diff --git a/matrix/nginx/README.md b/matrix/nginx/README.md index 4c11fb2..2a7b878 100644 --- a/matrix/nginx/README.md +++ b/matrix/nginx/README.md 
@@ -133,6 +133,65 @@ Again, substitute the correct values. Don't forget to open the relevant ports in the firewall. Ports 80 and 443 may already be open, 8448 is probably not. +# Synapse-admin {#synapse-admin} + +If you also [install Synapse-Admin](../synapse-admin), you'll want to create +another vhost, something like this: + +``` +server { + listen 443 ssl; + listen [::]:443 ssl; + + ssl_certificate +/etc/letsencrypt/live/admin.example.procolix.com/fullchain.pem; + ssl_certificate_key +/etc/letsencrypt/live/admin.example.procolix.com/privkey.pem; + include /etc/letsencrypt/options-ssl-nginx.conf; + ssl_dhparam /etc/ssl/dhparams.pem; + + server_name admin.example.procolix.com; + + root /var/www/synapse-admin; + + access_log /var/log/nginx/admin-example-access.log; + error_log /var/log/nginx/admin-example-error.log; +} +``` + +You'll need an SSL certificate for this, of course. But you'll also need to +give it access to the `/_synapse/admin` endpoint in Synapse. + +You don't want this endpoint to be available for just anybody on the Internet, +so restrict access to the IP-addresses from which you expect to use +Synapse-Admin. + +In `/etc/nginx/sites-available/synapse` you want to add this bit: + +``` +location ~ ^/_synapse/admin { + allow 127.0.0.1; + allow ::1; + allow 185.206.232.60; # this host + allow 2a00:51c0:12:1201::2a; # this host + allow 45.142.234.216; # kantoor + allow 2a10:3781:2bc3::/64; # kantoor + deny all; + + proxy_pass http://localhost:8008; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $host; + client_max_body_size 50M; + proxy_http_version 1.1; +} +``` + +This means access to `/_synapse/admin` is only allowed for the addresses +mentioned, but will be forwarded to Synapse in exactly the same way as +"normal" requests. + + # Firewall For normal use, at least ports 80 and 443 must be openend, see [Firewall](../firewall). 
diff --git a/matrix/synapse-admin/README.md b/matrix/synapse-admin/README.md new file mode 100644 index 0000000..31e6dd3 --- /dev/null +++ b/matrix/synapse-admin/README.md @@ -0,0 +1,33 @@ +# Synapse-admin + +This is the webgui for Synapse. + +Installation can be done in 3 ways +([see Github](https://github.com/Awesome-Technologies/synapse-admin)), we'll +pick the easiest one: using the precompiled tar. + +Unpack it under `/var/www`, link `synapse-admin` to the directory that the +archive creates. This is to make sure you can easily unpack a newer version, +prepare that, and then change the symlink. + +``` +# ls -l /var/www +total 8 +drwxr-xr-x 2 root root 4096 Nov 4 18:05 html +lrwxrwxrwx 1 root root 20 Nov 18 13:24 synapse-admin -> synapse-admin-0.10.3 +drwxr-xr-x 5 root root 4096 Nov 18 15:54 synapse-admin-0.10.3 +``` + +We use 0.10.3, but point nginx to '/var/www/synapse-admin'. Configuring nginx +is fairly straightforward, [see here](../nginx/README.md#synapse-admin}. + +You should probably restrict Synapse-Admin to your own Synapse-server, instead +of letting users fill in whatever they want. Do this by adding this bit to +`config.json`. In our config we've moved that file to +`/etc/synapse-admin` and link to that from `/var/www/synapse-admin`. + +``` +{ + "restrictBaseUrl": "https://vm02199.procolix.com" +} +```
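Review bot: In the `matrix/nginx/README.md` hunk, the `allow` list in the `location ~ ^/_synapse/admin` block hard-codes live addresses (`185.206.232.60`, `2a00:51c0:12:1201::2a`, `45.142.234.216`, `2a10:3781:2bc3::/64`) with comments like `# kantoor`, but the surrounding text only says "substitute the correct values" for the earlier vhost; add the same instruction right above this block so readers do not copy these addresses verbatim. The restriction also only covers this one `location` in `sites-available/synapse`: since the paragraph above mentions the federation port 8448, the note should tell readers to confirm that the 8448 vhost does not also forward `/_synapse/admin` to Synapse, or the allowlist is bypassed on that port. Finally, consider `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` instead of `$remote_addr` so an upstream proxy chain is preserved, and state that the IP filter is in addition to, not a replacement for, Synapse's own admin-token check.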
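Review bot: In the new `matrix/synapse-admin/README.md`, the link `[see here](../nginx/README.md#synapse-admin}.` is closed with `}` instead of `)`, so it will not render as a link; it should read `[see here](../nginx/README.md#synapse-admin).`. The `restrictBaseUrl` value `https://vm02199.procolix.com` is a concrete internal hostname and should be marked as a value to substitute, matching the `example.procolix.com` style used in the nginx README. The "precompiled tar" step gives no way to verify what was downloaded; record the exact release version (0.10.3 is shown in the `ls -l` output) and add a checksum or signature check if the upstream project publishes one, so the symlink-upgrade procedure does not silently deploy an unverified archive. It would also help to state who should be able to read `/etc/synapse-admin/config.json`, since it is served through the `/var/www/synapse-admin` symlink.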