Initial Matrix NGINX Configuration

2024-06-29 01:22:06 +00:00 · 2023-01-01 13:04:41 -05:00 · 2023-01-01 13:04:41 -05:00 · 09b84b1c92
commit 09b84b1c92
7 changed files with 231 additions and 0 deletions
--- a/nginx/Synapse/proxy.conf
+++ b/nginx/Synapse/proxy.conf
@ -0,0 +1,28 @@
+## Version 2021/10/26 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/proxy.conf
+
+# Timeout if the real server is dead
+proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
+
+# Proxy Connection Settings
+proxy_buffers 32 4k;
+proxy_connect_timeout 240;
+proxy_headers_hash_bucket_size 128;
+proxy_headers_hash_max_size 1024;
+proxy_http_version 1.1;
+proxy_read_timeout 240;
+proxy_redirect  http://  $scheme://;
+proxy_send_timeout 240;
+
+# Proxy Cache and Cookie Settings
+proxy_cache_bypass $cookie_session;
+#proxy_cookie_path / "/; Secure"; # enable at your own risk, may break certain apps
+proxy_no_cache $cookie_session;
+
+# Proxy Header Settings
+proxy_set_header Connection $connection_upgrade;
+proxy_set_header Early-Data $ssl_early_data;
+proxy_set_header Host $host;
+proxy_set_header Proxy "";
+proxy_set_header Upgrade $http_upgrade;   
+proxy_set_header X-Forwarded-Proto https;
+proxy_set_header X-Forwarded-Ssl on;
--- a/site-confs/default.conf
+++ b/site-confs/default.conf
@ -0,0 +1,30 @@
+## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/default
+
+#error_page 502 /502.html;
+
+# redirect all traffic to https
+#server {
+#    listen 80 default_server;
+#    listen [::]:80 default_server;
+#    server_name _;
+#    return 301 https://$host$request_uri;
+#}
+
+# main server block
+server {
+    listen 443 ssl http2 default_server;
+    listen [::]:443 ssl http2 default_server;
+
+    server_name _;
+
+    # enable subfolder method reverse proxy confs
+    include /config/nginx/proxy-confs/*.subfolder.conf;
+
+    # all ssl related config moved to ssl.conf
+    include /config/nginx/ssl.conf;
+}
+
+# enable subdomain method reverse proxy confs
+include /config/nginx/proxy-confs/*.subdomain.conf;
+# enable proxy cache for auth
+proxy_cache_path cache/ keys_zone=auth_cache:10m;
--- a/site-confs/dimension.conf
+++ b/site-confs/dimension.conf
@ -0,0 +1,17 @@
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name dimension.anonymousland.org;
+
+    include /config/nginx/ssl.conf;
+
+    location / {
+        include /config/nginx/proxy.conf;
+        include /config/nginx/resolver.conf;
+        set $upstream_app dimension;
+        set $upstream_port 8184;
+        set $upstream_proto http;
+        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+    }
+}
--- a/site-confs/matrix.anonymousland.org.conf
+++ b/site-confs/matrix.anonymousland.org.conf
@ -0,0 +1,86 @@
+server {
+        listen 80 default_server;
+        listen [::]:80 default_server;
+        server_name matrix.anonymousland.org;
+
+        location / {
+                return 307 https://$host$request_uri;
+        }
+}
+   #Workers
+   include /config/nginx/include.d/upstream_workers.conf;
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    listen 8448 ssl http2 default_server;
+    listen [::]:8448 ssl http2 default_server;
+
+    server_name matrix.anonymousland.org;
+
+    include /config/nginx/ssl.conf;
+    client_max_body_size 1024M;
+
+    # Well-Known
+    location /.well-known/matrix/server {
+    default_type application/json;
+    add_header Access-Control-Allow-Origin *;
+    return 200 '{"m.server": "matrix.anonymousland.org:443"}';
+  }
+
+    location /.well-known/matrix/client {
+    default_type application/json;
+    add_header Access-Control-Allow-Origin *;
+
+  }
+
+    # Mjolnir Reports
+    include /config/nginx/include.d/mjolnir-reports.conf;
+
+    # Maubot
+    include /config/nginx/include.d/maubot.conf;
+
+    # Federation_Worker
+    include /config/nginx/include.d/federation_worker.conf;
+
+    # Encryption_Worker
+    include /config/nginx/include.d/encryption_worker.conf;
+
+    # Client_Worker
+    include /config/nginx/include.d/client_worker.conf;
+
+    # Register
+    include /config/nginx/include.d/register.conf;
+
+    # Additional1_Worker | Typing Device Account
+    #include /config/nginx/include.d/additional1_worker.conf;
+
+    # Additional2_Worker | Reciept
+    #include /config/nginx/include.d/additional2_worker.conf;
+
+    # Event_worker
+    #include /config/nginx/include.d/event_worker.conf;
+
+    # Extra Workers
+    #include /config/nginx/include.d/extra_worker.conf;
+
+    # Media Repo
+    #include /config/nginx/include.d/media-repo.conf;
+
+    # /synapse/admin
+    #include /config/nginx/include.d/synapse-admin.conf;
+
+    # Sync_Worker
+    #include /config/nginx/include.d/sync_worker.conf;
+
+    location / {
+        include /config/nginx/proxy.conf;
+        include /config/nginx/resolver.conf;
+        include /config/nginx/include.d/synapse-proxy.conf;
+        set $upstream_app synapse;
+        set $upstream_port 8008;
+        set $upstream_proto http;
+        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+    }
+}
--- a/site-confs/maubot.conf
+++ b/site-confs/maubot.conf
@ -0,0 +1,17 @@
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name maubot.anonymousland.org;
+
+    include /config/nginx/ssl.conf;
+
+    location / {
+        include /config/nginx/proxy.conf;
+        include /config/nginx/resolver.conf;
+        set $upstream_app maubot;
+        set $upstream_port 29316;
+        set $upstream_proto http;
+        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+    }
+}
--- a/site-confs/tor.conf
+++ b/site-confs/tor.conf
@ -0,0 +1,15 @@
+       server {
+        listen 69 ;
+        server_name 7pdtdadfcjvntnbip764d5sc35d2s7hhdkbbie5hy7njovea4534vxqd.onion;
+
+           location /.well-known/matrix/server {
+    return 200 '{"m.server": "7pdtdadfcjvntnbip764d5sc35d2s7hhdkbbie5hy7njovea4534vxqd.onion:80"}';
+  }
+
+        location / {
+        set $upstream_app tor-synapse;
+        set $upstream_port 8008;
+        set $upstream_proto http;
+        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+       }
+  }
--- a/ssl.conf
+++ b/ssl.conf
@ -0,0 +1,38 @@
+## Version 2022/08/20 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/ssl.conf.sample
+
+### Mozilla Recommendations
+# generated 2022-08-05, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
+
+ssl_certificate /config/keys/cert.crt;
+ssl_certificate_key /config/keys/cert.key;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
+ssl_dhparam /config/nginx/dhparams.pem;
+
+# intermediate configuration
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DH>
+ssl_prefer_server_ciphers off;
+
+# HSTS (ngx_http_headers_module is required) (63072000 seconds)
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+# OCSP stapling
+ssl_stapling on;
+ssl_stapling_verify on;
+
+# verify chain of trust of OCSP response using Root CA and Intermediate certs
+ssl_trusted_certificate /config/keys/cert.crt;
+
+# Optional additional headers
+add_header Referrer-Policy "same-origin" always;
+add_header X-Content-Type-Options "nosniff" always;
+#add_header X-UA-Compatible "IE=Edge" always;
+add_header X-XSS-Protection "0" always;
+add_header Cross-Origin-Resource-Policy cross-origin;
+add_header Cross-Origin-Opener-Policy same-origin;
+add_header X-Frame-Options SAMEORIGIN;