hans/Fediversity
1
0
Fork 0
forked from Fediversity/Fediversity
Code Pull requests Activity

Cleaned up example configs for nginx.

Browse source
This commit is contained in:
Hans van Zijst 2024-11-27 18:45:12 +01:00 committed by Valentin Gagarin
parent 8d34516c93
commit 438682dabf
1 changed files with 92 additions and 70 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

162
matrix/nginx/README.md
View file

@ -140,22 +140,20 @@ another vhost, something like this:
``` ```
server { server {
listen 443 ssl; listen 443 ssl;
listen [::]:443 ssl; listen [::]:443 ssl;
ssl_certificate ssl_certificate /etc/letsencrypt/live/admin.example.com/fullchain.pem;
/etc/letsencrypt/live/admin.example.procolix.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/admin.example.com/privkey.pem;
ssl_certificate_key include /etc/letsencrypt/options-ssl-nginx.conf;
/etc/letsencrypt/live/admin.example.procolix.com/privkey.pem; ssl_dhparam /etc/ssl/dhparams.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/ssl/dhparams.pem; server_name admin.example.com;
server_name admin.example.procolix.com; root /var/www/synapse-admin;
root /var/www/synapse-admin; access_log /var/log/nginx/admin-access.log;
error_log /var/log/nginx/admin-error.log;
access_log /var/log/nginx/admin-example-access.log;
error_log /var/log/nginx/admin-example-error.log;
} }
``` ```
@ -170,20 +168,18 @@ In `/etc/nginx/sites-available/synapse` you want to add this bit:
``` ```
location ~ ^/_synapse/admin { location ~ ^/_synapse/admin {
allow 127.0.0.1; allow 127.0.0.1;
allow ::1; allow ::1;
allow 185.206.232.60; # this host allow 111.222.111.222;
allow 2a00:51c0:12:1201::2a; # this host allow dead:beef::/64;
allow 45.142.234.216; # kantoor deny all;
allow 2a10:3781:2bc3::/64; # kantoor
deny all; proxy_pass http://localhost:8008;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_pass http://localhost:8008; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme; client_max_body_size 50M;
proxy_set_header Host $host; proxy_http_version 1.1;
client_max_body_size 50M;
proxy_http_version 1.1;
} }
``` ```
@ -200,30 +196,42 @@ Then create a virtual host much like this:
``` ```
server { server {
listen 443 ssl; listen 443 ssl;
listen [::]:443 ssl; listen [::]:443 ssl;
ssl_certificate /etc/letsencrypt/live/livekit.matrixdev.example.com/fullchain.pem; ssl_certificate /etc/letsencrypt/live/livekit.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/livekit.matrixdev.example.com/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/livekit.example.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf; include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/ssl/dhparams.pem; ssl_dhparam /etc/ssl/dhparams.pem;
server_name livekit.matrixdev.example.com; server_name livekit.example.com;
# This is lk-jwt-service # This is lk-jwt-service
location ~ ^(/sfu/get|/healthz) { location ~ ^(/sfu/get|/healthz) {
proxy_pass http://[::1]:8080; proxy_pass http://[::1]:8080;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
} }
access_log /var/log/nginx/livekit.matrixdev-access.log; location / {
error_log /var/log/nginx/livekit.matrixdev-error.log; proxy_pass http://[::1]:7880;
proxy_set_header Connection "upgrade";
proxy_set_header Upgrade $http_upgrade;
#add_header Access-Control-Allow-Origin "*" always;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
access_log /var/log/nginx/livekit-access.log;
error_log /var/log/nginx/livekit-error.log;
} }
``` ```
@ -234,24 +242,38 @@ should be the configuration to publish that:
``` ```
server { server {
listen 443 ssl; listen 443 ssl;
listen [::]:443 ssl; listen [::]:443 ssl;
ssl_certificate ssl_certificate /etc/letsencrypt/live/call.example.com/fullchain.pem;
/etc/letsencrypt/live/call.matrixdev.example.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/call.example.com/privkey.pem;
ssl_certificate_key include /etc/letsencrypt/options-ssl-nginx.conf;
/etc/letsencrypt/live/call.matrixdev.example.com/privkey.pem; ssl_dhparam /etc/ssl/dhparams.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/ssl/dhparams.pem; server_name call.example.com;
server_name call.matrixdev.example.com; root /var/www/element-call;
root /var/www/element-call; location /assets {
add_header Cache-Control "public, immutable, max-age=31536000";
}
location /apple-app-site-association {
default_type application/json;
}
location /^config.json$ {
alias public/config.json;
default_type application/json;
}
location / {
try_files $uri /$uri /index.html; try_files $uri /$uri /index.html;
add_header Cache-Control "public, max-age=30, stale-while-revalidate=30";
}
access_log /var/log/nginx/call-access.log;
error_log /var/log/nginx/call-error.log; access_log /var/log/nginx/call-access.log;
error_log /var/log/nginx/call-error.log;
} }
``` ```