finallycoffee/matrix-docker-ansible-deploy
finallycoffee/matrix-docker-ansible-deploy
5
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
df5d8bfc04
matrix-docker-ansible-deploy/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml
Slavi Pantaleev df5d8bfc04 Remove matrix-homeserver-proxy role in favor of the new internal Traefik entrypoint 
This was meant to serve as an intermediary for services needing to reach
the homeserver. It was used like that for a while in this
`bye-bye-nginx-proxy` branch, but was never actually public.

It has recently been superseded by homeserver-like services injecting
themselves into a new internal Traefik entrypoint
(see `matrix_playbook_internal_matrix_client_api_traefik_entrypoint_*`),
so `matrix-homeserver-proxy` is no longer necessary.

---

This is probably a good moment to share some benchmarks and reasons
for going with the internal Traefik entrypoint as opposed to this nginx
service.

1. (1400 rps) Directly to Synapse (`ab -n 1000 -c 100 http://matrix-synapse:8008/_matrix/client/versions`
2. (~900 rps) Via `matrix-homeserver-proxy` (nginx) proxying to Synapse (`ab -n 1000 -c 100 http://matrix-homeserver-proxy:8008/_matrix/client/versions`)
3. (~1200 rps) Via the new internal entrypoint of Traefik (`matrix-internal-matrix-client-api`) proxying to Synapse (`ab -n 1000 -c 100 http://matrix-traefik:8008/_matrix/client/versions`)

Besides Traefik being quicker for some reason, there are also other
benefits to not having this `matrix-homeserver-proxy` component:

- we can reuse what we have in terms of labels. Services can register a few extra labels on the new Traefik entrypoint
- we don't need services (like `matrix-media-repo`) to inject custom nginx configs into `matrix-homeserver-proxy`. They just need to register labels, like they do already.
- Traefik seems faster than nginx on this benchmark for some reason, which is a nice bonus
- no need to run one extra container (`matrix-homeserver-proxy`) and execute one extra Ansible role
- no need to maintain a setup where some people run the `matrix-homeserver-proxy` component (because they have route-stealing services like `matrix-media-repo` enabled) and others run an optimized setup without this component and everything needs to be rewired to talk to the homeserver directly. Now, everyone can go through Traefik and we can all run an identical setup

Downsides of the new Traefik entrypoint setup are that:

- all addon services that need to talk to the homeserver now depend on Traefik
- people running their own Traefik setup will be inconvenienced - they
  need to manage one additional entrypoint
2024-01-14 10:53:14 +02:00

234 lines
21 KiB
YAML
Raw Blame History

---
# matrix-synapse-reverse-proxy-companion is a role which brings up a containerized nginx webserver which helps with reverse-proxying to Synapse when workers are enabled.
#
# When Synapse is NOT running in worker-mode, reverse-proxying is relatively simple (everything goes to `matrix-synapse:XXXX`).
# In such cases, using this reverse-proxy companion is possible, but unnecessary - it's one more service in the stack, which also impacts performance a bit.
#
# When Synapse workers are enabled, however, the reverse-proxying configuration is much more complicated - certain requests need to go to certain workers, etc.
# matrix-synapse-reverse-proxy-companion is the central place services that need to reach Synapse could be pointed to.
matrix_synapse_reverse_proxy_companion_enabled: true
# renovate: datasource=docker depName=nginx
matrix_synapse_reverse_proxy_companion_version: 1.25.3-alpine
matrix_synapse_reverse_proxy_companion_base_path: "{{ matrix_synapse_base_path }}/reverse-proxy-companion"
matrix_synapse_reverse_proxy_companion_confd_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/conf.d"
# List of systemd services that matrix-synapse-reverse-proxy-companion.service depends on
matrix_synapse_reverse_proxy_companion_systemd_required_services_list: "{{ matrix_synapse_reverse_proxy_companion_systemd_required_services_list_default + matrix_synapse_reverse_proxy_companion_systemd_required_services_list_auto + matrix_synapse_reverse_proxy_companion_systemd_required_services_list_custom }}"
matrix_synapse_reverse_proxy_companion_systemd_required_services_list_default: ['docker.service']
matrix_synapse_reverse_proxy_companion_systemd_required_services_list_auto: []
matrix_synapse_reverse_proxy_companion_systemd_required_services_list_custom: []
# List of systemd services that matrix-synapse-reverse-proxy-companion.service wants
matrix_synapse_reverse_proxy_companion_systemd_wanted_services_list: ['matrix-synapse.service']
# We use an official nginx image, which we fix-up to run unprivileged.
# An alternative would be an `nginxinc/nginx-unprivileged` image, but
# that is frequently out of date.
matrix_synapse_reverse_proxy_companion_container_image: "{{ matrix_container_global_registry_prefix }}nginx:{{ matrix_synapse_reverse_proxy_companion_version }}"
matrix_synapse_reverse_proxy_companion_container_image_force_pull: "{{ matrix_synapse_reverse_proxy_companion_container_image.endswith(':latest') }}"
matrix_synapse_reverse_proxy_companion_container_network: ""
# A list of additional container networks that matrix-synapse-reverse-proxy-companion would be connected to.
# The playbook does not create these networks, so make sure they already exist.
matrix_synapse_reverse_proxy_companion_container_additional_networks: []
# Controls whether the matrix-synapse-reverse-proxy-companion container exposes its HTTP Client-Server API port (tcp/8008 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8008"), or empty string to not expose.
matrix_synapse_reverse_proxy_companion_container_client_api_host_bind_port: ''
# Controls whether the matrix-synapse-reverse-proxy-companion container exposes its HTTP Federation (Server-Server) API port (tcp/8048 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8048"), or empty string to not expose.
matrix_synapse_reverse_proxy_companion_container_federation_api_host_bind_port: ''
# matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
# See `../templates/labels.j2` for details.
#
# To inject your own other container labels, see `matrix_synapse_reverse_proxy_companion_container_labels_additional_labels`.
matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled: true
matrix_synapse_reverse_proxy_companion_container_labels_traefik_docker_network: "{{ matrix_synapse_reverse_proxy_companion_container_network }}"
matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints: web-secure
matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver: default # noqa var-naming
matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname: ''
# Controls whether labels will be added that expose the Client-Server API on a public Traefik entrypoint.
matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_enabled: true
matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}"
matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_path_prefix: /_matrix
matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_path_prefix }}`)"
matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_priority: 0
matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}"
matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_entrypoints != 'web' }}"
matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming
# Controls whether labels will be added that expose the Client-Server API on the internal Traefik entrypoint.
# This is similar to `matrix_synapse_container_labels_public_client_api_enabled`, but the entrypoint and intent is different.
matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_enabled: false
matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_traefik_path_prefix: "{{ matrix_synapse_container_labels_public_client_api_traefik_path_prefix }}"
matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_traefik_rule: "PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_traefik_path_prefix }}`)"
matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_traefik_priority: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_priority }}"
matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_traefik_entrypoints: ""
# Controls whether labels will be added that expose the /_synapse/client paths
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_enabled: true
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}"
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_path_prefix: /_synapse/client
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_path_prefix }}`)"
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_priority: 0
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}"
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_entrypoints != 'web' }}"
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming
# Controls whether labels will be added that expose the /_synapse/oidc paths
# Enable this if you need OpenID Connect authentication support.
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_enabled: false
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}"
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_path_prefix: /_synapse/oidc
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_path_prefix }}`)"
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_priority: 0
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}"
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_entrypoints != 'web' }}"
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming
# Controls whether labels will be added that expose the /_synapse/admin paths
# Following these recommendations (https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md), by default, we don't.
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_enabled: false
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}"
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_path_prefix: /_synapse/admin
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_path_prefix }}`)"
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_priority: 0
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}"
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_entrypoints != 'web' }}"
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming
# Controls whether labels will be added that expose the Server-Server API (Federation API).
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_enabled: "{{ matrix_synapse_reverse_proxy_companion_federation_api_enabled }}"
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}"
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_path_prefix: /_matrix
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_path_prefix }}`)"
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_priority: 0
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_entrypoints: ''
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_entrypoints != 'web' }}"
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming
# matrix_synapse_reverse_proxy_companion_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
# See `../templates/labels.j2` for details.
#
# Example:
# matrix_synapse_reverse_proxy_companion_container_labels_additional_labels: |
# my.label=1
# another.label="here"
matrix_synapse_reverse_proxy_companion_container_labels_additional_labels: ''
# The amount of worker processes and connections
# Consider increasing these when you are expecting high amounts of traffic
# http://nginx.org/en/docs/ngx_core_module.html#worker_connections
matrix_synapse_reverse_proxy_companion_worker_processes: auto
matrix_synapse_reverse_proxy_companion_worker_connections: 1024
# Option to disable the access log
matrix_synapse_reverse_proxy_companion_access_log_enabled: true
# Controls whether to send access logs to a remote syslog-compatible server
matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_enabled: false
matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_server_port: ''
# This is intentionally different. The maximum allowed length is 32 characters and dashes are not allowed.
matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_tag: matrix_synapse_rev_proxy_comp
# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
matrix_synapse_reverse_proxy_companion_tmp_directory_size_mb: "{{ (matrix_synapse_reverse_proxy_companion_federation_api_client_max_body_size_mb | int) * 50 }}"
matrix_synapse_reverse_proxy_companion_tmp_cache_directory_size_mb: "{{ (matrix_synapse_reverse_proxy_companion_synapse_cache_max_size_mb | int) * 2 }}"
# A list of strings containing additional configuration blocks to add to the nginx server configuration (nginx.conf).
# for big matrixservers to enlarge the number of open files to prevent timeouts
# matrix_synapse_reverse_proxy_companion_additional_configuration_blocks:
# - 'worker_rlimit_nofile 30000;'
matrix_synapse_reverse_proxy_companion_additional_configuration_blocks: []
# A list of strings containing additional configuration blocks to add to the nginx event server configuration (nginx.conf).
matrix_synapse_reverse_proxy_companion_event_additional_configuration_blocks: []
# A list of strings containing additional configuration blocks to add to the nginx http's server configuration (nginx-http.conf).
matrix_synapse_reverse_proxy_companion_http_additional_server_configuration_blocks: []
# To increase request timeout in NGINX using proxy_read_timeout, proxy_connect_timeout, proxy_send_timeout, send_timeout directives
# Nginx Default: proxy_connect_timeout 60s; #Defines a timeout for establishing a connection with a proxied server
# Nginx Default: proxy_send_timeout 60s; #Sets a timeout for transmitting a request to the proxied server.
# Nginx Default: proxy_read_timeout 60s; #Defines a timeout for reading a response from the proxied server.
# Nginx Default: send_timeout 60s; #Sets a timeout for transmitting a response to the client.
#
# For more information visit:
# http://nginx.org/en/docs/http/ngx_http_proxy_module.html
# http://nginx.org/en/docs/http/ngx_http_core_module.html#send_timeout
# https://www.nginx.com/resources/wiki/start/topics/examples/fullexample2/
#
# Here we are sticking with nginx default values change this value carefully.
matrix_synapse_reverse_proxy_companion_proxy_connect_timeout: 60
matrix_synapse_reverse_proxy_companion_proxy_send_timeout: 60
matrix_synapse_reverse_proxy_companion_proxy_read_timeout: 60
matrix_synapse_reverse_proxy_companion_send_timeout: 60
# For OCSP purposes, we need to define a resolver at the `server{}` level or `http{}` level (we do the latter).
#
# Otherwise, we get warnings like this:
# > [warn] 22#22: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: "/matrix/ssl/config/live/.../fullchain.pem"
#
# We point it to the internal Docker resolver, which likely delegates to nameservers defined in `/etc/resolv.conf`.
matrix_synapse_reverse_proxy_companion_http_level_resolver: 127.0.0.11
matrix_synapse_reverse_proxy_companion_hostname: "matrix-synapse-reverse-proxy-companion"
# matrix_synapse_reverse_proxy_companion_client_api_addr specifies the address where the Client-Server API is
matrix_synapse_reverse_proxy_companion_client_api_addr: 'matrix-synapse:{{ matrix_synapse_container_client_api_port }}'
# This needs to be equal or higher than the maximum upload size accepted by Synapse.
matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb: 50
# matrix_synapse_reverse_proxy_companion_federation_api_enabled specifies whether reverse proxying for the Federation (Server-Server) API should be done
matrix_synapse_reverse_proxy_companion_federation_api_enabled: true
# matrix_synapse_reverse_proxy_companion_federation_api_addr specifies the address where the Federation (Server-Server) API is
matrix_synapse_reverse_proxy_companion_federation_api_addr: 'matrix-synapse:{{ matrix_synapse_container_federation_api_plain_port }}'
matrix_synapse_reverse_proxy_companion_federation_api_client_max_body_size_mb: "{{ (matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb | int) * 3 }}"
# A list of strings containing additional configuration blocks to add to the nginx vhost handling the Synapse Client-Server API
matrix_synapse_reverse_proxy_companion_synapse_client_api_additional_server_configuration_blocks: []
# A list of strings containing additional configuration blocks to add to the nginx vhost handling the Synapse Federation (Server-Server) API
matrix_synapse_reverse_proxy_companion_synapse_federation_api_additional_server_configuration_blocks: []
# synapse worker activation and endpoint mappings
matrix_synapse_reverse_proxy_companion_synapse_workers_enabled: false
matrix_synapse_reverse_proxy_companion_synapse_workers_list: []
matrix_synapse_reverse_proxy_companion_synapse_generic_worker_client_server_locations: []
matrix_synapse_reverse_proxy_companion_synapse_generic_worker_federation_locations: []
matrix_synapse_reverse_proxy_companion_synapse_stream_writer_typing_stream_worker_client_server_locations: []
matrix_synapse_reverse_proxy_companion_synapse_stream_writer_to_device_stream_worker_client_server_locations: []
matrix_synapse_reverse_proxy_companion_synapse_stream_writer_account_data_stream_worker_client_server_locations: []
matrix_synapse_reverse_proxy_companion_synapse_stream_writer_receipts_stream_worker_client_server_locations: []
matrix_synapse_reverse_proxy_companion_synapse_stream_writer_presence_stream_worker_client_server_locations: []
matrix_synapse_reverse_proxy_companion_synapse_media_repository_locations: []
matrix_synapse_reverse_proxy_companion_synapse_user_dir_locations: []
# synapse content caching
matrix_synapse_reverse_proxy_companion_synapse_cache_enabled: false
matrix_synapse_reverse_proxy_companion_synapse_cache_path: /tmp/synapse-cache
matrix_synapse_reverse_proxy_companion_synapse_cache_keys_zone_name: "STATIC"
matrix_synapse_reverse_proxy_companion_synapse_cache_keys_zone_size: "10m"
matrix_synapse_reverse_proxy_companion_synapse_cache_inactive_time: "48h"
matrix_synapse_reverse_proxy_companion_synapse_cache_max_size_mb: 1024
matrix_synapse_reverse_proxy_companion_synapse_cache_proxy_cache_valid_time: "24h"
# Controls whether matrix-synapse-reverse-proxy-companion trusts an upstream server's X-Forwarded-Proto header.
# The `matrix-synapse-reverse-proxy-companion` does not terminate SSL and always expects to be fronted by another reverse-proxy server (`matrix-nginx-proxy`, etc.).
# As such, it trusts the protocol scheme forwarded by the upstream proxy.
matrix_synapse_reverse_proxy_companion_trust_forwarded_proto: true
matrix_synapse_reverse_proxy_companion_x_forwarded_proto_value: "{{ '$http_x_forwarded_proto' if matrix_synapse_reverse_proxy_companion_trust_forwarded_proto else '$scheme' }}"
Reference in New Issue View Git Blame Copy Permalink