sync with previous repo

examples/apache/README.md

@@ -0,0 +1,17 @@
+# Apache reverse-proxy
+
+This directory contains sample files that show you how to do reverse-proxying using Apache.
+
+This is for when you wish to have your own Apache webserver sitting in front of Matrix services installed by this playbook.
+See the [Using your own webserver, instead of this playbook's nginx proxy](../../docs/configuring-playbook-own-webserver.md) documentation page.
+
+To use your own Apache reverse-proxy, you first need to disable the integrated nginx server.
+You do that with the following custom configuration (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
+
+```yaml
+matrix_nginx_proxy_enabled: false
+```
+
+You can then use the configuration files from this directory as an example for how to configure your Apache server.
+
+**NOTE**: this is just an example and may not be entirely accurate. It may also not cover other use cases (enabling various services or bridges requires additional reverse-proxying configuration).

examples/apache/matrix-client-element.conf

@@ -0,0 +1,41 @@
+# This is a sample file demonstrating how to set up reverse-proxy for element.DOMAIN.
+# If you're not using Element (`matrix_client_element_enabled: false`), you won't need this.
+
+<VirtualHost *:80>
+	ServerName element.DOMAIN
+
+	ProxyVia On
+
+	# Map /.well-known/acme-challenge to the certbot server
+	# If you manage SSL certificates by yourself, this will differ.
+	<Location /.well-known/acme-challenge>
+		ProxyPreserveHost On
+		ProxyPass http://127.0.0.1:2402/.well-known/acme-challenge
+	</Location>
+
+	Redirect permanent / https://element.DOMAIN/
+</VirtualHost>
+
+<VirtualHost *:443>
+	ServerName element.DOMAIN
+
+	SSLEngine On
+
+	# If you manage SSL certificates by yourself, these paths will differ.
+	SSLCertificateFile /matrix/ssl/config/live/element.DOMAIN/fullchain.pem
+	SSLCertificateKeyFile /matrix/ssl/config/live/element.DOMAIN/privkey.pem
+
+	SSLProxyEngine on
+	SSLProxyProtocol +TLSv1.2 +TLSv1.3
+	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+
+	ProxyPreserveHost On
+	ProxyRequests Off
+	ProxyVia On
+
+	ProxyPass / http://127.0.0.1:8765/
+	ProxyPassReverse / http://127.0.0.1:8765/
+
+	ErrorLog ${APACHE_LOG_DIR}/element.DOMAIN-error.log
+	CustomLog ${APACHE_LOG_DIR}/element.DOMAIN-access.log combined
+</VirtualHost>

examples/apache/matrix-dimension.conf

@@ -0,0 +1,41 @@
+# This is a sample file demonstrating how to set up reverse-proxy for dimension.DOMAIN.
+# If you're not using Dimension (`matrix_dimension_enabled: false`, which is also the default), you won't need this.
+
+<VirtualHost *:80>
+	ServerName dimension.DOMAIN
+
+	ProxyVia On
+
+	# Map /.well-known/acme-challenge to the certbot server
+	# If you manage SSL certificates by yourself, this will differ.
+	<Location /.well-known/acme-challenge>
+		ProxyPreserveHost On
+		ProxyPass http://127.0.0.1:2402/.well-known/acme-challenge
+	</Location>
+
+	Redirect permanent / https://dimension.DOMAIN/
+</VirtualHost>
+
+<VirtualHost *:443>
+	ServerName dimension.DOMAIN
+
+	SSLEngine On
+
+	# If you manage SSL certificates by yourself, these paths will differ.
+	SSLCertificateFile /matrix/ssl/config/live/dimension.DOMAIN/fullchain.pem
+	SSLCertificateKeyFile /matrix/ssl/config/live/dimension.DOMAIN/privkey.pem
+
+	SSLProxyEngine on
+	SSLProxyProtocol +TLSv1.2 +TLSv1.3
+	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+
+	ProxyPreserveHost On
+	ProxyRequests Off
+	ProxyVia On
+
+	ProxyPass / http://127.0.0.1:8184/
+	ProxyPassReverse / http://127.0.0.1:8184/
+
+	ErrorLog ${APACHE_LOG_DIR}/dimension.DOMAIN-error.log
+	CustomLog ${APACHE_LOG_DIR}/dimension.DOMAIN-access.log combined
+</VirtualHost>

examples/apache/matrix-synapse.conf

@@ -0,0 +1,134 @@
+# This is a sample file demonstrating how to set up reverse-proxy for matrix.DOMAIN
+
+<VirtualHost *:80>
+	ServerName matrix.DOMAIN
+
+	ProxyVia On
+
+	# Map /.well-known/acme-challenge to the certbot server
+	# If you manage SSL certificates by yourself, this will differ.
+	<Location /.well-known/acme-challenge>
+		ProxyPreserveHost On
+		ProxyPass http://127.0.0.1:2402/.well-known/acme-challenge
+	</Location>
+
+	Redirect permanent / https://matrix.DOMAIN/
+</VirtualHost>
+
+# Client-Server API
+<VirtualHost *:443>
+	ServerName matrix.DOMAIN
+
+	SSLEngine On
+
+	# If you manage SSL certificates by yourself, these paths will differ.
+	SSLCertificateFile /matrix/ssl/config/live/matrix.DOMAIN/fullchain.pem
+	SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem
+
+	SSLProxyEngine on
+	SSLProxyProtocol +TLSv1.2 +TLSv1.3
+	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+
+	ProxyPreserveHost On
+	ProxyRequests Off
+	ProxyVia On
+	RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
+
+	# Keep some URIs free for different proxy/location
+	ProxyPassMatch ^/.well-known/matrix/client !
+	ProxyPassMatch ^/.well-known/matrix/server !
+	ProxyPassMatch ^/_matrix/identity !
+	ProxyPassMatch ^/_matrix/client/r0/user_directory/search !
+
+	# Proxy all remaining traffic to Synapse
+	AllowEncodedSlashes NoDecode
+	ProxyPass /_matrix http://127.0.0.1:8008/_matrix retry=0 nocanon
+	ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix
+	ProxyPass /_synapse/client http://127.0.0.1:8008/_synapse/client retry=0 nocanon
+	ProxyPassReverse /_synapse/client http://127.0.0.1:8008/_synapse/client
+	
+	# Proxy Admin API (necessary for Synapse-Admin)
+	# ProxyPass /_synapse/admin http://127.0.0.1:8008/_synapse/admin retry=0 nocanon
+	# ProxyPassReverse /_synapse/admin http://127.0.0.1:8008/_synapse/admin
+	
+	# Proxy Synapse-Admin
+	# ProxyPass /synapse-admin http://127.0.0.1:8766 retry=0 nocanon
+	# ProxyPassReverse /synapse-admin http://127.0.0.1:8766
+
+	# Map /.well-known/matrix/client for client discovery
+	Alias /.well-known/matrix/client /matrix/static-files/.well-known/matrix/client
+	<Files "/matrix/static-files/.well-known/matrix/client">
+		Require all granted
+	</Files>
+	<Location "/.well-known/matrix/client">
+		Header always set Content-Type "application/json"
+		Header always set Access-Control-Allow-Origin "*"
+	</Location>
+	# Map /.well-known/matrix/server for server discovery
+	Alias /.well-known/matrix/server /matrix/static-files/.well-known/matrix/server
+	<Files "/matrix/static-files/.well-known/matrix/server">
+		Require all granted
+	</Files>
+	<Location "/.well-known/matrix/server">
+		Header always set Content-Type "application/json"
+	</Location>
+	<Directory /matrix/static-files/.well-known/matrix/>
+		AllowOverride All
+		# Apache 2.4:
+		Require all granted
+		# Or for Apache 2.2:
+		#order allow,deny
+	</Directory>
+
+	# Map /_matrix/identity to the identity server
+	<Location /_matrix/identity>
+		ProxyPass http://127.0.0.1:8090/_matrix/identity nocanon
+	</Location>
+
+	# Map /_matrix/client/r0/user_directory/search to the identity server
+	<Location /_matrix/client/r0/user_directory/search>
+		ProxyPass http://127.0.0.1:8090/_matrix/client/r0/user_directory/search nocanon
+	</Location>
+
+	ErrorLog ${APACHE_LOG_DIR}/matrix.DOMAIN-error.log
+	CustomLog ${APACHE_LOG_DIR}/matrix.DOMAIN-access.log combined
+</VirtualHost>
+
+# Server-Server (federation) API
+# Use this apache reverse proxy template to enable matrix server-to-server federation traffic
+# Be sure that network traffic on port 8448 is possible
+#
+# You can check your federation config at https://federationtester.matrix.org/
+# Enter there your base DOMAIN address, NOT your matrix.DOMAIN address, ex. https://DOMAIN
+#
+# In this example we use all services on the same machine (127.0.0.1) but you can do this with different machines.
+# If you do so be sure to reach the destinated IPADRESS and the correspondending port. Check this with netstat, nmap or your favourite tool.
+Listen 8448
+<VirtualHost *:8448>
+	ServerName matrix.DOMAIN
+
+	SSLEngine On
+
+	# If you manage SSL certificates by yourself, these paths will differ.
+	SSLCertificateFile /matrix/ssl/config/live/matrix.DOMAIN/fullchain.pem
+	SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem
+
+	SSLProxyEngine on
+	SSLProxyProtocol +TLSv1.2 +TLSv1.3
+	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+
+	ProxyPreserveHost On
+	ProxyRequests Off
+	ProxyVia On
+	RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
+
+	# Proxy all remaining traffic to the Synapse port
+	# Beware: In this example the local traffic goes to the local synapse server at 127.0.0.1
+	# Of course you can use another IPADRESS in case of using other synapse servers in your network
+	AllowEncodedSlashes NoDecode
+	ProxyPass /_matrix http://127.0.0.1:8048/_matrix retry=0 nocanon
+	ProxyPassReverse /_matrix http://127.0.0.1:8048/_matrix
+
+	ErrorLog ${APACHE_LOG_DIR}/matrix.DOMAIN-error.log
+	CustomLog ${APACHE_LOG_DIR}/matrix.DOMAIN-access.log combined
+</VirtualHost>

examples/caddy/matrix-client-element

@@ -0,0 +1,8 @@
+https://element.DOMAIN {
+	# These might differ if you are supplying your own certificates
+	tls /matrix/ssl/config/live/element.DOMAIN/fullchain.pem /matrix/ssl/config/live/element.DOMAIN/privkey.pem
+
+	proxy / http://127.0.0.1:8765 {
+		transparent
+	}
+}

examples/caddy/matrix-dimension

@@ -0,0 +1,9 @@
+https://dimension.DOMAIN {
+	# These might differ if you are supplying your own certificates
+	# If you wish to use Caddy's built-in Let's Encrypt support, you can also supply an email address here
+	tls /matrix/ssl/config/live/dimension.DOMAIN/fullchain.pem /matrix/ssl/config/live/dimension.DOMAIN/privkey.pem
+
+	proxy / http://127.0.0.1:8184/ {
+		transparent
+	}
+}

examples/caddy/matrix-synapse

@@ -0,0 +1,31 @@
+https://matrix.DOMAIN {
+	# If you use your own certificates, your path may differ
+	# If you wish to use Caddy's built-in Let's Encrypt support, you can also supply an email address here
+	tls /matrix/ssl/config/live/matrix.DOMAIN/fullchain.pem /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem
+
+	root /matrix/static-files
+
+	header {
+		Access-Control-Allow-Origin *
+		Strict-Transport-Security "mag=age=31536000;"
+		X-Frame-Options "DENY"
+		X-XSS-Protection "1; mode=block"
+	}
+
+	# Identity server traffic
+	proxy /_matrix/identity matrix-msisd:8090 {
+		transparent
+	}
+	proxy /_matrix/client/r0/user_directory/search matrix-msisd:8090 {
+		transparent
+	}
+
+	# Synapse Client<>Server API
+	proxy /_matrix matrix-synapse:8008 {
+		transparent
+		except /_matrix/identity/ /_matrix/client/r0/user_directory/search
+	}
+	proxy /_synapse/client matrix-synapse:8008 {
+		transparent
+	}
+}

examples/caddy/matrix-util

@@ -0,0 +1,7 @@
+:80 {
+	# Redirect ACME-Challenge traffic to port 2402
+	proxy /.well-known/acme-challenge http://127.0.0.1:2402
+
+	# Redirect all other traffic to HTTPS
+	redir /  https://{host}{uri} 301
+}

examples/caddy2/Caddyfile

@@ -0,0 +1,203 @@
+matrix.DOMAIN.tld {
+
+  # creates letsencrypt certificate
+  # tls your@email.com
+
+  @identity {
+        path /_matrix/identity/*
+  }
+
+  @noidentity {
+        not path /_matrix/identity/*
+  }
+
+  @search {
+        path /_matrix/client/r0/user_directory/search/*
+  }
+
+  @nosearch {
+        not path /_matrix/client/r0/user_directory/search/*
+  }
+
+  @static {
+        path /matrix/static-files/*
+  }
+
+  @nostatic {
+        not path /matrix/static-files/*
+  }
+
+  header {
+        # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
+        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+        # Enable cross-site filter (XSS) and tell browser to block detected attacks
+        X-XSS-Protection "1; mode=block"
+        # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
+        X-Content-Type-Options "nosniff"
+        # Disallow the site to be rendered within a frame (clickjacking protection)
+        X-Frame-Options "DENY"
+        # X-Robots-Tag
+        X-Robots-Tag "noindex, noarchive, nofollow"
+  }
+
+  # Cache
+  header @static {
+        # Cache
+    Cache-Control "public, max-age=31536000"
+    defer
+  }
+
+  # identity
+  handle @identity {
+        reverse_proxy localhost:8090  {
+               header_up X-Forwarded-Port {http.request.port}
+               header_up X-Forwarded-Proto {http.request.scheme}
+               header_up X-Forwarded-TlsProto {tls_protocol}
+               header_up X-Forwarded-TlsCipher {tls_cipher}
+               header_up X-Forwarded-HttpsProto {proto}
+        }
+  }
+
+  # search
+  handle @search {
+        reverse_proxy localhost:8090   {
+               header_up X-Forwarded-Port {http.request.port}
+               header_up X-Forwarded-Proto {http.request.scheme}
+               header_up X-Forwarded-TlsProto {tls_protocol}
+               header_up X-Forwarded-TlsCipher {tls_cipher}
+               header_up X-Forwarded-HttpsProto {proto}
+        }
+  }
+
+  handle {
+        encode zstd gzip
+
+        reverse_proxy localhost:8008  {
+               header_up X-Forwarded-Port {http.request.port}
+               header_up X-Forwarded-Proto {http.request.scheme}
+               header_up X-Forwarded-TlsProto {tls_protocol}
+               header_up X-Forwarded-TlsCipher {tls_cipher}
+               header_up X-Forwarded-HttpsProto {proto}
+        }
+  }
+}
+
+matrix.DOMAIN.tld:8448 {
+    handle {
+        encode zstd gzip
+
+        reverse_proxy 127.0.0.1:8048 {
+               header_up X-Forwarded-Port {http.request.port}
+               header_up X-Forwarded-Proto {http.request.scheme}
+               header_up X-Forwarded-TlsProto {tls_protocol}
+               header_up X-Forwarded-TlsCipher {tls_cipher}
+               header_up X-Forwarded-HttpsProto {proto}
+        }
+    }
+}
+
+element.DOMAIN.tld {
+
+      # creates letsencrypt certificate
+      # tls your@email.com
+
+      header {
+         	# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
+        	Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+        	# Enable cross-site filter (XSS) and tell browser to block detected attacks
+        	X-XSS-Protection "1; mode=block"
+        	# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
+        	X-Content-Type-Options "nosniff"
+        	# Disallow the site to be rendered within a frame (clickjacking protection)
+        	X-Frame-Options "DENY"
+        	# X-Robots-Tag
+        	X-Robots-Tag "noindex, noarchive, nofollow"
+  	}
+
+        handle {
+              encode zstd gzip
+
+              reverse_proxy localhost:8765 {
+                     header_up X-Forwarded-Port {http.request.port}
+                     header_up X-Forwarded-Proto {http.request.scheme}
+                     header_up X-Forwarded-TlsProto {tls_protocol}
+                     header_up X-Forwarded-TlsCipher {tls_cipher}
+                     header_up X-Forwarded-HttpsProto {proto}
+        }
+}
+
+#dimension.DOMAIN.tld {
+#
+#      # creates letsencrypt certificate
+#      # tls your@email.com
+#
+#      header {
+#          # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
+#          Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+#          # Enable cross-site filter (XSS) and tell browser to block detected attacks
+#          X-XSS-Protection "1; mode=block"
+#          # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
+#          X-Content-Type-Options "nosniff"
+#          # Disallow the site to be rendered within a frame (clickjacking protection)
+#          X-Frame-Options "DENY"
+#          # X-Robots-Tag
+#          X-Robots-Tag "noindex, noarchive, nofollow"
+#    }
+#
+#      handle {
+#          encode zstd gzip
+#
+#          reverse_proxy localhost:8184  {
+#                  header_up X-Forwarded-Port {http.request.port}
+#                  header_up X-Forwarded-Proto {http.request.scheme}
+#                  header_up X-Forwarded-TlsProto {tls_protocol}
+#                  header_up X-Forwarded-TlsCipher {tls_cipher}
+#                  header_up X-Forwarded-HttpsProto {proto}
+#          }
+#    }
+#}
+
+
+#jitsi.DOMAIN.tld {
+#
+#  creates letsencrypt certificate
+#  tls your@email.com
+#
+#  header {
+#        # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
+#        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+#
+#        # Enable cross-site filter (XSS) and tell browser to block detected attacks
+#        X-XSS-Protection "1; mode=block"
+#
+#        # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
+#        X-Content-Type-Options "nosniff"
+#
+#        # Disallow the site to be rendered within a frame (clickjacking protection)
+#        X-Frame-Options "SAMEORIGIN"
+#
+#        # Disable some features
+#        Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope #'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
+#
+#        # Referer
+#        Referrer-Policy "no-referrer"
+#
+#        # X-Robots-Tag
+#        X-Robots-Tag "none"
+#
+#        # Remove Server header
+#        -Server
+#  }
+#
+#  handle {
+#        encode zstd gzip
+#
+#        reverse_proxy 127.0.0.1:13080 {
+#               header_up X-Forwarded-Port {http.request.port}
+#               header_up X-Forwarded-Proto {http.request.scheme}
+#               header_up X-Forwarded-TlsProto {tls_protocol}
+#               header_up X-Forwarded-TlsCipher {tls_cipher}
+#               header_up X-Forwarded-HttpsProto {proto}
+#        }
+#  }
+#}

examples/caddy2/README.md

@@ -0,0 +1,12 @@
+# Caddyfile
+
+This directory contains sample files that show you how to do reverse-proxying using Caddy2.
+
+## Config
+
+| Variable           | Function |
+| ------------------ | -------- |
+| tls your@email.com | Specify an email address for your [ACME account](https://caddyserver.com/docs/caddyfile/directives/tls) (but if only one email is used for all sites, we recommend the email [global option](https://caddyserver.com/docs/caddyfile/options) instead) | 
+| tls                | To enable [tls](https://caddyserver.com/docs/caddyfile/directives/tls) support uncomment the lines for tls |
+| Dimension         | To enable Dimension support uncomment the lines for Dimension and set your data |
+| Jitsi              | To enable Jitsi support uncomment the lines for Jitsi and set your data |

examples/haproxy/Dockerfile

@@ -0,0 +1,12 @@
+# Pull nginx base image
+FROM nginx:latest
+
+# Expost port 80
+EXPOSE 80
+
+# Copy custom configuration file from the current directory
+COPY nginx.conf /etc/nginx/nginx.conf
+
+# Start up nginx server
+CMD ["nginx"]
+

examples/haproxy/README.md

@@ -0,0 +1,26 @@
+# HAproxy reverse-proxy
+
+This directory contains sample files that show you how to do reverse-proxying using HAproxy.
+
+This is for when you wish to have your own HAproxy instance sitting in front of Matrix services installed by this playbook.
+See the [Using your own webserver, instead of this playbook's nginx proxy](../../docs/configuring-playbook-own-webserver.md) documentation page.
+
+To use your own HAproxy reverse-proxy, you first need to disable the integrated Nginx server.
+You do that with the following custom configuration (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
+
+```yaml
+matrix_nginx_proxy_enabled: false
+```
+
+You can then use the configuration files from this directory as an example for how to configure your HAproxy reverse proxy.
+
+**NOTE**: this is just an example and may not be entirely accurate. It may also not cover other use cases or performance needs.
+
+### Configuration
+
+HAproxy, unlike Apache, Nginx and others, does not provide you with a webserver to serve static files (i.e., `/.well-known/` directory). For this reason, in this folder you can find an example on how to use HAproxy together with a simple Nginx container whose only task is to serve those files.
+
+* Build the Docker image. `docker build -t local/nginx .` 
+* Start the container. `docker-compose up -d`. Note that if you want to run Nginx on a different port, you will have to change the port both in the `docker-compose.yml` and in `haproxy.cfg`.
+* If you don't want to use a wildcard certificate, you will need to modify the corresponding line in the HTTPS frontent and add the paths of all the specific certificates (as for the commented example in `haproxy.cfg`).
+* Start HAproxy with the proposed configuration.

examples/haproxy/docker-compose.yml

@@ -0,0 +1,8 @@
+version: '3'
+services:
+  nginx:
+    image: local/nginx 
+    ports:
+      - 40888:80
+    volumes:
+      - /matrix/static-files:/var/www/:ro

examples/haproxy/haproxy.cfg

@@ -0,0 +1,97 @@
+global
+	log /dev/log	local0
+	log /dev/log	local1 notice
+	chroot /var/lib/haproxy
+	stats socket /run/haproxy/admin.sock mode 660 level admin
+	stats timeout 30s
+	user haproxy
+	group haproxy
+	daemon
+	# Default SSL material locations
+	ca-base /etc/ssl/certs
+	crt-base /etc/ssl/private
+	# Default ciphers to use on SSL-enabled listening sockets.
+	# For more information, see ciphers(1SSL). This list is from:
+	#  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+	ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
+	ssl-default-bind-options no-sslv3
+
+defaults
+	log global
+	mode http
+	option httplog
+	option dontlognull
+	option forwardfor
+	option redispatch
+	timeout connect 5000
+	timeout client  50000
+	timeout server  50000
+	errorfile 400 /etc/haproxy/errors/400.http
+	errorfile 403 /etc/haproxy/errors/403.http
+	errorfile 408 /etc/haproxy/errors/408.http
+	errorfile 500 /etc/haproxy/errors/500.http
+	errorfile 502 /etc/haproxy/errors/502.http
+	errorfile 503 /etc/haproxy/errors/503.http
+	errorfile 504 /etc/haproxy/errors/504.http
+
+frontend https-frontend
+    bind *:80
+    # HAproxy wants the full chain and the private key in one file. For Letsencrypt manually generated certs (e.g., wildcard certs) you can use
+    # cat /etc/letsencrypt/live/example.com/fullchain.pem /etc/letsencrypt/live/example.com/privkey.pem > /etc/haproxy/certs/star-example.com.pem
+    bind *:443 ssl crt /etc/haproxy/certs/star-example.com.pem
+    #bind *:443 ssl crt /etc/haproxy/certs/element.example.com.pem /etc/haproxy/certs/matrix.example.com.pem
+    reqadd X-Forwarded-Proto:\ https
+    option httplog
+    option http-server-close
+    #
+    # Matrix
+    #
+    # matrix.example.com
+    acl matrix_domain hdr_dom(host) -i matrix.example.com
+    acl static_files path -i -m beg /.well-known/matrix
+    use_backend nginx-static if static_files
+    # /_matrix/identity and /_matrix/client/r0/user_directory/search
+    acl matrix_identity path -i -m beg /_matrix/identity
+    acl matrix_search path -i -m beg /_matrix/client/r0/user_directory/search
+    # Send to :8090
+    use_backend matrix-supporting if matrix_identity or matrix_search
+    # /_matrix and /_synapse/admin
+    acl matrix_path path -i -m beg /_matrix
+    acl synapse_admin path -i -m beg /_synapse/admin
+    # Send to :8008
+    use_backend matrix-main if matrix_path or synapse_admin
+    # element.example.com
+    acl element_domain hdr_dom(host) -i element.example.com
+    # Send to 8765
+    use_backend element if element_domain
+    # If nothing else match, just send to default matrix backend
+    use_backend matrix-main if matrix_domain
+    #default_backend matrix-main
+
+frontend matrix-federation
+  bind *:8448 ssl crt /etc/haproxy/certs/star-example.com.pem
+  reqadd X-Forwarded-Proto:\ https
+  option httplog
+  option http-server-close
+  default_backend synapse
+
+backend matrix-supporting
+     server matrix-supporting 127.0.0.1:8090 check
+
+backend matrix-main
+     server matrix-main 127.0.0.1:8008 check
+
+backend synapse
+     server synapse 127.0.0.1:8048 check
+
+backend nginx-static
+     capture request header origin len 128
+     http-response add-header Access-Control-Allow-Origin *
+     rspadd Access-Control-Allow-Methods:\ GET,\ HEAD,\ OPTIONS,\ POST,\ PUT  if { capture.req.hdr(0) -m found }
+     rspadd Access-Control-Allow-Credentials:\ true  if { capture.req.hdr(0) -m found }
+     rspadd Access-Control-Allow-Headers:\ Origin,\ Accept,\ X-Requested-With,\ Content-Type,\ Access-Control-Request-Method,\ Access-Control-Request-Headers,\ Authorization  if { capture.req.hdr(0) -m found }
+     server nginx 127.0.0.1:40888 check
+
+backend element
+     server element 127.0.0.1:8765 check
+

examples/haproxy/nginx.conf

@@ -0,0 +1,15 @@
+worker_processes auto;
+daemon off;
+
+events {
+  worker_connections 1024;
+}
+
+http {
+  server_tokens off;
+  server {
+    listen 80;
+    index index.html;
+    root /var/www;
+  }
+}

examples/hosts

@@ -0,0 +1,19 @@
+# We explicitly ask for your server's external IP address, because the same value is used for configuring Coturn.
+# If you'd rather use a local IP here, make sure to set up `matrix_coturn_turn_external_ip_address`.
+#
+# To connect using a non-root user (and elevate to root with sudo later),
+# replace `ansible_ssh_user=root` with something like this: `ansible_ssh_user=username become=true become_user=root`
+#
+# For improved Ansible performance, SSH pipelining is enabled by default in `ansible.cfg`.
+# If this causes SSH connection troubles, disable it by adding `ansible_ssh_pipelining=False`
+# to the host line below or by adding `ansible_ssh_pipelining: False` to your variables file.
+#
+# If you're running this Ansible playbook on the same server as the one you're installing to,
+# consider adding an additional `ansible_connection=local` argument to the host line below.
+#
+# Ansible may fail to discover which Python interpreter to use on the host for some distros (like Ubuntu 20.04).
+# You may sometimes need to explicitly add the argument `ansible_python_interpreter=/usr/bin/python3`
+# to the host line below.
+
+[matrix_servers]
+matrix.<your-domain> ansible_host=<your-server's external IP address> ansible_ssh_user=root

examples/vars.yml

@@ -0,0 +1,35 @@
+# The bare domain name which represents your Matrix identity.
+# Matrix user ids for your server will be of the form (`@user:<matrix-domain>`).
+#
+# Note: this playbook does not touch the server referenced here.
+# Installation happens on another server ("matrix.<matrix-domain>").
+#
+# If you've deployed using the wrong domain, you'll have to run the Uninstalling step,
+# because you can't change the Domain after deployment.
+#
+# Example value: example.com
+matrix_domain: YOUR_BARE_DOMAIN_NAME_HERE
+
+# This is something which is provided to Let's Encrypt when retrieving SSL certificates for domains.
+#
+# In case SSL renewal fails at some point, you'll also get an email notification there.
+#
+# If you decide to use another method for managing SSL certifites (different than the default Let's Encrypt),
+# you won't be required to define this variable (see `docs/configuring-playbook-ssl-certificates.md`).
+#
+# Example value: someone@example.com
+matrix_ssl_lets_encrypt_support_email: ''
+
+# A shared secret (between Coturn and Synapse) used for authentication.
+# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
+matrix_coturn_turn_static_auth_secret: ''
+
+# A secret used to protect access keys issued by the server.
+# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
+matrix_synapse_macaroon_secret_key: ''
+
+# A Postgres password to use for the superuser Postgres user (called `matrix` by default).
+#
+# The playbook creates additional Postgres users and databases (one for each enabled service)
+# using this superuser account.
+matrix_postgres_connection_password: ''