Added anonymized configuration files for nginx.

2024-11-27 18:01:10 +01:00 · 2024-11-27 18:01:10 +01:00 · a47e152b63
commit a47e152b63
parent 1f7b75a9cd
6 changed files with 204 additions and 0 deletions
--- a/matrix/nginx/call.conf
+++ b/matrix/nginx/call.conf
@ -0,0 +1,34 @@
+server {
+	listen 443 ssl;
+	listen [::]:443 ssl;
+
+	ssl_certificate /etc/letsencrypt/live/call.example.com/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/call.example.com/privkey.pem;
+	include /etc/letsencrypt/options-ssl-nginx.conf;
+	ssl_dhparam /etc/ssl/dhparams.pem;
+
+        server_name call.example.com;
+
+        root /var/www/element-call;
+
+	location /assets {
+		add_header Cache-Control "public, immutable, max-age=31536000";
+	}
+
+	location /apple-app-site-association {
+		default_type application/json;
+	}
+
+	location /^config.json$ {
+		alias public/config.json;
+		default_type application/json;
+	}
+
+	location / {
+        	try_files $uri /$uri /index.html;
+		add_header Cache-Control "public, max-age=30, stale-while-revalidate=30";
+	}
+
+        access_log /var/log/nginx/call-access.log;
+        error_log /var/log/nginx/call-error.log;
+}
--- a/matrix/nginx/elementweb.conf
+++ b/matrix/nginx/elementweb.conf
@ -0,0 +1,29 @@
+server {
+        listen 80;
+        listen [::]:80;
+	listen 443 ssl;
+	listen [::]:443 ssl;
+
+	ssl_certificate /etc/letsencrypt/live/element.example.com/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/element.example.com/privkey.pem;
+	include /etc/letsencrypt/options-ssl-nginx.conf;
+	ssl_dhparam /etc/ssl/dhparams.pem;
+
+        server_name element.example.com;
+
+        location / {
+		if ($scheme = http) {
+                	return 301 https://$host$request_uri;
+		}
+		add_header X-Frame-Options SAMEORIGIN;
+		add_header X-Content-Type-Options nosniff;
+		add_header X-XSS-Protection "1; mode=block";
+		add_header Content-Security-Policy "frame-ancestors 'self'";
+        }
+
+        root /usr/share/element-web;
+        index index.html;
+
+        access_log /var/log/nginx/element-access.log;
+        error_log /var/log/nginx/element-error.log;
+}
--- a/matrix/nginx/livekit.conf
+++ b/matrix/nginx/livekit.conf
@ -0,0 +1,37 @@
+server {
+        listen 443 ssl;
+        listen [::]:443 ssl;
+
+        ssl_certificate /etc/letsencrypt/live/livekit.example.com/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/livekit.example.com/privkey.pem;
+        include /etc/letsencrypt/options-ssl-nginx.conf;
+        ssl_dhparam /etc/ssl/dhparams.pem;
+
+        server_name livekit.example.com;
+
+	# This is lk-jwt-service
+    	location ~ ^(/sfu/get|/healthz) {
+	        proxy_pass http://[::1]:8080;
+	        proxy_set_header Host $host;
+	        proxy_set_header X-Forwarded-Server $host;
+	        proxy_set_header X-Real-IP $remote_addr;
+	        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+	        proxy_set_header X-Forwarded-Proto $scheme;
+	}
+
+	location / {
+		proxy_pass http://[::1]:7880;
+		proxy_set_header Connection "upgrade";
+		proxy_set_header Upgrade $http_upgrade;
+		#add_header Access-Control-Allow-Origin "*" always;
+		
+		proxy_set_header Host $host;
+		proxy_set_header X-Forwarded-Server $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto $scheme;
+	}
+
+	access_log /var/log/nginx/livekit-access.log;
+        error_log /var/log/nginx/livekit-error.log;
+}
--- a/matrix/nginx/proxy.conf
+++ b/matrix/nginx/proxy.conf
@ -0,0 +1,45 @@
+server {
+        listen 80;
+        listen [::]:80;
+	listen 443 ssl;
+	listen [::]:443 ssl;
+
+	ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
+	include /etc/letsencrypt/options-ssl-nginx.conf;
+	ssl_dhparam /etc/ssl/dhparams.pem;
+
+        server_name example.com;
+
+        location /.well-known/matrix/client {
+                return 200 '{
+                        "m.homeserver": {"base_url": "https://vm02199.example.com"},
+                        "org.matrix.msc3575.proxy": {"url": "https://vm02199.example.com"},
+			"org.matrix.msc4143.rtc_foci":[
+ 				{"type": "livekit",
+  				"livekit_service_url": "https://livekit.example.com"}
+			]
+                }';
+                default_type application/json;
+                add_header 'Access-Control-Allow-Origin' '*';
+        }
+
+        location /.well-known/matrix/server {
+                return 200 '{"m.server": "vm02199.example.com"}';
+                default_type application/json;
+        }
+
+        location /.well-known/element/element.json {
+		return 200 '{"call": {"widget_url": "https://call.example.com"}}';
+                default_type application/json;
+	}
+
+        location / {
+		if ($scheme = http) {
+                	return 301 https://$host$request_uri;
+		}
+        }
+
+        access_log /var/log/nginx/example-access.log;
+        error_log /var/log/nginx/example-error.log;
+}
--- a/matrix/nginx/synapse-admin.conf
+++ b/matrix/nginx/synapse-admin.conf
@ -0,0 +1,16 @@
+server {
+	listen 443 ssl;
+	listen [::]:443 ssl;
+
+	ssl_certificate /etc/letsencrypt/live/admin.example.com/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/admin.example.com/privkey.pem;
+	include /etc/letsencrypt/options-ssl-nginx.conf;
+	ssl_dhparam /etc/ssl/dhparams.pem;
+
+        server_name admin.example.com;
+
+	root /var/www/synapse-admin;
+
+        access_log /var/log/nginx/admin-access.log;
+        error_log /var/log/nginx/admin-error.log;
+}
--- a/matrix/nginx/synapse.conf
+++ b/matrix/nginx/synapse.conf
@ -0,0 +1,43 @@
+server {
+	listen 443 ssl;
+	listen [::]:443 ssl;
+
+	# For the federation port
+	listen 8448 ssl;
+	listen [::]:8448 ssl;
+
+	ssl_certificate /etc/letsencrypt/live/vm02199.example.com/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/vm02199.example.com/privkey.pem;
+	include /etc/letsencrypt/options-ssl-nginx.conf;
+	ssl_dhparam /etc/ssl/dhparams.pem;
+
+	server_name vm02199.example.com;
+
+	location ~ ^/_synapse/admin {
+		allow 127.0.0.1;
+		allow ::1;
+		allow 111.222.111.222;
+		allow dead:beef::/64;
+		deny all;
+
+		proxy_pass http://localhost:8008;
+		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_set_header Host $host;
+		client_max_body_size 50M;
+		proxy_http_version 1.1;
+	}
+
+	location ~ ^(/_matrix|/_synapse/client) {
+		proxy_pass http://localhost:8008;
+		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_set_header Host $host;
+		client_max_body_size 50M;
+		proxy_http_version 1.1;
+	}
+
+	access_log /var/log/nginx/vm02199-access.log;
+	error_log /var/log/nginx/vm02199-error.log;
+
+}