Merge remote-tracking branch 'origin/master' into synapse-workers
Also, replace the vague FIXME with a proper NOTE on the complete story of the user_dir endpoints.
@ -3,7 +3,7 @@ matrix_nginx_proxy_enabled: true
|
||||
# We use an official nginx image, which we fix-up to run unprivileged.
|
||||
# An alternative would be an `nginxinc/nginx-unprivileged` image, but
|
||||
# that is frequently out of date.
|
||||
matrix_nginx_proxy_docker_image: "nginx:1.19.3-alpine"
|
||||
matrix_nginx_proxy_docker_image: "nginx:1.19.4-alpine"
|
||||
matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}"
|
||||
|
||||
matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy"
|
||||
@ -147,7 +147,39 @@ matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: ""
|
||||
matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-synapse:8008"
|
||||
matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:8008"
|
||||
# This needs to be equal or higher than the maximum upload size accepted by Synapse.
|
||||
matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 25
|
||||
matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 50
|
||||
|
||||
|
||||
# Tells whether `/_synapse/client` is forwarded to the Matrix Client API server.
|
||||
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled: true
|
||||
|
||||
# Tells whether `/_synapse/oidc` is forwarded to the Matrix Client API server.
|
||||
# Enable this if you need OpenID Connect authentication support.
|
||||
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled: false
|
||||
|
||||
# Tells whether `/_synapse/admin` is forwarded to the Matrix Client API server.
|
||||
# Following these recommendations (https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md), by default, we don't.
|
||||
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: false
|
||||
|
||||
# `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefixes` holds
|
||||
# the location prefixes that get forwarded to the Matrix Client API server.
|
||||
# These locations get combined into a regex like this `^(/_matrix|/_synapse/client)`.
|
||||
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes: |
|
||||
{{
|
||||
(['/_matrix'])
|
||||
+
|
||||
(['/_synapse/client'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled else [])
|
||||
+
|
||||
(['/_synapse/oidc'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled else [])
|
||||
+
|
||||
(['/_synapse/admin'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled else [])
|
||||
}}
|
||||
|
||||
# Specifies where requests for the root URI (`/`) on the `matrix.` domain should be redirected.
|
||||
# If this has an empty value, they're just passed to the homeserver, which serves a static page.
|
||||
# If you'd like to make `https://matrix.DOMAIN` redirect to `https://element.DOMAIN` (or something of that sort), specify the domain name here.
|
||||
# Example value: `element.DOMAIN` (or `{{ matrix_server_fqn_element }}`).
|
||||
matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: ""
|
||||
|
||||
# Controls whether proxying for the Matrix Federation API should be done.
|
||||
matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false
|
||||
@ -243,6 +275,10 @@ matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl"
|
||||
matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config"
|
||||
matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log"
|
||||
|
||||
# If you'd like to start some service before a certificate is obtained, specify it here.
|
||||
# This could be something like `matrix-dynamic-dns`, etc.
|
||||
matrix_ssl_pre_obtaining_required_service_name: ~
|
||||
matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60
|
||||
|
||||
# nginx status page configurations.
|
||||
matrix_nginx_proxy_proxy_matrix_nginx_status_enabled: false
|
||||
|
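Review bot: `matrix_ssl_pre_obtaining_required_service_name` defaults to `~` (null), but the guard in the SSL task hunk below is `matrix_ssl_pre_obtaining_required_service_name != ''`, which a null value satisfies, so with defaults the block appears to run and try to start a service without a usable name. Either make the default the empty string the guard expects, `matrix_ssl_pre_obtaining_required_service_name: ""`, or test truthiness in the task, `when: "domain_name_needs_cert|bool and matrix_ssl_pre_obtaining_required_service_name"`, which handles both null and empty. If null is kept, `null` is the clearer spelling than `~`.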
@ -12,6 +12,19 @@
|
||||
- set_fact:
|
||||
domain_name_needs_cert: "{{ not domain_name_certificate_path_stat.stat.exists }}"
|
||||
|
||||
- block:
|
||||
- name: Ensure required service for obtaining is started
|
||||
service:
|
||||
name: "{{ matrix_ssl_pre_obtaining_required_service_name }}"
|
||||
state: started
|
||||
register: matrix_ssl_pre_obtaining_required_service_start_result
|
||||
|
||||
- name: Wait some time, so that the required service for obtaining can start
|
||||
wait_for:
|
||||
timeout: "{{ matrix_ssl_service_to_start_before_obtaining_start_wait_time_seconds }}"
|
||||
when: "matrix_ssl_pre_obtaining_required_service_start_result.changed|bool"
|
||||
when: "domain_name_needs_cert|bool and matrix_ssl_pre_obtaining_required_service_name != ''"
|
||||
|
||||
# This will fail if there is something running on port 80 (like matrix-nginx-proxy).
|
||||
# We suppress the error, as we'll try another method below.
|
||||
- name: Attempt initial SSL certificate retrieval with standalone authenticator (directly)
|
||||
|
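Review bot: The `wait_for` timeout references `matrix_ssl_service_to_start_before_obtaining_start_wait_time_seconds`, which is not the variable the defaults hunk above defines (`matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds`); unless it is defined elsewhere, the wait task fails with an undefined variable whenever the service start reports a change. The line should read `timeout: "{{ matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds }}"`. The enclosing task list continues outside the hunk.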
@ -34,7 +34,7 @@
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_nginx_proxy_proxy_matrix_corporal_api_enabled %}
|
||||
location /_matrix/corporal {
|
||||
location ^~ /_matrix/corporal {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
@ -51,7 +51,7 @@
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_nginx_proxy_proxy_matrix_identity_api_enabled %}
|
||||
location /_matrix/identity {
|
||||
location ^~ /_matrix/identity {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
@ -68,8 +68,10 @@
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled %}
|
||||
# FIXME: if this is enabled, user_dir_workers should be disabled
|
||||
location /_matrix/client/r0/user_directory/search {
|
||||
# NOTE: This redirects user lookup requests to the identity server instead of
|
||||
# synapse, so user_dir_workers endpoints listed further down in this file will
|
||||
# not be reached and workers of this kind should be disabled for consistency.
|
||||
location ^~ /_matrix/client/r0/user_directory/search {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
@ -103,7 +105,7 @@
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_nginx_proxy_synapse_workers_enabled %}
|
||||
# Workers redirects BEGIN
|
||||
{# Workers redirects BEGIN}
|
||||
|
||||
{% if generic_workers %}
|
||||
# https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappgeneric_worker
|
||||
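Review bot: As rendered here, the new Jinja comments `{# Workers redirects BEGIN}` and `{# Workers redirects END}` (next hunk) are not closed — a Jinja comment ends with `#}`, and a bare `}` does not terminate it — so everything up to the next `#}` (the comment block added before the `location ~*` further down) would be swallowed, including the workers block and its `{% endif %}`, and the template would most likely fail to render. If the page has not dropped characters, they should read `{# Workers redirects BEGIN #}` and `{# Workers redirects END #}`.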
@ -162,7 +164,7 @@
|
||||
}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
# Workers redirects END
|
||||
{# Workers redirects END}
|
||||
{% endif %}
|
||||
|
||||
|
||||
@ -170,29 +172,6 @@
|
||||
{{- configuration_block }}
|
||||
{% endfor %}
|
||||
|
||||
{#
|
||||
This handles the Matrix Client API only.
|
||||
The Matrix Federation API is handled by a separate vhost.
|
||||
#}
|
||||
location /_matrix {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
set $backend "{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container }}";
|
||||
proxy_pass http://$backend;
|
||||
{% else %}
|
||||
{# Generic configuration for use outside of our container setup #}
|
||||
proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container }};
|
||||
{% endif %}
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
|
||||
client_body_buffer_size 25M;
|
||||
client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M;
|
||||
proxy_max_temp_file_size 0;
|
||||
}
|
||||
|
||||
{% if matrix_nginx_proxy_proxy_synapse_metrics %}
|
||||
location /_synapse/metrics {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
@ -215,7 +194,11 @@
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
location /_synapse {
|
||||
{#
|
||||
This handles the Matrix Client API only.
|
||||
The Matrix Federation API is handled by a separate vhost.
|
||||
#}
|
||||
location ~* ^({{ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes|join('|') }}) {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
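Review bot: The new `location ~* ^(...)` regex is what makes the `^~` modifier added on the corporal, identity and user_directory locations above necessary (a matching regex location otherwise takes precedence over a plain prefix match), but `location /_synapse/metrics` kept a plain prefix and stays reachable only because no default prefix matches `/_synapse/metrics`; an operator who adds a broader entry such as `/_synapse` to the list would have the regex win and route metrics requests to the client API backend instead of the metrics block, which may carry basic auth (see `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key` in the defaults). For consistency and to make the precedence explicit, `location ^~ /_synapse/metrics {`, with a template comment noting that `^~` is required to stay ahead of the regex location. The `~*` also makes the forwarding case-insensitive where the replaced `location /_synapse` prefix was case-sensitive; a comment should record that this is intended.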
@ -235,7 +218,11 @@
|
||||
}
|
||||
|
||||
location / {
|
||||
rewrite ^/$ /_matrix/static/ last;
|
||||
{% if matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain %}
|
||||
return 302 $scheme://{{ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain }}$request_uri;
|
||||
{% else %}
|
||||
rewrite ^/$ /_matrix/static/ last;
|
||||
{% endif %}
|
||||
}
|
||||
{% endmacro %}
|
||||
|
||||
|
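Review bot: Inside `location /`, the new `return 302 ...$request_uri` applies to every request that no other location matched, not only to the root URI, whereas the `rewrite ^/$ ...` in the else branch fires for `/` alone and the defaults comment describes the variable as redirecting "the root URI (`/`)". If only `/` should redirect, one line does it without a second location: `rewrite ^/$ $scheme://{{ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain }}/ redirect;` (nginx returns a 302 when a rewrite replacement starts with `$scheme`). If redirecting all unmatched paths is intended, the defaults comment should say so. `{% endmacro %}` closes a macro that starts outside the hunk.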