overmind
/
matrix-docker-ansible-deploy
mirror of https://github.com/spantaleev/matrix-docker-ansible-deploy
1
0
Fork 0
Code Issues 0 Releases 0 Wiki Activity
Matrix Docker Ansible eploy
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7019 Commits
13 Branches
487 MiB
 
 
Tree: 95e5a5c62e
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '95e5a5c62e'
${ noResults }
matrix-docker-ansible-deploy/examples/caddy2/Caddyfile.deprecated

270 lines
9.4 KiB
Raw Blame History 

  1. (cors) {

  2. 	@cors_preflight method OPTIONS

  3. 

  4. 	handle @cors_preflight {

  5. 		header Access-Control-Allow-Origin "{args.0}"

  6. 		header Access-Control-Allow-Methods "HEAD, GET, POST, PUT, PATCH, DELETE"

  7. 		header Access-Control-Allow-Headers "Content-Type, Authorization"

  8. 		header Access-Control-Max-Age "3600"

  9. 	}

  10. }

  11. 

  12. 

  13. matrix.DOMAIN.tld {

  14. 

  15.   # creates letsencrypt certificate

  16.   # tls your@email.com

  17. 

  18.   @identity {

  19.         path /_matrix/identity/*

  20.   }

  21. 

  22.   @noidentity {

  23.         not path /_matrix/identity/*

  24.   }

  25. 

  26.   @search {

  27.         path /_matrix/client/r0/user_directory/search/*

  28.   }

  29. 

  30.   @nosearch {

  31.         not path /_matrix/client/r0/user_directory/search/*

  32.   }

  33. 

  34.   @static {

  35.         path /matrix/static-files/*

  36.   }

  37. 

  38.   @nostatic {

  39.         not path /matrix/static-files/*

  40.   }

  41. 

  42.   @wellknown {

  43.         path /.well-known/matrix/*

  44.   }

  45. 

  46.   header {

  47.         # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS

  48.         Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

  49.         # Enable cross-site filter (XSS) and tell browser to block detected attacks

  50.         X-XSS-Protection "1; mode=block"

  51.         # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type

  52.         X-Content-Type-Options "nosniff"

  53.         # Disallow the site to be rendered within a frame (clickjacking protection)

  54.         X-Frame-Options "DENY"

  55.         # X-Robots-Tag

  56.         X-Robots-Tag "noindex, noarchive, nofollow"

  57.   }

  58. 

  59.   # Cache

  60.   header @static {

  61.         # Cache

  62.     Cache-Control "public, max-age=31536000"

  63.     defer

  64.   }

  65. 

  66.   # identity

  67.   handle @identity {

  68.         reverse_proxy localhost:8090  {

  69.                header_up X-Forwarded-Port {http.request.port}

  70.                header_up X-Forwarded-Proto {http.request.scheme}

  71.                header_up X-Forwarded-TlsProto {tls_protocol}

  72.                header_up X-Forwarded-TlsCipher {tls_cipher}

  73.                header_up X-Forwarded-HttpsProto {proto}

  74.         }

  75.   }

  76. 

  77.   # search

  78.   handle @search {

  79.         reverse_proxy localhost:8090   {

  80.                header_up X-Forwarded-Port {http.request.port}

  81.                header_up X-Forwarded-Proto {http.request.scheme}

  82.                header_up X-Forwarded-TlsProto {tls_protocol}

  83.                header_up X-Forwarded-TlsCipher {tls_cipher}

  84.                header_up X-Forwarded-HttpsProto {proto}

  85.         }

  86.   }

  87. 

  88.   handle @wellknown {

  89.         encode zstd gzip

  90.         root * /matrix/static-files

  91. 	header Cache-Control max-age=14400

  92.         header Content-Type application/json

  93.         header Access-Control-Allow-Origin *

  94.         file_server

  95.   }

  96.   

  97.   # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the base domain

  98.   #handle @wellknown {

  99.   #  # .well-known is handled by base domain

  100.   #  reverse_proxy https://DOMAIN.tld {

  101.   #  header_up Host {http.reverse_proxy.upstream.hostport}

  102.   #}

  103. 

  104.   handle {

  105.         encode zstd gzip

  106. 

  107.         reverse_proxy localhost:8008  {

  108.                header_up X-Forwarded-Port {http.request.port}

  109.                header_up X-Forwarded-Proto {http.request.scheme}

  110.                header_up X-Forwarded-TlsProto {tls_protocol}

  111.                header_up X-Forwarded-TlsCipher {tls_cipher}

  112.                header_up X-Forwarded-HttpsProto {proto}

  113.         }

  114.   }

  115. }

  116. 

  117. matrix.DOMAIN.tld:8448 {

  118.     handle {

  119.         encode zstd gzip

  120. 

  121.         reverse_proxy 127.0.0.1:8048 {

  122.                header_up X-Forwarded-Port {http.request.port}

  123.                header_up X-Forwarded-Proto {http.request.scheme}

  124.                header_up X-Forwarded-TlsProto {tls_protocol}

  125.                header_up X-Forwarded-TlsCipher {tls_cipher}

  126.                header_up X-Forwarded-HttpsProto {proto}

  127.         }

  128.     }

  129. }

  130. 

  131. element.DOMAIN.tld {

  132. 

  133.       # creates letsencrypt certificate

  134.       # tls your@email.com

  135. 

  136.       import cors https://*.DOMAIN.tld

  137. 

  138.       header {

  139.                 # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS

  140.                 Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

  141.                 # Enable cross-site filter (XSS) and tell browser to block detected attacks

  142.                 X-XSS-Protection "1; mode=block"

  143.                 # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type

  144.                 X-Content-Type-Options "nosniff"

  145.                 # Disallow the site to be rendered within a frame (clickjacking protection)

  146.                 X-Frame-Options "DENY"

  147.                 # If using integrations that add frames to Element, such as Dimension and its integrations running on the same domain, it can be a good idea to limit sources allowed to be rendered

  148.                 # Content-Security-Policy frame-src https://*.DOMAIN.tld

  149.                 # X-Robots-Tag

  150.                 X-Robots-Tag "noindex, noarchive, nofollow"

  151.         }

  152. 

  153.         handle {

  154.               encode zstd gzip

  155. 

  156.               reverse_proxy localhost:8765 {

  157.                      header_up X-Forwarded-Port {http.request.port}

  158.                      header_up X-Forwarded-Proto {http.request.scheme}

  159.                      header_up X-Forwarded-TlsProto {tls_protocol}

  160.                      header_up X-Forwarded-TlsCipher {tls_cipher}

  161.                      header_up X-Forwarded-HttpsProto {proto}

  162.         }

  163. }

  164. 

  165. #dimension.DOMAIN.tld {

  166. #

  167. #      # creates letsencrypt certificate

  168. #      # tls your@email.com

  169. #

  170. #      import cors https://*.DOMAIN.tld

  171. #

  172. #      header {

  173. #          # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS

  174. #          Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

  175. #          # Enable cross-site filter (XSS) and tell browser to block detected attacks

  176. #          X-XSS-Protection "1; mode=block"

  177. #          # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type

  178. #          X-Content-Type-Options "nosniff"

  179. #          # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain (clickjacking protection)

  180. #          Content-Security-Policy frame-ancestors https://*.DOMAIN.tld

  181. #          # X-Robots-Tag

  182. #          X-Robots-Tag "noindex, noarchive, nofollow"

  183. #    }

  184. #

  185. #      handle {

  186. #          encode zstd gzip

  187. #

  188. #          reverse_proxy localhost:8184  {

  189. #                  header_up X-Forwarded-Port {http.request.port}

  190. #                  header_up X-Forwarded-Proto {http.request.scheme}

  191. #                  header_up X-Forwarded-TlsProto {tls_protocol}

  192. #                  header_up X-Forwarded-TlsCipher {tls_cipher}

  193. #                  header_up X-Forwarded-HttpsProto {proto}

  194. #          }

  195. #    }

  196. #}

  197. 

  198. 

  199. #jitsi.DOMAIN.tld {

  200. #

  201. #  creates letsencrypt certificate

  202. #  tls your@email.com

  203. #

  204. #  import cors https://*.DOMAIN.tld

  205. #

  206. #  header {

  207. #        # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS

  208. #        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

  209. #

  210. #        # Enable cross-site filter (XSS) and tell browser to block detected attacks

  211. #        X-XSS-Protection "1; mode=block"

  212. #

  213. #        # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type

  214. #        X-Content-Type-Options "nosniff"

  215. 

  216. #        # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain

  217. #        Content-Security-Policy frame-ancestors https://*.DOMAIN.tld

  218. #

  219. #        # Disable some features

  220. #        Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope #'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"

  221. #

  222. #        # Referer

  223. #        Referrer-Policy "no-referrer"

  224. #

  225. #        # X-Robots-Tag

  226. #        X-Robots-Tag "none"

  227. #

  228. #        # Remove Server header

  229. #        -Server

  230. #  }

  231. #

  232. #  handle {

  233. #        encode zstd gzip

  234. #

  235. #        reverse_proxy 127.0.0.1:13080 {

  236. #               header_up X-Forwarded-Port {http.request.port}

  237. #               header_up X-Forwarded-Proto {http.request.scheme}

  238. #               header_up X-Forwarded-TlsProto {tls_protocol}

  239. #               header_up X-Forwarded-TlsCipher {tls_cipher}

  240. #               header_up X-Forwarded-HttpsProto {proto}

  241. #        }

  242. #  }

  243. #}

  244. #DOMAIN.com {

  245. # Uncomment this if you are following "(Option 3): Setting up reverse-proxying of the well-known files from the base domain's server to the Matrix server" of https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md#option-3-setting-up-reverse-proxying-of-the-well-known-files-from-the-base-domains-server-to-the-matrix-server

  246. #    @wellknown {

  247. #        path /.well-known/matrix/*

  248. #    }

  249. #

  250. #    handle @wellknown {

  251. #        reverse_proxy https://matrix.DOMAIN.com {

  252. #            header_up Host {http.reverse_proxy.upstream.hostport}

  253. #        }

  254. #    }

  255. #    # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the matrix subdomain

  256. #      # handle /.well-known/* {

  257. #	#	encode zstd gzip

  258. #	#	header Cache-Control max-age=14400

  259. #	#	header Content-Type application/json

  260. #	#	header Access-Control-Allow-Origin *

  261. #	#}

  262. #

  263. #    # Configration for the base domain goes here

  264. #   # handle {

  265. #   #    header -Server

  266. #   #     encode zstd gzip

  267. #   #    reverse_proxy localhost:4020

  268. #   # }

  269. #}