cqrenet/matrix-docker-ansible-deploy
3
0
Fork 0
mirror of https://github.com/spantaleev/matrix-docker-ansible-deploy.git synced 2025-10-25 17:43:23 +00:00
Code Issues Wiki Activity
3,040 Commits 6 Branches 0 Tags
2e30802b87428b4da7afe282a202efa9c0af7691
Commit Graph

120 Commits

Author SHA1 Message Date
Michael Collins
2e30802b87 use group variables instead 2021-08-11 15:21:09 +08:00
Michael Collins
8238d65e5f simplify template conditional 2021-08-11 14:19:19 +08:00
Michael Collins
bfb61e776e GMH v0.5.7... maybe! 2021-08-10 12:58:10 +08:00
Slavi Pantaleev
4105ba854b Merge pull request #1147 from datenkollektiv-net/allow-custom-federation-fqn 
Make federation domain customizable
 2021-07-20 09:12:16 +03:00
JokerGermany
9345d840be root path for the base domain is wrong (#1189) 
* root path for the base domain

* Fix path when running in a container

Co-authored-by: Slavi Pantaleev <slavi@devture.com>
 2021-07-20 08:48:11 +03:00
Slavi Pantaleev
6294e58304 Fix Content-Security-Policy for Element 
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1154

According to
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy,
having both a header and the `<meta>`-tag provided by Element itself is
not a problem. The 2 CSP policies get combined.
 2021-07-01 12:41:05 +03:00
oxmie
5df4d68829 Make federation domain customizable 2021-06-30 23:02:27 +02:00
sakkiii
0217644b48 Content-Security-Policy For Element Web 
https://github.com/vector-im/element-web#configuration-best-practices
 2021-06-18 23:27:23 +05:30
Slavi Pantaleev
4880dcceb0 Fix OCSP-stapling-related errors due to missing resolver 
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1057
 2021-05-28 11:14:33 +03:00
Slavi Pantaleev
1ed0857019 Fix syntax error 
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1024
 2021-05-25 11:45:17 +03:00
sakkiii
4a4a7f136e changes added to hydrogen client 2021-05-25 11:42:51 +05:30
sakkiii
25e67b51d1 Merge branch 'spantaleev:master' into master 2021-05-25 11:40:56 +05:30
sakkiii
3436f9c10a rename to matrix_nginx_proxy_hsts_preload_enabled 2021-05-25 00:56:59 +05:30
sakkiii
df2d91970d matrix_nginx_proxy_xss_protection 2021-05-24 17:02:47 +05:30
Slavi Pantaleev
6f80292745 Add OCSP stapling support and other SSL optimizations to Hydrogen vhost 
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1061
and https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1057
 2021-05-21 13:40:37 +03:00
Aaron Raimist
04548f8df2 Merge branch 'master' into hydrogen 2021-05-21 04:09:18 -05:00
Aaron Raimist
9437f78c9e Build using custom config.json, add CSP, update to 0.1.53 2021-05-21 03:45:21 -05:00
sakkiii
e9b878b9e9 Optimize SSL session 2021-05-18 19:39:43 +05:30
Slavi Pantaleev
e6afa05f7b Enable OCSP stapling for the federation port 
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1057

Not sure if this is beneficial though.
 2021-05-18 08:15:42 +03:00
Slavi Pantaleev
57a6a98a50 Fix incorrect SSL certificate path 
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1057
 2021-05-18 07:58:47 +03:00
Slavi Pantaleev
b9c4e8ce16 Merge pull request #1057 from sakkiii/ssl_staple 
Enable OCSP Stapling
 2021-05-18 07:50:35 +03:00
sakkiii
d31b55b2a7 SSL-enabled block only 2021-05-18 03:24:06 +05:30
Slavi Pantaleev
e4dd933cf0 Make missing /_synapse/admin correctly return 404 responses 
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1058

We may try to capture such calls and return a friendlier response (HTML
or JSON) saying "The Synapse Admin API is not enabled", but that may not
be desirable.

For now, we stick to what "upstream" recommends: "simply
don't proxy these APIs", which should lead to the same kind of 404 that
we have now.
See here: 6660912226/docs/reverse_proxy.md (synapse-administration-endpoints)
 2021-05-17 11:45:35 +03:00
sakkiii
c05021640d Enable OCSP Stapling 2021-05-15 15:57:05 +05:30
Aaron Raimist
ca361af616 Add Hydrogen 2021-05-15 04:23:36 -05:00
sakkiii
29cf6a0087 Merge branch 'spantaleev:master' into master 2021-05-10 15:10:18 +05:30
sakkiii
bb0810302d Merge branch 'spantaleev:master' into master 2021-05-07 23:03:55 +05:30
Béla Becker
b10655ebb1 Jitsi XMPP Websocket support 
Jitsi-meet enabled websockets by default, claiming better reliability.
Matrix-nginx-proxy configuration has been set up according to the
Prosody documentation: https://prosody.im/doc/websocket
 2021-05-05 19:10:58 +02:00
sakkiii
40fe6bd5c1 variable matrix_nginx_proxy_hsts_preload_enable added 2021-04-24 20:04:20 +05:30
Slavi Pantaleev
389dc26615 Fix Synapse generic worker balancing 
Potentially fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1022
 2021-04-24 11:52:45 +03:00
sakkiii
5b4fdf9b87 Merge branch 'master' of https://github.com/sakkiii/matrix-docker-ansible-deploy 2021-04-24 12:15:34 +05:30
sakkiii
0ccf0fbf1c HSTS preload + X-XSS enables 
**HSTS Preloading:**
In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and indicates a willingness to be “preloaded” into browsers:
`Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`

**X-Xss-Protection:**
`1; mode=block` which tells the browser to block the response if it detects an attack rather than sanitising the script.
 2021-04-24 12:12:34 +05:30
sakkiii
3564635f0f Merge branch 'master' into master 2021-04-24 11:46:52 +05:30
sakkiii
29bba5161b Element More security headers 
More Production ready nginx headers for Matrix client element.
 2021-04-24 11:10:40 +05:30
Slavi Pantaleev
e00ef04b57 Add opt-out-of-FLoC headers by default 2021-04-21 13:58:24 +03:00
Slavi Pantaleev
4a1739f604 Merge pull request #1007 from teutat3s/fix/nginx-dont-send-version 
Don't expose nginx version with each response
 2021-04-18 21:33:11 +03:00
teutat3s
2bf7c26cfa Don't expose nginx version with each response 2021-04-18 16:24:13 +02:00
sakkiii
1958d0792d Update matrix-client-element.conf.j2 2021-04-17 21:33:07 +05:30
sakkiii
b6d45c5fd8 Merge branch 'master' of https://github.com/sakkiii/matrix-docker-ansible-deploy 2021-04-17 21:03:26 +05:30
sakkiii
05042f5ff1 Improve security grafana 
- duplicate X-Content-Type-Options
- X-Frame-Options header
- Referrer-Policy [Might consider adding variable]
- Secure flag with cookies
- matrix_grafana_content_security_policy variable for [Content Security Policy](https://grafana.com/docs/grafana/latest/administration/configuration/#content_security_policy)
 2021-04-17 21:03:05 +05:30
sakkiii
5dc642ace1 Nginx element web: XSS protection & nosniff header 
X-XSS-Protection: 1; mode=block; header, for basic XSS protection in legacy browsers.
X-Content-Type-Options: nosniff header, to disable MIME sniffing
 2021-04-16 14:45:04 +05:30
Christoph Johannes Kleine
fcd66b2889 rename variables 2021-03-30 16:41:32 +02:00
Christoph Johannes Kleine
3a772f2f65 matrix-nginx-proxy: add custom nginx options to nginx.conf.j2 2021-03-30 14:11:20 +02:00
Slavi Pantaleev
9a0222fa47 Add Sygnal support 
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/683
 2021-03-20 13:32:22 +02:00
Aaron Raimist
32b3650c12 Set X-Forwarded-Proto on federation requests 2021-03-17 18:51:10 -05:00
Yannick Goossens
51e2547484 Added support for the Go-NEB bot 2021-03-11 19:23:01 +01:00
Slavi Pantaleev
9b72384df7 Upgrade Synapse (1.28.0 -> 1.29.0) 2021-03-08 17:24:09 +02:00
Slavi Pantaleev
f0698ee641 Do not overwrite X-Forwarded-For when reverse-proxying to Synapse 
We have a flow like this:
1. matrix.DOMAIN vhost (matrix-domain.conf)
2. matrix-synapse vhost (matrix-synapse.conf); or matrix-corporal container, if enabled
3. (optional) matrix-synapse vhost (matrix-synapse.conf), if matrix-corporal enabled
4. matrix-synapse container

We are setting `X-Forwarded-For` correctly in step #1, but were
overwriting it in step #2 with something inaccurate.

Not doing anything in step #2 is better than doing the wrong thing.
It's probably best if we append another reverse-proxy address there
though, although what we're doing now (with this patch) seems to yield
the correct result (when matrix-corporal is not enabled).

When matrix-corporal is enabled, we still seem to do the wrong thing for
some reason. It's something to be fixed later on.
 2021-03-08 17:24:09 +02:00
SierraKiloBravo
0de0716527 Added nginx proxy worker configuration to template and defaults 2021-03-02 11:30:09 +01:00
Slavi Pantaleev
a25b8135b8 Fix point overlap between matrix-domain and Jitsi 
Mostly affects people who disable the integrated `matrix-nginx-proxy`.

Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/456
and more specifically 4d62a75f6f.
 2021-03-01 20:27:45 +02:00