From 5d355c0ff908517cd9551a5b03afea3f9b5acafd Mon Sep 17 00:00:00 2001
From: Hans van Zijst
Date: Wed, 4 Dec 2024 12:07:59 +0100
Subject: [PATCH] Updated and added some nginx configuration.
---
 matrix/coturn/README.md | 4 +--
 matrix/element-call/README.md | 3 +-
 matrix/element-web/README.md | 3 +-
 matrix/nginx/README.md | 30 ++++++++++++++------
 matrix/nginx/{proxy.conf => domain.conf} | 6 ++--
 matrix/nginx/{synapse.conf => revproxy.conf} | 19 +++++++------
 matrix/synapse-admin/README.md | 2 +-
 7 files changed, 43 insertions(+), 24 deletions(-)
 rename matrix/nginx/{proxy.conf => domain.conf} (89%)
 rename matrix/nginx/{synapse.conf => revproxy.conf} (79%)
diff --git a/matrix/coturn/README.md b/matrix/coturn/README.md
index d1d81f3..bedb882 100644
--- a/matrix/coturn/README.md
+++ b/matrix/coturn/README.md
@@ -12,8 +12,8 @@ to use TURN over IPv6, we'll stick to a strict IPv4-only configuration.
 Also, because VoIP traffic is only UDP, we won't do TCP.
 IMPORTANT! TURN can also be offered by [LiveKit](../element-call#livekit), in
-which case you should not run coturn (unless you don't use LiveKit's built-in
-TURN server).
+which case you should probably not run coturn (unless you don't use LiveKit's
+built-in TURN server, or want to run both to support legacy calls too).
 # Installation
diff --git a/matrix/element-call/README.md b/matrix/element-call/README.md
index f032b78..0dbd793 100644
--- a/matrix/element-call/README.md
+++ b/matrix/element-call/README.md
@@ -22,7 +22,8 @@ https://sspaeth.de/2024/11/sfu/
 # Install prerequisites
 Define an entry in DNS for Livekit and Call, e.g. `livekit.example.com`
-and `call.example.com`. Get certificates for them.
+and `call.example.com`. Get certificates for them and make sure to
+[automatically renew them](../nginx/README.md#certrenew).
 Expand `.well-known/matrix/client` to contain the pointer to the SFU:
diff --git a/matrix/element-web/README.md b/matrix/element-web/README.md
index b91f8c5..f3dbfee 100644
--- a/matrix/element-web/README.md
+++ b/matrix/element-web/README.md
@@ -12,7 +12,8 @@ on Github.
 You should never run Element-web on the same FQDN as your Synapse-server,
 because of XSS problems. So start by defining a new FQDN for where you will
-publish Element-web, and get a certificate for that.
+publish Element-web, and get a certificate for that (don't forget to
+[automatically reload nginx after the certificate renewal](../nginx/README.md#certrenew)).
 We'll use `element.example.com` here.
diff --git a/matrix/nginx/README.md b/matrix/nginx/README.md
index 6eda13e..399a6bd 100644
--- a/matrix/nginx/README.md
+++ b/matrix/nginx/README.md
@@ -63,7 +63,10 @@ renew_hook = systemctl try-reload-or-restart nginx
 ```
-# Configuration
+# Configuration of domain name {#configdomain}
+
+Let's start with the configuration on the webserver that runs on the domain
+name itself, in this case `example.com`.
 Almost all traffic should be encrypted, so a redirect from http to https seems
 like a good idea.
@@ -91,13 +94,13 @@ server {
 location /.well-known/matrix/client {
 return 200 '{
- "m.homeserver": {"base_url": "https://matrix.examples.com"},
+ "m.homeserver": {"base_url": "https://matrix.example.com"},
 }';
 default_type application/json;
 }
 location /.well-known/matrix/server {
- return 200 '{"m.server": "matrix.examples.com"}';
+ return 200 '{"m.server": "matrix.example.com"}';
 default_type application/json;
 }
@@ -118,9 +121,16 @@ This defines a server that listens on both http and https. It hands out two
 http is forwarded to https.
 Be sure to substitute the correct values for `server_name`, `base_url` and the
-certificate files.
+certificate files (and [renew the certificate](#renewcert)).
-For the actual proxy in front of Synapse, this is what you need:
+See this [full configuration example](domain.conf) with some extra stuff.
+
+
+# Configuration of the reverse proxy
+
+For the actual proxy in front of Synapse, this is what you need: forward ports
+443 and 8448 to Synapse, listening on localhost, and add a few headers so
+Synapse know's who's on the other side of the line.
 ```
 server {
@@ -131,12 +141,12 @@ server {
 listen 8448 ssl default_server;
 listen [::]:8448 ssl default_server;
- ssl_certificate /etc/letsencrypt/live/matrix.procolix.com/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/matrix.procolix.com/privkey.pem;
+ ssl_certificate /etc/letsencrypt/live/matrix.example.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/matrix.example.com/privkey.pem;
 include /etc/letsencrypt/options-ssl-nginx.conf;
 ssl_dhparam /etc/ssl/dhparams.pem;
- server_name matrix.procolix.com;
+ server_name matrix.example.com;
 location ~ ^(/_matrix|/_synapse/client) {
 proxy_pass http://localhost:8008;
@@ -153,6 +163,10 @@ server {
 Again, substitute the correct values. Don't forget to open the relevant ports
 in the firewall. Ports 80 and 443 may already be open, 8448 is probably not.
+This is a very, very basic configuration; just enough to give us a working
+service. See this [complete example](revproxy.conf) which also includes
+[Draupnir](../draupnir) and a protected admin endpoint.
+
 # Synapse-admin {#synapse-admin}
diff --git a/matrix/nginx/proxy.conf b/matrix/nginx/domain.conf
similarity index 89%
rename from matrix/nginx/proxy.conf
rename to matrix/nginx/domain.conf
index 105e40c..264c3b3 100644
--- a/matrix/nginx/proxy.conf
+++ b/matrix/nginx/domain.conf
@@ -13,8 +13,8 @@ server {
 location /.well-known/matrix/client {
 return 200 '{
- "m.homeserver": {"base_url": "https://vm02199.example.com"},
- "org.matrix.msc3575.proxy": {"url": "https://vm02199.example.com"},
+ "m.homeserver": {"base_url": "https://matrix.example.com"},
+ "org.matrix.msc3575.proxy": {"url": "https://matrix.example.com"},
 "org.matrix.msc4143.rtc_foci":[ {"type": "livekit", "livekit_service_url": "https://livekit.example.com"}
@@ -25,7 +25,7 @@ server {
 }
 location /.well-known/matrix/server {
- return 200 '{"m.server": "vm02199.example.com"}';
+ return 200 '{"m.server": "matrix.example.com"}';
 default_type application/json;
 }
diff --git a/matrix/nginx/synapse.conf b/matrix/nginx/revproxy.conf
similarity index 79%
rename from matrix/nginx/synapse.conf
rename to matrix/nginx/revproxy.conf
index fd94204..14a8e2c 100644
--- a/matrix/nginx/synapse.conf
+++ b/matrix/nginx/revproxy.conf
@@ -6,12 +6,12 @@ server {
 listen 8448 ssl;
 listen [::]:8448 ssl;
- ssl_certificate /etc/letsencrypt/live/vm02199.example.com/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/vm02199.example.com/privkey.pem;
+ ssl_certificate /etc/letsencrypt/live/matrix.example.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/matrix.example.com/privkey.pem;
 include /etc/letsencrypt/options-ssl-nginx.conf;
 ssl_dhparam /etc/ssl/dhparams.pem;
- server_name vm02199.example.com;
+ server_name matrix.example.com;
 # Abuse reports get forwarded to Draupnir, listening on port 8082
 location ~ ^/_matrix/client/(r0|v3)/rooms/([^/]*)/report/(.*)$ {
@@ -24,7 +24,7 @@ server {
 proxy_pass http://[::1]:8082/api/1/report/$room_id/$event_id;
 }
- # Reports that need to reach Synapse (not sure...)
+ # Reports that need to reach Synapse (not really sure it this is used)
 location /_synapse/admin/v1/event_reports {
 proxy_pass http://localhost:8008;
 proxy_set_header X-Forwarded-For $remote_addr;
@@ -33,14 +33,17 @@ server {
 client_max_body_size 50M;
 proxy_http_version 1.1;
 }
- location ~ ^/_synapse/admin/v1/rooms/[^/]*/context/(.*)$ {
- proxy_pass http://localhost:8008;
+ location ~ ^/_synapse/admin/v1/rooms/([^/]*)/context/(.*)$ {
+ set $room_id $2;
+ set $event_id $3;
+ proxy_pass http://localhost:8008/_synapse/admin/v1/rooms/$room_id/context/$evend_id;
 proxy_set_header X-Forwarded-For $remote_addr;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header Host $host;
 client_max_body_size 50M;
 proxy_http_version 1.1;
 }
+
 # If you want the server version to be public:
 location ~ ^/_synapse/admin/v1/server_version$ {
 proxy_pass http://localhost:8008;
@@ -76,7 +79,7 @@ server {
 proxy_http_version 1.1;
 }
- access_log /var/log/nginx/vm02199-access.log;
- error_log /var/log/nginx/vm02199-error.log;
+ access_log /var/log/nginx/matrix-access.log;
+ error_log /var/log/nginx/matrix-error.log;
 }
diff --git a/matrix/synapse-admin/README.md b/matrix/synapse-admin/README.md
index 3a9794b..7a636e7 100644
--- a/matrix/synapse-admin/README.md
+++ b/matrix/synapse-admin/README.md
@@ -28,6 +28,6 @@ of letting users fill in whatever they want. Do this by adding this bit to
 ```
 {
- "restrictBaseUrl": "https://vm02199.procolix.com"
+ "restrictBaseUrl": "https://matrix.example.com"
 }
 ```
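Review bot: The new `location ~ ^/_synapse/admin/v1/rooms/([^/]*)/context/(.*)$` in revproxy.conf has only two capture groups, so `set $room_id $2;` stores the event id in the room variable and `set $event_id $3;` reads a capture that does not exist; the proxy_pass line then also spells the variable `$evend_id`, which nginx treats as an unset (empty) variable and warns about, so the URI forwarded to Synapse loses the event id segment. The three lines should read `set $room_id $1;`, `set $event_id $2;` and `proxy_pass http://localhost:8008/_synapse/admin/v1/rooms/$room_id/context/$event_id;`. Since the assembled URI is identical to the request URI, the removed `proxy_pass http://localhost:8008;` would also work and avoids building the upstream path from unescaped regex captures at all. The `$2`/`$3` numbering looks copied from the report location in the previous hunk, whose regex has a third group because of the leading `(r0|v3)`. The enclosing server block begins and ends outside the hunk.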