hans/Fediversity
1
0
Fork 0
forked from fediversity/fediversity
Code Pull requests Activity

Added Synapse-Admin, and nginx's configuration for it.

Browse source
This commit is contained in:
Hans van Zijst 2024-11-18 16:21:22 +01:00 committed by Valentin Gagarin
parent ef412ea77a
commit 0bb2093a00
2 changed files with 92 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

59
matrix/nginx/README.md
View file

@ -133,6 +133,65 @@ Again, substitute the correct values. Don't forget to open the relevant ports
in the firewall. Ports 80 and 443 may already be open, 8448 is probably not.
# Synapse-admin {#synapse-admin}
If you also [install Synapse-Admin](../synapse-admin), you'll want to create
another vhost, something like this:
```
server {
listen 443 ssl;
listen [::]:443 ssl;
ssl_certificate
/etc/letsencrypt/live/admin.example.procolix.com/fullchain.pem;
ssl_certificate_key
/etc/letsencrypt/live/admin.example.procolix.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/ssl/dhparams.pem;
server_name admin.example.procolix.com;
root /var/www/synapse-admin;
access_log /var/log/nginx/admin-example-access.log;
error_log /var/log/nginx/admin-example-error.log;
}
```
You'll need an SSL certificate for this, of course. But you'll also need to
give it access to the `/_synapse/admin` endpoint in Synapse.
You don't want this endpoint to be available for just anybody on the Internet,
so restrict access to the IP-addresses from which you expect to use
Synapse-Admin.
In `/etc/nginx/sites-available/synapse` you want to add this bit:
```
location ~ ^/_synapse/admin {
allow 127.0.0.1;
allow ::1;
allow 185.206.232.60; # this host
allow 2a00:51c0:12:1201::2a; # this host
allow 45.142.234.216; # kantoor
allow 2a10:3781:2bc3::/64; # kantoor
deny all;
proxy_pass http://localhost:8008;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
client_max_body_size 50M;
proxy_http_version 1.1;
}
```
This means access to `/_synapse/admin` is only allowed for the addresses
mentioned, but will be forwarded to Synapse in exactly the same way as
"normal" requests.
# Firewall
For normal use, at least ports 80 and 443 must be openend, see [Firewall](../firewall).

33
matrix/synapse-admin/README.md Normal file
View file

@ -0,0 +1,33 @@
# Synapse-admin
This is the webgui for Synapse.
Installation can be done in 3 ways
([see Github](https://github.com/Awesome-Technologies/synapse-admin)), we'll
pick the easiest one: using the precompiled tar.
Unpack it under `/var/www`, link `synapse-admin` to the directory that the
archive creates. This is to make sure you can easily unpack a newer version,
prepare that, and then change the symlink.
```
# ls -l /var/www
total 8
drwxr-xr-x 2 root root 4096 Nov 4 18:05 html
lrwxrwxrwx 1 root root 20 Nov 18 13:24 synapse-admin -> synapse-admin-0.10.3
drwxr-xr-x 5 root root 4096 Nov 18 15:54 synapse-admin-0.10.3
```
We use 0.10.3, but point nginx to '/var/www/synapse-admin'. Configuring nginx
is fairly straightforward, [see here](../nginx/README.md#synapse-admin}.
You should probably restrict Synapse-Admin to your own Synapse-server, instead
of letting users fill in whatever they want. Do this by adding this bit to
`config.json`. In our config we've moved that file to
`/etc/synapse-admin` and link to that from `/var/www/synapse-admin`.
```
{
"restrictBaseUrl": "https://vm02199.procolix.com"
}
```