Update configuring-playbook-own-webserver.md with matrix_playbook_reverse_proxy_type awareness

1 year ago · bc4cb7bb6a
parent 73435dfe10
commit bc4cb7bb6a
1 changed files with 26 additions and 63 deletions
--- a/docs/configuring-playbook-own-webserver.md
+++ b/docs/configuring-playbook-own-webserver.md
@ -102,13 +102,7 @@ You can disable such behavior and make the integrated nginx reverse-proxy webser
 You would need some configuration like this:
 ```yaml
-# Do not retrieve SSL certificates. This shall be managed by another webserver or other means.
+matrix_playbook_reverse_proxy_type: other-on-same-host
 matrix_ssl_retrieval_method: none
 # Do not try to serve HTTPS, since we have no SSL certificates.
 # Disabling this also means services will be served on the HTTP port
 # (`matrix_nginx_proxy_container_http_host_bind_port`).
 matrix_nginx_proxy_https_enabled: false
 # Do not listen for HTTP on port 80 globally (default), listen on the loopback interface.
 # If you'd like, you can make it use the local network as well and reverse-proxy from another local machine.
@ -122,15 +116,9 @@ matrix_nginx_proxy_container_http_host_bind_port: '127.0.0.1:81'
 matrix_nginx_proxy_container_federation_host_bind_port: '127.0.0.1:8449'
 # Coturn relies on SSL certificates that have already been obtained.
-# Since we don't obtain any certificates (`matrix_ssl_retrieval_method: none` above), it won't work by default.
+# Since we don't obtain any certificates in this `other-on-same-host` mode, it won't work by default.
 # An alternative is to tweak some of: `matrix_coturn_tls_enabled`, `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path`.
 matrix_coturn_enabled: false
 # Trust the reverse proxy to send the correct `X-Forwarded-Proto` header as it is handling the SSL connection.
 matrix_nginx_proxy_trust_forwarded_proto: true
 # Trust and use the other reverse proxy's `X-Forwarded-For` header.
 matrix_nginx_proxy_x_forwarded_for: '$proxy_add_x_forwarded_for'
 ```
 With this, nginx would still be in use, but it would not bother with anything SSL related or with taking up public ports.
@ -142,63 +130,38 @@ The expected domains vary depending on the services you have enabled (`matrix.DO
 ### Sample configuration for running behind Traefik 2.0
-Below is a sample configuration for using this playbook with a [Traefik](https://traefik.io/) 2.0 reverse proxy.
+To run behind Traefik, you can:
-```yaml
+- use a [Playbook-managed Traefik installation](#playbook-managed-traefik-installation)
-# Disable generation and retrieval of SSL certs
+- or, use [Your own Traefik server (not managed by the playbook)](#your-own-traefik-server-not-managed-by-the-playbook)
 matrix_ssl_retrieval_method: none
-# Configure Nginx to only use plain HTTP
+#### Playbook-managed Traefik installation
 matrix_nginx_proxy_https_enabled: false
-# Don't bind any HTTP or federation port to the host
+The playbook can install and manage Traefik for you using the [com.devture.ansible.role.traefik](https://github.com/devture/com.devture.ansible.role.traefik) role.
 # (Traefik will proxy directly into the containers)
 matrix_nginx_proxy_container_http_host_bind_port: ''
 matrix_nginx_proxy_container_federation_host_bind_port: ''
-# Trust the reverse proxy to send the correct `X-Forwarded-Proto` header as it is handling the SSL connection.
+It's simplest if you go with this method. You will need the following configuration:
 matrix_nginx_proxy_trust_forwarded_proto: true
-# Trust and use the other reverse proxy's `X-Forwarded-For` header.
+```yaml
-matrix_nginx_proxy_x_forwarded_for: '$proxy_add_x_forwarded_for'
+matrix_playbook_reverse_proxy_type: playbook-managed-traefik
-# Disable Coturn because it needs SSL certs
+devture_traefik_ssl_email_address: YOUR_EMAIL_ADDRESS
-# (Clients can, though exposing IP address, use Matrix.org TURN)
+```
-matrix_coturn_enabled: false
+
 #### Your own Traefik server (not managed by the playbook)
-# All containers need to be on the same Docker network as Traefik
+If you'd like to run Traefik yourself, you can use configuration like this:
-# (This network should already exist and Traefik should be using this network)
+
-matrix_docker_network: 'traefik'
+```yaml
-
+matrix_playbook_reverse_proxy_type: other-traefik-container
-matrix_nginx_proxy_container_extra_arguments:
+
-  # May be unnecessary depending on Traefik config, but can't hurt
+matrix_playbook_reverse_proxyable_services_additional_network: your-traefik-network
  - '--label "traefik.enable=true"'
  # The Nginx proxy container will receive traffic from these subdomains
  - '--label "traefik.http.routers.matrix-nginx-proxy.rule=Host(`{{ matrix_server_fqn_matrix }}`,`{{ matrix_server_fqn_element }}`,`{{ matrix_server_fqn_dimension }}`,`{{ matrix_server_fqn_jitsi }}`)"'
  # (The 'web-secure' entrypoint must bind to port 443 in Traefik config)
  - '--label "traefik.http.routers.matrix-nginx-proxy.entrypoints=web-secure"'
  # (The 'default' certificate resolver must be defined in Traefik config)
  - '--label "traefik.http.routers.matrix-nginx-proxy.tls.certResolver=default"'
  # Traefik requires that we declare which service this router is using
  - '--label "traefik.http.routers.matrix-nginx-proxy.service=matrix-nginx-proxy"'
  # The Nginx proxy container uses port 8080 internally
  - '--label "traefik.http.services.matrix-nginx-proxy.loadbalancer.server.port=8080"'
  # Federation
  - '--label "traefik.http.routers.matrix-nginx-proxy-federation.rule=Host(`{{ matrix_server_fqn_matrix }}`)"'
  # (The 'federation' entrypoint must bind to port 8448 in Traefik config)
  - '--label "traefik.http.routers.matrix-nginx-proxy-federation.entrypoints=federation"'
  # (The 'default' certificate resolver must be defined in Traefik config)
  - '--label "traefik.http.routers.matrix-nginx-proxy-federation.tls.certResolver=default"'
  # Traefik requires that we declare which service this router is using
  - '--label "traefik.http.routers.matrix-nginx-proxy-federation.service=matrix-nginx-proxy-federation"'
  # The Nginx proxy container uses port `matrix_nginx_proxy_proxy_matrix_federation_port (8448) internally
  - '--label "traefik.http.services.matrix-nginx-proxy-federation.loadbalancer.server.port={{ matrix_nginx_proxy_proxy_matrix_federation_port }}"'
  - '--label "traefik.http.services.matrix-nginx-proxy-federation.loadbalancer.server.scheme={{ "https" if matrix_nginx_proxy_https_enabled else "http" }}"'
 ```
-This method uses labels attached to the Nginx and Synapse containers to provide the Traefik Docker provider with the information it needs to proxy `matrix.DOMAIN`, `element.DOMAIN`, `dimension.DOMAIN` and `jitsi.DOMAIN`. Some [static configuration](https://docs.traefik.io/v2.0/reference/static-configuration/file/) is required in Traefik; namely, having endpoints on ports 443 and 8448 and having a certificate resolver.
+In this mode all roles will still have Traefik labels attached. You will, however, need to configure your Traefik instance and its entrypoints.
 By default, the playbook congiures services use a `web-secure` (443) and `matrix-federation` (8448) entrypoints, as well as a `default` certificate resolver.
 Below is some configuration for running Traefik yourself (although we recommend using a [playbook-managed Traefik installation](#playbook-managed-traefik-installation)).
 Note that this configuration on its own does **not** redirect traffic on port 80 (plain HTTP) to port 443 for HTTPS, which may cause some issues, since the built-in Nginx proxy usually does this. If you are not already doing this in Traefik, it can be added to Traefik in a [file provider](https://docs.traefik.io/v2.0/providers/file/) as follows:
@ -228,7 +191,7 @@ version: "3.3"
 services:
  traefik:
-    image: "traefik:v2.3"
+    image: "docker.io/traefik:v2.9.6"
    restart: always
    container_name: "traefik"
    networks: