diff --git a/matrix/nginx/README.md b/matrix/nginx/README.md
index 1c2e466..18b5538 100644
--- a/matrix/nginx/README.md
+++ b/matrix/nginx/README.md
@@ -167,6 +167,54 @@
 This is a very, very basic configuration; just enough to give us a working
 service. See this [complete example](revproxy.conf) which also includes
 [Draupnir](../draupnir) and a protected admin endpoint.
 
+# Element Web
+
+You can host the webclient on a different machine, but we'll run it on the
+same one in this documentation. You do need a different FQDN however, you
+can't host it under the same name as Synapse, such as:
+```
+https://matrix.example.com/element-web
+```
+So you'll need to create an entry in DNS and get a TLS-certificate for it (as
+mentioned in the [checklist](../checklist.md)).
+
+Other than that, configuration is quite simple. We'll listen on both http and
+https, and redirect http to https:
+
+```
+server {
+    listen 80;
+    listen [::]:80;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    ssl_certificate /etc/letsencrypt/live/element.example.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/element.example.com/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/ssl/dhparams.pem;
+
+    server_name element.example.com;
+
+    location / {
+        if ($scheme = http) {
+            return 301 https://$host$request_uri;
+        }
+        add_header X-Frame-Options SAMEORIGIN;
+        add_header X-Content-Type-Options nosniff;
+        add_header X-XSS-Protection "1; mode=block";
+        add_header Content-Security-Policy "frame-ancestors 'self'";
+    }
+
+    root /usr/share/element-web;
+    index index.html;
+
+    access_log /var/log/nginx/elementweb-access.log;
+    error_log /var/log/nginx/elementweb-error.log;
+}
+```
+
+This assumes Element Web is installed under `/usr/share/element-web`, as done
+by the Debian package provided by Element.io.
 
 # Synapse-admin {#synapse-admin}
 
diff --git a/matrix/nginx/conf/elementweb.conf b/matrix/nginx/conf/elementweb.conf
index 79181e3..9784ffe 100644
--- a/matrix/nginx/conf/elementweb.conf
+++ b/matrix/nginx/conf/elementweb.conf
@@ -1,8 +1,8 @@
 server {
     listen 80;
     listen [::]:80;
-    listen 443 ssl;
-    listen [::]:443 ssl;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
 
     ssl_certificate /etc/letsencrypt/live/element.example.com/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/element.example.com/privkey.pem;
@@ -14,9 +14,9 @@ server {
     location / {
         if ($scheme = http) {
             return 301 https://$host$request_uri;
-        }
+        }
         add_header X-Frame-Options SAMEORIGIN;
-        add_header X-Content-Type-Options nosniff;
+        add_header X-Content-Type-Options nosniff;
         add_header X-XSS-Protection "1; mode=block";
         add_header Content-Security-Policy "frame-ancestors 'self'";
     }
@@ -24,6 +24,6 @@ server {
     root /usr/share/element-web;
     index index.html;
 
-    access_log /var/log/nginx/element-access.log;
-    error_log /var/log/nginx/element-error.log;
+    access_log /var/log/nginx/elementweb-access.log;
+    error_log /var/log/nginx/elementweb-error.log;
 }
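Review bot: The `http2` parameter added to the two `listen 443` lines is the form nginx deprecated in 1.25.1 in favour of a standalone directive, so on a current nginx it still works but logs a deprecation warning at `nginx -t`. If the target nginx is at least that version, write `listen 443 ssl;` / `listen [::]:443 ssl;` and add `http2 on;` once in the block; on older releases the parameter form is the only one available, so the version the Debian package ships decides which to use. The enclosing `server` block continues past the end of this hunk.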
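Review bot: The `add_header` list in `location /` sets framing and MIME headers but no `Strict-Transport-Security`, so a browser that was once sent to the plain-http name keeps issuing a cleartext first request that the `return 301` has to intercept each time; unless the included options-ssl-nginx.conf sets it (not visible here), add `add_header Strict-Transport-Security "max-age=31536000" always;` beside the other `add_header` lines. Keep in mind that `add_header` inside a `location` replaces rather than extends any `add_header` set at `server` or `http` level, so headers defined there stop applying to this location. `X-XSS-Protection "1; mode=block"` targets an auditor that current browsers have removed and that was itself a source of cross-site leaks in older ones; current guidance is `add_header X-XSS-Protection "0";` or dropping the line. The redirect in the same hunk builds its target from `$host`, which echoes the client-supplied Host header; `return 301 https://$server_name$request_uri;` pins it to this vhost. The enclosing `server` block starts and ends outside this hunk.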