nginx: add matrix socket for synapse admin API

The admin API now has to be reached through nginx so that its requests are routed to the correct Synapse workers.
Daniel Micay 2025-12-23 14:47:05 -05:00
parent 45b8b71bce
commit a340a442da


@ -152,6 +152,7 @@ http {
server {
listen 443 ssl;
listen [::]:443 ssl;
listen unix:/run/nginx/matrix.sock;
http2 on;
server_name matrix.grapheneos.org;
@ -194,7 +195,7 @@ http {
proxy_pass http://synapse-sync;
}
location ~ ^/_matrix/client/(?:api/v1|r0|v3|unstable)/createRoom$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/publicRooms$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/joined_members$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/context/.*$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/members$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/state$|^/_matrix/client/v1/rooms/.*/hierarchy$|^/_matrix/client/(?:v1|unstable)/rooms/.*/relations/|^/_matrix/client/v1/rooms/.*/threads$|^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$|^/_matrix/client/unstable/im.nheko.summary/summary/.*$|^/_matrix/client/(?:r0|v3|unstable)/account/3pid$|^/_matrix/client/(?:r0|v3|unstable)/account/whoami$|^/_matrix/client/(?:r0|v3|unstable)/account/deactivate$|^/_matrix/client/(?:r0|v3)/delete_devices$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/devices(?:/|$)|^/_matrix/client/versions$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/voip/turnServer$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/event/|^/_matrix/client/(?:api/v1|r0|v3|unstable)/joined_rooms$|^/_matrix/client/v1/rooms/.*/timestamp_to_event$|^/_matrix/client/(?:api/v1|r0|v3|unstable/.*)/rooms/.*/aliases|^/_matrix/client/(?:api/v1|r0|v3|unstable)/search$|^/_matrix/client/(?:r0|v3|unstable)/user/.*/filter(?:/|$)|^/_matrix/client/(?:api/v1|r0|v3|unstable)/directory/room/.*$|^/_matrix/client/(?:r0|v3|unstable)/capabilities$|^/_matrix/client/(?:r0|v3|unstable)/notifications$|^/_synapse/admin/v1/rooms/[^/]+$|^/_matrix/client/(?:r0|v3|unstable)/keys/query$|^/_matrix/client/(?:r0|v3|unstable)/keys/changes$|^/_matrix/client/(?:r0|v3|unstable)/keys/claim$|^/_matrix/client/(?:r0|v3|unstable)/room_keys/|^/_matrix/client/(?:r0|v3|unstable)/keys/upload|^/_matrix/client/(?:api/v1|r0|v3|unstable)/keys/device_signing/upload$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/keys/signatures/upload$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/login$|^/_matrix/client/(?:r0|v3|unstable)/register$|^/_matrix/client/(?:r0|v3
|unstable)/register/available$|^/_matrix/client/v1/register/m.login.registration_token/validity$|^/_matrix/client/(?:r0|v3|unstable)/password_policy$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/redact|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/send|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/state/|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/(?:join|invite|leave|ban|unban|kick)$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/join/|^/_matrix/client/(?:api/v1|r0|v3|unstable)/knock/|^/_matrix/client/(?:api/v1|r0|v3|unstable)/profile/|^/_matrix/client/(?:r0|v3|unstable)/user_directory/search$|^/_matrix/client/unstable/org.matrix.msc4140/delayed_events(?:/.*/restart)?$|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/messages$ {
location ~ ^/_matrix/client/(?:api/v1|r0|v3|unstable)/createRoom$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/publicRooms$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/joined_members$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/context/.*$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/members$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/state$|^/_matrix/client/v1/rooms/.*/hierarchy$|^/_matrix/client/(?:v1|unstable)/rooms/.*/relations/|^/_matrix/client/v1/rooms/.*/threads$|^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$|^/_matrix/client/unstable/im.nheko.summary/summary/.*$|^/_matrix/client/(?:r0|v3|unstable)/account/3pid$|^/_matrix/client/(?:r0|v3|unstable)/account/whoami$|^/_matrix/client/(?:r0|v3|unstable)/account/deactivate$|^/_matrix/client/(?:r0|v3)/delete_devices$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/devices(?:/|$)|^/_matrix/client/versions$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/voip/turnServer$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/event/|^/_matrix/client/(?:api/v1|r0|v3|unstable)/joined_rooms$|^/_matrix/client/v1/rooms/.*/timestamp_to_event$|^/_matrix/client/(?:api/v1|r0|v3|unstable/.*)/rooms/.*/aliases|^/_matrix/client/(?:api/v1|r0|v3|unstable)/search$|^/_matrix/client/(?:r0|v3|unstable)/user/.*/filter(?:/|$)|^/_matrix/client/(?:api/v1|r0|v3|unstable)/directory/room/.*$|^/_matrix/client/(?:r0|v3|unstable)/capabilities$|^/_matrix/client/(?:r0|v3|unstable)/notifications$|^/_matrix/client/(?:r0|v3|unstable)/keys/query$|^/_matrix/client/(?:r0|v3|unstable)/keys/changes$|^/_matrix/client/(?:r0|v3|unstable)/keys/claim$|^/_matrix/client/(?:r0|v3|unstable)/room_keys/|^/_matrix/client/(?:r0|v3|unstable)/keys/upload|^/_matrix/client/(?:api/v1|r0|v3|unstable)/keys/device_signing/upload$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/keys/signatures/upload$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/login$|^/_matrix/client/(?:r0|v3|unstable)/register$|^/_matrix/client/(?:r0|v3|unstable)/register/available$|^/
_matrix/client/v1/register/m.login.registration_token/validity$|^/_matrix/client/(?:r0|v3|unstable)/password_policy$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/redact|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/send|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/state/|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/(?:join|invite|leave|ban|unban|kick)$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/join/|^/_matrix/client/(?:api/v1|r0|v3|unstable)/knock/|^/_matrix/client/(?:api/v1|r0|v3|unstable)/profile/|^/_matrix/client/(?:r0|v3|unstable)/user_directory/search$|^/_matrix/client/unstable/org.matrix.msc4140/delayed_events(?:/.*/restart)?$|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/messages$ {
proxy_pass http://synapse-client_reader;
}
@ -202,7 +203,7 @@ http {
proxy_pass http://synapse-federation_reader;
}
location ~ ^/_matrix/media/|^/_matrix/client/v1/media/|^/_matrix/federation/v1/media/|^/_synapse/admin/v1/purge_media_cache$|^/_synapse/admin/v1/room/.*/media.*$|^/_synapse/admin/v1/user/.*/media.*$|^/_synapse/admin/v1/media/.*$|^/_synapse/admin/v1/quarantine_media/.*$|^/_synapse/admin/v1/users/.*/media$ {
location ~ ^/_matrix/media/|^/_matrix/client/v1/media/|^/_matrix/federation/v1/media/ {
proxy_pass http://synapse-media_repository;
}
@ -211,6 +212,41 @@ http {
}
}
location /_synapse/admin/ {
allow unix:;
deny all;
# remove security headers that are statically set to the strictest possible values below
proxy_hide_header Referrer-Policy;
proxy_hide_header X-Frame-Options;
include snippets/security-headers.conf;
add_header Content-Security-Policy "font-src 'none'; manifest-src 'none'; object-src 'none'; script-src 'none'; style-src 'none'; frame-ancestors 'none'" always;
# obsolete and replaced with Content-Security-Policy frame-ancestors 'none'
add_header X-Frame-Options "DENY" always;
add_header X-Robots-Tag "none" always;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_connect_timeout 5s;
proxy_send_timeout 15s;
proxy_read_timeout 600s;
client_max_body_size 100m;
client_body_buffer_size 16k;
proxy_pass http://synapse-main;
location ~ ^/_synapse/admin/v1/rooms/[^/]+$ {
proxy_pass http://synapse-client_reader;
}
location ~ ^/_synapse/admin/v1/purge_media_cache$|^/_synapse/admin/v1/room/.*/media.*$|^/_synapse/admin/v1/user/.*/media.*$|^/_synapse/admin/v1/media/.*$|^/_synapse/admin/v1/quarantine_media/.*$|^/_synapse/admin/v1/users/.*/media$ {
proxy_pass http://synapse-media_repository;
}
}
location / {
return 404;
}
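Review bot: The `allow unix:; deny all;` gate on the new `location /_synapse/admin/` block only protects requests that end up in that prefix location, and nginx still evaluates top-level `location ~` regexes after picking a plain prefix match, so any present or future regex location matching a `/_synapse/admin/` path would route around the restriction (this commit itself removes two such regex entries from the client_reader and media_repository locations); declaring it as `location ^~ /_synapse/admin/ {` makes the prefix final while the nested regex locations keep working as they do now. Because `allow unix:` trusts every client able to connect to `/run/nginx/matrix.sock`, the effective access control is the socket's ownership and mode, which this diff does not show — worth confirming it is not connectable by unprivileged local users. For connections over the socket `$remote_addr` is presumably the literal `unix:` rather than an IP, so `proxy_set_header X-Forwarded-For $remote_addr;` hands Synapse a non-IP value for admin requests; likely harmless, but it may appear oddly in Synapse's IP/user-agent records if the listener trusts X-Forwarded-For.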