Update reverse-proxy examples
This commit is contained in:
parent
aff57d67c0
commit
0e831db3e5
@ -1,17 +1,14 @@
|
||||
# Apache reverse-proxy
|
||||
|
||||
This directory contains sample files that show you how to do reverse-proxying using Apache.
|
||||
This directory contains sample files that show you how to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with your Apache reverse-proxy.
|
||||
|
||||
This is for when you wish to have your own Apache webserver sitting in front of Matrix services installed by this playbook.
|
||||
See the [Using your own webserver, instead of this playbook's nginx proxy](../../docs/configuring-playbook-own-webserver.md) documentation page.
|
||||
## Prerequisite configuration
|
||||
|
||||
To use your own Apache reverse-proxy, you first need to disable the integrated nginx server.
|
||||
You do that with the following custom configuration (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
|
||||
To get started, first follow the [front the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) instructions and update your playbook's configuration (`inventory/host_vars/matrix.<your-domain>/vars.yml`).
|
||||
|
||||
```yaml
|
||||
matrix_nginx_proxy_enabled: false
|
||||
```
|
||||
## Using the Apache configuration
|
||||
|
||||
You can then use the configuration files from this directory as an example for how to configure your Apache server.
|
||||
`matrix-domain.conf` contains configuration for the Matrix domain, which handles both the Client-Server API (port `443`) and the Matrix Federation API (port `8448`).
|
||||
|
||||
**NOTE**: this is just an example and may not be entirely accurate. It may also not cover other use cases (enabling various services or bridges requires additional reverse-proxying configuration).
|
||||
`matrix-client-element.conf` is an example for when you're hosting Element at `element.DOMAIN`.
|
||||
This configuration can also be used as an example for handling other domains, depending on the services you enable with the playbook (e.g. `dimension.DOMAIN`, etc).
|
||||
|
@ -4,14 +4,8 @@
|
||||
<VirtualHost *:80>
|
||||
ServerName element.DOMAIN
|
||||
|
||||
ProxyVia On
|
||||
|
||||
# Map /.well-known/acme-challenge to the certbot server
|
||||
# If you manage SSL certificates by yourself, this will differ.
|
||||
<Location /.well-known/acme-challenge>
|
||||
ProxyPreserveHost On
|
||||
ProxyPass http://127.0.0.1:2402/.well-known/acme-challenge
|
||||
</Location>
|
||||
# You may wish to handle the /.well-known/acme-challenge paths here somehow,
|
||||
# if you're using ACME (Let's Encrypt) certificates.
|
||||
|
||||
Redirect permanent / https://element.DOMAIN/
|
||||
</VirtualHost>
|
||||
@ -33,8 +27,8 @@
|
||||
ProxyRequests Off
|
||||
ProxyVia On
|
||||
|
||||
ProxyPass / http://127.0.0.1:8765/
|
||||
ProxyPassReverse / http://127.0.0.1:8765/
|
||||
ProxyPass / http://127.0.0.1:81/
|
||||
ProxyPassReverse / http://127.0.0.1:81/
|
||||
|
||||
ErrorLog ${APACHE_LOG_DIR}/element.DOMAIN-error.log
|
||||
CustomLog ${APACHE_LOG_DIR}/element.DOMAIN-access.log combined
|
||||
|
@ -1,41 +0,0 @@
|
||||
# This is a sample file demonstrating how to set up reverse-proxy for dimension.DOMAIN.
|
||||
# If you're not using Dimension (`matrix_dimension_enabled: false`, which is also the default), you won't need this.
|
||||
|
||||
<VirtualHost *:80>
|
||||
ServerName dimension.DOMAIN
|
||||
|
||||
ProxyVia On
|
||||
|
||||
# Map /.well-known/acme-challenge to the certbot server
|
||||
# If you manage SSL certificates by yourself, this will differ.
|
||||
<Location /.well-known/acme-challenge>
|
||||
ProxyPreserveHost On
|
||||
ProxyPass http://127.0.0.1:2402/.well-known/acme-challenge
|
||||
</Location>
|
||||
|
||||
Redirect permanent / https://dimension.DOMAIN/
|
||||
</VirtualHost>
|
||||
|
||||
<VirtualHost *:443>
|
||||
ServerName dimension.DOMAIN
|
||||
|
||||
SSLEngine On
|
||||
|
||||
# If you manage SSL certificates by yourself, these paths will differ.
|
||||
SSLCertificateFile /matrix/ssl/config/live/dimension.DOMAIN/fullchain.pem
|
||||
SSLCertificateKeyFile /matrix/ssl/config/live/dimension.DOMAIN/privkey.pem
|
||||
|
||||
SSLProxyEngine on
|
||||
SSLProxyProtocol +TLSv1.2 +TLSv1.3
|
||||
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
|
||||
|
||||
ProxyPreserveHost On
|
||||
ProxyRequests Off
|
||||
ProxyVia On
|
||||
|
||||
ProxyPass / http://127.0.0.1:8184/
|
||||
ProxyPassReverse / http://127.0.0.1:8184/
|
||||
|
||||
ErrorLog ${APACHE_LOG_DIR}/dimension.DOMAIN-error.log
|
||||
CustomLog ${APACHE_LOG_DIR}/dimension.DOMAIN-access.log combined
|
||||
</VirtualHost>
|
65
examples/apache/matrix-domain.conf
Normal file
65
examples/apache/matrix-domain.conf
Normal file
@ -0,0 +1,65 @@
|
||||
# This is a sample file demonstrating how to set up reverse-proxy for matrix.DOMAIN
|
||||
|
||||
<VirtualHost *:80>
|
||||
ServerName matrix.DOMAIN
|
||||
|
||||
# You may wish to handle the /.well-known/acme-challenge paths here somehow,
|
||||
# if you're using ACME (Let's Encrypt) certificates.
|
||||
|
||||
Redirect permanent / https://matrix.DOMAIN/
|
||||
</VirtualHost>
|
||||
|
||||
# Client-Server API
|
||||
<VirtualHost *:443>
|
||||
ServerName matrix.DOMAIN
|
||||
|
||||
SSLEngine On
|
||||
|
||||
# If you manage SSL certificates by yourself, these paths will differ.
|
||||
SSLCertificateFile /path/to/matrix.DOMAIN/fullchain.pem
|
||||
SSLCertificateKeyFile /path/to/matrix.DOMAIN/privkey.pem
|
||||
|
||||
SSLProxyEngine on
|
||||
SSLProxyProtocol +TLSv1.2 +TLSv1.3
|
||||
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
|
||||
|
||||
ProxyPreserveHost On
|
||||
ProxyRequests Off
|
||||
ProxyVia On
|
||||
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
|
||||
|
||||
AllowEncodedSlashes NoDecode
|
||||
ProxyPass / http://127.0.0.1:81 retry=0 nocanon
|
||||
ProxyPassReverse / http://127.0.0.1:81/
|
||||
|
||||
ErrorLog ${APACHE_LOG_DIR}/matrix.DOMAIN-error.log
|
||||
CustomLog ${APACHE_LOG_DIR}/matrix.DOMAIN-access.log combined
|
||||
</VirtualHost>
|
||||
|
||||
# Server-Server (federation) API
|
||||
Listen 8448
|
||||
<VirtualHost *:8448>
|
||||
ServerName matrix.DOMAIN
|
||||
|
||||
SSLEngine On
|
||||
|
||||
# If you manage SSL certificates by yourself, these paths will differ.
|
||||
SSLCertificateFile /matrix/ssl/config/live/matrix.DOMAIN/fullchain.pem
|
||||
SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem
|
||||
|
||||
SSLProxyEngine on
|
||||
SSLProxyProtocol +TLSv1.2 +TLSv1.3
|
||||
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
|
||||
|
||||
ProxyPreserveHost On
|
||||
ProxyRequests Off
|
||||
ProxyVia On
|
||||
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
|
||||
|
||||
AllowEncodedSlashes NoDecode
|
||||
ProxyPass / http://127.0.0.1:8449/ retry=0 nocanon
|
||||
ProxyPassReverse / http://127.0.0.1:8449/
|
||||
|
||||
ErrorLog ${APACHE_LOG_DIR}/matrix.DOMAIN-error.log
|
||||
CustomLog ${APACHE_LOG_DIR}/matrix.DOMAIN-access.log combined
|
||||
</VirtualHost>
|
@ -1,146 +0,0 @@
|
||||
# This is a sample file demonstrating how to set up reverse-proxy for matrix.DOMAIN
|
||||
|
||||
<VirtualHost *:80>
|
||||
ServerName matrix.DOMAIN
|
||||
|
||||
ProxyVia On
|
||||
|
||||
# Map /.well-known/acme-challenge to the certbot server
|
||||
# If you manage SSL certificates by yourself, this will differ.
|
||||
<Location /.well-known/acme-challenge>
|
||||
ProxyPreserveHost On
|
||||
ProxyPass http://127.0.0.1:2402/.well-known/acme-challenge
|
||||
</Location>
|
||||
|
||||
Redirect permanent / https://matrix.DOMAIN/
|
||||
</VirtualHost>
|
||||
|
||||
# Client-Server API
|
||||
<VirtualHost *:443>
|
||||
ServerName matrix.DOMAIN
|
||||
|
||||
SSLEngine On
|
||||
|
||||
# If you manage SSL certificates by yourself, these paths will differ.
|
||||
SSLCertificateFile /matrix/ssl/config/live/matrix.DOMAIN/fullchain.pem
|
||||
SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem
|
||||
|
||||
SSLProxyEngine on
|
||||
SSLProxyProtocol +TLSv1.2 +TLSv1.3
|
||||
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
|
||||
|
||||
ProxyPreserveHost On
|
||||
ProxyRequests Off
|
||||
ProxyVia On
|
||||
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
|
||||
|
||||
# Keep some URIs free for different proxy/location
|
||||
ProxyPassMatch ^/.well-known/matrix/client !
|
||||
ProxyPassMatch ^/.well-known/matrix/server !
|
||||
ProxyPassMatch ^/.well-known/matrix/support !
|
||||
ProxyPassMatch ^/_matrix/identity !
|
||||
ProxyPassMatch ^/_matrix/client/r0/user_directory/search !
|
||||
|
||||
# Proxy all remaining traffic to Synapse
|
||||
AllowEncodedSlashes NoDecode
|
||||
ProxyPass /_matrix http://127.0.0.1:8008/_matrix retry=0 nocanon
|
||||
ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix
|
||||
ProxyPass /_synapse/client http://127.0.0.1:8008/_synapse/client retry=0 nocanon
|
||||
ProxyPassReverse /_synapse/client http://127.0.0.1:8008/_synapse/client
|
||||
|
||||
# Proxy Admin API (necessary for Synapse-Admin)
|
||||
# ProxyPass /_synapse/admin http://127.0.0.1:8008/_synapse/admin retry=0 nocanon
|
||||
# ProxyPassReverse /_synapse/admin http://127.0.0.1:8008/_synapse/admin
|
||||
|
||||
# Proxy Synapse-Admin
|
||||
# ProxyPass /synapse-admin http://127.0.0.1:8766 retry=0 nocanon
|
||||
# ProxyPassReverse /synapse-admin http://127.0.0.1:8766
|
||||
|
||||
# Map /.well-known/matrix/client for client discovery
|
||||
Alias /.well-known/matrix/client /matrix/static-files/.well-known/matrix/client
|
||||
<Files "/matrix/static-files/.well-known/matrix/client">
|
||||
Require all granted
|
||||
</Files>
|
||||
<Location "/.well-known/matrix/client">
|
||||
Header always set Content-Type "application/json"
|
||||
Header always set Access-Control-Allow-Origin "*"
|
||||
</Location>
|
||||
|
||||
# Map /.well-known/matrix/server for server discovery
|
||||
Alias /.well-known/matrix/server /matrix/static-files/.well-known/matrix/server
|
||||
<Files "/matrix/static-files/.well-known/matrix/server">
|
||||
Require all granted
|
||||
</Files>
|
||||
<Location "/.well-known/matrix/server">
|
||||
Header always set Content-Type "application/json"
|
||||
</Location>
|
||||
|
||||
# Map /.well-known/matrix/support for support discovery
|
||||
Alias /.well-known/matrix/support /matrix/static-files/.well-known/matrix/support
|
||||
<Files "/matrix/static-files/.well-known/matrix/support">
|
||||
Require all granted
|
||||
</Files>
|
||||
<Location "/.well-known/matrix/support">
|
||||
Header always set Content-Type "application/json"
|
||||
</Location>
|
||||
|
||||
<Directory /matrix/static-files/.well-known/matrix/>
|
||||
AllowOverride All
|
||||
# Apache 2.4:
|
||||
Require all granted
|
||||
# Or for Apache 2.2:
|
||||
#order allow,deny
|
||||
</Directory>
|
||||
|
||||
# Map /_matrix/identity to the identity server
|
||||
<Location /_matrix/identity>
|
||||
ProxyPass http://127.0.0.1:8090/_matrix/identity nocanon
|
||||
</Location>
|
||||
|
||||
# Map /_matrix/client/r0/user_directory/search to the identity server
|
||||
<Location /_matrix/client/r0/user_directory/search>
|
||||
ProxyPass http://127.0.0.1:8090/_matrix/client/r0/user_directory/search nocanon
|
||||
</Location>
|
||||
|
||||
ErrorLog ${APACHE_LOG_DIR}/matrix.DOMAIN-error.log
|
||||
CustomLog ${APACHE_LOG_DIR}/matrix.DOMAIN-access.log combined
|
||||
</VirtualHost>
|
||||
|
||||
# Server-Server (federation) API
|
||||
# Use this apache reverse proxy template to enable matrix server-to-server federation traffic
|
||||
# Be sure that network traffic on port 8448 is possible
|
||||
#
|
||||
# You can check your federation config at https://federationtester.matrix.org/
|
||||
# Enter there your base DOMAIN address, NOT your matrix.DOMAIN address, ex. https://DOMAIN
|
||||
#
|
||||
# In this example we use all services on the same machine (127.0.0.1) but you can do this with different machines.
|
||||
# If you do so be sure to reach the destinated IPADRESS and the correspondending port. Check this with netstat, nmap or your favourite tool.
|
||||
Listen 8448
|
||||
<VirtualHost *:8448>
|
||||
ServerName matrix.DOMAIN
|
||||
|
||||
SSLEngine On
|
||||
|
||||
# If you manage SSL certificates by yourself, these paths will differ.
|
||||
SSLCertificateFile /matrix/ssl/config/live/matrix.DOMAIN/fullchain.pem
|
||||
SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem
|
||||
|
||||
SSLProxyEngine on
|
||||
SSLProxyProtocol +TLSv1.2 +TLSv1.3
|
||||
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
|
||||
|
||||
ProxyPreserveHost On
|
||||
ProxyRequests Off
|
||||
ProxyVia On
|
||||
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
|
||||
|
||||
# Proxy all remaining traffic to the Synapse port
|
||||
# Beware: In this example the local traffic goes to the local synapse server at 127.0.0.1
|
||||
# Of course you can use another IPADRESS in case of using other synapse servers in your network
|
||||
AllowEncodedSlashes NoDecode
|
||||
ProxyPass /_matrix http://127.0.0.1:8048/_matrix retry=0 nocanon
|
||||
ProxyPassReverse /_matrix http://127.0.0.1:8048/_matrix
|
||||
|
||||
ErrorLog ${APACHE_LOG_DIR}/matrix.DOMAIN-error.log
|
||||
CustomLog ${APACHE_LOG_DIR}/matrix.DOMAIN-access.log combined
|
||||
</VirtualHost>
|
@ -1,8 +0,0 @@
|
||||
https://element.DOMAIN {
|
||||
# These might differ if you are supplying your own certificates
|
||||
tls /matrix/ssl/config/live/element.DOMAIN/fullchain.pem /matrix/ssl/config/live/element.DOMAIN/privkey.pem
|
||||
|
||||
proxy / http://127.0.0.1:8765 {
|
||||
transparent
|
||||
}
|
||||
}
|
@ -1,9 +0,0 @@
|
||||
https://dimension.DOMAIN {
|
||||
# These might differ if you are supplying your own certificates
|
||||
# If you wish to use Caddy's built-in Let's Encrypt support, you can also supply an email address here
|
||||
tls /matrix/ssl/config/live/dimension.DOMAIN/fullchain.pem /matrix/ssl/config/live/dimension.DOMAIN/privkey.pem
|
||||
|
||||
proxy / http://127.0.0.1:8184/ {
|
||||
transparent
|
||||
}
|
||||
}
|
@ -1,31 +0,0 @@
|
||||
https://matrix.DOMAIN {
|
||||
# If you use your own certificates, your path may differ
|
||||
# If you wish to use Caddy's built-in Let's Encrypt support, you can also supply an email address here
|
||||
tls /matrix/ssl/config/live/matrix.DOMAIN/fullchain.pem /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem
|
||||
|
||||
root /matrix/static-files
|
||||
|
||||
header / {
|
||||
Access-Control-Allow-Origin *
|
||||
Strict-Transport-Security "mag=age=31536000;"
|
||||
X-Frame-Options "DENY"
|
||||
X-XSS-Protection "1; mode=block"
|
||||
}
|
||||
|
||||
# Identity server traffic
|
||||
proxy /_matrix/identity matrix-ma1sd:8090 {
|
||||
transparent
|
||||
}
|
||||
proxy /_matrix/client/r0/user_directory/search matrix-ma1sd:8090 {
|
||||
transparent
|
||||
}
|
||||
|
||||
# Synapse Client<>Server API
|
||||
proxy /_matrix matrix-synapse-reverse-proxy-companion:8008 {
|
||||
transparent
|
||||
except /_matrix/identity/ /_matrix/client/r0/user_directory/search
|
||||
}
|
||||
proxy /_synapse/client matrix-synapse-reverse-proxy-companion:8008 {
|
||||
transparent
|
||||
}
|
||||
}
|
@ -1,7 +0,0 @@
|
||||
:80 {
|
||||
# Redirect ACME-Challenge traffic to port 2402
|
||||
proxy /.well-known/acme-challenge http://127.0.0.1:2402
|
||||
|
||||
# Redirect all other traffic to HTTPS
|
||||
redir / https://{host}{uri} 301
|
||||
}
|
@ -1,269 +0,0 @@
|
||||
(cors) {
|
||||
@cors_preflight method OPTIONS
|
||||
|
||||
handle @cors_preflight {
|
||||
header Access-Control-Allow-Origin "{args.0}"
|
||||
header Access-Control-Allow-Methods "HEAD, GET, POST, PUT, PATCH, DELETE"
|
||||
header Access-Control-Allow-Headers "Content-Type, Authorization"
|
||||
header Access-Control-Max-Age "3600"
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
matrix.DOMAIN.tld {
|
||||
|
||||
# creates letsencrypt certificate
|
||||
# tls your@email.com
|
||||
|
||||
@identity {
|
||||
path /_matrix/identity/*
|
||||
}
|
||||
|
||||
@noidentity {
|
||||
not path /_matrix/identity/*
|
||||
}
|
||||
|
||||
@search {
|
||||
path /_matrix/client/r0/user_directory/search/*
|
||||
}
|
||||
|
||||
@nosearch {
|
||||
not path /_matrix/client/r0/user_directory/search/*
|
||||
}
|
||||
|
||||
@static {
|
||||
path /matrix/static-files/*
|
||||
}
|
||||
|
||||
@nostatic {
|
||||
not path /matrix/static-files/*
|
||||
}
|
||||
|
||||
@wellknown {
|
||||
path /.well-known/matrix/*
|
||||
}
|
||||
|
||||
header {
|
||||
# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
|
||||
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
|
||||
# Enable cross-site filter (XSS) and tell browser to block detected attacks
|
||||
X-XSS-Protection "1; mode=block"
|
||||
# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
|
||||
X-Content-Type-Options "nosniff"
|
||||
# Disallow the site to be rendered within a frame (clickjacking protection)
|
||||
X-Frame-Options "DENY"
|
||||
# X-Robots-Tag
|
||||
X-Robots-Tag "noindex, noarchive, nofollow"
|
||||
}
|
||||
|
||||
# Cache
|
||||
header @static {
|
||||
# Cache
|
||||
Cache-Control "public, max-age=31536000"
|
||||
defer
|
||||
}
|
||||
|
||||
# identity
|
||||
handle @identity {
|
||||
reverse_proxy localhost:8090 {
|
||||
header_up X-Forwarded-Port {http.request.port}
|
||||
header_up X-Forwarded-Proto {http.request.scheme}
|
||||
header_up X-Forwarded-TlsProto {tls_protocol}
|
||||
header_up X-Forwarded-TlsCipher {tls_cipher}
|
||||
header_up X-Forwarded-HttpsProto {proto}
|
||||
}
|
||||
}
|
||||
|
||||
# search
|
||||
handle @search {
|
||||
reverse_proxy localhost:8090 {
|
||||
header_up X-Forwarded-Port {http.request.port}
|
||||
header_up X-Forwarded-Proto {http.request.scheme}
|
||||
header_up X-Forwarded-TlsProto {tls_protocol}
|
||||
header_up X-Forwarded-TlsCipher {tls_cipher}
|
||||
header_up X-Forwarded-HttpsProto {proto}
|
||||
}
|
||||
}
|
||||
|
||||
handle @wellknown {
|
||||
encode zstd gzip
|
||||
root * /matrix/static-files
|
||||
header Cache-Control max-age=14400
|
||||
header Content-Type application/json
|
||||
header Access-Control-Allow-Origin *
|
||||
file_server
|
||||
}
|
||||
|
||||
# If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the base domain
|
||||
#handle @wellknown {
|
||||
# # .well-known is handled by base domain
|
||||
# reverse_proxy https://DOMAIN.tld {
|
||||
# header_up Host {http.reverse_proxy.upstream.hostport}
|
||||
#}
|
||||
|
||||
handle {
|
||||
encode zstd gzip
|
||||
|
||||
reverse_proxy localhost:8008 {
|
||||
header_up X-Forwarded-Port {http.request.port}
|
||||
header_up X-Forwarded-Proto {http.request.scheme}
|
||||
header_up X-Forwarded-TlsProto {tls_protocol}
|
||||
header_up X-Forwarded-TlsCipher {tls_cipher}
|
||||
header_up X-Forwarded-HttpsProto {proto}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
matrix.DOMAIN.tld:8448 {
|
||||
handle {
|
||||
encode zstd gzip
|
||||
|
||||
reverse_proxy 127.0.0.1:8048 {
|
||||
header_up X-Forwarded-Port {http.request.port}
|
||||
header_up X-Forwarded-Proto {http.request.scheme}
|
||||
header_up X-Forwarded-TlsProto {tls_protocol}
|
||||
header_up X-Forwarded-TlsCipher {tls_cipher}
|
||||
header_up X-Forwarded-HttpsProto {proto}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
element.DOMAIN.tld {
|
||||
|
||||
# creates letsencrypt certificate
|
||||
# tls your@email.com
|
||||
|
||||
import cors https://*.DOMAIN.tld
|
||||
|
||||
header {
|
||||
# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
|
||||
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
|
||||
# Enable cross-site filter (XSS) and tell browser to block detected attacks
|
||||
X-XSS-Protection "1; mode=block"
|
||||
# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
|
||||
X-Content-Type-Options "nosniff"
|
||||
# Disallow the site to be rendered within a frame (clickjacking protection)
|
||||
X-Frame-Options "DENY"
|
||||
# If using integrations that add frames to Element, such as Dimension and its integrations running on the same domain, it can be a good idea to limit sources allowed to be rendered
|
||||
# Content-Security-Policy frame-src https://*.DOMAIN.tld
|
||||
# X-Robots-Tag
|
||||
X-Robots-Tag "noindex, noarchive, nofollow"
|
||||
}
|
||||
|
||||
handle {
|
||||
encode zstd gzip
|
||||
|
||||
reverse_proxy localhost:8765 {
|
||||
header_up X-Forwarded-Port {http.request.port}
|
||||
header_up X-Forwarded-Proto {http.request.scheme}
|
||||
header_up X-Forwarded-TlsProto {tls_protocol}
|
||||
header_up X-Forwarded-TlsCipher {tls_cipher}
|
||||
header_up X-Forwarded-HttpsProto {proto}
|
||||
}
|
||||
}
|
||||
|
||||
#dimension.DOMAIN.tld {
|
||||
#
|
||||
# # creates letsencrypt certificate
|
||||
# # tls your@email.com
|
||||
#
|
||||
# import cors https://*.DOMAIN.tld
|
||||
#
|
||||
# header {
|
||||
# # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
|
||||
# Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
|
||||
# # Enable cross-site filter (XSS) and tell browser to block detected attacks
|
||||
# X-XSS-Protection "1; mode=block"
|
||||
# # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
|
||||
# X-Content-Type-Options "nosniff"
|
||||
# # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain (clickjacking protection)
|
||||
# Content-Security-Policy frame-ancestors https://*.DOMAIN.tld
|
||||
# # X-Robots-Tag
|
||||
# X-Robots-Tag "noindex, noarchive, nofollow"
|
||||
# }
|
||||
#
|
||||
# handle {
|
||||
# encode zstd gzip
|
||||
#
|
||||
# reverse_proxy localhost:8184 {
|
||||
# header_up X-Forwarded-Port {http.request.port}
|
||||
# header_up X-Forwarded-Proto {http.request.scheme}
|
||||
# header_up X-Forwarded-TlsProto {tls_protocol}
|
||||
# header_up X-Forwarded-TlsCipher {tls_cipher}
|
||||
# header_up X-Forwarded-HttpsProto {proto}
|
||||
# }
|
||||
# }
|
||||
#}
|
||||
|
||||
|
||||
#jitsi.DOMAIN.tld {
|
||||
#
|
||||
# creates letsencrypt certificate
|
||||
# tls your@email.com
|
||||
#
|
||||
# import cors https://*.DOMAIN.tld
|
||||
#
|
||||
# header {
|
||||
# # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
|
||||
# Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
|
||||
#
|
||||
# # Enable cross-site filter (XSS) and tell browser to block detected attacks
|
||||
# X-XSS-Protection "1; mode=block"
|
||||
#
|
||||
# # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
|
||||
# X-Content-Type-Options "nosniff"
|
||||
|
||||
# # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain
|
||||
# Content-Security-Policy frame-ancestors https://*.DOMAIN.tld
|
||||
#
|
||||
# # Disable some features
|
||||
# Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope #'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
|
||||
#
|
||||
# # Referer
|
||||
# Referrer-Policy "no-referrer"
|
||||
#
|
||||
# # X-Robots-Tag
|
||||
# X-Robots-Tag "none"
|
||||
#
|
||||
# # Remove Server header
|
||||
# -Server
|
||||
# }
|
||||
#
|
||||
# handle {
|
||||
# encode zstd gzip
|
||||
#
|
||||
# reverse_proxy 127.0.0.1:13080 {
|
||||
# header_up X-Forwarded-Port {http.request.port}
|
||||
# header_up X-Forwarded-Proto {http.request.scheme}
|
||||
# header_up X-Forwarded-TlsProto {tls_protocol}
|
||||
# header_up X-Forwarded-TlsCipher {tls_cipher}
|
||||
# header_up X-Forwarded-HttpsProto {proto}
|
||||
# }
|
||||
# }
|
||||
#}
|
||||
#DOMAIN.com {
|
||||
# Uncomment this if you are following "(Option 3): Setting up reverse-proxying of the well-known files from the base domain's server to the Matrix server" of https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md#option-3-setting-up-reverse-proxying-of-the-well-known-files-from-the-base-domains-server-to-the-matrix-server
|
||||
# @wellknown {
|
||||
# path /.well-known/matrix/*
|
||||
# }
|
||||
#
|
||||
# handle @wellknown {
|
||||
# reverse_proxy https://matrix.DOMAIN.com {
|
||||
# header_up Host {http.reverse_proxy.upstream.hostport}
|
||||
# }
|
||||
# }
|
||||
# # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the matrix subdomain
|
||||
# # handle /.well-known/* {
|
||||
# # encode zstd gzip
|
||||
# # header Cache-Control max-age=14400
|
||||
# # header Content-Type application/json
|
||||
# # header Access-Control-Allow-Origin *
|
||||
# #}
|
||||
#
|
||||
# # Configration for the base domain goes here
|
||||
# # handle {
|
||||
# # header -Server
|
||||
# # encode zstd gzip
|
||||
# # reverse_proxy localhost:4020
|
||||
# # }
|
||||
#}
|
@ -14,7 +14,3 @@ You can either just use the [Caddyfile](Caddyfile) directly or append its conten
|
||||
In both cases make sure to replace all the `example.tld` domains with your own domain.
|
||||
|
||||
This example does not include additional services like element, but you should be able copy the first block and replace the matrix subdomain with the additional services subdomain. I have not tested this though.
|
||||
|
||||
# Caddyfile.deprecated
|
||||
|
||||
This can be used as a [Caddy](https://caddyserver.com/) reverse-proxy without intermediary playbook managed reverse proxy. However, this setup is not supported by the playbook anymore. Instead [front the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) as described above.
|
||||
|
@ -1,12 +0,0 @@
|
||||
# Pull nginx base image
|
||||
FROM nginx:latest
|
||||
|
||||
# Expost port 80
|
||||
EXPOSE 80
|
||||
|
||||
# Copy custom configuration file from the current directory
|
||||
COPY nginx.conf /etc/nginx/nginx.conf
|
||||
|
||||
# Start up nginx server
|
||||
CMD ["nginx"]
|
||||
|
@ -3,24 +3,7 @@
|
||||
This directory contains sample files that show you how to do reverse-proxying using HAproxy.
|
||||
|
||||
This is for when you wish to have your own HAproxy instance sitting in front of Matrix services installed by this playbook.
|
||||
See the [Using your own webserver, instead of this playbook's nginx proxy](../../docs/configuring-playbook-own-webserver.md) documentation page.
|
||||
|
||||
To use your own HAproxy reverse-proxy, you first need to disable the integrated Nginx server.
|
||||
You do that with the following custom configuration (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
|
||||
|
||||
```yaml
|
||||
matrix_nginx_proxy_enabled: false
|
||||
```
|
||||
We recommend that you use HAProxy in front of Traefik. See our [Fronting the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) documentation.
|
||||
|
||||
You can then use the configuration files from this directory as an example for how to configure your HAproxy reverse proxy.
|
||||
|
||||
**NOTE**: this is just an example and may not be entirely accurate. It may also not cover other use cases or performance needs.
|
||||
|
||||
### Configuration
|
||||
|
||||
HAproxy, unlike Apache, Nginx and others, does not provide you with a webserver to serve static files (i.e., `/.well-known/` directory). For this reason, in this folder you can find an example on how to use HAproxy together with a simple Nginx container whose only task is to serve those files.
|
||||
|
||||
* Build the Docker image. `docker build -t local/nginx .`
|
||||
* Start the container. `docker-compose up -d`. Note that if you want to run Nginx on a different port, you will have to change the port both in the `docker-compose.yml` and in `haproxy.cfg`.
|
||||
* If you don't want to use a wildcard certificate, you will need to modify the corresponding line in the HTTPS frontent and add the paths of all the specific certificates (as for the commented example in `haproxy.cfg`).
|
||||
* Start HAproxy with the proposed configuration.
|
||||
|
@ -1,9 +0,0 @@
|
||||
---
|
||||
version: '3'
|
||||
services:
|
||||
nginx:
|
||||
image: local/nginx
|
||||
ports:
|
||||
- 40888:80
|
||||
volumes:
|
||||
- /matrix/static-files:/var/www/:ro
|
@ -43,29 +43,16 @@ frontend https-frontend
|
||||
reqadd X-Forwarded-Proto:\ https
|
||||
option httplog
|
||||
option http-server-close
|
||||
#
|
||||
# Matrix
|
||||
#
|
||||
# matrix.example.com
|
||||
|
||||
# You can do per-domain routing (as shown above),
|
||||
# or just send everything to the same backend via `default_backend`.
|
||||
|
||||
acl matrix_domain hdr_dom(host) -i matrix.example.com
|
||||
acl static_files path -i -m beg /.well-known/matrix
|
||||
use_backend nginx-static if static_files
|
||||
# /_matrix/identity and /_matrix/client/r0/user_directory/search
|
||||
acl matrix_identity path -i -m beg /_matrix/identity
|
||||
acl matrix_search path -i -m beg /_matrix/client/r0/user_directory/search
|
||||
# Send to :8090
|
||||
use_backend matrix-supporting if matrix_identity or matrix_search
|
||||
# /_matrix and /_synapse/admin
|
||||
acl matrix_path path -i -m beg /_matrix
|
||||
acl synapse_admin path -i -m beg /_synapse/admin
|
||||
# Send to :8008
|
||||
use_backend matrix-main if matrix_path or synapse_admin
|
||||
# element.example.com
|
||||
acl element_domain hdr_dom(host) -i element.example.com
|
||||
# Send to 8765
|
||||
use_backend element if element_domain
|
||||
# If nothing else match, just send to default matrix backend
|
||||
use_backend matrix-main if matrix_domain
|
||||
|
||||
acl matrix_domain hdr_dom(host) -i element.example.com
|
||||
use_backend matrix-main if matrix_domain
|
||||
|
||||
#default_backend matrix-main
|
||||
|
||||
frontend matrix-federation
|
||||
@ -75,14 +62,11 @@ frontend matrix-federation
|
||||
option http-server-close
|
||||
default_backend synapse
|
||||
|
||||
backend matrix-supporting
|
||||
server matrix-supporting 127.0.0.1:8090 check
|
||||
|
||||
backend matrix-main
|
||||
server matrix-main 127.0.0.1:8008 check
|
||||
server matrix-main 127.0.0.1:81 check
|
||||
|
||||
backend synapse
|
||||
server synapse 127.0.0.1:8048 check
|
||||
backend matrix-federation
|
||||
server matrix-federation 127.0.0.1:8049 check
|
||||
|
||||
backend nginx-static
|
||||
capture request header origin len 128
|
||||
|
@ -1,15 +0,0 @@
|
||||
worker_processes auto;
|
||||
daemon off;
|
||||
|
||||
events {
|
||||
worker_connections 1024;
|
||||
}
|
||||
|
||||
http {
|
||||
server_tokens off;
|
||||
server {
|
||||
listen 80;
|
||||
index index.html;
|
||||
root /var/www;
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue
Block a user