Basic reverse proxy (nginx) documentation added.
parent 417acb59b4
commit f2c9761bb9
41
nginx/README.md
Normal file
@ -0,0 +1,41 @@
---
gitea: none
include_toc: true
---
# Reverse proxy with nginx
Clients connecting from the Internet to our Matrix environment will usually
use SSL/TLS to encrypt whatever they want to send. This is one thing that
nginx does better than Synapse.
Furthermore, granting or denying access to specific endpoints is much easier
in nginx.
Synapse listens only on localhost, so nginx has to pass connections on from
the wild west that is the Internet to our server listening on the inside.


# Installing
Installing nginx and the [Let's Encrypt](https://letsencrypt.org/) plugin is
easy:
```
apt install nginx python3-certbot-nginx
```
# Configuration
Almost all traffic should be encrypted, so a redirect from http to https seems
like a good idea.
However, `.well-known/matrix/client` has to be available via http and https,
so that should *NOT* be redirected to https. Some clients don't understand the
redirect and will therefore not find the server if you redirect everything.



# Firewall
For normal use, at least ports 80 and 443 must be openend, see [Firewall](../firewall).
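
Review bot: The Configuration section says `.well-known/matrix/client` must stay reachable over plain http while everything else is redirected, but it contains no nginx configuration, so a reader cannot tell how narrowly that exception is meant to be scoped. Add the port-80 server block that serves exactly that path and redirects every other request to https, so nothing else ends up answered unencrypted. The Installing section installs `python3-certbot-nginx` without a step that requests the certificate, and "openend" in the Firewall line should read "opened".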