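# nginx reverse-proxy template for a Synapse (+ optional MAS) stack.
# Rendered by a Go-template `env` helper before nginx starts; inputs are
# STACK_NAME, DOMAIN, MAS_ENABLED, ADMIN_INTERFACE_ENABLED and the two
# NGINX_*_LOG_LOCATION variables.
#
# Deployment assumption (from `listen 80` plus the hard-coded
# `X-Forwarded-Proto https`): this nginx is NOT the TLS edge. Something in
# front terminates TLS and forwards plain HTTP here, so $remote_addr is that
# edge, not the end user. Anything keyed on the client address in Synapse/MAS
# (rate limiting, audit logs) depends on the edge setting X-Forwarded-For
# honestly -- see the server block below.

# Worker processes run as www-data; only the master keeps root to bind :80.
user www-data;

events {
    worker_connections 768;
}

http {
    # Docker's embedded DNS. Upstream names are re-resolved every 30s so a
    # re-deployed service (new container IP) does not require an nginx reload.
    resolver 127.0.0.11 valid=30s ipv6=off;
    resolver_timeout 5s;

    # `resolve` on an upstream `server` needs the shared-memory `zone` and an
    # nginx build that supports it (nginx Plus or a recent open-source release).
    upstream matrix_upstream {
        zone matrix_upstream 64k;
        server {{ env "STACK_NAME"}}_app:8008 resolve;
        keepalive 16;
    }

    {{ if eq (env "MAS_ENABLED") "1" }}
    upstream mas_upstream {
        zone mas_upstream 64k;
        server {{ env "STACK_NAME"}}_mas:8080 resolve;
        keepalive 8;
    }
    {{ end }}

    server {
        listen 80;
        server_name {{ env "DOMAIN" }};

        # Logging is OFF by default (/dev/null). For incident response you want
        # at least the access log for the login/MAS routes; set
        # NGINX_ACCESS_LOG_LOCATION / NGINX_ERROR_LOG_LOCATION to enable it.
        access_log {{ or (env "NGINX_ACCESS_LOG_LOCATION") "/dev/null" }};
        error_log {{ or (env "NGINX_ERROR_LOG_LOCATION") "/dev/null" }};

        # Proxy settings shared by every proxied location. nginx inherits
        # proxy_set_header from the server level only when a location sets
        # none of its own, so the locations below are kept to `proxy_pass`.
        client_max_body_size 50M;
        proxy_http_version 1.1;
        # Clear the hop-by-hop Connection header. Without this nginx sends
        # "Connection: close" to the backend and the `keepalive` pools above
        # are never used; it also stops a client-supplied Connection header
        # from reaching the backend.
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        # Append the peer address to whatever the edge sent (was $remote_addr
        # on the Synapse routes and $proxy_add_x_forwarded_for on the MAS
        # routes; unified so both backends see the same chain). This is only
        # trustworthy if the edge overwrites -- not appends to -- a
        # client-supplied X-Forwarded-For, and if the backends are configured
        # to trust only that edge. If the edge has a fixed address, prefer
        # `set_real_ip_from <edge-cidr>; real_ip_header X-Forwarded-For;` so
        # that $remote_addr itself becomes the real client.
        # TODO(review): confirm the edge proxy's X-Forwarded-For handling.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Hard-coded: the public URL is https://$DOMAIN/ regardless of how this
        # hop was reached. MAS derives redirect URIs from this value, so it
        # must not be set from the (plain-HTTP) scheme of this hop.
        proxy_set_header X-Forwarded-Proto https;

        location = / {
            proxy_pass http://matrix_upstream;
        }

        {{ if eq (env "MAS_ENABLED") "1" }}
        # MAS shares the Host with Synapse (public_base = https://$DOMAIN/), so
        # its browser/OIDC endpoints live at the site root, not only under
        # /_matrix/.
        # Router reference: element-hq/matrix-authentication-service crates/router/src/endpoints.rs
        # https://element-hq.github.io/matrix-authentication-service/setup/reverse-proxy.html
        # Regex locations are tried in file order and the first match wins, so
        # this block must precede the generic Synapse location below.
        # Notes: `link(\?...)` can never match because nginx matches $uri,
        # which excludes the query string (harmless); `api/` and `graphql`
        # expose MAS's own token-protected admin/GraphQL APIs publicly.
        location ~ ^/(complete-compat-sso/|oauth2/|\.well-known/(openid-configuration|webfinger|change-password)|authorize|login|logout|register(/|$)|account/|upstream/|consent/|link(\?|/|$)|device/|recover(/|$)|assets/|graphql(/|$)|api/) {
            proxy_pass http://mas_upstream;
        }

        # Matrix CS API compat (login / logout / refresh and subpaths, e.g.
        # .../login/sso/redirect). Must come before the generic /_matrix
        # location or Synapse would receive the login requests.
        location ~ ^/_matrix/client/[^/]+/(login|logout|refresh)(/.*)?$ {
            proxy_pass http://mas_upstream;
        }
        {{ end }}

        # Everything else Synapse serves. Case-SENSITIVE on purpose (was `~*`):
        # the MAS compat location above is case-sensitive, so a
        # case-insensitive match here would let /_MATRIX/client/v3/login skip
        # MAS and reach Synapse. Anchored with (/|$) so /_matrixfoo no longer
        # matches. /_synapse/mas is the MAS->Synapse internal API; if MAS
        # reaches Synapse over the stack network it need not be public --
        # TODO(review): confirm and drop it from the public route if so.
        location ~ ^/(_matrix|_synapse/client|_synapse/mas)(/|$) {
            proxy_pass http://matrix_upstream;
        }

        # Static Matrix discovery documents (/.well-known/matrix/{server,client})
        # served from /var/www/.well-known/matrix/. The wildcard CORS header is
        # required by the spec so web clients can read the client document.
        # `^~` stops regex locations from ever shadowing this prefix.
        location ^~ /.well-known/matrix/ {
            root /var/www/;
            default_type application/json;
            add_header Access-Control-Allow-Origin *;
        }

        {{ if eq (env "ADMIN_INTERFACE_ENABLED") "1" }}
        # Synapse admin API, gated on Referer so that only the admin UI served
        # at https://$DOMAIN/admin/ reaches it from a browser.
        # SECURITY NOTE: Referer is client-controlled and trivially forged
        # (curl -H 'Referer: ...'); this is NOT an access control. The real
        # boundary is Synapse's own admin-token check on /_synapse/admin; keep
        # this only as a guard against casual browser access. DOMAIN is
        # interpolated into the regex unescaped (a `.` matches any character).
        # With the flag off, /_synapse/admin matches no location and is not
        # proxied at all, which is the intended "not exposed" state.
        location ^~ /_synapse/admin {
            if ($http_referer !~ "^https://{{ env "DOMAIN" }}/admin/") {
                return 403;
            }
            proxy_pass http://matrix_upstream;
        }
        {{ end }}
    }
}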