matrix-docker-ansible-deploy/roles/custom/matrix-homeserver-proxy/defaults/main.yml

186 lines
11 KiB
YAML

---
# matrix-homeserver-proxy is a role which brings up a containerized nginx webserver which helps with reverse-proxying to the Matrix homeserver (Synapse, etc.).
#
# Certain services (like matrix-media-repo, matrix-corporal, identity servers, etc.) may need to capture some requests destined for the homeserver
# and handle them instead of it.
#
# This role helps other services (bots, bridges, etc.) reach the homeserver in a way that:
# - is not very direct, so as to allow for some routes (media repo, etc.) to actually go elsewhere
# - is not via the public network and/or via HTTPS, which introduces major performance penalties
#
# Performance-wise, benchmarks show that:
# - each local (container) nginx hop adds about a 200 rps penalty
# - SSL termination (on the Traefik side) adds a 350 rps penalty
# - going over the public network adds another 70 rps penalty
#
# It's something like this for an existing flow (which will be gone soon):
# 1. public network, Traefik + SSL: 70 rps
# 2. `matrix-nginx-proxy:8008`: 600 rps
# 3. `matrix-nginx-proxy:12080` 850 rps
# 4. `matrix-synapse-reverse-proxy-companion:8008`: 1000 rps
# 5. `matrix-synapse:8008`: 1200 rps
#
# Traefik was additionally benchmarked to see where the slowness comes from. Results are like this:
# 1. public network, Traefik + SSL: 70 rps
# 2. local (container) network, Traefik + SSL: 150 rps
# 3. local (container) network, Traefik without SSL: 500 rps
# 4. `matrix-nginx-proxy:8008`: 600 rps
#
# It's obvious that minimizing the number of hops helps a lot and that not using SSL and/or the public network is important.
matrix_homeserver_proxy_enabled: true
matrix_homeserver_proxy_identifier: matrix-homeserver-proxy
# renovate: datasource=docker depName=nginx
matrix_homeserver_proxy_version: 1.25.3-alpine
matrix_homeserver_proxy_base_path: "{{ matrix_base_data_path }}/homeserver-proxy"
matrix_homeserver_proxy_confd_path: "{{ matrix_homeserver_proxy_base_path }}/conf.d"
# List of systemd services that matrix-homeserver-proxy.service depends on
matrix_homeserver_proxy_systemd_required_services_list: ['docker.service']
# List of systemd services that matrix-homeserver-proxy.service wants
matrix_homeserver_proxy_systemd_wanted_services_list: "{{ matrix_homeserver_proxy_systemd_wanted_services_list_auto + matrix_homeserver_proxy_systemd_wanted_services_list_custom }}"
matrix_homeserver_proxy_systemd_wanted_services_list_auto: []
matrix_homeserver_proxy_systemd_wanted_services_list_custom: []
# We use an official nginx image, which we fix-up to run unprivileged.
# An alternative would be an `nginxinc/nginx-unprivileged` image, but that is frequently out of date.
matrix_homeserver_proxy_container_image: "{{ matrix_container_global_registry_prefix }}nginx:{{ matrix_homeserver_proxy_version }}"
matrix_homeserver_proxy_container_image_force_pull: "{{ matrix_homeserver_proxy_container_image.endswith(':latest') }}"
matrix_homeserver_proxy_container_network: matrix-homeserver-proxy
# A list of additional container networks that matrix-homeserver-proxy would be connected to.
# The playbook does not create these networks, so make sure they already exist.
matrix_homeserver_proxy_container_additional_networks: []
# Controls whether the matrix-homeserver-proxy container exposes its HTTP Client-Server API port (tcp/8008 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8008"), or empty string to not expose.
matrix_homeserver_proxy_container_client_api_host_bind_port: ''
# Controls whether the matrix-homeserver-proxy container exposes its HTTP Federation (Server-Server) API port (tcp/8048 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8048"), or empty string to not expose.
matrix_homeserver_proxy_container_federation_api_host_bind_port: ''
# Option to disable the access log
matrix_homeserver_proxy_access_log_enabled: true
# Controls whether to send access logs to a remote syslog-compatible server
matrix_homeserver_proxy_access_log_syslog_integration_enabled: false
matrix_homeserver_proxy_access_log_syslog_integration_server_port: ''
# This is intentionally different. The maximum allowed length is 32 characters and dashes are not allowed.
matrix_homeserver_proxy_access_log_syslog_integration_tag: matrix_homeserver_proxy
# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
matrix_homeserver_proxy_tmp_directory_size_mb: "{{ (matrix_homeserver_proxy_federation_api_client_max_body_size_mb | int) * 50 }}"
matrix_homeserver_proxy_tmp_cache_directory_size_mb: "{{ (matrix_homeserver_proxy_cache_max_size_mb | int) * 2 }}"
# A list of strings containing additional configuration blocks to add to the nginx server configuration (nginx.conf).
# for big matrixservers to enlarge the number of open files to prevent timeouts
# matrix_homeserver_proxy_additional_configuration_blocks:
# - 'worker_rlimit_nofile 30000;'
matrix_homeserver_proxy_additional_configuration_blocks: []
# A list of strings containing additional configuration blocks to add to the nginx event server configuration (nginx.conf).
matrix_homeserver_proxy_event_additional_configuration_blocks: []
# A list of strings containing additional configuration blocks to add to the nginx http's server configuration (nginx-http.conf).
matrix_homeserver_proxy_http_additional_server_configuration_blocks: []
# To increase request timeout in NGINX using proxy_read_timeout, proxy_connect_timeout, proxy_send_timeout, send_timeout directives
# Nginx Default: proxy_connect_timeout 60s; #Defines a timeout for establishing a connection with a proxied server
# Nginx Default: proxy_send_timeout 60s; #Sets a timeout for transmitting a request to the proxied server.
# Nginx Default: proxy_read_timeout 60s; #Defines a timeout for reading a response from the proxied server.
# Nginx Default: send_timeout 60s; #Sets a timeout for transmitting a response to the client.
#
# For more information visit:
# http://nginx.org/en/docs/http/ngx_http_proxy_module.html
# http://nginx.org/en/docs/http/ngx_http_core_module.html#send_timeout
# https://www.nginx.com/resources/wiki/start/topics/examples/fullexample2/
#
# Here we are sticking with nginx default values change this value carefully.
matrix_homeserver_proxy_proxy_connect_timeout: 60
matrix_homeserver_proxy_proxy_send_timeout: 60
matrix_homeserver_proxy_proxy_read_timeout: 60
matrix_homeserver_proxy_send_timeout: 60
# For OCSP purposes, we need to define a resolver at the `server{}` level or `http{}` level (we do the latter).
#
# Otherwise, we get warnings like this:
# > [warn] 22#22: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: "/matrix/ssl/config/live/.../fullchain.pem"
#
# We point it to the internal Docker resolver, which likely delegates to nameservers defined in `/etc/resolv.conf`.
matrix_homeserver_proxy_http_level_resolver: 127.0.0.11
matrix_homeserver_proxy_hostname: "{{ matrix_homeserver_proxy_identifier }}"
# matrix_homeserver_proxy_client_api_addr specifies the address where the Client-Server API is
matrix_homeserver_proxy_client_api_addr: ''
# This needs to be equal or higher than the maximum upload size accepted by the homeserver.
matrix_homeserver_proxy_client_api_client_max_body_size_mb: 50
# Tells whether `/_synapse/client` is forwarded to the Matrix Client API server.
matrix_homeserver_proxy_client_api_forwarded_location_synapse_client_api_enabled: true
# Tells whether `/_synapse/oidc` is forwarded to the Matrix Client API server.
# Enable this if you need OpenID Connect authentication support.
matrix_homeserver_proxy_client_api_forwarded_location_synapse_oidc_api_enabled: false
# Tells whether `/_synapse/admin` is forwarded to the Matrix Client API server.
# Following these recommendations (https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md), by default, we don't.
matrix_homeserver_proxy_client_api_forwarded_location_synapse_admin_api_enabled: false
# `matrix_homeserver_proxy_client_api_forwarded_location_prefix_regexes` holds
# the location prefixes that get forwarded to the Matrix Client API server.
# These locations get combined into a regex like this `^(/_matrix|/_synapse/client)`.
matrix_homeserver_proxy_client_api_forwarded_location_prefix_regexes: |
{{
(['/_matrix'])
+
(['/_synapse/client'] if matrix_homeserver_proxy_client_api_forwarded_location_synapse_client_api_enabled else [])
+
(['/_synapse/oidc'] if matrix_homeserver_proxy_client_api_forwarded_location_synapse_oidc_api_enabled else [])
+
(['/_synapse/admin'] if matrix_homeserver_proxy_client_api_forwarded_location_synapse_admin_api_enabled else [])
}}
# Specifies where requests for the root URI (`/`) on the `matrix.` domain should be redirected.
# If this has an empty value, they're just passed to the homeserver, which serves a static page.
# If you'd like to make `https://matrix.DOMAIN` redirect to `https://element.DOMAIN` (or something of that sort), specify the domain name here.
# Example value: `element.DOMAIN` (or `{{ matrix_server_fqn_element }}`).
matrix_homeserver_proxy_client_redirect_root_uri_to_domain: ""
# A list of strings containing additional configuration blocks to add to the nginx vhost handling the Client-Server API
matrix_homeserver_proxy_client_api_additional_server_configuration_blocks: "{{ matrix_homeserver_proxy_client_api_additional_server_configuration_blocks_auto + matrix_homeserver_proxy_client_api_additional_server_configuration_blocks_custom }}"
matrix_homeserver_proxy_client_api_additional_server_configuration_blocks_auto: []
matrix_homeserver_proxy_client_api_additional_server_configuration_blocks_custom: []
# matrix_homeserver_proxy_federation_api_enabled specifies whether reverse proxying for the Federation (Server-Server) API should be done
matrix_homeserver_proxy_federation_api_enabled: true
# matrix_homeserver_proxy_federation_api_addr specifies the address where the Federation (Server-Server) API is
matrix_homeserver_proxy_federation_api_addr: ''
matrix_homeserver_proxy_federation_api_client_max_body_size_mb: "{{ (matrix_homeserver_proxy_client_api_client_max_body_size_mb | int) * 3 }}"
# A list of strings containing additional configuration blocks to add to the nginx vhost handling the Federation (Server-Server) API
matrix_homeserver_proxy_federation_api_additional_server_configuration_blocks: "{{ matrix_homeserver_proxy_federation_api_additional_server_configuration_blocks_auto + matrix_homeserver_proxy_federation_api_additional_server_configuration_blocks_custom }}"
matrix_homeserver_proxy_federation_api_additional_server_configuration_blocks_auto: []
matrix_homeserver_proxy_federation_api_additional_server_configuration_blocks_custom: []
# Controls whether matrix-homeserver-proxy trusts an upstream server's X-Forwarded-Proto header.
# The `matrix-homeserver-proxy` does not terminate SSL and always expects to be fronted by another reverse-proxy server.
# As such, it trusts the protocol scheme forwarded by the upstream proxy.
matrix_homeserver_proxy_trust_forwarded_proto: true
matrix_homeserver_proxy_x_forwarded_proto_value: "{{ '$http_x_forwarded_proto' if matrix_homeserver_proxy_trust_forwarded_proto else '$scheme' }}"
# The amount of worker processes and connections
# Consider increasing these when you are expecting high amounts of traffic
# http://nginx.org/en/docs/ngx_core_module.html#worker_connections
matrix_homeserver_proxy_worker_processes: auto
matrix_homeserver_proxy_worker_connections: 1024