Document the new variables for ngingx SSL config
The new variables created to the nginx reverse proxy are properly added to the documentation.
This commit is contained in:
parent
2082242499
commit
ff6db5fd3b
@ -24,6 +24,29 @@ matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses:
|
||||
- 1.1.1.1
|
||||
```
|
||||
|
||||
## Adjusting SSL in your server
|
||||
|
||||
You can adjust how the SSL is served by the nginx server by setting the `matrix_nginx_proxy_ssl_config`. This is based on the Mozilla Server Side TLS
|
||||
Recommended configurations. It changes the TLS Protocol, the SSL Cipher Suites and the `ssl_prefer_server_ciphers` variable of nginx.
|
||||
The posible values are:
|
||||
|
||||
- "Modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility
|
||||
- "Intermediate" - Recommended configuration for a general-purpose server
|
||||
- "Old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8
|
||||
- "Custom" - For defining your own protocols an ciphers
|
||||
|
||||
The default is set to `"Intermediate"`.
|
||||
|
||||
**Be really carefull when setting it to "Modern"**. This could break the comunication with other matrix servers, limiting your feration posibilities and the
|
||||
[Federarion tester](https://federationtester.matrix.org/) won't work.
|
||||
|
||||
If you set `matrix_nginx_proxy_ssl_config` to `"Custom"`, you will get three variables that you will be able to set:
|
||||
|
||||
- `matrix_nginx_proxy_ssl_protocols`: for specifying the supported TLS protocols.
|
||||
- `matrix_nginx_proxy_ssl_prefer_server_ciphers`: for specifying if the server or the client choice when negociating the chipher. It can set to "on" or "off".
|
||||
- `matrix_nginx_proxy_ssl_ciphers`: for specifying the SSL Cipher suites used by nginx.
|
||||
|
||||
For more information about this variables, check the `roles/matrix-nginx-proxy/defaults/main.yml` file.
|
||||
|
||||
## Synapse + OpenID Connect for Single-Sign-On
|
||||
|
||||
|
@ -48,10 +48,11 @@ Those configuration files are adapted for use with an external web server (one n
|
||||
|
||||
You can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your own `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;`
|
||||
|
||||
Note that if your nginx version is old, it might not like our default choice of SSL protocols (particularly the fact that the brand new `TLSv1.3` protocol is enabled). You can override the protocol list by redefining the `matrix_nginx_proxy_ssl_protocols` variable. Example:
|
||||
Note that if your nginx version is old, it might not like our default choice of SSL protocols (particularly the fact that the brand new `TLSv1.3` protocol is enabled). You can override the protocol list by setting `matrix_nginx_proxy_ssl_config` to `"Custom"` redefining the `matrix_nginx_proxy_ssl_protocols` variable. Example:
|
||||
|
||||
```yaml
|
||||
# Custom protocol list (removing `TLSv1.3`) to suit your nginx version.
|
||||
matrix_nginx_proxy_ssl_config: "Custom"
|
||||
matrix_nginx_proxy_ssl_protocols: "TLSv1.2"
|
||||
```
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user