overmind
/
matrix-docker-ansible-deploy
镜像来自 https://github.com/spantaleev/matrix-docker-ansible-deploy
1
0
複製 0
程式碼 問題管理 0 版本發佈 0 Wiki Activity
Matrix Docker Ansible eploy
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6381 Commit
13 分支
908 MiB
 
 
目錄樹: 330dfd4eaf
分支列表 標籤列表
${ item.name }
Create branch ${ searchTerm }
from '330dfd4eaf'
${ noResults }
matrix-docker-ansible-deploy/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2

399 line
15 KiB
原始文件 Blame 文件歷史 

  1. #jinja2: lstrip_blocks: "True"

  2. {% macro render_nginx_status_location_block(addresses) %}

  3. 	{# Empty first line to make indentation prettier. #}

  4. 

  5. 	location /nginx_status {

  6. 		stub_status on;

  7. 		access_log off;

  8. 		{% for address in addresses %}

  9. 		allow {{ address }};

  10. 		{% endfor %}

  11. 		deny all;

  12. 	}

  13. {% endmacro %}

  14. 

  15. 

  16. {% macro render_vhost_directives() %}

  17. 	gzip on;

  18. 	gzip_types text/plain application/json;

  19. 

  20. 	{% if matrix_nginx_proxy_floc_optout_enabled %}

  21. 		add_header Permissions-Policy interest-cohort=() always;

  22. 	{% endif %}

  23. 

  24. 	{% if matrix_nginx_proxy_hsts_preload_enabled %}

  25. 		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

  26. 	{% else %}

  27. 		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

  28. 	{% endif %}

  29. 

  30. 	add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";

  31. 

  32. 	location /.well-known/matrix {

  33. 		root {{ matrix_static_files_base_path }};

  34. 		{#

  35. 			A somewhat long expires value is used to prevent outages

  36. 			in case this is unreachable due to network failure or

  37. 			due to the base domain's server completely dying.

  38. 		#}

  39. 		expires 4h;

  40. 		default_type application/json;

  41. 		add_header Access-Control-Allow-Origin *;

  42. 	}

  43. 

  44. 	{% if matrix_nginx_proxy_proxy_matrix_nginx_status_enabled %}

  45. 		{{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }}

  46. 	{% endif %}

  47. 

  48. 	{% if matrix_nginx_proxy_proxy_matrix_metrics_enabled %}

  49. 	location /metrics {

  50. 		{% if matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled %}

  51. 			auth_basic "protected";

  52. 			auth_basic_user_file {{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_path }};

  53. 		{% endif %}

  54. 

  55. 		{% for configuration_block in matrix_nginx_proxy_proxy_matrix_metrics_additional_location_configuration_blocks %}

  56. 			{{- configuration_block }}

  57. 		{% endfor %}

  58. 	}

  59. 	{% endif %}

  60. 

  61. 	{% if matrix_nginx_proxy_proxy_matrix_corporal_api_enabled %}

  62. 	location ^~ /_matrix/corporal {

  63. 		{% if matrix_nginx_proxy_enabled %}

  64. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  65. 			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;

  66. 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container }}";

  67. 			proxy_pass http://$backend;

  68. 		{% else %}

  69. 			{# Generic configuration for use outside of our container setup #}

  70. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container }};

  71. 		{% endif %}

  72. 

  73. 		proxy_set_header Host $host;

  74. 		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};

  75. 		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};

  76. 	}

  77. 	{% endif %}

  78. 

  79. 	{% if matrix_nginx_proxy_proxy_matrix_identity_api_enabled %}

  80. 	location ^~ /_matrix/identity {

  81. 		{% if matrix_nginx_proxy_enabled %}

  82. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  83. 			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;

  84. 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}";

  85. 			proxy_pass http://$backend;

  86. 		{% else %}

  87. 			{# Generic configuration for use outside of our container setup #}

  88. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }};

  89. 		{% endif %}

  90. 

  91. 		proxy_set_header Host $host;

  92. 		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};

  93. 		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};

  94. 	}

  95. 	{% endif %}

  96. 

  97. 	{% if matrix_nginx_proxy_proxy_media_repo_enabled %}

  98. 	# Redirect all media endpoints to the media-repo

  99. 	location ^~ /_matrix/media {

  100. 		{% if matrix_nginx_proxy_enabled %}

  101. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  102. 			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;

  103. 			set $backend "{{ matrix_nginx_proxy_proxy_media_repo_addr_with_container }}";

  104. 			proxy_pass http://$backend;

  105. 		{% else %}

  106. 			{# Generic configuration for use outside of our container setup #}

  107. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_media_repo_addr_sans_container }};

  108. 		{% endif %}

  109. 

  110. 		# Make sure this matches your homeserver in media-repo.yaml

  111. 		# You may have to manually specify it if using delegation or the

  112. 		# incoming Host doesn't match.

  113. 		proxy_set_header Host $host;

  114. 

  115. 		proxy_set_header X-Real-IP $remote_addr;

  116. 		proxy_set_header X-Forwarded-For $remote_addr;

  117. 	}

  118. 

  119. 	# Redirect other endpoints registered by the media-repo to its container

  120. 	# /_matrix/client/r0/logout

  121. 	# /_matrix/client/r0/logout/all

  122. 	location ^~ /_matrix/client/(r0|v1|v3|unstable)/(logout|logout/all) {

  123. 		{% if matrix_nginx_proxy_enabled %}

  124. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  125. 			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;

  126. 			set $backend "{{ matrix_nginx_proxy_proxy_media_repo_addr_with_container }}";

  127. 			proxy_pass http://$backend;

  128. 		{% else %}

  129. 			{# Generic configuration for use outside of our container setup #}

  130. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_media_repo_addr_sans_container }};

  131. 		{% endif %}

  132. 

  133. 		# Make sure this matches your homeserver in media-repo.yaml

  134. 		# You may have to manually specify it if using delegation or the

  135. 		# incoming Host doesn't match.

  136. 		proxy_set_header Host $host;

  137. 

  138. 		proxy_set_header X-Real-IP $remote_addr;

  139. 		proxy_set_header X-Forwarded-For $remote_addr;

  140. 	}

  141. 

  142. 	# Redirect other endpoints registered by the media-repo to its container

  143. 	# /_matrix/client/r0/admin/purge_media_cache

  144. 	# /_matrix/client/r0/admin/quarantine_media/{roomId:[^/]+}

  145. 	location ^~ /_matrix/client/(r0|v1|v3|unstable)/admin/(purge_media_cache|quarantine_media/.*) {

  146. 		{% if matrix_nginx_proxy_enabled %}

  147. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  148. 			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;

  149. 			set $backend "{{ matrix_nginx_proxy_proxy_media_repo_addr_with_container }}";

  150. 			proxy_pass http://$backend;

  151. 		{% else %}

  152. 			{# Generic configuration for use outside of our container setup #}

  153. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_media_repo_addr_sans_container }};

  154. 		{% endif %}

  155. 

  156. 		# Make sure this matches your homeserver in media-repo.yaml

  157. 		# You may have to manually specify it if using delegation or the

  158. 		# incoming Host doesn't match.

  159. 		proxy_set_header Host $host;

  160. 

  161. 		proxy_set_header X-Real-IP $remote_addr;

  162. 		proxy_set_header X-Forwarded-For $remote_addr;

  163. 	}

  164. 

  165. 	# Redirect other endpoints registered by the media-repo to its container

  166. 	location ^~ /_matrix/client/unstable/io.t2bot.media {

  167. 		{% if matrix_nginx_proxy_enabled %}

  168. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  169. 			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;

  170. 			set $backend "{{ matrix_nginx_proxy_proxy_media_repo_addr_with_container }}";

  171. 			proxy_pass http://$backend;

  172. 		{% else %}

  173. 			{# Generic configuration for use outside of our container setup #}

  174. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_media_repo_addr_sans_container }};

  175. 		{% endif %}

  176. 

  177. 		# Make sure this matches your homeserver in media-repo.yaml

  178. 		# You may have to manually specify it if using delegation or the

  179. 		# incoming Host doesn't match.

  180. 		proxy_set_header Host $host;

  181. 

  182. 		proxy_set_header X-Real-IP $remote_addr;

  183. 		proxy_set_header X-Forwarded-For $remote_addr;

  184. 	}

  185. 	{% endif %}

  186. 

  187. 	{% if matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled %}

  188. 	location ^~ /_matrix/client/r0/user_directory/search {

  189. 		{% if matrix_nginx_proxy_enabled %}

  190. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  191. 			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;

  192. 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container }}";

  193. 			proxy_pass http://$backend;

  194. 		{% else %}

  195. 			{# Generic configuration for use outside of our container setup #}

  196. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container }};

  197. 		{% endif %}

  198. 

  199. 		proxy_set_header Host $host;

  200. 		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};

  201. 	}

  202. 	{% endif %}

  203. 

  204. 	{% if matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled %}

  205. 	location ~ ^/_matrix/client/r0/register/(email|msisdn)/requestToken$ {

  206. 		{% if matrix_nginx_proxy_enabled %}

  207. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  208. 			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;

  209. 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container }}";

  210. 			proxy_pass http://$backend;

  211. 		{% else %}

  212. 			{# Generic configuration for use outside of our container setup #}

  213. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container }};

  214. 		{% endif %}

  215. 

  216. 		proxy_set_header Host $host;

  217. 		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};

  218. 		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};

  219. 	}

  220. 	{% endif %}

  221. 

  222. 	{% for configuration_block in matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks %}

  223. 		{{- configuration_block }}

  224. 	{% endfor %}

  225. 

  226. 	{#

  227. 		This handles the Matrix Client API only.

  228. 		The Matrix Federation API is handled by a separate vhost.

  229. 	#}

  230. 	location ~* ^({{ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes|join('|') }}) {

  231. 		{% if matrix_nginx_proxy_enabled %}

  232. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  233. 			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;

  234. 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container }}";

  235. 			proxy_pass http://$backend;

  236. 		{% else %}

  237. 			{# Generic configuration for use outside of our container setup #}

  238. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container }};

  239. 		{% endif %}

  240. 

  241. 		proxy_set_header Host $host;

  242. 		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};

  243. 		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};

  244. 

  245. 		client_body_buffer_size 25M;

  246. 		client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M;

  247. 		proxy_max_temp_file_size 0;

  248. 	}

  249. 

  250. 	{#

  251. 		We only handle the root URI for this redirect or homepage serving.

  252. 		Unhandled URIs (mostly by `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes` above) should result in a 404,

  253. 		instead of causing a redirect.

  254. 		See: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1058

  255. 	#}

  256. 	location ~* ^/$ {

  257. 		{% if matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain %}

  258. 			return 302 {{ matrix_nginx_proxy_x_forwarded_proto_value }}://{{ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain }}$request_uri;

  259. 		{% else %}

  260. 			rewrite ^/$ /_matrix/static/ last;

  261. 		{% endif %}

  262. 	}

  263. {% endmacro %}

  264. 

  265. server {

  266. 	listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};

  267. 	listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }};

  268. 

  269. 	server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};

  270. 

  271. 	server_tokens off;

  272. 	root /dev/null;

  273. 

  274. 	{% if matrix_nginx_proxy_https_enabled %}

  275. 		location /.well-known/acme-challenge {

  276. 			{% if matrix_nginx_proxy_enabled %}

  277. 				{# Use the embedded DNS resolver in Docker containers to discover the service #}

  278. 				resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;

  279. 				set $backend "matrix-certbot:8080";

  280. 				proxy_pass http://$backend;

  281. 			{% else %}

  282. 				{# Generic configuration for use outside of our container setup #}

  283. 				proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};

  284. 			{% endif %}

  285. 		}

  286. 

  287. 		{% if matrix_nginx_proxy_proxy_matrix_nginx_status_enabled %}

  288. 			{{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }}

  289. 		{% endif %}

  290. 

  291. 		location / {

  292. 			return 301 https://$http_host$request_uri;

  293. 		}

  294. 	{% else %}

  295. 		{{ render_vhost_directives() }}

  296. 	{% endif %}

  297. }

  298. 

  299. {% if matrix_nginx_proxy_https_enabled %}

  300. server {

  301. 	listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;

  302. 	listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;

  303. 

  304. 	server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};

  305. 

  306. 	server_tokens off;

  307. 	root /dev/null;

  308. 

  309. 	ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem;

  310. 	ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem;

  311. 

  312. 	ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};

  313. 	{% if matrix_nginx_proxy_ssl_ciphers != '' %}

  314. 	ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};

  315. 	{% endif %}

  316. 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};

  317. 

  318. 	{% if matrix_nginx_proxy_ocsp_stapling_enabled %}

  319. 		ssl_stapling on;

  320. 		ssl_stapling_verify on;

  321. 		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem;

  322. 	{% endif %}

  323. 

  324. 	{% if matrix_nginx_proxy_ssl_session_tickets_off %}

  325. 		ssl_session_tickets off;

  326. 	{% endif %}

  327. 	ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};

  328. 	ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};

  329. 

  330. 	{{ render_vhost_directives() }}

  331. }

  332. {% endif %}

  333. 

  334. {% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled %}

  335. {#

  336. 	This federation vhost is a little special.

  337. 	It serves federation over HTTP or HTTPS, depending on `matrix_nginx_proxy_https_enabled`.

  338. #}

  339. server {

  340. 	{% if matrix_nginx_proxy_https_enabled %}

  341. 		listen {{ matrix_nginx_proxy_proxy_matrix_federation_port }} ssl http2;

  342. 		listen [::]:{{ matrix_nginx_proxy_proxy_matrix_federation_port }} ssl http2;

  343. 	{% else %}

  344. 		listen {{ matrix_nginx_proxy_proxy_matrix_federation_port }};

  345. 	{% endif %}

  346. 

  347. 	server_name {{ matrix_nginx_proxy_proxy_matrix_federation_hostname }};

  348. 	server_tokens off;

  349. 

  350. 	root /dev/null;

  351. 

  352. 	gzip on;

  353. 	gzip_types text/plain application/json;

  354. 

  355. 	{% if matrix_nginx_proxy_https_enabled %}

  356. 		ssl_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate }};

  357. 		ssl_certificate_key {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key }};

  358. 

  359. 		ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};

  360. 		{% if matrix_nginx_proxy_ssl_ciphers != '' %}

  361. 			ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};

  362. 		{% endif %}

  363. 		ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};

  364. 

  365. 		{% if matrix_nginx_proxy_ocsp_stapling_enabled %}

  366. 			ssl_stapling on;

  367. 			ssl_stapling_verify on;

  368. 			ssl_trusted_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate }};

  369. 		{% endif %}

  370. 

  371. 		{% if matrix_nginx_proxy_ssl_session_tickets_off %}

  372. 			ssl_session_tickets off;

  373. 		{% endif %}

  374. 		ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};

  375. 		ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};

  376. 	{% endif %}

  377. 

  378. 	location / {

  379. 		{% if matrix_nginx_proxy_enabled %}

  380. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  381. 			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;

  382. 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container }}";

  383. 			proxy_pass http://$backend;

  384. 		{% else %}

  385. 			{# Generic configuration for use outside of our container setup #}

  386. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container }};

  387. 		{% endif %}

  388. 

  389. 		proxy_set_header Host $host;

  390. 		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};

  391. 		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};

  392. 

  393. 		client_body_buffer_size 25M;

  394. 		client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M;

  395. 		proxy_max_temp_file_size 0;

  396. 	}

  397. }

  398. {% endif %}