parent
724373b123
commit
8dacdb038b
@ -0,0 +1,32 @@
|
||||
# Nginx reverse-proxy fronting playbook's Traefik
|
||||
|
||||
This directory contains a sample config that show you how to do reverse-proxying using Nginx and the playbook's internal traefik container.
|
||||
|
||||
This is for when you wish to front the playbook's integrated traefik container with a self-managed Nginx reverse-proxy running on the same server.
|
||||
See the [Using your own webserver, instead of this playbook's nginx proxy & Fronting the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) documentation page and follow the instructions for the playbook's configuration (`inventory/host_vars/matrix.<your-domain>/vars.yml`).
|
||||
|
||||
That is this part:
|
||||
**For Traefik** fronted by another reverse-proxy, you would need some configuration like this:
|
||||
|
||||
```yaml
|
||||
matrix_playbook_reverse_proxy_type: playbook-managed-traefik
|
||||
|
||||
# Ensure that public urls use https
|
||||
matrix_playbook_ssl_enabled: true
|
||||
|
||||
# Disable the web-secure (port 443) endpoint, which also disables SSL certificate retrieval
|
||||
devture_traefik_config_entrypoint_web_secure_enabled: false
|
||||
|
||||
devture_traefik_container_web_host_bind_port: '127.0.0.1:81'
|
||||
|
||||
devture_traefik_additional_entrypoints_auto:
|
||||
- name: matrix-federation
|
||||
port: 8449
|
||||
host_bind_port: '127.0.0.1:8449'
|
||||
config: {}
|
||||
```
|
||||
|
||||
**NOTE**:
|
||||
- that this also disables SSL certificate retrieval, which then has to be done manually (e.g. by using certbot and setting the appropriate path as found in [the example nginx configuration file](./matrix.conf)). For the example nginx config one certificate is used that contains all the used subdomains.
|
||||
- that [the example nginx configuration file](./matrix.conf) has to be adapted to whatever services you are using. For example, remove element.domain.com from the `server_name` list if you don't use Element web client or add dimension.domain.com to it if you do use Dimension.
|
||||
- that this is just an example and may not be entirely accurate. It may also not cover other use cases (enabling various services or bridges requires additional reverse-proxying configuration).
|
@ -0,0 +1,96 @@
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
# TODO: add/remove services and their subdomains if you use/don't use them
|
||||
# this example is using hosting something on the base domain and an element web client, so example.com and element.example.com are listed in addition to matrix.example.com
|
||||
# if you don't use those, you can remove them
|
||||
# if you use e.g. dimension on dimension.example.com, add dimension.example.com to the server_name list
|
||||
server_name example.com matrix.example.com element.example.com;
|
||||
|
||||
location / {
|
||||
# note: do not add a path (even a single /) after the port in `proxy_pass`,
|
||||
# otherwise, nginx will canonicalise the URI and cause signature verification
|
||||
# errors.
|
||||
proxy_pass http://localhost:81;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
|
||||
access_log /var/log/nginx/matrix.access.log;
|
||||
error_log /var/log/nginx/matrix.error.log;
|
||||
|
||||
# Nginx by default only allows file uploads up to 1M in size
|
||||
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
|
||||
client_max_body_size 50M;
|
||||
}
|
||||
|
||||
# TODO: adapt the path to your ssl certificate for the domains listed on server_name
|
||||
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
|
||||
# TODO: adapt the path to your ssl certificate for the domains listed on server_name
|
||||
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
|
||||
}
|
||||
|
||||
# settings for matrix federation
|
||||
server {
|
||||
# For the federation port
|
||||
listen 8448 ssl http2 default_server;
|
||||
listen [::]:8448 ssl http2 default_server;
|
||||
|
||||
server_name matrix.example.com;
|
||||
|
||||
location / {
|
||||
proxy_pass http://localhost:8449;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header Host $host;
|
||||
|
||||
access_log /var/log/nginx/matrix.access.log;
|
||||
error_log /var/log/nginx/matrix.error.log;
|
||||
|
||||
# Nginx by default only allows file uploads up to 1M in size
|
||||
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
|
||||
client_max_body_size 50M;
|
||||
}
|
||||
# TODO: adapt the path to your ssl certificate for the domains listed on server_name
|
||||
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
|
||||
# TODO: adapt the path to your ssl certificate for the domains listed on server_name
|
||||
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
|
||||
}
|
||||
|
||||
# ensure using https
|
||||
# TODO: remove server blocks that you don't use / add server blocks for domains you do use
|
||||
server {
|
||||
if ($host = example.com) {
|
||||
return 301 https://$host$request_uri;
|
||||
} # managed by Certbot
|
||||
|
||||
server_name example.com;
|
||||
listen 80;
|
||||
return 404; # managed by Certbot
|
||||
}
|
||||
|
||||
server {
|
||||
if ($host = matrix.example.com) {
|
||||
return 301 https://$host$request_uri;
|
||||
} # managed by Certbot
|
||||
|
||||
server_name matrix.example.com;
|
||||
listen 80;
|
||||
return 404; # managed by Certbot
|
||||
}
|
||||
|
||||
server {
|
||||
if ($host = element.example.com) {
|
||||
return 301 https://$host$request_uri;
|
||||
} # managed by Certbot
|
||||
|
||||
server_name element.example.com;
|
||||
listen 80;
|
||||
return 404; # managed by Certbot
|
||||
}
|
Loading…
Reference in new issue