fossilfranv/matrix-docker-ansible-deploy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nginx sample config for own webserver

Browse Source
This commit is contained in:
thigg 2022-12-20 07:36:43 +01:00 committed by GitHub
parent b138c25937
commit 279604ab04
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 95 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

95
docs/configuring-playbook-own-webserver.md
View File

@ -250,3 +250,98 @@ networks:
traefik: traefik:
external: true external: true
``` ```
### Sample Configuration behind nginx
Put this into your hostvars
```yaml
# setup proxy
matrix_ssl_retrieval_method: none
matrix_nginx_proxy_https_enabled: false
matrix_nginx_proxy_trust_forwarded_proto: true
matrix_nginx_proxy_x_forwarded_for: '$proxy_add_x_forwarded_for'
matrix_nginx_proxy_container_http_host_bind_port: '127.0.0.1:8181' # ->:443
matrix_nginx_proxy_container_federation_host_bind_port: '127.0.0.1:8449' # -> 8449
# Coturn relies on SSL certificates that have already been obtained and is not proxied.
matrix_coturn_enabled: true
matrix_coturn_tls_enabled: true
matrix_coturn_tls_cert_path: /etc/letsencrypt/live/<your server name>/fullchain.pem
matrix_coturn_tls_key_path: /etc/letsencrypt/live/<your server name>/privkey.pem
```
And use this configuration for your own reverse proxy in `/etc/nginx/conf.d/`. This assumes you have certbot running for your domain.
```
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
listen [::]:80; # comment to disable IPv6
if ($scheme = "http") {
return 301 https://$host$request_uri;
}
listen 443 ssl http2;
listen [::]:443 ssl http2; # comment to disable IPv6
server_name <your server name>;
location / {
resolver localhost;
proxy_pass http://127.0.0.1:8181$request_uri;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 0;
# Websocket
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
ssl_certificate /etc/letsencrypt/live/<your server name>/fullchain.pem; #certbot
ssl_certificate_key /etc/letsencrypt/live/<your server name>/privkey.pem; # certbot
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
}
server {
listen 8448 ssl http2;
listen [::]:8448 ssl http2;
server_name <your server name>;
server_tokens off;
gzip on;
gzip_types text/plain application/json;
ssl_certificate /etc/letsencrypt/live/<your server name>/fullchain.pem; #managed by certbot
ssl_certificate_key /etc/letsencrypt/live/<your server name>/privkey.pem; # managed by certbot
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
location / {
proxy_pass http://127.0.0.1:8449;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}
```