mirror of
				https://github.com/spantaleev/matrix-docker-ansible-deploy.git
				synced 2025-10-25 01:23:24 +00:00 
			
		
		
		
	Not sure if it breaks with them or not, but no other directive uses quotes and the nginx docs show examples without quotes, so we're being consistent with all of that.
		
			
				
	
	
		
			270 lines
		
	
	
		
			9.2 KiB
		
	
	
	
		
			Django/Jinja
		
	
	
	
	
	
			
		
		
	
	
			270 lines
		
	
	
		
			9.2 KiB
		
	
	
	
		
			Django/Jinja
		
	
	
	
	
	
| #jinja2: lstrip_blocks: "True"
 | |
| {% macro render_nginx_status_location_block(addresses) %}
 | |
| 	{# Empty first line to make indentation prettier. #}
 | |
| 
 | |
| 	location /nginx_status {
 | |
| 		stub_status on;
 | |
| 		access_log off;
 | |
| 		{% for address in addresses %}
 | |
| 		allow {{ address }};
 | |
| 		{% endfor %}
 | |
| 		deny all;
 | |
| 	}
 | |
| {% endmacro %}
 | |
| 
 | |
| 
 | |
| {% macro render_vhost_directives() %}
 | |
| 	gzip on;
 | |
| 	gzip_types text/plain application/json;
 | |
| 
 | |
| 	location /.well-known/matrix {
 | |
| 		root {{ matrix_static_files_base_path }};
 | |
| 		{#
 | |
| 			A somewhat long expires value is used to prevent outages
 | |
| 			in case this is unreachable due to network failure or
 | |
| 			due to the base domain's server completely dying.
 | |
| 		#}
 | |
| 		expires 4h;
 | |
| 		default_type application/json;
 | |
| 		add_header Access-Control-Allow-Origin *;
 | |
| 	}
 | |
| 
 | |
| 	{% if matrix_nginx_proxy_proxy_matrix_nginx_status_enabled %}
 | |
| 		{{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }}
 | |
| 	{% endif %}
 | |
| 
 | |
| 	{% if matrix_nginx_proxy_proxy_matrix_corporal_api_enabled %}
 | |
| 	location ^~ /_matrix/corporal {
 | |
| 		{% if matrix_nginx_proxy_enabled %}
 | |
| 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 | |
| 			resolver 127.0.0.11 valid=5s;
 | |
| 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container }}";
 | |
| 			proxy_pass http://$backend;
 | |
| 		{% else %}
 | |
| 			{# Generic configuration for use outside of our container setup #}
 | |
| 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container }};
 | |
| 		{% endif %}
 | |
| 
 | |
| 		proxy_set_header Host $host;
 | |
| 		proxy_set_header X-Forwarded-For $remote_addr;
 | |
| 	}
 | |
| 	{% endif %}
 | |
| 
 | |
| 	{% if matrix_nginx_proxy_proxy_matrix_identity_api_enabled %}
 | |
| 	location ^~ /_matrix/identity {
 | |
| 		{% if matrix_nginx_proxy_enabled %}
 | |
| 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 | |
| 			resolver 127.0.0.11 valid=5s;
 | |
| 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}";
 | |
| 			proxy_pass http://$backend;
 | |
| 		{% else %}
 | |
| 			{# Generic configuration for use outside of our container setup #}
 | |
| 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }};
 | |
| 		{% endif %}
 | |
| 
 | |
| 		proxy_set_header Host $host;
 | |
| 		proxy_set_header X-Forwarded-For $remote_addr;
 | |
| 	}
 | |
| 	{% endif %}
 | |
| 
 | |
| 	{% if matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled %}
 | |
| 	location ^~ /_matrix/client/r0/user_directory/search {
 | |
| 		{% if matrix_nginx_proxy_enabled %}
 | |
| 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 | |
| 			resolver 127.0.0.11 valid=5s;
 | |
| 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container }}";
 | |
| 			proxy_pass http://$backend;
 | |
| 		{% else %}
 | |
| 			{# Generic configuration for use outside of our container setup #}
 | |
| 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container }};
 | |
| 		{% endif %}
 | |
| 
 | |
| 		proxy_set_header Host $host;
 | |
| 		proxy_set_header X-Forwarded-For $remote_addr;
 | |
| 	}
 | |
| 	{% endif %}
 | |
| 
 | |
| 	{% if matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled %}
 | |
| 	location ~ ^/_matrix/client/r0/register/(email|msisdn)/requestToken$ {
 | |
| 		{% if matrix_nginx_proxy_enabled %}
 | |
| 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 | |
| 			resolver 127.0.0.11 valid=5s;
 | |
| 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container }}";
 | |
| 			proxy_pass http://$backend;
 | |
| 		{% else %}
 | |
| 			{# Generic configuration for use outside of our container setup #}
 | |
| 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container }};
 | |
| 		{% endif %}
 | |
| 
 | |
| 		proxy_set_header Host $host;
 | |
| 		proxy_set_header X-Forwarded-For $remote_addr;
 | |
| 	}
 | |
| 	{% endif %}
 | |
| 
 | |
| 	{% for configuration_block in matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks %}
 | |
| 		{{- configuration_block }}
 | |
| 	{% endfor %}
 | |
| 
 | |
| 	{% if matrix_nginx_proxy_proxy_synapse_metrics %}
 | |
| 	location /_synapse/metrics {
 | |
| 		{% if matrix_nginx_proxy_enabled %}
 | |
| 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 | |
| 			resolver 127.0.0.11 valid=5s;
 | |
| 			set $backend "{{ matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container }}";
 | |
| 			proxy_pass http://$backend;
 | |
| 		{% else %}
 | |
| 			{# Generic configuration for use outside of our container setup #}
 | |
| 			proxy_pass http://{{ matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container }};
 | |
| 		{% endif %}
 | |
| 
 | |
| 		proxy_set_header Host $host;
 | |
| 		proxy_set_header X-Forwarded-For $remote_addr;
 | |
| 
 | |
| 		{% if matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled %}
 | |
| 			auth_basic "protected";
 | |
| 			auth_basic_user_file /nginx-data/matrix-synapse-metrics-htpasswd;
 | |
| 		{% endif %}
 | |
| 	}
 | |
| 	{% endif %}
 | |
| 
 | |
| 	{#
 | |
| 		This handles the Matrix Client API only.
 | |
| 		The Matrix Federation API is handled by a separate vhost.
 | |
| 	#}
 | |
| 	location ~* ^({{ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes|join('|') }}) {
 | |
| 		{% if matrix_nginx_proxy_enabled %}
 | |
| 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 | |
| 			resolver 127.0.0.11 valid=5s;
 | |
| 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container }}";
 | |
| 			proxy_pass http://$backend;
 | |
| 		{% else %}
 | |
| 			{# Generic configuration for use outside of our container setup #}
 | |
| 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container }};
 | |
| 		{% endif %}
 | |
| 
 | |
| 		proxy_set_header Host $host;
 | |
| 		proxy_set_header X-Forwarded-For $remote_addr;
 | |
| 
 | |
| 		client_body_buffer_size 25M;
 | |
| 		client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M;
 | |
| 		proxy_max_temp_file_size 0;
 | |
| 	}
 | |
| 
 | |
| 	location / {
 | |
| 		{% if matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain %}
 | |
| 			return 302 $scheme://{{ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain }}$request_uri;
 | |
| 		{% else %}
 | |
| 			rewrite ^/$ /_matrix/static/ last;
 | |
| 		{% endif %}
 | |
| 	}
 | |
| {% endmacro %}
 | |
| 
 | |
| server {
 | |
| 	listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
 | |
| 	server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};
 | |
| 
 | |
| 	server_tokens off;
 | |
| 	root /dev/null;
 | |
| 
 | |
| 	{% if matrix_nginx_proxy_https_enabled %}
 | |
| 		location /.well-known/acme-challenge {
 | |
| 			{% if matrix_nginx_proxy_enabled %}
 | |
| 				{# Use the embedded DNS resolver in Docker containers to discover the service #}
 | |
| 				resolver 127.0.0.11 valid=5s;
 | |
| 				set $backend "matrix-certbot:8080";
 | |
| 				proxy_pass http://$backend;
 | |
| 			{% else %}
 | |
| 				{# Generic configuration for use outside of our container setup #}
 | |
| 				proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
 | |
| 			{% endif %}
 | |
| 		}
 | |
| 
 | |
| 		{% if matrix_nginx_proxy_proxy_matrix_nginx_status_enabled %}
 | |
| 			{{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }}
 | |
| 		{% endif %}
 | |
| 
 | |
| 		location / {
 | |
| 			return 301 https://$http_host$request_uri;
 | |
| 		}
 | |
| 	{% else %}
 | |
| 		{{ render_vhost_directives() }}
 | |
| 	{% endif %}
 | |
| }
 | |
| 
 | |
| {% if matrix_nginx_proxy_https_enabled %}
 | |
| server {
 | |
| 	listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
 | |
| 	listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
 | |
| 
 | |
| 	server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};
 | |
| 
 | |
| 	server_tokens off;
 | |
| 	root /dev/null;
 | |
| 
 | |
| 	ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem;
 | |
| 	ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem;
 | |
| 
 | |
| 	ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
 | |
| 	{% if matrix_nginx_proxy_ssl_ciphers != '' %}
 | |
| 	ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
 | |
| 	{% endif %}
 | |
| 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
 | |
| 
 | |
| 	{{ render_vhost_directives() }}
 | |
| }
 | |
| {% endif %}
 | |
| 
 | |
| {% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled %}
 | |
| {#
 | |
| 	This federation vhost is a little special.
 | |
| 	It serves federation over HTTP or HTTPS, depending on `matrix_nginx_proxy_https_enabled`.
 | |
| #}
 | |
| server {
 | |
| 	{% if matrix_nginx_proxy_https_enabled %}
 | |
| 		listen 8448 ssl http2;
 | |
| 		listen [::]:8448 ssl http2;
 | |
| 	{% else %}
 | |
| 		listen 8448;
 | |
| 	{% endif %}
 | |
| 
 | |
| 	server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};
 | |
| 	server_tokens off;
 | |
| 
 | |
| 	root /dev/null;
 | |
| 
 | |
| 	gzip on;
 | |
| 	gzip_types text/plain application/json;
 | |
| 
 | |
| 	{% if matrix_nginx_proxy_https_enabled %}
 | |
| 		ssl_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate }};
 | |
| 		ssl_certificate_key {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key }};
 | |
| 
 | |
| 	ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
 | |
| 	{% if matrix_nginx_proxy_ssl_ciphers != '' %}
 | |
| 	ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
 | |
| 	{% endif %}
 | |
| 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
 | |
| 
 | |
| 	{% endif %}
 | |
| 
 | |
| 	location / {
 | |
| 		{% if matrix_nginx_proxy_enabled %}
 | |
| 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 | |
| 			resolver 127.0.0.11 valid=5s;
 | |
| 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container }}";
 | |
| 			proxy_pass http://$backend;
 | |
| 		{% else %}
 | |
| 			{# Generic configuration for use outside of our container setup #}
 | |
| 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container }};
 | |
| 		{% endif %}
 | |
| 
 | |
| 		proxy_set_header Host $host;
 | |
| 		proxy_set_header X-Forwarded-For $remote_addr;
 | |
| 
 | |
| 		client_body_buffer_size 25M;
 | |
| 		client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M;
 | |
| 		proxy_max_temp_file_size 0;
 | |
| 	}
 | |
| }
 | |
| {% endif %}
 |