Commit Graph

326 Commits

Author SHA1 Message Date
oxmie
5df4d68829 Make federation domain customizable 2021-06-30 23:02:27 +02:00
sakkiii
0217644b48
Content-Security-Policy For Element Web
https://github.com/vector-im/element-web#configuration-best-practices
2021-06-18 23:27:23 +05:30
Slavi Pantaleev
963f38ee7b Upgrade certbot (v1.14.0 -> v1.16.0) 2021-06-10 12:18:42 +03:00
pushytoxin
bee14550ab Fix local/bin scripts autocompletion by adding rx perms to everyone
It's mildly annoying when trying to execute these scripts while logged
in as a regular user, as the missing execute permissions will hinder
autocompletion even when trying to use with sudo.

These shell scripts don't contain secrets, but may fail when ran by a
regular user. The failure is due to the lack of access to the /matrix
directory, and does not result in any damage.
2021-05-28 10:39:27 +02:00
Slavi Pantaleev
4880dcceb0 Fix OCSP-stapling-related errors due to missing resolver
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1057
2021-05-28 11:14:33 +03:00
rakshazi
4ddd8bbb84
Updated nginx-proxy (1.20.0 -> 1.21.0) 2021-05-25 17:06:39 +00:00
Slavi Pantaleev
1ed0857019 Fix syntax error
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1024
2021-05-25 11:45:17 +03:00
sakkiii
4a4a7f136e changes added to hydrogen client 2021-05-25 11:42:51 +05:30
sakkiii
25e67b51d1 Merge branch 'spantaleev:master' into master 2021-05-25 11:40:56 +05:30
sakkiii
3436f9c10a rename to matrix_nginx_proxy_hsts_preload_enabled 2021-05-25 00:56:59 +05:30
sakkiii
7cc5328ede Comments & Ref 2021-05-24 17:20:54 +05:30
sakkiii
df2d91970d matrix_nginx_proxy_xss_protection 2021-05-24 17:02:47 +05:30
Slavi Pantaleev
6f80292745
Add OCSP stapling support and other SSL optimizations to Hydrogen vhost
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1061
and https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1057
2021-05-21 13:40:37 +03:00
Slavi Pantaleev
d0de21ab34
Delete Hydrogen nginx configuration file when disabled 2021-05-21 12:58:32 +03:00
Aaron Raimist
04548f8df2
Merge branch 'master' into hydrogen 2021-05-21 04:09:18 -05:00
Aaron Raimist
9437f78c9e
Build using custom config.json, add CSP, update to 0.1.53 2021-05-21 03:45:21 -05:00
sakkiii
e9b878b9e9 Optimize SSL session 2021-05-18 19:39:43 +05:30
Slavi Pantaleev
e6afa05f7b Enable OCSP stapling for the federation port
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1057

Not sure if this is beneficial though.
2021-05-18 08:15:42 +03:00
Slavi Pantaleev
57a6a98a50 Fix incorrect SSL certificate path
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1057
2021-05-18 07:58:47 +03:00
Slavi Pantaleev
b9c4e8ce16
Merge pull request #1057 from sakkiii/ssl_staple
Enable OCSP Stapling
2021-05-18 07:50:35 +03:00
sakkiii
d31b55b2a7 SSL-enabled block only 2021-05-18 03:24:06 +05:30
Slavi Pantaleev
e4dd933cf0 Make missing /_synapse/admin correctly return 404 responses
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1058

We may try to capture such calls and return a friendlier response (HTML
or JSON) saying "The Synapse Admin API is not enabled", but that may not
be desirable.

For now, we stick to what "upstream" recommends: "simply
don't proxy these APIs", which should lead to the same kind of 404 that
we have now.
See here: 6660912226/docs/reverse_proxy.md (synapse-administration-endpoints)
2021-05-17 11:45:35 +03:00
sakkiii
2c3da6599b Added warning 2021-05-15 16:07:52 +05:30
sakkiii
0dd4459799 matrix_nginx_proxy_ocsp_stapling_enabled variable added 2021-05-15 16:01:49 +05:30
sakkiii
c05021640d Enable OCSP Stapling 2021-05-15 15:57:05 +05:30
Aaron Raimist
ca361af616
Add Hydrogen 2021-05-15 04:23:36 -05:00
sakkiii
29cf6a0087 Merge branch 'spantaleev:master' into master 2021-05-10 15:10:18 +05:30
sakkiii
bb0810302d Merge branch 'spantaleev:master' into master 2021-05-07 23:03:55 +05:30
Béla Becker
b10655ebb1 Jitsi XMPP Websocket support
Jitsi-meet enabled websockets by default, claiming better reliability.
Matrix-nginx-proxy configuration has been set up according to the
Prosody documentation: https://prosody.im/doc/websocket
2021-05-05 19:10:58 +02:00
Dan Arnfield
cfaa3e598a Update nginx (1.19.10 -> 1.20.0) 2021-05-03 16:00:11 -05:00
sakkiii
40fe6bd5c1 variable matrix_nginx_proxy_hsts_preload_enable added 2021-04-24 20:04:20 +05:30
Slavi Pantaleev
389dc26615 Fix Synapse generic worker balancing
Potentially fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1022
2021-04-24 11:52:45 +03:00
sakkiii
5b4fdf9b87 Merge branch 'master' of https://github.com/sakkiii/matrix-docker-ansible-deploy 2021-04-24 12:15:34 +05:30
sakkiii
0ccf0fbf1c HSTS preload + X-XSS enables
**HSTS Preloading:**
In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and indicates a willingness to be “preloaded” into browsers:
`Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`

**X-Xss-Protection:**
`1; mode=block` which tells the browser to block the response if it detects an attack rather than sanitising the script.
2021-04-24 12:12:34 +05:30
sakkiii
3564635f0f
Merge branch 'master' into master 2021-04-24 11:46:52 +05:30
sakkiii
29bba5161b Element More security headers
More Production ready nginx headers for Matrix client element.
2021-04-24 11:10:40 +05:30
Slavi Pantaleev
d691cc0920 Move variable definition a bit 2021-04-21 13:59:20 +03:00
Slavi Pantaleev
e00ef04b57 Add opt-out-of-FLoC headers by default 2021-04-21 13:58:24 +03:00
Slavi Pantaleev
4a1739f604
Merge pull request #1007 from teutat3s/fix/nginx-dont-send-version
Don't expose nginx version with each response
2021-04-18 21:33:11 +03:00
teutat3s
2bf7c26cfa
Don't expose nginx version with each response 2021-04-18 16:24:13 +02:00
sakkiii
1958d0792d Update matrix-client-element.conf.j2 2021-04-17 21:33:07 +05:30
sakkiii
b6d45c5fd8 Merge branch 'master' of https://github.com/sakkiii/matrix-docker-ansible-deploy 2021-04-17 21:03:26 +05:30
sakkiii
05042f5ff1 Improve security grafana
- duplicate X-Content-Type-Options
- X-Frame-Options header
- Referrer-Policy [Might consider adding variable]
- Secure flag with cookies
- matrix_grafana_content_security_policy variable for [Content Security Policy](https://grafana.com/docs/grafana/latest/administration/configuration/#content_security_policy)
2021-04-17 21:03:05 +05:30
sakkiii
5dc642ace1
Nginx element web: XSS protection & nosniff header
X-XSS-Protection: 1; mode=block; header, for basic XSS protection in legacy browsers.
X-Content-Type-Options: nosniff header, to disable MIME sniffing
2021-04-16 14:45:04 +05:30
Slavi Pantaleev
c7c137df74 Upgrade nginx and certbot 2021-04-14 13:24:41 +03:00
Ahmad Haghighi
e335f3fc77 rename matrix_global_registry to matrix_container_global_registry_prefix related to #990
Signed-off-by: Ahmad Haghighi <haghighi@fedoraproject.org>
2021-04-12 17:23:55 +04:30
Ahmad Haghighi
f52a8b6484 use custom docker registry 2021-04-12 17:23:55 +04:30
Christoph Johannes Kleine
fcd66b2889
rename variables 2021-03-30 16:41:32 +02:00
Christoph Johannes Kleine
8ba1105010
rename variable 2021-03-30 15:59:10 +02:00
Christoph Johannes Kleine
3a772f2f65
matrix-nginx-proxy: add custom nginx options to nginx.conf.j2 2021-03-30 14:11:20 +02:00
Dan Arnfield
97d8527e00 Update nginx (1.19.6 -> 1.19.8) 2021-03-24 09:42:08 -05:00
Slavi Pantaleev
06c74728eb Move matrix_nginx_proxy_proxy_synapse_federation_api_enabled definition to the role
This variable was previously undefined in the role and was only getting
defined via `group_vars/matrix_servers`.

We now properly initialize it (and its good default value) in the role
itself.
2021-03-23 10:28:32 +02:00
Slavi Pantaleev
9a0222fa47 Add Sygnal support
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/683
2021-03-20 13:32:22 +02:00
Aaron Raimist
32b3650c12
Set X-Forwarded-Proto on federation requests 2021-03-17 18:51:10 -05:00
Aaron Raimist
466827139a
Also check if matrix_ssl_lets_encrypt_support_email is blank 2021-03-17 00:54:05 -05:00
Slavi Pantaleev
011e95c1d2
Merge pull request #893 from GoMatrixHosting/master
matrix-awx - the GoMatrixHosting v0.3.0 initial PR
2021-03-16 08:40:15 +02:00
Slavi Pantaleev
6181861ffe
Merge pull request #929 from Zir0h/master
Added support for the Go-NEB bot
2021-03-16 07:49:53 +02:00
Alexandros Afentoulis
28c255539c matrix-nginx-proxy: specify Origin header, comply with CORS
Self-checks against the .well-known URIs look for the HTTP header
"Access-Control-Allow-Origin" indicating that the remode endpoint
supports CORS. But the remote server is not required to include
said header in the response if the HTTP request does not include
the "Origin" header. This is in accordance with the specification
[1] stating: 'A CORS request is an HTTP request that includes an
"Origin" header.'

This is in fact true for Gitlab pages hosting and that's why the
issue was identified.

Let's specify "Origin" header in the respective uri tasks performing
the HTTP request and ensure a CORS request.

[1] https://fetch.spec.whatwg.org/#http-requests
2021-03-15 14:24:55 +02:00
Yannick Goossens
51e2547484 Added support for the Go-NEB bot 2021-03-11 19:23:01 +01:00
Slavi Pantaleev
9b72384df7 Upgrade Synapse (1.28.0 -> 1.29.0) 2021-03-08 17:24:09 +02:00
Slavi Pantaleev
f0698ee641 Do not overwrite X-Forwarded-For when reverse-proxying to Synapse
We have a flow like this:
1. matrix.DOMAIN vhost (matrix-domain.conf)
2. matrix-synapse vhost (matrix-synapse.conf); or matrix-corporal container, if enabled
3. (optional) matrix-synapse vhost (matrix-synapse.conf), if matrix-corporal enabled
4. matrix-synapse container

We are setting `X-Forwarded-For` correctly in step #1, but were
overwriting it in step #2 with something inaccurate.

Not doing anything in step #2 is better than doing the wrong thing.
It's probably best if we append another reverse-proxy address there
though, although what we're doing now (with this patch) seems to yield
the correct result (when matrix-corporal is not enabled).

When matrix-corporal is enabled, we still seem to do the wrong thing for
some reason. It's something to be fixed later on.
2021-03-08 17:24:09 +02:00
SierraKiloBravo
0de0716527 Added nginx proxy worker configuration to template and defaults 2021-03-02 11:30:09 +01:00
Slavi Pantaleev
009efdad49 Fix matrix.DOMAIN/_synapse/metrics exposing
This is something that got lost during
https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/456
and more specifically 4d62a75f6f.

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/914
2021-03-02 07:59:59 +02:00
Slavi Pantaleev
a25b8135b8 Fix point overlap between matrix-domain and Jitsi
Mostly affects people who disable the integrated `matrix-nginx-proxy`.

Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/456
and more specifically 4d62a75f6f.
2021-03-01 20:27:45 +02:00
Michael
33ec5710d9 0.2.1 revision 2021-02-28 22:21:40 +08:00
Hardy Erlinger
f4930d789e Run Let's Encrypt renewal checks daily instead of weekly.
This ensures more timely updates of certifcates.
2021-02-27 21:11:22 +01:00
Slavi Pantaleev
6baa91dd9f Do not delete matrix-ssl-lets-encrypt-certificates-renew only to recreate it later
This seems to have been added to the list of "deprecated files to
remove" by mistake.
2021-02-26 13:37:51 +02:00
Slavi Pantaleev
1ef683d366 Make nginx proxy config (when disabled) obey matrix_federation_public_port
People who were disabling matrix-nginx-proxy (in favor of their own
nginx webserver) and also overriding `matrix_federation_public_port`,
found that the generated nginx configuration still hardcoded `8448`,
which forced their nginx server to use that, regardless of the fact
that `matrix_federation_public_port` was pointing elsewhere.

We now allow for the in-container federation port to be configurable,
and also automatically wire things properly.
2021-02-24 08:19:20 +02:00
rakshazi
2f887f292c
added "matrix_%SERVICE%_version" variable to all roles, use it in "matrix_%SERVICE%_docker_image" var (preserving backward-compatibility) 2021-02-20 19:08:28 +02:00
Michael
4c882c513b initial PR 2021-02-20 17:19:17 +08:00
Slavi Pantaleev
eaea215282 Allow Synapse workers to be used with an external nginx webserver
We're talking about a webserver running on the same machine, which
imports the configuration files generated by the `matrix-nginx-proxy`
in the `/matrix/nginx-proxy/conf.d` directory.

Users who run an nginx webserver on some other machine will need to do
something different.
2021-02-19 11:36:48 +02:00
Slavi Pantaleev
d6c4d41c2b Define instanceId property on workers
This give us the possibility to run multiple instances of
workers that that don't expose a port.

Right now, we don't support that, but in the future we could
run multiple `federation_sender` or `pusher` workers, without
them fighting over naming (previously, they'd all be named
something like `matrix-synapse-worker-pusher-0`, because
they'd all define `port` as `0`).
2021-02-18 18:19:51 +02:00
Slavi Pantaleev
5cfeae806b Merge branch 'master' into synapse-workers 2021-02-14 13:00:57 +02:00
Slavi Pantaleev
894679750e
Merge pull request #862 from s-thom/nginx-additional
Add additional domains for Let's Encrypt certificates to be obtained
2021-02-14 11:05:25 +02:00
Slavi Pantaleev
a8e9f35708 Touch up documentation a bit 2021-02-14 11:05:05 +02:00
Peetz0r
989100b1c1 Grafana nginx proxy config 2021-02-10 22:54:14 +01:00
Stuart Thomson
064b2e533c Add variable for extra domains to get LE certs for
I felt that adding another variable was probably going to be the easiest way to do this. I may end up adding another variable to enable this feature, for consistency with some of the other things.
2021-02-06 20:02:39 +13:00
Slavi Pantaleev
889b299bc2
Merge pull request #804 from pushytoxin/matrix-etherpad
Self-hosted Etherpad
2021-01-31 09:55:46 +02:00
Slavi Pantaleev
26b287bd17 Upgrade certbot (1.10.1 -> 1.11.0) 2021-01-27 21:51:46 +02:00
Slavi Pantaleev
d98a1ceadd Merge branch 'master' into synapse-workers 2021-01-27 10:27:17 +02:00
Slavi Pantaleev
512f42aa76 Do not report docker kill/rm attempts as errors
These are just defensive cleanup tasks that we run.
In the good case, there's nothing to kill or remove, so they trigger an
error like this:

> Error response from daemon: Cannot kill container: something: No such container: something

and:

> Error: No such container: something

People often ask us if this is a problem, so instead of always having to
answer with "no, this is to be expected", we'd rather eliminate it now
and make logs cleaner.

In the event that:
- a container is really stuck and needs cleanup using kill/rm
- and cleanup fails, and we fail to report it because of error
suppression (`2>/dev/null`)

.. we'd still get an error when launching ("container name already in use .."),
so it shouldn't be too hard to investigate.
2021-01-27 10:22:46 +02:00
Béla Becker
7bc9be95cb Add map directive to the base of nginx.conf
This needs to be added for WebSocket upgrades to work properly (see doc:
http://nginx.org/en/docs/http/websocket.html)
2021-01-26 05:04:47 +01:00
Slavi Pantaleev
778b66876c Merge branch 'master' into synapse-workers 2021-01-25 14:56:55 +02:00
Slavi Pantaleev
70796703d3 Run Synapse workers in their own containers
This switches the `docker exec` method of spawning
Synapse workers inside the `matrix-synapse` container with
dedicated containers for each worker.

We also have dedicated systemd services for each worker,
so this are now:
- more consistent with everything else (we don't use systemd
instantiated services anywhere)
- we don't need the "parse systemd instance name into worker name +
port" part
- we don't need to keep track of PIDs manually
- we don't need jq (less depenendencies)
- workers dying would be restarted by systemd correctly, like any other
service
- `docker ps` shows each worker separately and we can observe resource
usage
2021-01-25 12:14:46 +02:00
Slavi Pantaleev
4d62a75f6f Get matrix-corporal to play nicely with a Synapse worker setup
We do this by creating one more layer of indirection.

First we reach some generic vhost handling matrix.DOMAIN.
A bunch of override rules are added there (capturing traffic to send to
ma1sd, etc). nginx-status and similar generic things also live there.

We then proxy to the homeserver on some other vhost (only Synapse being
available right now, but repointing this to Dendrite or other will be
possible in the future).
Then that homeserver-specific vhost does its thing to proxy to the
homeserver. It may or may not use workers, etc.

Without matrix-corporal, the flow is now:
1. matrix.DOMAIN (matrix-nginx-proxy/matrix-domain.conf)
2. matrix-nginx-proxy/matrix-synapse.conf
3. matrix-synapse

With matrix-corporal enabled, it becomes:
1. matrix.DOMAIN (matrix-nginx-proxy/matrix-domain.conf)
2. matrix-corporal
3. matrix-nginx-proxy/matrix-synapse.conf
4. matrix-synapse

(matrix-corporal gets injected at step 2).
2021-01-25 09:46:41 +02:00
Slavi Pantaleev
5ca68210cd Do not handle /_matrix/federation on client-server port, nor /_matrix/client stuff on federation port
I guess it didn't hurt to do it until now, but it's not great serving
federation APIs on the client-server API port, etc.

matrix-corporal doesn't work yet (still something to be solved in the
future), but its firewalling operations will also be sabotaged
by Client-Server APIs being served on the federation port (it's a way to get around its firewalling).
2021-01-24 22:22:57 +02:00
Slavi Pantaleev
8fa913dca7 Fix Ansible warning 2021-01-24 19:11:35 +02:00
Marcel Partap
183adec3d8 Merge remote-tracking branch 'origin/master' into synapse-workers 2021-01-23 15:04:11 +01:00
pushytoxin
d51ea25219 When validating LE certs, do not wait for a random time
While administering we will occasionally invoke this script interactively with the "non-interactive" switch still there, yet still sit at the desk waiting for 300 seconds for this timer to run out.

The systemd-timer already uses a 3h randomized delay for automatic renewals, which serves this purpose well.
2021-01-19 18:41:45 +01:00
Slavi Pantaleev
1692a28fe4 Work around annoying Docker warning about undefined $HOME
> WARNING: Error loading config file: .dockercfg: $HOME is not defined

.. which appeared in Docker 20.10.
2021-01-15 00:23:01 +02:00
Slavi Pantaleev
e1690722f7 Replace cronjobs with systemd timers
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/756

Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/737

I feel like timers are somewhat more complicated and dirty (compared to
cronjobs), but they come with these benefits:

- log output goes to journald
- on newer systemd distros, you can see when the timer fired, when it
will fire, etc.
- we don't need to rely on cron (reducing our dependencies to just
systemd + Docker)

Cronjobs work well, but it's one more dependency that needs to be
installed. We were even asking people to install it manually
(in `docs/prerequisites.md`), which could have gone unnoticed.

Once in a while someone says "my SSL certificates didn't renew"
and it's likely because they forgot to install a cron daemon.

Switching to systemd timers means that installation is simpler
and more unified.
2021-01-14 23:35:50 +02:00
Slavi Pantaleev
05ca9357a8 Add .service suffix to systemd units list
We'll be adding `.timer` units later on, so it's good to be
more explicit.
2021-01-14 23:02:10 +02:00
Slavi Pantaleev
57ea43d8b0 Remove unused variable
This variable has been useless since 2019-01-08.
We probably don't need to check for its usage anymore,
given how much time has passed since then, but ..
2021-01-14 17:47:13 +02:00
Slavi Pantaleev
7a90eb6d4f Relocate some validation tasks 2021-01-14 17:00:46 +02:00
Marcel Partap
cd8100544b Merge remote-tracking branch 'origin/master' into synapse-workers
Sync with upstream
2021-01-08 20:58:50 +01:00
Slavi Pantaleev
f7ae050eaf Remove useless quotes around ssl_ciphers value
Not sure if it breaks with them or not, but no other directive
uses quotes and the nginx docs show examples without quotes,
so we're being consistent with all of that.
2021-01-08 21:22:44 +02:00
Slavi Pantaleev
5822ba0c01 Use a more natural if statement 2021-01-08 21:21:33 +02:00
Slavi Pantaleev
de6ecd8818
Update inaccurate comments 2021-01-08 21:15:14 +02:00
Agustin Ferrario
5156c63a76 Clean up code
Code was clean up and simplified to make it simpler and easier to
maintain. No features were modified.
2021-01-08 18:35:27 +01:00
Agustin Ferrario
25d423e6b6 Fix errors per spantaleev suggestions
The different configurations are now all lower case, for consistent
naming.

`matrix_nginx_proxy_ssl_config` is now called
`matrix_nginx_proxy_ssl_preset`. The different options for "modern",
"intermediate" and "old" are stored in the main.yml file, instead of
being hardcoded in the configuration files. This will improve the
maintainability of the code.

The "custom" preset was removed. Now if one of the variables is set, it
will use it instead of the preset. This will allow to mix and match more
easily, for example using all the intermediate options but only
supporting TLSv1.2. This will also provide better backward
compatibility.
2021-01-08 11:32:10 +01:00