Document the new variables for ngingx SSL config

The new variables created to the nginx reverse proxy are properly added
to the documentation.
This commit is contained in:
Agustin Ferrario 2020-12-16 10:50:08 +01:00
parent 2082242499
commit ff6db5fd3b
2 changed files with 25 additions and 1 deletions

View File

@ -24,6 +24,29 @@ matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses:
- 1.1.1.1 - 1.1.1.1
``` ```
## Adjusting SSL in your server
You can adjust how the SSL is served by the nginx server by setting the `matrix_nginx_proxy_ssl_config`. This is based on the Mozilla Server Side TLS
Recommended configurations. It changes the TLS Protocol, the SSL Cipher Suites and the `ssl_prefer_server_ciphers` variable of nginx.
The posible values are:
- "Modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility
- "Intermediate" - Recommended configuration for a general-purpose server
- "Old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8
- "Custom" - For defining your own protocols an ciphers
The default is set to `"Intermediate"`.
**Be really carefull when setting it to "Modern"**. This could break the comunication with other matrix servers, limiting your feration posibilities and the
[Federarion tester](https://federationtester.matrix.org/) won't work.
If you set `matrix_nginx_proxy_ssl_config` to `"Custom"`, you will get three variables that you will be able to set:
- `matrix_nginx_proxy_ssl_protocols`: for specifying the supported TLS protocols.
- `matrix_nginx_proxy_ssl_prefer_server_ciphers`: for specifying if the server or the client choice when negociating the chipher. It can set to "on" or "off".
- `matrix_nginx_proxy_ssl_ciphers`: for specifying the SSL Cipher suites used by nginx.
For more information about this variables, check the `roles/matrix-nginx-proxy/defaults/main.yml` file.
## Synapse + OpenID Connect for Single-Sign-On ## Synapse + OpenID Connect for Single-Sign-On

View File

@ -48,10 +48,11 @@ Those configuration files are adapted for use with an external web server (one n
You can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your own `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;` You can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your own `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;`
Note that if your nginx version is old, it might not like our default choice of SSL protocols (particularly the fact that the brand new `TLSv1.3` protocol is enabled). You can override the protocol list by redefining the `matrix_nginx_proxy_ssl_protocols` variable. Example: Note that if your nginx version is old, it might not like our default choice of SSL protocols (particularly the fact that the brand new `TLSv1.3` protocol is enabled). You can override the protocol list by setting `matrix_nginx_proxy_ssl_config` to `"Custom"` redefining the `matrix_nginx_proxy_ssl_protocols` variable. Example:
```yaml ```yaml
# Custom protocol list (removing `TLSv1.3`) to suit your nginx version. # Custom protocol list (removing `TLSv1.3`) to suit your nginx version.
matrix_nginx_proxy_ssl_config: "Custom"
matrix_nginx_proxy_ssl_protocols: "TLSv1.2" matrix_nginx_proxy_ssl_protocols: "TLSv1.2"
``` ```