From cd332d9b4e9c2323cbc0a028eaecf1d1391a85e0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 1 Feb 2019 11:47:43 +0200 Subject: [PATCH] Add TLS v1.3 support to matrix-nginx-proxy This was mentioned in #27 (Github Pull Request), but it's just now that the nginx Docker image actually supports TLS v1.3 and we can enable it. --- CHANGELOG.md | 15 +++++++++++++++ docs/configuring-playbook-own-webserver.md | 6 +++++- roles/matrix-nginx-proxy/defaults/main.yml | 4 +--- 3 files changed, 21 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ed7d655d2..72bd2c53a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,18 @@ +# 2019-02-01 + +## TLS v1.3 support + +Now that the [nginx Docker image](https://hub.docker.com/_/nginx) has [added support for TLS v1.3](https://github.com/nginxinc/docker-nginx/issues/190), we have enabled that protocol by default. + +When using: + +- the **integrated nginx server**: TLS v1.3 support might not kick in immediately, because the nginx version hasn't been bumped and you may have an older build of the nginx Docker image (currently `nginx:1.15.8-alpine`). Typically, we do not re-pull images that you already have. When the nginx version gets bumped in the future, everyone will get the update. Until then, you could manually force-pull the rebuilt Docker image by running this on the server: `docker pull nginx:1.15.8-alpine`. + +- **your own external nginx server**: if your external nginx server is too old, the new configuration we generate for you in `/matrix/nginx-proxy/conf.d/` might not work anymore, because it mentions `TLSv1.3` and your nginx version might not support that. You can adjust the SSL protocol list by overriding the `matrix_nginx_proxy_ssl_protocols` variable. Learn more in the documentation page for [Using your own webserver, instead of this playbook's nginx proxy](docs/configuring-playbook-own-webserver.md) + +- **another web server**: you don't need to do anything to accommodate this change + + # 2019-01-31 ## IRC bridging support diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index a85719baf..9e3391c3e 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -14,11 +14,15 @@ All it takes is: ```yaml matrix_nginx_proxy_enabled: false + +# If you use an external nginx, we'll generate some configuration for you in `/matrix/nginx-proxy/conf.d/`. +# You might need to tweak the protocol list (removing `TLSv1.3`) to suit your nginx version. +matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3" ``` **Note**: even if you do this, in order [to install](installing.md), this playbook still expects port 80 to be available. **Please manually stop your other webserver while installing**. You can start it back again afterwards. -**If your own webserver is nginx**, you can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;` +**If your own webserver is nginx**, you can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;`. Please note that if your nginx version is old, it might not like our default SSL protocols (particularly the fact that `TLSv1.3` is enabled). You can override the protocol list by redefining the `matrix_nginx_proxy_ssl_protocols` variable. **If your own webserver is not nginx**, you can still take a look at the sample files in `/matrix/nginx-proxy/conf.d`, and: diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 94a86adc4..9171470bd 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -57,9 +57,7 @@ matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: [] matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *" # Specifies which SSL protocols to use when serving Riot and Synapse -# Note TLSv1.3 is not yet available in dockerized nginx -# See: https://github.com/nginxinc/docker-nginx/issues/190 -matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2" +matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3" # By default, this playbook automatically retrieves and auto-renews # free SSL certificates from Let's Encrypt.