Initial work on Synapse 0.99/1.0 preparation

roles/matrix-nginx-proxy/defaults/main.yml

@@ -57,8 +57,14 @@ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:8008"
 # This needs to be equal or higher than the maximum upload size accepted by Synapse.
 matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 25
 
+# Controls whether proxying for the Matrix Federation API should be done.
+matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false
+matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-synapse:8048"
+matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "localhost:8048"
+matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb: "{{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb * 3 }}"
+
 # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
-matrix_nginx_proxy_tmp_directory_size_mb: "{{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb * 50 }}"
+matrix_nginx_proxy_tmp_directory_size_mb: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb * 50 }}"
 
 # A list of strings containing additional configuration blocks to add to the matrix domain's server configuration.
 matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: []

roles/matrix-nginx-proxy/tasks/self_check_well_known.yml

@@ -1,65 +1,13 @@
 ---
 
-- set_fact:
-    well_known_url_matrix: "https://{{ hostname_matrix }}/.well-known/matrix/client"
-    well_known_url_identity: "https://{{ hostname_identity }}/.well-known/matrix/client"
-
-# These well-known files may be served without a `Content-Type: application/json` header,
-# so we can't rely on the uri module's automatic parsing of JSON.
-- name: Check .well-known on the matrix hostname
-  uri:
-    url: "{{ well_known_url_matrix }}"
-    follow_redirects: false
-    return_content: true
-  register: result_well_known_matrix
-  ignore_errors: true
-
-- name: Fail if .well-known not working on the matrix hostname
-  fail:
-    msg: "Failed checking that well-known is configured at `{{ hostname_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`). Is port 443 open in your firewall? Full error: {{ result_well_known_matrix }}"
-  when: "result_well_known_matrix.failed"
-
-- name: Parse JSON for well-known payload at the matrix hostname
-  set_fact:
-    well_known_matrix_payload: "{{ result_well_known_matrix.content|from_json }}"
-
-- name: Fail if .well-known not CORS-aware on the matrix hostname
-  fail:
-    msg: "Well-known serving for `{{ hostname_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`) is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set."
-  when: "'access_control_allow_origin' not in result_well_known_matrix"
-
-- name: Report working .well-known on the matrix hostname
-  debug:
-    msg: "well-known is configured correctly for `{{ hostname_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`)"
-
-- name: Check .well-known on the identity hostname
-  uri:
-    url: "{{ well_known_url_identity }}"
-    follow_redirects: false
-    return_content: true
-  register: result_well_known_identity
-  ignore_errors: true
-
-- name: Fail if .well-known not working on the identity hostname
-  fail:
-    msg: "Failed checking that well-known is configured at `{{ hostname_identity }}` (checked endpoint: `{{ well_known_url_identity }}`). Is port 443 open in your firewall? Full error: {{ result_well_known_identity }}"
-  when: "result_well_known_identity.failed"
-
-- name: Parse JSON for well-known payload at the identity hostname
-  set_fact:
-    well_known_identity_payload: "{{ result_well_known_identity.content|from_json }}"
-
-- name: Fail if .well-known not CORS-aware on the identity hostname
-  fail:
-    msg: "Well-known serving for `{{ hostname_identity }}` (checked endpoint: `{{ well_known_url_identity }}`) is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set. See docs/configuring-well-known.md"
-  when: "'access_control_allow_origin' not in result_well_known_identity"
-
-# For people who manually copy the well-known file, try to detect if it's outdated
-- name: Fail if well-known is different on matrix hostname and identity hostname
-  fail:
-    msg: "The well-known files at `{{ hostname_matrix }}` and `{{ hostname_identity }}` are different. Perhaps you copied the file manually before and now it's outdated?"
-  when: "well_known_matrix_payload != well_known_identity_payload"
-
-- name: Report working .well-known on the identity hostname
-  debug:
-    msg: "well-known is configured correctly for `{{ hostname_identity }}` (checked endpoint: `{{ well_known_url_identity }}`)"
+- name: Perform well-known checks
+  include_tasks: "{{ role_path }}/tasks/self_check_well_known_file.yml"
+  with_items:
+    - path: /.well-known/matrix/server
+      purpose: Server Discovery
+      cors: false
+    - path: /.well-known/matrix/client
+      purpose: Client Discovery
+      cors: true
+  loop_control:
+    loop_var: well_known_file_check

roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml

@@ -0,0 +1,65 @@
+---
+
+- set_fact:
+    well_known_url_matrix: "https://{{ hostname_matrix }}{{ well_known_file_check.path }}"
+    well_known_url_identity: "https://{{ hostname_identity }}{{ well_known_file_check.path }}"
+
+# These well-known files may be served without a `Content-Type: application/json` header,
+# so we can't rely on the uri module's automatic parsing of JSON.
+- name: Check .well-known on the matrix hostname
+  uri:
+    url: "{{ well_known_url_matrix }}"
+    follow_redirects: false
+    return_content: true
+  register: result_well_known_matrix
+  ignore_errors: true
+
+- name: Fail if .well-known not working on the matrix hostname
+  fail:
+    msg: "Failed checking that the well-known file for {{ well_known_file_check.purpose }} is configured at `{{ hostname_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`). Is port 443 open in your firewall? Full error: {{ result_well_known_matrix }}"
+  when: "result_well_known_matrix.failed"
+
+- name: Parse JSON for well-known payload at the matrix hostname
+  set_fact:
+    well_known_matrix_payload: "{{ result_well_known_matrix.content|from_json }}"
+
+- name: Fail if .well-known not CORS-aware on the matrix hostname
+  fail:
+    msg: "The well-known file for {{ well_known_file_check.purpose }} on `{{ hostname_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`) is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set."
+  when: "well_known_file_check.cors and 'access_control_allow_origin' not in result_well_known_matrix"
+
+- name: Report working .well-known on the matrix hostname
+  debug:
+    msg: "well-known for {{ well_known_file_check.purpose }} is configured correctly for `{{ hostname_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`)"
+
+- name: Check .well-known on the identity hostname
+  uri:
+    url: "{{ well_known_url_identity }}"
+    follow_redirects: false
+    return_content: true
+  register: result_well_known_identity
+  ignore_errors: true
+
+- name: Fail if .well-known not working on the identity hostname
+  fail:
+    msg: "Failed checking that the well-known file for {{ well_known_file_check.purpose }} is configured at `{{ hostname_identity }}` (checked endpoint: `{{ well_known_url_identity }}`). Is port 443 open in your firewall? Full error: {{ result_well_known_identity }}"
+  when: "result_well_known_identity.failed"
+
+- name: Parse JSON for well-known payload at the identity hostname
+  set_fact:
+    well_known_identity_payload: "{{ result_well_known_identity.content|from_json }}"
+
+- name: Fail if .well-known not CORS-aware on the identity hostname
+  fail:
+    msg: "The well-known file for {{ well_known_file_check.purpose }} on `{{ hostname_identity }}` (checked endpoint: `{{ well_known_url_identity }}`) is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set. See docs/configuring-well-known.md"
+  when: "well_known_file_check.cors and 'access_control_allow_origin' not in result_well_known_identity"
+
+# For people who manually copy the well-known file, try to detect if it's outdated
+- name: Fail if well-known is different on matrix hostname and identity hostname
+  fail:
+    msg: "The well-known files for {{ well_known_file_check.purpose }} at `{{ hostname_matrix }}` and `{{ hostname_identity }}` are different. Perhaps you copied the file ({{ well_known_file_check.path }}) manually before and now it's outdated?"
+  when: "well_known_matrix_payload != well_known_identity_payload"
+
+- name: Report working .well-known on the identity hostname
+  debug:
+    msg: "well-known for {{ well_known_file_check.purpose }} ({{ well_known_file_check.path }}) is configured correctly for `{{ hostname_identity }}` (checked endpoint: `{{ well_known_url_identity }}`)"

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2

@@ -39,7 +39,7 @@ server {
 	ssl_prefer_server_ciphers on;
 	ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
 
-	location /.well-known/matrix/client {
+	location /.well-known/matrix {
 		root {{ matrix_static_files_base_path }};
 		expires 1m;
 		default_type application/json;
@@ -101,6 +101,10 @@ server {
 		{{- configuration_block }}
 	{% endfor %}
 
+	{#
+		This handles the Matrix Client API only.
+		The Matrix Federation API is handled by a separate vhost.
+	#}
 	location /_matrix {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
@@ -146,3 +150,43 @@ server {
 		rewrite ^/$ /_matrix/static/ last;
 	}
 }
+
+{% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled %}
+server {
+	listen 8448 ssl http2;
+	listen [::]:8448 ssl http2;
+
+	server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};
+
+	server_tokens off;
+	root /dev/null;
+
+	gzip on;
+	gzip_types text/plain application/json;
+
+	ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem;
+	ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem;
+	ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
+	ssl_prefer_server_ciphers on;
+	ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+
+	location / {
+		{% if matrix_nginx_proxy_enabled %}
+			{# Use the embedded DNS resolver in Docker containers to discover the service #}
+			resolver 127.0.0.11 valid=5s;
+			set $backend "{{ matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container }}";
+			proxy_pass http://$backend;
+		{% else %}
+			{# Generic configuration for use outside of our container setup #}
+			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container }};
+		{% endif %}
+
+		proxy_set_header Host $host;
+		proxy_set_header X-Forwarded-For $remote_addr;
+
+		client_body_buffer_size 25M;
+		client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M;
+		proxy_max_temp_file_size 0;
+	}
+}
+{% endif %}

roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2

@@ -22,6 +22,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \
 			--network={{ matrix_docker_network }} \
 			-p 80:8080 \
 			-p 443:8443 \
+			{% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled %}
+			-p 8448:8448 \
+			{% endif %}
 			-v {{ matrix_nginx_proxy_data_path }}/nginx.conf:/etc/nginx/nginx.conf:ro \
 			-v {{ matrix_nginx_proxy_confd_path }}:/etc/nginx/conf.d:ro \
 			-v {{ matrix_ssl_config_dir_path }}:{{ matrix_ssl_config_dir_path }}:ro \