| @@ -115,5 +115,83 @@ All services would be served locally on `127.0.0.1:81` and `127.0.0.1:8449` (as | |||||
| You can then set up another reverse-proxy server on ports 80/443/8448 for all of the expected domains and make traffic go to these local ports. | You can then set up another reverse-proxy server on ports 80/443/8448 for all of the expected domains and make traffic go to these local ports. | ||||
| The expected domains vary depending on the services you have enabled (`matrix.DOMAIN` for sure; `riot.DOMAIN` and `dimension.DOMAIN` are optional). | The expected domains vary depending on the services you have enabled (`matrix.DOMAIN` for sure; `riot.DOMAIN` and `dimension.DOMAIN` are optional). | ||||
| We don't have sample webserver configuration for this use-case yet, but hope to expand on this documentation entry in the future. | |||||
| For [Traefik](https://traefik.io/), you can [see some work in progress examples here](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/296). | |||||
| ### Sample configuration for running behind Traefik 2.0 | |||||
| Below is a sample configuration for using this playbook with a [Traefik](https://traefik.io/) 2.0 reverse proxy. | |||||
| ```yaml | |||||
| # Disable generation and retrieval of SSL certs | |||||
| matrix_ssl_retrieval_method: none | |||||
| # Configure Nginx to only use plain HTTP | |||||
| matrix_nginx_proxy_https_enabled: false | |||||
| # Don't bind any HTTP or federation port to the host | |||||
| # (Traefik will proxy directly into the containers) | |||||
| matrix_nginx_proxy_container_http_host_bind_port: '' | |||||
| matrix_nginx_proxy_container_federation_host_bind_port: '' | |||||
| # Disable Coturn because it needs SSL certs | |||||
| # (Clients can, though exposing IP address, use Matrix.org TURN) | |||||
| matrix_coturn_enabled: false | |||||
| # All containers need to be on the same Docker network as Traefik | |||||
| # (This network should already exist and Traefik should be using this network) | |||||
| matrix_docker_network: 'traefik' | |||||
| matrix_nginx_proxy_container_extra_arguments: | |||||
| # May be unnecessary depending on Traefik config, but can't hurt | |||||
| - '--label "traefik.enable=true"' | |||||
| # The Nginx proxy container will receive traffic from these subdomains | |||||
| # (Replace DOMAIN with your domain, e.g. example.com) | |||||
| - '--label "traefik.http.routers.matrix-nginx-proxy.rule=Host(`matrix.DOMAIN`,`riot.DOMAIN`,`dimension.DOMAIN`)"' | |||||
| # (The 'web-secure' entrypoint must bind to port 443 in Traefik config) | |||||
| - '--label "traefik.http.routers.matrix-nginx-proxy.entrypoints=web-secure"' | |||||
| # (The 'default' certificate resolver must be defined in Traefik config) | |||||
| - '--label "traefik.http.routers.matrix-nginx-proxy.tls.certResolver=default"' | |||||
| # The Nginx proxy container uses port 8080 internally | |||||
| - '--label "traefik.http.services.matrix-nginx-proxy.loadbalancer.server.port=8080"' | |||||
| matrix_synapse_container_extra_arguments: | |||||
| # May be unnecessary depending on Traefik config, but can't hurt | |||||
| - '--label "traefik.enable=true"' | |||||
| # The Synapse container will receive traffic from this subdomain | |||||
| # (Replace DOMAIN with your domain, e.g. example.com) | |||||
| - '--label "traefik.http.routers.matrix-synapse.rule=Host(`matrix.DOMAIN`)"' | |||||
| # (The 'synapse' entrypoint must bind to port 8448 in Traefik config) | |||||
| - '--label "traefik.http.routers.matrix-synapse.entrypoints=synapse"' | |||||
| # (The 'default' certificate resolver must be defined in Traefik config) | |||||
| - '--label "traefik.http.routers.matrix-synapse.tls.certResolver=default"' | |||||
| # The Synapse container uses port 8048 internally | |||||
| - '--label "traefik.http.services.matrix-synapse.loadbalancer.server.port=8048"' | |||||
| ``` | |||||
| This method uses labels attached to the Nginx and Synapse containers to provide the Traefik Docker provider with the information it needs to proxy `matrix.DOMAIN`, `riot.DOMAIN`, and `dimension.DOMAIN`. Some [static configuration](https://docs.traefik.io/v2.0/reference/static-configuration/file/) is required in Traefik; namely, having endpoints on ports 443 and 8448 and having a certificate resolver. | |||||
| Note that this configuration on its own does **not** redirect traffic on port 80 (plain HTTP) to port 433 for HTTPS, which may cause some issues, since the built-in Nginx proxy usually does this. If you are not already doing this in Traefik, it can be added to Traefik in a [file provider](https://docs.traefik.io/v2.0/providers/file/) as follows: | |||||
| ```toml | |||||
| [http] | |||||
| [http.routers] | |||||
| [http.routers.redirect-http] | |||||
| entrypoints = ["web"] # The 'web' entrypoint must bind to port 80 | |||||
| rule = "HostRegexp(`{host:.+}`)" # Change if you don't want to redirect all hosts to HTTPS | |||||
| service = "dummy" # Unused, but all routers need services (for now) | |||||
| middlewares = ["https"] | |||||
| [http.services] | |||||
| [http.services.dummy.loadbalancer] | |||||
| [[http.services.dummy.loadbalancer.servers]] | |||||
| url = "localhost" | |||||
| [http.middlewares] | |||||
| [http.middlewares.https.redirectscheme] | |||||
| scheme = "https" | |||||
| permanent = true | |||||
| ``` | |||||
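Review bot: The paragraph introducing the redirect snippet says plain HTTP on port 80 is redirected "to port 433 for HTTPS"; this should be 443, matching the comment that the 'web-secure' entrypoint must bind to port 443. In the paragraph just before it, "having endpoints on ports 443 and 8448" should read "entrypoints", the term the label comments already use. The docs could also state that with `matrix_nginx_proxy_https_enabled: false` and `matrix_docker_network: 'traefik'`, traffic from Traefik to the Nginx (8080) and Synapse (8048) containers is plain HTTP and those ports are reachable by every other container attached to that network, so only containers trusted to reach them should share it. Finally, the Coturn comment "(Clients can, though exposing IP address, use Matrix.org TURN)" is hard to parse; please spell out in a full sentence what is exposed and to whom.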