Add TLS v1.3 support to matrix-nginx-proxy

This was mentioned in #27 (Github Pull Request),
but it's just now that the nginx Docker image actually supports
TLS v1.3 and we can enable it.
development
Slavi Pantaleev 6 years ago
parent d5a0f562ba
commit cd332d9b4e

@ -1,3 +1,18 @@
# 2019-02-01
## TLS v1.3 support
Now that the [nginx Docker image](https://hub.docker.com/_/nginx) has [added support for TLS v1.3](https://github.com/nginxinc/docker-nginx/issues/190), we have enabled that protocol by default.
When using:
- the **integrated nginx server**: TLS v1.3 support might not kick in immediately, because the nginx version hasn't been bumped and you may have an older build of the nginx Docker image (currently `nginx:1.15.8-alpine`). Typically, we do not re-pull images that you already have. When the nginx version gets bumped in the future, everyone will get the update. Until then, you could manually force-pull the rebuilt Docker image by running this on the server: `docker pull nginx:1.15.8-alpine`.
- **your own external nginx server**: if your external nginx server is too old, the new configuration we generate for you in `/matrix/nginx-proxy/conf.d/` might not work anymore, because it mentions `TLSv1.3` and your nginx version might not support that. You can adjust the SSL protocol list by overriding the `matrix_nginx_proxy_ssl_protocols` variable. Learn more in the documentation page for [Using your own webserver, instead of this playbook's nginx proxy](docs/configuring-playbook-own-webserver.md)
- **another web server**: you don't need to do anything to accommodate this change
# 2019-01-31
## IRC bridging support

@ -14,11 +14,15 @@ All it takes is:
```yaml
matrix_nginx_proxy_enabled: false
# If you use an external nginx, we'll generate some configuration for you in `/matrix/nginx-proxy/conf.d/`.
# You might need to tweak the protocol list (removing `TLSv1.3`) to suit your nginx version.
matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3"
```
**Note**: even if you do this, in order [to install](installing.md), this playbook still expects port 80 to be available. **Please manually stop your other webserver while installing**. You can start it back again afterwards.
**If your own webserver is nginx**, you can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;`
**If your own webserver is nginx**, you can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;`. Please note that if your nginx version is old, it might not like our default SSL protocols (particularly the fact that `TLSv1.3` is enabled). You can override the protocol list by redefining the `matrix_nginx_proxy_ssl_protocols` variable.
**If your own webserver is not nginx**, you can still take a look at the sample files in `/matrix/nginx-proxy/conf.d`, and:

@ -57,9 +57,7 @@ matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: []
matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *"
# Specifies which SSL protocols to use when serving Riot and Synapse
# Note TLSv1.3 is not yet available in dockerized nginx
# See: https://github.com/nginxinc/docker-nginx/issues/190
matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2"
matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3"
# By default, this playbook automatically retrieves and auto-renews
# free SSL certificates from Let's Encrypt.

Loading…
Cancel
Save