Update reverse-proxy examples

examples/apache/README.md

@@ -1,17 +1,14 @@
 # Apache reverse-proxy
 
-This directory contains sample files that show you how to do reverse-proxying using Apache.
+This directory contains sample files that show you how to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with your Apache reverse-proxy.
 
-This is for when you wish to have your own Apache webserver sitting in front of Matrix services installed by this playbook.
-See the [Using your own webserver, instead of this playbook's nginx proxy](../../docs/configuring-playbook-own-webserver.md) documentation page.
+## Prerequisite configuration
 
-To use your own Apache reverse-proxy, you first need to disable the integrated nginx server.
-You do that with the following custom configuration (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
+To get started, first follow the [front the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) instructions and update your playbook's configuration (`inventory/host_vars/matrix.<your-domain>/vars.yml`).
 
-```yaml
-matrix_nginx_proxy_enabled: false
-```
+## Using the Apache configuration
 
-You can then use the configuration files from this directory as an example for how to configure your Apache server.
+`matrix-domain.conf` contains configuration for the Matrix domain, which handles both the Client-Server API (port `443`) and the Matrix Federation API (port `8448`).
 
-**NOTE**: this is just an example and may not be entirely accurate. It may also not cover other use cases (enabling various services or bridges requires additional reverse-proxying configuration).
+`matrix-client-element.conf` is an example for when you're hosting Element at `element.DOMAIN`.
+This configuration can also be used as an example for handling other domains, depending on the services you enable with the playbook (e.g. `dimension.DOMAIN`, etc).

examples/apache/matrix-client-element.conf

@@ -4,14 +4,8 @@
 <VirtualHost *:80>
 	ServerName element.DOMAIN
 
-	ProxyVia On
-
-	# Map /.well-known/acme-challenge to the certbot server
-	# If you manage SSL certificates by yourself, this will differ.
-	<Location /.well-known/acme-challenge>
-		ProxyPreserveHost On
-		ProxyPass http://127.0.0.1:2402/.well-known/acme-challenge
-	</Location>
+	# You may wish to handle the /.well-known/acme-challenge paths here somehow,
+	# if you're using ACME (Let's Encrypt) certificates.
 
 	Redirect permanent / https://element.DOMAIN/
 </VirtualHost>
@@ -33,8 +27,8 @@
 	ProxyRequests Off
 	ProxyVia On
 
-	ProxyPass / http://127.0.0.1:8765/
-	ProxyPassReverse / http://127.0.0.1:8765/
+	ProxyPass / http://127.0.0.1:81/
+	ProxyPassReverse / http://127.0.0.1:81/
 
 	ErrorLog ${APACHE_LOG_DIR}/element.DOMAIN-error.log
 	CustomLog ${APACHE_LOG_DIR}/element.DOMAIN-access.log combined

examples/apache/matrix-dimension.conf

@@ -1,41 +0,0 @@
-# This is a sample file demonstrating how to set up reverse-proxy for dimension.DOMAIN.
-# If you're not using Dimension (`matrix_dimension_enabled: false`, which is also the default), you won't need this.
-
-<VirtualHost *:80>
-	ServerName dimension.DOMAIN
-
-	ProxyVia On
-
-	# Map /.well-known/acme-challenge to the certbot server
-	# If you manage SSL certificates by yourself, this will differ.
-	<Location /.well-known/acme-challenge>
-		ProxyPreserveHost On
-		ProxyPass http://127.0.0.1:2402/.well-known/acme-challenge
-	</Location>
-
-	Redirect permanent / https://dimension.DOMAIN/
-</VirtualHost>
-
-<VirtualHost *:443>
-	ServerName dimension.DOMAIN
-
-	SSLEngine On
-
-	# If you manage SSL certificates by yourself, these paths will differ.
-	SSLCertificateFile /matrix/ssl/config/live/dimension.DOMAIN/fullchain.pem
-	SSLCertificateKeyFile /matrix/ssl/config/live/dimension.DOMAIN/privkey.pem
-
-	SSLProxyEngine on
-	SSLProxyProtocol +TLSv1.2 +TLSv1.3
-	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
-
-	ProxyPreserveHost On
-	ProxyRequests Off
-	ProxyVia On
-
-	ProxyPass / http://127.0.0.1:8184/
-	ProxyPassReverse / http://127.0.0.1:8184/
-
-	ErrorLog ${APACHE_LOG_DIR}/dimension.DOMAIN-error.log
-	CustomLog ${APACHE_LOG_DIR}/dimension.DOMAIN-access.log combined
-</VirtualHost>

examples/apache/matrix-domain.conf

@@ -0,0 +1,65 @@
+# This is a sample file demonstrating how to set up reverse-proxy for matrix.DOMAIN
+
+<VirtualHost *:80>
+	ServerName matrix.DOMAIN
+
+	# You may wish to handle the /.well-known/acme-challenge paths here somehow,
+	# if you're using ACME (Let's Encrypt) certificates.
+
+	Redirect permanent / https://matrix.DOMAIN/
+</VirtualHost>
+
+# Client-Server API
+<VirtualHost *:443>
+	ServerName matrix.DOMAIN
+
+	SSLEngine On
+
+	# If you manage SSL certificates by yourself, these paths will differ.
+	SSLCertificateFile /path/to/matrix.DOMAIN/fullchain.pem
+	SSLCertificateKeyFile /path/to/matrix.DOMAIN/privkey.pem
+
+	SSLProxyEngine on
+	SSLProxyProtocol +TLSv1.2 +TLSv1.3
+	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+
+	ProxyPreserveHost On
+	ProxyRequests Off
+	ProxyVia On
+	RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
+
+	AllowEncodedSlashes NoDecode
+	ProxyPass / http://127.0.0.1:81 retry=0 nocanon
+	ProxyPassReverse / http://127.0.0.1:81/
+
+	ErrorLog ${APACHE_LOG_DIR}/matrix.DOMAIN-error.log
+	CustomLog ${APACHE_LOG_DIR}/matrix.DOMAIN-access.log combined
+</VirtualHost>
+
+# Server-Server (federation) API
+Listen 8448
+<VirtualHost *:8448>
+	ServerName matrix.DOMAIN
+
+	SSLEngine On
+
+	# If you manage SSL certificates by yourself, these paths will differ.
+	SSLCertificateFile /matrix/ssl/config/live/matrix.DOMAIN/fullchain.pem
+	SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem
+
+	SSLProxyEngine on
+	SSLProxyProtocol +TLSv1.2 +TLSv1.3
+	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+
+	ProxyPreserveHost On
+	ProxyRequests Off
+	ProxyVia On
+	RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
+
+	AllowEncodedSlashes NoDecode
+	ProxyPass / http://127.0.0.1:8449/ retry=0 nocanon
+	ProxyPassReverse / http://127.0.0.1:8449/
+
+	ErrorLog ${APACHE_LOG_DIR}/matrix.DOMAIN-error.log
+	CustomLog ${APACHE_LOG_DIR}/matrix.DOMAIN-access.log combined
+</VirtualHost>

examples/apache/matrix-synapse.conf

@@ -1,146 +0,0 @@
-# This is a sample file demonstrating how to set up reverse-proxy for matrix.DOMAIN
-
-<VirtualHost *:80>
-	ServerName matrix.DOMAIN
-
-	ProxyVia On
-
-	# Map /.well-known/acme-challenge to the certbot server
-	# If you manage SSL certificates by yourself, this will differ.
-	<Location /.well-known/acme-challenge>
-		ProxyPreserveHost On
-		ProxyPass http://127.0.0.1:2402/.well-known/acme-challenge
-	</Location>
-
-	Redirect permanent / https://matrix.DOMAIN/
-</VirtualHost>
-
-# Client-Server API
-<VirtualHost *:443>
-	ServerName matrix.DOMAIN
-
-	SSLEngine On
-
-	# If you manage SSL certificates by yourself, these paths will differ.
-	SSLCertificateFile /matrix/ssl/config/live/matrix.DOMAIN/fullchain.pem
-	SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem
-
-	SSLProxyEngine on
-	SSLProxyProtocol +TLSv1.2 +TLSv1.3
-	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
-
-	ProxyPreserveHost On
-	ProxyRequests Off
-	ProxyVia On
-	RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
-
-	# Keep some URIs free for different proxy/location
-	ProxyPassMatch ^/.well-known/matrix/client !
-	ProxyPassMatch ^/.well-known/matrix/server !
-	ProxyPassMatch ^/.well-known/matrix/support !
-	ProxyPassMatch ^/_matrix/identity !
-	ProxyPassMatch ^/_matrix/client/r0/user_directory/search !
-
-	# Proxy all remaining traffic to Synapse
-	AllowEncodedSlashes NoDecode
-	ProxyPass /_matrix http://127.0.0.1:8008/_matrix retry=0 nocanon
-	ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix
-	ProxyPass /_synapse/client http://127.0.0.1:8008/_synapse/client retry=0 nocanon
-	ProxyPassReverse /_synapse/client http://127.0.0.1:8008/_synapse/client
-
-	# Proxy Admin API (necessary for Synapse-Admin)
-	# ProxyPass /_synapse/admin http://127.0.0.1:8008/_synapse/admin retry=0 nocanon
-	# ProxyPassReverse /_synapse/admin http://127.0.0.1:8008/_synapse/admin
-
-	# Proxy Synapse-Admin
-	# ProxyPass /synapse-admin http://127.0.0.1:8766 retry=0 nocanon
-	# ProxyPassReverse /synapse-admin http://127.0.0.1:8766
-
-	# Map /.well-known/matrix/client for client discovery
-	Alias /.well-known/matrix/client /matrix/static-files/.well-known/matrix/client
-	<Files "/matrix/static-files/.well-known/matrix/client">
-		Require all granted
-	</Files>
-	<Location "/.well-known/matrix/client">
-		Header always set Content-Type "application/json"
-		Header always set Access-Control-Allow-Origin "*"
-	</Location>
-
-	# Map /.well-known/matrix/server for server discovery
-	Alias /.well-known/matrix/server /matrix/static-files/.well-known/matrix/server
-	<Files "/matrix/static-files/.well-known/matrix/server">
-		Require all granted
-	</Files>
-	<Location "/.well-known/matrix/server">
-		Header always set Content-Type "application/json"
-	</Location>
-
-	# Map /.well-known/matrix/support for support discovery
-	Alias /.well-known/matrix/support /matrix/static-files/.well-known/matrix/support
-	<Files "/matrix/static-files/.well-known/matrix/support">
-		Require all granted
-	</Files>
-	<Location "/.well-known/matrix/support">
-		Header always set Content-Type "application/json"
-	</Location>
-
-	<Directory /matrix/static-files/.well-known/matrix/>
-		AllowOverride All
-		# Apache 2.4:
-		Require all granted
-		# Or for Apache 2.2:
-		#order allow,deny
-	</Directory>
-
-	# Map /_matrix/identity to the identity server
-	<Location /_matrix/identity>
-		ProxyPass http://127.0.0.1:8090/_matrix/identity nocanon
-	</Location>
-
-	# Map /_matrix/client/r0/user_directory/search to the identity server
-	<Location /_matrix/client/r0/user_directory/search>
-		ProxyPass http://127.0.0.1:8090/_matrix/client/r0/user_directory/search nocanon
-	</Location>
-
-	ErrorLog ${APACHE_LOG_DIR}/matrix.DOMAIN-error.log
-	CustomLog ${APACHE_LOG_DIR}/matrix.DOMAIN-access.log combined
-</VirtualHost>
-
-# Server-Server (federation) API
-# Use this apache reverse proxy template to enable matrix server-to-server federation traffic
-# Be sure that network traffic on port 8448 is possible
-#
-# You can check your federation config at https://federationtester.matrix.org/
-# Enter there your base DOMAIN address, NOT your matrix.DOMAIN address, ex. https://DOMAIN
-#
-# In this example we use all services on the same machine (127.0.0.1) but you can do this with different machines.
-# If you do so be sure to reach the destinated IPADRESS and the correspondending port. Check this with netstat, nmap or your favourite tool.
-Listen 8448
-<VirtualHost *:8448>
-	ServerName matrix.DOMAIN
-
-	SSLEngine On
-
-	# If you manage SSL certificates by yourself, these paths will differ.
-	SSLCertificateFile /matrix/ssl/config/live/matrix.DOMAIN/fullchain.pem
-	SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem
-
-	SSLProxyEngine on
-	SSLProxyProtocol +TLSv1.2 +TLSv1.3
-	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
-
-	ProxyPreserveHost On
-	ProxyRequests Off
-	ProxyVia On
-	RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
-
-	# Proxy all remaining traffic to the Synapse port
-	# Beware: In this example the local traffic goes to the local synapse server at 127.0.0.1
-	# Of course you can use another IPADRESS in case of using other synapse servers in your network
-	AllowEncodedSlashes NoDecode
-	ProxyPass /_matrix http://127.0.0.1:8048/_matrix retry=0 nocanon
-	ProxyPassReverse /_matrix http://127.0.0.1:8048/_matrix
-
-	ErrorLog ${APACHE_LOG_DIR}/matrix.DOMAIN-error.log
-	CustomLog ${APACHE_LOG_DIR}/matrix.DOMAIN-access.log combined
-</VirtualHost>