mirror of
				https://github.com/spantaleev/matrix-docker-ansible-deploy.git
				synced 2025-10-25 09:33:25 +00:00 
			
		
		
		
	A new variable called `matrix_nginx_proxy_ssl_config` is created for configuring how the nginx proxy configures SSL. Also a new configuration validation option and other auxiliary variables are created. A new variable configuration called `matrix_nginx_proxy_ssl_config` is created. This allow to set the SSL configuration easily using the default options proposed by Mozilla. The default configuration is set to "Intermediate", removing the weak ciphers used in the old configurations. The new variable can also be set to "Custom" for a more granular control. This allows to set another three variables called: - `matrix_nginx_proxy_ssl_protocols`, - `matrix_nginx_proxy_ssl_prefer_server_ciphers` - `matrix_nginx_proxy_ssl_ciphers` Also a new task is added to validate the SSL configuration variable.
		
			
				
	
	
		
			95 lines
		
	
	
		
			3.8 KiB
		
	
	
	
		
			Django/Jinja
		
	
	
	
	
	
			
		
		
	
	
			95 lines
		
	
	
		
			3.8 KiB
		
	
	
	
		
			Django/Jinja
		
	
	
	
	
	
| #jinja2: lstrip_blocks: "True"
 | |
| 
 | |
| {% macro render_vhost_directives() %}
 | |
| 	gzip on;
 | |
| 	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
 | |
| 	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 | |
| 	add_header X-Content-Type-Options nosniff;
 | |
| 	add_header X-Frame-Options SAMEORIGIN;
 | |
| 	{% for configuration_block in matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks %}
 | |
| 		{{- configuration_block }}
 | |
| 	{% endfor %}
 | |
| 
 | |
| 	location / {
 | |
| 		{% if matrix_nginx_proxy_enabled %}
 | |
| 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 | |
| 			resolver 127.0.0.11 valid=5s;
 | |
| 			set $backend "matrix-client-element:8080";
 | |
| 			proxy_pass http://$backend;
 | |
| 		{% else %}
 | |
| 			{# Generic configuration for use outside of our container setup #}
 | |
| 			proxy_pass http://127.0.0.1:8765;
 | |
| 		{% endif %}
 | |
| 
 | |
| 		proxy_set_header Host $host;
 | |
| 		proxy_set_header X-Forwarded-For $remote_addr;
 | |
| 	}
 | |
| {% endmacro %}
 | |
| 
 | |
| server {
 | |
| 	listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
 | |
| 
 | |
| 	server_name {{ matrix_nginx_proxy_proxy_element_hostname }};
 | |
| 
 | |
| 	server_tokens off;
 | |
| 	root /dev/null;
 | |
| 
 | |
| 	{% if matrix_nginx_proxy_https_enabled %}
 | |
| 		location /.well-known/acme-challenge {
 | |
| 			{% if matrix_nginx_proxy_enabled %}
 | |
| 				{# Use the embedded DNS resolver in Docker containers to discover the service #}
 | |
| 				resolver 127.0.0.11 valid=5s;
 | |
| 				set $backend "matrix-certbot:8080";
 | |
| 				proxy_pass http://$backend;
 | |
| 			{% else %}
 | |
| 				{# Generic configuration for use outside of our container setup #}
 | |
| 				proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
 | |
| 			{% endif %}
 | |
| 		}
 | |
| 
 | |
| 		location / {
 | |
| 			return 301 https://$http_host$request_uri;
 | |
| 		}
 | |
| 	{% else %}
 | |
| 		{{ render_vhost_directives() }}
 | |
| 	{% endif %}
 | |
| }
 | |
| 
 | |
| {% if matrix_nginx_proxy_https_enabled %}
 | |
| server {
 | |
| 	listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
 | |
| 	listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
 | |
| 
 | |
| 	server_name {{ matrix_nginx_proxy_proxy_element_hostname }};
 | |
| 
 | |
| 	server_tokens off;
 | |
| 	root /dev/null;
 | |
| 
 | |
| 	ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/fullchain.pem;
 | |
| 	ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/privkey.pem;
 | |
| 
 | |
| 	{% if matrix_nginx_proxy_ssl_config == "Modern" %}
 | |
| 	ssl_protocols TLSv1.3;
 | |
|     ssl_prefer_server_ciphers off;
 | |
| 
 | |
| 	{% elif matrix_nginx_proxy_ssl_config == "Intermediate" %}
 | |
| 	ssl_protocols TLSv1.2 TLSv1.3;
 | |
|     ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 | |
|     ssl_prefer_server_ciphers off;
 | |
| 
 | |
| 	{% elif matrix_nginx_proxy_ssl_config == "Old" %}
 | |
| 	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
 | |
|     ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
 | |
|     ssl_prefer_server_ciphers on;
 | |
| 
 | |
| 	{% elif matrix_nginx_proxy_ssl_config == "Custom" %}
 | |
| 	ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
 | |
| 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
 | |
| 	ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
 | |
| 
 | |
| 	{% endif %}
 | |
| 
 | |
| 	{{ render_vhost_directives() }}
 | |
| }
 | |
| {% endif %}
 |