---
gitea: none
include_toc: true
---

# Reverse proxy with nginx

Clients connecting from the Internet to our Matrix environment will usually
use SSL/TLS to encrypt whatever they want to send. This is one thing that
nginx does better than Synapse.

Furthermore, granting or denying access to specific endpoints is much easier
in nginx.

Synapse listens only on localhost, so nginx has to pass connections on from
the wild west that is the Internet to our server listening on the inside.

# Installing

Installing nginx and the [Let's Encrypt](https://letsencrypt.org/) plugin is
easy:

```
apt install nginx python3-certbot-nginx
```

Get your certificate:

```
certbot certonly --nginx --agree-tos -m systeemmail@procolix.com --non-interactive -d matrixdev.procolix.com
```

Substitute the correct e-mail address and FQDN, of course.

# Configuration

Almost all traffic should be encrypted, so a redirect from http to https
seems like a good idea.

However, `.well-known/matrix/client` has to be available via http and https,
so that should *NOT* be redirected to https. Some clients don't understand
the redirect and will therefore not find the server if you redirect
everything.

# Firewall

For normal use, at least ports 80 and 443 must be opened, see
[Firewall](../firewall).
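
The redirect rule from the Configuration section, written out as an added nginx example (not this project's own configuration): everything on port 80 is redirected to https except `.well-known/matrix/client`, which is answered on both ports. Assumptions: nginx serves the well-known document itself as static JSON, Synapse listens on `127.0.0.1:8008`, and the certificate sits in certbot's default location for the FQDN used above.

```nginx
# Added example. The static JSON body and the Synapse port (8008) are assumptions.
server {
    listen 80;
    listen [::]:80;
    server_name matrixdev.procolix.com;

    # Answered over plain http too: some clients do not follow a redirect here.
    location = /.well-known/matrix/client {
        default_type application/json;
        add_header Access-Control-Allow-Origin * always;
        return 200 '{"m.homeserver": {"base_url": "https://matrixdev.procolix.com"}}';
    }

    # Everything else is sent to https. The hostname is written out instead of
    # taken from the request, so a forged Host header cannot steer the redirect.
    location / {
        return 301 https://matrixdev.procolix.com$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name matrixdev.procolix.com;

    ssl_certificate     /etc/letsencrypt/live/matrixdev.procolix.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/matrixdev.procolix.com/privkey.pem;

    # Same document as on port 80, so both schemes give the same answer.
    location = /.well-known/matrix/client {
        default_type application/json;
        add_header Access-Control-Allow-Origin * always;
        return 200 '{"m.homeserver": {"base_url": "https://matrixdev.procolix.com"}}';
    }

    # Only the Matrix client/federation paths are passed to Synapse on localhost.
    location ~ ^(/_matrix|/_synapse/client) {
        proxy_pass http://127.0.0.1:8008;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Run `nginx -t` to check the syntax before reloading nginx.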