1 files changed, 63 insertions, 0 deletions

diff --git a/matrix/files/nginx.j2 b/matrix/files/nginx.j2
new file mode 100644
index 0000000..bce4643
--- /dev/null
+++ b/matrix/files/nginx.j2
@@ -0,0 +1,63 @@
+server {
+        listen 80;
+        server_name {{ federation_server }};
+        access_log /var/log/nginx/{{ federation_server }}/access.log combined;
+        error_log /var/log/nginx/{{ federation_server }}/error.log;
+        root /var/www/{{ federation_server }};
+
+{% if ssl_available %}
+        location / {
+                return 301 https://{{ federation_server }}$request_uri;
+                rewrite ^ https://{{ federation_server }}$request_uri permanent;
+        }
+{% endif %}
+        if ($request_uri ~ " ") {
+                return 444;
+        }
+        if ( $request_uri ~ ^/smoke/(.*)$ ) {
+                return 444;
+        }
+}
+{% if ssl_available %}
+server {
+        listen 443;
+        server_name {{ federation_server }};
+        access_log /var/log/nginx/{{ federation_server }}/access.ssl.log combined;
+        error_log /var/log/nginx/{{ federation_server }}/error.ssl.log;
+        root /var/www/{{ federation_server }};
+
+        if ($request_uri ~ " ") {
+                return 444;
+        }
+        if ( $request_uri ~ ^/smoke/(.*)$ ) {
+                return 444;
+        }
+
+        location / {
+                proxy_pass http://[::1]:8008/;
+                proxy_set_header Host $host;
+                proxy_set_header X-Real-IP $remote_addr;
+        }
+
+        gzip_static on;
+        etag on;
+
+        ssl on;
+        ssl_certificate /etc/ssl/certs/{{ federation_server }}.pem;
+        ssl_certificate_key /etc/ssl/private/{{ federation_server }}.key;
+        ssl_session_timeout 5m;
+        ssl_protocols TLSv1.2;
+        ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA";
+        ssl_prefer_server_ciphers on;
+        ssl_stapling on;
+        ssl_stapling_verify on;
+        ssl_dhparam /etc/ssl/private/dhparams_4096.pem;
+        ssl_ecdh_curve secp384r1;
+        ssl_session_tickets off;
+        ssl_session_cache shared:matrix:2M;
+        add_header X-Frame-Options DENY;
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+        resolver 8.8.8.8 8.8.4.4 valid=300s;
+        resolver_timeout 5s;
+}
+{% endif %}