From a4b401c4da53ada67f25dd131144bce880ac5593 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 1 Mar 2023 12:31:46 +0200 Subject: [PATCH] Upgrade com.devture.ansible.role.traefik and improve front-Traefik-with-another-proxy docs Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2532
---
docs/configuring-playbook-own-webserver.md | 19 +++++++++++++++++-- requirements.yml | 2 +- 2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md
index 12c969d25..affb565fb 100644
--- a/docs/configuring-playbook-own-webserver.md
+++ b/docs/configuring-playbook-own-webserver.md
@@ -134,17 +134,32 @@ matrix_playbook_ssl_enabled: true
 # Disable the web-secure (port 443) endpoint, which also disables SSL certificate retrieval
 devture_traefik_config_entrypoint_web_secure_enabled: false
+# If your reverse-proxy runs on another machine, consider using `0.0.0.0:81`, just `81` or `SOME_IP_ADDRESS_OF_THIS_MACHINE:81`
 devture_traefik_container_web_host_bind_port: '127.0.0.1:81'
+# We bind to `127.0.0.1` by default (see above), so trusting `X-Forwarded-*` headers from
+# a reverse-proxy running on the local machine is safe enough.
+devture_traefik_config_entrypoint_web_forwardedHeaders_insecure: true
+
+# Or, if you're publishing the port (`devture_traefik_container_web_host_bind_port` above) to a public network interfaces:
+# - remove the `devture_traefik_config_entrypoint_web_forwardedHeaders_insecure` variable definition above
+# - uncomment and adjust the line below
+# devture_traefik_config_entrypoint_web_forwardedHeaders_trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY']
+
+# Likewise (to `devture_traefik_container_web_host_bind_port` above),
+# if your reverse-proxy runs on another machine, consider changing the `host_bind_port` setting below.
 devture_traefik_additional_entrypoints_auto:
 - name: matrix-federation
 port: 8449
 host_bind_port: '127.0.0.1:8449'
 config: {}
+ # If your reverse-proxy runs on another machine, remove the config above and use this config instead:
+ # config:
+ # forwardedHeaders:
+ # insecure: true
+ # # trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY']
 ```
-If you'll be fronting with a reverse-proxy that lives on another machine (not on the same one as Matrix), you need to replace `127.0.0.1` in the above configurations with `0.0.0.0` or another network interface.
-
 For an example where the playbook's Traefik reverse-proxy is fronted by [Nginx](https://nginx.org/) running on the same server, see [Nginx reverse-proxy fronting the playbook's Traefik](../examples/nginx/README.md).
diff --git a/requirements.yml b/requirements.yml
index fc39323a0..1c3b8e76e 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -49,7 +49,7 @@
 version: v7.0.9-0
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
- version: acc49a8059206743f1921f94891ebc177bf79bd2
+ version: ed9f59753468556b363f90798be23c600d16ef5f
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git
 version: abeecc09f6fd165eff3cef5d6dd7696b9ca4ec27