|
|
matrix_nginx_proxy_enabled: true
|
|
|
matrix_nginx_proxy_version: 1.21.3-alpine
|
|
|
|
|
|
# We use an official nginx image, which we fix-up to run unprivileged.
|
|
|
# An alternative would be an `nginxinc/nginx-unprivileged` image, but
|
|
|
# that is frequently out of date.
|
|
|
matrix_nginx_proxy_docker_image: "{{ matrix_container_global_registry_prefix }}nginx:{{ matrix_nginx_proxy_version }}"
|
|
|
matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}"
|
|
|
|
|
|
matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy"
|
|
|
matrix_nginx_proxy_data_path: "{{ matrix_nginx_proxy_base_path }}/data"
|
|
|
matrix_nginx_proxy_data_path_in_container: "/nginx-data"
|
|
|
matrix_nginx_proxy_data_path_extension: "/matrix_domain"
|
|
|
matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_base_path }}/conf.d"
|
|
|
|
|
|
# List of systemd services that matrix-nginx-proxy.service depends on
|
|
|
matrix_nginx_proxy_systemd_required_services_list: ['docker.service']
|
|
|
|
|
|
# List of systemd services that matrix-nginx-proxy.service wants
|
|
|
matrix_nginx_proxy_systemd_wanted_services_list: []
|
|
|
|
|
|
# A list of additional "volumes" to mount in the container.
|
|
|
# This list gets populated dynamically at runtime. You can provide a different default value,
|
|
|
# if you wish to mount your own files into the container.
|
|
|
# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}
|
|
|
matrix_nginx_proxy_container_additional_volumes: []
|
|
|
|
|
|
# A list of extra arguments to pass to the container
|
|
|
matrix_nginx_proxy_container_extra_arguments: []
|
|
|
|
|
|
# Controls whether matrix-nginx-proxy serves its vhosts over HTTPS or HTTP.
|
|
|
#
|
|
|
# If enabled:
|
|
|
# - SSL certificates would be expected to be available (see `matrix_ssl_retrieval_method`)
|
|
|
# - the HTTP vhost would be made a redirect to the HTTPS vhost
|
|
|
#
|
|
|
# If not enabled:
|
|
|
# - you don't need any SSL certificates (you can set `matrix_ssl_retrieval_method: none`)
|
|
|
# - naturally, there's no HTTPS vhost
|
|
|
# - services are served directly from the HTTP vhost
|
|
|
matrix_nginx_proxy_https_enabled: true
|
|
|
|
|
|
# Controls whether matrix-nginx-proxy trusts an upstream server's X-Forwarded-Proto header
|
|
|
#
|
|
|
# Required if you disable HTTPS for the container (see `matrix_nginx_proxy_https_enabled`) and have an upstream server handle it instead.
|
|
|
matrix_nginx_proxy_trust_forwarded_proto: false
|
|
|
matrix_nginx_proxy_x_forwarded_header_value: "{{ '$http_x_forwarded_proto' if matrix_nginx_proxy_trust_forwarded_proto else '$scheme' }}"
|
|
|
|
|
|
# Controls whether the matrix-nginx-proxy container exposes its HTTP port (tcp/8080 in the container).
|
|
|
#
|
|
|
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:80"), or empty string to not expose.
|
|
|
matrix_nginx_proxy_container_http_host_bind_port: '80'
|
|
|
|
|
|
# Controls whether the matrix-nginx-proxy container exposes its HTTPS port (tcp/8443 in the container).
|
|
|
#
|
|
|
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:443"), or empty string to not expose.
|
|
|
#
|
|
|
# This only makes sense and applies if `matrix_nginx_proxy_https_enabled` is set to `true`.
|
|
|
# Otherwise, there are no HTTPS vhosts to expose.
|
|
|
matrix_nginx_proxy_container_https_host_bind_port: '443'
|
|
|
|
|
|
# Controls whether the matrix-nginx-proxy container exposes the Matrix Federation port (tcp/8448 in the container).
|
|
|
#
|
|
|
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8448"), or empty string to not expose.
|
|
|
#
|
|
|
# This only makes sense and applies if `matrix_nginx_proxy_proxy_matrix_federation_api_enabled` is set to `true`.
|
|
|
# Otherwise, there is no Matrix Federation port to expose.
|
|
|
#
|
|
|
# This port can take HTTP or HTTPS traffic, depending on `matrix_nginx_proxy_https_enabled`.
|
|
|
# When HTTPS is disabled, you'd likely want to only expose the port locally, and front it with another HTTPS-enabled reverse-proxy.
|
|
|
matrix_nginx_proxy_container_federation_host_bind_port: '8448'
|
|
|
|
|
|
# Controls whether matrix-nginx-proxy should serve the base domain.
|
|
|
#
|
|
|
# This is useful for when you only have your Matrix server, but you need to serve
|
|
|
# to serve `/.well-known/matrix/*` files from the base domain for the needs of
|
|
|
# Server-Discovery (Federation) and for Client-Discovery.
|
|
|
#
|
|
|
# Besides serving these Matrix files, a homepage would be served with content
|
|
|
# as specified in the `matrix_nginx_proxy_base_domain_homepage_template` variable.
|
|
|
# You can also put additional files to use for this webpage
|
|
|
# in the `{{ matrix_nginx_proxy_data_path }}/matrix-domain` (`/matrix/nginx-proxy/data/matrix-domain`) directory.
|
|
|
matrix_nginx_proxy_base_domain_serving_enabled: false
|
|
|
|
|
|
# Controls whether the base domain directory and default index.html file are created.
|
|
|
matrix_nginx_proxy_base_domain_create_directory: true
|
|
|
|
|
|
matrix_nginx_proxy_base_domain_hostname: "{{ matrix_domain }}"
|
|
|
|
|
|
# Controls whether `matrix_nginx_proxy_base_domain_homepage_template` would be dumped to an `index.html` file
|
|
|
# in the `/matrix/nginx-proxy/data/matrix-domain` directory.
|
|
|
#
|
|
|
# If you would instead like to serve a static website by yourself, you can disable this.
|
|
|
# When disabled, you're expected to put website files in `/matrix/nginx-proxy/data/matrix-domain` manually
|
|
|
# and can expect that the playbook won't intefere with the `index.html` file.
|
|
|
matrix_nginx_proxy_base_domain_homepage_enabled: true
|
|
|
|
|
|
matrix_nginx_proxy_base_domain_homepage_template: |-
|
|
|
<!doctype html>
|
|
|
<meta charset="utf-8" />
|
|
|
<html>
|
|
|
<body>
|
|
|
Hello from {{ matrix_domain }}!
|
|
|
</body>
|
|
|
</html>
|
|
|
|
|
|
# Option to disable the access log
|
|
|
matrix_nginx_proxy_access_log_enabled: true
|
|
|
|
|
|
# Controls whether proxying the riot domain should be done.
|
|
|
matrix_nginx_proxy_proxy_riot_compat_redirect_enabled: false
|
|
|
matrix_nginx_proxy_proxy_riot_compat_redirect_hostname: "riot.{{ matrix_domain }}"
|
|
|
|
|
|
# Controls whether proxying the Synapse domain should be done.
|
|
|
matrix_nginx_proxy_proxy_synapse_enabled: false
|
|
|
matrix_nginx_proxy_proxy_synapse_hostname: "matrix-nginx-proxy"
|
|
|
matrix_nginx_proxy_proxy_synapse_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}"
|
|
|
# The addresses where the Federation API is, when using Synapse.
|
|
|
matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "matrix-synapse:8048"
|
|
|
matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "localhost:8048"
|
|
|
|
|
|
# Controls whether proxying the Element domain should be done.
|
|
|
matrix_nginx_proxy_proxy_element_enabled: false
|
|
|
matrix_nginx_proxy_proxy_element_hostname: "{{ matrix_server_fqn_element }}"
|
|
|
|
|
|
# Controls whether proxying the Hydrogen domain should be done.
|
|
|
matrix_nginx_proxy_proxy_hydrogen_enabled: false
|
|
|
matrix_nginx_proxy_proxy_hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}"
|
|
|
|
|
|
# Controls whether proxying the matrix domain should be done.
|
|
|
matrix_nginx_proxy_proxy_matrix_enabled: false
|
|
|
matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}"
|
|
|
matrix_nginx_proxy_proxy_matrix_federation_hostname: "{{ matrix_nginx_proxy_proxy_matrix_hostname }}"
|
|
|
# The port name used for federation in the nginx configuration.
|
|
|
# This is not necessarily the port that it's actually on,
|
|
|
# as port-mapping happens (`-p ..`) for the `matrix-nginx-proxy` container.
|
|
|
matrix_nginx_proxy_proxy_matrix_federation_port: 8448
|
|
|
|
|
|
# Controls whether proxying the dimension domain should be done.
|
|
|
matrix_nginx_proxy_proxy_dimension_enabled: false
|
|
|
matrix_nginx_proxy_proxy_dimension_hostname: "{{ matrix_server_fqn_dimension }}"
|
|
|
|
|
|
# Controls whether proxying the goneb domain should be done.
|
|
|
matrix_nginx_proxy_proxy_bot_go_neb_enabled: false
|
|
|
matrix_nginx_proxy_proxy_bot_go_neb_hostname: "{{ matrix_server_fqn_bot_go_neb }}"
|
|
|
|
|
|
# Controls whether proxying the jitsi domain should be done.
|
|
|
matrix_nginx_proxy_proxy_jitsi_enabled: false
|
|
|
matrix_nginx_proxy_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}"
|
|
|
|
|
|
# Controls whether proxying the grafana domain should be done.
|
|
|
matrix_nginx_proxy_proxy_grafana_enabled: false
|
|
|
matrix_nginx_proxy_proxy_grafana_hostname: "{{ matrix_server_fqn_grafana }}"
|
|
|
|
|
|
# Controls whether proxying the sygnal domain should be done.
|
|
|
matrix_nginx_proxy_proxy_sygnal_enabled: false
|
|
|
matrix_nginx_proxy_proxy_sygnal_hostname: "{{ matrix_server_fqn_sygnal }}"
|
|
|
|
|
|
# Controls whether proxying for the matrix-corporal API (`/_matrix/corporal`) should be done (on the matrix domain)
|
|
|
matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false
|
|
|
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
|
|
|
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081"
|
|
|
|
|
|
# Controls whether proxying for the User Directory Search API (`/_matrix/client/r0/user_directory/search`) should be done (on the matrix domain).
|
|
|
# This can be used to forward the API endpoint to another service, augmenting the functionality of Synapse's own User Directory Search.
|
|
|
# To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/directory.md
|
|
|
matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false
|
|
|
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-ma1sd:8090"
|
|
|
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "127.0.0.1:8090"
|
|
|
|
|
|
# Controls whether proxying for 3PID-based registration (`/_matrix/client/r0/register/(email|msisdn)/requestToken`) should be done (on the matrix domain).
|
|
|
# This allows another service to control registrations involving 3PIDs.
|
|
|
# To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md
|
|
|
matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled: false
|
|
|
matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container: "matrix-ma1sd:8090"
|
|
|
matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container: "127.0.0.1:8090"
|
|
|
|
|
|
# Controls whether proxying for the Identity API (`/_matrix/identity`) should be done (on the matrix domain)
|
|
|
matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false
|
|
|
matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:8090"
|
|
|
matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:8090"
|
|
|
|
|
|
# Controls whether proxying for metrics (`/_synapse/metrics`) should be done (on the matrix domain)
|
|
|
matrix_nginx_proxy_proxy_synapse_metrics: false
|
|
|
matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled: false
|
|
|
matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: ""
|
|
|
|
|
|
# The addresses where the Matrix Client API is.
|
|
|
# Certain extensions (like matrix-corporal) may override this in order to capture all traffic.
|
|
|
matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-nginx-proxy:12080"
|
|
|
matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:12080"
|
|
|
|
|
|
# The addresses where the Matrix Client API is, when using Synapse.
|
|
|
matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container: "matrix-synapse:8008"
|
|
|
matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "127.0.0.1:8008"
|
|
|
|
|
|
# This needs to be equal or higher than the maximum upload size accepted by Synapse.
|
|
|
matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 50
|
|
|
|
|
|
|
|
|
# Tells whether `/_synapse/client` is forwarded to the Matrix Client API server.
|
|
|
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled: true
|
|
|
|
|
|
# Tells whether `/_synapse/oidc` is forwarded to the Matrix Client API server.
|
|
|
# Enable this if you need OpenID Connect authentication support.
|
|
|
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled: false
|
|
|
|
|
|
# Tells whether `/_synapse/admin` is forwarded to the Matrix Client API server.
|
|
|
# Following these recommendations (https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md), by default, we don't.
|
|
|
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: false
|
|
|
|
|
|
# `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefixes` holds
|
|
|
# the location prefixes that get forwarded to the Matrix Client API server.
|
|
|
# These locations get combined into a regex like this `^(/_matrix|/_synapse/client)`.
|
|
|
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes: |
|
|
|
{{
|
|
|
(['/_matrix'])
|
|
|
+
|
|
|
(['/_synapse/client'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled else [])
|
|
|
+
|
|
|
(['/_synapse/oidc'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled else [])
|
|
|
+
|
|
|
(['/_synapse/admin'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled else [])
|
|
|
+
|
|
|
(['/_synapse/metrics'] if matrix_nginx_proxy_proxy_synapse_metrics else [])
|
|
|
}}
|
|
|
|
|
|
# Specifies where requests for the root URI (`/`) on the `matrix.` domain should be redirected.
|
|
|
# If this has an empty value, they're just passed to the homeserver, which serves a static page.
|
|
|
# If you'd like to make `https://matrix.DOMAIN` redirect to `https://element.DOMAIN` (or something of that sort), specify the domain name here.
|
|
|
# Example value: `element.DOMAIN` (or `{{ matrix_server_fqn_element }}`).
|
|
|
matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: ""
|
|
|
|
|
|
# Controls whether proxying for the Matrix Federation API should be done.
|
|
|
matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false
|
|
|
matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-nginx-proxy:12088"
|
|
|
matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "localhost:12088"
|
|
|
matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb | int) * 3 }}"
|
|
|
matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem"
|
|
|
matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem"
|
|
|
matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem"
|
|
|
|
|
|
# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
|
|
|
matrix_nginx_proxy_tmp_directory_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb | int) * 50 }}"
|
|
|
|
|
|
# A list of strings containing additional configuration blocks to add to the nginx server configuration (nginx.conf).
|
|
|
# for big matrixservers to enlarge the number of open files to prevent timeouts
|
|
|
# matrix_nginx_proxy_proxy_additional_configuration_blocks:
|
|
|
# - 'worker_rlimit_nofile 30000;'
|
|
|
matrix_nginx_proxy_proxy_additional_configuration_blocks: []
|
|
|
|
|
|
# A list of strings containing additional configuration blocks to add to the nginx event server configuration (nginx.conf).
|
|
|
matrix_nginx_proxy_proxy_event_additional_configuration_blocks: []
|
|
|
|
|
|
# A list of strings containing additional configuration blocks to add to the nginx http's server configuration (nginx-http.conf).
|
|
|
matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks: []
|
|
|
|
|
|
# A list of strings containing additional configuration blocks to add to the base matrix server configuration (matrix-domain.conf).
|
|
|
matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: []
|
|
|
|
|
|
# A list of strings containing additional configuration blocks to add to the synapse's server configuration (matrix-synapse.conf).
|
|
|
matrix_nginx_proxy_proxy_synapse_additional_server_configuration_blocks: []
|
|
|
|
|
|
# A list of strings containing additional configuration blocks to add to Riot's server configuration (matrix-riot-web.conf).
|
|
|
matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks: []
|
|
|
|
|
|
# A list of strings containing additional configuration blocks to add to Element's server configuration (matrix-client-element.conf).
|
|
|
matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks: []
|
|
|
|
|
|
# A list of strings containing additional configuration blocks to add to Element's server configuration (matrix-client-element.conf).
|
|
|
matrix_nginx_proxy_proxy_hydrogen_additional_server_configuration_blocks: []
|
|
|
|
|
|
# A list of strings containing additional configuration blocks to add to Dimension's server configuration (matrix-dimension.conf).
|
|
|
matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: []
|
|
|
|
|
|
# A list of strings containing additional configuration blocks to add to GoNEB's server configuration (matrix-bot-go-neb.conf).
|
|
|
matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks: []
|
|
|
|
|
|
# A list of strings containing additional configuration blocks to add to Jitsi's server configuration (matrix-jitsi.conf).
|
|
|
matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks: []
|
|
|
|
|
|
# A list of strings containing additional configuration blocks to add to Grafana's server configuration (matrix-grafana.conf).
|
|
|
matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks: []
|
|
|
|
|
|
# A list of strings containing additional configuration blocks to add to Sygnal's server configuration (matrix-sygnal.conf).
|
|
|
matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks: []
|
|
|
|
|
|
# A list of strings containing additional configuration blocks to add to the base domain server configuration (matrix-base-domain.conf).
|
|
|
matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: []
|
|
|
|
|
|
# To increase request timeout in NGINX using proxy_read_timeout, proxy_connect_timeout, proxy_send_timeout, send_timeout directives
|
|
|
# Nginx Default: proxy_connect_timeout 60s; #Defines a timeout for establishing a connection with a proxied server
|
|
|
# Nginx Default: proxy_send_timeout 60s; #Sets a timeout for transmitting a request to the proxied server.
|
|
|
# Nginx Default: proxy_read_timeout 60s; #Defines a timeout for reading a response from the proxied server.
|
|
|
# Nginx Default: send_timeout 60s; #Sets a timeout for transmitting a response to the client.
|
|
|
#
|
|
|
# For more information visit:
|
|
|
# http://nginx.org/en/docs/http/ngx_http_proxy_module.html
|
|
|
# http://nginx.org/en/docs/http/ngx_http_core_module.html#send_timeout
|
|
|
# https://www.nginx.com/resources/wiki/start/topics/examples/fullexample2/
|
|
|
#
|
|
|
# Here we are sticking with nginx default values change this value carefully.
|
|
|
matrix_nginx_proxy_connect_timeout: 60
|
|
|
matrix_nginx_proxy_send_timeout: 60
|
|
|
matrix_nginx_proxy_read_timeout: 60
|
|
|
matrix_nginx_send_timeout: 60
|
|
|
|
|
|
# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses for all vhosts meant to be accessed by users.
|
|
|
#
|
|
|
# Learn more about what it is here:
|
|
|
# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
|
|
|
# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
|
|
|
# - https://amifloced.org/
|
|
|
#
|
|
|
# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
|
|
|
matrix_nginx_proxy_floc_optout_enabled: true
|
|
|
|
|
|
# HSTS Preloading Enable
|
|
|
#
|
|
|
# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and
|
|
|
# indicates a willingness to be “preloaded” into browsers:
|
|
|
# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
|
|
|
# For more information visit:
|
|
|
# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
|
|
|
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
|
|
|
# - https://hstspreload.org/#opt-in
|
|
|
matrix_nginx_proxy_hsts_preload_enabled: false
|
|
|
|
|
|
# X-XSS-Protection Enable
|
|
|
# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
|
|
|
# Note: Not applicable for grafana
|
|
|
#
|
|
|
# Learn more about it is here:
|
|
|
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
|
|
|
# - https://portswigger.net/web-security/cross-site-scripting/reflected
|
|
|
matrix_nginx_proxy_xss_protection: "1; mode=block"
|
|
|
|
|
|
# Specifies the SSL configuration that should be used for the SSL protocols and ciphers
|
|
|
# This is based on the Mozilla Server Side TLS Recommended configurations.
|
|
|
#
|
|
|
# The posible values are:
|
|
|
# - "modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility
|
|
|
# - "intermediate" - Recommended configuration for a general-purpose server
|
|
|
# - "old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8
|
|
|
#
|
|
|
# For more information visit:
|
|
|
# - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
|
|
|
# - https://ssl-config.mozilla.org/#server=nginx
|
|
|
matrix_nginx_proxy_ssl_preset: "intermediate"
|
|
|
|
|
|
# Presets are taken from Mozilla's Server Side TLS Recommended configurations
|
|
|
# DO NOT modify these values and use `matrix_nginx_proxy_ssl_protocols`, `matrix_nginx_proxy_ssl_ciphers` and `matrix_nginx_proxy_ssl_ciphers`
|
|
|
# if you wish to use something more custom.
|
|
|
matrix_nginx_proxy_ssl_presets:
|
|
|
modern:
|
|
|
protocols: TLSv1.3
|
|
|
ciphers: ""
|
|
|
prefer_server_ciphers: "off"
|
|
|
intermediate:
|
|
|
protocols: TLSv1.2 TLSv1.3
|
|
|
ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
|
|
prefer_server_ciphers: "off"
|
|
|
old:
|
|
|
protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
|
|
|
ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
|
|
|
prefer_server_ciphers: "on"
|
|
|
|
|
|
|
|
|
# Specifies which *SSL protocols* to use when serving all the various vhosts.
|
|
|
matrix_nginx_proxy_ssl_protocols: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}"
|
|
|
|
|
|
# Specifies whether to prefer *the client’s choice or the server’s choice* when negotiating ciphers.
|
|
|
matrix_nginx_proxy_ssl_prefer_server_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}"
|
|
|
|
|
|
# Specifies which *SSL Cipher suites* to use when serving all the various vhosts.
|
|
|
# To see the full list for suportes ciphers run `openssl ciphers` on your server
|
|
|
matrix_nginx_proxy_ssl_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"
|
|
|
|
|
|
# Controls whether the self-check feature should validate SSL certificates.
|
|
|
matrix_nginx_proxy_self_check_validate_certificates: true
|
|
|
|
|
|
# Controls whether redirects will be followed when checking the `/.well-known/matrix/client` resource.
|
|
|
#
|
|
|
# As per the spec (https://matrix.org/docs/spec/client_server/r0.6.0#well-known-uri), it shouldn't be,
|
|
|
# so we default to not following redirects as well.
|
|
|
matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects: none
|
|
|
|
|
|
# For OCSP purposes, we need to define a resolver at the `server{}` level or `http{}` level (we do the latter).
|
|
|
#
|
|
|
# Otherwise, we get warnings like this:
|
|
|
# > [warn] 22#22: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: "/matrix/ssl/config/live/.../fullchain.pem"
|
|
|
#
|
|
|
# We point it to the internal Docker resolver, which likely delegates to nameservers defined in `/etc/resolv.conf`.
|
|
|
#
|
|
|
# When nginx proxy is disabled, our configuration is likely used by non-containerized nginx, so can't use the internal Docker resolver.
|
|
|
# Pointing `resolver` to some public DNS server might be an option, but for now we impose DNS servers on people.
|
|
|
# It might also be that no such warnings occur when not running in a container.
|
|
|
matrix_nginx_proxy_http_level_resolver: "{{ '127.0.0.11' if matrix_nginx_proxy_enabled else '' }}"
|
|
|
|
|
|
# By default, this playbook automatically retrieves and auto-renews
|
|
|
# free SSL certificates from Let's Encrypt.
|
|
|
#
|
|
|
# The following retrieval methods are supported:
|
|
|
# - "lets-encrypt" - the playbook obtains free SSL certificates from Let's Encrypt
|
|
|
# - "self-signed" - the playbook generates and self-signs certificates
|
|
|
# - "manually-managed" - lets you manage certificates by yourself (manually; see below)
|
|
|
# - "none" - like "manually-managed", but doesn't care if you don't drop certificates in the location it expects
|
|
|
#
|
|
|
# If you decide to manage certificates by yourself (`matrix_ssl_retrieval_method: manually-managed`),
|
|
|
# you'd need to drop them into the directory specified by `matrix_ssl_config_dir_path`
|
|
|
# obeying the following hierarchy:
|
|
|
# - <matrix_ssl_config_dir_path>/live/<domain>/fullchain.pem
|
|
|
# - <matrix_ssl_config_dir_path>/live/<domain>/privkey.pem
|
|
|
# where <domain> refers to the domains that you need (usually `matrix_server_fqn_matrix` and `matrix_server_fqn_element`).
|
|
|
#
|
|
|
# The "none" type (`matrix_ssl_retrieval_method: none`), simply means that no certificate retrieval will happen.
|
|
|
# It's useful for when you've disabled the nginx proxy (`matrix_nginx_proxy_enabled: false`)
|
|
|
# and you'll be using another reverse-proxy server (like Apache) with your own certificates, managed by yourself.
|
|
|
# It's also useful if you're using `matrix_nginx_proxy_https_enabled: false` to make this nginx proxy serve
|
|
|
# plain HTTP traffic only (usually, on the loopback interface only) and you'd be terminating SSL using another reverse-proxy.
|
|
|
matrix_ssl_retrieval_method: "lets-encrypt"
|
|
|
|
|
|
matrix_ssl_architecture: "amd64"
|
|
|
|
|
|
# The full list of domains that this role will obtain certificates for.
|
|
|
# This variable is likely redefined outside of the role, to include the domains that are necessary (depending on the services that are enabled).
|
|
|
# To add additional domain names, consider using `matrix_ssl_additional_domains_to_obtain_certificates_for` instead.
|
|
|
matrix_ssl_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains_to_obtain_certificates_for }}"
|
|
|
|
|
|
# A list of additional domain names to obtain certificates for.
|
|
|
matrix_ssl_additional_domains_to_obtain_certificates_for: []
|
|
|
|
|
|
# Controls whether to obtain production or staging certificates from Let's Encrypt.
|
|
|
matrix_ssl_lets_encrypt_staging: false
|
|
|
matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.19.0"
|
|
|
matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}"
|
|
|
matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402
|
|
|
matrix_ssl_lets_encrypt_support_email: ~
|
|
|
|
|
|
# Tells which interface and port the Let's Encrypt (certbot) container should try to bind to
|
|
|
# when it tries to obtain initial certificates in standalone mode.
|
|
|
#
|
|
|
# This should normally be a public interface and port.
|
|
|
# If you'd like to not bind on all IP addresses, specify one explicitly (e.g. `a.b.c.d:80`)
|
|
|
matrix_ssl_lets_encrypt_container_standalone_http_host_bind_port: '80'
|
|
|
|
|
|
matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl"
|
|
|
matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config"
|
|
|
matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log"
|
|
|
|
|
|
# If you'd like to start some service before a certificate is obtained, specify it here.
|
|
|
# This could be something like `matrix-dynamic-dns`, etc.
|
|
|
matrix_ssl_pre_obtaining_required_service_name: ~
|
|
|
matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60
|
|
|
|
|
|
# Nginx Optimize SSL Session
|
|
|
#
|
|
|
# ssl_session_cache:
|
|
|
# - Creating a cache of TLS connection parameters reduces the number of handshakes
|
|
|
# and thus can improve the performance of application.
|
|
|
# - Default session cache is not optimal as it can be used by only one worker process
|
|
|
# and can cause memory fragmentation. It is much better to use shared cache.
|
|
|
# - Learn More: https://nginx.org/en/docs/http/ngx_http_ssl_module.html
|
|
|
#
|
|
|
# ssl_session_timeout:
|
|
|
# - Nginx by default it is set to 5 minutes which is very low.
|
|
|
# should be like 4h or 1d but will require you to increase the size of cache.
|
|
|
# - Learn More:
|
|
|
# https://github.com/certbot/certbot/issues/6903
|
|
|
# https://github.com/mozilla/server-side-tls/issues/198
|
|
|
#
|
|
|
# ssl_session_tickets:
|
|
|
# - In case of session tickets, information about session is given to the client.
|
|
|
# Enabling this improve performance also make Perfect Forward Secrecy useless.
|
|
|
# - If you would instead like to use ssl_session_tickets by yourself, you can set
|
|
|
# matrix_nginx_proxy_ssl_session_tickets_off false.
|
|
|
# - Learn More: https://github.com/mozilla/server-side-tls/issues/135
|
|
|
#
|
|
|
# Presets are taken from Mozilla's Server Side TLS Recommended configurations
|
|
|
matrix_nginx_proxy_ssl_session_cache: "shared:MozSSL:10m"
|
|
|
matrix_nginx_proxy_ssl_session_timeout: "1d"
|
|
|
matrix_nginx_proxy_ssl_session_tickets_off: true
|
|
|
|
|
|
# OCSP Stapling eliminating the need for clients to contact the CA, with the aim of improving both security and performance.
|
|
|
# OCSP stapling can provide a performance boost of up to 30%
|
|
|
# nginx web server supports OCSP stapling since version 1.3.7.
|
|
|
#
|
|
|
# *warning* Nginx is lazy loading OCSP responses, which means that for the first few web requests it is unable to add the OCSP response.
|
|
|
# set matrix_nginx_proxy_ocsp_stapling_enabled false to disable OCSP Stapling
|
|
|
#
|
|
|
# Learn more about what it is here:
|
|
|
# - https://en.wikipedia.org/wiki/OCSP_stapling
|
|
|
# - https://blog.cloudflare.com/high-reliability-ocsp-stapling/
|
|
|
# - https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
|
|
|
matrix_nginx_proxy_ocsp_stapling_enabled: true
|
|
|
|
|
|
# nginx status page configurations.
|
|
|
matrix_nginx_proxy_proxy_matrix_nginx_status_enabled: false
|
|
|
matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: ['{{ ansible_default_ipv4.address }}']
|
|
|
|
|
|
|
|
|
# synapse worker activation and endpoint mappings
|
|
|
matrix_nginx_proxy_synapse_workers_enabled: false
|
|
|
matrix_nginx_proxy_synapse_workers_list: []
|
|
|
matrix_nginx_proxy_synapse_generic_worker_client_server_locations: []
|
|
|
matrix_nginx_proxy_synapse_generic_worker_federation_locations: []
|
|
|
matrix_nginx_proxy_synapse_media_repository_locations: []
|
|
|
matrix_nginx_proxy_synapse_user_dir_locations: []
|
|
|
matrix_nginx_proxy_synapse_frontend_proxy_locations: []
|
|
|
|
|
|
# The amount of worker processes and connections
|
|
|
# Consider increasing these when you are expecting high amounts of traffic
|
|
|
# http://nginx.org/en/docs/ngx_core_module.html#worker_connections
|
|
|
matrix_nginx_proxy_worker_processes: 1
|
|
|
matrix_nginx_proxy_worker_connections: 1024
|