Cleaned up stuff that isn't necessary.

2024-12-02 17:55:49 +01:00 · 2024-12-02 17:55:49 +01:00 · 017e368035
parent f2da1e8ed1
commit 017e368035
3 changed files with 63 additions and 13 deletions
--- a/matrix/nginx/README.md
+++ b/matrix/nginx/README.md
@ -28,7 +28,7 @@ apt install nginx python3-certbot-nginx
 Get your certificate:

 ```
-certbot certonly --nginx --agree-tos -m systeemmail@procolix.com --non-interactive -d matrixdev.procolix.com
+certbot certonly --nginx --agree-tos -m system@example.com --non-interactive -d matrixdev.example.com
 ```

 Substitute the correct e-mailaddress and FQDN, or course.
@ -53,27 +53,22 @@ server {
    listen 443 ssl;
    listen [::]:443 ssl;

-    ssl_certificate /etc/letsencrypt/live/matrixdev.procolix.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/matrixdev.procolix.com/privkey.pem;
+    ssl_certificate /etc/letsencrypt/live/matrixdev.example.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/matrixdev.example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/ssl/dhparams.pem;

-    server_name matrixdev.procolix.com;
+    server_name matrixdev.example.com;

    location /.well-known/matrix/client {
       return 200 '{
-          "m.homeserver": {"base_url": "https://vm02199.procolix.com"},
-          "org.matrix.msc3575.proxy": {"url": "https://vm02199.procolix.com"}
+          "m.homeserver": {"base_url": "https://vm02199.examples.com"},
       }';
       default_type application/json;
-
-       add_header 'Access-Control-Allow-Origin' '*';
-       add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
-       add_header 'Access-Control-Allow-Headers' 'X-Requested-With, Content-Type, Authorization';
    }

    location /.well-known/matrix/server {
-       return 200 '{"m.server": "vm02199.procolix.com"}';
+       return 200 '{"m.server": "vm02199.examples.com"}';
       default_type application/json;
    }

--- a/matrix/nginx/proxy.conf
+++ b/matrix/nginx/proxy.conf
@ -29,6 +29,22 @@ server {
        default_type application/json;
    }

+    location /.well-known/matrix/support {
+        return 200 '{ "contacts":
+            [
+                { "email_address": "admin@example.com",
+                "matrix_id": "@admin:example.com",
+                "role": "m.role.admin" },
+                { "email_address": "security@example.com",
+                "matrix_id": "@john:example.com",
+                "role": "m.role.security" }
+            ],
+                "support_page": "https://www.example.com/matrix-support"
+        }';
+        default_type application/json;
+    }
+
+    
    location /.well-known/element/element.json {
        return 200 '{"call": {"widget_url": "https://call.example.com"}}';
        default_type application/json;
--- a/matrix/nginx/synapse.conf
+++ b/matrix/nginx/synapse.conf
@ -13,11 +13,50 @@ server {

 	server_name vm02199.example.com;

+	# Abuse reports get forwarded to Draupnir, listening on port 8082
+	location ~ ^/_matrix/client/(r0|v3)/rooms/([^/]*)/report/(.*)$ {
+		# The r0 endpoint is deprecated but still used by many clients.
+		# As of this writing, the v3 endpoint is the up-to-date version.
+		
+		# Alias the regexps, to ensure that they're not rewritten.
+		set $room_id $2;
+		set $event_id $3;
+		proxy_pass http://[::1]:8082/api/1/report/$room_id/$event_id;
+	}
+
+	# Reports that need to reach Synapse (not sure...)
+	location /_synapse/admin/v1/event_reports {
+		proxy_pass http://localhost:8008;
+		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_set_header Host $host;
+		client_max_body_size 50M;
+		proxy_http_version 1.1;
+	}
+	location ~ ^/_synapse/admin/v1/rooms/[^/]*/context/(.*)$ {
+		proxy_pass http://localhost:8008;
+		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_set_header Host $host;
+		client_max_body_size 50M;
+		proxy_http_version 1.1;
+	}
+	# If you want the server version to be public:
+	location ~ ^/_synapse/admin/v1/server_version$ {
+		proxy_pass http://localhost:8008;
+		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_set_header Host $host;
+		client_max_body_size 50M;
+		proxy_http_version 1.1;
+	}
+		
+	# The rest of the admin endpoint shouldn't be public
 	location ~ ^/_synapse/admin {
 		allow 127.0.0.1;
 		allow ::1;
 		allow 111.222.111.222;
-		allow dead:beef::/64;
+		allow dead:beef::/48;
 		deny all;

 		proxy_pass http://localhost:8008;
@ -39,5 +78,5 @@ server {

 	access_log /var/log/nginx/vm02199-access.log;
 	error_log /var/log/nginx/vm02199-error.log;
-
 }
+