From 94e11a362ab835ff43bd10bed399a2e72eddf447 Mon Sep 17 00:00:00 2001
From: Hans van Zijst <hans@procolix.com>
Date: Wed, 8 Jan 2025 19:31:34 +0100
Subject: [PATCH] Added nginx configuration for Element Web.

---
 matrix/nginx/README.md            | 48 +++++++++++++++++++++++++++++++
 matrix/nginx/conf/elementweb.conf | 12 ++++----
 2 files changed, 54 insertions(+), 6 deletions(-)

diff --git a/matrix/nginx/README.md b/matrix/nginx/README.md
index 1c2e466..18b5538 100644
--- a/matrix/nginx/README.md
+++ b/matrix/nginx/README.md
@@ -167,6 +167,54 @@ This is a very, very basic configuration; just enough to give us a working
 service. See this [complete example](revproxy.conf) which also includes
 [Draupnir](../draupnir) and a protected admin endpoint.
 
+# Element Web
+
+You can host the webclient on a different machine, but we'll run it on the
+same one in this documentation. You do need a different FQDN however, you
+can't host it under the same name as Synapse, such as:
+```
+https://matrix.example.com/element-web
+```
+So you'll need to create an entry in DNS and get a TLS-certificate for it (as
+mentioned in the [checklist](../checklist.md)).
+
+Other than that, configuration is quite simple. We'll listen on both http and
+https, and redirect http to https:
+
+```
+server {
+    listen 80;
+    listen [::]:80;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    
+    ssl_certificate /etc/letsencrypt/live/element.example.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/element.example.com/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/ssl/dhparams.pem;
+    
+    server_name element.example.com;
+    
+    location / {
+        if ($scheme = http) {
+            return 301 https://$host$request_uri;
+        }
+        add_header X-Frame-Options SAMEORIGIN;
+        add_header X-Content-Type-Options nosniff;
+        add_header X-XSS-Protection "1; mode=block";
+        add_header Content-Security-Policy "frame-ancestors 'self'";
+    }
+    
+    root /usr/share/element-web;
+    index index.html;
+    
+    access_log /var/log/nginx/elementweb-access.log;
+    error_log /var/log/nginx/elementweb-error.log;
+}
+```
+
+This assumes Element Web is installed under `/usr/share/element-web`, as done
+by the Debian package provided by Element.io.
 
 # Synapse-admin {#synapse-admin}
 
diff --git a/matrix/nginx/conf/elementweb.conf b/matrix/nginx/conf/elementweb.conf
index 79181e3..9784ffe 100644
--- a/matrix/nginx/conf/elementweb.conf
+++ b/matrix/nginx/conf/elementweb.conf
@@ -1,8 +1,8 @@
 server {
     listen 80;
     listen [::]:80;
-    listen 443 ssl;
-    listen [::]:443 ssl;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
     
     ssl_certificate /etc/letsencrypt/live/element.example.com/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/element.example.com/privkey.pem;
@@ -14,9 +14,9 @@ server {
     location / {
         if ($scheme = http) {
             return 301 https://$host$request_uri;
-    	}
+        }
         add_header X-Frame-Options SAMEORIGIN;
-        add_header X-Content-Type-Options nosniff;
+        add_header X-Content-Type-Options nosniff; 
         add_header X-XSS-Protection "1; mode=block";
         add_header Content-Security-Policy "frame-ancestors 'self'";
     }
@@ -24,6 +24,6 @@ server {
     root /usr/share/element-web;
     index index.html;
     
-    access_log /var/log/nginx/element-access.log;
-    error_log /var/log/nginx/element-error.log;
+    access_log /var/log/nginx/elementweb-access.log;
+    error_log /var/log/nginx/elementweb-error.log;
 }