commit 09b84b1c92d656bd379099aee27b6c4db653670d Author: deathrow Date: Sun Jan 1 13:04:41 2023 -0500 Initial Matrix NGINX Configuration
diff --git a/nginx/Synapse/proxy.conf b/nginx/Synapse/proxy.conf
new file mode 100644
index 0000000..99dac72
--- /dev/null
+++ b/nginx/Synapse/proxy.conf
@@ -0,0 +1,28 @@
+## Version 2021/10/26 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/proxy.conf
+
+# Timeout if the real server is dead
+proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
+
+# Proxy Connection Settings
+proxy_buffers 32 4k;
+proxy_connect_timeout 240;
+proxy_headers_hash_bucket_size 128;
+proxy_headers_hash_max_size 1024;
+proxy_http_version 1.1;
+proxy_read_timeout 240;
+proxy_redirect http:// $scheme://;
+proxy_send_timeout 240;
+
+# Proxy Cache and Cookie Settings
+proxy_cache_bypass $cookie_session;
+#proxy_cookie_path / "/; Secure"; # enable at your own risk, may break certain apps
+proxy_no_cache $cookie_session;
+
+# Proxy Header Settings
+proxy_set_header Connection $connection_upgrade;
+proxy_set_header Early-Data $ssl_early_data;
+proxy_set_header Host $host;
+proxy_set_header Proxy "";
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header X-Forwarded-Proto https;
+proxy_set_header X-Forwarded-Ssl on;
\ No newline at end of file
diff --git a/site-confs/default.conf b/site-confs/default.conf
new file mode 100644
index 0000000..7bc988f
--- /dev/null
+++ b/site-confs/default.conf
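Review bot: No `X-Forwarded-For` or `X-Real-IP` header is set in the `# Proxy Header Settings` group, so every upstream that relies on this file alone (the `location /` blocks in site-confs/dimension.conf and site-confs/maubot.conf, and site-confs/matrix.anonymousland.org.conf unless its `synapse-proxy.conf` include adds them) sees only the proxy's own address, and Synapse's per-IP rate limiting and request logs then key on that single address when its listener is configured with `x_forwarded`. Adding `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Real-IP $remote_addr;` restores the real client address. `X-Forwarded-Proto` is hard-coded to `https`, which is true for every TLS listener in this commit but would mislabel any plain-HTTP vhost that later includes this file; `$scheme` is the safer value.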
@@ -0,0 +1,30 @@
+## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/default
+
+#error_page 502 /502.html;
+
+# redirect all traffic to https
+#server {
+# listen 80 default_server;
+# listen [::]:80 default_server;
+# server_name _;
+# return 301 https://$host$request_uri;
+#}
+
+# main server block
+server {
+ listen 443 ssl http2 default_server;
+ listen [::]:443 ssl http2 default_server;
+
+ server_name _;
+
+ # enable subfolder method reverse proxy confs
+ include /config/nginx/proxy-confs/*.subfolder.conf;
+
+ # all ssl related config moved to ssl.conf
+ include /config/nginx/ssl.conf;
+}
+
+# enable subdomain method reverse proxy confs
+include /config/nginx/proxy-confs/*.subdomain.conf;
+# enable proxy cache for auth
+proxy_cache_path cache/ keys_zone=auth_cache:10m;
diff --git a/site-confs/dimension.conf b/site-confs/dimension.conf
new file mode 100644
index 0000000..435f275
--- /dev/null
+++ b/site-confs/dimension.conf
@@ -0,0 +1,17 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name dimension.anonymousland.org;
+
+ include /config/nginx/ssl.conf;
+
+ location / {
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app dimension;
+ set $upstream_port 8184;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+ }
+}
\ No newline at end of file
diff --git a/site-confs/matrix.anonymousland.org.conf b/site-confs/matrix.anonymousland.org.conf
new file mode 100644
index 0000000..ff62c79
--- /dev/null
+++ b/site-confs/matrix.anonymousland.org.conf
@@ -0,0 +1,86 @@
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ server_name matrix.anonymousland.org;
+
+ location / {
+ return 307 https://$host$request_uri;
+ }
+}
+ #Workers
+ include /config/nginx/include.d/upstream_workers.conf;
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ listen 8448 ssl http2 default_server;
+ listen [::]:8448 ssl http2 default_server;
+
+ server_name matrix.anonymousland.org;
+
+ include /config/nginx/ssl.conf;
+ client_max_body_size 1024M;
+
+ # Well-Known
+ location /.well-known/matrix/server {
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+ return 200 '{"m.server": "matrix.anonymousland.org:443"}';
+ }
+
+ location /.well-known/matrix/client {
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+
+ }
+
+ # Mjolnir Reports
+ include /config/nginx/include.d/mjolnir-reports.conf;
+
+ # Maubot
+ include /config/nginx/include.d/maubot.conf;
+
+ # Federation_Worker
+ include /config/nginx/include.d/federation_worker.conf;
+
+ # Encryption_Worker
+ include /config/nginx/include.d/encryption_worker.conf;
+
+ # Client_Worker
+ include /config/nginx/include.d/client_worker.conf;
+
+ # Register
+ include /config/nginx/include.d/register.conf;
+
+ # Additional1_Worker | Typing Device Account
+ #include /config/nginx/include.d/additional1_worker.conf;
+
+ # Additional2_Worker | Reciept
+ #include /config/nginx/include.d/additional2_worker.conf;
+
+ # Event_worker
+ #include /config/nginx/include.d/event_worker.conf;
+
+ # Extra Workers
+ #include /config/nginx/include.d/extra_worker.conf;
+
+ # Media Repo
+ #include /config/nginx/include.d/media-repo.conf;
+
+ # /synapse/admin
+ #include /config/nginx/include.d/synapse-admin.conf;
+
+ # Sync_Worker
+ #include /config/nginx/include.d/sync_worker.conf;
+
+ location / {
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ include /config/nginx/include.d/synapse-proxy.conf;
+ set $upstream_app synapse;
+ set $upstream_port 8008;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+ }
+}
\ No newline at end of file
diff --git a/site-confs/maubot.conf b/site-confs/maubot.conf
new file mode 100644
index 0000000..79c9c2d
--- /dev/null
+++ b/site-confs/maubot.conf
@@ -0,0 +1,17 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name maubot.anonymousland.org;
+
+ include /config/nginx/ssl.conf;
+
+ location / {
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app maubot;
+ set $upstream_port 29316;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+ }
+}
\ No newline at end of file
diff --git a/site-confs/tor.conf b/site-confs/tor.conf
new file mode 100644
index 0000000..11262dc
--- /dev/null
+++ b/site-confs/tor.conf
@@ -0,0 +1,15 @@
+ server {
+ listen 69 ;
+ server_name 7pdtdadfcjvntnbip764d5sc35d2s7hhdkbbie5hy7njovea4534vxqd.onion;
+
+ location /.well-known/matrix/server {
+ return 200 '{"m.server": "7pdtdadfcjvntnbip764d5sc35d2s7hhdkbbie5hy7njovea4534vxqd.onion:80"}';
+ }
+
+ location / {
+ set $upstream_app tor-synapse;
+ set $upstream_port 8008;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+ }
+ }
\ No newline at end of file
diff --git a/ssl.conf b/ssl.conf
new file mode 100644
index 0000000..0a34481
--- /dev/null
+++ b/ssl.conf
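Review bot: The `location /.well-known/matrix/client` block in site-confs/matrix.anonymousland.org.conf sets `default_type` and the CORS header but has no `return`, so the request falls through to nginx's static-file handling and clients asking for the discovery document get a 404 (or whatever the default root holds) instead of JSON; either add `return 200 '{"m.homeserver": {"base_url": "https://matrix.anonymousland.org"}}';` with the base URL clients should actually use, or drop the block. `client_max_body_size 1024M` lets nginx accept, and with `proxy_request_buffering` at its default buffer to disk, up to 1 GiB per request before Synapse's own `max_upload_size` is ever consulted; keeping the two values aligned stops oversized uploads from consuming proxy disk for nothing. The catch-all `location /` forwards every path, including `/_synapse/admin`, to Synapse unless `synapse-proxy.conf` (not part of this commit) narrows it, whereas Synapse's documented nginx example proxies only `^(/_matrix|/_synapse/client)` so the admin API is not reachable through the public listener; a comment stating which of the two is intended would make the review easier.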
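Review bot: The `location /` in site-confs/tor.conf uses a variable `proxy_pass` (`$upstream_proto://$upstream_app:$upstream_port`) without the `include /config/nginx/resolver.conf;` that the other three site-confs pair with it, so unless an `upstream tor-synapse` block exists elsewhere nginx has to resolve `tor-synapse` at request time and, with no `resolver` in scope, fails the request with a 502 and a "no resolver defined" error-log entry rather than at config test; add the include or hard-code the upstream address. This server block also skips `include /config/nginx/proxy.conf;`, so `Host`, `Upgrade`/`Connection` and `proxy_http_version 1.1` are not set on the onion path; if that is deliberate, a one-line comment saying so would save the next reader from "fixing" it. The `return 200` document advertises port 80 while the block listens on 69, which is only consistent if the onion service maps its virtual port 80 to local port 69, so a comment such as `# onion virtual port 80 is mapped to local port 69` belongs next to `listen 69 ;`.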
@@ -0,0 +1,38 @@
+## Version 2022/08/20 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/ssl.conf.sample
+
+### Mozilla Recommendations
+# generated 2022-08-05, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
+
+ssl_certificate /config/keys/cert.crt;
+ssl_certificate_key /config/keys/cert.key;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
+ssl_dhparam /config/nginx/dhparams.pem;
+
+# intermediate configuration
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DH>
+ssl_prefer_server_ciphers off;
+
+# HSTS (ngx_http_headers_module is required) (63072000 seconds)
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+# OCSP stapling
+ssl_stapling on;
+ssl_stapling_verify on;
+
+# verify chain of trust of OCSP response using Root CA and Intermediate certs
+ssl_trusted_certificate /config/keys/cert.crt;
+
+# Optional additional headers
+add_header Referrer-Policy "same-origin" always;
+add_header X-Content-Type-Options "nosniff" always;
+#add_header X-UA-Compatible "IE=Edge" always;
+add_header X-XSS-Protection "0" always;
+add_header Cross-Origin-Resource-Policy cross-origin;
+add_header Cross-Origin-Opener-Policy same-origin;
+add_header X-Frame-Options SAMEORIGIN;
\ No newline at end of file
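Review bot: The HSTS comment says `(63072000 seconds)` but the directive beneath it sends `max-age=31536000`, half that; pick one, e.g. `add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;` to match the Mozilla guideline the file cites. Separately, nginx does not merge `add_header` across levels, so every header set here is dropped in any location that declares its own `add_header` — the two `.well-known/matrix/*` locations in site-confs/matrix.anonymousland.org.conf add `Access-Control-Allow-Origin` and therefore answer without HSTS or the other security headers; repeating the headers there, or moving them into a shared include, closes that gap. `ssl_trusted_certificate` points at the same `cert.crt` as `ssl_certificate`, and `ssl_stapling_verify on` needs the issuing chain up to the root in that file, so if cert.crt holds only the leaf and intermediate, stapling is quietly disabled with a startup warning. The `ssl_ciphers` line ends in `DH>`, which reads like a truncated paste; if that is the committed text rather than a rendering artifact, the DHE suites from the guideline are missing and the last token is not a cipher name.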