I would like to create a Signal Proxy at one of my Yunohost domains. Signal provides a Docker image for this. However, it is just a nginx configuration with certificate management so it seems like running Docker would be overkill, especially since Yunohost already handles the certificates. Is it possible to instead merge the existing Yunohost generated nginx conf with the Signal configuration to accomplish the same thing? If so, how could I do that in a non-breaking way?
Default nginx conf for a particular domain:
```nginx
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

server {
    listen 80;
    listen [::]:80;
    server_name subdomain.example.com;

    access_by_lua_file /usr/share/ssowat/access.lua;

    include /etc/nginx/conf.d/acme-challenge.conf.inc;

    location ^~ '/.well-known/ynh-diagnosis/' {
        alias /var/www/.well-known/ynh-diagnosis/;
    }

    location ^~ '/.well-known/autoconfig/mail/' {
        alias /var/www/.well-known/subdomain.example.com/autoconfig/mail/;
    }

    location / {
        return 301 https://$host$request_uri;
    }

    include /etc/nginx/conf.d/yunohost_http_errors.conf.inc;

    access_log /var/log/nginx/subdomain.example.com-access.log;
    error_log /var/log/nginx/subdomain.example.com-error.log;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name subdomain.example.com;

    include /etc/nginx/conf.d/security.conf.inc;

    ssl_certificate /etc/yunohost/certs/subdomain.example.com/crt.pem;
    ssl_certificate_key /etc/yunohost/certs/subdomain.example.com/key.pem;

    more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload";
    # (remainder of the 443 server block not included in the post)
```
Signal nginx conf from here:
```nginx
user nginx;
worker_processes auto;

events {
    worker_connections 1024;
}

stream {
    # Route by the SNI name in the TLS ClientHello without terminating TLS
    map $ssl_preread_server_name $name {
        chat.signal.org          signal-service;
        ud-chat.signal.org       signal-service;
        storage.signal.org       storage-service;
        cdn.signal.org           signal-cdn;
        cdn2.signal.org          signal-cdn2;
        cdn3.signal.org          signal-cdn3;
        cdsi.signal.org          cdsi;
        contentproxy.signal.org  content-proxy;
        sfu.voip.signal.org      sfu;
        svr2.signal.org          svr2;
        updates.signal.org       updates;
        updates2.signal.org      updates2;
        default                  deny;
    }

    upstream signal-service {
        server chat.signal.org:443;
    }
    upstream storage-service {
        server storage.signal.org:443;
    }
    upstream signal-cdn {
        server cdn.signal.org:443;
    }
    upstream signal-cdn2 {
        server cdn2.signal.org:443;
    }
    upstream signal-cdn3 {
        server cdn3.signal.org:443;
    }
    upstream cdsi {
        server cdsi.signal.org:443;
    }
    upstream content-proxy {
        server contentproxy.signal.org:443;
    }
    upstream sfu {
        server sfu.voip.signal.org:443;
    }
    upstream svr2 {
        server svr2.signal.org:443;
    }
    upstream updates {
        server updates.signal.org:443;
    }
    upstream updates2 {
        server updates2.signal.org:443;
    }
    # Unknown SNI names are sent to the discard port, so the relay only
    # forwards to the Signal hosts listed above
    upstream deny {
        server 127.0.0.1:9;
    }

    server {
        listen 4433;
        proxy_pass $name;
        ssl_preread on;
        error_log /dev/null;
        access_log off;
    }
}
```
EDIT: Adding a link here to a page which describes one way to do this. Though it appears that this method would necessitate editing the configuration files for any domain on the Yunohost install to remove listening on 443 and instead listen on 80. I’m not sure that this would be compatible with Yunohost’s certificate management.
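Whatever way the `stream` block ends up merged into the Yunohost nginx tree, the property worth checking before reloading is that it stays a closed relay: every SNI name in the `map` routes to an upstream whose host is that same name, and everything else falls through to a blackhole. The linter below is an added example (not code from the post, from Yunohost or from Signal) that parses a config in the shape shown above; `SAMPLE_CONF` is a constructed, shortened excerpt used as input.

```python
import re

# Constructed excerpt in the same shape as the Signal stream config above.
SAMPLE_CONF = """
stream {
    map $ssl_preread_server_name $name {
        chat.signal.org signal-service;
        cdn.signal.org signal-cdn;
        default deny;
    }
    upstream signal-service { server chat.signal.org:443; }
    upstream signal-cdn { server cdn.signal.org:443; }
    upstream deny { server 127.0.0.1:9; }
    server { listen 4433; proxy_pass $name; ssl_preread on; }
}
"""

MAP_RE = re.compile(r"map\s+\$ssl_preread_server_name\s+\$\w+\s*\{(.*?)\}", re.S)
UPSTREAM_RE = re.compile(r"upstream\s+(\S+)\s*\{\s*server\s+([^\s;]+);\s*\}", re.S)
BLACKHOLE = {"127.0.0.1:9", "[::1]:9"}  # discard port: nothing listens there

def parse_routes(conf):
    """Return ({sni_name: upstream_name}, {upstream_name: 'host:port'})."""
    m = MAP_RE.search(conf)
    if not m:
        raise ValueError("no 'map $ssl_preread_server_name' block found")
    routes = {}
    for line in m.group(1).splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";")
        if line:
            sni, target = line.split()
            routes[sni] = target
    return routes, dict(UPSTREAM_RE.findall(conf))

def lint(conf):
    """Return a list of problems; an empty list means the relay is closed."""
    routes, upstreams = parse_routes(conf)
    problems = []
    default = routes.get("default")
    if default is None:
        problems.append("no default route: add 'default deny' for unmatched SNI")
    elif upstreams.get(default) not in BLACKHOLE:
        problems.append(f"default route '{default}' is not a blackhole (open relay risk)")
    for sni, target in routes.items():
        if sni == "default":
            continue
        server = upstreams.get(target)
        if server is None:
            problems.append(f"{sni}: upstream '{target}' is not defined")
        elif server.rsplit(":", 1)[0] != sni:
            problems.append(f"{sni}: routed to {server}, host does not match SNI")
    return problems
```

Run `lint(open("/path/to/merged.conf").read())` against the merged file and only reload nginx when it returns an empty list and `nginx -t` passes.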