mirror of
https://github.com/spantaleev/matrix-docker-ansible-deploy.git
synced 2024-12-22 04:34:00 +00:00
Add TLS v1.3 support to matrix-nginx-proxy
This was mentioned in #27 (Github Pull Request), but it's just now that the nginx Docker image actually supports TLS v1.3 and we can enable it.
This commit is contained in:
parent
d5a0f562ba
commit
cd332d9b4e
15
CHANGELOG.md
15
CHANGELOG.md
@ -1,3 +1,18 @@
|
||||
# 2019-02-01
|
||||
|
||||
## TLS v1.3 support
|
||||
|
||||
Now that the [nginx Docker image](https://hub.docker.com/_/nginx) has [added support for TLS v1.3](https://github.com/nginxinc/docker-nginx/issues/190), we have enabled that protocol by default.
|
||||
|
||||
When using:
|
||||
|
||||
- the **integrated nginx server**: TLS v1.3 support might not kick in immediately, because the nginx version hasn't been bumped and you may have an older build of the nginx Docker image (currently `nginx:1.15.8-alpine`). Typically, we do not re-pull images that you already have. When the nginx version gets bumped in the future, everyone will get the update. Until then, you could manually force-pull the rebuilt Docker image by running this on the server: `docker pull nginx:1.15.8-alpine`.
|
||||
|
||||
- **your own external nginx server**: if your external nginx server is too old, the new configuration we generate for you in `/matrix/nginx-proxy/conf.d/` might not work anymore, because it mentions `TLSv1.3` and your nginx version might not support that. You can adjust the SSL protocol list by overriding the `matrix_nginx_proxy_ssl_protocols` variable. Learn more in the documentation page for [Using your own webserver, instead of this playbook's nginx proxy](docs/configuring-playbook-own-webserver.md)
|
||||
|
||||
- **another web server**: you don't need to do anything to accommodate this change
|
||||
|
||||
|
||||
# 2019-01-31
|
||||
|
||||
## IRC bridging support
|
||||
|
@ -14,11 +14,15 @@ All it takes is:
|
||||
|
||||
```yaml
|
||||
matrix_nginx_proxy_enabled: false
|
||||
|
||||
# If you use an external nginx, we'll generate some configuration for you in `/matrix/nginx-proxy/conf.d/`.
|
||||
# You might need to tweak the protocol list (removing `TLSv1.3`) to suit your nginx version.
|
||||
matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3"
|
||||
```
|
||||
|
||||
**Note**: even if you do this, in order [to install](installing.md), this playbook still expects port 80 to be available. **Please manually stop your other webserver while installing**. You can start it back again afterwards.
|
||||
|
||||
**If your own webserver is nginx**, you can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;`
|
||||
**If your own webserver is nginx**, you can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;`. Please note that if your nginx version is old, it might not like our default SSL protocols (particularly the fact that `TLSv1.3` is enabled). You can override the protocol list by redefining the `matrix_nginx_proxy_ssl_protocols` variable.
|
||||
|
||||
**If your own webserver is not nginx**, you can still take a look at the sample files in `/matrix/nginx-proxy/conf.d`, and:
|
||||
|
||||
|
@ -57,9 +57,7 @@ matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: []
|
||||
matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *"
|
||||
|
||||
# Specifies which SSL protocols to use when serving Riot and Synapse
|
||||
# Note TLSv1.3 is not yet available in dockerized nginx
|
||||
# See: https://github.com/nginxinc/docker-nginx/issues/190
|
||||
matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2"
|
||||
matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3"
|
||||
|
||||
# By default, this playbook automatically retrieves and auto-renews
|
||||
# free SSL certificates from Let's Encrypt.
|
||||
|
Loading…
Reference in New Issue
Block a user