|
|
|
server {
|
|
|
|
listen 80;
|
|
|
|
server_name {{ hostname_riot }};
|
|
|
|
|
|
|
|
server_tokens off;
|
|
|
|
|
|
|
|
location /.well-known/acme-challenge {
|
|
|
|
{#
|
|
|
|
The proxy can access the files directly.
|
|
|
|
An external server likely does not have permission to read these files,
|
|
|
|
so we'll just proxy to acme's :402 port.
|
|
|
|
#}
|
|
|
|
|
|
|
|
{%- if matrix_nginx_proxy_enabled -%}
|
|
|
|
default_type "text/plain";
|
|
|
|
alias {{ matrix_ssl_certs_path }}/run/acme-challenge;
|
|
|
|
{%- else -%}
|
|
|
|
proxy_pass http://localhost:402;
|
|
|
|
{% endif %}
|
|
|
|
}
|
|
|
|
|
|
|
|
location / {
|
|
|
|
return 301 https://$http_host$request_uri;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
server {
|
|
|
|
listen 443 ssl http2;
|
|
|
|
listen [::]:443 ssl http2;
|
|
|
|
|
|
|
|
server_name {{ hostname_riot }};
|
|
|
|
|
|
|
|
server_tokens off;
|
|
|
|
root /dev/null;
|
|
|
|
|
|
|
|
ssl_certificate {{ matrix_ssl_certs_path }}/live/{{ hostname_riot }}/fullchain;
|
|
|
|
ssl_certificate_key {{ matrix_ssl_certs_path }}/live/{{ hostname_riot }}/privkey;
|
|
|
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
|
|
|
|
|
|
|
location / {
|
|
|
|
{% if matrix_nginx_proxy_enabled %}
|
|
|
|
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
|
|
|
resolver 127.0.0.11 valid=5s;
|
|
|
|
set $backend "matrix-riot-web:8765";
|
|
|
|
proxy_pass http://$backend;
|
|
|
|
{% else %}
|
|
|
|
{# Generic configuration for people to use outside of our container setup #}
|
|
|
|
proxy_pass http://localhost:8765;
|
|
|
|
{% endif %}
|
|
|
|
|
|
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
|
|
}
|
|
|
|
}
|