Relocate reverse-proxy example configurations and update docs/configuring-playbook-own-webserver.md with more details

2024-01-15 13:53:14 +02:00
parent 92c3122b96
commit 3e3afb79b8
11 changed files with 18 additions and 4 deletions
--- a/examples/reverse-proxies/README.md
+++ b/examples/reverse-proxies/README.md
@ -0,0 +1,5 @@
+## Using other reverse-proxies for fronting the integrated Traefik reverse-proxy
+
+This directory contains sample configuration for various webservers, showing you how to put these reverse-proxies in front of the integrated Traefik reverse-proxy used by the playbook.
+
+To learn more, see [Fronting the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy).
--- a/examples/reverse-proxies/apache/README.md
+++ b/examples/reverse-proxies/apache/README.md
@ -0,0 +1,14 @@
+# Apache reverse-proxy
+
+This directory contains sample files that show you how to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with your Apache reverse-proxy.
+
+## Prerequisite configuration
+
+To get started, first follow the [front the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) instructions and update your playbook's configuration (`inventory/host_vars/matrix.<your-domain>/vars.yml`).
+
+## Using the Apache configuration
+
+`matrix-domain.conf` contains configuration for the Matrix domain, which handles both the Client-Server API (port `443`) and the Matrix Federation API (port `8448`).
+
+`matrix-client-element.conf` is an example for when you're hosting Element at `element.DOMAIN`.
+This configuration can also be used as an example for handling other domains, depending on the services you enable with the playbook (e.g. `dimension.DOMAIN`, etc).
--- a/examples/reverse-proxies/apache/matrix-client-element.conf
+++ b/examples/reverse-proxies/apache/matrix-client-element.conf
@ -0,0 +1,35 @@
+# This is a sample file demonstrating how to set up reverse-proxy for element.DOMAIN.
+# If you're not using Element (`matrix_client_element_enabled: false`), you won't need this.
+
+<VirtualHost *:80>
+	ServerName element.DOMAIN
+
+	# You may wish to handle the /.well-known/acme-challenge paths here somehow,
+	# if you're using ACME (Let's Encrypt) certificates.
+
+	Redirect permanent / https://element.DOMAIN/
+</VirtualHost>
+
+<VirtualHost *:443>
+	ServerName element.DOMAIN
+
+	SSLEngine On
+
+	# If you manage SSL certificates by yourself, these paths will differ.
+	SSLCertificateFile /matrix/ssl/config/live/element.DOMAIN/fullchain.pem
+	SSLCertificateKeyFile /matrix/ssl/config/live/element.DOMAIN/privkey.pem
+
+	SSLProxyEngine on
+	SSLProxyProtocol +TLSv1.2 +TLSv1.3
+	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+
+	ProxyPreserveHost On
+	ProxyRequests Off
+	ProxyVia On
+
+	ProxyPass / http://127.0.0.1:81/
+	ProxyPassReverse / http://127.0.0.1:81/
+
+	ErrorLog ${APACHE_LOG_DIR}/element.DOMAIN-error.log
+	CustomLog ${APACHE_LOG_DIR}/element.DOMAIN-access.log combined
+</VirtualHost>
--- a/examples/reverse-proxies/apache/matrix-domain.conf
+++ b/examples/reverse-proxies/apache/matrix-domain.conf
@ -0,0 +1,65 @@
+# This is a sample file demonstrating how to set up reverse-proxy for matrix.DOMAIN
+
+<VirtualHost *:80>
+	ServerName matrix.DOMAIN
+
+	# You may wish to handle the /.well-known/acme-challenge paths here somehow,
+	# if you're using ACME (Let's Encrypt) certificates.
+
+	Redirect permanent / https://matrix.DOMAIN/
+</VirtualHost>
+
+# Client-Server API
+<VirtualHost *:443>
+	ServerName matrix.DOMAIN
+
+	SSLEngine On
+
+	# If you manage SSL certificates by yourself, these paths will differ.
+	SSLCertificateFile /path/to/matrix.DOMAIN/fullchain.pem
+	SSLCertificateKeyFile /path/to/matrix.DOMAIN/privkey.pem
+
+	SSLProxyEngine on
+	SSLProxyProtocol +TLSv1.2 +TLSv1.3
+	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+
+	ProxyPreserveHost On
+	ProxyRequests Off
+	ProxyVia On
+	RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
+
+	AllowEncodedSlashes NoDecode
+	ProxyPass / http://127.0.0.1:81 retry=0 nocanon
+	ProxyPassReverse / http://127.0.0.1:81/
+
+	ErrorLog ${APACHE_LOG_DIR}/matrix.DOMAIN-error.log
+	CustomLog ${APACHE_LOG_DIR}/matrix.DOMAIN-access.log combined
+</VirtualHost>
+
+# Server-Server (federation) API
+Listen 8448
+<VirtualHost *:8448>
+	ServerName matrix.DOMAIN
+
+	SSLEngine On
+
+	# If you manage SSL certificates by yourself, these paths will differ.
+	SSLCertificateFile /matrix/ssl/config/live/matrix.DOMAIN/fullchain.pem
+	SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem
+
+	SSLProxyEngine on
+	SSLProxyProtocol +TLSv1.2 +TLSv1.3
+	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+
+	ProxyPreserveHost On
+	ProxyRequests Off
+	ProxyVia On
+	RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
+
+	AllowEncodedSlashes NoDecode
+	ProxyPass / http://127.0.0.1:8449/ retry=0 nocanon
+	ProxyPassReverse / http://127.0.0.1:8449/
+
+	ErrorLog ${APACHE_LOG_DIR}/matrix.DOMAIN-error.log
+	CustomLog ${APACHE_LOG_DIR}/matrix.DOMAIN-access.log combined
+</VirtualHost>
--- a/examples/reverse-proxies/caddy2/Caddyfile
+++ b/examples/reverse-proxies/caddy2/Caddyfile
@ -0,0 +1,40 @@
+matrix.example.tld {
+
+  handle {
+        encode zstd gzip
+
+        reverse_proxy localhost:81  {
+               header_up X-Forwarded-Port {http.request.port}
+               header_up X-Forwarded-TlsProto {tls_protocol}
+               header_up X-Forwarded-TlsCipher {tls_cipher}
+               header_up X-Forwarded-HttpsProto {proto}
+        }
+  }
+}
+
+matrix.example.tld:8448 {
+    handle {
+        encode zstd gzip
+
+        reverse_proxy 127.0.0.1:8449 {
+               header_up X-Forwarded-Port {http.request.port}
+               header_up X-Forwarded-TlsProto {tls_protocol}
+               header_up X-Forwarded-TlsCipher {tls_cipher}
+               header_up X-Forwarded-HttpsProto {proto}
+        }
+    }
+}
+
+
+example.tld {
+# Uncomment this if you are following "(Option 3): Setting up reverse-proxying of the well-known files from the base domain's server to the Matrix server" of https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md#option-3-setting-up-reverse-proxying-of-the-well-known-files-from-the-base-domains-server-to-the-matrix-server
+    @wellknown {
+        path /.well-known/matrix/*
+    }
+
+    handle @wellknown {
+        reverse_proxy https://matrix.example.tld {
+            header_up Host {http.reverse_proxy.upstream.hostport}
+        }
+    }
+}
--- a/examples/reverse-proxies/caddy2/README.md
+++ b/examples/reverse-proxies/caddy2/README.md
@ -0,0 +1,16 @@
+# Caddy reverse-proxy fronting the playbook's integrated Traefik reverse-proxy
+
+This directory contains a sample config that shows you how to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with your own [Caddy](https://caddyserver.com/) reverse-proxy.
+
+
+## Prerequisite configuration
+
+To get started, first follow the [front the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) instructions and update your playbook's configuration (`inventory/host_vars/matrix.<your-domain>/vars.yml`).
+
+
+## Using the Caddyfile
+
+You can either just use the [Caddyfile](Caddyfile) directly or append its content to your own Caddyfile.
+In both cases make sure to replace all the `example.tld` domains with your own domain.
+
+This example does not include additional services like element, but you should be able copy the first block and replace the matrix subdomain with the additional services subdomain. I have not tested this though.
--- a/examples/reverse-proxies/haproxy/README.md
+++ b/examples/reverse-proxies/haproxy/README.md
@ -0,0 +1,9 @@
+# HAproxy reverse-proxy
+
+This directory contains sample files that show you how to do reverse-proxying using HAproxy.
+
+This is for when you wish to have your own HAproxy instance sitting in front of Matrix services installed by this playbook.
+
+We recommend that you use HAProxy in front of Traefik. See our [Fronting the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) documentation.
+
+You can then use the configuration files from this directory as an example for how to configure your HAproxy reverse proxy.
--- a/examples/reverse-proxies/haproxy/haproxy.cfg
+++ b/examples/reverse-proxies/haproxy/haproxy.cfg
@ -0,0 +1,81 @@
+global
+	log /dev/log	local0
+	log /dev/log	local1 notice
+	chroot /var/lib/haproxy
+	stats socket /run/haproxy/admin.sock mode 660 level admin
+	stats timeout 30s
+	user haproxy
+	group haproxy
+	daemon
+	# Default SSL material locations
+	ca-base /etc/ssl/certs
+	crt-base /etc/ssl/private
+	# Default ciphers to use on SSL-enabled listening sockets.
+	# For more information, see ciphers(1SSL). This list is from:
+	#  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+	ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
+	ssl-default-bind-options no-sslv3
+
+defaults
+	log global
+	mode http
+	option httplog
+	option dontlognull
+	option forwardfor
+	option redispatch
+	timeout connect 5000
+	timeout client  50000
+	timeout server  50000
+	errorfile 400 /etc/haproxy/errors/400.http
+	errorfile 403 /etc/haproxy/errors/403.http
+	errorfile 408 /etc/haproxy/errors/408.http
+	errorfile 500 /etc/haproxy/errors/500.http
+	errorfile 502 /etc/haproxy/errors/502.http
+	errorfile 503 /etc/haproxy/errors/503.http
+	errorfile 504 /etc/haproxy/errors/504.http
+
+frontend https-frontend
+    bind *:80
+    # HAproxy wants the full chain and the private key in one file. For Letsencrypt manually generated certs (e.g., wildcard certs) you can use
+    # cat /etc/letsencrypt/live/example.com/fullchain.pem /etc/letsencrypt/live/example.com/privkey.pem > /etc/haproxy/certs/star-example.com.pem
+    bind *:443 ssl crt /etc/haproxy/certs/star-example.com.pem
+    #bind *:443 ssl crt /etc/haproxy/certs/element.example.com.pem /etc/haproxy/certs/matrix.example.com.pem
+    reqadd X-Forwarded-Proto:\ https
+    option httplog
+    option http-server-close
+
+    # You can do per-domain routing (as shown above),
+	# or just send everything to the same backend via `default_backend`.
+
+    acl matrix_domain hdr_dom(host) -i matrix.example.com
+    use_backend matrix-main if matrix_domain
+
+    acl matrix_domain hdr_dom(host) -i element.example.com
+    use_backend matrix-main if matrix_domain
+
+    #default_backend matrix-main
+
+frontend matrix-federation
+  bind *:8448 ssl crt /etc/haproxy/certs/star-example.com.pem
+  reqadd X-Forwarded-Proto:\ https
+  option httplog
+  option http-server-close
+  default_backend synapse
+
+backend matrix-main
+     server matrix-main 127.0.0.1:81 check
+
+backend matrix-federation
+     server matrix-federation 127.0.0.1:8049 check
+
+backend nginx-static
+     capture request header origin len 128
+     http-response add-header Access-Control-Allow-Origin *
+     rspadd Access-Control-Allow-Methods:\ GET,\ HEAD,\ OPTIONS,\ POST,\ PUT  if { capture.req.hdr(0) -m found }
+     rspadd Access-Control-Allow-Credentials:\ true  if { capture.req.hdr(0) -m found }
+     rspadd Access-Control-Allow-Headers:\ Origin,\ Accept,\ X-Requested-With,\ Content-Type,\ Access-Control-Request-Method,\ Access-Control-Request-Headers,\ Authorization  if { capture.req.hdr(0) -m found }
+     server nginx 127.0.0.1:40888 check
+
+backend element
+     server element 127.0.0.1:8765 check
+
--- a/examples/reverse-proxies/nginx/README.md
+++ b/examples/reverse-proxies/nginx/README.md
@ -0,0 +1,17 @@
+# Nginx reverse-proxy fronting the playbook's integrated Traefik reverse-proxy
+
+This directory contains a sample config that shows you how to use the [nginx](https://nginx.org/) webserver to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with another reverse-proxy.
+
+
+## Prerequisite configuration
+
+To get started, first follow the [front the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) instructions and update your playbook's configuration (`inventory/host_vars/matrix.<your-domain>/vars.yml`).
+
+
+## Using the nginx configuration
+
+Copy the [matrix.conf](matrix.conf) file to your nginx server's filesystem, modify it to your needs and include it in your nginx configuration (e.g. `include /path/to/matrix.conf;`).
+
+This configuration **disables SSL certificate retrieval**, so you will **need to obtain SSL certificates manually** (e.g. by using [certbot](https://certbot.eff.org/)) and set the appropriate path in `matrix.conf`. In the example nginx configuration, a single certificate is used for all subdomains (`matrix.DOMAIN`, `element.DOMAIN`, etc.). For your setup, may wish to change this and use separate `server` blocks and separate certificate files for each host.
+
+Also note that your copy of the `matrix.conf` file has to be adapted to whatever services you are using. For example, remove `element.domain.com` from the `server_name` list if you don't use [Element](../../docs/configuring-playbook-client-element.md) web client or add `dimension.domain.com` to it if you do use the [Dimension](../../docs/configuring-playbook-dimension.md) integration manager.
--- a/examples/reverse-proxies/nginx/matrix.conf
+++ b/examples/reverse-proxies/nginx/matrix.conf
@ -0,0 +1,96 @@
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    # TODO: add/remove services and their subdomains if you use/don't use them
+    # this example is using hosting something on the base domain and an element web client, so example.com and element.example.com are listed in addition to matrix.example.com
+    # if you don't use those, you can remove them
+    # if you use e.g. dimension on dimension.example.com, add dimension.example.com to the server_name list
+    server_name example.com matrix.example.com element.example.com;
+
+    location / {
+        # note: do not add a path (even a single /) after the port in `proxy_pass`,
+        # otherwise, nginx will canonicalise the URI and cause signature verification
+        # errors.
+        proxy_pass http://localhost:81;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+
+        access_log /var/log/nginx/matrix.access.log;
+        error_log /var/log/nginx/matrix.error.log;
+
+        # Nginx by default only allows file uploads up to 1M in size
+        # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+        client_max_body_size 50M;
+    }
+
+    # TODO: adapt the path to your ssl certificate for the domains listed on server_name
+    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
+    # TODO: adapt the path to your ssl certificate for the domains listed on server_name
+    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
+
+# settings for matrix federation
+server {
+    # For the federation port
+    listen 8448 ssl http2 default_server;
+    listen [::]:8448 ssl http2 default_server;
+
+    server_name matrix.example.com;
+
+    location / {
+        proxy_pass http://localhost:8449;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $host;
+
+        access_log /var/log/nginx/matrix.access.log;
+        error_log /var/log/nginx/matrix.error.log;
+
+        # Nginx by default only allows file uploads up to 1M in size
+        # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+        client_max_body_size 50M;
+    }
+    # TODO: adapt the path to your ssl certificate for the domains listed on server_name
+    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
+    # TODO: adapt the path to your ssl certificate for the domains listed on server_name
+    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
+
+# ensure using https
+# TODO: remove server blocks that you don't use / add server blocks for domains you do use
+server {
+    if ($host = example.com) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+    server_name example.com;
+    listen 80;
+    return 404; # managed by Certbot
+}
+
+server {
+    if ($host = matrix.example.com) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+    server_name matrix.example.com;
+    listen 80;
+    return 404; # managed by Certbot
+}
+
+server {
+    if ($host = element.example.com) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+    server_name element.example.com;
+    listen 80;
+    return 404; # managed by Certbot
+}