From 8dacdb038b67dc41711bf72648f749a106c550e6 Mon Sep 17 00:00:00 2001 From: Jost Alemann Date: Mon, 27 Feb 2023 15:34:37 +0100 Subject: [PATCH] add: nginx example conf + readme for fronting playbooks traefik with own nginx --- examples/nginx/README.md | 32 +++++++++++++ examples/nginx/matrix.conf | 96 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 128 insertions(+) create mode 100644 examples/nginx/README.md create mode 100644 examples/nginx/matrix.conf diff --git a/examples/nginx/README.md b/examples/nginx/README.md new file mode 100644 index 000000000..d2d2a6ce1 --- /dev/null +++ b/examples/nginx/README.md @@ -0,0 +1,32 @@ +# Nginx reverse-proxy fronting playbook's Traefik + +This directory contains a sample config that show you how to do reverse-proxying using Nginx and the playbook's internal traefik container. + +This is for when you wish to front the playbook's integrated traefik container with a self-managed Nginx reverse-proxy running on the same server. +See the [Using your own webserver, instead of this playbook's nginx proxy & Fronting the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) documentation page and follow the instructions for the playbook's configuration (`inventory/host_vars/matrix./vars.yml`). + +That is this part: +**For Traefik** fronted by another reverse-proxy, you would need some configuration like this: + +```yaml +matrix_playbook_reverse_proxy_type: playbook-managed-traefik + +# Ensure that public urls use https +matrix_playbook_ssl_enabled: true + +# Disable the web-secure (port 443) endpoint, which also disables SSL certificate retrieval +devture_traefik_config_entrypoint_web_secure_enabled: false + +devture_traefik_container_web_host_bind_port: '127.0.0.1:81' + +devture_traefik_additional_entrypoints_auto: + - name: matrix-federation + port: 8449 + host_bind_port: '127.0.0.1:8449' + config: {} +``` + +**NOTE**: +- that this also disables SSL certificate retrieval, which then has to be done manually (e.g. by using certbot and setting the appropriate path as found in [the example nginx configuration file](./matrix.conf)). For the example nginx config one certificate is used that contains all the used subdomains. +- that [the example nginx configuration file](./matrix.conf) has to be adapted to whatever services you are using. For example, remove element.domain.com from the `server_name` list if you don't use Element web client or add dimension.domain.com to it if you do use Dimension. +- that this is just an example and may not be entirely accurate. It may also not cover other use cases (enabling various services or bridges requires additional reverse-proxying configuration). diff --git a/examples/nginx/matrix.conf b/examples/nginx/matrix.conf new file mode 100644 index 000000000..366a8a8eb --- /dev/null +++ b/examples/nginx/matrix.conf @@ -0,0 +1,96 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + # TODO: add/remove services and their subdomains if you use/don't use them + # this example is using hosting something on the base domain and an element web client, so example.com and element.example.com are listed in addition to matrix.example.com + # if you don't use those, you can remove them + # if you use e.g. dimension on dimension.example.com, add dimension.example.com to the server_name list + server_name example.com matrix.example.com element.example.com; + + location / { + # note: do not add a path (even a single /) after the port in `proxy_pass`, + # otherwise, nginx will canonicalise the URI and cause signature verification + # errors. + proxy_pass http://localhost:81; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + + access_log /var/log/nginx/matrix.access.log; + error_log /var/log/nginx/matrix.error.log; + + # Nginx by default only allows file uploads up to 1M in size + # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml + client_max_body_size 50M; + } + + # TODO: adapt the path to your ssl certificate for the domains listed on server_name + ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot + # TODO: adapt the path to your ssl certificate for the domains listed on server_name + ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot +} + +# settings for matrix federation +server { + # For the federation port + listen 8448 ssl http2 default_server; + listen [::]:8448 ssl http2 default_server; + + server_name matrix.example.com; + + location / { + proxy_pass http://localhost:8449; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $host; + + access_log /var/log/nginx/matrix.access.log; + error_log /var/log/nginx/matrix.error.log; + + # Nginx by default only allows file uploads up to 1M in size + # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml + client_max_body_size 50M; + } + # TODO: adapt the path to your ssl certificate for the domains listed on server_name + ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot + # TODO: adapt the path to your ssl certificate for the domains listed on server_name + ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot +} + +# ensure using https +# TODO: remove server blocks that you don't use / add server blocks for domains you do use +server { + if ($host = example.com) { + return 301 https://$host$request_uri; + } # managed by Certbot + + server_name example.com; + listen 80; + return 404; # managed by Certbot +} + +server { + if ($host = matrix.example.com) { + return 301 https://$host$request_uri; + } # managed by Certbot + + server_name matrix.example.com; + listen 80; + return 404; # managed by Certbot +} + +server { + if ($host = element.example.com) { + return 301 https://$host$request_uri; + } # managed by Certbot + + server_name element.example.com; + listen 80; + return 404; # managed by Certbot +} \ No newline at end of file