2082242499
A new variable called `matrix_nginx_proxy_ssl_config` is created for configuring how the nginx proxy configures SSL. Also a new configuration validation option and other auxiliary variables are created. A new variable configuration called `matrix_nginx_proxy_ssl_config` is created. This allow to set the SSL configuration easily using the default options proposed by Mozilla. The default configuration is set to "Intermediate", removing the weak ciphers used in the old configurations. The new variable can also be set to "Custom" for a more granular control. This allows to set another three variables called: - `matrix_nginx_proxy_ssl_protocols`, - `matrix_nginx_proxy_ssl_prefer_server_ciphers` - `matrix_nginx_proxy_ssl_ciphers` Also a new task is added to validate the SSL configuration variable.
312 lines
18 KiB
YAML
312 lines
18 KiB
YAML
matrix_nginx_proxy_enabled: true
|
||
|
||
# We use an official nginx image, which we fix-up to run unprivileged.
|
||
# An alternative would be an `nginxinc/nginx-unprivileged` image, but
|
||
# that is frequently out of date.
|
||
matrix_nginx_proxy_docker_image: "docker.io/nginx:1.19.5-alpine"
|
||
matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}"
|
||
|
||
matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy"
|
||
matrix_nginx_proxy_data_path: "{{ matrix_nginx_proxy_base_path }}/data"
|
||
matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_base_path }}/conf.d"
|
||
|
||
# List of systemd services that matrix-nginx-proxy.service depends on
|
||
matrix_nginx_proxy_systemd_required_services_list: ['docker.service']
|
||
|
||
# List of systemd services that matrix-nginx-proxy.service wants
|
||
matrix_nginx_proxy_systemd_wanted_services_list: []
|
||
|
||
# A list of additional "volumes" to mount in the container.
|
||
# This list gets populated dynamically at runtime. You can provide a different default value,
|
||
# if you wish to mount your own files into the container.
|
||
# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}
|
||
matrix_nginx_proxy_container_additional_volumes: []
|
||
|
||
# A list of extra arguments to pass to the container
|
||
matrix_nginx_proxy_container_extra_arguments: []
|
||
|
||
# Controls whether matrix-nginx-proxy serves its vhosts over HTTPS or HTTP.
|
||
#
|
||
# If enabled:
|
||
# - SSL certificates would be expected to be available (see `matrix_ssl_retrieval_method`)
|
||
# - the HTTP vhost would be made a redirect to the HTTPS vhost
|
||
#
|
||
# If not enabled:
|
||
# - you don't need any SSL certificates (you can set `matrix_ssl_retrieval_method: none`)
|
||
# - naturally, there's no HTTPS vhost
|
||
# - services are served directly from the HTTP vhost
|
||
matrix_nginx_proxy_https_enabled: true
|
||
|
||
# Controls whether the matrix-nginx-proxy container exposes its HTTP port (tcp/8080 in the container).
|
||
#
|
||
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:80"), or empty string to not expose.
|
||
matrix_nginx_proxy_container_http_host_bind_port: '80'
|
||
|
||
# Controls whether the matrix-nginx-proxy container exposes its HTTPS port (tcp/8443 in the container).
|
||
#
|
||
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:443"), or empty string to not expose.
|
||
#
|
||
# This only makes sense and applies if `matrix_nginx_proxy_https_enabled` is set to `true`.
|
||
# Otherwise, there are no HTTPS vhosts to expose.
|
||
matrix_nginx_proxy_container_https_host_bind_port: '443'
|
||
|
||
# Controls whether the matrix-nginx-proxy container exposes the Matrix Federation port (tcp/8448 in the container).
|
||
#
|
||
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8448"), or empty string to not expose.
|
||
#
|
||
# This only makes sense and applies if `matrix_nginx_proxy_proxy_matrix_federation_api_enabled` is set to `true`.
|
||
# Otherwise, there is no Matrix Federation port to expose.
|
||
#
|
||
# This port can take HTTP or HTTPS traffic, depending on `matrix_nginx_proxy_https_enabled`.
|
||
# When HTTPS is disabled, you'd likely want to only expose the port locally, and front it with another HTTPS-enabled reverse-proxy.
|
||
matrix_nginx_proxy_container_federation_host_bind_port: '8448'
|
||
|
||
# Controls whether matrix-nginx-proxy should serve the base domain.
|
||
#
|
||
# This is useful for when you only have your Matrix server, but you need to serve
|
||
# to serve `/.well-known/matrix/*` files from the base domain for the needs of
|
||
# Server-Discovery (Federation) and for Client-Discovery.
|
||
#
|
||
# Besides serving these Matrix files, a homepage would be served with content
|
||
# as specified in the `matrix_nginx_proxy_base_domain_homepage_template` variable.
|
||
# You can also put additional files to use for this webpage
|
||
# in the `{{ matrix_nginx_proxy_data_path }}/matrix-domain` (`/matrix/nginx-proxy/data/matrix-domain`) directory.
|
||
matrix_nginx_proxy_base_domain_serving_enabled: false
|
||
|
||
matrix_nginx_proxy_base_domain_hostname: "{{ matrix_domain }}"
|
||
|
||
# Controls whether `matrix_nginx_proxy_base_domain_homepage_template` would be dumped to an `index.html` file
|
||
# in the `/matrix/nginx-proxy/data/matrix-domain` directory.
|
||
#
|
||
# If you would instead like to serve a static website by yourself, you can disable this.
|
||
# When disabled, you're expected to put website files in `/matrix/nginx-proxy/data/matrix-domain` manually
|
||
# and can expect that the playbook won't intefere with the `index.html` file.
|
||
matrix_nginx_proxy_base_domain_homepage_enabled: true
|
||
|
||
matrix_nginx_proxy_base_domain_homepage_template: |-
|
||
<!doctype html>
|
||
<meta charset="utf-8" />
|
||
<html>
|
||
<body>
|
||
Hello from {{ matrix_domain }}!
|
||
</body>
|
||
</html>
|
||
|
||
|
||
# Controls whether proxying the riot domain should be done.
|
||
matrix_nginx_proxy_proxy_riot_compat_redirect_enabled: false
|
||
matrix_nginx_proxy_proxy_riot_compat_redirect_hostname: "riot.{{ matrix_domain }}"
|
||
|
||
# Controls whether proxying the Element domain should be done.
|
||
matrix_nginx_proxy_proxy_element_enabled: false
|
||
matrix_nginx_proxy_proxy_element_hostname: "{{ matrix_server_fqn_element }}"
|
||
|
||
# Controls whether proxying the matrix domain should be done.
|
||
matrix_nginx_proxy_proxy_matrix_enabled: false
|
||
matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}"
|
||
|
||
# Controls whether proxying the dimension domain should be done.
|
||
matrix_nginx_proxy_proxy_dimension_enabled: false
|
||
matrix_nginx_proxy_proxy_dimension_hostname: "{{ matrix_server_fqn_dimension }}"
|
||
|
||
# Controls whether proxying the jitsi domain should be done.
|
||
matrix_nginx_proxy_proxy_jitsi_enabled: false
|
||
matrix_nginx_proxy_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}"
|
||
|
||
# Controls whether proxying for the matrix-corporal API (`/_matrix/corporal`) should be done (on the matrix domain)
|
||
matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false
|
||
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
|
||
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081"
|
||
|
||
# Controls whether proxying for the User Directory Search API (`/_matrix/client/r0/user_directory/search`) should be done (on the matrix domain).
|
||
# This can be used to forward the API endpoint to another service, augmenting the functionality of Synapse's own User Directory Search.
|
||
# To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/directory.md
|
||
matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false
|
||
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-ma1sd:8090"
|
||
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "127.0.0.1:8090"
|
||
|
||
# Controls whether proxying for 3PID-based registration (`/_matrix/client/r0/register/(email|msisdn)/requestToken`) should be done (on the matrix domain).
|
||
# This allows another service to control registrations involving 3PIDs.
|
||
# To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md
|
||
matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled: false
|
||
matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container: "matrix-ma1sd:8090"
|
||
matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container: "127.0.0.1:8090"
|
||
|
||
# Controls whether proxying for the Identity API (`/_matrix/identity`) should be done (on the matrix domain)
|
||
matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false
|
||
matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:8090"
|
||
matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:8090"
|
||
|
||
# Controls whether proxying for metrics (`/_synapse/metrics`) should be done (on the matrix domain)
|
||
matrix_nginx_proxy_proxy_synapse_metrics: false
|
||
matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled: false
|
||
matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: ""
|
||
|
||
# The addresses where the Matrix Client API is.
|
||
# Certain extensions (like matrix-corporal) may override this in order to capture all traffic.
|
||
matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-synapse:8008"
|
||
matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:8008"
|
||
# This needs to be equal or higher than the maximum upload size accepted by Synapse.
|
||
matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 50
|
||
|
||
|
||
# Tells whether `/_synapse/client` is forwarded to the Matrix Client API server.
|
||
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled: true
|
||
|
||
# Tells whether `/_synapse/oidc` is forwarded to the Matrix Client API server.
|
||
# Enable this if you need OpenID Connect authentication support.
|
||
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled: false
|
||
|
||
# Tells whether `/_synapse/admin` is forwarded to the Matrix Client API server.
|
||
# Following these recommendations (https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md), by default, we don't.
|
||
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: false
|
||
|
||
# `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefixes` holds
|
||
# the location prefixes that get forwarded to the Matrix Client API server.
|
||
# These locations get combined into a regex like this `^(/_matrix|/_synapse/client)`.
|
||
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes: |
|
||
{{
|
||
(['/_matrix'])
|
||
+
|
||
(['/_synapse/client'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled else [])
|
||
+
|
||
(['/_synapse/oidc'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled else [])
|
||
+
|
||
(['/_synapse/admin'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled else [])
|
||
}}
|
||
|
||
# Specifies where requests for the root URI (`/`) on the `matrix.` domain should be redirected.
|
||
# If this has an empty value, they're just passed to the homeserver, which serves a static page.
|
||
# If you'd like to make `https://matrix.DOMAIN` redirect to `https://element.DOMAIN` (or something of that sort), specify the domain name here.
|
||
# Example value: `element.DOMAIN` (or `{{ matrix_server_fqn_element }}`).
|
||
matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: ""
|
||
|
||
# Controls whether proxying for the Matrix Federation API should be done.
|
||
matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false
|
||
matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-synapse:8048"
|
||
matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "localhost:8048"
|
||
matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb | int) * 3 }}"
|
||
matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem"
|
||
matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem"
|
||
|
||
# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
|
||
matrix_nginx_proxy_tmp_directory_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb | int) * 50 }}"
|
||
|
||
# A list of strings containing additional configuration blocks to add to the nginx http's server configuration.
|
||
matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks: []
|
||
|
||
# A list of strings containing additional configuration blocks to add to the matrix synapse's server configuration.
|
||
matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: []
|
||
|
||
# A list of strings containing additional configuration blocks to add to Riot's server configuration.
|
||
matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks: []
|
||
|
||
# A list of strings containing additional configuration blocks to add to Element's server configuration.
|
||
matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks: []
|
||
|
||
# A list of strings containing additional configuration blocks to add to Dimension's server configuration.
|
||
matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: []
|
||
|
||
# A list of strings containing additional configuration blocks to add to Jitsi's server configuration.
|
||
matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks: []
|
||
|
||
# A list of strings containing additional configuration blocks to add to the base domain server configuration.
|
||
matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: []
|
||
|
||
# Specifies when to reload the matrix-nginx-proxy service so that
|
||
# a new SSL certificate could go into effect.
|
||
matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *"
|
||
|
||
# Specifies the SSL configuration that should be used for the SSL protocols and ciphers
|
||
# This is based on the Mozilla Server Side TLS Recommended configurations.
|
||
#
|
||
# The posible values are:
|
||
# - "Modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility
|
||
# - "Intermediate" - Recommended configuration for a general-purpose server
|
||
# - "Old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8
|
||
# - "Custom" - For defining your own protocols an ciphers
|
||
#
|
||
# For more information visit:
|
||
# - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
|
||
# - https://ssl-config.mozilla.org/#server=nginx
|
||
matrix_nginx_proxy_ssl_config: "Intermediate"
|
||
|
||
# Specifies which *SSL protocols* to use when serving all the various vhosts.
|
||
# This option is ignored except you specify "Custom" in "matrix_nginx_proxy_ssl_config"
|
||
matrix_nginx_proxy_ssl_protocols: "TLSv1.2 TLSv1.3"
|
||
|
||
# Specifies whether to prefer *the client’s choice or the server’s choice* when
|
||
# negociating the chipher to serve all the various vhost
|
||
# This option is ignored except you specify "Custom" in "matrix_nginx_proxy_ssl_config"
|
||
matrix_nginx_proxy_ssl_prefer_server_ciphers: "on"
|
||
|
||
# Specifies which *SSL Cipher suites* to use when serving all the various vhosts.
|
||
# This option is ignored except you specify "Custom" in "matrix_nginx_proxy_ssl_config"
|
||
# To see the full list for suportes ciphers run `openssl ciphers` on your server
|
||
# Remember to use '' and "" if you are specified a list of ciphers
|
||
matrix_nginx_proxy_ssl_ciphers: '"EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"'
|
||
|
||
# Controls whether the self-check feature should validate SSL certificates.
|
||
matrix_nginx_proxy_self_check_validate_certificates: true
|
||
|
||
# Controls whether redirects will be followed when checking the `/.well-known/matrix/client` resource.
|
||
#
|
||
# As per the spec (https://matrix.org/docs/spec/client_server/r0.6.0#well-known-uri), it shouldn't be,
|
||
# so we default to not following redirects as well.
|
||
matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects: none
|
||
|
||
# By default, this playbook automatically retrieves and auto-renews
|
||
# free SSL certificates from Let's Encrypt.
|
||
#
|
||
# The following retrieval methods are supported:
|
||
# - "lets-encrypt" - the playbook obtains free SSL certificates from Let's Encrypt
|
||
# - "self-signed" - the playbook generates and self-signs certificates
|
||
# - "manually-managed" - lets you manage certificates by yourself (manually; see below)
|
||
# - "none" - like "manually-managed", but doesn't care if you don't drop certificates in the location it expects
|
||
#
|
||
# If you decide to manage certificates by yourself (`matrix_ssl_retrieval_method: manually-managed`),
|
||
# you'd need to drop them into the directory specified by `matrix_ssl_config_dir_path`
|
||
# obeying the following hierarchy:
|
||
# - <matrix_ssl_config_dir_path>/live/<domain>/fullchain.pem
|
||
# - <matrix_ssl_config_dir_path>/live/<domain>/privkey.pem
|
||
# where <domain> refers to the domains that you need (usually `matrix_server_fqn_matrix` and `matrix_server_fqn_element`).
|
||
#
|
||
# The "none" type (`matrix_ssl_retrieval_method: none`), simply means that no certificate retrieval will happen.
|
||
# It's useful for when you've disabled the nginx proxy (`matrix_nginx_proxy_enabled: false`)
|
||
# and you'll be using another reverse-proxy server (like Apache) with your own certificates, managed by yourself.
|
||
# It's also useful if you're using `matrix_nginx_proxy_https_enabled: false` to make this nginx proxy serve
|
||
# plain HTTP traffic only (usually, on the loopback interface only) and you'd be terminating SSL using another reverse-proxy.
|
||
matrix_ssl_retrieval_method: "lets-encrypt"
|
||
|
||
matrix_ssl_architecture: "amd64"
|
||
|
||
# The list of domains that this role will obtain certificates for.
|
||
matrix_ssl_domains_to_obtain_certificates_for: []
|
||
|
||
# Controls whether to obtain production or staging certificates from Let's Encrypt.
|
||
matrix_ssl_lets_encrypt_staging: false
|
||
matrix_ssl_lets_encrypt_certbot_docker_image: "docker.io/certbot/certbot:{{ matrix_ssl_architecture }}-v1.10.1"
|
||
matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}"
|
||
matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402
|
||
matrix_ssl_lets_encrypt_support_email: ~
|
||
|
||
# Tells which interface and port the Let's Encrypt (certbot) container should try to bind to
|
||
# when it tries to obtain initial certificates in standalone mode.
|
||
#
|
||
# This should normally be a public interface and port.
|
||
# If you'd like to not bind on all IP addresses, specify one explicitly (e.g. `a.b.c.d:80`)
|
||
matrix_ssl_lets_encrypt_container_standalone_http_host_bind_port: '80'
|
||
|
||
matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl"
|
||
matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config"
|
||
matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log"
|
||
|
||
# If you'd like to start some service before a certificate is obtained, specify it here.
|
||
# This could be something like `matrix-dynamic-dns`, etc.
|
||
matrix_ssl_pre_obtaining_required_service_name: ~
|
||
matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60
|
||
|
||
# nginx status page configurations.
|
||
matrix_nginx_proxy_proxy_matrix_nginx_status_enabled: false
|
||
matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: ['{{ ansible_default_ipv4.address }}']
|