nginx.conf.j2 1.5 KB

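  # Base configuration for the reverse proxy built as part of ../Dockerfile-workers.
  # configure_workers_and_start.py uses and amends this file depending on the workers
  # that have been selected.
  #
  # Template variables used below: upstream_directives, worker_locations,
  # tls_cert_path, tls_key_path, using_unix_sockets.
  {{ upstream_directives }}

  server {
      # Listen on an unoccupied port number (plain HTTP)
      listen 8008;
      listen [::]:8008;

      {% if tls_cert_path is not none and tls_key_path is not none %}
      # TLS listener; rendered only when both a certificate path and a key path are set.
      listen 8448 ssl;
      listen [::]:8448 ssl;

      # NOTE(review): both paths are interpolated unquoted; presumably they come from
      # the start script. Confirm they cannot contain whitespace or ';'.
      ssl_certificate {{ tls_cert_path }};
      ssl_certificate_key {{ tls_key_path }};

      # Some directives from cipherlist.eu (fka cipherli.st):
      # TLS 1.0 and 1.1 are deprecated (RFC 8996) and are no longer offered here.
      # Re-add them only if a legacy peer that cannot be upgraded has to connect.
      ssl_protocols TLSv1.2 TLSv1.3;
      ssl_prefer_server_ciphers on;
      # This list governs TLS 1.2 and below; TLS 1.3 suites are not selected by ssl_ciphers.
      ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
      ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
      ssl_session_cache shared:SSL:10m;
      ssl_session_tickets off; # Requires nginx >= 1.5.9
      {% endif %}

      server_name localhost;

      # Nginx by default only allows file uploads up to 1M in size
      # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
      client_max_body_size 100M;

      {{ worker_locations }}

      # Send all other traffic to the main process
      location ~* ^(\\/_matrix|\\/_synapse) {
          {% if using_unix_sockets %}
          proxy_pass http://unix:/run/main_public.sock;
          {% else %}
          proxy_pass http://localhost:8080;
          {% endif %}

          # X-Forwarded-For is set to the directly connected peer address, which
          # replaces any value the client sent. The upstream should accept these
          # headers only from this proxy.
          proxy_set_header X-Forwarded-For $remote_addr;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_set_header Host $host;
      }
  }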