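# Reverse proxy for the Matrix homeserver at chat.lpc.events.
#
# The server block terminates TLS on 443 (client API) and 8448 (federation),
# serves static files and the two .well-known delegation documents, and
# proxies /_matrix and /_synapse/client to a local upstream. The upstream is
# picked per request by the $matrix_worker_upstream map at the end of the file.
server {
    server_name chat.lpc.events;

    listen 80;
    listen [::]:80;

    listen 443 ssl http2;
    # IPv6 counterpart of the listener above. Ports 80 and 8448 already have
    # one, and /.well-known/matrix/server points at port 443.
    listen [::]:443 ssl http2;

    ssl_certificate /etc/letsencrypt/live/chat.lpc.events/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/chat.lpc.events/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # For the federation port
    listen 8448 ssl http2 default_server;
    listen [::]:8448 ssl http2 default_server;

    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;

    location / {
        try_files $uri $uri/ =404;
    }

    # Client discovery document. It is served on every listener, including
    # plain HTTP on port 80.
    location /.well-known/matrix/client {
        return 200 '{"m.homeserver": {"base_url": "https://chat.lpc.events"}}';
        default_type application/json;
        add_header Access-Control-Allow-Origin *;
    }

    # Federation delegation: other homeservers are told to use port 443.
    location /.well-known/matrix/server {
        return 200 '{"m.server": "chat.lpc.events:443"}';
        default_type application/json;
        add_header Access-Control-Allow-Origin *;
    }

    # Only /_matrix and /_synapse/client are proxied. /_synapse/admin does not
    # match this regex, so the admin API is not reachable through this server
    # block; keep it that way unless access is restricted by source address.
    location ~* ^(\/_matrix|\/_synapse\/client) {
        # This server block also listens on port 80. Matrix requests carry
        # access tokens and login passwords, so never forward a cleartext
        # request to the homeserver.
        if ($scheme != "https") {
            return 301 https://$host$request_uri;
        }

        proxy_pass http://$matrix_worker_upstream$request_uri;
        # Overwrites any X-Forwarded-For sent by the client, so the upstream
        # only ever sees the address nginx observed.
        proxy_set_header X-Forwarded-For $remote_addr;
        # Tells the upstream whether the client connection used TLS.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 600s;
        proxy_set_header Host $host;
        proxy_connect_timeout 90s;
        proxy_buffering off;
        client_max_body_size 50M;
    }

    # Response hardening headers, currently disabled.
    # NOTE(review): add_header is inherited from the server level only by
    # locations that declare no add_header of their own. If these lines are
    # enabled here, the two .well-known locations above will not send them
    # unless the headers are repeated inside those locations.
    # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    # add_header X-Content-Type-Options nosniff;
    # add_header X-Frame-Options "SAMEORIGIN";
    # add_header X-XSS-Protection "1; mode=block";
    # add_header X-Robots-Tag noindex;
}

# Main homeserver process. The map below falls back to it by default.
upstream synapse {
    server 127.0.0.1:8008;
}

# Pool of generic workers. ip_hash keeps a given client address on the same
# worker.
upstream generic-worker {
    ip_hash;
    server 127.0.0.1:8101;
    server 127.0.0.1:8102;
    server 127.0.0.1:8203;
    server 127.0.0.1:8204;
    server 127.0.0.1:8205;
    server 127.0.0.1:8206;
    server 127.0.0.1:8207;
    server 127.0.0.1:8208;
    server 127.0.0.1:8209;
    server 127.0.0.1:8210;
    server 127.0.0.1:8211;
    server 127.0.0.1:8212;
    server 127.0.0.1:8213;
    server 127.0.0.1:8214;
    server 127.0.0.1:8215;
}

upstream media_repository {
    server 127.0.0.1:8103;
}

# Currently unused: the only map entry that selects it is commented out below.
upstream user_dir {
    server 127.0.0.1:8104;
}

upstream frontend_proxy {
    server 127.0.0.1:8105;
}

# Chooses the upstream for a proxied request from its normalized path ($uri).
# Regex entries are tested in the order listed and the first match wins.
# Anything unmatched goes to the main process.
map $uri $matrix_worker_upstream {
    default synapse;

    # Sync and event streams
    ~^/_matrix/client/(v2_alpha|r0)/sync$ generic-worker;
    ~^/_matrix/client/(api/v1|v2_alpha|r0)/events$ generic-worker;
    ~^/_matrix/client/(api/v1|r0)/initialSync$ generic-worker;
    ~^/_matrix/client/(api/v1|r0)/rooms/[^/]+/initialSync$ generic-worker;

    # Federation
    ~^/_matrix/federation/v1/event/ generic-worker;
    ~^/_matrix/federation/v1/state/ generic-worker;
    ~^/_matrix/federation/v1/state_ids/ generic-worker;
    ~^/_matrix/federation/v1/backfill/ generic-worker;
    ~^/_matrix/federation/v1/get_missing_events/ generic-worker;
    ~^/_matrix/federation/v1/publicRooms generic-worker;
    ~^/_matrix/federation/v1/query/ generic-worker;
    ~^/_matrix/federation/v1/make_join/ generic-worker;
    ~^/_matrix/federation/v1/make_leave/ generic-worker;
    ~^/_matrix/federation/v1/send_join/ generic-worker;
    ~^/_matrix/federation/v2/send_join/ generic-worker;
    ~^/_matrix/federation/v1/send_leave/ generic-worker;
    ~^/_matrix/federation/v2/send_leave/ generic-worker;
    ~^/_matrix/federation/v1/invite/ generic-worker;
    ~^/_matrix/federation/v2/invite/ generic-worker;
    ~^/_matrix/federation/v1/query_auth/ generic-worker;
    ~^/_matrix/federation/v1/event_auth/ generic-worker;
    ~^/_matrix/federation/v1/exchange_third_party_invite/ generic-worker;
    ~^/_matrix/federation/v1/user/devices/ generic-worker;
    ~^/_matrix/federation/v1/send/ generic-worker;
    ~^/_matrix/federation/v1/get_groups_publicised$ generic-worker;

    # Client API
    ~^/_matrix/client/(api/v1|r0|unstable)/publicRooms$ generic-worker;
    ~^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/joined_members$ generic-worker;
    ~^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/context/.*$ generic-worker;
    ~^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/members$ generic-worker;
    ~^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state$ generic-worker;
    ~^/_matrix/client/(api/v1|r0|unstable)/login$ generic-worker;
    ~^/_matrix/client/(api/v1|r0|unstable)/account/3pid$ generic-worker;
    ~^/_matrix/client/(api/v1|r0|unstable)/keys/query$ generic-worker;
    ~^/_matrix/client/(api/v1|r0|unstable)/keys/changes$ generic-worker;
    ~^/_matrix/client/versions$ generic-worker;
    ~^/_matrix/client/(api/v1|r0|unstable)/voip/turnServer$ generic-worker;
    ~^/_matrix/client/(api/v1|r0|unstable)/joined_groups$ generic-worker;
    ~^/_matrix/client/(api/v1|r0|unstable)/publicised_groups$ generic-worker;
    ~^/_matrix/client/(api/v1|r0|unstable)/publicised_groups/ generic-worker;

    # Registration. The original listed the register entry and the
    # commented-out messages entry twice; one copy of each is kept.
    ~^/_matrix/client/(r0|unstable)/register$ generic-worker;
    ~^/_matrix/client/(r0|unstable)/auth/.*/fallback/web$ generic-worker;
    # ~^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/messages$ generic-worker;

    # Event sending
    ~^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/send generic-worker;
    ~^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state/ generic-worker;
    ~^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$ generic-worker;
    ~^/_matrix/client/(api/v1|r0|unstable)/join/ generic-worker;
    ~^/_matrix/client/(api/v1|r0|unstable)/profile/ generic-worker;

    ~^/_matrix/key/v2/query generic-worker;

    # Media repository
    ~^/_matrix/media/ media_repository;
    # NOTE(review): the proxying location above does not match /_synapse/admin,
    # so the five admin entries below are never consulted for requests arriving
    # through this server block. If the admin API is ever routed through nginx,
    # restrict it by source address first.
    ~^/_synapse/admin/v1/purge_media_cache$ media_repository;
    ~^/_synapse/admin/v1/room/.*/media.*$ media_repository;
    ~^/_synapse/admin/v1/user/.*/media.*$ media_repository;
    ~^/_synapse/admin/v1/media/.*$ media_repository;
    ~^/_synapse/admin/v1/quarantine_media/.*$ media_repository;

    # ~^/_matrix/client/(api/v1|r0|unstable)/user_directory/search$ user_dir;

    ~^/_matrix/client/(api/v1|r0|unstable)/keys/upload frontend_proxy;
}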