titanz
/
matrix-docker-ansible-deploy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Document the new variables for ngingx SSL config

Browse Source 
The new variables created to the nginx reverse proxy are properly added
to the documentation.
development
Agustin Ferrario 4 years ago
parent 2082242499
commit ff6db5fd3b
2 changed files with 25 additions and 1 deletions
Show Stats Download Patch File Download Diff File

23
docs/configuring-playbook-nginx.md
Unescape View File

@ -24,6 +24,29 @@ matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses:
- 1.1.1.1 - 1.1.1.1
``` ```
## Adjusting SSL in your server
You can adjust how the SSL is served by the nginx server by setting the `matrix_nginx_proxy_ssl_config`. This is based on the Mozilla Server Side TLS
Recommended configurations. It changes the TLS Protocol, the SSL Cipher Suites and the `ssl_prefer_server_ciphers` variable of nginx.
The posible values are:
- "Modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility
- "Intermediate" - Recommended configuration for a general-purpose server
- "Old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8
- "Custom" - For defining your own protocols an ciphers
The default is set to `"Intermediate"`.
**Be really carefull when setting it to "Modern"**. This could break the comunication with other matrix servers, limiting your feration posibilities and the
[Federarion tester](https://federationtester.matrix.org/) won't work.
If you set `matrix_nginx_proxy_ssl_config` to `"Custom"`, you will get three variables that you will be able to set:
- `matrix_nginx_proxy_ssl_protocols`: for specifying the supported TLS protocols.
- `matrix_nginx_proxy_ssl_prefer_server_ciphers`: for specifying if the server or the client choice when negociating the chipher. It can set to "on" or "off".
- `matrix_nginx_proxy_ssl_ciphers`: for specifying the SSL Cipher suites used by nginx.
For more information about this variables, check the `roles/matrix-nginx-proxy/defaults/main.yml` file.
## Synapse + OpenID Connect for Single-Sign-On ## Synapse + OpenID Connect for Single-Sign-On

3
docs/configuring-playbook-own-webserver.md
Unescape View File

@ -48,10 +48,11 @@ Those configuration files are adapted for use with an external web server (one n
You can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your own `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;` You can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your own `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;`
Note that if your nginx version is old, it might not like our default choice of SSL protocols (particularly the fact that the brand new `TLSv1.3` protocol is enabled). You can override the protocol list by redefining the `matrix_nginx_proxy_ssl_protocols` variable. Example: Note that if your nginx version is old, it might not like our default choice of SSL protocols (particularly the fact that the brand new `TLSv1.3` protocol is enabled). You can override the protocol list by setting `matrix_nginx_proxy_ssl_config` to `"Custom"` redefining the `matrix_nginx_proxy_ssl_protocols` variable. Example:
```yaml ```yaml
# Custom protocol list (removing `TLSv1.3`) to suit your nginx version. # Custom protocol list (removing `TLSv1.3`) to suit your nginx version.
matrix_nginx_proxy_ssl_config: "Custom"
matrix_nginx_proxy_ssl_protocols: "TLSv1.2" matrix_nginx_proxy_ssl_protocols: "TLSv1.2"
``` ```

Write Preview
Loading…
Cancel
Save