From 68e1a636c30d292f257587c32f9b333efbabc9d3 Mon Sep 17 00:00:00 2001 From: Logan Pulley Date: Tue, 10 Dec 2019 12:17:19 -0600 Subject: [PATCH] Added Traefik configuration example to own webserver docs --- docs/configuring-playbook-own-webserver.md | 82 +++++++++++++++++++++- 1 file changed, 80 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 29b7625b8..4fd3dc45d 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -115,5 +115,83 @@ All services would be served locally on `127.0.0.1:81` and `127.0.0.1:8449` (as You can then set up another reverse-proxy server on ports 80/443/8448 for all of the expected domains and make traffic go to these local ports. The expected domains vary depending on the services you have enabled (`matrix.DOMAIN` for sure; `riot.DOMAIN` and `dimension.DOMAIN` are optional). -We don't have sample webserver configuration for this use-case yet, but hope to expand on this documentation entry in the future. -For [Traefik](https://traefik.io/), you can [see some work in progress examples here](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/296). +### Sample configuration for running behind Traefik 2.0 + +Below is a sample configuration for using this playbook with a [Traefik](https://traefik.io/) 2.0 reverse proxy. + +```yaml +# Disable generation and retrieval of SSL certs +matrix_ssl_retrieval_method: none + +# Configure Nginx to only use plain HTTP +matrix_nginx_proxy_https_enabled: false + +# Don't bind any HTTP or federation port to the host +# (Traefik will proxy directly into the containers) +matrix_nginx_proxy_container_http_host_bind_port: '' +matrix_nginx_proxy_container_federation_host_bind_port: '' + +# Disable Coturn because it needs SSL certs +# (Clients can, though exposing IP address, use Matrix.org TURN) +matrix_coturn_enabled: false + +# All containers need to be on the same Docker network as Traefik +# (This network should already exist and Traefik should be using this network) +matrix_docker_network: 'traefik' + +matrix_nginx_proxy_container_extra_arguments: + # May be unnecessary depending on Traefik config, but can't hurt + - '--label "traefik.enable=true"' + + # The Nginx proxy container will receive traffic from these subdomains + # (Replace DOMAIN with your domain, e.g. example.com) + - '--label "traefik.http.routers.matrix-nginx-proxy.rule=Host(`matrix.DOMAIN`,`riot.DOMAIN`,`dimension.DOMAIN`)"' + + # (The 'web-secure' entrypoint must bind to port 443 in Traefik config) + - '--label "traefik.http.routers.matrix-nginx-proxy.entrypoints=web-secure"' + + # (The 'default' certificate resolver must be defined in Traefik config) + - '--label "traefik.http.routers.matrix-nginx-proxy.tls.certResolver=default"' + + # The Nginx proxy container uses port 8080 internally + - '--label "traefik.http.services.matrix-nginx-proxy.loadbalancer.server.port=8080"' + +matrix_synapse_container_extra_arguments: + # May be unnecessary depending on Traefik config, but can't hurt + - '--label "traefik.enable=true"' + + # The Synapse container will receive traffic from this subdomain + # (Replace DOMAIN with your domain, e.g. example.com) + - '--label "traefik.http.routers.matrix-synapse.rule=Host(`matrix.DOMAIN`)"' + + # (The 'synapse' entrypoint must bind to port 8448 in Traefik config) + - '--label "traefik.http.routers.matrix-synapse.entrypoints=synapse"' + + # (The 'default' certificate resolver must be defined in Traefik config) + - '--label "traefik.http.routers.matrix-synapse.tls.certResolver=default"' + + # The Synapse container uses port 8048 internally + - '--label "traefik.http.services.matrix-synapse.loadbalancer.server.port=8048"' +``` + +This method uses labels attached to the Nginx and Synapse containers to provide the Traefik Docker provider with the information it needs to proxy `matrix.DOMAIN`, `riot.DOMAIN`, and `dimension.DOMAIN`. Some [static configuration](https://docs.traefik.io/v2.0/reference/static-configuration/file/) is required in Traefik; namely, having endpoints on ports 443 and 8448 and having a certificate resolver. + +Note that this configuration on its own does **not** redirect traffic on port 80 (plain HTTP) to port 433 for HTTPS, which may cause some issues, since the built-in Nginx proxy usually does this. If you are not already doing this in Traefik, it can be added to Traefik in a [file provider](https://docs.traefik.io/v2.0/providers/file/) as follows: + +```toml +[http] + [http.routers] + [http.routers.redirect-http] + entrypoints = ["web"] # The 'web' entrypoint must bind to port 80 + rule = "HostRegexp(`{host:.+}`)" # Change if you don't want to redirect all hosts to HTTPS + service = "dummy" # Unused, but all routers need services (for now) + middlewares = ["https"] + [http.services] + [http.services.dummy.loadbalancer] + [[http.services.dummy.loadbalancer.servers]] + url = "localhost" + [http.middlewares] + [http.middlewares.https.redirectscheme] + scheme = "https" + permanent = true +``` \ No newline at end of file