---
gitea: none
include_toc: true
---

# Reverse proxy with nginx

Clients connecting from the Internet to our Matrix environment will usually
use SSL/TLS to encrypt whatever they want to send. Terminating TLS is one thing
that nginx does better than Synapse.

Furthermore, granting or denying access to specific endpoints is much easier
in nginx.

Synapse listens only on localhost, so nginx has to pass connections on from
the wild west that is the Internet to our server listening on the inside.

# Installing

Installing nginx and the [Let's Encrypt](https://letsencrypt.org/) plugin is
easy:

```
apt install nginx python3-certbot-nginx
```

Get your certificate:

```
certbot certonly --nginx --agree-tos -m systeemmail@procolix.com --non-interactive -d matrixdev.procolix.com
```

Substitute the correct e-mail address and FQDN, of course.

# Configuration

Almost all traffic should be encrypted, so a redirect from http to https seems
like a good idea.

However, `.well-known/matrix/client` has to be available via http and https,
so that should *NOT* be redirected to https. Some clients don't understand the
redirect and will therefore not find the server if you redirect everything.
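The following server blocks are an added example of that layout, not configuration from this repository: the plain-http block serves only `.well-known/matrix/client` and redirects everything else, the https block terminates TLS and passes the Matrix API on to Synapse on localhost. The hostname, the Let's Encrypt certificate paths, the Synapse listener `127.0.0.1:8008` and the `/_synapse/admin` restriction are assumptions.

```nginx
# Added example, not part of the original page. Hostname, certificate paths and
# the Synapse listener 127.0.0.1:8008 are assumptions; adjust to your setup.
server {
    listen 80;
    listen [::]:80;
    server_name matrixdev.procolix.com;
    # Served over plain http on purpose: some clients never follow a redirect
    # for this path, so it must not be caught by the catch-all below.
    location = /.well-known/matrix/client {
        default_type application/json;
        add_header Access-Control-Allow-Origin *;
        return 200 '{"m.homeserver": {"base_url": "https://matrixdev.procolix.com"}}';
    }
    # Everything else is redirected to https.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name matrixdev.procolix.com;
    # Paths as created by the certbot command in the Installing section.
    ssl_certificate     /etc/letsencrypt/live/matrixdev.procolix.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/matrixdev.procolix.com/privkey.pem;
    location = /.well-known/matrix/client {
        default_type application/json;
        add_header Access-Control-Allow-Origin *;
        return 200 '{"m.homeserver": {"base_url": "https://matrixdev.procolix.com"}}';
    }
    # Admin API: allowed from the host itself only, denied from the Internet.
    location /_synapse/admin {
        allow 127.0.0.1;
        allow ::1;
        deny all;
        proxy_pass http://127.0.0.1:8008;
    }
    # Client and federation API, passed on to Synapse listening on localhost.
    location ~ ^(/_matrix|/_synapse/client) {
        proxy_pass http://127.0.0.1:8008;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        client_max_body_size 50M;
    }
}
```

Check with `nginx -t` before reloading, and confirm with `curl -i http://matrixdev.procolix.com/.well-known/matrix/client` that the plain-http answer is a `200` and not a `301`.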

# Firewall

For normal use, at least ports 80 and 443 must be opened, see [Firewall](../firewall).