From a47e152b6364d9cf23237c4df6585a64f71d1a2d Mon Sep 17 00:00:00 2001
From: Hans van Zijst
Date: Wed, 27 Nov 2024 18:01:10 +0100
Subject: [PATCH] Added anonymized configuration files for nginx.
---
 matrix/nginx/call.conf | 34 +++++++++++++++++++++++++
 matrix/nginx/elementweb.conf | 29 +++++++++++++++++++++
 matrix/nginx/livekit.conf | 37 +++++++++++++++++++++++++++
 matrix/nginx/proxy.conf | 45 +++++++++++++++++++++++++++++++++
 matrix/nginx/synapse-admin.conf | 16 ++++++++++++
 matrix/nginx/synapse.conf | 43 +++++++++++++++++++++++++++++++
 6 files changed, 204 insertions(+)
 create mode 100644 matrix/nginx/call.conf
 create mode 100644 matrix/nginx/elementweb.conf
 create mode 100644 matrix/nginx/livekit.conf
 create mode 100644 matrix/nginx/proxy.conf
 create mode 100644 matrix/nginx/synapse-admin.conf
 create mode 100644 matrix/nginx/synapse.conf
diff --git a/matrix/nginx/call.conf b/matrix/nginx/call.conf
new file mode 100644
index 0000000..1fdc36c
--- /dev/null
+++ b/matrix/nginx/call.conf
@@ -0,0 +1,34 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ ssl_certificate /etc/letsencrypt/live/call.example.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/call.example.com/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/ssl/dhparams.pem;
+
+ server_name call.example.com;
+
+ root /var/www/element-call;
+
+ location /assets {
+ add_header Cache-Control "public, immutable, max-age=31536000";
+ }
+
+ location /apple-app-site-association {
+ default_type application/json;
+ }
+
+ location /^config.json$ {
+ alias public/config.json;
+ default_type application/json;
+ }
+
+ location / {
+ try_files $uri /$uri /index.html;
+ add_header Cache-Control "public, max-age=30, stale-while-revalidate=30";
+ }
+
+ access_log /var/log/nginx/call-access.log;
+ error_log /var/log/nginx/call-error.log;
+}
diff --git a/matrix/nginx/elementweb.conf b/matrix/nginx/elementweb.conf
new file mode 100644
index 0000000..dded994
--- /dev/null
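Review bot: `location /^config.json$ {` is a prefix location whose literal path is `/^config.json$`, so it never matches `/config.json` and that request falls through to `location /`; a regex needs the `~` modifier, and an exact match is the better fit here, `location = /config.json {`. The `alias public/config.json;` on the next line is relative, which nginx resolves against its compile-time prefix rather than the `root` set above, so it should be absolute, e.g. `alias /var/www/element-call/public/config.json;` (constructed from the `root` above; adjust to wherever the file actually lives). In `location /`, `try_files $uri /$uri /index.html;` probes the same path twice because `$uri` already starts with `/`, so the middle argument can be dropped. Unlike elementweb.conf this vhost sets no `X-Frame-Options`/`Content-Security-Policy` headers and has no port-80 redirect; consider mirroring those here.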
+++ b/matrix/nginx/elementweb.conf
@@ -0,0 +1,29 @@
+server {
+ listen 80;
+ listen [::]:80;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ ssl_certificate /etc/letsencrypt/live/element.example.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/element.example.com/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/ssl/dhparams.pem;
+
+ server_name element.example.com;
+
+ location / {
+ if ($scheme = http) {
+ return 301 https://$host$request_uri;
+ }
+ add_header X-Frame-Options SAMEORIGIN;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header Content-Security-Policy "frame-ancestors 'self'";
+ }
+
+ root /usr/share/element-web;
+ index index.html;
+
+ access_log /var/log/nginx/element-access.log;
+ error_log /var/log/nginx/element-error.log;
+}
diff --git a/matrix/nginx/livekit.conf b/matrix/nginx/livekit.conf
new file mode 100644
index 0000000..679e3c4
--- /dev/null
+++ b/matrix/nginx/livekit.conf
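Review bot: The four `add_header` lines in `location /` are only emitted on 2xx/3xx responses because they lack the `always` flag, so 404s and other error pages from this vhost go out without `X-Frame-Options`/`Content-Security-Policy`; append it to each, e.g. `add_header X-Frame-Options SAMEORIGIN always;`. `X-XSS-Protection "1; mode=block"` is a legacy header that current browsers no longer honour and whose filter caused its own problems, so with the CSP in place the usual advice is to set it to `0` or drop it. The port-80 redirect builds its target from `$host`, which comes from the client's Host header; that is fine as long as this block is not also the default server for port 80, otherwise `$server_name` is the safer choice.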
@@ -0,0 +1,37 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ ssl_certificate /etc/letsencrypt/live/livekit.example.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/livekit.example.com/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/ssl/dhparams.pem;
+
+ server_name livekit.example.com;
+
+ # This is lk-jwt-service
+ location ~ ^(/sfu/get|/healthz) {
+ proxy_pass http://[::1]:8080;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ location / {
+ proxy_pass http://[::1]:7880;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Upgrade $http_upgrade;
+ #add_header Access-Control-Allow-Origin "*" always;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ access_log /var/log/nginx/livekit-access.log;
+ error_log /var/log/nginx/livekit-error.log;
+}
diff --git a/matrix/nginx/proxy.conf b/matrix/nginx/proxy.conf
new file mode 100644
index 0000000..0bf5a9c
--- /dev/null
+++ b/matrix/nginx/proxy.conf
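Review bot: `location /` sets `Connection "upgrade"` and `Upgrade $http_upgrade` but not `proxy_http_version 1.1;`, and nginx talks HTTP/1.0 to upstreams by default, so the WebSocket upgrade to `http://[::1]:7880` will not be negotiated; add `proxy_http_version 1.1;` next to the `proxy_pass`. Sending `Connection "upgrade"` unconditionally also tags plain HTTP requests as upgrades; the usual pattern is a `map $http_upgrade $connection_upgrade` in the http context plus `proxy_set_header Connection $connection_upgrade;`. A long-lived signalling socket will be cut at the default 60s `proxy_read_timeout` unless that is raised in this block. This file passes `X-Forwarded-For $proxy_add_x_forwarded_for` while synapse.conf uses `$remote_addr`; the former appends to a client-supplied header, so whatever reads it downstream should not treat the first entry as trusted.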
@@ -0,0 +1,45 @@
+server {
+ listen 80;
+ listen [::]:80;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/ssl/dhparams.pem;
+
+ server_name example.com;
+
+ location /.well-known/matrix/client {
+ return 200 '{
+ "m.homeserver": {"base_url": "https://vm02199.example.com"},
+ "org.matrix.msc3575.proxy": {"url": "https://vm02199.example.com"},
+ "org.matrix.msc4143.rtc_foci":[
+ {"type": "livekit",
+ "livekit_service_url": "https://livekit.example.com"}
+ ]
+ }';
+ default_type application/json;
+ add_header 'Access-Control-Allow-Origin' '*';
+ }
+
+ location /.well-known/matrix/server {
+ return 200 '{"m.server": "vm02199.example.com"}';
+ default_type application/json;
+ }
+
+ location /.well-known/element/element.json {
+ return 200 '{"call": {"widget_url": "https://call.example.com"}}';
+ default_type application/json;
+ }
+
+ location / {
+ if ($scheme = http) {
+ return 301 https://$host$request_uri;
+ }
+ }
+
+ access_log /var/log/nginx/example-access.log;
+ error_log /var/log/nginx/example-error.log;
+}
diff --git a/matrix/nginx/synapse-admin.conf b/matrix/nginx/synapse-admin.conf
new file mode 100644
index 0000000..31254f5
--- /dev/null
+++ b/matrix/nginx/synapse-admin.conf
@@ -0,0 +1,16 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ ssl_certificate /etc/letsencrypt/live/admin.example.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/admin.example.com/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/ssl/dhparams.pem;
+
+ server_name admin.example.com;
+
+ root /var/www/synapse-admin;
+
+ access_log /var/log/nginx/admin-access.log;
+ error_log /var/log/nginx/admin-error.log;
+}
diff --git a/matrix/nginx/synapse.conf b/matrix/nginx/synapse.conf
new file mode 100644
index 0000000..0cd1d2a
--- /dev/null
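Review bot: The three `/.well-known/...` locations also answer on the port-80 listeners, because the http→https redirect lives only in `location /`, so the homeserver and LiveKit discovery documents are served over plaintext as well as TLS and can be rewritten by anyone on the path; move the redirect into its own port-80 server block and keep only the 443 listeners in this one. `/.well-known/element/element.json` is fetched by the web client from element.example.com, a different origin from example.com, yet unlike the client well-known it carries no `Access-Control-Allow-Origin` header, so that lookup is likely to be blocked by the browser; add the same `add_header 'Access-Control-Allow-Origin' '*';` there. The `return 200` bodies are hand-written JSON that nothing validates, so a stray comma breaks client discovery silently; a comment naming the spec each document follows would help the next editor.
```nginx
# Plain-HTTP listener: only redirects, so the well-known documents are never served without TLS.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

# … unchanged: existing TLS server block, minus its two `listen 80` lines and the `location /` redirect …
```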
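Review bot: This vhost publishes the admin UI to the whole internet with no access control, while the `_synapse/admin` API it drives is limited in synapse.conf to a short allow list; the static UI alone leaks nothing, but restricting it to the same addresses (`allow 111.222.111.222;`, `allow dead:beef::/64;`, `deny all;`) removes a public login page and keeps the two files in step. It also sets none of the `X-Frame-Options`/`X-Content-Type-Options`/`Content-Security-Policy` headers that elementweb.conf adds, and there is no `try_files ... /index.html` fallback, so if the app uses path-based routing a deep link will 404 instead of loading the SPA.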
+++ b/matrix/nginx/synapse.conf
@@ -0,0 +1,43 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ # For the federation port
+ listen 8448 ssl;
+ listen [::]:8448 ssl;
+
+ ssl_certificate /etc/letsencrypt/live/vm02199.example.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/vm02199.example.com/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/ssl/dhparams.pem;
+
+ server_name vm02199.example.com;
+
+ location ~ ^/_synapse/admin {
+ allow 127.0.0.1;
+ allow ::1;
+ allow 111.222.111.222;
+ allow dead:beef::/64;
+ deny all;
+
+ proxy_pass http://localhost:8008;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host;
+ client_max_body_size 50M;
+ proxy_http_version 1.1;
+ }
+
+ location ~ ^(/_matrix|/_synapse/client) {
+ proxy_pass http://localhost:8008;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host;
+ client_max_body_size 50M;
+ proxy_http_version 1.1;
+ }
+
+ access_log /var/log/nginx/vm02199-access.log;
+ error_log /var/log/nginx/vm02199-error.log;
+
+}
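Review bot: The `proxy_set_header`, `client_max_body_size` and `proxy_http_version` lines are duplicated verbatim in both location blocks; all of them inherit from the server context (only `proxy_pass` does not), so hoisting them to server level leaves one copy to maintain and stops the two blocks drifting apart. The allow list on `^/_synapse/admin` is the only thing keeping the admin API off the internet, and it is effective only because nginx tries regex locations in file order and this block precedes the `/_matrix` catch-all; a comment such as `# Must stay above the /_matrix location: regex locations match in file order` would protect that ordering from a later edit. Because the same server block also listens on 8448, the client and admin endpoints are reachable on the federation port too; if that port is opened more widely in the firewall than 443, a separate block forwarding only `/_matrix/federation` and `/_matrix/key` is worth considering.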