matrix-docker-ansible-deploy/docs/configuring-playbook-nginx.md

# Configure Nginx (optional, advanced)

By default, this playbook installs its own nginx webserver (in a Docker container) which listens on ports 80 and 443.
If that's alright, you can skip this.


## Using Nginx status

This will serve a statuspage to the hosting machine only. Useful for monitoring software like [longview](https://www.linode.com/docs/platform/longview/longview-app-for-nginx/)

```yaml
matrix_nginx_proxy_proxy_matrix_nginx_status_enabled: true
```

This will serve the status page under the following addresses:
- `http://matrix.DOMAIN/nginx_status` (using HTTP)
- `https://matrix.DOMAIN/nginx_status` (using HTTPS)

By default, if ```matrix_nginx_proxy_nginx_status_enabled``` is enabled, access to the status page would be allowed from the local IP address of the server. If you wish to allow access from other IP addresses, you can provide them as a list:

```yaml
matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses:
- 8.8.8.8
- 1.1.1.1
```

## Adjusting SSL in your server

You can adjust how the SSL is served by the nginx server using the `matrix_nginx_proxy_ssl_preset` variable. We support a few presets, based on the Mozilla Server Side TLS
Recommended configurations. These presets influence the TLS Protocol, the SSL Cipher Suites and the `ssl_prefer_server_ciphers` variable of nginx.
Possible values are:

- `"modern"` - For Modern clients that support TLS 1.3, with no need for backwards compatibility
- `"intermediate"` (**default**) - Recommended configuration for a general-purpose server
- `"old"` - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8

**Be really carefull when setting it to `"modern"`**. This could break comunication with other Matrix servers, limiting your federation posibilities.

Besides changing the preset (`matrix_nginx_proxy_ssl_preset`), you can also directly override these 3 variables:

- `matrix_nginx_proxy_ssl_protocols`: for specifying the supported TLS protocols.
- `matrix_nginx_proxy_ssl_prefer_server_ciphers`: for specifying if the server or the client choice when negotiating the cipher. It can set to `on` or `off`.
- `matrix_nginx_proxy_ssl_ciphers`: for specifying the SSL Cipher suites used by nginx.

For more information about these variables, check the `roles/custom/matrix-nginx-proxy/defaults/main.yml` file.

## Synapse + OpenID Connect for Single-Sign-On

If you want to use OpenID Connect as an SSO provider (as per the [Synapse OpenID docs](https://github.com/matrix-org/synapse/blob/develop/docs/openid.md)), you need to use the following configuration (in your `vars.yml` file) to instruct nginx to forward `/_synapse/oidc` to Synapse:

```yaml
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled: true
```

## Disable Nginx access logs

This will disable the access logging for nginx.

```yaml
matrix_nginx_proxy_access_log_enabled: false
```

## Additional configuration

This playbook also allows for additional configuration to be applied to the nginx server.

If you want this playbook to obtain and renew certificates for other domains, then you can set the `matrix_ssl_additional_domains_to_obtain_certificates_for` variable (as mentioned in the [Obtaining SSL certificates for additional domains](configuring-playbook-ssl-certificates.md#obtaining-ssl-certificates-for-additional-domains) documentation as well). Make sure that you have set the DNS configuration for the domains you want to include to point at your server.

```yaml
matrix_ssl_additional_domains_to_obtain_certificates_for:
  - domain.one.example
  - domain.two.example
```

You can include additional nginx configuration by setting the `matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks` variable.

```yaml
matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks:
  - |
    # These lines will be included in the nginx configuration.
    # This is at the top level of the file, so you will need to define all of the `server { ... }` blocks.
  - |
    # For advanced use, have a look at the template files in `roles/custom/matrix-nginx-proxy/templates/nginx/conf.d`
```
Fix spelling ngnix -> nginx 2019-10-04 08:07:37 +00:00			`# Configure Nginx (optional, advanced)`
add ngnix-status to config add doc 2019-04-17 11:42:09 +00:00
			`By default, this playbook installs its own nginx webserver (in a Docker container) which listens on ports 80 and 443.`
			`If that's alright, you can skip this.`


Fix spelling ngnix -> nginx 2019-10-04 08:07:37 +00:00			`## Using Nginx status`
add ngnix-status to config add doc 2019-04-17 11:42:09 +00:00
			`This will serve a statuspage to the hosting machine only. Useful for monitoring software like [longview](https://www.linode.com/docs/platform/longview/longview-app-for-nginx/)`

			```yaml
serve status page for matrix.DOMAIN only 2019-08-07 08:54:14 +00:00			`matrix_nginx_proxy_proxy_matrix_nginx_status_enabled: true`
add ngnix-status to config add doc 2019-04-17 11:42:09 +00:00			```
add suggested change; correct indent 2019-04-23 07:44:02 +00:00
Serve nginx status page over HTTPS as well Continuation of #234 (Github Pull Request). I had unintentionally updated the documentation for the feature, saying the page is available at `https://matrix.DOMAIN/nginx_status`. Looks like it wasn't the case, going against my expectations. I'm correcting this with this patch. The status page is being made available on both HTTP and HTTPS. Serving over HTTP is likely necessary for services like Longview (https://www.linode.com/docs/platform/longview/longview-app-for-nginx/) 2019-08-07 09:53:53 +00:00			`This will serve the status page under the following addresses:`
			- `http://matrix.DOMAIN/nginx_status` (using HTTP)
			- `https://matrix.DOMAIN/nginx_status` (using HTTPS)
serve status page for matrix.DOMAIN only 2019-08-07 08:54:14 +00:00
Update configuring-playbook-ngnix.md 2019-08-07 09:35:48 +00:00			By default, if ```matrix_nginx_proxy_nginx_status_enabled``` is enabled, access to the status page would be allowed from the local IP address of the server. If you wish to allow access from other IP addresses, you can provide them as a list:
add suggested change; correct indent 2019-04-23 07:44:02 +00:00
			```yaml
serve status page for matrix.DOMAIN only 2019-08-07 08:54:14 +00:00			`matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses:`
add suggested change; correct indent 2019-04-23 07:44:02 +00:00			`- 8.8.8.8`
			`- 1.1.1.1`
			```
Add support for reverse-proxying /_synapse/oidc This broke in 63a49bb2dc7780e023b28. Proxying the OpenID Connect endpoints is now possible, but needs to be enabled explicitly now. Supersedes #702 (Github Pull Request). This patch builds up on the idea from that Pull Request, but does things in a cleaner way. 2020-11-02 09:10:03 +00:00
Document the new variables for ngingx SSL config The new variables created to the nginx reverse proxy are properly added to the documentation. 2020-12-16 09:50:08 +00:00			`## Adjusting SSL in your server`

Fix typos and improve wording 2021-01-08 19:13:01 +00:00			You can adjust how the SSL is served by the nginx server using the `matrix_nginx_proxy_ssl_preset` variable. We support a few presets, based on the Mozilla Server Side TLS
			Recommended configurations. These presets influence the TLS Protocol, the SSL Cipher Suites and the `ssl_prefer_server_ciphers` variable of nginx.
			`Possible values are:`
Document the new variables for ngingx SSL config The new variables created to the nginx reverse proxy are properly added to the documentation. 2020-12-16 09:50:08 +00:00
Fix typos and improve wording 2021-01-08 19:13:01 +00:00			- `"modern"` - For Modern clients that support TLS 1.3, with no need for backwards compatibility
			- `"intermediate"` (default) - Recommended configuration for a general-purpose server
			- `"old"` - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8
Document the new variables for ngingx SSL config The new variables created to the nginx reverse proxy are properly added to the documentation. 2020-12-16 09:50:08 +00:00
Remove note about federation tester not working with TLS 1.3 2021-02-03 15:50:58 +00:00			Be really carefull when setting it to `"modern"`. This could break comunication with other Matrix servers, limiting your federation posibilities.
Document the new variables for ngingx SSL config The new variables created to the nginx reverse proxy are properly added to the documentation. 2020-12-16 09:50:08 +00:00
Fix typos and improve wording 2021-01-08 19:13:01 +00:00			Besides changing the preset (`matrix_nginx_proxy_ssl_preset`), you can also directly override these 3 variables:
Document the new variables for ngingx SSL config The new variables created to the nginx reverse proxy are properly added to the documentation. 2020-12-16 09:50:08 +00:00
			- `matrix_nginx_proxy_ssl_protocols`: for specifying the supported TLS protocols.
Fix typos and improve wording 2021-01-08 19:13:01 +00:00			- `matrix_nginx_proxy_ssl_prefer_server_ciphers`: for specifying if the server or the client choice when negotiating the cipher. It can set to `on` or `off`.
Document the new variables for ngingx SSL config The new variables created to the nginx reverse proxy are properly added to the documentation. 2020-12-16 09:50:08 +00:00			- `matrix_nginx_proxy_ssl_ciphers`: for specifying the SSL Cipher suites used by nginx.

Move roles/matrix* to roles/custom/matrix* This paves the way for installing other roles into `roles/galaxy` using `ansible-galaxy`, similar to how it's done in: - https://github.com/spantaleev/gitea-docker-ansible-deploy - https://github.com/spantaleev/nextcloud-docker-ansible-deploy In the near future, we'll be removing a lot of the shared role code from here and using upstream roles for it. Some of the core `matrix-*` roles have already been extracted out into other reusable roles: - https://github.com/devture/com.devture.ansible.role.postgres - https://github.com/devture/com.devture.ansible.role.systemd_docker_base - https://github.com/devture/com.devture.ansible.role.timesync - https://github.com/devture/com.devture.ansible.role.vars_preserver - https://github.com/devture/com.devture.ansible.role.playbook_runtime_messages - https://github.com/devture/com.devture.ansible.role.playbook_help We just need to migrate to those. 2022-11-03 07:11:29 +00:00			For more information about these variables, check the `roles/custom/matrix-nginx-proxy/defaults/main.yml` file.
Add support for reverse-proxying /_synapse/oidc This broke in 63a49bb2dc7780e023b28. Proxying the OpenID Connect endpoints is now possible, but needs to be enabled explicitly now. Supersedes #702 (Github Pull Request). This patch builds up on the idea from that Pull Request, but does things in a cleaner way. 2020-11-02 09:10:03 +00:00
			`## Synapse + OpenID Connect for Single-Sign-On`

			If you want to use OpenID Connect as an SSO provider (as per the [Synapse OpenID docs](https://github.com/matrix-org/synapse/blob/develop/docs/openid.md)), you need to use the following configuration (in your `vars.yml` file) to instruct nginx to forward `/_synapse/oidc` to Synapse:

			```yaml
			`matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled: true`
			```
add option to disable nginx access log 2020-12-20 16:30:28 +00:00
			`## Disable Nginx access logs`

			`This will disable the access logging for nginx.`

			```yaml
			`matrix_nginx_proxy_access_log_enabled: false`
			```
Add documentation for new variable 2021-02-06 07:31:24 +00:00
			`## Additional configuration`

Add more documentation 2021-02-07 03:09:20 +00:00			`This playbook also allows for additional configuration to be applied to the nginx server.`
Add documentation for new variable 2021-02-06 07:31:24 +00:00
Touch up documentation a bit 2021-02-14 09:05:05 +00:00			If you want this playbook to obtain and renew certificates for other domains, then you can set the `matrix_ssl_additional_domains_to_obtain_certificates_for` variable (as mentioned in the [Obtaining SSL certificates for additional domains](configuring-playbook-ssl-certificates.md#obtaining-ssl-certificates-for-additional-domains) documentation as well). Make sure that you have set the DNS configuration for the domains you want to include to point at your server.
Add documentation for new variable 2021-02-06 07:31:24 +00:00
			```yaml
			`matrix_ssl_additional_domains_to_obtain_certificates_for:`
			`- domain.one.example`
			`- domain.two.example`
			```
Add more documentation 2021-02-07 03:09:20 +00:00
Touch up documentation a bit 2021-02-14 09:05:05 +00:00			You can include additional nginx configuration by setting the `matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks` variable.
Add more documentation 2021-02-07 03:09:20 +00:00
			```yaml
			`matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks:`
			`- \|`
			`# These lines will be included in the nginx configuration.`
			# This is at the top level of the file, so you will need to define all of the `server { ... }` blocks.
			`- \|`
Move roles/matrix* to roles/custom/matrix* This paves the way for installing other roles into `roles/galaxy` using `ansible-galaxy`, similar to how it's done in: - https://github.com/spantaleev/gitea-docker-ansible-deploy - https://github.com/spantaleev/nextcloud-docker-ansible-deploy In the near future, we'll be removing a lot of the shared role code from here and using upstream roles for it. Some of the core `matrix-*` roles have already been extracted out into other reusable roles: - https://github.com/devture/com.devture.ansible.role.postgres - https://github.com/devture/com.devture.ansible.role.systemd_docker_base - https://github.com/devture/com.devture.ansible.role.timesync - https://github.com/devture/com.devture.ansible.role.vars_preserver - https://github.com/devture/com.devture.ansible.role.playbook_runtime_messages - https://github.com/devture/com.devture.ansible.role.playbook_help We just need to migrate to those. 2022-11-03 07:11:29 +00:00			# For advanced use, have a look at the template files in `roles/custom/matrix-nginx-proxy/templates/nginx/conf.d`
Add more documentation 2021-02-07 03:09:20 +00:00			```