From d1e2c2db07cb37a85ab5c7705c1d4a96d8a65f91 Mon Sep 17 00:00:00 2001
From: sefidel
Date: Sat, 11 Nov 2023 21:19:09 +0900
Subject: feat(modules/matrix-homeserver): harden nginx
This commit removes the admin endpoints from reverse proxy, and sets the max body size to match the max file upload size in synapse.
---
 modules/services/matrix-homeserver.nix | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/modules/services/matrix-homeserver.nix b/modules/services/matrix-homeserver.nix
index 6089b12..12befb9 100644
--- a/modules/services/matrix-homeserver.nix
+++ b/modules/services/matrix-homeserver.nix
@@ -147,12 +147,13 @@ in
 ];
 extraConfig = ''
 proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
 proxy_read_timeout 600;
- client_max_body_size 50M;
+ client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
 '';
- locations."/_matrix".proxyPass = "http://[::1]:${toString httpPort}";
- locations."/_synapse".proxyPass = "http://[::1]:${toString httpPort}";
+
+ locations."~* ^(\\/_matrix|\\/_synapse\\/client)".proxyPass = "http://[::1]:${toString httpPort}";
 };
 services.nginx.virtualHosts.${cfg.domain} =
--
cgit 1.4.1
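Review bot: The new regex location `~* ^(\\/_matrix|\\/_synapse\\/client)` has no comment saying that `/_synapse/admin` is left out on purpose, so a later edit could restore a broad `/_synapse` prefix without noticing that it re-exposes the admin API; I would add above it `# /_synapse/admin is deliberately not proxied; keep it off the public vhost`. The exclusion also only holds if no other location on this virtual host (for example a catch-all `/`) proxies to the same port and if Synapse's listener is reachable on loopback only, neither of which is visible in this hunk. The pattern has no boundary after the alternatives, so it also matches paths such as `/_matrixfoo`; `locations."~ ^/(_matrix|_synapse/client)(/|$)"` would be tighter, and the case-insensitive `~*` looks unnecessary. The attribute set holding this line starts and ends outside the hunk.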