diff --git a/matrix/coturn/README.md b/matrix/coturn/README.md
index d1d81f3f..bedb8821 100644
--- a/matrix/coturn/README.md
+++ b/matrix/coturn/README.md
@@ -12,8 +12,8 @@ to use TURN over IPv6, we'll stick to a strict IPv4-only configuration.
Also, because VoIP traffic is only UDP, we won't do TCP.
IMPORTANT! TURN can also be offered by [LiveKit](../element-call#livekit), in
-which case you should not run coturn (unless you don't use LiveKit's built-in
-TURN server).
+which case you should probably not run coturn (unless you don't use LiveKit's
+built-in TURN server, or want to run both to support legacy calls too).
# Installation
diff --git a/matrix/element-call/README.md b/matrix/element-call/README.md
index f032b78d..0dbd793e 100644
--- a/matrix/element-call/README.md
+++ b/matrix/element-call/README.md
@@ -22,7 +22,8 @@ https://sspaeth.de/2024/11/sfu/
# Install prerequisites
Define an entry in DNS for Livekit and Call, e.g. `livekit.example.com`
-and `call.example.com`. Get certificates for them.
+and `call.example.com`. Get certificates for them and make sure to
+[automatically renew them](../nginx/README.md#certrenew).
Expand `.well-known/matrix/client` to contain the pointer to the SFU:
diff --git a/matrix/element-web/README.md b/matrix/element-web/README.md
index b91f8c5d..f3dbfeed 100644
--- a/matrix/element-web/README.md
+++ b/matrix/element-web/README.md
@@ -12,7 +12,8 @@ on Github.
You should never run Element-web on the same FQDN as your Synapse-server,
because of XSS problems. So start by defining a new FQDN for where you will
-publish Element-web, and get a certificate for that.
+publish Element-web, and get a certificate for that (don't forget to
+[automatically reload nginx after the certificate renewal](../nginx/README.md#certrenew)).
We'll use `element.example.com` here.
diff --git a/matrix/nginx/README.md b/matrix/nginx/README.md
index 6eda13eb..399a6bd7 100644
--- a/matrix/nginx/README.md
+++ b/matrix/nginx/README.md
@@ -63,7 +63,10 @@ renew_hook = systemctl try-reload-or-restart nginx
```
-# Configuration
+# Configuration of domain name {#configdomain}
+
+Let's start with the configuration on the webserver that runs on the domain
+name itself, in this case `example.com`.
Almost all traffic should be encrypted, so a redirect from http to https seems
like a good idea.
@@ -91,13 +94,13 @@ server {
location /.well-known/matrix/client {
return 200 '{
- "m.homeserver": {"base_url": "https://matrix.examples.com"},
+ "m.homeserver": {"base_url": "https://matrix.example.com"},
}';
default_type application/json;
}
location /.well-known/matrix/server {
- return 200 '{"m.server": "matrix.examples.com"}';
+ return 200 '{"m.server": "matrix.example.com"}';
default_type application/json;
}
@@ -118,9 +121,16 @@ This defines a server that listens on both http and https. It hands out two
http is forwarded to https.
Be sure to substitute the correct values for `server_name`, `base_url` and the
-certificate files.
+certificate files (and [renew the certificate](#renewcert)).
-For the actual proxy in front of Synapse, this is what you need:
+See this [full configuration example](domain.conf) with some extra stuff.
+
+
+# Configuration of the reverse proxy
+
+For the actual proxy in front of Synapse, this is what you need: forward ports
+443 and 8448 to Synapse, listening on localhost, and add a few headers so
+Synapse know's who's on the other side of the line.
```
server {
@@ -131,12 +141,12 @@ server {
listen 8448 ssl default_server;
listen [::]:8448 ssl default_server;
- ssl_certificate /etc/letsencrypt/live/matrix.procolix.com/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/matrix.procolix.com/privkey.pem;
+ ssl_certificate /etc/letsencrypt/live/matrix.example.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/matrix.example.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/ssl/dhparams.pem;
- server_name matrix.procolix.com;
+ server_name matrix.example.com;
location ~ ^(/_matrix|/_synapse/client) {
proxy_pass http://localhost:8008;
@@ -153,6 +163,10 @@ server {
Again, substitute the correct values. Don't forget to open the relevant ports
in the firewall. Ports 80 and 443 may already be open, 8448 is probably not.
+This is a very, very basic configuration; just enough to give us a working
+service. See this [complete example](revproxy.conf) which also includes
+[Draupnir](../draupnir) and a protected admin endpoint.
+
# Synapse-admin {#synapse-admin}
diff --git a/matrix/nginx/proxy.conf b/matrix/nginx/domain.conf
similarity index 89%
rename from matrix/nginx/proxy.conf
rename to matrix/nginx/domain.conf
index 105e40c1..264c3b38 100644
--- a/matrix/nginx/proxy.conf
+++ b/matrix/nginx/domain.conf
@@ -13,8 +13,8 @@ server {
location /.well-known/matrix/client {
return 200 '{
- "m.homeserver": {"base_url": "https://vm02199.example.com"},
- "org.matrix.msc3575.proxy": {"url": "https://vm02199.example.com"},
+ "m.homeserver": {"base_url": "https://matrix.example.com"},
+ "org.matrix.msc3575.proxy": {"url": "https://matrix.example.com"},
"org.matrix.msc4143.rtc_foci":[
{"type": "livekit",
"livekit_service_url": "https://livekit.example.com"}
@@ -25,7 +25,7 @@ server {
}
location /.well-known/matrix/server {
- return 200 '{"m.server": "vm02199.example.com"}';
+ return 200 '{"m.server": "matrix.example.com"}';
default_type application/json;
}
diff --git a/matrix/nginx/synapse.conf b/matrix/nginx/revproxy.conf
similarity index 79%
rename from matrix/nginx/synapse.conf
rename to matrix/nginx/revproxy.conf
index fd942040..14a8e2c0 100644
--- a/matrix/nginx/synapse.conf
+++ b/matrix/nginx/revproxy.conf
@@ -6,12 +6,12 @@ server {
listen 8448 ssl;
listen [::]:8448 ssl;
- ssl_certificate /etc/letsencrypt/live/vm02199.example.com/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/vm02199.example.com/privkey.pem;
+ ssl_certificate /etc/letsencrypt/live/matrix.example.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/matrix.example.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/ssl/dhparams.pem;
- server_name vm02199.example.com;
+ server_name matrix.example.com;
# Abuse reports get forwarded to Draupnir, listening on port 8082
location ~ ^/_matrix/client/(r0|v3)/rooms/([^/]*)/report/(.*)$ {
@@ -24,7 +24,7 @@ server {
proxy_pass http://[::1]:8082/api/1/report/$room_id/$event_id;
}
- # Reports that need to reach Synapse (not sure...)
+ # Reports that need to reach Synapse (not really sure it this is used)
location /_synapse/admin/v1/event_reports {
proxy_pass http://localhost:8008;
proxy_set_header X-Forwarded-For $remote_addr;
@@ -33,14 +33,17 @@ server {
client_max_body_size 50M;
proxy_http_version 1.1;
}
- location ~ ^/_synapse/admin/v1/rooms/[^/]*/context/(.*)$ {
- proxy_pass http://localhost:8008;
+ location ~ ^/_synapse/admin/v1/rooms/([^/]*)/context/(.*)$ {
+ set $room_id $2;
+ set $event_id $3;
+ proxy_pass http://localhost:8008/_synapse/admin/v1/rooms/$room_id/context/$evend_id;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
client_max_body_size 50M;
proxy_http_version 1.1;
}
+
# If you want the server version to be public:
location ~ ^/_synapse/admin/v1/server_version$ {
proxy_pass http://localhost:8008;
@@ -76,7 +79,7 @@ server {
proxy_http_version 1.1;
}
- access_log /var/log/nginx/vm02199-access.log;
- error_log /var/log/nginx/vm02199-error.log;
+ access_log /var/log/nginx/matrix-access.log;
+ error_log /var/log/nginx/matrix-error.log;
}
diff --git a/matrix/synapse-admin/README.md b/matrix/synapse-admin/README.md
index 3a9794b6..7a636e72 100644
--- a/matrix/synapse-admin/README.md
+++ b/matrix/synapse-admin/README.md
@@ -28,6 +28,6 @@ of letting users fill in whatever they want. Do this by adding this bit to
```
{
- "restrictBaseUrl": "https://vm02199.procolix.com"
+ "restrictBaseUrl": "https://matrix.example.com"
}
```