forked from Fediversity/Fediversity
---
gitea: none
include_toc: true
---

# Reverse proxy with nginx

Clients connecting from the Internet to our Matrix environment will usually
use SSL/TLS to encrypt whatever they want to send. This is one thing that
nginx does better than Synapse.

Furthermore, granting or denying access to specific endpoints is much easier
in nginx.

Synapse listens only on localhost, so nginx has to pass connections on from
the wild west that is the Internet to our server listening on the inside.

# Installing

Installing nginx and the [Let's Encrypt](https://letsencrypt.org/) plugin is
easy:

```
apt install nginx python3-certbot-nginx
```

# Configuration

Almost all traffic should be encrypted, so a redirect from http to https seems
like a good idea.

However, `.well-known/matrix/client` has to be available via http and https,
so that should *NOT* be redirected to https. Some clients don't understand the
redirect and will therefore not find the server if you redirect everything.

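An nginx configuration that does what this section describes: the plain-http server answers `.well-known/matrix/client` itself and redirects everything else to https, while the https server proxies only the Matrix API paths to Synapse on localhost. This is an added example, not the page's or the project's own configuration; the domain `example.org`, the Synapse client port 8008 and the certbot certificate paths are assumptions.

```nginx
# Added example, not the page's own config. Assumes the Matrix domain example.org
# and a Synapse client listener on 127.0.0.1:8008 (not stated on this page).
server {
    listen 80;
    listen [::]:80;
    server_name example.org;

    # Must stay reachable over plain http, so it is served here, not redirected.
    location = /.well-known/matrix/client {
        default_type application/json;
        add_header Access-Control-Allow-Origin *;
        return 200 '{"m.homeserver": {"base_url": "https://example.org"}}';
    }

    # Everything else is sent to https.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.org;

    # Certificate paths as written by certbot --nginx for the assumed domain.
    ssl_certificate     /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;

    # The same well-known answer must also be available over https.
    location = /.well-known/matrix/client {
        default_type application/json;
        add_header Access-Control-Allow-Origin *;
        return 200 '{"m.homeserver": {"base_url": "https://example.org"}}';
    }

    # Only the Matrix API paths are passed on to Synapse on localhost;
    # anything else is refused at the proxy and never reaches the homeserver.
    location ~ ^(/_matrix|/_synapse/client) {
        proxy_pass http://127.0.0.1:8008;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        client_max_body_size 50M;   # nginx's default 1M limit blocks media uploads
    }

    location / {
        return 404;
    }
}
```

Check the result with `nginx -t` before reloading, and confirm that `curl -i http://example.org/.well-known/matrix/client` returns 200 rather than a redirect.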
# Firewall

For normal use, at least ports 80 and 443 must be opened, see [Firewall](../firewall).