Move ACME docs from INSTALL.md to ACME.md
parent d75e15edce
commit 0af50020fd
INSTALL.md (79)
@ -355,90 +355,13 @@ configured without TLS; it should be behind a reverse proxy for TLS/SSL
|
||||||
termination on port 443 which in turn should be used for clients. Port 8448
|
termination on port 443 which in turn should be used for clients. Port 8448
|
||||||
is configured to use TLS for Federation with a self-signed or verified
|
is configured to use TLS for Federation with a self-signed or verified
|
||||||
certificate, but please be aware that a valid certificate will be required in
|
certificate, but please be aware that a valid certificate will be required in
|
||||||
Synapse v1.0.
|
Synapse v1.0. Instructions for having Synapse automatically provision and renew federation certificates through ACME can be found at [ACME.md](docs/ACME.md).
|
||||||
|
|
||||||
If you would like to use your own certificates, you can do so by changing
|
If you would like to use your own certificates, you can do so by changing
|
||||||
`tls_certificate_path` and `tls_private_key_path` in `homeserver.yaml`;
|
`tls_certificate_path` and `tls_private_key_path` in `homeserver.yaml`;
|
||||||
alternatively, you can use a reverse-proxy. Apart from port 8448 using TLS,
|
alternatively, you can use a reverse-proxy. Apart from port 8448 using TLS,
|
||||||
both ports are the same in the default configuration.
|
both ports are the same in the default configuration.
|
||||||
|
|
||||||
### ACME setup
|
|
||||||
|
|
||||||
Synapse v1.0 will require valid TLS certificates for communication between servers
|
|
||||||
(port `8448` by default) in addition to those that are client-facing (port
|
|
||||||
`443`). In the case that your `server_name` config variable is the same as
|
|
||||||
the hostname that the client connects to, then the same certificate can be
|
|
||||||
used between client and federation ports without issue. Synapse v0.99.0+
|
|
||||||
**will provision server-to-server certificates automatically for you for
|
|
||||||
free** through [Let's Encrypt](https://letsencrypt.org/) if you tell it to.
|
|
||||||
|
|
||||||
In order for Synapse to complete the ACME challenge to provision a
|
|
||||||
certificate, it needs access to port 80. Typically listening on port 80 is
|
|
||||||
only granted to applications running as root. There are thus two solutions to
|
|
||||||
this problem.
|
|
||||||
|
|
||||||
#### Using a reverse proxy
|
|
||||||
|
|
||||||
A reverse proxy such as Apache or nginx allows a single process (the web
|
|
||||||
server) to listen on port 80 and proxy traffic to the appropriate program
|
|
||||||
running on your server. It is the recommended method for setting up ACME as
|
|
||||||
it allows you to use your existing webserver while also allowing Synapse to
|
|
||||||
provision certificates as needed.
|
|
||||||
|
|
||||||
For nginx users, add the following line to your existing `server` block:
|
|
||||||
|
|
||||||
```
|
|
||||||
location /.well-known/acme-challenge {
|
|
||||||
proxy_pass http://localhost:8009/;
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
For Apache, add the following to your existing webserver config::
|
|
||||||
|
|
||||||
```
|
|
||||||
ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge
|
|
||||||
```
|
|
||||||
|
|
||||||
Make sure to restart/reload your webserver after making changes.
|
|
||||||
|
|
||||||
|
|
||||||
#### Authbind
|
|
||||||
|
|
||||||
`authbind` allows a program which does not run as root to bind to
|
|
||||||
low-numbered ports in a controlled way. The setup is simpler, but requires a
|
|
||||||
webserver not to already be running on port 80. **This includes every time
|
|
||||||
Synapse renews a certificate**, which may be cumbersome if you usually run a
|
|
||||||
web server on port 80. Nevertheless, if you're sure port 80 is not being used
|
|
||||||
for any other purpose then all that is necessary is the following:
|
|
||||||
|
|
||||||
Install `authbind`. For example, on Debian/Ubuntu:
|
|
||||||
|
|
||||||
```
|
|
||||||
sudo apt-get install authbind
|
|
||||||
```
|
|
||||||
|
|
||||||
Allow `authbind` to bind port 80:
|
|
||||||
|
|
||||||
```
|
|
||||||
sudo touch /etc/authbind/byport/80
|
|
||||||
sudo chmod 777 /etc/authbind/byport/80
|
|
||||||
```
|
|
||||||
|
|
||||||
When Synapse is started, use the following syntax::
|
|
||||||
|
|
||||||
```
|
|
||||||
authbind --deep <synapse start command>
|
|
||||||
```
|
|
||||||
|
|
||||||
Finally, once Synapse is able to listen on port 80 for ACME challenge
|
|
||||||
requests, it must be told to perform ACME provisioning by setting `enabled`
|
|
||||||
to true under the `acme` section in `homeserver.yaml`:
|
|
||||||
|
|
||||||
```
|
|
||||||
acme:
|
|
||||||
enabled: true
|
|
||||||
```
|
|
||||||
|
|
||||||
## Registering a user
|
## Registering a user
|
||||||
|
|
||||||
You will need at least one user on your server in order to use a Matrix
|
You will need at least one user on your server in order to use a Matrix
|
||||||
|
|
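Review bot: two defects in the removed ACME block should be fixed in the new docs/ACME.md rather than moved over verbatim. The nginx snippet `location /.well-known/acme-challenge { proxy_pass http://localhost:8009/; }` has a trailing slash on the upstream URI, so nginx replaces the matched prefix and forwards the challenge as `/<token>` instead of `/.well-known/acme-challenge/<token>`, while the Apache line `ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge` preserves the full path; make the two consistent (drop the trailing slash in the nginx `proxy_pass`) so the ACME listener on 8009 sees the path the CA requested. The authbind step `sudo chmod 777 /etc/authbind/byport/80` makes the port-80 grant world-writable and, because authbind checks execute permission on that file, lets every local account bind port 80; grant it to the Synapse user only, e.g. `chown <synapse user> /etc/authbind/byport/80` followed by `chmod 500` on it. Also, this commit lists only INSTALL.md, yet the added sentence links to `docs/ACME.md`; confirm that file is created in the same change so the link does not dangle.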