reverse_proxy localhost:8090 { - header_up X-Forwarded-Port {http.request.port} - header_up X-Forwarded-Proto {http.request.scheme} - header_up 
X-Forwarded-TlsProto {tls_protocol} - header_up X-Forwarded-TlsCipher {tls_cipher} - header_up X-Forwarded-HttpsProto {proto} - } - } - - handle @wellknown { - encode zstd gzip - root * /matrix/static-files - header Cache-Control max-age=14400 - header Content-Type application/json - header Access-Control-Allow-Origin * - file_server - } - - # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the base domain - #handle @wellknown { - # # .well-known is handled by base domain - # reverse_proxy https://DOMAIN.tld { - # header_up Host {http.reverse_proxy.upstream.hostport} - #} - - handle { - encode zstd gzip - - reverse_proxy localhost:8008 { - header_up X-Forwarded-Port {http.request.port} - header_up X-Forwarded-Proto {http.request.scheme} - header_up X-Forwarded-TlsProto {tls_protocol} - header_up X-Forwarded-TlsCipher {tls_cipher} - header_up X-Forwarded-HttpsProto {proto} - } - } -} - -matrix.DOMAIN.tld:8448 { - handle { - encode zstd gzip - - reverse_proxy 127.0.0.1:8048 { - header_up X-Forwarded-Port {http.request.port} - header_up X-Forwarded-Proto {http.request.scheme} - header_up X-Forwarded-TlsProto {tls_protocol} - header_up X-Forwarded-TlsCipher {tls_cipher} - header_up X-Forwarded-HttpsProto {proto} - } - } -} - -element.DOMAIN.tld { - - # creates letsencrypt certificate - # tls your@email.com - - import cors https://*.DOMAIN.tld - - header { - # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS - Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" - # Enable cross-site filter (XSS) and tell browser to block detected attacks - X-XSS-Protection "1; mode=block" - # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type - X-Content-Type-Options "nosniff" - # Disallow the site to be rendered within a frame (clickjacking protection) - X-Frame-Options "DENY" - # If 
using integrations that add frames to Element, such as Dimension and its integrations running on the same domain, it can be a good idea to limit sources allowed to be rendered - # Content-Security-Policy frame-src https://*.DOMAIN.tld - # X-Robots-Tag - X-Robots-Tag "noindex, noarchive, nofollow" - } - - handle { - encode zstd gzip - - reverse_proxy localhost:8765 { - header_up X-Forwarded-Port {http.request.port} - header_up X-Forwarded-Proto {http.request.scheme} - header_up X-Forwarded-TlsProto {tls_protocol} - header_up X-Forwarded-TlsCipher {tls_cipher} - header_up X-Forwarded-HttpsProto {proto} - } -} - -#dimension.DOMAIN.tld { -# -# # creates letsencrypt certificate -# # tls your@email.com -# -# import cors https://*.DOMAIN.tld -# -# header { -# # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS -# Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" -# # Enable cross-site filter (XSS) and tell browser to block detected attacks -# X-XSS-Protection "1; mode=block" -# # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type -# X-Content-Type-Options "nosniff" -# # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain (clickjacking protection) -# Content-Security-Policy frame-ancestors https://*.DOMAIN.tld -# # X-Robots-Tag -# X-Robots-Tag "noindex, noarchive, nofollow" -# } -# -# handle { -# encode zstd gzip -# -# reverse_proxy localhost:8184 { -# header_up X-Forwarded-Port {http.request.port} -# header_up X-Forwarded-Proto {http.request.scheme} -# header_up X-Forwarded-TlsProto {tls_protocol} -# header_up X-Forwarded-TlsCipher {tls_cipher} -# header_up X-Forwarded-HttpsProto {proto} -# } -# } -#} - - -#jitsi.DOMAIN.tld { -# -# creates letsencrypt certificate -# tls your@email.com -# -# import cors https://*.DOMAIN.tld -# -# header { -# # Enable HTTP Strict Transport Security 
(HSTS) to force clients to always connect via HTTPS -# Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" -# -# # Enable cross-site filter (XSS) and tell browser to block detected attacks -# X-XSS-Protection "1; mode=block" -# -# # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type -# X-Content-Type-Options "nosniff" - -# # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain -# Content-Security-Policy frame-ancestors https://*.DOMAIN.tld -# -# # Disable some features -# Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope #'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'" -# -# # Referer -# Referrer-Policy "no-referrer" -# -# # X-Robots-Tag -# X-Robots-Tag "none" -# -# # Remove Server header -# -Server -# } -# -# handle { -# encode zstd gzip -# -# reverse_proxy 127.0.0.1:13080 { -# header_up X-Forwarded-Port {http.request.port} -# header_up X-Forwarded-Proto {http.request.scheme} -# header_up X-Forwarded-TlsProto {tls_protocol} -# header_up X-Forwarded-TlsCipher {tls_cipher} -# header_up X-Forwarded-HttpsProto {proto} -# } -# } -#} -#DOMAIN.com { -# Uncomment this if you are following "(Option 3): Setting up reverse-proxying of the well-known files from the base domain's server to the Matrix server" of https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md#option-3-setting-up-reverse-proxying-of-the-well-known-files-from-the-base-domains-server-to-the-matrix-server -# @wellknown { -# path /.well-known/matrix/* -# } -# -# handle @wellknown { -# reverse_proxy https://matrix.DOMAIN.com { -# header_up Host {http.reverse_proxy.upstream.hostport} 
-# } -# } -# # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the matrix subdomain -# # handle /.well-known/* { -# # encode zstd gzip -# # header Cache-Control max-age=14400 -# # header Content-Type application/json -# # header Access-Control-Allow-Origin * -# #} -# -# # Configration for the base domain goes here -# # handle { -# # header -Server -# # encode zstd gzip -# # reverse_proxy localhost:4020 -# # } -#} diff --git a/examples/caddy2/README.md b/examples/caddy2/README.md index d4bfb4755..879efde34 100644 --- a/examples/caddy2/README.md +++ b/examples/caddy2/README.md @@ -13,8 +13,4 @@ To get started, first follow the [front the integrated reverse-proxy webserver w You can either just use the [Caddyfile](Caddyfile) directly or append its content to your own Caddyfile. In both cases make sure to replace all the `example.tld` domains with your own domain. -This example does not include additional services like element, but you should be able copy the first block and replace the matrix subdomain with the additional services subdomain. I have not tested this though. - -# Caddyfile.deprecated - -This can be used as a [Caddy](https://caddyserver.com/) reverse-proxy without intermediary playbook managed reverse proxy. However, this setup is not supported by the playbook anymore. Instead [front the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) as described above. +This example does not include additional services like element, but you should be able copy the first block and replace the matrix subdomain with the additional services subdomain. I have not tested this though. diff --git a/examples/haproxy/Dockerfile b/examples/haproxy/Dockerfile deleted file mode 100644 index 8c7db989e..000000000 
--- a/examples/haproxy/Dockerfile +++ /dev/null @@ -1,12 +0,0 @@ -# Pull nginx base image -FROM nginx:latest - -# Expost port 80 -EXPOSE 80 - -# Copy custom configuration file from the current directory -COPY nginx.conf /etc/nginx/nginx.conf - -# Start up nginx server -CMD ["nginx"] - diff --git a/examples/haproxy/README.md b/examples/haproxy/README.md index c1d20b0f9..1ab173c1f 100644 --- a/examples/haproxy/README.md +++ b/examples/haproxy/README.md 
@@ -3,24 +3,7 @@
 This directory contains sample files that show you how to do reverse-proxying using HAproxy.
 This is for when you wish to have your own HAproxy instance sitting in front of Matrix services installed by this playbook.
-See the [Using your own webserver, instead of this playbook's nginx proxy](../../docs/configuring-playbook-own-webserver.md) documentation page.
-To use your own HAproxy reverse-proxy, you first need to disable the integrated Nginx server.
-You do that with the following custom configuration (`inventory/host_vars/matrix./vars.yml`):
-
-```yaml
-matrix_nginx_proxy_enabled: false
-```
+We recommend that you use HAProxy in front of Traefik. See our [Fronting the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) documentation.
 You can then use the configuration files from this directory as an example for how to configure your HAproxy reverse proxy.
-
-**NOTE**: this is just an example and may not be entirely accurate. It may also not cover other use cases or performance needs.
-
-### Configuration
-
-HAproxy, unlike Apache, Nginx and others, does not provide you with a webserver to serve static files (i.e., `/.well-known/` directory). For this reason, in this folder you can find an example on how to use HAproxy together with a simple Nginx container whose only task is to serve those files.
-
-* Build the Docker image. `docker build -t local/nginx .`
-* Start the container. `docker-compose up -d`. Note that if you want to run Nginx on a different port, you will have to change the port both in the `docker-compose.yml` and in `haproxy.cfg`.
-* If you don't want to use a wildcard certificate, you will need to modify the corresponding line in the HTTPS frontent and add the paths of all the specific certificates (as for the commented example in `haproxy.cfg`).
-* Start HAproxy with the proposed configuration.
diff --git a/examples/haproxy/docker-compose.yml b/examples/haproxy/docker-compose.yml deleted file mode 100644 index b5c9aab79..000000000 --- a/examples/haproxy/docker-compose.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -version: '3' -services: - nginx: - image: local/nginx - ports: - - 40888:80 - volumes: - - /matrix/static-files:/var/www/:ro diff --git a/examples/haproxy/haproxy.cfg b/examples/haproxy/haproxy.cfg index c7fbf967b..b3e176a89 100644 --- a/examples/haproxy/haproxy.cfg +++ b/examples/haproxy/haproxy.cfg @@ -43,29 +43,16 @@ frontend https-frontend reqadd X-Forwarded-Proto:\ https option httplog option http-server-close - # - # Matrix - # - # matrix.example.com + + # You can do per-domain routing (as shown above), + # or just send everything to the same backend via `default_backend`. + acl matrix_domain hdr_dom(host) -i matrix.example.com - acl static_files path -i -m beg /.well-known/matrix - use_backend nginx-static if static_files - # /_matrix/identity and /_matrix/client/r0/user_directory/search - acl matrix_identity path -i -m beg /_matrix/identity - acl matrix_search path -i -m beg /_matrix/client/r0/user_directory/search - # Send to :8090 - use_backend matrix-supporting if matrix_identity or matrix_search - # /_matrix and /_synapse/admin - acl matrix_path path -i -m beg /_matrix - acl synapse_admin path -i -m beg /_synapse/admin - # Send to :8008 - use_backend matrix-main if matrix_path or synapse_admin - # element.example.com - acl element_domain hdr_dom(host) -i element.example.com - # Send to 8765 - use_backend element if element_domain - # If nothing else match, just send to default matrix backend use_backend matrix-main if matrix_domain + + acl matrix_domain hdr_dom(host) -i element.example.com + use_backend matrix-main if matrix_domain + #default_backend matrix-main frontend matrix-federation 
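Review bot: The ACL name `matrix_domain` is declared twice in the new routing block of `frontend https-frontend`, once for `matrix.example.com` and once for `element.example.com`; HAProxy combines same-named `acl` declarations with OR, so the second `use_backend matrix-main if matrix_domain` appears to be redundant and the pair reads as a copy-paste slip rather than the per-domain routing the comment promises. Give the second domain its own name, `acl element_domain hdr_dom(host) -i element.example.com` followed by `use_backend matrix-main if element_domain`. The new comment says per-domain routing is shown "above", but the examples follow it, so "below" is the accurate word. The context line `reqadd X-Forwarded-Proto:\ https` predates this change, but readers copying the example should know that `reqadd` was removed in recent HAProxy releases in favour of `http-request set-header`.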
@@ -75,14 +62,11 @@ frontend matrix-federation option http-server-close default_backend synapse -backend matrix-supporting - server matrix-supporting 127.0.0.1:8090 check - backend matrix-main - server matrix-main 127.0.0.1:8008 check + server matrix-main 127.0.0.1:81 check -backend synapse - server synapse 127.0.0.1:8048 check +backend matrix-federation + server matrix-federation 127.0.0.1:8049 check backend nginx-static capture request header origin len 128 diff --git a/examples/haproxy/nginx.conf b/examples/haproxy/nginx.conf deleted file mode 100644 index 912e17c6c..000000000 --- a/examples/haproxy/nginx.conf +++ /dev/null @@ -1,15 +0,0 @@ -worker_processes auto; -daemon off; - -events { - worker_connections 1024; -} - -http { - server_tokens off; - server { - listen 80; - index index.html; - root /var/www; - } -}
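Review bot: Renaming `backend synapse` to `backend matrix-federation` leaves the unchanged context line `default_backend synapse` in `frontend matrix-federation` referring to a backend that no longer exists, which HAProxy rejects when it validates the configuration; it needs to become `default_backend matrix-federation`. `backend nginx-static` is also kept as context, but this commit deletes the nginx container files it proxied to (`Dockerfile`, `docker-compose.yml`, `nginx.conf`) and the first hunk removes its only `use_backend`, so it is now dead configuration that should be removed as well. The federation backend here targets `127.0.0.1:8049` while the new Apache example targets `8449`; if both are meant to reach the same integrated-proxy entrypoint, one of them is presumably a typo and should be checked against the documentation the README links to.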