Update reverse-proxy examples
This commit is contained in:
parent
aff57d67c0
commit
0e831db3e5
@ -1,17 +1,14 @@
|
|||||||
# Apache reverse-proxy
|
# Apache reverse-proxy
|
||||||
|
|
||||||
This directory contains sample files that show you how to do reverse-proxying using Apache.
|
This directory contains sample files that show you how to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with your Apache reverse-proxy.
|
||||||
|
|
||||||
This is for when you wish to have your own Apache webserver sitting in front of Matrix services installed by this playbook.
|
## Prerequisite configuration
|
||||||
See the [Using your own webserver, instead of this playbook's nginx proxy](../../docs/configuring-playbook-own-webserver.md) documentation page.
|
|
||||||
|
|
||||||
To use your own Apache reverse-proxy, you first need to disable the integrated nginx server.
|
To get started, first follow the [front the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) instructions and update your playbook's configuration (`inventory/host_vars/matrix.<your-domain>/vars.yml`).
|
||||||
You do that with the following custom configuration (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
|
|
||||||
|
|
||||||
```yaml
|
## Using the Apache configuration
|
||||||
matrix_nginx_proxy_enabled: false
|
|
||||||
```
|
|
||||||
|
|
||||||
You can then use the configuration files from this directory as an example for how to configure your Apache server.
|
`matrix-domain.conf` contains configuration for the Matrix domain, which handles both the Client-Server API (port `443`) and the Matrix Federation API (port `8448`).
|
||||||
|
|
||||||
**NOTE**: this is just an example and may not be entirely accurate. It may also not cover other use cases (enabling various services or bridges requires additional reverse-proxying configuration).
|
`matrix-client-element.conf` is an example for when you're hosting Element at `element.DOMAIN`.
|
||||||
|
This configuration can also be used as an example for handling other domains, depending on the services you enable with the playbook (e.g. `dimension.DOMAIN`, etc).
|
||||||
|
@ -4,14 +4,8 @@
|
|||||||
<VirtualHost *:80>
|
<VirtualHost *:80>
|
||||||
ServerName element.DOMAIN
|
ServerName element.DOMAIN
|
||||||
|
|
||||||
ProxyVia On
|
# You may wish to handle the /.well-known/acme-challenge paths here somehow,
|
||||||
|
# if you're using ACME (Let's Encrypt) certificates.
|
||||||
# Map /.well-known/acme-challenge to the certbot server
|
|
||||||
# If you manage SSL certificates by yourself, this will differ.
|
|
||||||
<Location /.well-known/acme-challenge>
|
|
||||||
ProxyPreserveHost On
|
|
||||||
ProxyPass http://127.0.0.1:2402/.well-known/acme-challenge
|
|
||||||
</Location>
|
|
||||||
|
|
||||||
Redirect permanent / https://element.DOMAIN/
|
Redirect permanent / https://element.DOMAIN/
|
||||||
</VirtualHost>
|
</VirtualHost>
|
||||||
@ -33,8 +27,8 @@
|
|||||||
ProxyRequests Off
|
ProxyRequests Off
|
||||||
ProxyVia On
|
ProxyVia On
|
||||||
|
|
||||||
ProxyPass / http://127.0.0.1:8765/
|
ProxyPass / http://127.0.0.1:81/
|
||||||
ProxyPassReverse / http://127.0.0.1:8765/
|
ProxyPassReverse / http://127.0.0.1:81/
|
||||||
|
|
||||||
ErrorLog ${APACHE_LOG_DIR}/element.DOMAIN-error.log
|
ErrorLog ${APACHE_LOG_DIR}/element.DOMAIN-error.log
|
||||||
CustomLog ${APACHE_LOG_DIR}/element.DOMAIN-access.log combined
|
CustomLog ${APACHE_LOG_DIR}/element.DOMAIN-access.log combined
|
||||||
|
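Review bot: The `*:443` vhost in the second hunk now forwards to Traefik on `http://127.0.0.1:81/` but, unlike the new `matrix-domain.conf`, shows no `RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}` next to its `ProxyPass`; unless that header is set above the hunk, the upstream sees the request as plain HTTP even though Apache terminated TLS. The VirtualHost starts outside the hunk, so `ProxyPreserveHost On` cannot be confirmed here either, and the Traefik upstream presumably routes by `Host`, so the example would not reach the Element router without it. Adding the same two directives the new `matrix-domain.conf` uses keeps the two Apache examples consistent.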
@ -1,41 +0,0 @@
|
|||||||
# This is a sample file demonstrating how to set up reverse-proxy for dimension.DOMAIN.
|
|
||||||
# If you're not using Dimension (`matrix_dimension_enabled: false`, which is also the default), you won't need this.
|
|
||||||
|
|
||||||
<VirtualHost *:80>
|
|
||||||
ServerName dimension.DOMAIN
|
|
||||||
|
|
||||||
ProxyVia On
|
|
||||||
|
|
||||||
# Map /.well-known/acme-challenge to the certbot server
|
|
||||||
# If you manage SSL certificates by yourself, this will differ.
|
|
||||||
<Location /.well-known/acme-challenge>
|
|
||||||
ProxyPreserveHost On
|
|
||||||
ProxyPass http://127.0.0.1:2402/.well-known/acme-challenge
|
|
||||||
</Location>
|
|
||||||
|
|
||||||
Redirect permanent / https://dimension.DOMAIN/
|
|
||||||
</VirtualHost>
|
|
||||||
|
|
||||||
<VirtualHost *:443>
|
|
||||||
ServerName dimension.DOMAIN
|
|
||||||
|
|
||||||
SSLEngine On
|
|
||||||
|
|
||||||
# If you manage SSL certificates by yourself, these paths will differ.
|
|
||||||
SSLCertificateFile /matrix/ssl/config/live/dimension.DOMAIN/fullchain.pem
|
|
||||||
SSLCertificateKeyFile /matrix/ssl/config/live/dimension.DOMAIN/privkey.pem
|
|
||||||
|
|
||||||
SSLProxyEngine on
|
|
||||||
SSLProxyProtocol +TLSv1.2 +TLSv1.3
|
|
||||||
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
|
|
||||||
|
|
||||||
ProxyPreserveHost On
|
|
||||||
ProxyRequests Off
|
|
||||||
ProxyVia On
|
|
||||||
|
|
||||||
ProxyPass / http://127.0.0.1:8184/
|
|
||||||
ProxyPassReverse / http://127.0.0.1:8184/
|
|
||||||
|
|
||||||
ErrorLog ${APACHE_LOG_DIR}/dimension.DOMAIN-error.log
|
|
||||||
CustomLog ${APACHE_LOG_DIR}/dimension.DOMAIN-access.log combined
|
|
||||||
</VirtualHost>
|
|
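--- a/examples/apache/matrix-domain.conf
+++ b/examples/apache/matrix-domain.conf
@@ -0,0 +1,65 @@
+# This is a sample file demonstrating how to set up reverse-proxy for matrix.DOMAIN
+
+<VirtualHost *:80>
+ServerName matrix.DOMAIN
+
+# You may wish to handle the /.well-known/acme-challenge paths here somehow,
+# if you're using ACME (Let's Encrypt) certificates.
+
+Redirect permanent / https://matrix.DOMAIN/
+</VirtualHost>
+
+# Client-Server API
+<VirtualHost *:443>
+ServerName matrix.DOMAIN
+
+SSLEngine On
+
+# If you manage SSL certificates by yourself, these paths will differ.
+SSLCertificateFile /path/to/matrix.DOMAIN/fullchain.pem
+SSLCertificateKeyFile /path/to/matrix.DOMAIN/privkey.pem
+
+SSLProxyEngine on
+SSLProxyProtocol +TLSv1.2 +TLSv1.3
+SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+
+ProxyPreserveHost On
+ProxyRequests Off
+ProxyVia On
+RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
+
+AllowEncodedSlashes NoDecode
+ProxyPass / http://127.0.0.1:81 retry=0 nocanon
+ProxyPassReverse / http://127.0.0.1:81/
+
+ErrorLog ${APACHE_LOG_DIR}/matrix.DOMAIN-error.log
+CustomLog ${APACHE_LOG_DIR}/matrix.DOMAIN-access.log combined
+</VirtualHost>
+
+# Server-Server (federation) API
+Listen 8448
+<VirtualHost *:8448>
+ServerName matrix.DOMAIN
+
+SSLEngine On
+
+# If you manage SSL certificates by yourself, these paths will differ.
+SSLCertificateFile /matrix/ssl/config/live/matrix.DOMAIN/fullchain.pem
+SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem
+
+SSLProxyEngine on
+SSLProxyProtocol +TLSv1.2 +TLSv1.3
+SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+
+ProxyPreserveHost On
+ProxyRequests Off
+ProxyVia On
+RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
+
+AllowEncodedSlashes NoDecode
+ProxyPass / http://127.0.0.1:8449/ retry=0 nocanon
+ProxyPassReverse / http://127.0.0.1:8449/
+
+ErrorLog ${APACHE_LOG_DIR}/matrix.DOMAIN-error.log
+CustomLog ${APACHE_LOG_DIR}/matrix.DOMAIN-access.log combined
+</VirtualHost>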
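Review bot: Both TLS-terminating vhosts (`*:443` and `*:8448`) carry `SSLProxyEngine on` and `SSLProxyProtocol +TLSv1.2 +TLSv1.3` but never restrict the client-facing protocol; `SSLProxy*` only governs connections Apache itself makes to the backend, which here is plain `http://127.0.0.1:81` / `:8449`, so those lines are effectively unused while the frontend falls back to Apache's default `SSLProtocol`. Add `SSLProtocol -all +TLSv1.2 +TLSv1.3` next to `SSLEngine On` in both vhosts, and either drop the `SSLProxy*` lines or note that they only matter if the upstream is ever switched to HTTPS. The two vhosts also disagree on the certificate placeholder (`/path/to/matrix.DOMAIN/...` on 443 versus `/matrix/ssl/config/live/matrix.DOMAIN/...` on 8448); the latter looks like a leftover from the removed example and the federation block should use the same `/path/to/` placeholder. Finally, `ProxyPass / http://127.0.0.1:81 retry=0 nocanon` lacks the trailing slash that its `ProxyPassReverse` and the 8448 block use; `ProxyPass / http://127.0.0.1:81/ retry=0 nocanon` keeps the pair consistent.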
@ -1,146 +0,0 @@
|
|||||||
# This is a sample file demonstrating how to set up reverse-proxy for matrix.DOMAIN
|
|
||||||
|
|
||||||
<VirtualHost *:80>
|
|
||||||
ServerName matrix.DOMAIN
|
|
||||||
|
|
||||||
ProxyVia On
|
|
||||||
|
|
||||||
# Map /.well-known/acme-challenge to the certbot server
|
|
||||||
# If you manage SSL certificates by yourself, this will differ.
|
|
||||||
<Location /.well-known/acme-challenge>
|
|
||||||
ProxyPreserveHost On
|
|
||||||
ProxyPass http://127.0.0.1:2402/.well-known/acme-challenge
|
|
||||||
</Location>
|
|
||||||
|
|
||||||
Redirect permanent / https://matrix.DOMAIN/
|
|
||||||
</VirtualHost>
|
|
||||||
|
|
||||||
# Client-Server API
|
|
||||||
<VirtualHost *:443>
|
|
||||||
ServerName matrix.DOMAIN
|
|
||||||
|
|
||||||
SSLEngine On
|
|
||||||
|
|
||||||
# If you manage SSL certificates by yourself, these paths will differ.
|
|
||||||
SSLCertificateFile /matrix/ssl/config/live/matrix.DOMAIN/fullchain.pem
|
|
||||||
SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem
|
|
||||||
|
|
||||||
SSLProxyEngine on
|
|
||||||
SSLProxyProtocol +TLSv1.2 +TLSv1.3
|
|
||||||
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
|
|
||||||
|
|
||||||
ProxyPreserveHost On
|
|
||||||
ProxyRequests Off
|
|
||||||
ProxyVia On
|
|
||||||
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
|
|
||||||
|
|
||||||
# Keep some URIs free for different proxy/location
|
|
||||||
ProxyPassMatch ^/.well-known/matrix/client !
|
|
||||||
ProxyPassMatch ^/.well-known/matrix/server !
|
|
||||||
ProxyPassMatch ^/.well-known/matrix/support !
|
|
||||||
ProxyPassMatch ^/_matrix/identity !
|
|
||||||
ProxyPassMatch ^/_matrix/client/r0/user_directory/search !
|
|
||||||
|
|
||||||
# Proxy all remaining traffic to Synapse
|
|
||||||
AllowEncodedSlashes NoDecode
|
|
||||||
ProxyPass /_matrix http://127.0.0.1:8008/_matrix retry=0 nocanon
|
|
||||||
ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix
|
|
||||||
ProxyPass /_synapse/client http://127.0.0.1:8008/_synapse/client retry=0 nocanon
|
|
||||||
ProxyPassReverse /_synapse/client http://127.0.0.1:8008/_synapse/client
|
|
||||||
|
|
||||||
# Proxy Admin API (necessary for Synapse-Admin)
|
|
||||||
# ProxyPass /_synapse/admin http://127.0.0.1:8008/_synapse/admin retry=0 nocanon
|
|
||||||
# ProxyPassReverse /_synapse/admin http://127.0.0.1:8008/_synapse/admin
|
|
||||||
|
|
||||||
# Proxy Synapse-Admin
|
|
||||||
# ProxyPass /synapse-admin http://127.0.0.1:8766 retry=0 nocanon
|
|
||||||
# ProxyPassReverse /synapse-admin http://127.0.0.1:8766
|
|
||||||
|
|
||||||
# Map /.well-known/matrix/client for client discovery
|
|
||||||
Alias /.well-known/matrix/client /matrix/static-files/.well-known/matrix/client
|
|
||||||
<Files "/matrix/static-files/.well-known/matrix/client">
|
|
||||||
Require all granted
|
|
||||||
</Files>
|
|
||||||
<Location "/.well-known/matrix/client">
|
|
||||||
Header always set Content-Type "application/json"
|
|
||||||
Header always set Access-Control-Allow-Origin "*"
|
|
||||||
</Location>
|
|
||||||
|
|
||||||
# Map /.well-known/matrix/server for server discovery
|
|
||||||
Alias /.well-known/matrix/server /matrix/static-files/.well-known/matrix/server
|
|
||||||
<Files "/matrix/static-files/.well-known/matrix/server">
|
|
||||||
Require all granted
|
|
||||||
</Files>
|
|
||||||
<Location "/.well-known/matrix/server">
|
|
||||||
Header always set Content-Type "application/json"
|
|
||||||
</Location>
|
|
||||||
|
|
||||||
# Map /.well-known/matrix/support for support discovery
|
|
||||||
Alias /.well-known/matrix/support /matrix/static-files/.well-known/matrix/support
|
|
||||||
<Files "/matrix/static-files/.well-known/matrix/support">
|
|
||||||
Require all granted
|
|
||||||
</Files>
|
|
||||||
<Location "/.well-known/matrix/support">
|
|
||||||
Header always set Content-Type "application/json"
|
|
||||||
</Location>
|
|
||||||
|
|
||||||
<Directory /matrix/static-files/.well-known/matrix/>
|
|
||||||
AllowOverride All
|
|
||||||
# Apache 2.4:
|
|
||||||
Require all granted
|
|
||||||
# Or for Apache 2.2:
|
|
||||||
#order allow,deny
|
|
||||||
</Directory>
|
|
||||||
|
|
||||||
# Map /_matrix/identity to the identity server
|
|
||||||
<Location /_matrix/identity>
|
|
||||||
ProxyPass http://127.0.0.1:8090/_matrix/identity nocanon
|
|
||||||
</Location>
|
|
||||||
|
|
||||||
# Map /_matrix/client/r0/user_directory/search to the identity server
|
|
||||||
<Location /_matrix/client/r0/user_directory/search>
|
|
||||||
ProxyPass http://127.0.0.1:8090/_matrix/client/r0/user_directory/search nocanon
|
|
||||||
</Location>
|
|
||||||
|
|
||||||
ErrorLog ${APACHE_LOG_DIR}/matrix.DOMAIN-error.log
|
|
||||||
CustomLog ${APACHE_LOG_DIR}/matrix.DOMAIN-access.log combined
|
|
||||||
</VirtualHost>
|
|
||||||
|
|
||||||
# Server-Server (federation) API
|
|
||||||
# Use this apache reverse proxy template to enable matrix server-to-server federation traffic
|
|
||||||
# Be sure that network traffic on port 8448 is possible
|
|
||||||
#
|
|
||||||
# You can check your federation config at https://federationtester.matrix.org/
|
|
||||||
# Enter there your base DOMAIN address, NOT your matrix.DOMAIN address, ex. https://DOMAIN
|
|
||||||
#
|
|
||||||
# In this example we use all services on the same machine (127.0.0.1) but you can do this with different machines.
|
|
||||||
# If you do so be sure to reach the destinated IPADRESS and the correspondending port. Check this with netstat, nmap or your favourite tool.
|
|
||||||
Listen 8448
|
|
||||||
<VirtualHost *:8448>
|
|
||||||
ServerName matrix.DOMAIN
|
|
||||||
|
|
||||||
SSLEngine On
|
|
||||||
|
|
||||||
# If you manage SSL certificates by yourself, these paths will differ.
|
|
||||||
SSLCertificateFile /matrix/ssl/config/live/matrix.DOMAIN/fullchain.pem
|
|
||||||
SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem
|
|
||||||
|
|
||||||
SSLProxyEngine on
|
|
||||||
SSLProxyProtocol +TLSv1.2 +TLSv1.3
|
|
||||||
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
|
|
||||||
|
|
||||||
ProxyPreserveHost On
|
|
||||||
ProxyRequests Off
|
|
||||||
ProxyVia On
|
|
||||||
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
|
|
||||||
|
|
||||||
# Proxy all remaining traffic to the Synapse port
|
|
||||||
# Beware: In this example the local traffic goes to the local synapse server at 127.0.0.1
|
|
||||||
# Of course you can use another IPADRESS in case of using other synapse servers in your network
|
|
||||||
AllowEncodedSlashes NoDecode
|
|
||||||
ProxyPass /_matrix http://127.0.0.1:8048/_matrix retry=0 nocanon
|
|
||||||
ProxyPassReverse /_matrix http://127.0.0.1:8048/_matrix
|
|
||||||
|
|
||||||
ErrorLog ${APACHE_LOG_DIR}/matrix.DOMAIN-error.log
|
|
||||||
CustomLog ${APACHE_LOG_DIR}/matrix.DOMAIN-access.log combined
|
|
||||||
</VirtualHost>
|
|
@ -1,8 +0,0 @@
|
|||||||
https://element.DOMAIN {
|
|
||||||
# These might differ if you are supplying your own certificates
|
|
||||||
tls /matrix/ssl/config/live/element.DOMAIN/fullchain.pem /matrix/ssl/config/live/element.DOMAIN/privkey.pem
|
|
||||||
|
|
||||||
proxy / http://127.0.0.1:8765 {
|
|
||||||
transparent
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,9 +0,0 @@
|
|||||||
https://dimension.DOMAIN {
|
|
||||||
# These might differ if you are supplying your own certificates
|
|
||||||
# If you wish to use Caddy's built-in Let's Encrypt support, you can also supply an email address here
|
|
||||||
tls /matrix/ssl/config/live/dimension.DOMAIN/fullchain.pem /matrix/ssl/config/live/dimension.DOMAIN/privkey.pem
|
|
||||||
|
|
||||||
proxy / http://127.0.0.1:8184/ {
|
|
||||||
transparent
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,31 +0,0 @@
|
|||||||
https://matrix.DOMAIN {
|
|
||||||
# If you use your own certificates, your path may differ
|
|
||||||
# If you wish to use Caddy's built-in Let's Encrypt support, you can also supply an email address here
|
|
||||||
tls /matrix/ssl/config/live/matrix.DOMAIN/fullchain.pem /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem
|
|
||||||
|
|
||||||
root /matrix/static-files
|
|
||||||
|
|
||||||
header / {
|
|
||||||
Access-Control-Allow-Origin *
|
|
||||||
Strict-Transport-Security "mag=age=31536000;"
|
|
||||||
X-Frame-Options "DENY"
|
|
||||||
X-XSS-Protection "1; mode=block"
|
|
||||||
}
|
|
||||||
|
|
||||||
# Identity server traffic
|
|
||||||
proxy /_matrix/identity matrix-ma1sd:8090 {
|
|
||||||
transparent
|
|
||||||
}
|
|
||||||
proxy /_matrix/client/r0/user_directory/search matrix-ma1sd:8090 {
|
|
||||||
transparent
|
|
||||||
}
|
|
||||||
|
|
||||||
# Synapse Client<>Server API
|
|
||||||
proxy /_matrix matrix-synapse-reverse-proxy-companion:8008 {
|
|
||||||
transparent
|
|
||||||
except /_matrix/identity/ /_matrix/client/r0/user_directory/search
|
|
||||||
}
|
|
||||||
proxy /_synapse/client matrix-synapse-reverse-proxy-companion:8008 {
|
|
||||||
transparent
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,7 +0,0 @@
|
|||||||
:80 {
|
|
||||||
# Redirect ACME-Challenge traffic to port 2402
|
|
||||||
proxy /.well-known/acme-challenge http://127.0.0.1:2402
|
|
||||||
|
|
||||||
# Redirect all other traffic to HTTPS
|
|
||||||
redir / https://{host}{uri} 301
|
|
||||||
}
|
|
@ -1,269 +0,0 @@
|
|||||||
(cors) {
|
|
||||||
@cors_preflight method OPTIONS
|
|
||||||
|
|
||||||
handle @cors_preflight {
|
|
||||||
header Access-Control-Allow-Origin "{args.0}"
|
|
||||||
header Access-Control-Allow-Methods "HEAD, GET, POST, PUT, PATCH, DELETE"
|
|
||||||
header Access-Control-Allow-Headers "Content-Type, Authorization"
|
|
||||||
header Access-Control-Max-Age "3600"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
matrix.DOMAIN.tld {
|
|
||||||
|
|
||||||
# creates letsencrypt certificate
|
|
||||||
# tls your@email.com
|
|
||||||
|
|
||||||
@identity {
|
|
||||||
path /_matrix/identity/*
|
|
||||||
}
|
|
||||||
|
|
||||||
@noidentity {
|
|
||||||
not path /_matrix/identity/*
|
|
||||||
}
|
|
||||||
|
|
||||||
@search {
|
|
||||||
path /_matrix/client/r0/user_directory/search/*
|
|
||||||
}
|
|
||||||
|
|
||||||
@nosearch {
|
|
||||||
not path /_matrix/client/r0/user_directory/search/*
|
|
||||||
}
|
|
||||||
|
|
||||||
@static {
|
|
||||||
path /matrix/static-files/*
|
|
||||||
}
|
|
||||||
|
|
||||||
@nostatic {
|
|
||||||
not path /matrix/static-files/*
|
|
||||||
}
|
|
||||||
|
|
||||||
@wellknown {
|
|
||||||
path /.well-known/matrix/*
|
|
||||||
}
|
|
||||||
|
|
||||||
header {
|
|
||||||
# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
|
|
||||||
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
|
|
||||||
# Enable cross-site filter (XSS) and tell browser to block detected attacks
|
|
||||||
X-XSS-Protection "1; mode=block"
|
|
||||||
# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
|
|
||||||
X-Content-Type-Options "nosniff"
|
|
||||||
# Disallow the site to be rendered within a frame (clickjacking protection)
|
|
||||||
X-Frame-Options "DENY"
|
|
||||||
# X-Robots-Tag
|
|
||||||
X-Robots-Tag "noindex, noarchive, nofollow"
|
|
||||||
}
|
|
||||||
|
|
||||||
# Cache
|
|
||||||
header @static {
|
|
||||||
# Cache
|
|
||||||
Cache-Control "public, max-age=31536000"
|
|
||||||
defer
|
|
||||||
}
|
|
||||||
|
|
||||||
# identity
|
|
||||||
handle @identity {
|
|
||||||
reverse_proxy localhost:8090 {
|
|
||||||
header_up X-Forwarded-Port {http.request.port}
|
|
||||||
header_up X-Forwarded-Proto {http.request.scheme}
|
|
||||||
header_up X-Forwarded-TlsProto {tls_protocol}
|
|
||||||
header_up X-Forwarded-TlsCipher {tls_cipher}
|
|
||||||
header_up X-Forwarded-HttpsProto {proto}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
# search
|
|
||||||
handle @search {
|
|
||||||
reverse_proxy localhost:8090 {
|
|
||||||
header_up X-Forwarded-Port {http.request.port}
|
|
||||||
header_up X-Forwarded-Proto {http.request.scheme}
|
|
||||||
header_up X-Forwarded-TlsProto {tls_protocol}
|
|
||||||
header_up X-Forwarded-TlsCipher {tls_cipher}
|
|
||||||
header_up X-Forwarded-HttpsProto {proto}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
handle @wellknown {
|
|
||||||
encode zstd gzip
|
|
||||||
root * /matrix/static-files
|
|
||||||
header Cache-Control max-age=14400
|
|
||||||
header Content-Type application/json
|
|
||||||
header Access-Control-Allow-Origin *
|
|
||||||
file_server
|
|
||||||
}
|
|
||||||
|
|
||||||
# If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the base domain
|
|
||||||
#handle @wellknown {
|
|
||||||
# # .well-known is handled by base domain
|
|
||||||
# reverse_proxy https://DOMAIN.tld {
|
|
||||||
# header_up Host {http.reverse_proxy.upstream.hostport}
|
|
||||||
#}
|
|
||||||
|
|
||||||
handle {
|
|
||||||
encode zstd gzip
|
|
||||||
|
|
||||||
reverse_proxy localhost:8008 {
|
|
||||||
header_up X-Forwarded-Port {http.request.port}
|
|
||||||
header_up X-Forwarded-Proto {http.request.scheme}
|
|
||||||
header_up X-Forwarded-TlsProto {tls_protocol}
|
|
||||||
header_up X-Forwarded-TlsCipher {tls_cipher}
|
|
||||||
header_up X-Forwarded-HttpsProto {proto}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
matrix.DOMAIN.tld:8448 {
|
|
||||||
handle {
|
|
||||||
encode zstd gzip
|
|
||||||
|
|
||||||
reverse_proxy 127.0.0.1:8048 {
|
|
||||||
header_up X-Forwarded-Port {http.request.port}
|
|
||||||
header_up X-Forwarded-Proto {http.request.scheme}
|
|
||||||
header_up X-Forwarded-TlsProto {tls_protocol}
|
|
||||||
header_up X-Forwarded-TlsCipher {tls_cipher}
|
|
||||||
header_up X-Forwarded-HttpsProto {proto}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
element.DOMAIN.tld {
|
|
||||||
|
|
||||||
# creates letsencrypt certificate
|
|
||||||
# tls your@email.com
|
|
||||||
|
|
||||||
import cors https://*.DOMAIN.tld
|
|
||||||
|
|
||||||
header {
|
|
||||||
# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
|
|
||||||
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
|
|
||||||
# Enable cross-site filter (XSS) and tell browser to block detected attacks
|
|
||||||
X-XSS-Protection "1; mode=block"
|
|
||||||
# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
|
|
||||||
X-Content-Type-Options "nosniff"
|
|
||||||
# Disallow the site to be rendered within a frame (clickjacking protection)
|
|
||||||
X-Frame-Options "DENY"
|
|
||||||
# If using integrations that add frames to Element, such as Dimension and its integrations running on the same domain, it can be a good idea to limit sources allowed to be rendered
|
|
||||||
# Content-Security-Policy frame-src https://*.DOMAIN.tld
|
|
||||||
# X-Robots-Tag
|
|
||||||
X-Robots-Tag "noindex, noarchive, nofollow"
|
|
||||||
}
|
|
||||||
|
|
||||||
handle {
|
|
||||||
encode zstd gzip
|
|
||||||
|
|
||||||
reverse_proxy localhost:8765 {
|
|
||||||
header_up X-Forwarded-Port {http.request.port}
|
|
||||||
header_up X-Forwarded-Proto {http.request.scheme}
|
|
||||||
header_up X-Forwarded-TlsProto {tls_protocol}
|
|
||||||
header_up X-Forwarded-TlsCipher {tls_cipher}
|
|
||||||
header_up X-Forwarded-HttpsProto {proto}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
#dimension.DOMAIN.tld {
|
|
||||||
#
|
|
||||||
# # creates letsencrypt certificate
|
|
||||||
# # tls your@email.com
|
|
||||||
#
|
|
||||||
# import cors https://*.DOMAIN.tld
|
|
||||||
#
|
|
||||||
# header {
|
|
||||||
# # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
|
|
||||||
# Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
|
|
||||||
# # Enable cross-site filter (XSS) and tell browser to block detected attacks
|
|
||||||
# X-XSS-Protection "1; mode=block"
|
|
||||||
# # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
|
|
||||||
# X-Content-Type-Options "nosniff"
|
|
||||||
# # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain (clickjacking protection)
|
|
||||||
# Content-Security-Policy frame-ancestors https://*.DOMAIN.tld
|
|
||||||
# # X-Robots-Tag
|
|
||||||
# X-Robots-Tag "noindex, noarchive, nofollow"
|
|
||||||
# }
|
|
||||||
#
|
|
||||||
# handle {
|
|
||||||
# encode zstd gzip
|
|
||||||
#
|
|
||||||
# reverse_proxy localhost:8184 {
|
|
||||||
# header_up X-Forwarded-Port {http.request.port}
|
|
||||||
# header_up X-Forwarded-Proto {http.request.scheme}
|
|
||||||
# header_up X-Forwarded-TlsProto {tls_protocol}
|
|
||||||
# header_up X-Forwarded-TlsCipher {tls_cipher}
|
|
||||||
# header_up X-Forwarded-HttpsProto {proto}
|
|
||||||
# }
|
|
||||||
# }
|
|
||||||
#}
|
|
||||||
|
|
||||||
|
|
||||||
#jitsi.DOMAIN.tld {
|
|
||||||
#
|
|
||||||
# creates letsencrypt certificate
|
|
||||||
# tls your@email.com
|
|
||||||
#
|
|
||||||
# import cors https://*.DOMAIN.tld
|
|
||||||
#
|
|
||||||
# header {
|
|
||||||
# # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
|
|
||||||
# Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
|
|
||||||
#
|
|
||||||
# # Enable cross-site filter (XSS) and tell browser to block detected attacks
|
|
||||||
# X-XSS-Protection "1; mode=block"
|
|
||||||
#
|
|
||||||
# # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
|
|
||||||
# X-Content-Type-Options "nosniff"
|
|
||||||
|
|
||||||
# # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain
|
|
||||||
# Content-Security-Policy frame-ancestors https://*.DOMAIN.tld
|
|
||||||
#
|
|
||||||
# # Disable some features
|
|
||||||
# Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope #'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
|
|
||||||
#
|
|
||||||
# # Referer
|
|
||||||
# Referrer-Policy "no-referrer"
|
|
||||||
#
|
|
||||||
# # X-Robots-Tag
|
|
||||||
# X-Robots-Tag "none"
|
|
||||||
#
|
|
||||||
# # Remove Server header
|
|
||||||
# -Server
|
|
||||||
# }
|
|
||||||
#
|
|
||||||
# handle {
|
|
||||||
# encode zstd gzip
|
|
||||||
#
|
|
||||||
# reverse_proxy 127.0.0.1:13080 {
|
|
||||||
# header_up X-Forwarded-Port {http.request.port}
|
|
||||||
# header_up X-Forwarded-Proto {http.request.scheme}
|
|
||||||
# header_up X-Forwarded-TlsProto {tls_protocol}
|
|
||||||
# header_up X-Forwarded-TlsCipher {tls_cipher}
|
|
||||||
# header_up X-Forwarded-HttpsProto {proto}
|
|
||||||
# }
|
|
||||||
# }
|
|
||||||
#}
|
|
||||||
#DOMAIN.com {
|
|
||||||
# Uncomment this if you are following "(Option 3): Setting up reverse-proxying of the well-known files from the base domain's server to the Matrix server" of https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md#option-3-setting-up-reverse-proxying-of-the-well-known-files-from-the-base-domains-server-to-the-matrix-server
|
|
||||||
# @wellknown {
|
|
||||||
# path /.well-known/matrix/*
|
|
||||||
# }
|
|
||||||
#
|
|
||||||
# handle @wellknown {
|
|
||||||
# reverse_proxy https://matrix.DOMAIN.com {
|
|
||||||
# header_up Host {http.reverse_proxy.upstream.hostport}
|
|
||||||
# }
|
|
||||||
# }
|
|
||||||
# # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the matrix subdomain
|
|
||||||
# # handle /.well-known/* {
|
|
||||||
# # encode zstd gzip
|
|
||||||
# # header Cache-Control max-age=14400
|
|
||||||
# # header Content-Type application/json
|
|
||||||
# # header Access-Control-Allow-Origin *
|
|
||||||
# #}
|
|
||||||
#
|
|
||||||
# # Configration for the base domain goes here
|
|
||||||
# # handle {
|
|
||||||
# # header -Server
|
|
||||||
# # encode zstd gzip
|
|
||||||
# # reverse_proxy localhost:4020
|
|
||||||
# # }
|
|
||||||
#}
|
|
@ -13,8 +13,4 @@ To get started, first follow the [front the integrated reverse-proxy webserver w
|
|||||||
You can either just use the [Caddyfile](Caddyfile) directly or append its content to your own Caddyfile.
|
You can either just use the [Caddyfile](Caddyfile) directly or append its content to your own Caddyfile.
|
||||||
In both cases make sure to replace all the `example.tld` domains with your own domain.
|
In both cases make sure to replace all the `example.tld` domains with your own domain.
|
||||||
|
|
||||||
This example does not include additional services like element, but you should be able copy the first block and replace the matrix subdomain with the additional services subdomain. I have not tested this though.
|
This example does not include additional services like element, but you should be able copy the first block and replace the matrix subdomain with the additional services subdomain. I have not tested this though.
|
||||||
|
|
||||||
# Caddyfile.deprecated
|
|
||||||
|
|
||||||
This can be used as a [Caddy](https://caddyserver.com/) reverse-proxy without intermediary playbook managed reverse proxy. However, this setup is not supported by the playbook anymore. Instead [front the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) as described above.
|
|
||||||
|
@ -1,12 +0,0 @@
|
|||||||
# Pull nginx base image
|
|
||||||
FROM nginx:latest
|
|
||||||
|
|
||||||
# Expost port 80
|
|
||||||
EXPOSE 80
|
|
||||||
|
|
||||||
# Copy custom configuration file from the current directory
|
|
||||||
COPY nginx.conf /etc/nginx/nginx.conf
|
|
||||||
|
|
||||||
# Start up nginx server
|
|
||||||
CMD ["nginx"]
|
|
||||||
|
|
@ -3,24 +3,7 @@
|
|||||||
This directory contains sample files that show you how to do reverse-proxying using HAproxy.
|
This directory contains sample files that show you how to do reverse-proxying using HAproxy.
|
||||||
|
|
||||||
This is for when you wish to have your own HAproxy instance sitting in front of Matrix services installed by this playbook.
|
This is for when you wish to have your own HAproxy instance sitting in front of Matrix services installed by this playbook.
|
||||||
See the [Using your own webserver, instead of this playbook's nginx proxy](../../docs/configuring-playbook-own-webserver.md) documentation page.
|
|
||||||
|
|
||||||
To use your own HAproxy reverse-proxy, you first need to disable the integrated Nginx server.
|
We recommend that you use HAProxy in front of Traefik. See our [Fronting the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) documentation.
|
||||||
You do that with the following custom configuration (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
|
|
||||||
|
|
||||||
```yaml
|
|
||||||
matrix_nginx_proxy_enabled: false
|
|
||||||
```
|
|
||||||
|
|
||||||
You can then use the configuration files from this directory as an example for how to configure your HAproxy reverse proxy.
|
You can then use the configuration files from this directory as an example for how to configure your HAproxy reverse proxy.
|
||||||
|
|
||||||
**NOTE**: this is just an example and may not be entirely accurate. It may also not cover other use cases or performance needs.
|
|
||||||
|
|
||||||
### Configuration
|
|
||||||
|
|
||||||
HAproxy, unlike Apache, Nginx and others, does not provide you with a webserver to serve static files (i.e., `/.well-known/` directory). For this reason, in this folder you can find an example on how to use HAproxy together with a simple Nginx container whose only task is to serve those files.
|
|
||||||
|
|
||||||
* Build the Docker image. `docker build -t local/nginx .`
|
|
||||||
* Start the container. `docker-compose up -d`. Note that if you want to run Nginx on a different port, you will have to change the port both in the `docker-compose.yml` and in `haproxy.cfg`.
|
|
||||||
* If you don't want to use a wildcard certificate, you will need to modify the corresponding line in the HTTPS frontent and add the paths of all the specific certificates (as for the commented example in `haproxy.cfg`).
|
|
||||||
* Start HAproxy with the proposed configuration.
|
|
||||||
|
@ -1,9 +0,0 @@
|
|||||||
---
|
|
||||||
version: '3'
|
|
||||||
services:
|
|
||||||
nginx:
|
|
||||||
image: local/nginx
|
|
||||||
ports:
|
|
||||||
- 40888:80
|
|
||||||
volumes:
|
|
||||||
- /matrix/static-files:/var/www/:ro
|
|
@ -43,29 +43,16 @@ frontend https-frontend
|
|||||||
reqadd X-Forwarded-Proto:\ https
|
reqadd X-Forwarded-Proto:\ https
|
||||||
option httplog
|
option httplog
|
||||||
option http-server-close
|
option http-server-close
|
||||||
#
|
|
||||||
# Matrix
|
# You can do per-domain routing (as shown above),
|
||||||
#
|
# or just send everything to the same backend via `default_backend`.
|
||||||
# matrix.example.com
|
|
||||||
acl matrix_domain hdr_dom(host) -i matrix.example.com
|
acl matrix_domain hdr_dom(host) -i matrix.example.com
|
||||||
acl static_files path -i -m beg /.well-known/matrix
|
|
||||||
use_backend nginx-static if static_files
|
|
||||||
# /_matrix/identity and /_matrix/client/r0/user_directory/search
|
|
||||||
acl matrix_identity path -i -m beg /_matrix/identity
|
|
||||||
acl matrix_search path -i -m beg /_matrix/client/r0/user_directory/search
|
|
||||||
# Send to :8090
|
|
||||||
use_backend matrix-supporting if matrix_identity or matrix_search
|
|
||||||
# /_matrix and /_synapse/admin
|
|
||||||
acl matrix_path path -i -m beg /_matrix
|
|
||||||
acl synapse_admin path -i -m beg /_synapse/admin
|
|
||||||
# Send to :8008
|
|
||||||
use_backend matrix-main if matrix_path or synapse_admin
|
|
||||||
# element.example.com
|
|
||||||
acl element_domain hdr_dom(host) -i element.example.com
|
|
||||||
# Send to 8765
|
|
||||||
use_backend element if element_domain
|
|
||||||
# If nothing else match, just send to default matrix backend
|
|
||||||
use_backend matrix-main if matrix_domain
|
use_backend matrix-main if matrix_domain
|
||||||
|
|
||||||
|
acl matrix_domain hdr_dom(host) -i element.example.com
|
||||||
|
use_backend matrix-main if matrix_domain
|
||||||
|
|
||||||
#default_backend matrix-main
|
#default_backend matrix-main
|
||||||
|
|
||||||
frontend matrix-federation
|
frontend matrix-federation
|
||||||
@ -75,14 +62,11 @@ frontend matrix-federation
|
|||||||
option http-server-close
|
option http-server-close
|
||||||
default_backend synapse
|
default_backend synapse
|
||||||
|
|
||||||
backend matrix-supporting
|
|
||||||
server matrix-supporting 127.0.0.1:8090 check
|
|
||||||
|
|
||||||
backend matrix-main
|
backend matrix-main
|
||||||
server matrix-main 127.0.0.1:8008 check
|
server matrix-main 127.0.0.1:81 check
|
||||||
|
|
||||||
backend synapse
|
backend matrix-federation
|
||||||
server synapse 127.0.0.1:8048 check
|
server matrix-federation 127.0.0.1:8049 check
|
||||||
|
|
||||||
backend nginx-static
|
backend nginx-static
|
||||||
capture request header origin len 128
|
capture request header origin len 128
|
||||||
|
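Review bot: `frontend matrix-federation` still ends with `default_backend synapse` (the unchanged context line at the top of the second hunk) while the backend it refers to is renamed to `backend matrix-federation` in the same hunk, so HAProxy will reject this configuration at startup for an unknown default_backend; change the line to `default_backend matrix-federation`. The frontend begins above the hunk, so check it for any other reference to the old `synapse` name. In the https-frontend hunk, `acl matrix_domain hdr_dom(host) -i element.example.com` reuses the `matrix_domain` ACL name already declared for `matrix.example.com`, which ORs the two patterns into one ACL and makes the second `use_backend` redundant; `acl element_domain hdr_dom(host) -i element.example.com` followed by `use_backend matrix-main if element_domain` makes the per-domain routing that the new comment promises readable.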
@ -1,15 +0,0 @@
|
|||||||
worker_processes auto;
|
|
||||||
daemon off;
|
|
||||||
|
|
||||||
events {
|
|
||||||
worker_connections 1024;
|
|
||||||
}
|
|
||||||
|
|
||||||
http {
|
|
||||||
server_tokens off;
|
|
||||||
server {
|
|
||||||
listen 80;
|
|
||||||
index index.html;
|
|
||||||
root /var/www;
|
|
||||||
}
|
|
||||||
}
|
|