sakkiii
cd26af2f6f
Certbot Update (v1.20.0 -> v1.21.0)
3 years ago
sakkiii
7a4f49c457
Nginx Minio Update (1.21.3 -> 1.21.4)
3 years ago
Slavi Pantaleev
735c966ab6
Disable systemd services when stopping to uninstall them
...
Until now, we were leaving services "enabled"
(symlinks in /etc/systemd/system/multi-user.target.wants/).
We clean these up now. Broken symlinks may still exist in older
installations that enabled/disabled services. We're not taking care
to fix these up. It's just a cosmetic defect anyway.
3 years ago
b
6eaa8ac65a
add server_name to matrix-synapsel.conf only if matrix_nginx_proxy_enabled
3 years ago
b
dcda17595a
change port 8090 to matrix_ma1sd_default_port
3 years ago
Slavi Pantaleev
06bcdcf9d2
Merge pull request #1311 from HarHarLinks/master
...
add auto proxy synapse worker metrics
3 years ago
Kim Brose
5f6bbafa17
fix space before tab in indent
3 years ago
HarHarLinks
7b33fc8e19
fixup! auto-generate prometheus.yml for workers metrics
3 years ago
HarHarLinks
ce41674e61
auto-generate prometheus.yml for workers metrics
3 years ago
HarHarLinks
4209c4208c
add own variable for worker metrics
...
https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1311#issuecomment-945718866
3 years ago
Slavi Pantaleev
2bf052369d
Upgrade certbot (v1.19.0 -> v1.20.0)
3 years ago
Kim Brose
1ba7760ea4
add how to generate htpasswd
...
for matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key
resolves #1308
3 years ago
HarHarLinks
d9fa2f7ed4
add auto proxy synapse worker metrics
...
when matrix_nginx_proxy_proxy_synapse_metrics is enabled
3 years ago
Slavi Pantaleev
31396f0615
Merge pull request #1295 from nogweii/feat-support-upstream-https-forwarded
...
Support trusting the upstream server when it says the protocol is HTTPS
3 years ago
Aaron Raimist
a676b5358c
Fix hydrogen OCSP typo
...
From 6f80292745
3 years ago
Colin Shea
2578ca4cee
rename matrix_nginx_proxy_x_forwarded_header_value -> matrix_nginx_proxy_x_forwarded_proto_value
3 years ago
Colin Shea
d0cd67044e
replace $scheme with X-Forwarded-Proto when enabled
3 years ago
sakkiii
3055b3996e
Updates Certbot -> v1.19.0, nginx ->1.21.3-alpine
3 years ago
sakkiii
ae6caf158a
Added variable matrix_nginx_proxy_request_timeout ( #1265 )
...
* add timeout param for nginx proxy
default value matrix_nginx_proxy_request_timeout is 60s
* default matrix_nginx_proxy_request_timeout - 60s
* few more variables for request timeout
* Update nginx.conf.j2
* Update nginx.conf.j2
3 years ago
Slavi Pantaleev
a911207854
Revert "nginx update v1.21.2"
...
This reverts commit 732051b8fc
.
There's no such container image published yet.
3 years ago
sakkiii
732051b8fc
nginx update v1.21.2
...
http://nginx.org/en/CHANGES
3 years ago
sakkiii
f5a7e6d78b
Certbot update v1.18.0
3 years ago
Michael Collins
4d57a41b3f
remove matrix_awx_enabled from these
3 years ago
Michael Collins
2e30802b87
use group variables instead
3 years ago
Michael Collins
8238d65e5f
simplify template conditional
3 years ago
Michael Collins
bfb61e776e
GMH v0.5.7... maybe!
3 years ago
Slavi Pantaleev
4105ba854b
Merge pull request #1147 from datenkollektiv-net/allow-custom-federation-fqn
...
Make federation domain customizable
3 years ago
JokerGermany
9345d840be
root path for the base domain is wrong ( #1189 )
...
* root path for the base domain
* Fix path when running in a container
Co-authored-by: Slavi Pantaleev <slavi@devture.com>
3 years ago
sakkiii
7a51268dfc
Upgrade certbot & nginx
...
Upgrade certbot (v1.16.0 -> v1.17.0) nginx (1.21.0 -> 1.21.1)
3 years ago
Slavi Pantaleev
6294e58304
Fix Content-Security-Policy for Element
...
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1154
According to
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy ,
having both a header and the `<meta>`-tag provided by Element itself is
not a problem. The 2 CSP policies get combined.
3 years ago
oxmie
5df4d68829
Make federation domain customizable
3 years ago
sakkiii
0217644b48
Content-Security-Policy For Element Web
...
https://github.com/vector-im/element-web#configuration-best-practices
4 years ago
Slavi Pantaleev
963f38ee7b
Upgrade certbot (v1.14.0 -> v1.16.0)
4 years ago
pushytoxin
bee14550ab
Fix local/bin scripts autocompletion by adding rx perms to everyone
...
It's mildly annoying when trying to execute these scripts while logged
in as a regular user, as the missing execute permissions will hinder
autocompletion even when trying to use with sudo.
These shell scripts don't contain secrets, but may fail when ran by a
regular user. The failure is due to the lack of access to the /matrix
directory, and does not result in any damage.
4 years ago
Slavi Pantaleev
4880dcceb0
Fix OCSP-stapling-related errors due to missing resolver
...
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1057
4 years ago
rakshazi
4ddd8bbb84
Updated nginx-proxy (1.20.0 -> 1.21.0)
4 years ago
Slavi Pantaleev
1ed0857019
Fix syntax error
...
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1024
4 years ago
sakkiii
4a4a7f136e
changes added to hydrogen client
4 years ago
sakkiii
25e67b51d1
Merge branch 'spantaleev:master' into master
4 years ago
sakkiii
3436f9c10a
rename to matrix_nginx_proxy_hsts_preload_enabled
4 years ago
sakkiii
7cc5328ede
Comments & Ref
4 years ago
sakkiii
df2d91970d
matrix_nginx_proxy_xss_protection
4 years ago
Slavi Pantaleev
6f80292745
Add OCSP stapling support and other SSL optimizations to Hydrogen vhost
...
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1061
and https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1057
4 years ago
Slavi Pantaleev
d0de21ab34
Delete Hydrogen nginx configuration file when disabled
4 years ago
Aaron Raimist
04548f8df2
Merge branch 'master' into hydrogen
4 years ago
Aaron Raimist
9437f78c9e
Build using custom config.json, add CSP, update to 0.1.53
4 years ago
sakkiii
e9b878b9e9
Optimize SSL session
4 years ago
Slavi Pantaleev
e6afa05f7b
Enable OCSP stapling for the federation port
...
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1057
Not sure if this is beneficial though.
4 years ago
Slavi Pantaleev
57a6a98a50
Fix incorrect SSL certificate path
...
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1057
4 years ago
Slavi Pantaleev
b9c4e8ce16
Merge pull request #1057 from sakkiii/ssl_staple
...
Enable OCSP Stapling
4 years ago
sakkiii
d31b55b2a7
SSL-enabled block only
4 years ago
Slavi Pantaleev
e4dd933cf0
Make missing /_synapse/admin correctly return 404 responses
...
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1058
We may try to capture such calls and return a friendlier response (HTML
or JSON) saying "The Synapse Admin API is not enabled", but that may not
be desirable.
For now, we stick to what "upstream" recommends: "simply
don't proxy these APIs", which should lead to the same kind of 404 that
we have now.
See here: 6660912226/docs/reverse_proxy.md (synapse-administration-endpoints)
4 years ago
sakkiii
2c3da6599b
Added warning
4 years ago
sakkiii
0dd4459799
matrix_nginx_proxy_ocsp_stapling_enabled variable added
4 years ago
sakkiii
c05021640d
Enable OCSP Stapling
4 years ago
Aaron Raimist
ca361af616
Add Hydrogen
4 years ago
sakkiii
29cf6a0087
Merge branch 'spantaleev:master' into master
4 years ago
sakkiii
bb0810302d
Merge branch 'spantaleev:master' into master
4 years ago
Béla Becker
b10655ebb1
Jitsi XMPP Websocket support
...
Jitsi-meet enabled websockets by default, claiming better reliability.
Matrix-nginx-proxy configuration has been set up according to the
Prosody documentation: https://prosody.im/doc/websocket
4 years ago
Dan Arnfield
cfaa3e598a
Update nginx (1.19.10 -> 1.20.0)
4 years ago
sakkiii
40fe6bd5c1
variable matrix_nginx_proxy_hsts_preload_enable added
4 years ago
Slavi Pantaleev
389dc26615
Fix Synapse generic worker balancing
...
Potentially fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1022
4 years ago
sakkiii
5b4fdf9b87
Merge branch 'master' of https://github.com/sakkiii/matrix-docker-ansible-deploy
4 years ago
sakkiii
0ccf0fbf1c
HSTS preload + X-XSS enables
...
**HSTS Preloading:**
In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts ) includes all subdomains, and indicates a willingness to be “preloaded” into browsers:
`Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
**X-Xss-Protection:**
`1; mode=block` which tells the browser to block the response if it detects an attack rather than sanitising the script.
4 years ago
sakkiii
3564635f0f
Merge branch 'master' into master
4 years ago
sakkiii
29bba5161b
Element More security headers
...
More Production ready nginx headers for Matrix client element.
4 years ago
Slavi Pantaleev
d691cc0920
Move variable definition a bit
4 years ago
Slavi Pantaleev
e00ef04b57
Add opt-out-of-FLoC headers by default
4 years ago
Slavi Pantaleev
4a1739f604
Merge pull request #1007 from teutat3s/fix/nginx-dont-send-version
...
Don't expose nginx version with each response
4 years ago
teutat3s
2bf7c26cfa
Don't expose nginx version with each response
4 years ago
sakkiii
1958d0792d
Update matrix-client-element.conf.j2
4 years ago
sakkiii
b6d45c5fd8
Merge branch 'master' of https://github.com/sakkiii/matrix-docker-ansible-deploy
4 years ago
sakkiii
05042f5ff1
Improve security grafana
...
- duplicate X-Content-Type-Options
- X-Frame-Options header
- Referrer-Policy [Might consider adding variable]
- Secure flag with cookies
- matrix_grafana_content_security_policy variable for [Content Security Policy](https://grafana.com/docs/grafana/latest/administration/configuration/#content_security_policy )
4 years ago
sakkiii
5dc642ace1
Nginx element web: XSS protection & nosniff header
...
X-XSS-Protection: 1; mode=block; header, for basic XSS protection in legacy browsers.
X-Content-Type-Options: nosniff header, to disable MIME sniffing
4 years ago
Slavi Pantaleev
c7c137df74
Upgrade nginx and certbot
4 years ago
Ahmad Haghighi
e335f3fc77
rename matrix_global_registry to matrix_container_global_registry_prefix related to #990
...
Signed-off-by: Ahmad Haghighi <haghighi@fedoraproject.org>
4 years ago
Ahmad Haghighi
f52a8b6484
use custom docker registry
4 years ago
Christoph Johannes Kleine
fcd66b2889
rename variables
4 years ago
Christoph Johannes Kleine
8ba1105010
rename variable
4 years ago
Christoph Johannes Kleine
3a772f2f65
matrix-nginx-proxy: add custom nginx options to nginx.conf.j2
4 years ago
Dan Arnfield
97d8527e00
Update nginx (1.19.6 -> 1.19.8)
4 years ago
Slavi Pantaleev
06c74728eb
Move matrix_nginx_proxy_proxy_synapse_federation_api_enabled definition to the role
...
This variable was previously undefined in the role and was only getting
defined via `group_vars/matrix_servers`.
We now properly initialize it (and its good default value) in the role
itself.
4 years ago
Slavi Pantaleev
9a0222fa47
Add Sygnal support
...
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/683
4 years ago
Aaron Raimist
32b3650c12
Set X-Forwarded-Proto on federation requests
4 years ago
Aaron Raimist
466827139a
Also check if matrix_ssl_lets_encrypt_support_email is blank
4 years ago
Slavi Pantaleev
011e95c1d2
Merge pull request #893 from GoMatrixHosting/master
...
matrix-awx - the GoMatrixHosting v0.3.0 initial PR
4 years ago
Slavi Pantaleev
6181861ffe
Merge pull request #929 from Zir0h/master
...
Added support for the Go-NEB bot
4 years ago
Alexandros Afentoulis
28c255539c
matrix-nginx-proxy: specify Origin header, comply with CORS
...
Self-checks against the .well-known URIs look for the HTTP header
"Access-Control-Allow-Origin" indicating that the remode endpoint
supports CORS. But the remote server is not required to include
said header in the response if the HTTP request does not include
the "Origin" header. This is in accordance with the specification
[1] stating: 'A CORS request is an HTTP request that includes an
"Origin" header.'
This is in fact true for Gitlab pages hosting and that's why the
issue was identified.
Let's specify "Origin" header in the respective uri tasks performing
the HTTP request and ensure a CORS request.
[1] https://fetch.spec.whatwg.org/#http-requests
4 years ago
Yannick Goossens
51e2547484
Added support for the Go-NEB bot
4 years ago
Slavi Pantaleev
9b72384df7
Upgrade Synapse (1.28.0 -> 1.29.0)
4 years ago
Slavi Pantaleev
f0698ee641
Do not overwrite X-Forwarded-For when reverse-proxying to Synapse
...
We have a flow like this:
1. matrix.DOMAIN vhost (matrix-domain.conf)
2. matrix-synapse vhost (matrix-synapse.conf); or matrix-corporal container, if enabled
3. (optional) matrix-synapse vhost (matrix-synapse.conf), if matrix-corporal enabled
4. matrix-synapse container
We are setting `X-Forwarded-For` correctly in step #1 , but were
overwriting it in step #2 with something inaccurate.
Not doing anything in step #2 is better than doing the wrong thing.
It's probably best if we append another reverse-proxy address there
though, although what we're doing now (with this patch) seems to yield
the correct result (when matrix-corporal is not enabled).
When matrix-corporal is enabled, we still seem to do the wrong thing for
some reason. It's something to be fixed later on.
4 years ago
SierraKiloBravo
0de0716527
Added nginx proxy worker configuration to template and defaults
4 years ago
Slavi Pantaleev
009efdad49
Fix matrix.DOMAIN/_synapse/metrics exposing
...
This is something that got lost during
https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/456
and more specifically 4d62a75f6f
.
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/914
4 years ago
Slavi Pantaleev
a25b8135b8
Fix point overlap between matrix-domain and Jitsi
...
Mostly affects people who disable the integrated `matrix-nginx-proxy`.
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/456
and more specifically 4d62a75f6f
.
4 years ago
Michael
33ec5710d9
0.2.1 revision
4 years ago
Hardy Erlinger
f4930d789e
Run Let's Encrypt renewal checks daily instead of weekly.
...
This ensures more timely updates of certifcates.
4 years ago
Slavi Pantaleev
6baa91dd9f
Do not delete matrix-ssl-lets-encrypt-certificates-renew only to recreate it later
...
This seems to have been added to the list of "deprecated files to
remove" by mistake.
4 years ago
Slavi Pantaleev
1ef683d366
Make nginx proxy config (when disabled) obey matrix_federation_public_port
...
People who were disabling matrix-nginx-proxy (in favor of their own
nginx webserver) and also overriding `matrix_federation_public_port`,
found that the generated nginx configuration still hardcoded `8448`,
which forced their nginx server to use that, regardless of the fact
that `matrix_federation_public_port` was pointing elsewhere.
We now allow for the in-container federation port to be configurable,
and also automatically wire things properly.
4 years ago
rakshazi
2f887f292c
added "matrix_%SERVICE%_version" variable to all roles, use it in "matrix_%SERVICE%_docker_image" var (preserving backward-compatibility)
4 years ago
Michael
4c882c513b
initial PR
4 years ago