From 2e5b97134fe12fcbf1912e61ba49408d99bb2a10 Mon Sep 17 00:00:00 2001
From: Jakub Czajka
Date: Sun, 27 Nov 2022 10:17:37 +0100
Subject: [PATCH] [matrix] Proxy communication through `nginx`.

This commit configures `nginx` to act as a reverse proxy for matrix. `nginx` receives requests on ports 443 (client) and 8448 (other matrix instances) and forwards them to localhost:8008 for matrix to process.

---
 matrix/README | 10 ++++++++
 matrix/homeserver.yaml | 58 ++++--------------------------------
 nginx/README | 15 +++++++++--
 3 files changed, 28 insertions(+), 55 deletions(-)

diff --git a/matrix/README b/matrix/README
index ba42061..7e99581 100644
--- a/matrix/README
+++ b/matrix/README
@@ -5,6 +5,16 @@ Open network for secure federated communication.
 `synapse` is a server implementing the matrix protocol. Servers connect to each other on port 8448 (federation port). Clients connect to servers on port 443 (client port).
+DNS
+---
+
+matrix. CNAME
+
+SSL
+---
+
+Obtain a certificate with `certbot-nginx`.
+
 Files
 -----
diff --git a/matrix/homeserver.yaml b/matrix/homeserver.yaml
index d842ab4..1979e28 100644
--- a/matrix/homeserver.yaml
+++ b/matrix/homeserver.yaml
@@ -4,16 +4,16 @@ # autogenerates on launch with your own SSL certificate + key pair # if you like. Any required intermediary certificates can be # appended after the primary certificate in hierarchical order. -tls_certificate_path: "/etc/matrix-synapse/homeserver.tls.crt" +#tls_certificate_path: "/etc/matrix-synapse/homeserver.tls.crt" # PEM encoded private key for TLS -tls_private_key_path: "/etc/matrix-synapse/homeserver.tls.key" +#tls_private_key_path: "/etc/matrix-synapse/homeserver.tls.key" # PEM dh parameters for ephemeral keys -tls_dh_params_path: "/etc/matrix-synapse/homeserver.tls.dh" +#tls_dh_params_path: "/etc/matrix-synapse/homeserver.tls.dh" # Don't bind to the https port -no_tls: False +no_tls: True # List of allowed TLS fingerprints for this server to publish along # with the signing keys for this server. Other matrix servers that 
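Review bot: Commenting out `tls_certificate_path` may silently break federation fingerprint publication, depending on the Synapse version this file targets. The context right after the hunk still talks about "allowed TLS fingerprints for this server to publish along with the signing keys", which reads like the pre-1.0 layout in which Synapse derives `tls_fingerprints` from the configured certificate regardless of `no_tls`; if that is the version in use, peers would compare the published fingerprint against the certificate nginx now presents on 8448, and the two will not match. Either leave `tls_certificate_path` pointing at the fullchain certificate certbot issues for nginx (Synapse needs no private key for that) or confirm that the running version ignores the setting, and record the decision in a comment such as `# TLS is terminated by nginx; certificate kept only for tls_fingerprints`. Separately, `no_tls: True` keeps the file's capitalised-boolean style, but yamllint's `truthy` rule and current Synapse documentation write `true`/`false`.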
@@ -234,65 +234,17 @@ federation_ip_range_blacklist:
 # webclient: A web client. Requires web_client_location to be set.
 #
 listeners:
- # Main HTTPS listener
- # For when matrix traffic is sent directly to synapse.
- -
- # The port to listen for HTTPS requests on.
- port: 8448
-
- # Local addresses to listen on.
- # On Linux and Mac OS, `::` will listen on all IPv4 and IPv6
- # addresses by default. For most other OSes, this will only listen
- # on IPv6.
- bind_addresses:
- - '::1'
- - '127.0.0.1'
- # - '::'
- # - '0.0.0.0'
-
- # This is a 'http' listener, allows us to specify 'resources'.
- type: http
-
- tls: true
-
- # Use the X-Forwarded-For (XFF) header as the client IP and not the
- # actual client IP.
- x_forwarded: false
-
- # List of HTTP resources to serve on this listener.
- resources:
- -
- # List of resources to host on this listener.
- names:
- - client # The client-server APIs, both v1 and v2
-
- # Should synapse compress HTTP responses to clients that support it?
- # This should be disabled if running synapse behind a load balancer
- # that can do automatic compression.
- compress: true
-
- - names: [federation] # Federation APIs
- compress: false
-
- # optional list of additional endpoints which can be loaded via
- # dynamic modules
- # additional_resources:
- # "/_matrix/my/custom/endpoint":
- # module: my_module.CustomRequestHandler
- # config: {}
-
 # Unsecure HTTP listener,
 # For when matrix traffic passes through loadbalancer that unwraps TLS.
 - port: 8008
 tls: false
 bind_addresses:
- - '::1'
 - '127.0.0.1'
 # - '::'
 # - '0.0.0.0'
 type: http
- x_forwarded: false
+ x_forwarded: true
 resources:
 - names: [client]
diff --git a/nginx/README b/nginx/README
index 7817786..3c462c5 100644
--- a/nginx/README
+++ b/nginx/README
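Review bot: `x_forwarded: true` makes Synapse take the client IP from `X-Forwarded-For`, which is only safe while this listener stays bound to `127.0.0.1` and nginx is the sole writer of that header; the nginx site that is supposed to set it (`matrix..template`, named in the nginx README) is not part of this patch, so that cannot be confirmed from here and deserves a comment on the listener, e.g. `# Trusts X-Forwarded-For: only reachable from the local nginx reverse proxy`. Dropping `- '::1'` from `bind_addresses` while the commit message says nginx forwards to `localhost:8008` is a likely outage on hosts where `localhost` resolves to `::1` first; either keep `- '::1'` here or point `proxy_pass` at `127.0.0.1:8008`. The new side of the hunk ends at `- names: [client]`, yet nginx now relays federation traffic from 8448 to this same listener, so it must also carry `- names: [federation]`; if that entry is not in the lines just past the hunk, federation requests will be rejected. The `listeners:` mapping continues beyond the end of the hunk.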
@@ -9,8 +9,9 @@ Files
 nginx
 |
-|-> nginx.conf -- /etc/nginx/ :: Main configuration.
-`-> mime.types -- /etc/nginx/ :: Available mime types.
+|-> nginx.conf -- /etc/nginx/ :: Main configuration.
+|-> mime.types -- /etc/nginx/ :: Available mime types.
+`-> matrix..template -- /etc/nginx/sites-available.
 SSL
 ---
@@ -33,3 +34,13 @@ Install
 ```
 $ apt install nginx
 ```
+
+Sites
+-----
+
+Substitute `<...>` patterns in `*.template` files. Create symbolic links for
+files in /etc/nginx/sites-available.
+
+```
+$ ln -s /etc/nginx/sites-available/{...} /etc/nginx/sites-enabled
+```
-- 
2.39.5