From deeefac84cad6a0f0fb150be029553b4fe7069ac Mon Sep 17 00:00:00 2001
From: p5t2vspoqqw
Date: Wed, 17 Apr 2019 13:42:09 +0200
Subject: [PATCH 1/5] add ngnix-status to config add doc
---
 docs/configuring-playbook-ngnix.md | 13 +++++++++++++
 docs/configuring-playbook.md | 2 ++
 roles/matrix-nginx-proxy/defaults/main.yml | 2 ++
 .../templates/nginx/conf.d/matrix-domain.conf.j2 | 9 +++++++++
 4 files changed, 26 insertions(+)
 create mode 100644 docs/configuring-playbook-ngnix.md
diff --git a/docs/configuring-playbook-ngnix.md b/docs/configuring-playbook-ngnix.md
new file mode 100644
index 000000000..81081e8b3
--- /dev/null
+++ b/docs/configuring-playbook-ngnix.md
@@ -0,0 +1,13 @@
+# Configure Ngnix (optional, advanced)
+
+By default, this playbook installs its own nginx webserver (in a Docker container) which listens on ports 80 and 443.
+If that's alright, you can skip this.
+
+
+## Using Ngnix status
+
+This will serve a statuspage to the hosting machine only. Useful for monitoring software like [longview](https://www.linode.com/docs/platform/longview/longview-app-for-nginx/)
+
+```yaml
+matrix_nginx_proxy_nginx_status_enabled: true
+```
diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md
index c56cf11d2..309fff098 100644
--- a/docs/configuring-playbook.md
+++ b/docs/configuring-playbook.md
@@ -43,6 +43,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins
 - [Serving your base domain using this playbook's nginx server](configuring-playbook-base-domain-serving.md) (optional)
+- [Configure Ngnix (optional, advanced)](configuring-playbook-ngnix.md) (optional, advanced)
+
 - [Using your own webserver, instead of this playbook's nginx proxy](configuring-playbook-own-webserver.md) (optional, advanced)
 - [Setting up the REST authentication password provider module](configuring-playbook-rest-auth.md) (optional, advanced)
diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml
index 3576f4c44..54e25194c 100644
--- a/roles/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/matrix-nginx-proxy/defaults/main.yml
@@ -1,5 +1,7 @@
 matrix_nginx_proxy_enabled: true
+matrix_nginx_proxy_nginx_status_enabled: false
+
 # We use an official nginx image, which we fix-up to run unprivileged.
 # An alternative would be an `nginxinc/nginx-unprivileged` image, but
 # those as more frequently out of date.
diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
index 679f3efa7..b63f9fbcc 100644
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
@@ -4,6 +4,15 @@ server {
 server_tokens off;
+ {% if matrix_nginx_proxy_nginx_status_enabled %}
+ location /nginx_status {
+ stub_status on;
+ access_log off;
+ allow {{ ansible_default_ipv4.address }};
+ deny all;
+ }
+ {% endif %}
+
 location /.well-known/acme-challenge {
 {% if matrix_nginx_proxy_enabled %}
 {# Use the embedded DNS resolver in Docker containers to discover the service #}
 resolver 127.0.0.11 valid=5s;
 set $backend "matrix-certbot:8080";
 proxy_pass http://$backend;
From 7ee6927ca92e6acae0ddb313877cd9b2e7dc7ee1 Mon Sep 17 00:00:00 2001
From: p5t2vspoqqw
Date: Tue, 23 Apr 2019 09:44:02 +0200
Subject: [PATCH 2/5] add suggested change; correct indent
---
 docs/configuring-playbook-ngnix.md | 8 +++++++
 roles/matrix-nginx-proxy/defaults/main.yml | 7 ++++--
 .../nginx/conf.d/matrix-domain.conf.j2 | 24 ++++++++++---------
 3 files changed, 26 insertions(+), 13 deletions(-)
diff --git a/docs/configuring-playbook-ngnix.md b/docs/configuring-playbook-ngnix.md
index 81081e8b3..e2a46a72a 100644
--- a/docs/configuring-playbook-ngnix.md
+++ b/docs/configuring-playbook-ngnix.md
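Review bot: The `allow {{ ansible_default_ipv4.address }}` / `deny all` pair in the new `/nginx_status` location is compared against the source address nginx sees on the connection, and when the proxy runs in a Docker container on a bridge network (the `resolver 127.0.0.11` branch directly below is the Docker-networking case) host-originated requests are likely to arrive from the bridge gateway address rather than the host's default-interface address, so a monitoring agent on the host may receive 403 even though the docs promise "hosting machine only". This is worth checking with a `curl http://127.0.0.1/nginx_status` from the host after deploying, and recording above the location, e.g. `{# allow/deny match the connection source address; from a bridged container, host traffic may show up as the docker bridge gateway, not ansible_default_ipv4.address #}`. The enclosing `server` block starts before the hunk and also serves `/.well-known/acme-challenge`, so the status location is reachable on whichever listener that block defines.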
@@ -11,3 +11,11 @@ This will serve a statuspage to the hosting machine only. Useful for monitoring
 ```yaml
 matrix_nginx_proxy_nginx_status_enabled: true
 ```
+
+In default ```matrix_nginx_proxy_nginx_status_enabled``` will add the local ip adress. If you wish to listen to other ip-adresses provide a list:
+
+```yaml
+matrix_nginx_proxy_nginx_status_allowed_addresses:
+- 8.8.8.8
+- 1.1.1.1
+```
diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml
index 54e25194c..7c9739c36 100644
--- a/roles/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/matrix-nginx-proxy/defaults/main.yml
@@ -1,7 +1,5 @@
 matrix_nginx_proxy_enabled: true
-matrix_nginx_proxy_nginx_status_enabled: false
-
 # We use an official nginx image, which we fix-up to run unprivileged.
 # An alternative would be an `nginxinc/nginx-unprivileged` image, but
 # those as more frequently out of date.
@@ -142,3 +140,8 @@ matrix_ssl_lets_encrypt_support_email: ~
 matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl"
 matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config"
 matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log"
+
+
+# ngnix status page configurations.
+matrix_nginx_proxy_nginx_status_enabled: false
+matrix_nginx_proxy_nginx_status_allowed_addresses: ['{{ ansible_default_ipv4.address }}']
diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
index b63f9fbcc..f33d69599 100644
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
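Review bot: `matrix_nginx_proxy_nginx_status_allowed_addresses` defaults to a one-element list built from `ansible_default_ipv4.address`, and that fact is not defined on a host without an IPv4 default route or when fact gathering is disabled, so enabling the status page on such a host would presumably abort at template time rather than fail closed. An explicit fallback makes the behaviour deliberate, e.g. `matrix_nginx_proxy_nginx_status_allowed_addresses: "{{ [ansible_default_ipv4.address] if ansible_default_ipv4 is defined else [] }}"`, which renders only `deny all` when no address is known. The comment `# ngnix status page configurations.` also misspells nginx and should say how the entries are consumed; something like `# nginx stub_status page. Each entry is passed verbatim to an nginx 'allow' directive (IP or CIDR); an empty list leaves only 'deny all'.` would do.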
@@ -4,25 +4,27 @@ server {
 server_tokens off;
- {% if matrix_nginx_proxy_nginx_status_enabled %}
- location /nginx_status {
- stub_status on;
- access_log off;
- allow {{ ansible_default_ipv4.address }};
- deny all;
- }
- {% endif %}
+{% if matrix_nginx_proxy_nginx_status_enabled %}
+ location /nginx_status {
+ stub_status on;
+ access_log off;
+{% for address in matrix_nginx_proxy_nginx_status_allowed_addresses %}
+ allow {{ address }};
+{% endfor %}
+ deny all;
+ }
+{% endif %}
 location /.well-known/acme-challenge {
- {% if matrix_nginx_proxy_enabled %}
+{% if matrix_nginx_proxy_enabled %}
 {# Use the embedded DNS resolver in Docker containers to discover the service #}
 resolver 127.0.0.11 valid=5s;
 set $backend "matrix-certbot:8080";
 proxy_pass http://$backend;
- {% else %}
+{% else %}
 {# Generic configuration for use outside of our container setup #}
 proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
- {% endif %}
+{% endif %}
 }
 location / {
From 4b8190dc3fd1f48c30b8ceda9a530a20960a6763 Mon Sep 17 00:00:00 2001
From: p5t2vspoqqw
Date: Wed, 7 Aug 2019 10:54:14 +0200
Subject: [PATCH 3/5] serve status page for matrix.DOMAIN only
---
 docs/configuring-playbook-ngnix.md | 6 ++++--
 .../nginx/conf.d/matrix-domain.conf.j2 | 17 +++--------------
 .../nginx/conf.d/matrix-synapse.conf.j2 | 11 +++++++++++
 3 files changed, 18 insertions(+), 16 deletions(-)
diff --git a/docs/configuring-playbook-ngnix.md b/docs/configuring-playbook-ngnix.md
index e2a46a72a..8b7e24e75 100644
--- a/docs/configuring-playbook-ngnix.md
+++ b/docs/configuring-playbook-ngnix.md
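Review bot: `access_log off;` inside the `/nginx_status` location also suppresses the log entry for requests that `deny all` answers with 403, so once this is enabled, remote probing of the status endpoint leaves no trace in the access log. If the goal is only to keep the monitoring agent's polling out of the logs, either drop `access_log off;` or record the trade-off next to it, e.g. `{# access_log off also hides denied (403) probes of this endpoint #}`. Separately, each entry of `matrix_nginx_proxy_nginx_status_allowed_addresses` is rendered unquoted into `allow {{ address }};`, which makes the variable raw nginx syntax (IP, CIDR or `all`) rather than a validated address list; a one-line comment above the `{% for %}` saying so would stop someone from passing a hostname and getting a config nginx refuses to load. The `server` block this sits in starts outside the hunk.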
@@ -9,13 +9,15 @@ If that's alright, you can skip this.
 This will serve a statuspage to the hosting machine only. Useful for monitoring software like [longview](https://www.linode.com/docs/platform/longview/longview-app-for-nginx/)
 ```yaml
-matrix_nginx_proxy_nginx_status_enabled: true
+matrix_nginx_proxy_proxy_matrix_nginx_status_enabled: true
 ```
+This will serve the status page under ```matrix.DOMAIN/nginx_status```
+
 In default ```matrix_nginx_proxy_nginx_status_enabled``` will add the local ip adress. If you wish to listen to other ip-adresses provide a list:
 ```yaml
-matrix_nginx_proxy_nginx_status_allowed_addresses:
+matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses:
 - 8.8.8.8
 - 1.1.1.1
 ```
diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
index 27d2f297e..0d2348272 100644
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
@@ -5,27 +5,16 @@ server {
 server_tokens off;
-{% if matrix_nginx_proxy_nginx_status_enabled %}
- location /nginx_status {
- stub_status on;
- access_log off;
-{% for address in matrix_nginx_proxy_nginx_status_allowed_addresses %}
- allow {{ address }};
-{% endfor %}
- deny all;
- }
-{% endif %}
-
 location /.well-known/acme-challenge {
-{% if matrix_nginx_proxy_enabled %}
+ {% if matrix_nginx_proxy_enabled %}
 {# Use the embedded DNS resolver in Docker containers to discover the service #}
 resolver 127.0.0.11 valid=5s;
 set $backend "matrix-certbot:8080";
 proxy_pass http://$backend;
-{% else %}
+ {% else %}
 {# Generic configuration for use outside of our container setup #}
 proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
-{% endif %}
+ {% endif %}
 }
 location / {
diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2
index eda0929b8..356c9f3a7 100644
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2
@@ -17,6 +17,17 @@ server {
 {% endif %}
 }
+{% if matrix_nginx_proxy_proxy_matrix_nginx_status_enabled %}
+ location /nginx_status {
+ stub_status on;
+ access_log off;
+{% for address in matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses %}
+ allow {{ address }};
+{% endfor %}
+ deny all;
+ }
+{% endif %}
+
 location / {
 return 301 https://$http_host$request_uri;
 }
From c32a3e32040821368735b0b97a979e8587cb8e2c Mon Sep 17 00:00:00 2001
From: p5t2vspoqqw
Date: Wed, 7 Aug 2019 10:56:29 +0200
Subject: [PATCH 4/5] correct defaults
---
 roles/matrix-nginx-proxy/defaults/main.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml
index b76b2bbde..82cc8d5c0 100644
--- a/roles/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/matrix-nginx-proxy/defaults/main.yml
@@ -155,5 +155,5 @@ matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log"
 # ngnix status page configurations.
-matrix_nginx_proxy_nginx_status_enabled: false
-matrix_nginx_proxy_nginx_status_allowed_addresses: ['{{ ansible_default_ipv4.address }}']
+matrix_nginx_proxy_proxy_matrix_nginx_status_enabled: false
+matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: ['{{ ansible_default_ipv4.address }}']
From f97175a1c6a6ddfa457d7f15d7bd8c52e5660c15 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Wed, 7 Aug 2019 12:35:48 +0300
Subject: [PATCH 5/5] Update configuring-playbook-ngnix.md
---
 docs/configuring-playbook-ngnix.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
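Review bot: The new `/nginx_status` location is inserted into the `server` block whose `location /` answers with `return 301 https://$http_host$request_uri;`, which reads as the plain-HTTP listener, so the status page would be served over cleartext on port 80 of `matrix.DOMAIN` rather than at the `https://matrix.DOMAIN/nginx_status` URL the docs in this series advertise. The `stub_status` counters are low-sensitivity, but documenting one listener while configuring another is the kind of mismatch that leaves monitoring silently misconfigured. If HTTPS is intended, the block belongs in this file's TLS `server` block, which is outside the hunk; if plain HTTP is deliberate, change the doc to `http://matrix.DOMAIN/nginx_status` and say so in the template, e.g. `{# served on the plain-HTTP listener so host-local monitoring does not need TLS #}`.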
diff --git a/docs/configuring-playbook-ngnix.md b/docs/configuring-playbook-ngnix.md
index 8b7e24e75..cc4a64940 100644
--- a/docs/configuring-playbook-ngnix.md
+++ b/docs/configuring-playbook-ngnix.md
@@ -12,9 +12,9 @@ This will serve a statuspage to the hosting machine only. Useful for monitoring
 matrix_nginx_proxy_proxy_matrix_nginx_status_enabled: true
 ```
-This will serve the status page under ```matrix.DOMAIN/nginx_status```
+This will serve the status page under ```https://matrix.DOMAIN/nginx_status```
-In default ```matrix_nginx_proxy_nginx_status_enabled``` will add the local ip adress. If you wish to listen to other ip-adresses provide a list:
+By default, if ```matrix_nginx_proxy_nginx_status_enabled``` is enabled, access to the status page would be allowed from the local IP address of the server. If you wish to allow access from other IP addresses, you can provide them as a list:
 ```yaml
 matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: