overmind
/
matrix-docker-ansible-deploy
zrcadlo https://github.com/spantaleev/matrix-docker-ansible-deploy
1
0
Rozštěpit 0
Zdrojový kód Úkoly 0 Vydání 0 Wiki Aktivita
Matrix Docker Ansible eploy
Nelze vybrat více než 25 témat Téma musí začínat písmenem nebo číslem, může obsahovat pomlčky („-“) a může být dlouhé až 35 znaků.
6908 Revize
12 Větve
511 MiB
 
 
Strom: 8c531b7971
Větve Značky
${ item.name }
Vytvořit větev ${ searchTerm }
z „8c531b7971“
${ noResults }
matrix-docker-ansible-deploy/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2

414 řádky
16 KiB
Surový Blame Historie 

  1. #jinja2: lstrip_blocks: "True"

  2. {% macro render_nginx_status_location_block(addresses) %}

  3. 	{# Empty first line to make indentation prettier. #}

  4. 

  5. 	location /nginx_status {

  6. 		stub_status on;

  7. 		access_log off;

  8. 		{% for address in addresses %}

  9. 		allow {{ address }};

  10. 		{% endfor %}

  11. 		deny all;

  12. 	}

  13. {% endmacro %}

  14. 

  15. 

  16. {% macro render_vhost_directives() %}

  17. 	gzip on;

  18. 	gzip_types text/plain application/json;

  19. 

  20. 	{% if matrix_nginx_proxy_floc_optout_enabled %}

  21. 		add_header Permissions-Policy interest-cohort=() always;

  22. 	{% endif %}

  23. 

  24. 	{% if matrix_nginx_proxy_hsts_preload_enabled %}

  25. 		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

  26. 	{% else %}

  27. 		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

  28. 	{% endif %}

  29. 

  30. 	add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";

  31. 

  32. 	location /.well-known/matrix {

  33. 		root {{ matrix_static_files_base_path }};

  34. 		{#

  35. 			A somewhat long expires value is used to prevent outages

  36. 			in case this is unreachable due to network failure or

  37. 			due to the base domain's server completely dying.

  38. 		#}

  39. 		expires 4h;

  40. 		default_type application/json;

  41. 		add_header Access-Control-Allow-Origin *;

  42. 	}

  43. 

  44. 	{% if matrix_nginx_proxy_proxy_matrix_nginx_status_enabled %}

  45. 		{{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }}

  46. 	{% endif %}

  47. 

  48. 	{% if matrix_nginx_proxy_proxy_matrix_metrics_enabled %}

  49. 	location /metrics {

  50. 		{% if matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled %}

  51. 			auth_basic "protected";

  52. 			auth_basic_user_file {{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_path }};

  53. 		{% endif %}

  54. 

  55. 		{% for configuration_block in matrix_nginx_proxy_proxy_matrix_metrics_additional_location_configuration_blocks %}

  56. 			{{- configuration_block }}

  57. 		{% endfor %}

  58. 	}

  59. 	{% endif %}

  60. 

  61. 	{% if matrix_nginx_proxy_proxy_matrix_corporal_api_enabled %}

  62. 	location ^~ /_matrix/corporal {

  63. 		{% if matrix_nginx_proxy_enabled %}

  64. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  65. 			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;

  66. 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container }}";

  67. 			proxy_pass http://$backend;

  68. 		{% else %}

  69. 			{# Generic configuration for use outside of our container setup #}

  70. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container }};

  71. 		{% endif %}

  72. 

  73. 		proxy_set_header Host $host;

  74. 		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};

  75. 		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};

  76. 	}

  77. 	{% endif %}

  78. 

  79. 	{% if matrix_nginx_proxy_proxy_matrix_identity_api_enabled %}

  80. 	location ^~ /_matrix/identity {

  81. 		{% if matrix_nginx_proxy_enabled %}

  82. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  83. 			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;

  84. 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}";

  85. 			proxy_pass http://$backend;

  86. 		{% else %}

  87. 			{# Generic configuration for use outside of our container setup #}

  88. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }};

  89. 		{% endif %}

  90. 

  91. 		proxy_set_header Host $host;

  92. 		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};

  93. 		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};

  94. 	}

  95. 	{% endif %}

  96. 

  97. 	{% if matrix_nginx_proxy_proxy_media_repo_enabled %}

  98. 	# Redirect all media endpoints to the media-repo

  99. 	location ^~ /_matrix/media {

  100. 		{% if matrix_nginx_proxy_enabled %}

  101. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  102. 			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;

  103. 			set $backend "{{ matrix_nginx_proxy_proxy_media_repo_addr_with_container }}";

  104. 			proxy_pass http://$backend;

  105. 		{% else %}

  106. 			{# Generic configuration for use outside of our container setup #}

  107. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_media_repo_addr_sans_container }};

  108. 		{% endif %}

  109. 

  110. 		# Make sure this matches your homeserver in media-repo.yaml

  111. 		# You may have to manually specify it if using delegation or the

  112. 		# incoming Host doesn't match.

  113. 		proxy_set_header Host $host;

  114. 

  115. 		proxy_set_header X-Real-IP $remote_addr;

  116. 		proxy_set_header X-Forwarded-For $remote_addr;

  117. 

  118. 		client_body_buffer_size {{ ((matrix_media_repo_max_bytes | int) / 4) | int }};

  119. 		client_max_body_size {{ matrix_media_repo_max_bytes }};

  120. 	}

  121. 

  122. 	# Redirect other endpoints registered by the media-repo to its container

  123. 	# /_matrix/client/r0/logout

  124. 	# /_matrix/client/r0/logout/all

  125. 	location ~ ^/_matrix/client/(r0|v1|v3|unstable)/(logout|logout/all) {

  126. 		{% if matrix_nginx_proxy_enabled %}

  127. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  128. 			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;

  129. 			set $backend "{{ matrix_nginx_proxy_proxy_media_repo_addr_with_container }}";

  130. 			proxy_pass http://$backend;

  131. 		{% else %}

  132. 			{# Generic configuration for use outside of our container setup #}

  133. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_media_repo_addr_sans_container }};

  134. 		{% endif %}

  135. 

  136. 		# Make sure this matches your homeserver in media-repo.yaml

  137. 		# You may have to manually specify it if using delegation or the

  138. 		# incoming Host doesn't match.

  139. 		proxy_set_header Host $host;

  140. 

  141. 		proxy_set_header X-Real-IP $remote_addr;

  142. 		proxy_set_header X-Forwarded-For $remote_addr;

  143. 	}

  144. 

  145. 	# Redirect other endpoints registered by the media-repo to its container

  146. 	# /_matrix/client/r0/admin/purge_media_cache

  147. 	# /_matrix/client/r0/admin/quarantine_media/{roomId:[^/]+}

  148. 	location ~ ^/_matrix/client/(r0|v1|v3|unstable)/admin/(purge_media_cache|quarantine_media/.*) {

  149. 		{% if matrix_nginx_proxy_enabled %}

  150. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  151. 			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;

  152. 			set $backend "{{ matrix_nginx_proxy_proxy_media_repo_addr_with_container }}";

  153. 			proxy_pass http://$backend;

  154. 		{% else %}

  155. 			{# Generic configuration for use outside of our container setup #}

  156. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_media_repo_addr_sans_container }};

  157. 		{% endif %}

  158. 

  159. 		# Make sure this matches your homeserver in media-repo.yaml

  160. 		# You may have to manually specify it if using delegation or the

  161. 		# incoming Host doesn't match.

  162. 		proxy_set_header Host $host;

  163. 

  164. 		proxy_set_header X-Real-IP $remote_addr;

  165. 		proxy_set_header X-Forwarded-For $remote_addr;

  166. 	}

  167. 

  168. 	# Redirect other endpoints registered by the media-repo to its container

  169. 	location ^~ /_matrix/client/unstable/io.t2bot.media {

  170. 		{% if matrix_nginx_proxy_enabled %}

  171. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  172. 			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;

  173. 			set $backend "{{ matrix_nginx_proxy_proxy_media_repo_addr_with_container }}";

  174. 			proxy_pass http://$backend;

  175. 		{% else %}

  176. 			{# Generic configuration for use outside of our container setup #}

  177. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_media_repo_addr_sans_container }};

  178. 		{% endif %}

  179. 

  180. 		# Make sure this matches your homeserver in media-repo.yaml

  181. 		# You may have to manually specify it if using delegation or the

  182. 		# incoming Host doesn't match.

  183. 		proxy_set_header Host $host;

  184. 

  185. 		proxy_set_header X-Real-IP $remote_addr;

  186. 		proxy_set_header X-Forwarded-For $remote_addr;

  187. 	}

  188. 	{% endif %}

  189. 

  190. 	{% if matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled %}

  191. 	location ~ ^/_matrix/client/(r0|v3)/user_directory/search {

  192. 		{% if matrix_nginx_proxy_enabled %}

  193. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  194. 			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;

  195. 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container }}";

  196. 			{% if matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled %}

  197. 			rewrite ^(.*?)/v3/(.*?)$  $1/r0/$2 break;

  198. 			{% endif %}

  199. 			proxy_pass http://$backend;

  200. 		{% else %}

  201. 			{% if matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled %}

  202. 			rewrite ^(.*?)/v3/(.*?)$  $1/r0/$2 break;

  203. 			{% endif %}

  204. 			{# Generic configuration for use outside of our container setup #}

  205. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container }};

  206. 		{% endif %}

  207. 

  208. 		proxy_set_header Host $host;

  209. 		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};

  210. 	}

  211. 	{% endif %}

  212. 

  213. 	{% if matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled %}

  214. 	location ~ ^/_matrix/client/(r0|v3)/register/(email|msisdn)/requestToken$ {

  215. 		{% if matrix_nginx_proxy_enabled %}

  216. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  217. 			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;

  218. 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container }}";

  219. 			{% if matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled %}

  220. 			rewrite ^(.*?)/v3/(.*?)$  $1/r0/$2 break;

  221. 			{% endif %}

  222. 			proxy_pass http://$backend;

  223. 		{% else %}

  224. 			{% if matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled %}

  225. 			rewrite ^(.*?)/v3/(.*?)$  $1/r0/$2 break;

  226. 			{% endif %}

  227. 			{# Generic configuration for use outside of our container setup #}

  228. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container }};

  229. 		{% endif %}

  230. 

  231. 		proxy_set_header Host $host;

  232. 		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};

  233. 		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};

  234. 	}

  235. 	{% endif %}

  236. 

  237. 	{% for configuration_block in matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks %}

  238. 		{{- configuration_block }}

  239. 	{% endfor %}

  240. 

  241. 	{#

  242. 		This handles the Matrix Client API only.

  243. 		The Matrix Federation API is handled by a separate vhost.

  244. 	#}

  245. 	location ~* ^({{ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes|join('|') }}) {

  246. 		{% if matrix_nginx_proxy_enabled %}

  247. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  248. 			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;

  249. 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container }}";

  250. 			proxy_pass http://$backend;

  251. 		{% else %}

  252. 			{# Generic configuration for use outside of our container setup #}

  253. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container }};

  254. 		{% endif %}

  255. 

  256. 		proxy_set_header Host $host;

  257. 		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};

  258. 		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};

  259. 

  260. 		client_body_buffer_size 25M;

  261. 		client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M;

  262. 		proxy_max_temp_file_size 0;

  263. 	}

  264. 

  265. 	{#

  266. 		We only handle the root URI for this redirect or homepage serving.

  267. 		Unhandled URIs (mostly by `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes` above) should result in a 404,

  268. 		instead of causing a redirect.

  269. 		See: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1058

  270. 	#}

  271. 	location ~* ^/$ {

  272. 		{% if matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain %}

  273. 			return 302 {{ matrix_nginx_proxy_x_forwarded_proto_value }}://{{ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain }}$request_uri;

  274. 		{% else %}

  275. 			rewrite ^/$ /_matrix/static/ last;

  276. 		{% endif %}

  277. 	}

  278. {% endmacro %}

  279. 

  280. server {

  281. 	listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};

  282. 	listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }};

  283. 

  284. 	server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};

  285. 

  286. 	server_tokens off;

  287. 	root /dev/null;

  288. 

  289. 	{% if matrix_nginx_proxy_https_enabled %}

  290. 		location /.well-known/acme-challenge {

  291. 			{% if matrix_nginx_proxy_enabled %}

  292. 				{# Use the embedded DNS resolver in Docker containers to discover the service #}

  293. 				resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;

  294. 				set $backend "matrix-certbot:8080";

  295. 				proxy_pass http://$backend;

  296. 			{% else %}

  297. 				{# Generic configuration for use outside of our container setup #}

  298. 				proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};

  299. 			{% endif %}

  300. 		}

  301. 

  302. 		{% if matrix_nginx_proxy_proxy_matrix_nginx_status_enabled %}

  303. 			{{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }}

  304. 		{% endif %}

  305. 

  306. 		location / {

  307. 			return 301 https://$http_host$request_uri;

  308. 		}

  309. 	{% else %}

  310. 		{{ render_vhost_directives() }}

  311. 	{% endif %}

  312. }

  313. 

  314. {% if matrix_nginx_proxy_https_enabled %}

  315. server {

  316. 	listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;

  317. 	listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;

  318. 

  319. 	server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};

  320. 

  321. 	server_tokens off;

  322. 	root /dev/null;

  323. 

  324. 	ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem;

  325. 	ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem;

  326. 

  327. 	ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};

  328. 	{% if matrix_nginx_proxy_ssl_ciphers != '' %}

  329. 	ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};

  330. 	{% endif %}

  331. 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};

  332. 

  333. 	{% if matrix_nginx_proxy_ocsp_stapling_enabled %}

  334. 		ssl_stapling on;

  335. 		ssl_stapling_verify on;

  336. 		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem;

  337. 	{% endif %}

  338. 

  339. 	{% if matrix_nginx_proxy_ssl_session_tickets_off %}

  340. 		ssl_session_tickets off;

  341. 	{% endif %}

  342. 	ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};

  343. 	ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};

  344. 

  345. 	{{ render_vhost_directives() }}

  346. }

  347. {% endif %}

  348. 

  349. {% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled %}

  350. {#

  351. 	This federation vhost is a little special.

  352. 	It serves federation over HTTP or HTTPS, depending on `matrix_nginx_proxy_https_enabled`.

  353. #}

  354. server {

  355. 	{% if matrix_nginx_proxy_https_enabled %}

  356. 		listen {{ matrix_nginx_proxy_proxy_matrix_federation_port }} ssl http2;

  357. 		listen [::]:{{ matrix_nginx_proxy_proxy_matrix_federation_port }} ssl http2;

  358. 	{% else %}

  359. 		listen {{ matrix_nginx_proxy_proxy_matrix_federation_port }};

  360. 	{% endif %}

  361. 

  362. 	server_name {{ matrix_nginx_proxy_proxy_matrix_federation_hostname }};

  363. 	server_tokens off;

  364. 

  365. 	root /dev/null;

  366. 

  367. 	gzip on;

  368. 	gzip_types text/plain application/json;

  369. 

  370. 	{% if matrix_nginx_proxy_https_enabled %}

  371. 		ssl_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate }};

  372. 		ssl_certificate_key {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key }};

  373. 

  374. 		ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};

  375. 		{% if matrix_nginx_proxy_ssl_ciphers != '' %}

  376. 			ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};

  377. 		{% endif %}

  378. 		ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};

  379. 

  380. 		{% if matrix_nginx_proxy_ocsp_stapling_enabled %}

  381. 			ssl_stapling on;

  382. 			ssl_stapling_verify on;

  383. 			ssl_trusted_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate }};

  384. 		{% endif %}

  385. 

  386. 		{% if matrix_nginx_proxy_ssl_session_tickets_off %}

  387. 			ssl_session_tickets off;

  388. 		{% endif %}

  389. 		ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};

  390. 		ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};

  391. 	{% endif %}

  392. 

  393. 	location / {

  394. 		{% if matrix_nginx_proxy_enabled %}

  395. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  396. 			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;

  397. 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container }}";

  398. 			proxy_pass http://$backend;

  399. 		{% else %}

  400. 			{# Generic configuration for use outside of our container setup #}

  401. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container }};

  402. 		{% endif %}

  403. 

  404. 		proxy_set_header Host $host;

  405. 		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};

  406. 		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};

  407. 

  408. 		client_body_buffer_size 25M;

  409. 		client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M;

  410. 		proxy_max_temp_file_size 0;

  411. 	}

  412. }

  413. {% endif %}