forked from Fediversity/Fediversity
Valentin Gagarin
184e89e586
git-subtree-dir: matrix git-subtree-mainline:c1d2cdc7c1
git-subtree-split:0a991a5140
132 lines
3.5 KiB
Markdown
132 lines
3.5 KiB
Markdown
---
|
|
gitea: none
|
|
include_toc: true
|
|
---
|
|
|
|
# Reverse proxy with nginx
|
|
|
|
Clients connecting from the Internet to our Matrix environment will usually
|
|
use SSL/TLS to encrypt whatever they want to send. This is one thing that
|
|
nginx does better than Synapse.
|
|
|
|
Furthermore, granting or denying access to specific endpoints is much easier
|
|
in nginx.
|
|
|
|
Synapse listens only on localhost, so nginx has to pass connections on from
|
|
the wild west that is the Internet to our server listening on the inside.
|
|
|
|
|
|
# Installing
|
|
|
|
Installing nginx and the [Let's Encrypt](https://letsencrypt.org/) plugin is
|
|
easy:
|
|
|
|
```
|
|
apt install nginx python3-certbot-nginx
|
|
```
|
|
|
|
Get your certificate:
|
|
|
|
```
|
|
certbot certonly --nginx --agree-tos -m systeemmail@procolix.com --non-interactive -d matrixdev.procolix.com
|
|
```
|
|
|
|
Substitute the correct e-mailaddress and FQDN, or course.
|
|
|
|
|
|
# Configuration
|
|
|
|
Almost all traffic should be encrypted, so a redirect from http to https seems
|
|
like a good idea.
|
|
|
|
However, `.well-known/matrix/client` has to be available via http and https,
|
|
so that should *NOT* be redirected to https. Some clients don't understand the
|
|
redirect and will therefore not find the server if you redirect everything.
|
|
|
|
Under the `server_name` (the "domain name", the part after the username) you
|
|
will need a configuration like this:
|
|
|
|
```
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
listen 443 ssl;
|
|
listen [::]:443 ssl;
|
|
|
|
ssl_certificate /etc/letsencrypt/live/matrixdev.procolix.com/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/matrixdev.procolix.com/privkey.pem;
|
|
include /etc/letsencrypt/options-ssl-nginx.conf;
|
|
ssl_dhparam /etc/ssl/dhparams.pem;
|
|
|
|
server_name matrixdev.procolix.com;
|
|
|
|
location /.well-known/matrix/client {
|
|
return 200 '{
|
|
"m.homeserver": {"base_url": "https://vm02199.procolix.com"},
|
|
"org.matrix.msc3575.proxy": {"url": "https://vm02199.procolix.com"}
|
|
}';
|
|
default_type application/json;
|
|
}
|
|
|
|
location /.well-known/matrix/server {
|
|
return 200 '{"m.server": "vm02199.procolix.com"}';
|
|
default_type application/json;
|
|
}
|
|
|
|
location / {
|
|
if ($scheme = http) {
|
|
return 301 https://$host$request_uri;
|
|
}
|
|
}
|
|
|
|
access_log /var/log/nginx/matrixdev-access.log;
|
|
error_log /var/log/nginx/matrixdev-error.log;
|
|
|
|
}
|
|
```
|
|
|
|
This defines a server that listens on both http and https. It hands out two
|
|
.well-known entries over both http and https, and every other request over
|
|
http is forwarded to https.
|
|
|
|
Be sure to substitute the correct values for `server_name`, `base_url` and the
|
|
certificate files.
|
|
|
|
For the actual proxy in front of Synapse, this is what you need:
|
|
|
|
```
|
|
server {
|
|
listen 443 ssl;
|
|
listen [::]:443 ssl;
|
|
|
|
# For the federation port
|
|
listen 8448 ssl default_server;
|
|
listen [::]:8448 ssl default_server;
|
|
|
|
ssl_certificate /etc/letsencrypt/live/vm02199.procolix.com/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/vm02199.procolix.com/privkey.pem;
|
|
include /etc/letsencrypt/options-ssl-nginx.conf;
|
|
ssl_dhparam /etc/ssl/dhparams.pem;
|
|
|
|
server_name vm02199.procolix.com;
|
|
|
|
location ~ ^(/_matrix|/_synapse/client) {
|
|
proxy_pass http://localhost:8008;
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header Host $host;
|
|
client_max_body_size 50M;
|
|
proxy_http_version 1.1;
|
|
}
|
|
|
|
}
|
|
```
|
|
|
|
Again, substitute the correct values. Don't forget to open the relevant ports
|
|
in the firewall. Ports 80 and 443 may already be open, 8448 is probably not.
|
|
|
|
|
|
# Firewall
|
|
|
|
For normal use, at least ports 80 and 443 must be openend, see [Firewall](../firewall).
|