synapse/docker/conf-workers/nginx.conf.j2

# This file contains the base config for the reverse proxy, as part of ../Dockerfile-workers.
# configure_workers_and_start.py uses and amends to this file depending on the workers
# that have been selected.

{{ upstream_directives }}

server {
    # Listen on an unoccupied port number
    listen 8008;
    listen [::]:8008;

    {% if tls_cert_path is not none and tls_key_path is not none %}
        listen 8448 ssl;
        listen [::]:8448 ssl;

        ssl_certificate {{ tls_cert_path }};
        ssl_certificate_key {{ tls_key_path }};

        # Some directives from cipherlist.eu (fka cipherli.st):
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off; # Requires nginx >= 1.5.9
    {% endif %}

    server_name localhost;

    # Nginx by default only allows file uploads up to 1M in size
    # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
    client_max_body_size 100M;

{{ worker_locations }}

    # Send all other traffic to the main process
    location ~* ^(\\/_matrix|\\/_synapse) {
{% if using_unix_sockets %}
        proxy_pass http://unix:/run/main_public.sock;
{% else %}
        proxy_pass http://localhost:8080;
{% endif %}
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host:$server_port;
    }
}