Updated and added some nginx configuration.

matrix/coturn/README.md

@@ -12,8 +12,8 @@ to use TURN over IPv6, we'll stick to a strict IPv4-only configuration.
 Also, because VoIP traffic is only UDP, we won't do TCP.
 
 IMPORTANT! TURN can also be offered by [LiveKit](../element-call#livekit), in
-which case you should not run coturn (unless you don't use LiveKit's built-in
+which case you should probably not run coturn (unless you don't use LiveKit's
-TURN server).
+built-in TURN server, or want to run both to support legacy calls too).
 
 
 # Installation

matrix/element-call/README.md

@@ -22,7 +22,8 @@ https://sspaeth.de/2024/11/sfu/
 # Install prerequisites
 
 Define an entry in DNS for Livekit and Call, e.g. `livekit.example.com`
-and `call.example.com`. Get certificates for them.
+and `call.example.com`. Get certificates for them and make sure to
+[automatically renew them](../nginx/README.md#certrenew).
 
 Expand `.well-known/matrix/client` to contain the pointer to the SFU:
 

matrix/element-web/README.md

@@ -12,7 +12,8 @@ on Github.
 
 You should never run Element-web on the same FQDN as your Synapse-server,
 because of XSS problems. So start by defining a new FQDN for where you will
-publish Element-web, and get a certificate for that.
+publish Element-web, and get a certificate for that (don't forget to
+[automatically reload nginx after the certificate renewal](../nginx/README.md#certrenew)).
 
 We'll use `element.example.com` here.
 

matrix/nginx/README.md

@@ -63,7 +63,10 @@ renew_hook = systemctl try-reload-or-restart nginx
 ```
 
 
-# Configuration
+# Configuration of domain name {#configdomain}
+
+Let's start with the configuration on the webserver that runs on the domain
+name itself, in this case `example.com`.
 
 Almost all traffic should be encrypted, so a redirect from http to https seems
 like a good idea.
@@ -91,13 +94,13 @@ server {
 
     location /.well-known/matrix/client {
        return 200 '{
-          "m.homeserver": {"base_url": "https://matrix.examples.com"},
+          "m.homeserver": {"base_url": "https://matrix.example.com"},
        }';
        default_type application/json;
     }
 
     location /.well-known/matrix/server {
-       return 200 '{"m.server": "matrix.examples.com"}';
+       return 200 '{"m.server": "matrix.example.com"}';
        default_type application/json;
     }
 
@@ -118,9 +121,16 @@ This defines a server that listens on both http and https. It hands out two
 http is forwarded to https.
 
 Be sure to substitute the correct values for `server_name`, `base_url` and the
-certificate files.
+certificate files (and [renew the certificate](#renewcert)).
 
-For the actual proxy in front of Synapse, this is what you need:
+See this [full configuration example](domain.conf) with some extra stuff.
+
+
+# Configuration of the reverse proxy
+
+For the actual proxy in front of Synapse, this is what you need: forward ports
+443 and 8448 to Synapse, listening on localhost, and add a few headers so
+Synapse know's who's on the other side of the line.
 
 ```
 server {
@@ -131,12 +141,12 @@ server {
 	listen 8448 ssl default_server;
 	listen [::]:8448 ssl default_server;
 
-	ssl_certificate /etc/letsencrypt/live/matrix.procolix.com/fullchain.pem;
+	ssl_certificate /etc/letsencrypt/live/matrix.example.com/fullchain.pem;
-	ssl_certificate_key /etc/letsencrypt/live/matrix.procolix.com/privkey.pem;
+	ssl_certificate_key /etc/letsencrypt/live/matrix.example.com/privkey.pem;
 	include /etc/letsencrypt/options-ssl-nginx.conf;
 	ssl_dhparam /etc/ssl/dhparams.pem;
 
-	server_name matrix.procolix.com;
+	server_name matrix.example.com;
 
 	location ~ ^(/_matrix|/_synapse/client) {
 		proxy_pass http://localhost:8008;
@@ -153,6 +163,10 @@ server {
 Again, substitute the correct values. Don't forget to open the relevant ports
 in the firewall. Ports 80 and 443 may already be open, 8448 is probably not.
 
+This is a very, very basic configuration; just enough to give us a working
+service. See this [complete example](revproxy.conf) which also includes
+[Draupnir](../draupnir) and a protected admin endpoint.
+
 
 # Synapse-admin {#synapse-admin}
 

matrix/nginx/domain.conf

@@ -13,8 +13,8 @@ server {
     
     location /.well-known/matrix/client {
         return 200 '{
-            "m.homeserver": {"base_url": "https://vm02199.example.com"},
+            "m.homeserver": {"base_url": "https://matrix.example.com"},
-            "org.matrix.msc3575.proxy": {"url": "https://vm02199.example.com"},
+            "org.matrix.msc3575.proxy": {"url": "https://matrix.example.com"},
             "org.matrix.msc4143.rtc_foci":[
             	{"type": "livekit",
             	"livekit_service_url": "https://livekit.example.com"}
@@ -25,7 +25,7 @@ server {
     }
     
     location /.well-known/matrix/server {
-        return 200 '{"m.server": "vm02199.example.com"}';
+        return 200 '{"m.server": "matrix.example.com"}';
         default_type application/json;
     }
 

matrix/nginx/revproxy.conf

@@ -6,12 +6,12 @@ server {
 	listen 8448 ssl;
 	listen [::]:8448 ssl;
 
-	ssl_certificate /etc/letsencrypt/live/vm02199.example.com/fullchain.pem;
+	ssl_certificate /etc/letsencrypt/live/matrix.example.com/fullchain.pem;
-	ssl_certificate_key /etc/letsencrypt/live/vm02199.example.com/privkey.pem;
+	ssl_certificate_key /etc/letsencrypt/live/matrix.example.com/privkey.pem;
 	include /etc/letsencrypt/options-ssl-nginx.conf;
 	ssl_dhparam /etc/ssl/dhparams.pem;
 
-	server_name vm02199.example.com;
+	server_name matrix.example.com;
 
 	# Abuse reports get forwarded to Draupnir, listening on port 8082
 	location ~ ^/_matrix/client/(r0|v3)/rooms/([^/]*)/report/(.*)$ {
@@ -24,7 +24,7 @@ server {
 		proxy_pass http://[::1]:8082/api/1/report/$room_id/$event_id;
 	}
 
-	# Reports that need to reach Synapse (not sure...)
+	# Reports that need to reach Synapse (not really sure it this is used)
 	location /_synapse/admin/v1/event_reports {
 		proxy_pass http://localhost:8008;
 		proxy_set_header X-Forwarded-For $remote_addr;
@@ -33,14 +33,17 @@ server {
 		client_max_body_size 50M;
 		proxy_http_version 1.1;
 	}
-	location ~ ^/_synapse/admin/v1/rooms/[^/]*/context/(.*)$ {
+	location ~ ^/_synapse/admin/v1/rooms/([^/]*)/context/(.*)$ {
-		proxy_pass http://localhost:8008;
+		set $room_id $2;
+		set $event_id $3;
+		proxy_pass http://localhost:8008/_synapse/admin/v1/rooms/$room_id/context/$evend_id;
 		proxy_set_header X-Forwarded-For $remote_addr;
 		proxy_set_header X-Forwarded-Proto $scheme;
 		proxy_set_header Host $host;
 		client_max_body_size 50M;
 		proxy_http_version 1.1;
 	}
+
 	# If you want the server version to be public:
 	location ~ ^/_synapse/admin/v1/server_version$ {
 		proxy_pass http://localhost:8008;
@@ -76,7 +79,7 @@ server {
 		proxy_http_version 1.1;
 	}
 
-	access_log /var/log/nginx/vm02199-access.log;
+	access_log /var/log/nginx/matrix-access.log;
-	error_log /var/log/nginx/vm02199-error.log;
+	error_log /var/log/nginx/matrix-error.log;
 }
 

matrix/synapse-admin/README.md

@@ -28,6 +28,6 @@ of letting users fill in whatever they want. Do this by adding this bit to
 
 ```
 {
-  "restrictBaseUrl": "https://vm02199.procolix.com"
+  "restrictBaseUrl": "https://matrix.example.com"
 }
 ```