Added Synapse-Admin, and nginx's configuration for it.

Hans van Zijst 2024-11-18 16:21:22 +01:00 committed by Valentin Gagarin
parent ef412ea77a
commit 0bb2093a00
2 changed files with 92 additions and 0 deletions


@ -133,6 +133,65 @@ Again, substitute the correct values. Don't forget to open the relevant ports
in the firewall. Ports 80 and 443 may already be open, 8448 is probably not. in the firewall. Ports 80 and 443 may already be open, 8448 is probably not.
# Synapse-admin {#synapse-admin}
If you also [install Synapse-Admin](../synapse-admin), you'll want to create
another vhost, something like this:
```
server {
listen 443 ssl;
listen [::]:443 ssl;
ssl_certificate
/etc/letsencrypt/live/admin.example.procolix.com/fullchain.pem;
ssl_certificate_key
/etc/letsencrypt/live/admin.example.procolix.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/ssl/dhparams.pem;
server_name admin.example.procolix.com;
root /var/www/synapse-admin;
access_log /var/log/nginx/admin-example-access.log;
error_log /var/log/nginx/admin-example-error.log;
}
```
You'll need an SSL certificate for this, of course. But you'll also need to
give it access to the `/_synapse/admin` endpoint in Synapse.
You don't want this endpoint to be available for just anybody on the Internet,
so restrict access to the IP-addresses from which you expect to use
Synapse-Admin.
In `/etc/nginx/sites-available/synapse` you want to add this bit:
```
location ~ ^/_synapse/admin {
allow 127.0.0.1;
allow ::1;
allow 185.206.232.60; # this host
allow 2a00:51c0:12:1201::2a; # this host
allow 45.142.234.216; # kantoor
allow 2a10:3781:2bc3::/64; # kantoor
deny all;
proxy_pass http://localhost:8008;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
client_max_body_size 50M;
proxy_http_version 1.1;
}
```
This means access to `/_synapse/admin` is only allowed for the addresses
mentioned, but will be forwarded to Synapse in exactly the same way as
"normal" requests.
# Firewall # Firewall
For normal use, at least ports 80 and 443 must be openend, see [Firewall](../firewall). For normal use, at least ports 80 and 443 must be openend, see [Firewall](../firewall).
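Review bot: the allow list inside `location ~ ^/_synapse/admin` hard-codes specific addresses (`185.206.232.60`, `45.142.234.216`, `2a00:51c0:12:1201::2a`, `2a10:3781:2bc3::/64`) even though the surrounding text tells readers to substitute their own values; use reserved documentation ranges instead (for example `allow 192.0.2.10;` and `allow 2001:db8::/64;`) and write the `# kantoor` comment in English (`# office`). The regex has no trailing boundary, so it matches any path that merely starts with `/_synapse/admin`; `^/_synapse/admin(/|$)` would be tighter. The `admin.example.procolix.com` server block itself carries no allow/deny lines, so the UI is served to everyone while only the API is restricted; if that is not intended, say so in the text or repeat the restriction there.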


@ -0,0 +1,33 @@
# Synapse-admin
This is the webgui for Synapse.
Installation can be done in 3 ways
([see Github](https://github.com/Awesome-Technologies/synapse-admin)), we'll
pick the easiest one: using the precompiled tar.
Unpack it under `/var/www`, link `synapse-admin` to the directory that the
archive creates. This is to make sure you can easily unpack a newer version,
prepare that, and then change the symlink.
```
# ls -l /var/www
total 8
drwxr-xr-x 2 root root 4096 Nov 4 18:05 html
lrwxrwxrwx 1 root root 20 Nov 18 13:24 synapse-admin -> synapse-admin-0.10.3
drwxr-xr-x 5 root root 4096 Nov 18 15:54 synapse-admin-0.10.3
```
We use 0.10.3, but point nginx to '/var/www/synapse-admin'. Configuring nginx
is fairly straightforward, [see here](../nginx/README.md#synapse-admin}.
You should probably restrict Synapse-Admin to your own Synapse-server, instead
of letting users fill in whatever they want. Do this by adding this bit to
`config.json`. In our config we've moved that file to
`/etc/synapse-admin` and link to that from `/var/www/synapse-admin`.
```
{
"restrictBaseUrl": "https://vm02199.procolix.com"
}
```