Remvoe all Traefik labels from matrix-nginx-proxy and update docs for delegation via SRV
This commit is contained in:
Slavi Pantaleev
parent
ce2f541deb
commit
18254cd0b2
@ -1,6 +1,6 @@
|
||||
# Server Delegation via a DNS SRV record (advanced)
|
||||
|
||||
**Reminder** : unless you are affected by the [Downsides of well-known-based Server Delegation](howto-server-delegation.md#downsides-of-well-known-based-server-delegation), we suggest you **stay on the simple/default path**: [Server Delegation](howto-server-delegation.md) by [configuring well-known files](configuring-well-known.md) at the base domain.
|
||||
**Reminder** : unless you are affected by the [Downsides of well-known-based Server Delegation](howto-server-delegation.md#downsides-of-well-known-based-server-delegation), we suggest you **stay on the simple/default path**: [Server Delegation](howto-server-delegation.md) by [configuring well-known files](configuring-well-known.md) at the base domain.
|
||||
|
||||
This guide is about configuring Server Delegation using DNS SRV records (for the [Traefik](https://doc.traefik.io/traefik/) webserver). This method has special requirements when it comes to SSL certificates, so various changes are required.
|
||||
|
||||
@ -16,11 +16,18 @@ The up-to-date list can be accessed on [traefik's documentation](https://doc.tra
|
||||
|
||||
## The changes
|
||||
|
||||
**NOTE**: the changes below instruct you how to do this for a basic Synapse installation. You will need to adapt the variable name and the content of the labels:
|
||||
|
||||
- if you're using another homeserver implementation (e.g. [Conduit](./configuring-playbook-conduit.md) or [Dendrite](./configuring-playbook-dendrite.md))
|
||||
- if you're using [Synapse with workers enabled](./configuring-playbook-synapse.md#load-balancing-with-workers) (`matrix_synapse_workers_enabled: true`). In that case, it's actually the `matrix-synapse-reverse-proxy-companion` service which has Traefik labels attached
|
||||
|
||||
Also, all instructions below are from an older version of the playbook and may not work anymore.
|
||||
|
||||
### Federation Endpoint
|
||||
|
||||
```yaml
|
||||
# To serve the federation from any domain, as long as the path match
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule: PathPrefix(`/_matrix`)
|
||||
# To serve the federation from any domain, as long as the path matches
|
||||
matrix_synapse_container_labels_federation_api_traefik_rule: PathPrefix(`/_matrix/federation`)
|
||||
```
|
||||
|
||||
This is because with SRV federation, some servers / tools (one of which being the federation tester) try to access the federation API using the resolved IP address instead of the domain name (or they are not using SNI). This change will make Traefik route all traffic for which the path match this rule go to the federation endpoint.
|
||||
@ -29,13 +36,13 @@ This is because with SRV federation, some servers / tools (one of which being th
|
||||
|
||||
Now that the federation endpoint is not bound to a domain anymore we need to explicitely tell Traefik to use a wildcard certificate in addition to one containing the base name.
|
||||
|
||||
This is because the matrix specification expects the federation endpoint to be served using a certificate comatible with the base domain, however, the other resources on the endpoint still need a valid certificate to work.
|
||||
This is because the matrix specification expects the federation endpoint to be served using a certificate compatible with the base domain, however, the other resources on the endpoint still need a valid certificate to work.
|
||||
|
||||
```yaml
|
||||
# To let Traefik know which domains' certificates to serve
|
||||
matrix_nginx_proxy_container_labels_additional_labels: |
|
||||
traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.main="example.com"
|
||||
traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.sans="*.example.com"
|
||||
matrix_synapse_container_labels_additional_labels: |
|
||||
traefik.http.routers.matrix-synapse-federation-api.tls.domains.main="example.com"
|
||||
traefik.http.routers.matrix-synapse-federation-api.tls.domains.sans="*.example.com"
|
||||
```
|
||||
|
||||
### Configure the DNS-01 challenge for let's encrypt
|
||||
@ -60,7 +67,7 @@ devture_traefik_configuration_extension_yaml: |
|
||||
email: {{ devture_traefik_config_certificatesResolvers_acme_email | to_json }}
|
||||
dnsChallenge:
|
||||
provider: cloudflare
|
||||
resolvers:
|
||||
resolvers:
|
||||
- "1.1.1.1:53"
|
||||
- "8.8.8.8:53"
|
||||
storage: {{ devture_traefik_config_certificatesResolvers_acme_storage | to_json }}
|
||||
@ -134,13 +141,13 @@ matrix_coturn_container_additional_volumes: |
|
||||
matrix_playbook_reverse_proxy_type: playbook-managed-traefik
|
||||
devture_traefik_config_certificatesResolvers_acme_email: redacted@example.com
|
||||
|
||||
# To serve the federation from any domain, as long as the path match
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule: PathPrefix(`/_matrix`)
|
||||
# To serve the federation from any domain, as long as the path matches
|
||||
matrix_synapse_container_labels_federation_api_traefik_rule: PathPrefix(`/_matrix/federation`)
|
||||
|
||||
# To let Traefik know which domains' certificates to serve
|
||||
matrix_nginx_proxy_container_labels_additional_labels: |
|
||||
traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.main="example.com"
|
||||
traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.sans="*.example.com"
|
||||
matrix_synapse_container_labels_additional_labels: |
|
||||
traefik.http.routers.matrix-synapse-federation-api.tls.domains.main="example.com"
|
||||
traefik.http.routers.matrix-synapse-federation-api.tls.domains.sans="*.example.com"
|
||||
|
||||
# Add a new ACME configuration without having to disable the default one, since it would have a wide range of side effects
|
||||
devture_traefik_configuration_extension_yaml: |
|
||||
@ -152,7 +159,7 @@ devture_traefik_configuration_extension_yaml: |
|
||||
email: {{ devture_traefik_config_certificatesResolvers_acme_email | to_json }}
|
||||
dnsChallenge:
|
||||
provider: cloudflare
|
||||
resolvers:
|
||||
resolvers:
|
||||
- "1.1.1.1:53"
|
||||
- "8.8.8.8:53"
|
||||
storage: {{ devture_traefik_config_certificatesResolvers_acme_storage | to_json }}
|
||||
|
||||
@ -3333,12 +3333,6 @@ matrix_nginx_proxy_proxy_grafana_enabled: "{{ grafana_enabled and matrix_playboo
|
||||
matrix_nginx_proxy_proxy_sygnal_enabled: "{{ matrix_sygnal_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
|
||||
matrix_nginx_proxy_proxy_ntfy_enabled: "{{ ntfy_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
|
||||
|
||||
matrix_nginx_proxy_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
|
||||
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: true
|
||||
|
||||
matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
|
||||
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
|
||||
|
||||
@ -41,34 +41,6 @@ matrix_nginx_proxy_container_additional_networks: []
|
||||
# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}
|
||||
matrix_nginx_proxy_container_additional_volumes: []
|
||||
|
||||
# matrix_nginx_proxy_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
|
||||
# See `../templates/labels.j2` for details.
|
||||
#
|
||||
# To inject your own other container labels, see `matrix_nginx_proxy_container_labels_additional_labels`.
|
||||
matrix_nginx_proxy_container_labels_traefik_enabled: false
|
||||
matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_nginx_proxy_container_network }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_entrypoints: web-secure
|
||||
matrix_nginx_proxy_container_labels_traefik_tls_certResolver: default # noqa var-naming
|
||||
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: false
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_hostname: "{{ matrix_server_fqn_matrix }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_hostname }}`)"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_hostname: "{{ matrix_server_fqn_matrix }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_hostname }}`)"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint: "{{ matrix_federation_traefik_entrypoint }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoints: "{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint }}"
|
||||
|
||||
# matrix_nginx_proxy_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
|
||||
# See `../templates/labels.j2` for details.
|
||||
#
|
||||
# Example:
|
||||
# matrix_nginx_proxy_container_labels_additional_labels: |
|
||||
# my.label=1
|
||||
# another.label="here"
|
||||
matrix_nginx_proxy_container_labels_additional_labels: ''
|
||||
|
||||
|
||||
# A list of extra arguments to pass to the container
|
||||
matrix_nginx_proxy_container_extra_arguments: []
|
||||
|
||||
|
||||
@ -22,14 +22,6 @@
|
||||
- "{{ matrix_nginx_proxy_data_path }}"
|
||||
- "{{ matrix_nginx_proxy_confd_path }}"
|
||||
|
||||
- name: Ensure Matrix nginx-proxy labels file is created
|
||||
ansible.builtin.template:
|
||||
src: "{{ role_path }}/templates/labels.j2"
|
||||
dest: "{{ matrix_nginx_proxy_base_path }}/labels"
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
mode: 0640
|
||||
|
||||
- name: Ensure Matrix nginx-proxy configured (main config override)
|
||||
ansible.builtin.template:
|
||||
src: "{{ role_path }}/templates/nginx/nginx.conf.j2"
|
||||
|
||||
@ -1,36 +0,0 @@
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_enabled %}
|
||||
traefik.enable=true
|
||||
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_docker_network %}
|
||||
traefik.docker.network={{ matrix_nginx_proxy_container_labels_traefik_docker_network }}
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled %}
|
||||
# Matrix Client
|
||||
traefik.http.routers.matrix-nginx-proxy-matrix-client.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_rule }}
|
||||
traefik.http.routers.matrix-nginx-proxy-matrix-client.service=matrix-nginx-proxy-web
|
||||
traefik.http.routers.matrix-nginx-proxy-matrix-client.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls | to_json }}
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls %}
|
||||
traefik.http.routers.matrix-nginx-proxy-matrix-client.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
|
||||
{% endif %}
|
||||
traefik.http.routers.matrix-nginx-proxy-matrix-client.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
|
||||
|
||||
# Matrix Federation
|
||||
traefik.http.routers.matrix-nginx-proxy-matrix-federation.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule }}
|
||||
traefik.http.routers.matrix-nginx-proxy-matrix-federation.service=matrix-nginx-proxy-federation
|
||||
traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls | to_json }}
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls %}
|
||||
traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
|
||||
{% endif %}
|
||||
traefik.http.routers.matrix-nginx-proxy-matrix-federation.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoints }}
|
||||
{% endif %}
|
||||
|
||||
traefik.http.services.matrix-nginx-proxy-web.loadbalancer.server.port=8080
|
||||
|
||||
{% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled %}
|
||||
traefik.http.services.matrix-nginx-proxy-federation.loadbalancer.server.port={{ matrix_nginx_proxy_proxy_matrix_federation_port }}
|
||||
{% endif %}
|
||||
|
||||
{% endif %}
|
||||
|
||||
{{ matrix_nginx_proxy_container_labels_additional_labels }}
|
||||
@ -24,7 +24,6 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
|
||||
--cap-drop=ALL \
|
||||
--read-only \
|
||||
--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_nginx_proxy_tmp_directory_size_mb }}m \
|
||||
--label-file={{ matrix_nginx_proxy_base_path }}/labels \
|
||||
--network={{ matrix_nginx_proxy_container_network }} \
|
||||
{% if matrix_nginx_proxy_container_http_host_bind_port %}
|
||||
-p {{ matrix_nginx_proxy_container_http_host_bind_port }}:8080 \
|
||||
|
||||
Loading…
Reference in New Issue
Block a user