2.6 KiB
Table of Contents
Reverse proxy with nginx
Clients connecting from the Internet to our Matrix environment will usually use SSL/TLS to encrypt whatever they want to send. This is one thing that nginx does better than Synapse.
Furthermore, granting or denying access to specific endpoints is much easier in nginx.
Synapse listens only on localhost, so nginx has to pass connections on from the wild west that is the Internet to our server listening on the inside.
Installing
Installing nginx and the Let's Encrypt plugin is easy:
apt install nginx python3-certbot-nginx
Get your certificate:
certbot certonly --nginx --agree-tos -m systeemmail@procolix.com --non-interactive -d matrixdev.procolix.com
Substitute the correct e-mailaddress and FQDN, or course.
Configuration
Almost all traffic should be encrypted, so a redirect from http to https seems like a good idea.
However, .well-known/matrix/client
has to be available via http and https,
so that should NOT be redirected to https. Some clients don't understand the
redirect and will therefore not find the server if you redirect everything.
Under the server_name
(the "domain name", the part after the username) you
will need a configuration like this:
server {
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
ssl_certificate /etc/letsencrypt/live/matrixdev.procolix.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/matrixdev.procolix.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/ssl/dhparams.pem;
server_name matrixdev.procolix.com;
location /.well-known/matrix/client {
return 200 '{
"m.homeserver": {"base_url": "https://vm02199.procolix.com"},
"org.matrix.msc3575.proxy": {"url": "https://vm02199.procolix.com"}
}';
default_type application/json;
}
location /.well-known/matrix/server {
return 200 '{"m.server": "vm02199.procolix.com"}';
default_type application/json;
}
location / {
if ($scheme = http) {
return 301 https://$host$request_uri;
}
}
access_log /var/log/nginx/matrixdev-access.log;
error_log /var/log/nginx/matrixdev-error.log;
}
This defines a server that listens on both http and https. It hands out two .well-known entries over both http and https, and every other request over http is forwarded to https.
Be sure to substitute the correct values for server_name
, base_url
and the
certificate files.
Firewall
For normal use, at least ports 80 and 443 must be openend, see Firewall.