author | sefidel <contact@sefidel.net> | 2023-11-11 21:19:09 +0900 |
---|---|---|
committer | sefidel <contact@sefidel.net> | 2023-11-12 17:12:53 +0900 |
commit | d1e2c2db07cb37a85ab5c7705c1d4a96d8a65f91 (patch) | |
tree | 31dcc3435b06a445f5f13f54117872f00bcaf87a /modules/services | |
parent | dc94b6cd1d99bf20d66c6fbc55ff4c2024cfbda3 (diff) | |
feat(modules/matrix-homeserver): harden nginx
This commit removes the admin endpoints from the reverse proxy and sets the max body size to match the max file upload size in synapse.
Diffstat (limited to 'modules/services')
-rw-r--r-- | modules/services/matrix-homeserver.nix | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/modules/services/matrix-homeserver.nix b/modules/services/matrix-homeserver.nix
index 6089b12..12befb9 100644
--- a/modules/services/matrix-homeserver.nix
+++ b/modules/services/matrix-homeserver.nix
@@ -147,12 +147,13 @@ in
 ];
 extraConfig = ''
 proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
 proxy_read_timeout 600;
- client_max_body_size 50M;
+ client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
 '';
- locations."/_matrix".proxyPass = "http://[::1]:${toString httpPort}";
- locations."/_synapse".proxyPass = "http://[::1]:${toString httpPort}";
+
+ locations."~* ^(\\/_matrix|\\/_synapse\\/client)".proxyPass = "http://[::1]:${toString httpPort}";
 };
 
 services.nginx.virtualHosts.${cfg.domain} = |
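Review bot: The location regex added at the end of the hunk is looser than the hardening needs: `~*` matches case-insensitively and nothing bounds the alternatives on the right, so any path that merely starts with `/_matrix` or `/_synapse/client` (for example `/_synapse/clientx`) is still forwarded to Synapse. A case-sensitive pattern with a boundary and without the unneeded slash escapes, `locations."~ ^/(_matrix|_synapse/client)(/|$)".proxyPass = "http://[::1]:${toString httpPort}";`, would limit the proxied surface to exactly the two trees. The reason `/_synapse/admin` is left out is recorded only in the commit message, so I would add `# /_synapse/admin is intentionally not proxied; do not widen this to /_synapse` above the line. Separately, `client_max_body_size` now interpolates `max_upload_size` verbatim, which assumes the option is always a string in a size syntax nginx also accepts. The virtual host's attribute set starts above the hunk, so I cannot see whether it defines other locations that this regex would take precedence over.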