Update own-webserver guide and add sample Apache configuration

This supersedes #59 (Github Pull Request), which was greatly beneficial in creating our sample Apache configuration.
2019-02-01 16:51:18 +02:00
parent 8681a5dc69
commit 5e8a7fd05b
4 changed files with 166 additions and 13 deletions
--- a/examples/apache/README.md
+++ b/examples/apache/README.md
@ -0,0 +1,17 @@
+# Apache reverse-proxy
+
+This directory contains sample files that show you how to do reverse-proxying using Apache.
+
+This is for when you wish to have your own Apache webserver sitting in front of Matrix services installed by this playbook.
+See the [Using your own webserver, instead of this playbook's nginx proxy](../../docs/configuring-playbook-own-webserver.md) documentation page.
+
+To use your own Apache reverse-proxy, you first need to disable the integrated nginx server.
+You do that with the following custom configuration (`inventory/matrix.<your-domain>/vars.yml`):
+
+```yaml
+matrix_nginx_proxy_enabled: false
+```
+
+You can then use the configuration files from this directory as an example for how to configure your Apache server.
+
+**NOTE**: this is just an example and may not be entirely accurate. It may also not cover other use cases (enabling various services or bridges requires additional reverse-proxying configuration).
--- a/examples/apache/matrix-riot-web.conf
+++ b/examples/apache/matrix-riot-web.conf
@ -0,0 +1,41 @@
+# This is a sample file demonstrating how to set up reverse-proxy for the riot.DOMAIN.
+# If you're not using Riot (`matrix_riot_web_enabled: false`), you won't need this.
+
+<VirtualHost *:80>
+	ServerName riot.DOMAIN
+
+	# Map /.well-known/acme-challenge to the certbot server
+	# If you manage SSL certificates by yourself, this will differ.
+	<Location /.well-known/acme-challenge>
+		ProxyPreserveHost On
+		ProxyRequests Off
+		ProxyVia On
+		ProxyPass http://localhost:2402/.well-known/acme-challenge
+	</Location>
+
+	Redirect permanent / https://riot.DOMAIN/
+</VirtualHost>
+
+<VirtualHost *:443>
+	ServerName riot.DOMAIN
+
+	SSLEngine On
+
+	# If you manage SSL certificates by yourself, these paths will differ.
+	SSLCertificateFile /matrix/ssl/config/live/riot.DOMAIN/fullchain.pem
+	SSLCertificateKeyFile /matrix/ssl/config/live/riot.DOMAIN/privkey.pem
+
+	SSLProxyEngine on
+	SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3
+	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+
+	ProxyPreserveHost On
+	ProxyRequests Off
+	ProxyVia On
+
+	ProxyPass / http://localhost:8765/
+	ProxyPassReverse / http://localhost:8765/
+
+	ErrorLog ${APACHE_LOG_DIR}/riot.DOMAIN-error.log
+	CustomLog ${APACHE_LOG_DIR}/riot.DOMAIN-access.log combined
+</VirtualHost>
--- a/examples/apache/matrix-synapse.conf
+++ b/examples/apache/matrix-synapse.conf
@ -0,0 +1,73 @@
+# This is a sample file demonstrating how to set up reverse-proxy for the matrix.DOMAIN
+
+<VirtualHost *:80>
+	ServerName matrix.DOMAIN
+
+	# Map /.well-known/acme-challenge to the certbot server
+	# If you manage SSL certificates by yourself, this will differ.
+	<Location /.well-known/acme-challenge>
+		ProxyPreserveHost On
+		ProxyRequests Off
+		ProxyVia On
+		ProxyPass http://localhost:2402/.well-known/acme-challenge
+	</Location>
+
+	Redirect permanent / https://matrix.DOMAIN/
+</VirtualHost>
+
+<VirtualHost *:443>
+	ServerName matrix.DOMAIN
+
+	SSLEngine On
+
+	# If you manage SSL certificates by yourself, these paths will differ.
+	SSLCertificateFile /matrix/ssl/config/live/matrix.DOMAIN/fullchain.pem
+	SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem
+
+	SSLProxyEngine on
+	SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3
+	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+
+	ProxyPreserveHost On
+	ProxyRequests Off
+	ProxyVia On
+
+	# Keep some URIs free for different proxy/location
+	ProxyPassMatch ^/.well-known/matrix/client !
+	ProxyPassMatch ^/_matrix/identity !
+	ProxyPassMatch ^/_matrix/client/r0/user_directory/search !
+
+	# Proxy all remaining traffic to Synapse
+	ProxyPass / http://localhost:8008/
+	ProxyPassReverse / http://localhost:8008/
+
+	# Map /.well-known/matrix/client for client discovery
+	Alias /.well-known/matrix/client /matrix/static-files/.well-known/matrix/client
+	<Files "/matrix/static-files/.well-known/matrix/client">
+		Require all granted
+	</Files>
+	<Location "/.well-known/matrix/client>
+		Header always set Content-Type "application/json"
+		Header always set Access-Control-Allow-Origin "*"
+	</Location>
+	<Directory /matrix/static-files/.well-known/matrix/>
+		AllowOverride All
+		# Apache 2.4:
+		Require all granted
+		# Or for Apache 2.2:
+		#order allow,deny
+	</Directory>
+
+	# Map /_matrix/identity to the identity server
+	<Location /_matrix/identity>
+		ProxyPass http://localhost:8090/_matrix/identity
+	</Location>
+
+	# Map /_matrix/client/r0/user_directory/search to the identity server
+	<Location /_matrix/client/r0/user_directory/search>
+		ProxyPass http://localhost:8090/_matrix/client/r0/user_directory/search
+	</Location>
+
+	ErrorLog ${APACHE_LOG_DIR}/matrix.DOMAIN-error.log
+	CustomLog ${APACHE_LOG_DIR}/matrix.DOMAIN-access.log combined
+</VirtualHost>