forked from Fediversity/Fediversity
Added Synapse-Admin, and nginx's configuration for it.
This commit is contained in:
parent
ef412ea77a
commit
0bb2093a00
|
|
@ -133,6 +133,65 @@ Again, substitute the correct values. Don't forget to open the relevant ports
|
|||
in the firewall. Ports 80 and 443 may already be open, 8448 is probably not.
|
||||
|
||||
|
||||
# Synapse-admin {#synapse-admin}
|
||||
|
||||
If you also [install Synapse-Admin](../synapse-admin), you'll want to create
|
||||
another vhost, something like this:
|
||||
|
||||
```
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
|
||||
ssl_certificate
|
||||
/etc/letsencrypt/live/admin.example.procolix.com/fullchain.pem;
|
||||
ssl_certificate_key
|
||||
/etc/letsencrypt/live/admin.example.procolix.com/privkey.pem;
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
ssl_dhparam /etc/ssl/dhparams.pem;
|
||||
|
||||
server_name admin.example.procolix.com;
|
||||
|
||||
root /var/www/synapse-admin;
|
||||
|
||||
access_log /var/log/nginx/admin-example-access.log;
|
||||
error_log /var/log/nginx/admin-example-error.log;
|
||||
}
|
||||
```
|
||||
|
||||
You'll need an SSL certificate for this, of course. But you'll also need to
|
||||
give it access to the `/_synapse/admin` endpoint in Synapse.
|
||||
|
||||
You don't want this endpoint to be available for just anybody on the Internet,
|
||||
so restrict access to the IP-addresses from which you expect to use
|
||||
Synapse-Admin.
|
||||
|
||||
In `/etc/nginx/sites-available/synapse` you want to add this bit:
|
||||
|
||||
```
|
||||
location ~ ^/_synapse/admin {
|
||||
allow 127.0.0.1;
|
||||
allow ::1;
|
||||
allow 185.206.232.60; # this host
|
||||
allow 2a00:51c0:12:1201::2a; # this host
|
||||
allow 45.142.234.216; # kantoor
|
||||
allow 2a10:3781:2bc3::/64; # kantoor
|
||||
deny all;
|
||||
|
||||
proxy_pass http://localhost:8008;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header Host $host;
|
||||
client_max_body_size 50M;
|
||||
proxy_http_version 1.1;
|
||||
}
|
||||
```
|
||||
|
||||
This means access to `/_synapse/admin` is only allowed for the addresses
|
||||
mentioned, but will be forwarded to Synapse in exactly the same way as
|
||||
"normal" requests.
|
||||
|
||||
|
||||
# Firewall
|
||||
|
||||
For normal use, at least ports 80 and 443 must be openend, see [Firewall](../firewall).
|
||||
|
|
|
|||
33
matrix/synapse-admin/README.md
Normal file
33
matrix/synapse-admin/README.md
Normal file
|
|
@ -0,0 +1,33 @@
|
|||
# Synapse-admin
|
||||
|
||||
This is the webgui for Synapse.
|
||||
|
||||
Installation can be done in 3 ways
|
||||
([see Github](https://github.com/Awesome-Technologies/synapse-admin)), we'll
|
||||
pick the easiest one: using the precompiled tar.
|
||||
|
||||
Unpack it under `/var/www`, link `synapse-admin` to the directory that the
|
||||
archive creates. This is to make sure you can easily unpack a newer version,
|
||||
prepare that, and then change the symlink.
|
||||
|
||||
```
|
||||
# ls -l /var/www
|
||||
total 8
|
||||
drwxr-xr-x 2 root root 4096 Nov 4 18:05 html
|
||||
lrwxrwxrwx 1 root root 20 Nov 18 13:24 synapse-admin -> synapse-admin-0.10.3
|
||||
drwxr-xr-x 5 root root 4096 Nov 18 15:54 synapse-admin-0.10.3
|
||||
```
|
||||
|
||||
We use 0.10.3, but point nginx to '/var/www/synapse-admin'. Configuring nginx
|
||||
is fairly straightforward, [see here](../nginx/README.md#synapse-admin}.
|
||||
|
||||
You should probably restrict Synapse-Admin to your own Synapse-server, instead
|
||||
of letting users fill in whatever they want. Do this by adding this bit to
|
||||
`config.json`. In our config we've moved that file to
|
||||
`/etc/synapse-admin` and link to that from `/var/www/synapse-admin`.
|
||||
|
||||
```
|
||||
{
|
||||
"restrictBaseUrl": "https://vm02199.procolix.com"
|
||||
}
|
||||
```
|
||||
Loading…
Reference in a new issue