# -------------------------------------------------------
# Concord — Matrix-native Nginx Configuration
# Proxies: Synapse, Application Service, MinIO, LiveKit, Element Call
# -------------------------------------------------------
# -------------------------------------------------------
# Matrix Well-Known + Synapse Client/Federation API
# -------------------------------------------------------
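server {
    listen 443 ssl;
    server_name concord.xyz.cc;

    ssl_certificate     /etc/letsencrypt/live/concord.xyz.cc/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/concord.xyz.cc/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    server_tokens off;

    # Baseline security headers for this vhost.
    # nginx does NOT merge add_header across levels: any location that declares
    # its own add_header silently drops all of these, so they are repeated in
    # every location that adds a header of its own (see the client well-known).
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # Upload ceiling for the whole vhost. NOTE(review): should match the
    # homeserver's own upload limit -- confirm against the Synapse config.
    client_max_body_size 100M;

    # --- Matrix Well-Known discovery (Federation) ---
    # Tells other homeservers which host:port serves federation for this domain.
    location /.well-known/matrix/server {
        default_type application/json;
        return 200 '{"m.server": "concord.xyz.cc:443"}';
    }

    # --- Matrix Well-Known discovery (Client) ---
    # Clients fetch this cross-origin, hence the permissive CORS header.
    # Because add_header is declared here, the server-level security headers
    # are re-declared so this response is not served without them.
    location /.well-known/matrix/client {
        default_type application/json;
        add_header Access-Control-Allow-Origin "*" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        return 200 '{"m.homeserver": {"base_url": "https://concord.xyz.cc"}}';
    }

    # --- Synapse Client-Server + Federation API ---
    # Only /_matrix/ is forwarded; anything else on this vhost (including
    # non-Matrix paths of the backend) is never reached through here.
    location /_matrix/ {
        proxy_pass http://127.0.0.1:8008;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        # NOTE(review): "Connection: upgrade" is sent on every request, not only
        # on WebSocket upgrades. If the backend misbehaves on plain requests,
        # derive it from $http_upgrade with a map in the http{} context instead.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 600s;
    }

    # --- Synapse Sync endpoint (long-polling, needs long timeout) ---
    # Longest-prefix match wins over /_matrix/ above for this path.
    location /_matrix/client/v3/sync {
        proxy_pass http://127.0.0.1:8008;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 600s;
        proxy_send_timeout 600s;
    }

    # --- Synapse Media API ---
    location /_matrix/media/ {
        proxy_pass http://127.0.0.1:8008;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        client_max_body_size 100M;
    }

    # --- Concord Application Service API (invite codes, LiveKit tokens) ---
    # Exposed publicly; authentication of these endpoints is the backend's job.
    location /api/ {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # --- Element Call (web-based group calls) ---
    # Trailing slash on proxy_pass strips the /call/ prefix before forwarding.
    location /call/ {
        proxy_pass http://127.0.0.1:8090/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}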
# -------------------------------------------------------
# Matrix Federation port (8448) — required for server-to-server
# -------------------------------------------------------
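server {
    listen 8448 ssl;
    server_name concord.xyz.cc;

    ssl_certificate     /etc/letsencrypt/live/concord.xyz.cc/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/concord.xyz.cc/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    server_tokens off;

    # Server-to-server traffic only uses paths under /_matrix/, so the proxied
    # prefix is narrowed to that. The previous "location /" forwarded every
    # path on this port to the backend, including any non-federation endpoint
    # the backend listener happens to serve (e.g. admin or client APIs).
    location /_matrix/ {
        proxy_pass http://127.0.0.1:8008;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Anything outside /_matrix/ on the federation port is not a valid
    # federation request; answer without touching the backend.
    location / {
        return 404;
    }
}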
# -------------------------------------------------------
# LiveKit signaling (WebSocket over TLS)
# -------------------------------------------------------
server {
    # TLS endpoint for the LiveKit signaling API; the backend speaks plain HTTP
    # and WebSocket on 127.0.0.1:7880.
    listen 443 ssl;
    server_name livekit.xyz.cc;

    # Certificate material and protocol policy
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_certificate     /etc/letsencrypt/live/livekit.xyz.cc/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/livekit.xyz.cc/privkey.pem;

    # Hide the nginx version and pin transport/content-type policy for browsers
    server_tokens off;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        # Forwarded-client headers so the backend sees the real peer
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;

        # WebSocket pass-through (HTTP/1.1 + Upgrade/Connection headers)
        proxy_http_version 1.1;
        proxy_set_header Connection "upgrade";
        proxy_set_header Upgrade $http_upgrade;

        # Signaling sockets stay open for a long time; one hour each way
        proxy_send_timeout 3600s;
        proxy_read_timeout 3600s;

        proxy_pass http://127.0.0.1:7880;
    }
}
# -------------------------------------------------------
# (Optional) MinIO Console — restrict to trusted IPs
# -------------------------------------------------------
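server {
    listen 443 ssl;
    server_name minio.xyz.cc;

    ssl_certificate     /etc/letsencrypt/live/minio.xyz.cc/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/minio.xyz.cc/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    server_tokens off;

    # Same baseline headers as the other HTTPS vhosts in this file.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options "nosniff" always;

    # Source-IP allow-list for the whole vhost. Declared at server level so that
    # any location added later inherits it instead of being reachable by
    # default (it used to live only inside "location /"). Matching is on
    # $remote_addr, i.e. the TCP peer, not on X-Forwarded-For.
    allow 10.10.0.0/24;
    deny all;

    location / {
        proxy_pass http://127.0.0.1:9001;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # The console uses WebSockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}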