Merge pull request #2526 from jalemann/master

Add example config + readme for fronting playbook's traefik with own nginx on same server

docs/configuring-playbook-own-webserver.md

@@ -143,6 +143,8 @@ devture_traefik_additional_entrypoints_auto:
     config: {}
 ```
 
+For an example where the playbook's Traefik reverse-proxy is fronted by [Nginx](https://nginx.org/) running on the same server, see [Nginx reverse-proxy fronting the playbook's Traefik](../examples/nginx/README.md).
+
 (Deprecated) **For `matrix-nginx-proxy`** fronted by another reverse-proxy, you would need some configuration like this:
 
 ```yaml
@@ -232,4 +234,4 @@ Some of these services are configured with certain default expecations with rega
 
 For each new playbook service that you enable, you'll need special handling.
 
-The [`examples/`](../examples/) directory contains examples for various servers: Caddy, Apache, HAproxy, etc.
+The [`examples/`](../examples/) directory contains examples for various servers: Caddy, Apache, HAproxy, Nginx, etc.

examples/nginx/README.md

@@ -0,0 +1,17 @@
+# Nginx reverse-proxy fronting the playbook's integrated Traefik reverse-proxy
+
+This directory contains a sample config that shows you how use the [nginx](https://nginx.org/) webserver to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with another reverse-proxy.
+
+
+## Prerequisite configuration
+
+To get started, first follow the [front the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) instructions and update your playbook's configuration (`inventory/host_vars/matrix.<your-domain>/vars.yml`).
+
+
+## Using the nginx configuration
+
+Copy the [matrix.conf](matrix.conf) file to your nginx server's filesystem, modify it to your needs and include it your nginx configuration (e.g. `include /path/to/matrix.conf;`).
+
+This configuration **disables SSL certificate retrieval**, so you will **need to obtain SSL certificates manually** (e.g. by using [certbot](https://certbot.eff.org/)) and set the appropriate path in `matrix.conf`. In the example nginx configuration, a single certificate is used for all subdomains (`matrix.DOMAIN`, `element.DOMAIN`, etc.). For your setup, may wish to change this and use separate `server` blocks and separate certificate files for each host.
+
+Also note that your copy of the `matrix.conf` file has to be adapted to whatever services you are using. For example, remove `element.domain.com` from the `server_name` list if you don't use [Element](../../docs/configuring-playbook-client-element.md) web client or add `dimension.domain.com` to it if you do use the [Dimension](../../docs/configuring-playbook-dimension.md) integration manager.

examples/nginx/matrix.conf

@@ -0,0 +1,96 @@
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    # TODO: add/remove services and their subdomains if you use/don't use them
+    # this example is using hosting something on the base domain and an element web client, so example.com and element.example.com are listed in addition to matrix.example.com
+    # if you don't use those, you can remove them
+    # if you use e.g. dimension on dimension.example.com, add dimension.example.com to the server_name list
+    server_name example.com matrix.example.com element.example.com;
+
+    location / {
+        # note: do not add a path (even a single /) after the port in `proxy_pass`,
+        # otherwise, nginx will canonicalise the URI and cause signature verification
+        # errors.
+        proxy_pass http://localhost:81;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+
+        access_log /var/log/nginx/matrix.access.log;
+        error_log /var/log/nginx/matrix.error.log;
+
+        # Nginx by default only allows file uploads up to 1M in size
+        # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+        client_max_body_size 50M;
+    }
+
+    # TODO: adapt the path to your ssl certificate for the domains listed on server_name
+    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
+    # TODO: adapt the path to your ssl certificate for the domains listed on server_name
+    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
+
+# settings for matrix federation
+server {
+    # For the federation port
+    listen 8448 ssl http2 default_server;
+    listen [::]:8448 ssl http2 default_server;
+
+    server_name matrix.example.com;
+
+    location / {
+        proxy_pass http://localhost:8449;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $host;
+
+        access_log /var/log/nginx/matrix.access.log;
+        error_log /var/log/nginx/matrix.error.log;
+
+        # Nginx by default only allows file uploads up to 1M in size
+        # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+        client_max_body_size 50M;
+    }
+    # TODO: adapt the path to your ssl certificate for the domains listed on server_name
+    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
+    # TODO: adapt the path to your ssl certificate for the domains listed on server_name
+    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
+
+# ensure using https
+# TODO: remove server blocks that you don't use / add server blocks for domains you do use
+server {
+    if ($host = example.com) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+    server_name example.com;
+    listen 80;
+    return 404; # managed by Certbot
+}
+
+server {
+    if ($host = matrix.example.com) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+    server_name matrix.example.com;
+    listen 80;
+    return 404; # managed by Certbot
+}
+
+server {
+    if ($host = element.example.com) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+    server_name element.example.com;
+    listen 80;
+    return 404; # managed by Certbot
+}