Commit Graph

22 Commits

Author SHA1 Message Date
Stefan Warnat
ab398276af Always use resolver variable in nginx conf.d files 2022-10-30 00:55:36 +02:00
JokerGermany
c0656448f7 Port 80 for IPv6 2021-11-13 01:18:22 +01:00
Slavi Pantaleev
1ed0857019 Fix syntax error
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1024
2021-05-25 11:45:17 +03:00
sakkiii
25e67b51d1 Merge branch 'spantaleev:master' into master 2021-05-25 11:40:56 +05:30
sakkiii
3436f9c10a rename to matrix_nginx_proxy_hsts_preload_enabled 2021-05-25 00:56:59 +05:30
sakkiii
df2d91970d matrix_nginx_proxy_xss_protection 2021-05-24 17:02:47 +05:30
sakkiii
e9b878b9e9 Optimize SSL session 2021-05-18 19:39:43 +05:30
Slavi Pantaleev
57a6a98a50 Fix incorrect SSL certificate path
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1057
2021-05-18 07:58:47 +03:00
sakkiii
d31b55b2a7 SSL-enabled block only 2021-05-18 03:24:06 +05:30
sakkiii
c05021640d Enable OCSP Stapling 2021-05-15 15:57:05 +05:30
Slavi Pantaleev
e00ef04b57 Add opt-out-of-FLoC headers by default 2021-04-21 13:58:24 +03:00
Slavi Pantaleev
f7ae050eaf Remove useless quotes around ssl_ciphers value
Not sure if it breaks with them or not, but no other directive
uses quotes and the nginx docs show examples without quotes,
so we're being consistent with all of that.
2021-01-08 21:22:44 +02:00
Slavi Pantaleev
5822ba0c01 Use a more natural if statement 2021-01-08 21:21:33 +02:00
Agustin Ferrario
5156c63a76 Clean up code
Code was clean up and simplified to make it simpler and easier to
maintain. No features were modified.
2021-01-08 18:35:27 +01:00
Agustin Ferrario
25d423e6b6 Fix errors per spantaleev suggestions
The different configurations are now all lower case, for consistent
naming.

`matrix_nginx_proxy_ssl_config` is now called
`matrix_nginx_proxy_ssl_preset`. The different options for "modern",
"intermediate" and "old" are stored in the main.yml file, instead of
being hardcoded in the configuration files. This will improve the
maintainability of the code.

The "custom" preset was removed. Now if one of the variables is set, it
will use it instead of the preset. This will allow to mix and match more
easily, for example using all the intermediate options but only
supporting TLSv1.2. This will also provide better backward
compatibility.
2021-01-08 11:32:10 +01:00
Agustin Ferrario
2082242499 Add matrix_nginx_proxy_ssl_config
A new variable called `matrix_nginx_proxy_ssl_config` is created for
configuring how the nginx proxy configures SSL. Also a new configuration
validation option and other auxiliary variables are created.

A new variable configuration called `matrix_nginx_proxy_ssl_config` is
created. This allow to set the SSL configuration easily using the
default options proposed by Mozilla. The default configuration is set to
"Intermediate", removing the weak ciphers used in the old
configurations.

The new variable can also be set to "Custom" for a more granular control.
This allows to set another three variables called:

- `matrix_nginx_proxy_ssl_protocols`,
- `matrix_nginx_proxy_ssl_prefer_server_ciphers`
- `matrix_nginx_proxy_ssl_ciphers`

Also a new task is added to validate the SSL configuration variable.
2020-12-16 10:35:37 +01:00
Slavi Pantaleev
c6ab1c6a90 Riot is now Element
Fixes #586 (Github Issue)
2020-07-17 11:31:20 +03:00
Daniel Hoffend
b280b05c25 matrix-nginx-proxy: adding additional configuration blocks 2020-02-10 23:42:41 +01:00
Slavi Pantaleev
ca3b158d94 Add support to matrix-nginx-proxy to work in HTTP-only mode 2019-12-06 11:53:15 +02:00
Hugues De Keyzer
c451025134 Fix indentation in templates
Use Jinja2 lstrip_blocks option in templates to ensure consistent
indentation in generated files.
2019-05-07 21:23:35 +02:00
Aaron Raimist
1f0cc92b33
Use IPv4 localhost everywhere (or almost everywhere) 2019-02-04 09:49:45 -06:00
Slavi Pantaleev
299a8c4c7c Make (most) containers start as non-root
This makes all containers (except mautrix-telegram and
mautrix-whatsapp), start as a non-root user.

We do this, because we don't trust some of the images.
In any case, we'd rather not trust ALL images and avoid giving
`root` access at all. We can't be sure they would drop privileges
or what they might do before they do it.

Because Postfix doesn't support running as non-root,
it had to be replaced by an Exim mail server.

The matrix-nginx-proxy nginx container image is patched up
(by replacing its main configuration) so that it can work as non-root.
It seems like there's no other good image that we can use and that is up-to-date
(https://hub.docker.com/r/nginxinc/nginx-unprivileged is outdated).

Likewise for riot-web (https://hub.docker.com/r/bubuntux/riot-web/),
we patch it up ourselves when starting (replacing the main nginx
configuration).
Ideally, it would be fixed upstream so we can simplify.
2019-01-27 20:25:13 +02:00