2a35ad5a0a
* update http2 config due to deprecation the previous way to let `http2` follow a `listen` was depracated, it moved to `http2 on;` * enable quic and http3 I hope the comments are somewhat understandable. if someone can describe the `reuseport` part more concise, please do.
119 lines
4.9 KiB
Plaintext
119 lines
4.9 KiB
Plaintext
server {
|
|
# TODO: once per IP and port you should add `reuseport`, if you don't have that in any other nginx config file, add it here by uncommenting the lines below and commenting the one after with `quic` but without `reuseport`
|
|
#listen 443 quic reuseport;
|
|
listen 443 quic;
|
|
listen 443 ssl;
|
|
# TODO: if you replaced the line above for port 443 and IPv4, you probably want to do the same for port 443 IPv6 by switching the two lines below
|
|
#listen [::]:443 quic reuseport;
|
|
listen [::]:443 quic;
|
|
listen [::]:443 ssl;
|
|
http2 on;
|
|
http3 on;
|
|
|
|
# TODO: add/remove services and their subdomains if you use/don't use them
|
|
# this example is using hosting something on the base domain and an element web client, so example.com and element.example.com are listed in addition to matrix.example.com
|
|
# if you don't use those, you can remove them
|
|
# if you use e.g. dimension on dimension.example.com, add dimension.example.com to the server_name list
|
|
server_name example.com matrix.example.com element.example.com;
|
|
|
|
location / {
|
|
# note: do not add a path (even a single /) after the port in `proxy_pass`,
|
|
# otherwise, nginx will canonicalise the URI and cause signature verification
|
|
# errors.
|
|
proxy_pass http://localhost:81;
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
|
|
access_log /var/log/nginx/matrix.access.log;
|
|
error_log /var/log/nginx/matrix.error.log;
|
|
|
|
# Nginx by default only allows file uploads up to 1M in size
|
|
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
|
|
client_max_body_size 50M;
|
|
|
|
# required for browsers to direct them to quic port
|
|
add_header Alt-Svc 'h3=":443"; ma=86400';
|
|
}
|
|
|
|
# TODO: adapt the path to your ssl certificate for the domains listed on server_name
|
|
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
|
|
# TODO: adapt the path to your ssl certificate for the domains listed on server_name
|
|
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
|
|
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
|
|
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
|
|
}
|
|
|
|
# settings for matrix federation
|
|
server {
|
|
# For the federation port
|
|
# TODO: once per IP and port you should add `reuseport`, if you don't have that in any other nginx config file, add it here by uncommenting the lines below and commenting the one after with `quic` but without `reuseport`
|
|
#listen 8448 quic reuseport;
|
|
listen 8448 quic;
|
|
listen 8448 ssl default_server;
|
|
# TODO: if you replaced the line above for port 8448 and IPv4, you probably want to do the same for port 8448 IPv6 by switching the two lines below
|
|
#listen [::]:8448 quic reuseport;
|
|
listen [::]:8448 quic;
|
|
listen [::]:8448 ssl default_server;
|
|
http2 on;
|
|
http3 on;
|
|
|
|
server_name matrix.example.com;
|
|
|
|
location / {
|
|
proxy_pass http://localhost:8449;
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header Host $host;
|
|
|
|
access_log /var/log/nginx/matrix.access.log;
|
|
error_log /var/log/nginx/matrix.error.log;
|
|
|
|
# Nginx by default only allows file uploads up to 1M in size
|
|
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
|
|
client_max_body_size 50M;
|
|
|
|
# required for browsers to direct them to quic port
|
|
add_header Alt-Svc 'h3=":8448"; ma=86400';
|
|
}
|
|
# TODO: adapt the path to your ssl certificate for the domains listed on server_name
|
|
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
|
|
# TODO: adapt the path to your ssl certificate for the domains listed on server_name
|
|
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
|
|
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
|
|
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
|
|
}
|
|
|
|
# ensure using https
|
|
# TODO: remove server blocks that you don't use / add server blocks for domains you do use
|
|
server {
|
|
if ($host = example.com) {
|
|
return 301 https://$host$request_uri;
|
|
} # managed by Certbot
|
|
|
|
server_name example.com;
|
|
listen 80;
|
|
return 404; # managed by Certbot
|
|
}
|
|
|
|
server {
|
|
if ($host = matrix.example.com) {
|
|
return 301 https://$host$request_uri;
|
|
} # managed by Certbot
|
|
|
|
server_name matrix.example.com;
|
|
listen 80;
|
|
return 404; # managed by Certbot
|
|
}
|
|
|
|
server {
|
|
if ($host = element.example.com) {
|
|
return 301 https://$host$request_uri;
|
|
} # managed by Certbot
|
|
|
|
server_name element.example.com;
|
|
listen 80;
|
|
return 404; # managed by Certbot
|
|
}
|