Put matrix federation behind reverse proxy

2026-04-07 21:32:12 +02:00 · 2026-04-07 21:32:12 +02:00 · fe86c128ed
commit fe86c128ed
parent 44215ecfc9
4 changed files with 30 additions and 7 deletions
--- a/config/hosts/matrix/nginx.nix
+++ b/config/hosts/matrix/nginx.nix
@ -11,10 +11,17 @@
            addr = "0.0.0.0";
            port = 80;
          }
+          {
+            addr = "0.0.0.0";
+            port = 8443;
+            ssl = true;
+            proxyProtocol = true;
+          }
          {
            addr = "0.0.0.0";
            port = 8448;
            ssl = true;
+            proxyProtocol = true;
          }
        ];
        locations = {
@ -49,8 +56,6 @@
          };
        };
        extraConfig = ''
-          listen 0.0.0.0:8443 http2 ssl proxy_protocol;
-
          set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
          set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
          real_ip_header proxy_protocol;
@ -64,6 +69,12 @@
            addr = "0.0.0.0";
            port = 80;
          }
+          {
+            addr = "0.0.0.0";
+            port = 8443;
+            ssl = true;
+            proxyProtocol = true;
+          }
        ];
        locations = {
          "/" = {
@ -79,8 +90,6 @@
          };
        };
        extraConfig = ''
-          listen 0.0.0.0:8443 http2 ssl proxy_protocol;
-
          set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
          set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
          real_ip_header proxy_protocol;
@ -94,6 +103,12 @@
            addr = "0.0.0.0";
            port = 80;
          }
+          {
+            addr = "0.0.0.0";
+            port = 8443;
+            ssl = true;
+            proxyProtocol = true;
+          }
        ];
        locations."^~ /livekit/jwt/" = {
          proxyPass = "http://localhost:8082/";
@ -103,8 +118,6 @@
          proxyWebsockets = true;
        };
        extraConfig = ''
-          listen 0.0.0.0:8443 http2 ssl proxy_protocol;
-
          set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
          set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
          real_ip_header proxy_protocol;
--- a/config/hosts/valkyrie/configuration.nix
+++ b/config/hosts/valkyrie/configuration.nix
@ -7,7 +7,7 @@
    nftables.enable = true;
    firewall = {
      enable = true;
-      allowedTCPPorts = [ 80 443 ];
+      allowedTCPPorts = [ 80 443 8448 ];
      allowedUDPPorts = [ 51820 51821 51822 51824 51827 51828 51829 51830 ];
    };
    wireguard = {
--- a/config/hosts/valkyrie/nginx.nix
+++ b/config/hosts/valkyrie/nginx.nix
@ -58,6 +58,11 @@
        ssl_preread on;
        proxy_protocol on;
      }
+      server {
+        listen [::]:8448;
+        proxy_pass 10.202.41.112:8448; # matrix federation port
+        proxy_protocol on;
+      }
    '';
  };
 }
--- a/config/hosts/web-public-2/nginx.nix
+++ b/config/hosts/web-public-2/nginx.nix
@ -38,6 +38,11 @@
          ssl_preread on;
          proxy_protocol on;
        }
+        server {
+          listen 0.0.0.0:8448;
+          proxy_pass 10.202.41.112:8448; # matrix federation port
+          proxy_protocol on;
+        }
      }
    '';