authorsefidel <contact@sefidel.net>2023-11-11 21:19:09 +0900
committersefidel <contact@sefidel.net>2023-11-12 17:12:53 +0900
commitd1e2c2db07cb37a85ab5c7705c1d4a96d8a65f91 (patch)
tree31dcc3435b06a445f5f13f54117872f00bcaf87a
parentdc94b6cd1d99bf20d66c6fbc55ff4c2024cfbda3 (diff)
feat(modules/matrix-homeserver): harden nginx
This commit removes the admin endpoints from the reverse proxy and sets the
max body size to match the max file upload size in Synapse.
-rw-r--r--modules/services/matrix-homeserver.nix9
1 files changed, 5 insertions, 4 deletions
diff --git a/modules/services/matrix-homeserver.nix b/modules/services/matrix-homeserver.nix
index 6089b12..12befb9 100644
--- a/modules/services/matrix-homeserver.nix
+++ b/modules/services/matrix-homeserver.nix
@@ -147,12 +147,13 @@ in
       ];
       extraConfig = ''
         proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
         proxy_read_timeout 600;
-        client_max_body_size 50M;
+        client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
       '';
-      locations."/_matrix".proxyPass = "http://[::1]:${toString httpPort}";
-      locations."/_synapse".proxyPass = "http://[::1]:${toString httpPort}";
+
+      locations."~* ^(\\/_matrix|\\/_synapse\\/client)".proxyPass = "http://[::1]:${toString httpPort}";
     };
 
     services.nginx.virtualHosts.${cfg.domain} =
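Review bot: The new `X-Forwarded-For`/`X-Forwarded-Proto` headers on the two added `proxy_set_header` lines only take effect if the Synapse listener behind `httpPort` is configured with `x_forwarded: true`; that listener is not in this hunk, so if it is not set, Synapse keeps seeing `::1` for every client, which blanks out per-IP rate limiting and the IPs recorded against devices. Overwriting the header with `$remote_addr` rather than `$proxy_add_x_forwarded_for` is the right choice when this nginx is the edge, since it discards any client-supplied value; if another proxy sits in front, the real client address is lost and `$proxy_add_x_forwarded_for` plus `set_real_ip_from` would be needed instead. On the new location, `~*` makes the match case-insensitive and the pattern is not anchored at the end, so `/_MATRIXx` is also proxied; `locations."~ ^/(_matrix|_synapse/client)(/|$)"` would say exactly what the commit intends without changing what Synapse accepts. Consider a comment above the location such as `# /_synapse/admin and /_synapse/metrics are deliberately not proxied; only the client-facing /_synapse/client tree is exposed.` so the omission is not "fixed" by a later edit.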