164 lines
4.7 KiB
Django/Jinja
164 lines
4.7 KiB
Django/Jinja
server {
|
|
listen 443 ssl;
|
|
|
|
# On newer nginx versions:
|
|
#http2 off;
|
|
|
|
{% if inventory_hostname in wg_clients -%}
|
|
listen {{ wg_clients[inventory_hostname].ip }}:443 ssl;
|
|
{% endif -%}
|
|
|
|
## For the federation port (not needed according to logs)
|
|
# listen 8448 ssl http2 default_server;
|
|
|
|
# ipv6
|
|
#listen [::]:443 ssl http2;
|
|
#listen [::]:8448 ssl http2 default_server;
|
|
|
|
include sec.conf;
|
|
include listen-proxy-protocol.conf;
|
|
server_name {{ matrix_url }};
|
|
|
|
root {{ systemuserlist.matrix.home }}/html/;
|
|
|
|
client_body_buffer_size 1024m;
|
|
proxy_max_temp_file_size 0;
|
|
|
|
include /etc/nginx/well-known.conf;
|
|
include /etc/nginx/sudo-known.conf;
|
|
|
|
location /favicon.png {
|
|
return 302 https://www.{{ domain }}$request_uri;
|
|
}
|
|
|
|
location = /_health {
|
|
proxy_pass http://{{ bridgewithdns.matrix }}:{{ matrix_synapse_port }}/health;
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header Host $host;
|
|
}
|
|
location ~* ^(/_matrix|/_synapse/client) {
|
|
# working around this issue that seems to still be hapening
|
|
# https://github.com/matrix-org/synapse/issues/2748
|
|
#
|
|
# Disabled: 2024-09-24
|
|
#if ($args ~ (^|.*&)height=0(.*)) {
|
|
# set $args $1height=400$2;
|
|
#}
|
|
#if ($args ~ (^|.*&)width=0(.*)) {
|
|
# set $args $1width=400$2;
|
|
#}
|
|
|
|
# no trailing / to `proxy_pass`, otherwise nginx with canonicalise the URI and cause
|
|
# signature verification errors
|
|
proxy_pass http://{{ bridgewithdns.matrix }}:{{ matrix_synapse_port }};
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header Host $host;
|
|
|
|
|
|
# Nginx by default only allows file uploads up to 1M in size
|
|
# Increase client_max_body_size to match max_upload_size defined
|
|
# in homeserver.yaml
|
|
client_max_body_size {{ matrix_upload_size }};
|
|
}
|
|
|
|
{% if matrix_registration_enabled -%}
|
|
location ~ ^/(static|register) {
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
proxy_pass http://{{ bridgewithdns.matrix_reg }}:{{ matrix_registration_port }};
|
|
}
|
|
{% endif %}
|
|
|
|
{% if matrix_webhook_enabled -%}
|
|
location /_webhook {
|
|
proxy_pass http://10.102.47.128:3033/_webhook;
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header Host $host;
|
|
}
|
|
{% endif %}
|
|
|
|
{% if matrix_hydrogen_enabled -%}
|
|
location /hydrogen {
|
|
alias /usr/local/share/hydrogen-web/;
|
|
charset utf-8;
|
|
index index.html;
|
|
autoindex off;
|
|
}
|
|
{% endif %}
|
|
|
|
include /etc/nginx/authelia_internal.conf;
|
|
location /_synapse/admin {
|
|
include /etc/nginx/require_auth.conf;
|
|
|
|
proxy_pass http://{{ bridgewithdns.matrix }}:{{ matrix_synapse_port }};
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header Host $host;
|
|
}
|
|
|
|
{% if matrix_admin_enabled -%}
|
|
# to work around authelia not matching /_a/ requests, with this error:
|
|
#
|
|
# No matching rule for subject https://{{ matrix_url }}/_a/... Applying default policy.
|
|
|
|
location = /_a {
|
|
return 302 https://{{ matrix_url }}/_a/index.html;
|
|
}
|
|
|
|
location /_a/ {
|
|
include /etc/nginx/require_auth.conf;
|
|
|
|
alias /usr/local/share/synapse-admin/;
|
|
charset utf-8;
|
|
index index.html;
|
|
autoindex off;
|
|
}
|
|
{% endif %}
|
|
|
|
{% if matrix_fed_tester_enabled -%}
|
|
location /federationtester {
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header Host $host;
|
|
rewrite ^/federationtester(/?)$ /api/report break;
|
|
proxy_pass http://{{ bridgewithdns.matrix_fed_tester }}:{{ matrix_fed_tester_port }}/;
|
|
}
|
|
{% endif %}
|
|
|
|
{% if matrix_bridges_enabled -%}
|
|
location /_telegram/public {
|
|
proxy_pass http://{{ bridgewithdns.matrix_telegram }}:{{ matrix_telegram_port }};
|
|
}
|
|
{% endif %}
|
|
|
|
rewrite ^/myip$ https://www.{{ domain }}/myip permanent;
|
|
|
|
ssl_certificate /usr/local/etc/certs/{{ matrix_url }}/fullchain.pem;
|
|
ssl_certificate_key /usr/local/etc/certs/{{ matrix_url }}/privkey.pem;
|
|
|
|
access_log /var/log/nginx/access_{{ matrix_url }}.log main;
|
|
error_log /var/log/nginx/error_{{ matrix_url }}.log warn;
|
|
|
|
}
|
|
|
|
{# server {
|
|
# listen 443 ssl http2;
|
|
#
|
|
# server_name {{ matrix_maubot_url }};
|
|
#
|
|
# location /_matrix/maubot/v1/logs {
|
|
# proxy_pass http://{{ bridgewithdns.matrix_maubot }}:29316;
|
|
# proxy_http_version 1.1;
|
|
# proxy_set_header Upgrade $http_upgrade;
|
|
# proxy_set_header Connection "Upgrade";
|
|
# proxy_set_header X-Forwarded-For $remote_addr;
|
|
# }
|
|
#
|
|
# location /_matrix/maubot {
|
|
# proxy_pass http://{{ bridgewithdns.matrix_maubot }}:29316;
|
|
# proxy_set_header X-Forwarded-For $remote_addr;
|
|
# }
|
|
# } #}
|