Expose /_synapse/* APIs via matrix-synapse-reverse-proxy-companion
This also updates validation tasks and documentation, pointing to variables in the matrix-synapse role which don't currently exist yet (e.g. `matrix_synapse_container_labels_client_synapse_admin_api_enabled`). These variables will be added soon, as Traefik labels are added to the `matrix-synapse` role. At that point, the `matrix-synapse-reverse-proxy-companion` role will be updated to also use them.
This commit is contained in:
Slavi Pantaleev
@ -325,30 +325,12 @@ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:12080
|
||||
# This needs to be equal or higher than the maximum upload size accepted by Synapse.
|
||||
matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 50
|
||||
|
||||
|
||||
# Tells whether `/_synapse/client` is forwarded to the Matrix Client API server.
|
||||
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled: true
|
||||
|
||||
# Tells whether `/_synapse/oidc` is forwarded to the Matrix Client API server.
|
||||
# Enable this if you need OpenID Connect authentication support.
|
||||
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled: false
|
||||
|
||||
# Tells whether `/_synapse/admin` is forwarded to the Matrix Client API server.
|
||||
# Following these recommendations (https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md), by default, we don't.
|
||||
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: false
|
||||
|
||||
# `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefixes` holds
|
||||
# the location prefixes that get forwarded to the Matrix Client API server.
|
||||
# These locations get combined into a regex like this `^(/_matrix|/_synapse/client)`.
|
||||
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes: |
|
||||
{{
|
||||
(['/_matrix'])
|
||||
+
|
||||
(['/_synapse/client'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled else [])
|
||||
+
|
||||
(['/_synapse/oidc'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled else [])
|
||||
+
|
||||
(['/_synapse/admin'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled else [])
|
||||
}}
|
||||
|
||||
# Controls whether proxying for the Matrix Federation API should be done.
|
||||
|
||||
@ -93,7 +93,37 @@ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_entry
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_entrypoints != 'web' }}"
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming
|
||||
|
||||
# TODO - /_synapse public exposure, etc.?
|
||||
# Controls whether labels will be added that expose the /_synapse/client paths
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_enabled: true
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}"
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_path_prefix: /_synapse/client
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_path_prefix }}`)"
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_priority: 0
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}"
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_entrypoints != 'web' }}"
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming
|
||||
|
||||
# Controls whether labels will be added that expose the /_synapse/oidc paths
|
||||
# Enable this if you need OpenID Connect authentication support.
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_enabled: false
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}"
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_path_prefix: /_synapse/oidc
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_path_prefix }}`)"
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_priority: 0
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}"
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_entrypoints != 'web' }}"
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming
|
||||
|
||||
# Controls whether labels will be added that expose the /_synapse/admin paths
|
||||
# Following these recommendations (https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md), by default, we don't.
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_enabled: false
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}"
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_path_prefix: /_synapse/admin
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_path_prefix }}`)"
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_priority: 0
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}"
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_entrypoints != 'web' }}"
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming
|
||||
|
||||
# Controls whether labels will be added that expose the Server-Server API (Federation API).
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_federation_api_enabled: "{{ matrix_synapse_reverse_proxy_companion_federation_api_enabled }}"
|
||||
|
||||
@ -13,6 +13,10 @@
|
||||
|
||||
- {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_hostname', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_enabled }}"}
|
||||
|
||||
- {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_hostname', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_enabled }}"}
|
||||
- {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_hostname', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_enabled }}"}
|
||||
- {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_hostname', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_enabled }}"}
|
||||
|
||||
- {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_hostname', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_enabled }}"}
|
||||
- {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_entrypoints', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_enabled }}"}
|
||||
|
||||
|
||||
@ -48,7 +48,7 @@ traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-root.tls.cert
|
||||
|
||||
|
||||
{#
|
||||
Client-API
|
||||
Client-API (/_matrix)
|
||||
#}
|
||||
{% if matrix_synapse_reverse_proxy_companion_container_labels_client_api_enabled %}
|
||||
|
||||
@ -68,12 +68,87 @@ traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.tls.certR
|
||||
|
||||
{% endif %}
|
||||
{#
|
||||
/Client-API
|
||||
/Client-API (/_matrix)
|
||||
#}
|
||||
|
||||
|
||||
{#
|
||||
Federation-API
|
||||
Synapse Admin API (/_synapse/client)
|
||||
#}
|
||||
{% if matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_enabled %}
|
||||
|
||||
traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.rule={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_rule }}
|
||||
|
||||
{% if matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_priority | int > 0 %}
|
||||
traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.priority={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_priority }}
|
||||
{% endif %}
|
||||
|
||||
traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.service=matrix-synapse-reverse-proxy-companion-client-api
|
||||
traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.entrypoints={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_entrypoints }}
|
||||
traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.tls={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_tls | to_json }}
|
||||
|
||||
{% if matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_tls %}
|
||||
traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.tls.certResolver={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_tls_certResolver }}
|
||||
{% endif %}
|
||||
|
||||
{% endif %}
|
||||
{#
|
||||
/Synapse Admin API (/_synapse/client)
|
||||
#}
|
||||
|
||||
|
||||
{#
|
||||
Synapse OIDC API (/_synapse/oidc)
|
||||
#}
|
||||
{% if matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_enabled %}
|
||||
|
||||
traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.rule={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_rule }}
|
||||
|
||||
{% if matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_priority | int > 0 %}
|
||||
traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.priority={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_priority }}
|
||||
{% endif %}
|
||||
|
||||
traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.service=matrix-synapse-reverse-proxy-companion-client-api
|
||||
traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.entrypoints={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_entrypoints }}
|
||||
traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.tls={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_tls | to_json }}
|
||||
|
||||
{% if matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_tls %}
|
||||
traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.tls.certResolver={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_tls_certResolver }}
|
||||
{% endif %}
|
||||
|
||||
{% endif %}
|
||||
{#
|
||||
/Synapse OIDC API (/_synapse/oidc)
|
||||
#}
|
||||
|
||||
|
||||
{#
|
||||
Synapse Admin API (/_synapse/admin)
|
||||
#}
|
||||
{% if matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_enabled %}
|
||||
|
||||
traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.rule={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_rule }}
|
||||
|
||||
{% if matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_priority | int > 0 %}
|
||||
traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.priority={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_priority }}
|
||||
{% endif %}
|
||||
|
||||
traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.service=matrix-synapse-reverse-proxy-companion-client-api
|
||||
traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.entrypoints={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_entrypoints }}
|
||||
traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.tls={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_tls | to_json }}
|
||||
|
||||
{% if matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_tls %}
|
||||
traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.tls.certResolver={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_tls_certResolver }}
|
||||
{% endif %}
|
||||
|
||||
{% endif %}
|
||||
{#
|
||||
/Synapse Admin API (/_synapse/admin)
|
||||
#}
|
||||
|
||||
|
||||
{#
|
||||
Federation-API (/_matrix)
|
||||
#}
|
||||
{% if matrix_synapse_reverse_proxy_companion_container_labels_federation_api_enabled %}
|
||||
|
||||
@ -93,7 +168,7 @@ traefik.http.routers.matrix-synapse-reverse-proxy-companion-federation-api.tls.c
|
||||
|
||||
{% endif %}
|
||||
{#
|
||||
/Federation-API
|
||||
/Federation-API (/_matrix)
|
||||
#}
|
||||
|
||||
{% endif %}
|
||||
|
||||
@ -18,7 +18,7 @@ matrix_synapse_email_smtp_enable_tls: true
|
||||
# because `matrix_synapse_workers_generic_worker_endpoints` also contains things like `/_synapse/client/`, etc.
|
||||
# While /_synapse/client/ endpoints are somewhat client-server API-related, they're:
|
||||
# - neither part of the client-server API spec (and are thus, different)
|
||||
# - nor always OK to forward to a worker (we're supposed to obey `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled`)
|
||||
# - nor always OK to forward to a worker (we're supposed to obey `matrix_synapse_companion_container_labels_client_synapse_client_api_enabled`)
|
||||
#
|
||||
# It's also not too many of these APIs (only `^/_synapse/client/password_reset/email/submit_token$` at the time of this writing / 2021-01-24),
|
||||
# so it's not that important whether we forward them or not.
|
||||
|
||||
@ -84,6 +84,9 @@
|
||||
- {'old': 'matrix_nginx_proxy_proxy_riot_compat_redirect_enabled', 'new': '<redirecting the riot domain to an element domain is no longer supported - you can implement it yourself using matrix_client_element_container_labels_additional_labels>'}
|
||||
- {'old': 'matrix_nginx_proxy_proxy_riot_compat_redirect_hostname', 'new': '<redirecting the riot domain to an element domain is no longer supported - you can implement it yourself using matrix_client_element_container_labels_additional_labels>'}
|
||||
- {'old': 'matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain', 'new': '<superseded by matrix_synapse_container_labels_client_root_redirection_* or matrix_synapse_reverse_proxy_companion_container_labels_client_root_redirection_* or other equivalent variables based on the homeserver implementation you use>'}
|
||||
- {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled', 'new': 'matrix_synapse_container_labels_client_synapse_client_api_enabled'}
|
||||
- {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled', 'new': 'matrix_synapse_container_labels_client_synapse_oidc_api_enabled'}
|
||||
- {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled', 'new': 'matrix_synapse_container_labels_client_synapse_admin_api_enabled'}
|
||||
|
||||
- name: (Deprecation) Catch and report matrix_postgres variables
|
||||
ansible.builtin.fail:
|
||||
|
||||
Reference in New Issue
Block a user