Fediversity/matrix/nginx/README.md

318 lines
9.1 KiB
Markdown
Raw Permalink Normal View History

---
gitea: none
include_toc: true
---
# Reverse proxy with nginx
Clients connecting from the Internet to our Matrix environment will usually
use SSL/TLS to encrypt whatever they want to send. This is one thing that
nginx does better than Synapse.
Furthermore, granting or denying access to specific endpoints is much easier
in nginx.
Synapse listens only on localhost, so nginx has to pass connections on from
the wild west that is the Internet to our server listening on the inside.
# Installing
Installing nginx and the [Let's Encrypt](https://letsencrypt.org/) plugin is
easy:
```
apt install nginx python3-certbot-nginx
```
2024-12-04 10:13:58 +01:00
Get your certificate for the base domain (which is probably not the machine on which
we're going to run Synapse):
2024-11-12 15:38:05 +01:00
```
2024-12-04 10:13:58 +01:00
certbot certonly --nginx --agree-tos -m system@example.com --non-interactive -d example.com
```
Get one for the machine on which we are going to run Synapse too:
```
certbot certonly --nginx --agree-tos -m system@example.com --non-interactive -d matrix.example.com
2024-11-12 15:38:05 +01:00
```
Substitute the correct e-mailaddress and FQDN, or course.
2024-12-04 11:29:34 +01:00
## Automatic renewal {#certrenew}
Certificates have a limited lifetime, and need to be updated every once in a
while. This should be done automatically by Certbot, see if `systemctl
list-timers` lists `certbot.timer`.
However, renewing the certificate means you'll have to restart the software
that's using it. We have 2 or 3 pieces of software that use certificates:
[coturn](../cotorun) and/or [LiveKit](../livekit), and [nginx](../nginx).
Coturn/LiveKit are special with regards to the certificate, see their
respective pages. For nginx it's pretty easy: tell Letsencrypt to restart it
after a renewal.
2024-12-04 11:31:43 +01:00
You do this by adding this line to the `[renewalparams]` in
`/etc/letsencrypt/renewal/<certificate name>.conf`:
2024-12-04 11:29:34 +01:00
```
renew_hook = systemctl try-reload-or-restart nginx
```
# Configuration of domain name {#configdomain}
Let's start with the configuration on the webserver that runs on the domain
name itself, in this case `example.com`.
Almost all traffic should be encrypted, so a redirect from http to https seems
like a good idea.
However, `.well-known/matrix/client` has to be available via http and https,
so that should *NOT* be redirected to https. Some clients don't understand the
redirect and will therefore not find the server if you redirect everything.
2024-11-12 15:56:33 +01:00
Under the `server_name` (the "domain name", the part after the username) you
will need a configuration like this:
```
server {
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
2024-12-04 10:13:58 +01:00
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
2024-11-12 15:56:33 +01:00
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/ssl/dhparams.pem;
2024-12-04 10:13:58 +01:00
server_name example.com;
2024-11-12 15:57:32 +01:00
location /.well-known/matrix/client {
return 200 '{
"m.homeserver": {"base_url": "https://matrix.example.com"},
2024-11-12 15:57:32 +01:00
}';
default_type application/json;
}
location /.well-known/matrix/server {
return 200 '{"m.server": "matrix.example.com"}';
2024-11-12 15:57:32 +01:00
default_type application/json;
}
location / {
if ($scheme = http) {
return 301 https://$host$request_uri;
2024-11-12 15:56:33 +01:00
}
2024-11-12 15:57:32 +01:00
}
2024-11-12 15:56:33 +01:00
2024-12-04 10:13:58 +01:00
access_log /var/log/nginx/example_com-access.log;
error_log /var/log/nginx/example_com-error.log;
2024-11-12 17:02:29 +01:00
2024-11-12 15:56:33 +01:00
}
```
This defines a server that listens on both http and https. It hands out two
.well-known entries over both http and https, and every other request over
http is forwarded to https.
Be sure to substitute the correct values for `server_name`, `base_url` and the
certificate files (and [renew the certificate](#renewcert)).
See this [full configuration example](domain.conf) with some extra stuff.
# Configuration of the reverse proxy
For the actual proxy in front of Synapse, this is what you need: forward ports
443 and 8448 to Synapse, listening on localhost, and add a few headers so
Synapse know's who's on the other side of the line.
2024-11-12 17:02:29 +01:00
```
server {
listen 443 ssl;
listen [::]:443 ssl;
# For the federation port
listen 8448 ssl default_server;
listen [::]:8448 ssl default_server;
ssl_certificate /etc/letsencrypt/live/matrix.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/matrix.example.com/privkey.pem;
2024-11-12 17:02:29 +01:00
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/ssl/dhparams.pem;
server_name matrix.example.com;
2024-11-12 17:02:29 +01:00
location ~ ^(/_matrix|/_synapse/client) {
proxy_pass http://localhost:8008;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
client_max_body_size 50M;
proxy_http_version 1.1;
}
}
```
Again, substitute the correct values. Don't forget to open the relevant ports
in the firewall. Ports 80 and 443 may already be open, 8448 is probably not.
This is a very, very basic configuration; just enough to give us a working
service. See this [complete example](revproxy.conf) which also includes
[Draupnir](../draupnir) and a protected admin endpoint.
# Synapse-admin {#synapse-admin}
If you also [install Synapse-Admin](../synapse-admin), you'll want to create
another vhost, something like this:
```
server {
2024-11-27 18:45:12 +01:00
listen 443 ssl;
listen [::]:443 ssl;
ssl_certificate /etc/letsencrypt/live/admin.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/admin.example.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/ssl/dhparams.pem;
server_name admin.example.com;
root /var/www/synapse-admin;
access_log /var/log/nginx/admin-access.log;
error_log /var/log/nginx/admin-error.log;
}
```
You'll need an SSL certificate for this, of course. But you'll also need to
give it access to the `/_synapse/admin` endpoint in Synapse.
You don't want this endpoint to be available for just anybody on the Internet,
so restrict access to the IP-addresses from which you expect to use
Synapse-Admin.
In `/etc/nginx/sites-available/synapse` you want to add this bit:
```
location ~ ^/_synapse/admin {
2024-11-27 18:45:12 +01:00
allow 127.0.0.1;
allow ::1;
allow 111.222.111.222;
allow dead:beef::/64;
deny all;
proxy_pass http://localhost:8008;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
client_max_body_size 50M;
proxy_http_version 1.1;
}
```
This means access to `/_synapse/admin` is only allowed for the addresses
mentioned, but will be forwarded to Synapse in exactly the same way as
"normal" requests.
2024-11-18 18:36:24 +01:00
# LiveKit {#livekit}
If you run an SFU for Element Call, you need a virtual host for LiveKit. Make
sure you install, configure and run [Element Call LiveKit](../element-call#livekit).
Then create a virtual host much like this:
```
server {
2024-11-27 18:45:12 +01:00
listen 443 ssl;
listen [::]:443 ssl;
ssl_certificate /etc/letsencrypt/live/livekit.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/livekit.example.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/ssl/dhparams.pem;
server_name livekit.example.com;
# This is lk-jwt-service
location ~ ^(/sfu/get|/healthz) {
proxy_pass http://[::1]:8080;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location / {
proxy_pass http://[::1]:7880;
proxy_set_header Connection "upgrade";
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
access_log /var/log/nginx/livekit-access.log;
error_log /var/log/nginx/livekit-error.log;
2024-11-18 18:36:24 +01:00
}
```
# Element Call widget {#callwidget}
If you self-host the [Element Call widget](../element-call#widget), this
should be the configuration to publish that:
```
server {
2024-11-27 18:45:12 +01:00
listen 443 ssl;
listen [::]:443 ssl;
ssl_certificate /etc/letsencrypt/live/call.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/call.example.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/ssl/dhparams.pem;
server_name call.example.com;
root /var/www/element-call;
location /assets {
add_header Cache-Control "public, immutable, max-age=31536000";
}
location /apple-app-site-association {
default_type application/json;
}
location /^config.json$ {
alias public/config.json;
default_type application/json;
}
location / {
try_files $uri /$uri /index.html;
2024-11-27 18:45:12 +01:00
add_header Cache-Control "public, max-age=30, stale-while-revalidate=30";
}
access_log /var/log/nginx/call-access.log;
error_log /var/log/nginx/call-error.log;
}
```
# Firewall
For normal use, at least ports 80 and 443 must be openend, see [Firewall](../firewall).