|
|
|
server {
|
|
|
|
listen 80;
|
|
|
|
server_name {{ hostname_riot }};
|
|
|
|
|
|
|
|
server_tokens off;
|
|
|
|
|
|
|
|
location /.well-known/acme-challenge {
|
|
|
|
{#
|
|
|
|
The proxy can access the files directly.
|
|
|
|
An external server likely does not have permission to read these files,
|
|
|
|
so we'll just proxy to acme's :402 port.
|
|
|
|
#}
|
|
|
|
|
|
|
|
{%- if matrix_nginx_proxy_enabled -%}
|
|
|
|
default_type "text/plain";
|
|
|
|
alias {{ matrix_ssl_certs_path }}/run/acme-challenge;
|
|
|
|
{%- else -%}
|
|
|
|
proxy_pass http://localhost:402;
|
|
|
|
{% endif %}
|
|
|
|
}
|
|
|
|
|
|
|
|
location / {
|
|
|
|
return 301 https://$http_host$request_uri;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
server {
|
|
|
|
listen 443 ssl http2;
|
|
|
|
listen [::]:443 ssl http2;
|
|
|
|
|
|
|
|
server_name {{ hostname_riot }};
|
|
|
|
|
|
|
|
server_tokens off;
|
|
|
|
root /dev/null;
|
|
|
|
|
|
|
|
ssl on;
|
|
|
|
ssl_certificate {{ matrix_ssl_certs_path }}/live/{{ hostname_riot }}/fullchain;
|
|
|
|
ssl_certificate_key {{ matrix_ssl_certs_path }}/live/{{ hostname_riot }}/privkey;
|
|
|
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
|
|
|
|
|
|
|
location / {
|
|
|
|
proxy_pass http://{{ 'riot' if matrix_nginx_proxy_enabled else 'localhost' }}:8765;
|
|
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
|
|
}
|
|
|
|
}
|