mirror of
				https://github.com/spantaleev/matrix-docker-ansible-deploy.git
				synced 2025-10-26 18:13:23 +00:00 
			
		
		
		
	We do this by creating one more layer of indirection. First we reach some generic vhost handling matrix.DOMAIN. A bunch of override rules are added there (capturing traffic to send to ma1sd, etc). nginx-status and similar generic things also live there. We then proxy to the homeserver on some other vhost (only Synapse being available right now, but repointing this to Dendrite or other will be possible in the future). Then that homeserver-specific vhost does its thing to proxy to the homeserver. It may or may not use workers, etc. Without matrix-corporal, the flow is now: 1. matrix.DOMAIN (matrix-nginx-proxy/matrix-domain.conf) 2. matrix-nginx-proxy/matrix-synapse.conf 3. matrix-synapse With matrix-corporal enabled, it becomes: 1. matrix.DOMAIN (matrix-nginx-proxy/matrix-domain.conf) 2. matrix-corporal 3. matrix-nginx-proxy/matrix-synapse.conf 4. matrix-synapse (matrix-corporal gets injected at step 2).
		
			
				
	
	
		
			71 lines
		
	
	
		
			2.2 KiB
		
	
	
	
		
			Django/Jinja
		
	
	
	
	
	
			
		
		
	
	
			71 lines
		
	
	
		
			2.2 KiB
		
	
	
	
		
			Django/Jinja
		
	
	
	
	
	
| #jinja2: lstrip_blocks: "True"
 | |
| 
 | |
| {% macro render_vhost_directives() %}
 | |
| 	root /nginx-data/matrix-domain;
 | |
| 
 | |
| 	gzip on;
 | |
| 	gzip_types text/plain application/json;
 | |
| 	{% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %}
 | |
| 		{{- configuration_block }}
 | |
| 	{% endfor %}
 | |
| 
 | |
| 	location /.well-known/matrix {
 | |
| 		root {{ matrix_static_files_base_path }};
 | |
| 		{#
 | |
| 			A somewhat long expires value is used to prevent outages
 | |
| 			in case this is unreachable due to network failure.
 | |
| 		#}
 | |
| 		expires 4h;
 | |
| 		default_type application/json;
 | |
| 		add_header Access-Control-Allow-Origin *;
 | |
| 	}
 | |
| {% endmacro %}
 | |
| 
 | |
| server {
 | |
| 	listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
 | |
| 
 | |
| 	server_name {{ matrix_nginx_proxy_base_domain_hostname }};
 | |
| 	server_tokens off;
 | |
| 
 | |
| 	{% if matrix_nginx_proxy_https_enabled %}
 | |
| 		location /.well-known/acme-challenge {
 | |
| 			{% if matrix_nginx_proxy_enabled %}
 | |
| 				{# Use the embedded DNS resolver in Docker containers to discover the service #}
 | |
| 				resolver 127.0.0.11 valid=5s;
 | |
| 				set $backend "matrix-certbot:8080";
 | |
| 				proxy_pass http://$backend;
 | |
| 			{% else %}
 | |
| 				{# Generic configuration for use outside of our container setup #}
 | |
| 				proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
 | |
| 			{% endif %}
 | |
| 		}
 | |
| 
 | |
| 		location / {
 | |
| 			return 301 https://$http_host$request_uri;
 | |
| 		}
 | |
| 	{% else %}
 | |
| 		{{ render_vhost_directives() }}
 | |
| 	{% endif %}
 | |
| }
 | |
| 
 | |
| {% if matrix_nginx_proxy_https_enabled %}
 | |
| server {
 | |
| 	listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
 | |
| 	listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
 | |
| 
 | |
| 	server_name {{ matrix_nginx_proxy_base_domain_hostname }};
 | |
| 	server_tokens off;
 | |
| 
 | |
| 	ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/fullchain.pem;
 | |
| 	ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/privkey.pem;
 | |
| 
 | |
| 	ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
 | |
| 	{% if matrix_nginx_proxy_ssl_ciphers != '' %}
 | |
| 	ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
 | |
| 	{% endif %}
 | |
| 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
 | |
| 
 | |
| 	{{ render_vhost_directives() }}
 | |
| }
 | |
| {% endif %}
 |