sync with previous repo
This commit is contained in:
Michael Collins
@ -0,0 +1,95 @@
|
||||
#jinja2: lstrip_blocks: "True"
|
||||
|
||||
{% macro render_vhost_directives() %}
|
||||
root {{ matrix_nginx_proxy_data_path_in_container if matrix_nginx_proxy_enabled else matrix_nginx_proxy_data_path }}{{ matrix_nginx_proxy_data_path_extension }};
|
||||
|
||||
gzip on;
|
||||
gzip_types text/plain application/json;
|
||||
|
||||
{% if matrix_nginx_proxy_floc_optout_enabled %}
|
||||
add_header Permissions-Policy interest-cohort=() always;
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_nginx_proxy_hsts_preload_enabled %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
{% else %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
{% endif %}
|
||||
|
||||
add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";
|
||||
|
||||
{% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %}
|
||||
{{- configuration_block }}
|
||||
{% endfor %}
|
||||
|
||||
location /.well-known/matrix {
|
||||
root {{ matrix_static_files_base_path }};
|
||||
{#
|
||||
A somewhat long expires value is used to prevent outages
|
||||
in case this is unreachable due to network failure.
|
||||
#}
|
||||
expires 4h;
|
||||
default_type application/json;
|
||||
add_header Access-Control-Allow-Origin *;
|
||||
}
|
||||
{% endmacro %}
|
||||
|
||||
server {
|
||||
listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
|
||||
|
||||
server_name {{ matrix_nginx_proxy_base_domain_hostname }};
|
||||
server_tokens off;
|
||||
|
||||
{% if matrix_nginx_proxy_https_enabled %}
|
||||
location /.well-known/acme-challenge {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
set $backend "matrix-certbot:8080";
|
||||
proxy_pass http://$backend;
|
||||
{% else %}
|
||||
{# Generic configuration for use outside of our container setup #}
|
||||
proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
location / {
|
||||
return 301 https://$http_host$request_uri;
|
||||
}
|
||||
{% else %}
|
||||
{{ render_vhost_directives() }}
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
{% if matrix_nginx_proxy_https_enabled %}
|
||||
server {
|
||||
listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
||||
listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
||||
|
||||
server_name {{ matrix_nginx_proxy_base_domain_hostname }};
|
||||
server_tokens off;
|
||||
|
||||
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/fullchain.pem;
|
||||
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/privkey.pem;
|
||||
|
||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||
{% if matrix_nginx_proxy_ssl_ciphers != '' %}
|
||||
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
||||
{% endif %}
|
||||
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||
|
||||
{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem;
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
|
||||
ssl_session_tickets off;
|
||||
{% endif %}
|
||||
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
|
||||
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
|
||||
|
||||
{{ render_vhost_directives() }}
|
||||
}
|
||||
{% endif %}
|
||||
@ -0,0 +1,95 @@
|
||||
#jinja2: lstrip_blocks: "True"
|
||||
|
||||
{% macro render_vhost_directives() %}
|
||||
gzip on;
|
||||
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
|
||||
{% if matrix_nginx_proxy_hsts_preload_enabled %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
{% else %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
{% endif %}
|
||||
add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
|
||||
{% for configuration_block in matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks %}
|
||||
{{- configuration_block }}
|
||||
{% endfor %}
|
||||
|
||||
location / {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
set $backend "matrix-bot-go-neb:4050";
|
||||
proxy_pass http://$backend;
|
||||
{% else %}
|
||||
{# Generic configuration for use outside of our container setup #}
|
||||
proxy_pass http://127.0.0.1:4050;
|
||||
{% endif %}
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
}
|
||||
{% endmacro %}
|
||||
|
||||
server {
|
||||
listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
|
||||
server_name {{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }};
|
||||
|
||||
server_tokens off;
|
||||
root /dev/null;
|
||||
|
||||
{% if matrix_nginx_proxy_https_enabled %}
|
||||
location /.well-known/acme-challenge {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
set $backend "matrix-certbot:8080";
|
||||
proxy_pass http://$backend;
|
||||
{% else %}
|
||||
{# Generic configuration for use outside of our container setup #}
|
||||
proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
location / {
|
||||
return 301 https://$http_host$request_uri;
|
||||
}
|
||||
{% else %}
|
||||
{{ render_vhost_directives() }}
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
{% if matrix_nginx_proxy_https_enabled %}
|
||||
server {
|
||||
listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
||||
listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
||||
|
||||
server_name {{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }};
|
||||
|
||||
server_tokens off;
|
||||
root /dev/null;
|
||||
|
||||
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}/fullchain.pem;
|
||||
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}/privkey.pem;
|
||||
|
||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||
{% if matrix_nginx_proxy_ssl_ciphers != '' %}
|
||||
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
||||
{% endif %}
|
||||
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||
|
||||
{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}/chain.pem;
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
|
||||
ssl_session_tickets off;
|
||||
{% endif %}
|
||||
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
|
||||
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
|
||||
|
||||
{{ render_vhost_directives() }}
|
||||
}
|
||||
{% endif %}
|
||||
@ -0,0 +1,104 @@
|
||||
#jinja2: lstrip_blocks: "True"
|
||||
|
||||
{% macro render_vhost_directives() %}
|
||||
gzip on;
|
||||
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
|
||||
|
||||
{% if matrix_nginx_proxy_hsts_preload_enabled %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
{% else %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
{% endif %}
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";
|
||||
add_header X-Frame-Options SAMEORIGIN;
|
||||
add_header Content-Security-Policy "frame-ancestors 'self'";
|
||||
|
||||
{% if matrix_nginx_proxy_floc_optout_enabled %}
|
||||
add_header Permissions-Policy interest-cohort=() always;
|
||||
{% endif %}
|
||||
|
||||
|
||||
{% for configuration_block in matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks %}
|
||||
{{- configuration_block }}
|
||||
{% endfor %}
|
||||
|
||||
location / {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
set $backend "matrix-client-element:8080";
|
||||
proxy_pass http://$backend;
|
||||
{% else %}
|
||||
{# Generic configuration for use outside of our container setup #}
|
||||
proxy_pass http://127.0.0.1:8765;
|
||||
{% endif %}
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
}
|
||||
{% endmacro %}
|
||||
|
||||
server {
|
||||
listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
|
||||
|
||||
server_name {{ matrix_nginx_proxy_proxy_element_hostname }};
|
||||
|
||||
server_tokens off;
|
||||
root /dev/null;
|
||||
|
||||
{% if matrix_nginx_proxy_https_enabled %}
|
||||
location /.well-known/acme-challenge {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
set $backend "matrix-certbot:8080";
|
||||
proxy_pass http://$backend;
|
||||
{% else %}
|
||||
{# Generic configuration for use outside of our container setup #}
|
||||
proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
location / {
|
||||
return 301 https://$http_host$request_uri;
|
||||
}
|
||||
{% else %}
|
||||
{{ render_vhost_directives() }}
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
{% if matrix_nginx_proxy_https_enabled %}
|
||||
server {
|
||||
listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
||||
listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
||||
|
||||
server_name {{ matrix_nginx_proxy_proxy_element_hostname }};
|
||||
|
||||
server_tokens off;
|
||||
root /dev/null;
|
||||
|
||||
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/fullchain.pem;
|
||||
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/privkey.pem;
|
||||
|
||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||
{% if matrix_nginx_proxy_ssl_ciphers != "" %}
|
||||
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
||||
{% endif %}
|
||||
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||
|
||||
{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/chain.pem;
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
|
||||
ssl_session_tickets off;
|
||||
{% endif %}
|
||||
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
|
||||
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
|
||||
|
||||
{{ render_vhost_directives() }}
|
||||
}
|
||||
{% endif %}
|
||||
@ -0,0 +1,102 @@
|
||||
#jinja2: lstrip_blocks: "True"
|
||||
|
||||
{% macro render_vhost_directives() %}
|
||||
gzip on;
|
||||
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
|
||||
|
||||
{% if matrix_nginx_proxy_hsts_preload_enabled %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
{% else %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
{% endif %}
|
||||
add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-Frame-Options SAMEORIGIN;
|
||||
add_header Content-Security-Policy "frame-ancestors 'none'";
|
||||
{% if matrix_nginx_proxy_floc_optout_enabled %}
|
||||
add_header Permissions-Policy interest-cohort=() always;
|
||||
{% endif %}
|
||||
|
||||
{% for configuration_block in matrix_nginx_proxy_proxy_hydrogen_additional_server_configuration_blocks %}
|
||||
{{- configuration_block }}
|
||||
{% endfor %}
|
||||
|
||||
location / {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
set $backend "matrix-client-hydrogen:8080";
|
||||
proxy_pass http://$backend;
|
||||
{% else %}
|
||||
{# Generic configuration for use outside of our container setup #}
|
||||
proxy_pass http://127.0.0.1:8768;
|
||||
{% endif %}
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
}
|
||||
{% endmacro %}
|
||||
|
||||
server {
|
||||
listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
|
||||
|
||||
server_name {{ matrix_nginx_proxy_proxy_hydrogen_hostname }};
|
||||
|
||||
server_tokens off;
|
||||
root /dev/null;
|
||||
|
||||
{% if matrix_nginx_proxy_https_enabled %}
|
||||
location /.well-known/acme-challenge {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
set $backend "matrix-certbot:8080";
|
||||
proxy_pass http://$backend;
|
||||
{% else %}
|
||||
{# Generic configuration for use outside of our container setup #}
|
||||
proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
location / {
|
||||
return 301 https://$http_host$request_uri;
|
||||
}
|
||||
{% else %}
|
||||
{{ render_vhost_directives() }}
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
{% if matrix_nginx_proxy_https_enabled %}
|
||||
server {
|
||||
listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
||||
listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
||||
|
||||
server_name {{ matrix_nginx_proxy_proxy_hydrogen_hostname }};
|
||||
|
||||
server_tokens off;
|
||||
root /dev/null;
|
||||
|
||||
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_hydrogen_hostname }}/fullchain.pem;
|
||||
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_hydrogen_hostname }}/privkey.pem;
|
||||
|
||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||
{% if matrix_nginx_proxy_ssl_ciphers != "" %}
|
||||
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
||||
{% endif %}
|
||||
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||
|
||||
{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/chain.pem;
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
|
||||
ssl_session_tickets off;
|
||||
{% endif %}
|
||||
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
|
||||
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
|
||||
|
||||
{{ render_vhost_directives() }}
|
||||
}
|
||||
{% endif %}
|
||||
@ -0,0 +1,98 @@
|
||||
#jinja2: lstrip_blocks: "True"
|
||||
|
||||
{% macro render_vhost_directives() %}
|
||||
gzip on;
|
||||
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
|
||||
{% if matrix_nginx_proxy_hsts_preload_enabled %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
{% else %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
{% endif %}
|
||||
add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
{% if matrix_nginx_proxy_floc_optout_enabled %}
|
||||
add_header Permissions-Policy interest-cohort=() always;
|
||||
{% endif %}
|
||||
|
||||
{% for configuration_block in matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks %}
|
||||
{{- configuration_block }}
|
||||
{% endfor %}
|
||||
|
||||
location / {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
set $backend "matrix-dimension:8184";
|
||||
proxy_pass http://$backend;
|
||||
{% else %}
|
||||
{# Generic configuration for use outside of our container setup #}
|
||||
proxy_pass http://127.0.0.1:8184;
|
||||
{% endif %}
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
}
|
||||
{% endmacro %}
|
||||
|
||||
server {
|
||||
listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
|
||||
server_name {{ matrix_nginx_proxy_proxy_dimension_hostname }};
|
||||
|
||||
server_tokens off;
|
||||
root /dev/null;
|
||||
|
||||
{% if matrix_nginx_proxy_https_enabled %}
|
||||
location /.well-known/acme-challenge {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
set $backend "matrix-certbot:8080";
|
||||
proxy_pass http://$backend;
|
||||
{% else %}
|
||||
{# Generic configuration for use outside of our container setup #}
|
||||
proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
location / {
|
||||
return 301 https://$http_host$request_uri;
|
||||
}
|
||||
{% else %}
|
||||
{{ render_vhost_directives() }}
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
{% if matrix_nginx_proxy_https_enabled %}
|
||||
server {
|
||||
listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
||||
listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
||||
|
||||
server_name {{ matrix_nginx_proxy_proxy_dimension_hostname }};
|
||||
|
||||
server_tokens off;
|
||||
root /dev/null;
|
||||
|
||||
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/fullchain.pem;
|
||||
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/privkey.pem;
|
||||
|
||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||
{% if matrix_nginx_proxy_ssl_ciphers != '' %}
|
||||
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
||||
{% endif %}
|
||||
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||
|
||||
{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/chain.pem;
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
|
||||
ssl_session_tickets off;
|
||||
{% endif %}
|
||||
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
|
||||
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
|
||||
|
||||
{{ render_vhost_directives() }}
|
||||
}
|
||||
{% endif %}
|
||||
@ -0,0 +1,293 @@
|
||||
#jinja2: lstrip_blocks: "True"
|
||||
{% macro render_nginx_status_location_block(addresses) %}
|
||||
{# Empty first line to make indentation prettier. #}
|
||||
|
||||
location /nginx_status {
|
||||
stub_status on;
|
||||
access_log off;
|
||||
{% for address in addresses %}
|
||||
allow {{ address }};
|
||||
{% endfor %}
|
||||
deny all;
|
||||
}
|
||||
{% endmacro %}
|
||||
|
||||
|
||||
{% macro render_vhost_directives() %}
|
||||
gzip on;
|
||||
gzip_types text/plain application/json;
|
||||
|
||||
{% if matrix_nginx_proxy_floc_optout_enabled %}
|
||||
add_header Permissions-Policy interest-cohort=() always;
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_nginx_proxy_hsts_preload_enabled %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
{% else %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
{% endif %}
|
||||
|
||||
add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";
|
||||
|
||||
location /.well-known/matrix {
|
||||
root {{ matrix_static_files_base_path }};
|
||||
{#
|
||||
A somewhat long expires value is used to prevent outages
|
||||
in case this is unreachable due to network failure or
|
||||
due to the base domain's server completely dying.
|
||||
#}
|
||||
expires 4h;
|
||||
default_type application/json;
|
||||
add_header Access-Control-Allow-Origin *;
|
||||
}
|
||||
|
||||
{% if matrix_nginx_proxy_proxy_matrix_nginx_status_enabled %}
|
||||
{{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }}
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_nginx_proxy_proxy_matrix_corporal_api_enabled %}
|
||||
location ^~ /_matrix/corporal {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
set $backend "{{ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container }}";
|
||||
proxy_pass http://$backend;
|
||||
{% else %}
|
||||
{# Generic configuration for use outside of our container setup #}
|
||||
proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container }};
|
||||
{% endif %}
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_nginx_proxy_proxy_matrix_identity_api_enabled %}
|
||||
location ^~ /_matrix/identity {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
set $backend "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}";
|
||||
proxy_pass http://$backend;
|
||||
{% else %}
|
||||
{# Generic configuration for use outside of our container setup #}
|
||||
proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }};
|
||||
{% endif %}
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled %}
|
||||
location ^~ /_matrix/client/r0/user_directory/search {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
set $backend "{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container }}";
|
||||
proxy_pass http://$backend;
|
||||
{% else %}
|
||||
{# Generic configuration for use outside of our container setup #}
|
||||
proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container }};
|
||||
{% endif %}
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled %}
|
||||
location ~ ^/_matrix/client/r0/register/(email|msisdn)/requestToken$ {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
set $backend "{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container }}";
|
||||
proxy_pass http://$backend;
|
||||
{% else %}
|
||||
{# Generic configuration for use outside of our container setup #}
|
||||
proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container }};
|
||||
{% endif %}
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
{% for configuration_block in matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks %}
|
||||
{{- configuration_block }}
|
||||
{% endfor %}
|
||||
|
||||
{#
|
||||
This handles the Matrix Client API only.
|
||||
The Matrix Federation API is handled by a separate vhost.
|
||||
#}
|
||||
location ~* ^({{ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes|join('|') }}) {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
set $backend "{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container }}";
|
||||
proxy_pass http://$backend;
|
||||
{% else %}
|
||||
{# Generic configuration for use outside of our container setup #}
|
||||
proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container }};
|
||||
{% endif %}
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
|
||||
client_body_buffer_size 25M;
|
||||
client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M;
|
||||
proxy_max_temp_file_size 0;
|
||||
}
|
||||
|
||||
{#
|
||||
We only handle the root URI for this redirect or homepage serving.
|
||||
Unhandled URIs (mostly by `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes` above) should result in a 404,
|
||||
instead of causing a redirect.
|
||||
See: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1058
|
||||
#}
|
||||
location ~* ^/$ {
|
||||
{% if matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain %}
|
||||
return 302 $scheme://{{ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain }}$request_uri;
|
||||
{% else %}
|
||||
rewrite ^/$ /_matrix/static/ last;
|
||||
{% endif %}
|
||||
}
|
||||
{% endmacro %}
|
||||
|
||||
server {
|
||||
listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
|
||||
server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};
|
||||
|
||||
server_tokens off;
|
||||
root /dev/null;
|
||||
|
||||
{% if matrix_nginx_proxy_https_enabled %}
|
||||
location /.well-known/acme-challenge {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
set $backend "matrix-certbot:8080";
|
||||
proxy_pass http://$backend;
|
||||
{% else %}
|
||||
{# Generic configuration for use outside of our container setup #}
|
||||
proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
{% if matrix_nginx_proxy_proxy_matrix_nginx_status_enabled %}
|
||||
{{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }}
|
||||
{% endif %}
|
||||
|
||||
location / {
|
||||
return 301 https://$http_host$request_uri;
|
||||
}
|
||||
{% else %}
|
||||
{{ render_vhost_directives() }}
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
{% if matrix_nginx_proxy_https_enabled %}
|
||||
server {
|
||||
listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
||||
listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
||||
|
||||
server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};
|
||||
|
||||
server_tokens off;
|
||||
root /dev/null;
|
||||
|
||||
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem;
|
||||
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem;
|
||||
|
||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||
{% if matrix_nginx_proxy_ssl_ciphers != '' %}
|
||||
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
||||
{% endif %}
|
||||
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||
|
||||
{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem;
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
|
||||
ssl_session_tickets off;
|
||||
{% endif %}
|
||||
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
|
||||
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
|
||||
|
||||
{{ render_vhost_directives() }}
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled %}
|
||||
{#
|
||||
This federation vhost is a little special.
|
||||
It serves federation over HTTP or HTTPS, depending on `matrix_nginx_proxy_https_enabled`.
|
||||
#}
|
||||
server {
|
||||
{% if matrix_nginx_proxy_https_enabled %}
|
||||
listen {{ matrix_nginx_proxy_proxy_matrix_federation_port }} ssl http2;
|
||||
listen [::]:{{ matrix_nginx_proxy_proxy_matrix_federation_port }} ssl http2;
|
||||
{% else %}
|
||||
listen {{ matrix_nginx_proxy_proxy_matrix_federation_port }};
|
||||
{% endif %}
|
||||
|
||||
server_name {{ matrix_nginx_proxy_proxy_matrix_federation_hostname }};
|
||||
server_tokens off;
|
||||
|
||||
root /dev/null;
|
||||
|
||||
gzip on;
|
||||
gzip_types text/plain application/json;
|
||||
|
||||
{% if matrix_nginx_proxy_https_enabled %}
|
||||
ssl_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate }};
|
||||
ssl_certificate_key {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key }};
|
||||
|
||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||
{% if matrix_nginx_proxy_ssl_ciphers != '' %}
|
||||
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
||||
{% endif %}
|
||||
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||
|
||||
{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate }};
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
|
||||
ssl_session_tickets off;
|
||||
{% endif %}
|
||||
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
|
||||
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
|
||||
{% endif %}
|
||||
|
||||
location / {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
set $backend "{{ matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container }}";
|
||||
proxy_pass http://$backend;
|
||||
{% else %}
|
||||
{# Generic configuration for use outside of our container setup #}
|
||||
proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container }};
|
||||
{% endif %}
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
|
||||
client_body_buffer_size 25M;
|
||||
client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M;
|
||||
proxy_max_temp_file_size 0;
|
||||
}
|
||||
}
|
||||
{% endif %}
|
||||
@ -0,0 +1,106 @@
|
||||
#jinja2: lstrip_blocks: "True"
|
||||
|
||||
{% macro render_vhost_directives() %}
|
||||
gzip on;
|
||||
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
|
||||
|
||||
{% if matrix_nginx_proxy_hsts_preload_enabled %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
{% else %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
{% endif %}
|
||||
# duplicate X-Content-Type-Options & X-Frame-Options header
|
||||
# Enabled by grafana by default
|
||||
# add_header X-Content-Type-Options nosniff;
|
||||
# add_header X-Frame-Options SAMEORIGIN;
|
||||
add_header Referrer-Policy "strict-origin-when-cross-origin";
|
||||
|
||||
{% if matrix_nginx_proxy_floc_optout_enabled %}
|
||||
add_header Permissions-Policy interest-cohort=() always;
|
||||
{% endif %}
|
||||
|
||||
proxy_cookie_path / "/; HTTPOnly; Secure";
|
||||
|
||||
{% for configuration_block in matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks %}
|
||||
{{- configuration_block }}
|
||||
{% endfor %}
|
||||
|
||||
location / {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
set $backend "matrix-grafana:3000";
|
||||
proxy_pass http://$backend;
|
||||
{% else %}
|
||||
{# Generic configuration for use outside of our container setup #}
|
||||
proxy_pass http://127.0.0.1:3000;
|
||||
{% endif %}
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
}
|
||||
{% endmacro %}
|
||||
|
||||
server {
|
||||
listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
|
||||
|
||||
server_name {{ matrix_nginx_proxy_proxy_grafana_hostname }};
|
||||
|
||||
server_tokens off;
|
||||
root /dev/null;
|
||||
|
||||
{% if matrix_nginx_proxy_https_enabled %}
|
||||
location /.well-known/acme-challenge {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
set $backend "matrix-certbot:8080";
|
||||
proxy_pass http://$backend;
|
||||
{% else %}
|
||||
{# Generic configuration for use outside of our container setup #}
|
||||
proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
location / {
|
||||
return 301 https://$http_host$request_uri;
|
||||
}
|
||||
{% else %}
|
||||
{{ render_vhost_directives() }}
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
{% if matrix_nginx_proxy_https_enabled %}
|
||||
server {
|
||||
listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
||||
listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
||||
|
||||
server_name {{ matrix_nginx_proxy_proxy_grafana_hostname }};
|
||||
|
||||
server_tokens off;
|
||||
root /dev/null;
|
||||
|
||||
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_grafana_hostname }}/fullchain.pem;
|
||||
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_grafana_hostname }}/privkey.pem;
|
||||
|
||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||
{% if matrix_nginx_proxy_ssl_ciphers != "" %}
|
||||
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
||||
{% endif %}
|
||||
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||
|
||||
{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_grafana_hostname }}/chain.pem;
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
|
||||
ssl_session_tickets off;
|
||||
{% endif %}
|
||||
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
|
||||
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
|
||||
|
||||
{{ render_vhost_directives() }}
|
||||
}
|
||||
{% endif %}
|
||||
@ -0,0 +1,140 @@
|
||||
#jinja2: lstrip_blocks: "True"
|
||||
|
||||
{% macro render_vhost_directives() %}
|
||||
gzip on;
|
||||
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
|
||||
{% if matrix_nginx_proxy_hsts_preload_enabled %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
{% else %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
{% endif %}
|
||||
add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
{% if matrix_nginx_proxy_floc_optout_enabled %}
|
||||
add_header Permissions-Policy interest-cohort=() always;
|
||||
{% endif %}
|
||||
|
||||
{% for configuration_block in matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks %}
|
||||
{{- configuration_block }}
|
||||
{% endfor %}
|
||||
|
||||
location / {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
set $backend "matrix-jitsi-web:80";
|
||||
proxy_pass http://$backend;
|
||||
{% else %}
|
||||
{# Generic configuration for use outside of our container setup #}
|
||||
proxy_pass http://127.0.0.1:13080;
|
||||
{% endif %}
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
}
|
||||
|
||||
# colibri (JVB) websockets
|
||||
location ~ ^/colibri-ws/([a-zA-Z0-9-\.]+)/(.*) {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
set $backend "matrix-jitsi-jvb:9090";
|
||||
proxy_pass http://$backend;
|
||||
{% else %}
|
||||
{# Generic configuration for use outside of our container setup #}
|
||||
proxy_pass http://127.0.0.1:13090;
|
||||
{% endif %}
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
|
||||
proxy_http_version 1.1;
|
||||
|
||||
tcp_nodelay on;
|
||||
}
|
||||
|
||||
# XMPP websocket
|
||||
location = /xmpp-websocket {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
set $backend {{ matrix_jitsi_xmpp_bosh_url_base }};
|
||||
proxy_pass $backend/xmpp-websocket;
|
||||
{% else %}
|
||||
{# Generic configuration for use outside of our container setup #}
|
||||
proxy_pass http://127.0.0.1:5280;
|
||||
{% endif %}
|
||||
proxy_set_header Host $host;
|
||||
|
||||
proxy_http_version 1.1;
|
||||
proxy_read_timeout 900s;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
tcp_nodelay on;
|
||||
}
|
||||
{% endmacro %}
|
||||
|
||||
server {
|
||||
listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
|
||||
server_name {{ matrix_nginx_proxy_proxy_jitsi_hostname }};
|
||||
|
||||
server_tokens off;
|
||||
root /dev/null;
|
||||
|
||||
{% if matrix_nginx_proxy_https_enabled %}
|
||||
location /.well-known/acme-challenge {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
set $backend "matrix-certbot:8080";
|
||||
proxy_pass http://$backend;
|
||||
{% else %}
|
||||
{# Generic configuration for use outside of our container setup #}
|
||||
proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
location / {
|
||||
return 301 https://$http_host$request_uri;
|
||||
}
|
||||
{% else %}
|
||||
{{ render_vhost_directives() }}
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
{% if matrix_nginx_proxy_https_enabled %}
|
||||
server {
|
||||
listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
||||
listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
||||
|
||||
server_name {{ matrix_nginx_proxy_proxy_jitsi_hostname }};
|
||||
|
||||
server_tokens off;
|
||||
root /dev/null;
|
||||
|
||||
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/fullchain.pem;
|
||||
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/privkey.pem;
|
||||
|
||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||
{% if matrix_nginx_proxy_ssl_ciphers != '' %}
|
||||
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
||||
{% endif %}
|
||||
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||
|
||||
{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/chain.pem;
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
|
||||
ssl_session_tickets off;
|
||||
{% endif %}
|
||||
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
|
||||
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
|
||||
|
||||
{{ render_vhost_directives() }}
|
||||
}
|
||||
{% endif %}
|
||||
@ -0,0 +1,87 @@
|
||||
#jinja2: lstrip_blocks: "True"
|
||||
|
||||
{% macro render_vhost_directives() %}
|
||||
{% if matrix_nginx_proxy_floc_optout_enabled %}
|
||||
add_header Permissions-Policy interest-cohort=() always;
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_nginx_proxy_hsts_preload_enabled %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
{% else %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
{% endif %}
|
||||
|
||||
add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";
|
||||
|
||||
{% for configuration_block in matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks %}
|
||||
{{- configuration_block }}
|
||||
{% endfor %}
|
||||
|
||||
location / {
|
||||
return 301 https://{{ matrix_nginx_proxy_proxy_element_hostname }}$request_uri;
|
||||
}
|
||||
{% endmacro %}
|
||||
|
||||
server {
|
||||
listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
|
||||
|
||||
server_name {{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }};
|
||||
|
||||
server_tokens off;
|
||||
root /dev/null;
|
||||
|
||||
{% if matrix_nginx_proxy_https_enabled %}
|
||||
location /.well-known/acme-challenge {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
set $backend "matrix-certbot:8080";
|
||||
proxy_pass http://$backend;
|
||||
{% else %}
|
||||
{# Generic configuration for use outside of our container setup #}
|
||||
proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
location / {
|
||||
return 301 https://$http_host$request_uri;
|
||||
}
|
||||
{% else %}
|
||||
{{ render_vhost_directives() }}
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
{% if matrix_nginx_proxy_https_enabled %}
|
||||
server {
|
||||
listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
||||
listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
||||
|
||||
server_name {{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }};
|
||||
|
||||
server_tokens off;
|
||||
root /dev/null;
|
||||
|
||||
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/fullchain.pem;
|
||||
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/privkey.pem;
|
||||
|
||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||
{% if matrix_nginx_proxy_ssl_ciphers != '' %}
|
||||
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
||||
{% endif %}
|
||||
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||
|
||||
{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/chain.pem;
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
|
||||
ssl_session_tickets off;
|
||||
{% endif %}
|
||||
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
|
||||
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
|
||||
|
||||
{{ render_vhost_directives() }}
|
||||
}
|
||||
{% endif %}
|
||||
@ -0,0 +1,97 @@
|
||||
#jinja2: lstrip_blocks: "True"
|
||||
|
||||
{% macro render_vhost_directives() %}
|
||||
gzip on;
|
||||
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
|
||||
{% if matrix_nginx_proxy_hsts_preload_enabled %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
{% else %}
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
{% endif %}
|
||||
add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-Frame-Options DENY;
|
||||
|
||||
{% for configuration_block in matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks %}
|
||||
{{- configuration_block }}
|
||||
{% endfor %}
|
||||
|
||||
location / {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
set $backend "matrix-sygnal:6000";
|
||||
proxy_pass http://$backend;
|
||||
{% else %}
|
||||
{# Generic configuration for use outside of our container setup #}
|
||||
proxy_pass http://127.0.0.1:6000;
|
||||
{% endif %}
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
}
|
||||
{% endmacro %}
|
||||
|
||||
server {
|
||||
listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
|
||||
server_name {{ matrix_nginx_proxy_proxy_sygnal_hostname }};
|
||||
|
||||
server_tokens off;
|
||||
root /dev/null;
|
||||
|
||||
{% if matrix_nginx_proxy_https_enabled %}
|
||||
location /.well-known/acme-challenge {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
set $backend "matrix-certbot:8080";
|
||||
proxy_pass http://$backend;
|
||||
{% else %}
|
||||
{# Generic configuration for use outside of our container setup #}
|
||||
proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
location / {
|
||||
return 301 https://$http_host$request_uri;
|
||||
}
|
||||
{% else %}
|
||||
{{ render_vhost_directives() }}
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
{% if matrix_nginx_proxy_https_enabled %}
|
||||
server {
|
||||
listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
||||
listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
||||
|
||||
server_name {{ matrix_nginx_proxy_proxy_sygnal_hostname }};
|
||||
|
||||
server_tokens off;
|
||||
root /dev/null;
|
||||
|
||||
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/fullchain.pem;
|
||||
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/privkey.pem;
|
||||
|
||||
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||
{% if matrix_nginx_proxy_ssl_ciphers != '' %}
|
||||
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
||||
{% endif %}
|
||||
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
||||
|
||||
{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/chain.pem;
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
|
||||
ssl_session_tickets off;
|
||||
{% endif %}
|
||||
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
|
||||
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
|
||||
|
||||
{{ render_vhost_directives() }}
|
||||
}
|
||||
{% endif %}
|
||||
@ -0,0 +1,231 @@
|
||||
#jinja2: lstrip_blocks: "True"
|
||||
|
||||
{% set generic_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'generic_worker')|list %}
|
||||
{% set media_repository_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'media_repository')|list %}
|
||||
{% set user_dir_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'user_dir')|list %}
|
||||
{% set frontend_proxy_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'frontend_proxy')|list %}
|
||||
{% if matrix_nginx_proxy_synapse_workers_enabled %}
|
||||
# Round Robin "upstream" pools for workers
|
||||
|
||||
{% if generic_workers %}
|
||||
upstream generic_worker_upstream {
|
||||
# ensures that requests from the same client will always be passed
|
||||
# to the same server (except when this server is unavailable)
|
||||
hash $http_x_forwarded_for;
|
||||
|
||||
{% for worker in generic_workers %}
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
server "matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.port }}";
|
||||
{% else %}
|
||||
server "127.0.0.1:{{ worker.port }}";
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
{% if frontend_proxy_workers %}
|
||||
upstream frontend_proxy_upstream {
|
||||
{% for worker in frontend_proxy_workers %}
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
server "matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.port }}";
|
||||
{% else %}
|
||||
server "127.0.0.1:{{ worker.port }}";
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
{% if media_repository_workers %}
|
||||
upstream media_repository_upstream {
|
||||
{% for worker in media_repository_workers %}
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
server "matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.port }}";
|
||||
{% else %}
|
||||
server "127.0.0.1:{{ worker.port }}";
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
{% if user_dir_workers %}
|
||||
upstream user_dir_upstream {
|
||||
{% for worker in user_dir_workers %}
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
server "matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.port }}";
|
||||
{% else %}
|
||||
server "127.0.0.1:{{ worker.port }}";
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
server {
|
||||
listen 12080;
|
||||
server_name {{ matrix_nginx_proxy_proxy_synapse_hostname }};
|
||||
|
||||
server_tokens off;
|
||||
root /dev/null;
|
||||
|
||||
gzip on;
|
||||
gzip_types text/plain application/json;
|
||||
|
||||
{% if matrix_nginx_proxy_synapse_workers_enabled %}
|
||||
{# Workers redirects BEGIN #}
|
||||
|
||||
{% if generic_workers %}
|
||||
# https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappgeneric_worker
|
||||
{% for location in matrix_nginx_proxy_synapse_generic_worker_client_server_locations %}
|
||||
location ~ {{ location }} {
|
||||
proxy_pass http://generic_worker_upstream$request_uri;
|
||||
proxy_set_header Host $host;
|
||||
}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if media_repository_workers %}
|
||||
# https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappmedia_repository
|
||||
{% for location in matrix_nginx_proxy_synapse_media_repository_locations %}
|
||||
location ~ {{ location }} {
|
||||
proxy_pass http://media_repository_upstream$request_uri;
|
||||
proxy_set_header Host $host;
|
||||
|
||||
client_body_buffer_size 25M;
|
||||
client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M;
|
||||
proxy_max_temp_file_size 0;
|
||||
}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if user_dir_workers %}
|
||||
# FIXME: obsolete if matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled is set
|
||||
# https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappuser_dir
|
||||
{% for location in matrix_nginx_proxy_synapse_user_dir_locations %}
|
||||
location ~ {{ location }} {
|
||||
proxy_pass http://user_dir_upstream$request_uri;
|
||||
proxy_set_header Host $host;
|
||||
}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if frontend_proxy_workers %}
|
||||
# https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappfrontend_proxy
|
||||
{% for location in matrix_nginx_proxy_synapse_frontend_proxy_locations %}
|
||||
location ~ {{ location }} {
|
||||
proxy_pass http://frontend_proxy_upstream$request_uri;
|
||||
proxy_set_header Host $host;
|
||||
}
|
||||
{% endfor %}
|
||||
{% if matrix_nginx_proxy_synapse_presence_disabled %}
|
||||
# FIXME: keep in sync with synapse workers documentation manually
|
||||
location ~ ^/_matrix/client/(api/v1|r0|unstable)/presence/[^/]+/status {
|
||||
proxy_pass http://frontend_proxy_upstream$request_uri;
|
||||
proxy_set_header Host $host;
|
||||
}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{# Workers redirects END #}
|
||||
{% endif %}
|
||||
|
||||
|
||||
{% for configuration_block in matrix_nginx_proxy_proxy_synapse_additional_server_configuration_blocks %}
|
||||
{{- configuration_block }}
|
||||
{% endfor %}
|
||||
|
||||
{% if matrix_nginx_proxy_proxy_synapse_metrics %}
|
||||
location /_synapse/metrics {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
set $backend "{{ matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container }}";
|
||||
proxy_pass http://$backend;
|
||||
{% else %}
|
||||
{# Generic configuration for use outside of our container setup #}
|
||||
proxy_pass http://{{ matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container }};
|
||||
{% endif %}
|
||||
|
||||
proxy_set_header Host $host;
|
||||
|
||||
{% if matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled %}
|
||||
auth_basic "protected";
|
||||
auth_basic_user_file /nginx-data/matrix-synapse-metrics-htpasswd;
|
||||
{% endif %}
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
{# Everything else just goes to the API server ##}
|
||||
location / {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
set $backend "{{ matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container }}";
|
||||
proxy_pass http://$backend;
|
||||
{% else %}
|
||||
{# Generic configuration for use outside of our container setup #}
|
||||
proxy_pass http://{{ matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container }};
|
||||
{% endif %}
|
||||
|
||||
proxy_set_header Host $host;
|
||||
|
||||
client_body_buffer_size 25M;
|
||||
client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M;
|
||||
proxy_max_temp_file_size 0;
|
||||
}
|
||||
}
|
||||
|
||||
{% if matrix_nginx_proxy_proxy_synapse_federation_api_enabled %}
|
||||
server {
|
||||
listen 12088;
|
||||
|
||||
server_name {{ matrix_nginx_proxy_proxy_synapse_hostname }};
|
||||
server_tokens off;
|
||||
|
||||
root /dev/null;
|
||||
|
||||
gzip on;
|
||||
gzip_types text/plain application/json;
|
||||
|
||||
{% if matrix_nginx_proxy_synapse_workers_enabled %}
|
||||
{% if generic_workers %}
|
||||
# https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappgeneric_worker
|
||||
{% for location in matrix_nginx_proxy_synapse_generic_worker_federation_locations %}
|
||||
location ~ {{ location }} {
|
||||
proxy_pass http://generic_worker_upstream$request_uri;
|
||||
proxy_set_header Host $host;
|
||||
}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% if media_repository_workers %}
|
||||
# https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappmedia_repository
|
||||
{% for location in matrix_nginx_proxy_synapse_media_repository_locations %}
|
||||
location ~ {{ location }} {
|
||||
proxy_pass http://media_repository_upstream$request_uri;
|
||||
proxy_set_header Host $host;
|
||||
|
||||
client_body_buffer_size 25M;
|
||||
client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M;
|
||||
proxy_max_temp_file_size 0;
|
||||
}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
location / {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver 127.0.0.11 valid=5s;
|
||||
set $backend "{{ matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container }}";
|
||||
proxy_pass http://$backend;
|
||||
{% else %}
|
||||
{# Generic configuration for use outside of our container setup #}
|
||||
proxy_pass http://{{ matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container }};
|
||||
{% endif %}
|
||||
|
||||
proxy_set_header Host $host;
|
||||
|
||||
client_body_buffer_size 25M;
|
||||
client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M;
|
||||
proxy_max_temp_file_size 0;
|
||||
}
|
||||
}
|
||||
{% endif %}
|
||||
@ -0,0 +1,14 @@
|
||||
#jinja2: lstrip_blocks: "True"
|
||||
# The default is aligned to the CPU's cache size,
|
||||
# which can sometimes be too low to handle our 2 vhosts (Synapse and Element).
|
||||
#
|
||||
# Thus, we ensure a larger bucket size value is used.
|
||||
server_names_hash_bucket_size 64;
|
||||
|
||||
{% if matrix_nginx_proxy_http_level_resolver %}
|
||||
resolver {{ matrix_nginx_proxy_http_level_resolver }};
|
||||
{% endif %}
|
||||
|
||||
{% for configuration_block in matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks %}
|
||||
{{- configuration_block }}
|
||||
{% endfor %}
|
||||
@ -0,0 +1,3 @@
|
||||
#jinja2: lstrip_blocks: "True"
|
||||
# User and password for protecting /_synapse/metrics URI
|
||||
prometheus:{{ matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key }}
|
||||
61
roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2
Normal file
61
roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2
Normal file
@ -0,0 +1,61 @@
|
||||
#jinja2: lstrip_blocks: "True"
|
||||
# This is a custom nginx configuration file that we use in the container (instead of the default one),
|
||||
# because it allows us to run nginx with a non-root user.
|
||||
#
|
||||
# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed.
|
||||
#
|
||||
# The following changes have been done compared to a default nginx configuration file:
|
||||
# - various temp paths are changed to `/tmp`, so that a non-root user can write to them
|
||||
# - the `user` directive was removed, as we don't want nginx to switch users
|
||||
|
||||
worker_processes {{ matrix_nginx_proxy_worker_processes }};
|
||||
error_log /var/log/nginx/error.log warn;
|
||||
pid /tmp/nginx.pid;
|
||||
{% for configuration_block in matrix_nginx_proxy_proxy_additional_configuration_blocks %}
|
||||
{{- configuration_block }}
|
||||
{% endfor %}
|
||||
|
||||
events {
|
||||
worker_connections {{ matrix_nginx_proxy_worker_connections }};
|
||||
{% for configuration_block in matrix_nginx_proxy_proxy_event_additional_configuration_blocks %}
|
||||
{{- configuration_block }}
|
||||
{% endfor %}
|
||||
}
|
||||
|
||||
|
||||
http {
|
||||
proxy_temp_path /tmp/proxy_temp;
|
||||
client_body_temp_path /tmp/client_temp;
|
||||
fastcgi_temp_path /tmp/fastcgi_temp;
|
||||
uwsgi_temp_path /tmp/uwsgi_temp;
|
||||
scgi_temp_path /tmp/scgi_temp;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||
'$status $body_bytes_sent "$http_referer" '
|
||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||
|
||||
{% if matrix_nginx_proxy_access_log_enabled %}
|
||||
access_log /var/log/nginx/access.log main;
|
||||
{% else %}
|
||||
access_log off;
|
||||
{% endif %}
|
||||
|
||||
sendfile on;
|
||||
#tcp_nopush on;
|
||||
|
||||
keepalive_timeout 65;
|
||||
|
||||
server_tokens off;
|
||||
|
||||
#gzip on;
|
||||
{# Map directive needed for proxied WebSocket upgrades #}
|
||||
map $http_upgrade $connection_upgrade {
|
||||
default upgrade;
|
||||
'' close;
|
||||
}
|
||||
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
}
|
||||
Reference in New Issue
Block a user