matrix-docker-ansible-deploy
Nginx Proxy Manager fronting example is not compatible with current NGM features
Problem description
An example file to have NGM (Nginx Proxy Manager) front the playbook is currently available here: https://github.com/spantaleev/matrix-docker-ansible-deploy/tree/master/examples/reverse-proxies/nginx-proxy-manager
This file describes a setup that cannot be done with the current (v2.12.1) version of NGM.
Steps to reproduce
The 2nd part of the example, to set up the port for federation, shows how to set up a proxy host with a specific port. This feature is not currently functioning. Here is a screenshot showing the error message that the hostname cannot have a port specification.
To reproduce, use a domain name with a ":" inside of it to have the match pattern show the error.
Trying to add a 2nd proxy host without the source port, in order to add the advanced section (`listen 8448 ssl http2;`), is also impossible since there is already a proxy host for the domain.
Possible avenues to fix
There is a new streams section in NGM that can redirect TCP and UDP traffic. The possible problem is that this doesn't help with SSL certificates which are handled by NGM on port 80 and 443 for HTTP and HTTPS. I am not knowledgeable enough to know if federation needs the certificates or how to have NGM make this work since I believe federation uses HTTPS.
Also, there is a section to add configs to nginx described here: https://nginxproxymanager.com/advanced-config/#custom-nginx-configurations A possible alternative would be to add the config manually for the federation port, though I am unsure how you could link it with the SSL certificate generation.
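As an added illustration of the "custom nginx configuration" avenue above (this is not the playbook's example file and not something NPM generates), here is what a hand-written server block for the federation port could look like. It assumes the Traefik federation entrypoint is reachable on `192.168.20.50:8449`, as in the vars.yml posted further down this thread, and that NPM has already issued a certificate for `matrix.example.com`; the certificate paths are placeholders that must be pointed at wherever NPM stores that certificate.

```nginx
# Added example, not from the playbook repo or from NPM itself.
# Assumptions: Traefik's federation entrypoint listens on 192.168.20.50:8449
# and NPM already holds a certificate for matrix.example.com.
server {
    listen 8448 ssl http2;
    listen [::]:8448 ssl http2;
    server_name matrix.example.com;

    # PLACEHOLDER paths: replace with the certificate NPM manages for this host.
    ssl_certificate     /path/to/npm/fullchain.pem;
    ssl_certificate_key /path/to/npm/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Only the federation API belongs on 8448; anything else is answered with 404.
    location /_matrix/ {
        proxy_pass http://192.168.20.50:8449;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Federation transactions can be large; align with the homeserver's own limit.
        client_max_body_size 50M;
    }

    location / {
        return 404;
    }
}
```

Two points worth keeping in mind with this shape: TLS is terminated by nginx, so the certificate NPM renews has to be the one referenced here (which is exactly the linkage the comment above is unsure about), and the `X-Forwarded-*` headers only mean something if Traefik's federation entrypoint is configured to trust them from the NPM host and from nowhere else. A "stream" host, by contrast, passes the raw TCP connection through without terminating TLS, so in that arrangement the backend (Traefik) must present the certificate itself.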
I was the last one to update that example. I will find some time to look into this and the possible solutions provided, thank you!
Is there any movement on this? I know it's not really the fault of synapse or this deployment tool, but it kinda stopped me in my tracks and I'm unsure how to proceed. Any other reverse proxies that are recommended?
I figured traefik is mostly for docker hosts so I don't want it to be the first point of contact in my network.
#3986
I used this approach to solve the issue. I’m not a networking expert, but it works for me. Traefik is used just for redirection (as described in the documentation), not for handling SSL. In front of that, I’m using Nginx Proxy Manager.
Let me know what you think — maybe we can come up with a solid long-term solution together. Right now, everything works, including the new Element Call features (Element X app, etc.).
However, I’m not hosting a website on the root domain (e.g. example.com). If you want to run a website on the root domain — especially on a different external IP than your Matrix server — we’ll probably need to do a bit more work to make that setup functional.
You're writing that you have a proxy host on matrix.example.org. Is that HTTP or HTTPS? And does it serve with an SSL certificate? Could you share your whole vars.yml (without keys) so I have an idea what I might be missing?
I don't even seem to get through to the host, but I am unsure what to expect from the host at this moment.
Sadly I am also unsure if I should be able to at least access the web interface through its local IP, which should bring me to Traefik and from there directly to the services. But it doesn't, and I get very little info on what could be wrong.
My vars.yaml:

```yaml
matrix_domain: example.com
matrix_homeserver_implementation: synapse
matrix_homeserver_generic_secret_key: 'wtT2lJtg8qfaaaaaaaaaaaaaaaaacNpOPtGwo08jvs'
matrix_playbook_reverse_proxy_type: playbook-managed-traefik
matrix_playbook_ssl_enabled: true
traefik_config_certificatesResolvers_acme_email: '[email protected]'
postgres_connection_password: 'pKzcrMNRDuyWZMrCrT6aaaaaaaaaaaaa8aBKXBnN85lEtVimg'
matrix_coturn_turn_external_ip_address: "PUBLIC-IP or ddns"
traefik_config_entrypoint_web_secure_enabled: false
traefik_container_web_host_bind_port: '0.0.0.0:81'
# Trust `X-Forwarded-*` headers only from the Nginx proxy (192.168.10.10).
traefik_config_entrypoint_web_forwardedHeaders_insecure: false
traefik_config_entrypoint_web_forwardedHeaders_trustedIPs: ['192.168.10.10']
# Bind Traefik's federation entrypoint to an internal port (8449).
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port: '0.0.0.0:8449'
# Disable HTTP/3 for the federation entrypoint, as Nginx will handle external traffic.
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled: false
# Forwarded-header settings for the federation entrypoint.
# Note: `insecure: true` makes Traefik accept X-Forwarded-* headers from any client,
# so `trustedIPs` has no effect here; set it to false to honour only the Nginx proxy.
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom:
  forwardedHeaders:
    insecure: true
    trustedIPs: ['192.168.10.10']
#devture_playbook_state_preserver_commit_hash_preservation_enabled: false
matrix_synapse_admin_enabled: true
matrix_ma1sd_enabled: true
matrix_static_files_container_labels_base_domain_enabled: true
matrix_element_call_enabled: true
```
192.168.10.10 is my nginx reverse proxy and 192.168.20.50 is my Matrix server VM.
Inside Nginx Proxy Manager I use `http://IP-Address:81` for the proxy hosts and enable Force SSL etc. If you need more details, let me know.
This issue still exists.
Edit: I solved it by using "Stream Hosts" instead of "Proxy Hosts".