merge upstream

roles/matrix-nginx-proxy/defaults/main.yml

@@ -121,6 +121,10 @@ matrix_nginx_proxy_proxy_matrix_federation_port: 8448
 matrix_nginx_proxy_proxy_dimension_enabled: false
 matrix_nginx_proxy_proxy_dimension_hostname: "{{ matrix_server_fqn_dimension }}"
 
+# Controls whether proxying the goneb domain should be done.
+matrix_nginx_proxy_proxy_bot_go_neb_enabled: false
+matrix_nginx_proxy_proxy_bot_go_neb_hostname: "{{ matrix_server_fqn_bot_go_neb }}"
+
 # Controls whether proxying the jitsi domain should be done.
 matrix_nginx_proxy_proxy_jitsi_enabled: false
 matrix_nginx_proxy_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}"
@@ -194,6 +198,8 @@ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes: |
     (['/_synapse/oidc'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled else [])
     +
     (['/_synapse/admin'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled else [])
+    +
+    (['/_synapse/metrics'] if matrix_nginx_proxy_proxy_synapse_metrics else [])
   }}
 
 # Specifies where requests for the root URI (`/`) on the `matrix.` domain should be redirected.
@@ -235,6 +241,9 @@ matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks: []
 # A list of strings containing additional configuration blocks to add to Dimension's server configuration (matrix-dimension.conf).
 matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: []
 
+# A list of strings containing additional configuration blocks to add to GoNEB's server configuration (matrix-bot-go-neb.conf).
+matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks: []
+
 # A list of strings containing additional configuration blocks to add to Jitsi's server configuration (matrix-jitsi.conf).
 matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks: []
 
@@ -363,3 +372,9 @@ matrix_nginx_proxy_synapse_generic_worker_federation_locations: []
 matrix_nginx_proxy_synapse_media_repository_locations: []
 matrix_nginx_proxy_synapse_user_dir_locations: []
 matrix_nginx_proxy_synapse_frontend_proxy_locations: []
+
+# The amount of worker processes and connections
+# Consider increasing these when you are expecting high amounts of traffic
+# http://nginx.org/en/docs/ngx_core_module.html#worker_connections
+matrix_nginx_proxy_worker_processes: 1
+matrix_nginx_proxy_worker_connections: 1024

roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml

@@ -12,6 +12,8 @@
     follow_redirects: none
     return_content: true
     validate_certs: "{{ well_known_file_check.validate_certs }}"
+    headers:
+      Origin: example.com
   check_mode: no
   register: result_well_known_matrix
   ignore_errors: true
@@ -40,6 +42,8 @@
     follow_redirects: "{{ well_known_file_check.follow_redirects }}"
     return_content: true
     validate_certs: "{{ well_known_file_check.validate_certs }}"
+    headers:
+      Origin: example.com
   check_mode: no
   register: result_well_known_identity
   ignore_errors: true

roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml

@@ -79,6 +79,13 @@
     mode: 0644
   when: matrix_nginx_proxy_proxy_dimension_enabled|bool
 
+- name: Ensure Matrix nginx-proxy configuration for goneb domain exists
+  template:
+    src: "{{ role_path }}/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-bot-go-neb.conf"
+    mode: 0644
+  when: matrix_nginx_proxy_proxy_bot_go_neb_enabled|bool
+
 - name: Ensure Matrix nginx-proxy configuration for jitsi domain exists
   template:
     src: "{{ role_path }}/templates/nginx/conf.d/matrix-jitsi.conf.j2"
@@ -196,6 +203,12 @@
     state: absent
   when: "not matrix_nginx_proxy_proxy_dimension_enabled|bool"
 
+- name: Ensure Matrix nginx-proxy configuration for goneb domain deleted
+  file:
+    path: "{{ matrix_nginx_proxy_confd_path }}/matrix-bot-go-neb.conf"
+    state: absent
+  when: "not matrix_nginx_proxy_proxy_bot_go_neb_enabled|bool"
+
 - name: Ensure Matrix nginx-proxy configuration for jitsi domain deleted
   file:
     path: "{{ matrix_nginx_proxy_confd_path }}/matrix-jitsi.conf"

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2

@@ -0,0 +1,77 @@
+#jinja2: lstrip_blocks: "True"
+
+{% macro render_vhost_directives() %}
+	gzip on;
+	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
+	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+	add_header X-Content-Type-Options nosniff;
+{% for configuration_block in matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks %}
+	{{- configuration_block }}
+{% endfor %}
+
+	location / {
+		{% if matrix_nginx_proxy_enabled %}
+			{# Use the embedded DNS resolver in Docker containers to discover the service #}
+			resolver 127.0.0.11 valid=5s;
+			set $backend "matrix-bot-go-neb:4050";
+			proxy_pass http://$backend;
+		{% else %}
+			{# Generic configuration for use outside of our container setup #}
+			proxy_pass http://127.0.0.1:4050;
+		{% endif %}
+
+		proxy_set_header Host $host;
+		proxy_set_header X-Forwarded-For $remote_addr;
+	}
+{% endmacro %}
+
+server {
+	listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
+	server_name {{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }};
+
+	server_tokens off;
+	root /dev/null;
+
+	{% if matrix_nginx_proxy_https_enabled %}
+		location /.well-known/acme-challenge {
+			{% if matrix_nginx_proxy_enabled %}
+				{# Use the embedded DNS resolver in Docker containers to discover the service #}
+				resolver 127.0.0.11 valid=5s;
+				set $backend "matrix-certbot:8080";
+				proxy_pass http://$backend;
+			{% else %}
+				{# Generic configuration for use outside of our container setup #}
+				proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
+			{% endif %}
+		}
+
+		location / {
+			return 301 https://$http_host$request_uri;
+		}
+	{% else %}
+		{{ render_vhost_directives() }}
+	{% endif %}
+}
+
+{% if matrix_nginx_proxy_https_enabled %}
+server {
+	listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
+	listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
+
+	server_name {{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }};
+
+	server_tokens off;
+	root /dev/null;
+
+	ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}/fullchain.pem;
+	ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}/privkey.pem;
+
+	ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
+	{% if matrix_nginx_proxy_ssl_ciphers != '' %}
+	ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
+	{% endif %}
+	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
+
+	{{ render_vhost_directives() }}
+}
+{% endif %}

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2

@@ -47,6 +47,7 @@
 
 		proxy_set_header Host $host;
 		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-Proto $scheme;
 	}
 	{% endif %}
 
@@ -64,6 +65,7 @@
 
 		proxy_set_header Host $host;
 		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-Proto $scheme;
 	}
 	{% endif %}
 
@@ -98,6 +100,7 @@
 
 		proxy_set_header Host $host;
 		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-Proto $scheme;
 	}
 	{% endif %}
 
@@ -122,6 +125,7 @@
 
 		proxy_set_header Host $host;
 		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-Proto $scheme;
 
 		client_body_buffer_size 25M;
 		client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M;

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2

@@ -17,7 +17,7 @@
 			proxy_pass http://$backend;
 		{% else %}
 			{# Generic configuration for use outside of our container setup #}
-			proxy_pass http://127.0.0.1:12080;
+			proxy_pass http://127.0.0.1:13080;
 		{% endif %}
 
 		proxy_set_header Host $host;
@@ -32,7 +32,7 @@
 			proxy_pass http://$backend;
 		{% else %}
 			{# Generic configuration for use outside of our container setup #}
-			proxy_pass http://127.0.0.1:12090;
+			proxy_pass http://127.0.0.1:13090;
 		{% endif %}
 
 		proxy_set_header Host $host;

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2

@@ -79,7 +79,6 @@ server {
 			location ~ {{ location }} {
 				proxy_pass http://generic_worker_upstream$request_uri;
 				proxy_set_header Host $host;
-				proxy_set_header X-Forwarded-For $remote_addr;
 			}
 			{% endfor %}
 		{% endif %}
@@ -90,7 +89,6 @@ server {
 			location ~ {{ location }} {
 				proxy_pass http://media_repository_upstream$request_uri;
 				proxy_set_header Host $host;
-				proxy_set_header X-Forwarded-For $remote_addr;
 
 				client_body_buffer_size 25M;
 				client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M;
@@ -106,7 +104,6 @@ server {
 			location ~ {{ location }} {
 				proxy_pass http://user_dir_upstream$request_uri;
 				proxy_set_header Host $host;
-				proxy_set_header X-Forwarded-For $remote_addr;
 			}
 			{% endfor %}
 		{% endif %}
@@ -117,7 +114,6 @@ server {
 			location ~ {{ location }} {
 				proxy_pass http://frontend_proxy_upstream$request_uri;
 				proxy_set_header Host $host;
-				proxy_set_header X-Forwarded-For $remote_addr;
 			}
 			{% endfor %}
 			{% if matrix_nginx_proxy_synapse_presence_disabled %}
@@ -125,7 +121,6 @@ server {
 			location ~ ^/_matrix/client/(api/v1|r0|unstable)/presence/[^/]+/status {
 				proxy_pass http://frontend_proxy_upstream$request_uri;
 				proxy_set_header Host $host;
-				proxy_set_header X-Forwarded-For $remote_addr;
 			}
 			{% endif %}
 		{% endif %}
@@ -150,7 +145,6 @@ server {
 		{% endif %}
 
 		proxy_set_header Host $host;
-		proxy_set_header X-Forwarded-For $remote_addr;
 
 		{% if matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled %}
 			auth_basic "protected";
@@ -172,7 +166,6 @@ server {
 		{% endif %}
 
 		proxy_set_header Host $host;
-		proxy_set_header X-Forwarded-For $remote_addr;
 
 		client_body_buffer_size 25M;
 		client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M;
@@ -199,7 +192,6 @@ server {
 			location ~ {{ location }} {
 				proxy_pass http://generic_worker_upstream$request_uri;
 				proxy_set_header Host $host;
-				proxy_set_header X-Forwarded-For $remote_addr;
 			}
 			{% endfor %}
 		{% endif %}
@@ -209,7 +201,6 @@ server {
 			location ~ {{ location }} {
 				proxy_pass http://media_repository_upstream$request_uri;
 				proxy_set_header Host $host;
-				proxy_set_header X-Forwarded-For $remote_addr;
 
 				client_body_buffer_size 25M;
 				client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M;
@@ -231,7 +222,6 @@ server {
 		{% endif %}
 
 		proxy_set_header Host $host;
-		proxy_set_header X-Forwarded-For $remote_addr;
 
 		client_body_buffer_size 25M;
 		client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M;

roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2

@@ -8,14 +8,13 @@
 # - various temp paths are changed to `/tmp`, so that a non-root user can write to them
 # - the `user` directive was removed, as we don't want nginx to switch users
 
-worker_processes 1;
-
+worker_processes {{ matrix_nginx_proxy_worker_processes }};
 error_log /var/log/nginx/error.log warn;
 pid /tmp/nginx.pid;
 
 
 events {
-	worker_connections 1024;
+	worker_connections {{ matrix_nginx_proxy_worker_connections }};
 }