186 lines
11 KiB
YAML
186 lines
11 KiB
YAML
---
|
|
|
|
# matrix-homeserver-proxy is a role which brings up a containerized nginx webserver which helps with reverse-proxying to the Matrix homeserver (Synapse, etc.).
|
|
#
|
|
# Certain services (like matrix-media-repo, matrix-corporal, identity servers, etc.) may need to capture some requests destined for the homeserver
|
|
# and handle them instead of it.
|
|
#
|
|
# This role helps other services (bots, bridges, etc.) reach the homeserver in a way that:
|
|
# - is not very direct, so as to allow for some routes (media repo, etc.) to actually go elsewhere
|
|
# - is not via the public network and/or via HTTPS, which introduces major performance penalties
|
|
#
|
|
# Performance-wise, benchmarks show that:
|
|
# - each local (container) nginx hop adds about a 200 rps penalty
|
|
# - SSL termination (on the Traefik side) adds a 350 rps penalty
|
|
# - going over the public network adds another 70 rps penalty
|
|
#
|
|
# It's something like this for an existing flow (which will be gone soon):
|
|
# 1. public network, Traefik + SSL: 70 rps
|
|
# 2. `matrix-nginx-proxy:8008`: 600 rps
|
|
# 3. `matrix-nginx-proxy:12080` 850 rps
|
|
# 4. `matrix-synapse-reverse-proxy-companion:8008`: 1000 rps
|
|
# 5. `matrix-synapse:8008`: 1200 rps
|
|
#
|
|
# Traefik was additionally benchmarked to see where the slowness comes from. Results are like this:
|
|
# 1. public network, Traefik + SSL: 70 rps
|
|
# 2. local (container) network, Traefik + SSL: 150 rps
|
|
# 3. local (container) network, Traefik without SSL: 500 rps
|
|
# 4. `matrix-nginx-proxy:8008`: 600 rps
|
|
#
|
|
# It's obvious that minimizing the number of hops helps a lot and that not using SSL and/or the public network is important.
|
|
|
|
matrix_homeserver_proxy_enabled: true
|
|
|
|
matrix_homeserver_proxy_identifier: matrix-homeserver-proxy
|
|
|
|
# renovate: datasource=docker depName=nginx
|
|
matrix_homeserver_proxy_version: 1.25.3-alpine
|
|
|
|
matrix_homeserver_proxy_base_path: "{{ matrix_base_data_path }}/homeserver-proxy"
|
|
matrix_homeserver_proxy_confd_path: "{{ matrix_homeserver_proxy_base_path }}/conf.d"
|
|
|
|
# List of systemd services that matrix-homeserver-proxy.service depends on
|
|
matrix_homeserver_proxy_systemd_required_services_list: ['docker.service']
|
|
|
|
# List of systemd services that matrix-homeserver-proxy.service wants
|
|
matrix_homeserver_proxy_systemd_wanted_services_list: "{{ matrix_homeserver_proxy_systemd_wanted_services_list_auto + matrix_homeserver_proxy_systemd_wanted_services_list_custom }}"
|
|
matrix_homeserver_proxy_systemd_wanted_services_list_auto: []
|
|
matrix_homeserver_proxy_systemd_wanted_services_list_custom: []
|
|
|
|
# We use an official nginx image, which we fix-up to run unprivileged.
|
|
# An alternative would be an `nginxinc/nginx-unprivileged` image, but that is frequently out of date.
|
|
matrix_homeserver_proxy_container_image: "{{ matrix_container_global_registry_prefix }}nginx:{{ matrix_homeserver_proxy_version }}"
|
|
matrix_homeserver_proxy_container_image_force_pull: "{{ matrix_homeserver_proxy_container_image.endswith(':latest') }}"
|
|
|
|
matrix_homeserver_proxy_container_network: matrix-homeserver-proxy
|
|
|
|
# A list of additional container networks that matrix-homeserver-proxy would be connected to.
|
|
# The playbook does not create these networks, so make sure they already exist.
|
|
matrix_homeserver_proxy_container_additional_networks: []
|
|
|
|
# Controls whether the matrix-homeserver-proxy container exposes its HTTP Client-Server API port (tcp/8008 in the container).
|
|
#
|
|
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8008"), or empty string to not expose.
|
|
matrix_homeserver_proxy_container_client_api_host_bind_port: ''
|
|
|
|
# Controls whether the matrix-homeserver-proxy container exposes its HTTP Federation (Server-Server) API port (tcp/8048 in the container).
|
|
#
|
|
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8048"), or empty string to not expose.
|
|
matrix_homeserver_proxy_container_federation_api_host_bind_port: ''
|
|
|
|
# Option to disable the access log
|
|
matrix_homeserver_proxy_access_log_enabled: true
|
|
|
|
# Controls whether to send access logs to a remote syslog-compatible server
|
|
matrix_homeserver_proxy_access_log_syslog_integration_enabled: false
|
|
matrix_homeserver_proxy_access_log_syslog_integration_server_port: ''
|
|
# This is intentionally different. The maximum allowed length is 32 characters and dashes are not allowed.
|
|
matrix_homeserver_proxy_access_log_syslog_integration_tag: matrix_homeserver_proxy
|
|
|
|
# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
|
|
matrix_homeserver_proxy_tmp_directory_size_mb: "{{ (matrix_homeserver_proxy_federation_api_client_max_body_size_mb | int) * 50 }}"
|
|
matrix_homeserver_proxy_tmp_cache_directory_size_mb: "{{ (matrix_homeserver_proxy_cache_max_size_mb | int) * 2 }}"
|
|
|
|
# A list of strings containing additional configuration blocks to add to the nginx server configuration (nginx.conf).
|
|
# for big matrixservers to enlarge the number of open files to prevent timeouts
|
|
# matrix_homeserver_proxy_additional_configuration_blocks:
|
|
# - 'worker_rlimit_nofile 30000;'
|
|
matrix_homeserver_proxy_additional_configuration_blocks: []
|
|
|
|
# A list of strings containing additional configuration blocks to add to the nginx event server configuration (nginx.conf).
|
|
matrix_homeserver_proxy_event_additional_configuration_blocks: []
|
|
|
|
# A list of strings containing additional configuration blocks to add to the nginx http's server configuration (nginx-http.conf).
|
|
matrix_homeserver_proxy_http_additional_server_configuration_blocks: []
|
|
|
|
# To increase request timeout in NGINX using proxy_read_timeout, proxy_connect_timeout, proxy_send_timeout, send_timeout directives
|
|
# Nginx Default: proxy_connect_timeout 60s; #Defines a timeout for establishing a connection with a proxied server
|
|
# Nginx Default: proxy_send_timeout 60s; #Sets a timeout for transmitting a request to the proxied server.
|
|
# Nginx Default: proxy_read_timeout 60s; #Defines a timeout for reading a response from the proxied server.
|
|
# Nginx Default: send_timeout 60s; #Sets a timeout for transmitting a response to the client.
|
|
#
|
|
# For more information visit:
|
|
# http://nginx.org/en/docs/http/ngx_http_proxy_module.html
|
|
# http://nginx.org/en/docs/http/ngx_http_core_module.html#send_timeout
|
|
# https://www.nginx.com/resources/wiki/start/topics/examples/fullexample2/
|
|
#
|
|
# Here we are sticking with nginx default values change this value carefully.
|
|
matrix_homeserver_proxy_proxy_connect_timeout: 60
|
|
matrix_homeserver_proxy_proxy_send_timeout: 60
|
|
matrix_homeserver_proxy_proxy_read_timeout: 60
|
|
matrix_homeserver_proxy_send_timeout: 60
|
|
|
|
# For OCSP purposes, we need to define a resolver at the `server{}` level or `http{}` level (we do the latter).
|
|
#
|
|
# Otherwise, we get warnings like this:
|
|
# > [warn] 22#22: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: "/matrix/ssl/config/live/.../fullchain.pem"
|
|
#
|
|
# We point it to the internal Docker resolver, which likely delegates to nameservers defined in `/etc/resolv.conf`.
|
|
matrix_homeserver_proxy_http_level_resolver: 127.0.0.11
|
|
|
|
matrix_homeserver_proxy_hostname: "{{ matrix_homeserver_proxy_identifier }}"
|
|
|
|
# matrix_homeserver_proxy_client_api_addr specifies the address where the Client-Server API is
|
|
matrix_homeserver_proxy_client_api_addr: ''
|
|
# This needs to be equal or higher than the maximum upload size accepted by the homeserver.
|
|
matrix_homeserver_proxy_client_api_client_max_body_size_mb: 50
|
|
|
|
# Tells whether `/_synapse/client` is forwarded to the Matrix Client API server.
|
|
matrix_homeserver_proxy_client_api_forwarded_location_synapse_client_api_enabled: true
|
|
|
|
# Tells whether `/_synapse/oidc` is forwarded to the Matrix Client API server.
|
|
# Enable this if you need OpenID Connect authentication support.
|
|
matrix_homeserver_proxy_client_api_forwarded_location_synapse_oidc_api_enabled: false
|
|
|
|
# Tells whether `/_synapse/admin` is forwarded to the Matrix Client API server.
|
|
# Following these recommendations (https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md), by default, we don't.
|
|
matrix_homeserver_proxy_client_api_forwarded_location_synapse_admin_api_enabled: false
|
|
|
|
# `matrix_homeserver_proxy_client_api_forwarded_location_prefix_regexes` holds
|
|
# the location prefixes that get forwarded to the Matrix Client API server.
|
|
# These locations get combined into a regex like this `^(/_matrix|/_synapse/client)`.
|
|
matrix_homeserver_proxy_client_api_forwarded_location_prefix_regexes: |
|
|
{{
|
|
(['/_matrix'])
|
|
+
|
|
(['/_synapse/client'] if matrix_homeserver_proxy_client_api_forwarded_location_synapse_client_api_enabled else [])
|
|
+
|
|
(['/_synapse/oidc'] if matrix_homeserver_proxy_client_api_forwarded_location_synapse_oidc_api_enabled else [])
|
|
+
|
|
(['/_synapse/admin'] if matrix_homeserver_proxy_client_api_forwarded_location_synapse_admin_api_enabled else [])
|
|
}}
|
|
|
|
# Specifies where requests for the root URI (`/`) on the `matrix.` domain should be redirected.
|
|
# If this has an empty value, they're just passed to the homeserver, which serves a static page.
|
|
# If you'd like to make `https://matrix.DOMAIN` redirect to `https://element.DOMAIN` (or something of that sort), specify the domain name here.
|
|
# Example value: `element.DOMAIN` (or `{{ matrix_server_fqn_element }}`).
|
|
matrix_homeserver_proxy_client_redirect_root_uri_to_domain: ""
|
|
|
|
# A list of strings containing additional configuration blocks to add to the nginx vhost handling the Client-Server API
|
|
matrix_homeserver_proxy_client_api_additional_server_configuration_blocks: "{{ matrix_homeserver_proxy_client_api_additional_server_configuration_blocks_auto + matrix_homeserver_proxy_client_api_additional_server_configuration_blocks_custom }}"
|
|
matrix_homeserver_proxy_client_api_additional_server_configuration_blocks_auto: []
|
|
matrix_homeserver_proxy_client_api_additional_server_configuration_blocks_custom: []
|
|
|
|
# matrix_homeserver_proxy_federation_api_enabled specifies whether reverse proxying for the Federation (Server-Server) API should be done
|
|
matrix_homeserver_proxy_federation_api_enabled: true
|
|
# matrix_homeserver_proxy_federation_api_addr specifies the address where the Federation (Server-Server) API is
|
|
matrix_homeserver_proxy_federation_api_addr: ''
|
|
matrix_homeserver_proxy_federation_api_client_max_body_size_mb: "{{ (matrix_homeserver_proxy_client_api_client_max_body_size_mb | int) * 3 }}"
|
|
|
|
# A list of strings containing additional configuration blocks to add to the nginx vhost handling the Federation (Server-Server) API
|
|
matrix_homeserver_proxy_federation_api_additional_server_configuration_blocks: "{{ matrix_homeserver_proxy_federation_api_additional_server_configuration_blocks_auto + matrix_homeserver_proxy_federation_api_additional_server_configuration_blocks_custom }}"
|
|
matrix_homeserver_proxy_federation_api_additional_server_configuration_blocks_auto: []
|
|
matrix_homeserver_proxy_federation_api_additional_server_configuration_blocks_custom: []
|
|
|
|
# Controls whether matrix-homeserver-proxy trusts an upstream server's X-Forwarded-Proto header.
|
|
# The `matrix-homeserver-proxy` does not terminate SSL and always expects to be fronted by another reverse-proxy server.
|
|
# As such, it trusts the protocol scheme forwarded by the upstream proxy.
|
|
matrix_homeserver_proxy_trust_forwarded_proto: true
|
|
matrix_homeserver_proxy_x_forwarded_proto_value: "{{ '$http_x_forwarded_proto' if matrix_homeserver_proxy_trust_forwarded_proto else '$scheme' }}"
|
|
|
|
# The amount of worker processes and connections
|
|
# Consider increasing these when you are expecting high amounts of traffic
|
|
# http://nginx.org/en/docs/ngx_core_module.html#worker_connections
|
|
matrix_homeserver_proxy_worker_processes: auto
|
|
matrix_homeserver_proxy_worker_connections: 1024
|