Update reverse-proxy examples

This commit is contained in:
Slavi Pantaleev 2024-01-14 17:23:28 +02:00
parent aff57d67c0
commit 0e831db3e5
16 changed files with 89 additions and 617 deletions


@ -1,17 +1,14 @@
# Apache reverse-proxy
This directory contains sample files that show you how to do reverse-proxying using Apache.
This directory contains sample files that show you how to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with your Apache reverse-proxy.
This is for when you wish to have your own Apache webserver sitting in front of Matrix services installed by this playbook.
See the [Using your own webserver, instead of this playbook's nginx proxy](../../docs/configuring-playbook-own-webserver.md) documentation page.
## Prerequisite configuration
To use your own Apache reverse-proxy, you first need to disable the integrated nginx server.
You do that with the following custom configuration (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
To get started, first follow the [front the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) instructions and update your playbook's configuration (`inventory/host_vars/matrix.<your-domain>/vars.yml`).
```yaml
matrix_nginx_proxy_enabled: false
```
## Using the Apache configuration
You can then use the configuration files from this directory as an example for how to configure your Apache server.
`matrix-domain.conf` contains configuration for the Matrix domain, which handles both the Client-Server API (port `443`) and the Matrix Federation API (port `8448`).
**NOTE**: this is just an example and may not be entirely accurate. It may also not cover other use cases (enabling various services or bridges requires additional reverse-proxying configuration).
`matrix-client-element.conf` is an example for when you're hosting Element at `element.DOMAIN`.
This configuration can also be used as an example for handling other domains, depending on the services you enable with the playbook (e.g. `dimension.DOMAIN`, etc).


@ -4,14 +4,8 @@
<VirtualHost *:80>
ServerName element.DOMAIN
ProxyVia On
# Map /.well-known/acme-challenge to the certbot server
# If you manage SSL certificates by yourself, this will differ.
<Location /.well-known/acme-challenge>
ProxyPreserveHost On
ProxyPass http://127.0.0.1:2402/.well-known/acme-challenge
</Location>
# You may wish to handle the /.well-known/acme-challenge paths here somehow,
# if you're using ACME (Let's Encrypt) certificates.
Redirect permanent / https://element.DOMAIN/
</VirtualHost>
@ -33,8 +27,8 @@
ProxyRequests Off
ProxyVia On
ProxyPass / http://127.0.0.1:8765/
ProxyPassReverse / http://127.0.0.1:8765/
ProxyPass / http://127.0.0.1:81/
ProxyPassReverse / http://127.0.0.1:81/
ErrorLog ${APACHE_LOG_DIR}/element.DOMAIN-error.log
CustomLog ${APACHE_LOG_DIR}/element.DOMAIN-access.log combined
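Review bot: The :443 vhost now hands plain HTTP to `http://127.0.0.1:81/` (the two changed ProxyPass/ProxyPassReverse lines), so TLS is terminated at Apache and the next hop only learns the original scheme from a forwarded header, yet nothing in this hunk sets one; the new matrix-domain.conf in this commit writes `RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}` and this file should do the same unless it already does so in the part of the vhost outside the hunk. Without it the upstream can emit http:// redirects and absolute URLs for an https:// site. The vhost containing these lines begins before the hunk (`ProxyRequests Off` is mid-block), so I could not confirm that `ProxyPreserveHost On` is present; since the upstream now routes by Host rather than by port, it is needed here as much as in matrix-domain.conf.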


@ -1,41 +0,0 @@
# This is a sample file demonstrating how to set up reverse-proxy for dimension.DOMAIN.
# If you're not using Dimension (`matrix_dimension_enabled: false`, which is also the default), you won't need this.
<VirtualHost *:80>
ServerName dimension.DOMAIN
ProxyVia On
# Map /.well-known/acme-challenge to the certbot server
# If you manage SSL certificates by yourself, this will differ.
<Location /.well-known/acme-challenge>
ProxyPreserveHost On
ProxyPass http://127.0.0.1:2402/.well-known/acme-challenge
</Location>
Redirect permanent / https://dimension.DOMAIN/
</VirtualHost>
<VirtualHost *:443>
ServerName dimension.DOMAIN
SSLEngine On
# If you manage SSL certificates by yourself, these paths will differ.
SSLCertificateFile /matrix/ssl/config/live/dimension.DOMAIN/fullchain.pem
SSLCertificateKeyFile /matrix/ssl/config/live/dimension.DOMAIN/privkey.pem
SSLProxyEngine on
SSLProxyProtocol +TLSv1.2 +TLSv1.3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
ProxyPreserveHost On
ProxyRequests Off
ProxyVia On
ProxyPass / http://127.0.0.1:8184/
ProxyPassReverse / http://127.0.0.1:8184/
ErrorLog ${APACHE_LOG_DIR}/dimension.DOMAIN-error.log
CustomLog ${APACHE_LOG_DIR}/dimension.DOMAIN-access.log combined
</VirtualHost>


@ -0,0 +1,65 @@
# This is a sample file demonstrating how to set up reverse-proxy for matrix.DOMAIN
<VirtualHost *:80>
ServerName matrix.DOMAIN
# You may wish to handle the /.well-known/acme-challenge paths here somehow,
# if you're using ACME (Let's Encrypt) certificates.
Redirect permanent / https://matrix.DOMAIN/
</VirtualHost>
# Client-Server API
<VirtualHost *:443>
ServerName matrix.DOMAIN
SSLEngine On
# If you manage SSL certificates by yourself, these paths will differ.
SSLCertificateFile /path/to/matrix.DOMAIN/fullchain.pem
SSLCertificateKeyFile /path/to/matrix.DOMAIN/privkey.pem
SSLProxyEngine on
SSLProxyProtocol +TLSv1.2 +TLSv1.3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
ProxyPreserveHost On
ProxyRequests Off
ProxyVia On
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
AllowEncodedSlashes NoDecode
ProxyPass / http://127.0.0.1:81 retry=0 nocanon
ProxyPassReverse / http://127.0.0.1:81/
ErrorLog ${APACHE_LOG_DIR}/matrix.DOMAIN-error.log
CustomLog ${APACHE_LOG_DIR}/matrix.DOMAIN-access.log combined
</VirtualHost>
# Server-Server (federation) API
Listen 8448
<VirtualHost *:8448>
ServerName matrix.DOMAIN
SSLEngine On
# If you manage SSL certificates by yourself, these paths will differ.
SSLCertificateFile /matrix/ssl/config/live/matrix.DOMAIN/fullchain.pem
SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem
SSLProxyEngine on
SSLProxyProtocol +TLSv1.2 +TLSv1.3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
ProxyPreserveHost On
ProxyRequests Off
ProxyVia On
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
AllowEncodedSlashes NoDecode
ProxyPass / http://127.0.0.1:8449/ retry=0 nocanon
ProxyPassReverse / http://127.0.0.1:8449/
ErrorLog ${APACHE_LOG_DIR}/matrix.DOMAIN-error.log
CustomLog ${APACHE_LOG_DIR}/matrix.DOMAIN-access.log combined
</VirtualHost>
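Review bot: `ProxyPass / http://127.0.0.1:81 retry=0 nocanon` in the Client-Server vhost has no trailing slash on the backend URL while its path argument and the paired `ProxyPassReverse / http://127.0.0.1:81/` do; Apache's mod_proxy documentation requires the two to agree or backend URLs may be built without the needed slash, and the federation vhost below already writes it as `ProxyPass / http://127.0.0.1:8449/ retry=0 nocanon`. Change it to `ProxyPass / http://127.0.0.1:81/ retry=0 nocanon`. The two vhosts also disagree on certificate paths: the :443 block uses the placeholder `/path/to/matrix.DOMAIN/fullchain.pem`, while the :8448 block still points at `/matrix/ssl/config/live/matrix.DOMAIN/...`, a location the playbook presumably no longer populates once the integrated proxy manages certificates. Using the same placeholder in both blocks avoids a copied config whose federation listener alone fails to start.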


@ -1,146 +0,0 @@
# This is a sample file demonstrating how to set up reverse-proxy for matrix.DOMAIN
<VirtualHost *:80>
ServerName matrix.DOMAIN
ProxyVia On
# Map /.well-known/acme-challenge to the certbot server
# If you manage SSL certificates by yourself, this will differ.
<Location /.well-known/acme-challenge>
ProxyPreserveHost On
ProxyPass http://127.0.0.1:2402/.well-known/acme-challenge
</Location>
Redirect permanent / https://matrix.DOMAIN/
</VirtualHost>
# Client-Server API
<VirtualHost *:443>
ServerName matrix.DOMAIN
SSLEngine On
# If you manage SSL certificates by yourself, these paths will differ.
SSLCertificateFile /matrix/ssl/config/live/matrix.DOMAIN/fullchain.pem
SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem
SSLProxyEngine on
SSLProxyProtocol +TLSv1.2 +TLSv1.3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
ProxyPreserveHost On
ProxyRequests Off
ProxyVia On
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
# Keep some URIs free for different proxy/location
ProxyPassMatch ^/.well-known/matrix/client !
ProxyPassMatch ^/.well-known/matrix/server !
ProxyPassMatch ^/.well-known/matrix/support !
ProxyPassMatch ^/_matrix/identity !
ProxyPassMatch ^/_matrix/client/r0/user_directory/search !
# Proxy all remaining traffic to Synapse
AllowEncodedSlashes NoDecode
ProxyPass /_matrix http://127.0.0.1:8008/_matrix retry=0 nocanon
ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix
ProxyPass /_synapse/client http://127.0.0.1:8008/_synapse/client retry=0 nocanon
ProxyPassReverse /_synapse/client http://127.0.0.1:8008/_synapse/client
# Proxy Admin API (necessary for Synapse-Admin)
# ProxyPass /_synapse/admin http://127.0.0.1:8008/_synapse/admin retry=0 nocanon
# ProxyPassReverse /_synapse/admin http://127.0.0.1:8008/_synapse/admin
# Proxy Synapse-Admin
# ProxyPass /synapse-admin http://127.0.0.1:8766 retry=0 nocanon
# ProxyPassReverse /synapse-admin http://127.0.0.1:8766
# Map /.well-known/matrix/client for client discovery
Alias /.well-known/matrix/client /matrix/static-files/.well-known/matrix/client
<Files "/matrix/static-files/.well-known/matrix/client">
Require all granted
</Files>
<Location "/.well-known/matrix/client">
Header always set Content-Type "application/json"
Header always set Access-Control-Allow-Origin "*"
</Location>
# Map /.well-known/matrix/server for server discovery
Alias /.well-known/matrix/server /matrix/static-files/.well-known/matrix/server
<Files "/matrix/static-files/.well-known/matrix/server">
Require all granted
</Files>
<Location "/.well-known/matrix/server">
Header always set Content-Type "application/json"
</Location>
# Map /.well-known/matrix/support for support discovery
Alias /.well-known/matrix/support /matrix/static-files/.well-known/matrix/support
<Files "/matrix/static-files/.well-known/matrix/support">
Require all granted
</Files>
<Location "/.well-known/matrix/support">
Header always set Content-Type "application/json"
</Location>
<Directory /matrix/static-files/.well-known/matrix/>
AllowOverride All
# Apache 2.4:
Require all granted
# Or for Apache 2.2:
#order allow,deny
</Directory>
# Map /_matrix/identity to the identity server
<Location /_matrix/identity>
ProxyPass http://127.0.0.1:8090/_matrix/identity nocanon
</Location>
# Map /_matrix/client/r0/user_directory/search to the identity server
<Location /_matrix/client/r0/user_directory/search>
ProxyPass http://127.0.0.1:8090/_matrix/client/r0/user_directory/search nocanon
</Location>
ErrorLog ${APACHE_LOG_DIR}/matrix.DOMAIN-error.log
CustomLog ${APACHE_LOG_DIR}/matrix.DOMAIN-access.log combined
</VirtualHost>
# Server-Server (federation) API
# Use this apache reverse proxy template to enable matrix server-to-server federation traffic
# Be sure that network traffic on port 8448 is possible
#
# You can check your federation config at https://federationtester.matrix.org/
# Enter there your base DOMAIN address, NOT your matrix.DOMAIN address, ex. https://DOMAIN
#
# In this example we use all services on the same machine (127.0.0.1) but you can do this with different machines.
# If you do so be sure to reach the destinated IPADRESS and the correspondending port. Check this with netstat, nmap or your favourite tool.
Listen 8448
<VirtualHost *:8448>
ServerName matrix.DOMAIN
SSLEngine On
# If you manage SSL certificates by yourself, these paths will differ.
SSLCertificateFile /matrix/ssl/config/live/matrix.DOMAIN/fullchain.pem
SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem
SSLProxyEngine on
SSLProxyProtocol +TLSv1.2 +TLSv1.3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
ProxyPreserveHost On
ProxyRequests Off
ProxyVia On
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
# Proxy all remaining traffic to the Synapse port
# Beware: In this example the local traffic goes to the local synapse server at 127.0.0.1
# Of course you can use another IPADRESS in case of using other synapse servers in your network
AllowEncodedSlashes NoDecode
ProxyPass /_matrix http://127.0.0.1:8048/_matrix retry=0 nocanon
ProxyPassReverse /_matrix http://127.0.0.1:8048/_matrix
ErrorLog ${APACHE_LOG_DIR}/matrix.DOMAIN-error.log
CustomLog ${APACHE_LOG_DIR}/matrix.DOMAIN-access.log combined
</VirtualHost>


@ -1,8 +0,0 @@
https://element.DOMAIN {
# These might differ if you are supplying your own certificates
tls /matrix/ssl/config/live/element.DOMAIN/fullchain.pem /matrix/ssl/config/live/element.DOMAIN/privkey.pem
proxy / http://127.0.0.1:8765 {
transparent
}
}


@ -1,9 +0,0 @@
https://dimension.DOMAIN {
# These might differ if you are supplying your own certificates
# If you wish to use Caddy's built-in Let's Encrypt support, you can also supply an email address here
tls /matrix/ssl/config/live/dimension.DOMAIN/fullchain.pem /matrix/ssl/config/live/dimension.DOMAIN/privkey.pem
proxy / http://127.0.0.1:8184/ {
transparent
}
}


@ -1,31 +0,0 @@
https://matrix.DOMAIN {
# If you use your own certificates, your path may differ
# If you wish to use Caddy's built-in Let's Encrypt support, you can also supply an email address here
tls /matrix/ssl/config/live/matrix.DOMAIN/fullchain.pem /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem
root /matrix/static-files
header / {
Access-Control-Allow-Origin *
Strict-Transport-Security "mag=age=31536000;"
X-Frame-Options "DENY"
X-XSS-Protection "1; mode=block"
}
# Identity server traffic
proxy /_matrix/identity matrix-ma1sd:8090 {
transparent
}
proxy /_matrix/client/r0/user_directory/search matrix-ma1sd:8090 {
transparent
}
# Synapse Client<>Server API
proxy /_matrix matrix-synapse-reverse-proxy-companion:8008 {
transparent
except /_matrix/identity/ /_matrix/client/r0/user_directory/search
}
proxy /_synapse/client matrix-synapse-reverse-proxy-companion:8008 {
transparent
}
}


@ -1,7 +0,0 @@
:80 {
# Redirect ACME-Challenge traffic to port 2402
proxy /.well-known/acme-challenge http://127.0.0.1:2402
# Redirect all other traffic to HTTPS
redir / https://{host}{uri} 301
}


@ -1,269 +0,0 @@
(cors) {
@cors_preflight method OPTIONS
handle @cors_preflight {
header Access-Control-Allow-Origin "{args.0}"
header Access-Control-Allow-Methods "HEAD, GET, POST, PUT, PATCH, DELETE"
header Access-Control-Allow-Headers "Content-Type, Authorization"
header Access-Control-Max-Age "3600"
}
}
matrix.DOMAIN.tld {
# creates letsencrypt certificate
# tls your@email.com
@identity {
path /_matrix/identity/*
}
@noidentity {
not path /_matrix/identity/*
}
@search {
path /_matrix/client/r0/user_directory/search/*
}
@nosearch {
not path /_matrix/client/r0/user_directory/search/*
}
@static {
path /matrix/static-files/*
}
@nostatic {
not path /matrix/static-files/*
}
@wellknown {
path /.well-known/matrix/*
}
header {
# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Enable cross-site filter (XSS) and tell browser to block detected attacks
X-XSS-Protection "1; mode=block"
# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
X-Content-Type-Options "nosniff"
# Disallow the site to be rendered within a frame (clickjacking protection)
X-Frame-Options "DENY"
# X-Robots-Tag
X-Robots-Tag "noindex, noarchive, nofollow"
}
# Cache
header @static {
# Cache
Cache-Control "public, max-age=31536000"
defer
}
# identity
handle @identity {
reverse_proxy localhost:8090 {
header_up X-Forwarded-Port {http.request.port}
header_up X-Forwarded-Proto {http.request.scheme}
header_up X-Forwarded-TlsProto {tls_protocol}
header_up X-Forwarded-TlsCipher {tls_cipher}
header_up X-Forwarded-HttpsProto {proto}
}
}
# search
handle @search {
reverse_proxy localhost:8090 {
header_up X-Forwarded-Port {http.request.port}
header_up X-Forwarded-Proto {http.request.scheme}
header_up X-Forwarded-TlsProto {tls_protocol}
header_up X-Forwarded-TlsCipher {tls_cipher}
header_up X-Forwarded-HttpsProto {proto}
}
}
handle @wellknown {
encode zstd gzip
root * /matrix/static-files
header Cache-Control max-age=14400
header Content-Type application/json
header Access-Control-Allow-Origin *
file_server
}
# If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the base domain
#handle @wellknown {
# # .well-known is handled by base domain
# reverse_proxy https://DOMAIN.tld {
# header_up Host {http.reverse_proxy.upstream.hostport}
#}
handle {
encode zstd gzip
reverse_proxy localhost:8008 {
header_up X-Forwarded-Port {http.request.port}
header_up X-Forwarded-Proto {http.request.scheme}
header_up X-Forwarded-TlsProto {tls_protocol}
header_up X-Forwarded-TlsCipher {tls_cipher}
header_up X-Forwarded-HttpsProto {proto}
}
}
}
matrix.DOMAIN.tld:8448 {
handle {
encode zstd gzip
reverse_proxy 127.0.0.1:8048 {
header_up X-Forwarded-Port {http.request.port}
header_up X-Forwarded-Proto {http.request.scheme}
header_up X-Forwarded-TlsProto {tls_protocol}
header_up X-Forwarded-TlsCipher {tls_cipher}
header_up X-Forwarded-HttpsProto {proto}
}
}
}
element.DOMAIN.tld {
# creates letsencrypt certificate
# tls your@email.com
import cors https://*.DOMAIN.tld
header {
# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Enable cross-site filter (XSS) and tell browser to block detected attacks
X-XSS-Protection "1; mode=block"
# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
X-Content-Type-Options "nosniff"
# Disallow the site to be rendered within a frame (clickjacking protection)
X-Frame-Options "DENY"
# If using integrations that add frames to Element, such as Dimension and its integrations running on the same domain, it can be a good idea to limit sources allowed to be rendered
# Content-Security-Policy frame-src https://*.DOMAIN.tld
# X-Robots-Tag
X-Robots-Tag "noindex, noarchive, nofollow"
}
handle {
encode zstd gzip
reverse_proxy localhost:8765 {
header_up X-Forwarded-Port {http.request.port}
header_up X-Forwarded-Proto {http.request.scheme}
header_up X-Forwarded-TlsProto {tls_protocol}
header_up X-Forwarded-TlsCipher {tls_cipher}
header_up X-Forwarded-HttpsProto {proto}
}
}
#dimension.DOMAIN.tld {
#
# # creates letsencrypt certificate
# # tls your@email.com
#
# import cors https://*.DOMAIN.tld
#
# header {
# # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
# Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# # Enable cross-site filter (XSS) and tell browser to block detected attacks
# X-XSS-Protection "1; mode=block"
# # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
# X-Content-Type-Options "nosniff"
# # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain (clickjacking protection)
# Content-Security-Policy frame-ancestors https://*.DOMAIN.tld
# # X-Robots-Tag
# X-Robots-Tag "noindex, noarchive, nofollow"
# }
#
# handle {
# encode zstd gzip
#
# reverse_proxy localhost:8184 {
# header_up X-Forwarded-Port {http.request.port}
# header_up X-Forwarded-Proto {http.request.scheme}
# header_up X-Forwarded-TlsProto {tls_protocol}
# header_up X-Forwarded-TlsCipher {tls_cipher}
# header_up X-Forwarded-HttpsProto {proto}
# }
# }
#}
#jitsi.DOMAIN.tld {
#
# creates letsencrypt certificate
# tls your@email.com
#
# import cors https://*.DOMAIN.tld
#
# header {
# # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
# Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
#
# # Enable cross-site filter (XSS) and tell browser to block detected attacks
# X-XSS-Protection "1; mode=block"
#
# # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
# X-Content-Type-Options "nosniff"
# # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain
# Content-Security-Policy frame-ancestors https://*.DOMAIN.tld
#
# # Disable some features
# Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope #'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
#
# # Referer
# Referrer-Policy "no-referrer"
#
# # X-Robots-Tag
# X-Robots-Tag "none"
#
# # Remove Server header
# -Server
# }
#
# handle {
# encode zstd gzip
#
# reverse_proxy 127.0.0.1:13080 {
# header_up X-Forwarded-Port {http.request.port}
# header_up X-Forwarded-Proto {http.request.scheme}
# header_up X-Forwarded-TlsProto {tls_protocol}
# header_up X-Forwarded-TlsCipher {tls_cipher}
# header_up X-Forwarded-HttpsProto {proto}
# }
# }
#}
#DOMAIN.com {
# Uncomment this if you are following "(Option 3): Setting up reverse-proxying of the well-known files from the base domain's server to the Matrix server" of https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md#option-3-setting-up-reverse-proxying-of-the-well-known-files-from-the-base-domains-server-to-the-matrix-server
# @wellknown {
# path /.well-known/matrix/*
# }
#
# handle @wellknown {
# reverse_proxy https://matrix.DOMAIN.com {
# header_up Host {http.reverse_proxy.upstream.hostport}
# }
# }
# # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the matrix subdomain
# # handle /.well-known/* {
# # encode zstd gzip
# # header Cache-Control max-age=14400
# # header Content-Type application/json
# # header Access-Control-Allow-Origin *
# #}
#
# # Configration for the base domain goes here
# # handle {
# # header -Server
# # encode zstd gzip
# # reverse_proxy localhost:4020
# # }
#}


@ -13,8 +13,4 @@ To get started, first follow the [front the integrated reverse-proxy webserver w
You can either just use the [Caddyfile](Caddyfile) directly or append its content to your own Caddyfile.
In both cases make sure to replace all the `example.tld` domains with your own domain.
This example does not include additional services like element, but you should be able copy the first block and replace the matrix subdomain with the additional services subdomain. I have not tested this though.
# Caddyfile.deprecated
This can be used as a [Caddy](https://caddyserver.com/) reverse-proxy without intermediary playbook managed reverse proxy. However, this setup is not supported by the playbook anymore. Instead [front the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) as described above.
This example does not include additional services like element, but you should be able copy the first block and replace the matrix subdomain with the additional services subdomain. I have not tested this though.


@ -1,12 +0,0 @@
# Pull nginx base image
FROM nginx:latest
# Expost port 80
EXPOSE 80
# Copy custom configuration file from the current directory
COPY nginx.conf /etc/nginx/nginx.conf
# Start up nginx server
CMD ["nginx"]


@ -3,24 +3,7 @@
This directory contains sample files that show you how to do reverse-proxying using HAproxy.
This is for when you wish to have your own HAproxy instance sitting in front of Matrix services installed by this playbook.
See the [Using your own webserver, instead of this playbook's nginx proxy](../../docs/configuring-playbook-own-webserver.md) documentation page.
To use your own HAproxy reverse-proxy, you first need to disable the integrated Nginx server.
You do that with the following custom configuration (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
```yaml
matrix_nginx_proxy_enabled: false
```
We recommend that you use HAProxy in front of Traefik. See our [Fronting the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) documentation.
You can then use the configuration files from this directory as an example for how to configure your HAproxy reverse proxy.
**NOTE**: this is just an example and may not be entirely accurate. It may also not cover other use cases or performance needs.
### Configuration
HAproxy, unlike Apache, Nginx and others, does not provide you with a webserver to serve static files (i.e., `/.well-known/` directory). For this reason, in this folder you can find an example on how to use HAproxy together with a simple Nginx container whose only task is to serve those files.
* Build the Docker image. `docker build -t local/nginx .`
* Start the container. `docker-compose up -d`. Note that if you want to run Nginx on a different port, you will have to change the port both in the `docker-compose.yml` and in `haproxy.cfg`.
* If you don't want to use a wildcard certificate, you will need to modify the corresponding line in the HTTPS frontent and add the paths of all the specific certificates (as for the commented example in `haproxy.cfg`).
* Start HAproxy with the proposed configuration.


@ -1,9 +0,0 @@
---
version: '3'
services:
nginx:
image: local/nginx
ports:
- 40888:80
volumes:
- /matrix/static-files:/var/www/:ro


@ -43,29 +43,16 @@ frontend https-frontend
reqadd X-Forwarded-Proto:\ https
option httplog
option http-server-close
#
# Matrix
#
# matrix.example.com
# You can do per-domain routing (as shown above),
# or just send everything to the same backend via `default_backend`.
acl matrix_domain hdr_dom(host) -i matrix.example.com
acl static_files path -i -m beg /.well-known/matrix
use_backend nginx-static if static_files
# /_matrix/identity and /_matrix/client/r0/user_directory/search
acl matrix_identity path -i -m beg /_matrix/identity
acl matrix_search path -i -m beg /_matrix/client/r0/user_directory/search
# Send to :8090
use_backend matrix-supporting if matrix_identity or matrix_search
# /_matrix and /_synapse/admin
acl matrix_path path -i -m beg /_matrix
acl synapse_admin path -i -m beg /_synapse/admin
# Send to :8008
use_backend matrix-main if matrix_path or synapse_admin
# element.example.com
acl element_domain hdr_dom(host) -i element.example.com
# Send to 8765
use_backend element if element_domain
# If nothing else match, just send to default matrix backend
use_backend matrix-main if matrix_domain
acl matrix_domain hdr_dom(host) -i element.example.com
use_backend matrix-main if matrix_domain
#default_backend matrix-main
frontend matrix-federation
@ -75,14 +62,11 @@ frontend matrix-federation
option http-server-close
default_backend synapse
backend matrix-supporting
server matrix-supporting 127.0.0.1:8090 check
backend matrix-main
server matrix-main 127.0.0.1:8008 check
server matrix-main 127.0.0.1:81 check
backend synapse
server synapse 127.0.0.1:8048 check
backend matrix-federation
server matrix-federation 127.0.0.1:8049 check
backend nginx-static
capture request header origin len 128
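Review bot: The added `acl matrix_domain hdr_dom(host) -i element.example.com` reuses the ACL name that the earlier `acl matrix_domain hdr_dom(host) -i matrix.example.com` line appears to keep declaring, and HAProxy ORs same-named ACL declarations, so the second `use_backend matrix-main if matrix_domain` is redundant with the one directly above it; if that earlier line is actually removed by this commit, matrix.example.com has no route at all. Either way one declaration reads better: `acl matrix_domain hdr_dom(host) -i matrix.example.com element.example.com` followed by a single `use_backend matrix-main if matrix_domain`. `backend nginx-static` at the end of the second hunk looks like it survives, but `use_backend nginx-static if static_files` is dropped and the Dockerfile, docker-compose.yml and nginx.conf that provided that server are deleted in this commit, so the backend is dead and should go too. `reqadd X-Forwarded-Proto:\ https` on the first hunk's first line is pre-existing but is no longer a valid directive in current HAProxy releases (`http-request set-header X-Forwarded-Proto https` is the replacement). Both frontends begin before their hunks.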


@ -1,15 +0,0 @@
worker_processes auto;
daemon off;
events {
worker_connections 1024;
}
http {
server_tokens off;
server {
listen 80;
index index.html;
root /var/www;
}
}