Przeglądaj źródła
Document the new variables for ngingx SSL config
The new variables created to the nginx reverse proxy are properly added to the documentation.pull/755/head
Agustin Ferrario
5 lat temu
2 zmienionych plików z 25 dodań i 1 usunięć
+ 23
- 0
docs/configuring-playbook-nginx.md
Wyświetl plik
| @@ -24,6 +24,29 @@ matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: | |||||
| - 1.1.1.1 | - 1.1.1.1 | ||||
| ``` | ``` | ||||
| ## Adjusting SSL in your server | |||||
| You can adjust how the SSL is served by the nginx server by setting the `matrix_nginx_proxy_ssl_config`. This is based on the Mozilla Server Side TLS | |||||
| Recommended configurations. It changes the TLS Protocol, the SSL Cipher Suites and the `ssl_prefer_server_ciphers` variable of nginx. | |||||
| The posible values are: | |||||
| - "Modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility | |||||
| - "Intermediate" - Recommended configuration for a general-purpose server | |||||
| - "Old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8 | |||||
| - "Custom" - For defining your own protocols an ciphers | |||||
| The default is set to `"Intermediate"`. | |||||
| **Be really carefull when setting it to "Modern"**. This could break the comunication with other matrix servers, limiting your feration posibilities and the | |||||
| [Federarion tester](https://federationtester.matrix.org/) won't work. | |||||
| If you set `matrix_nginx_proxy_ssl_config` to `"Custom"`, you will get three variables that you will be able to set: | |||||
| - `matrix_nginx_proxy_ssl_protocols`: for specifying the supported TLS protocols. | |||||
| - `matrix_nginx_proxy_ssl_prefer_server_ciphers`: for specifying if the server or the client choice when negociating the chipher. It can set to "on" or "off". | |||||
| - `matrix_nginx_proxy_ssl_ciphers`: for specifying the SSL Cipher suites used by nginx. | |||||
| For more information about this variables, check the `roles/matrix-nginx-proxy/defaults/main.yml` file. | |||||
| ## Synapse + OpenID Connect for Single-Sign-On | ## Synapse + OpenID Connect for Single-Sign-On | ||||
+ 2
- 1
docs/configuring-playbook-own-webserver.md
Wyświetl plik
| @@ -48,10 +48,11 @@ Those configuration files are adapted for use with an external web server (one n | |||||
| You can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your own `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;` | You can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your own `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;` | ||||
| Note that if your nginx version is old, it might not like our default choice of SSL protocols (particularly the fact that the brand new `TLSv1.3` protocol is enabled). You can override the protocol list by redefining the `matrix_nginx_proxy_ssl_protocols` variable. Example: | |||||
| Note that if your nginx version is old, it might not like our default choice of SSL protocols (particularly the fact that the brand new `TLSv1.3` protocol is enabled). You can override the protocol list by setting `matrix_nginx_proxy_ssl_config` to `"Custom"` redefining the `matrix_nginx_proxy_ssl_protocols` variable. Example: | |||||
| ```yaml | ```yaml | ||||
| # Custom protocol list (removing `TLSv1.3`) to suit your nginx version. | # Custom protocol list (removing `TLSv1.3`) to suit your nginx version. | ||||
| matrix_nginx_proxy_ssl_config: "Custom" | |||||
| matrix_nginx_proxy_ssl_protocols: "TLSv1.2" | matrix_nginx_proxy_ssl_protocols: "TLSv1.2" | ||||
| ``` | ``` | ||||