Clarifications for reverse proxy docs (#4607)
Factor out the reverse proxy info to a separate file, add some more info on reverse-proxying the federation port.pull/4614/head
parent
6e2a5aa050
commit
c475275926
|
@ -359,8 +359,9 @@ Synapse v1.0. Instructions for having Synapse automatically provision and renew
|
||||||
|
|
||||||
If you would like to use your own certificates, you can do so by changing
|
If you would like to use your own certificates, you can do so by changing
|
||||||
`tls_certificate_path` and `tls_private_key_path` in `homeserver.yaml`;
|
`tls_certificate_path` and `tls_private_key_path` in `homeserver.yaml`;
|
||||||
alternatively, you can use a reverse-proxy. Apart from port 8448 using TLS,
|
alternatively, you can use a reverse proxy. See
|
||||||
both ports are the same in the default configuration.
|
[docs/reverse_proxy.rst](docs/reverse_proxy.rst) for information on configuring
|
||||||
|
a reverse proxy.
|
||||||
|
|
||||||
## Registering a user
|
## Registering a user
|
||||||
|
|
||||||
|
|
52
README.rst
52
README.rst
|
@ -263,6 +263,8 @@ So, things to check are:
|
||||||
(it should be ``_matrix._tcp.<server_name>``), and that the port and hostname
|
(it should be ``_matrix._tcp.<server_name>``), and that the port and hostname
|
||||||
it specifies are reachable from outside your network.
|
it specifies are reachable from outside your network.
|
||||||
|
|
||||||
|
.. TODO: add a note about forgetting ``nocanon`` on a reverse-proxy config
|
||||||
|
|
||||||
Running a Demo Federation of Synapses
|
Running a Demo Federation of Synapses
|
||||||
-------------------------------------
|
-------------------------------------
|
||||||
|
|
||||||
|
@ -290,7 +292,6 @@ The advantages of Postgres include:
|
||||||
For information on how to install and use PostgreSQL, please see
|
For information on how to install and use PostgreSQL, please see
|
||||||
`docs/postgres.rst <docs/postgres.rst>`_.
|
`docs/postgres.rst <docs/postgres.rst>`_.
|
||||||
|
|
||||||
|
|
||||||
.. _reverse-proxy:
|
.. _reverse-proxy:
|
||||||
|
|
||||||
Using a reverse proxy with Synapse
|
Using a reverse proxy with Synapse
|
||||||
|
@ -304,54 +305,7 @@ It is recommended to put a reverse proxy such as
|
||||||
doing so is that it means that you can expose the default https port (443) to
|
doing so is that it means that you can expose the default https port (443) to
|
||||||
Matrix clients without needing to run Synapse with root privileges.
|
Matrix clients without needing to run Synapse with root privileges.
|
||||||
|
|
||||||
The most important thing to know here is that Matrix clients and other Matrix
|
For information on configuring one, see `<docs/reverse_proxy.rst>`_.
|
||||||
servers do not necessarily need to connect to your server via the same
|
|
||||||
port. Indeed, clients will use port 443 by default, whereas servers default to
|
|
||||||
port 8448. Where these are different, we refer to the 'client port' and the
|
|
||||||
'federation port'.
|
|
||||||
|
|
||||||
All Matrix endpoints begin with ``/_matrix``, so an example nginx
|
|
||||||
configuration for forwarding client connections to Synapse might look like::
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 443 ssl;
|
|
||||||
listen [::]:443 ssl;
|
|
||||||
server_name matrix.example.com;
|
|
||||||
|
|
||||||
location /_matrix {
|
|
||||||
proxy_pass http://localhost:8008;
|
|
||||||
proxy_set_header X-Forwarded-For $remote_addr;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
an example Caddy configuration might look like::
|
|
||||||
|
|
||||||
matrix.example.com {
|
|
||||||
proxy /_matrix http://localhost:8008 {
|
|
||||||
transparent
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
and an example Apache configuration might look like::
|
|
||||||
|
|
||||||
<VirtualHost *:443>
|
|
||||||
SSLEngine on
|
|
||||||
ServerName matrix.example.com;
|
|
||||||
|
|
||||||
<Location /_matrix>
|
|
||||||
ProxyPass http://127.0.0.1:8008/_matrix nocanon
|
|
||||||
ProxyPassReverse http://127.0.0.1:8008/_matrix
|
|
||||||
</Location>
|
|
||||||
</VirtualHost>
|
|
||||||
|
|
||||||
You will also want to set ``bind_addresses: ['127.0.0.1']`` and ``x_forwarded: true``
|
|
||||||
for port 8008 in ``homeserver.yaml`` to ensure that client IP addresses are
|
|
||||||
recorded correctly.
|
|
||||||
|
|
||||||
Having done so, you can then use ``https://matrix.example.com`` (instead of
|
|
||||||
``https://matrix.example.com:8448``) as the "Custom server" when `Connecting to
|
|
||||||
Synapse from a client`_.
|
|
||||||
|
|
||||||
|
|
||||||
Identity Servers
|
Identity Servers
|
||||||
================
|
================
|
||||||
|
|
|
@ -0,0 +1 @@
|
||||||
|
Clarifications for reverse proxy docs
|
|
@ -42,9 +42,9 @@ imminent Matrix 1.0 release, you can also see our
|
||||||
* It used to work just fine, why are you breaking everything?
|
* It used to work just fine, why are you breaking everything?
|
||||||
* Can I manage my own certificates rather than having Synapse renew
|
* Can I manage my own certificates rather than having Synapse renew
|
||||||
certificates itself?
|
certificates itself?
|
||||||
* Do you still recommend against using a reverse-proxy on the federation port?
|
* Do you still recommend against using a reverse proxy on the federation port?
|
||||||
* Do I still need to give my TLS certificates to Synapse if I am using a
|
* Do I still need to give my TLS certificates to Synapse if I am using a
|
||||||
reverse-proxy?
|
reverse proxy?
|
||||||
* Do I need the same certificate for the client and federation port?
|
* Do I need the same certificate for the client and federation port?
|
||||||
* How do I tell Synapse to reload my keys/certificates after I replace them?
|
* How do I tell Synapse to reload my keys/certificates after I replace them?
|
||||||
|
|
||||||
|
@ -132,6 +132,9 @@ your domain, you can simply route all traffic through the reverse proxy by
|
||||||
updating the SRV record appropriately (or removing it, if the proxy listens on
|
updating the SRV record appropriately (or removing it, if the proxy listens on
|
||||||
8448).
|
8448).
|
||||||
|
|
||||||
|
See [reverse_proxy.rst](reverse_proxy.rst) for information on setting up a
|
||||||
|
reverse proxy.
|
||||||
|
|
||||||
#### Option 3: add a .well-known file to delegate your matrix traffic
|
#### Option 3: add a .well-known file to delegate your matrix traffic
|
||||||
|
|
||||||
This will allow you to keep Synapse on a separate domain, without having to
|
This will allow you to keep Synapse on a separate domain, without having to
|
||||||
|
@ -297,17 +300,20 @@ attempt to obtain certificates from Let's Encrypt if you configure it to do
|
||||||
so.The only requirement is that there is a valid TLS cert present for
|
so.The only requirement is that there is a valid TLS cert present for
|
||||||
federation end points.
|
federation end points.
|
||||||
|
|
||||||
### Do you still recommend against using a reverse-proxy on the federation port?
|
### Do you still recommend against using a reverse proxy on the federation port?
|
||||||
|
|
||||||
We no longer actively recommend against using a reverse proxy. Many admins will
|
We no longer actively recommend against using a reverse proxy. Many admins will
|
||||||
find it easier to direct federation traffic to a reverse-proxy and manage their
|
find it easier to direct federation traffic to a reverse proxy and manage their
|
||||||
own TLS certificates, and this is a supported configuration.
|
own TLS certificates, and this is a supported configuration.
|
||||||
|
|
||||||
|
See [reverse_proxy.rst](reverse_proxy.rst) for information on setting up a
|
||||||
|
reverse proxy.
|
||||||
|
|
||||||
### Do I still need to give my TLS certificates to Synapse if I am using a reverse proxy?
|
### Do I still need to give my TLS certificates to Synapse if I am using a reverse proxy?
|
||||||
|
|
||||||
Practically speaking, this is no longer necessary.
|
Practically speaking, this is no longer necessary.
|
||||||
|
|
||||||
If you are using a reverse-proxy for all of your TLS traffic, then you can set
|
If you are using a reverse proxy for all of your TLS traffic, then you can set
|
||||||
`no_tls: True`. In that case, the only reason Synapse needs the certificate is
|
`no_tls: True`. In that case, the only reason Synapse needs the certificate is
|
||||||
to populate a legacy 'tls_fingerprints' field in the federation API. This is
|
to populate a legacy 'tls_fingerprints' field in the federation API. This is
|
||||||
ignored by Synapse 0.99.0 and later, and the only time pre-0.99 Synapses will
|
ignored by Synapse 0.99.0 and later, and the only time pre-0.99 Synapses will
|
||||||
|
@ -321,9 +327,9 @@ this, you can give it any TLS certificate at all. This will be fixed soon.
|
||||||
|
|
||||||
### Do I need the same certificate for the client and federation port?
|
### Do I need the same certificate for the client and federation port?
|
||||||
|
|
||||||
No. There is nothing stopping you doing so, particularly if you are using a
|
No. There is nothing stopping you from using different certificates,
|
||||||
reverse-proxy. However, Synapse will use the same certificate on any ports
|
particularly if you are using a reverse proxy. However, Synapse will use the
|
||||||
where TLS is configured.
|
same certificate on any ports where TLS is configured.
|
||||||
|
|
||||||
### How do I tell Synapse to reload my keys/certificates after I replace them?
|
### How do I tell Synapse to reload my keys/certificates after I replace them?
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,94 @@
|
||||||
|
Using a reverse proxy with Synapse
|
||||||
|
==================================
|
||||||
|
|
||||||
|
It is recommended to put a reverse proxy such as
|
||||||
|
`nginx <https://nginx.org/en/docs/http/ngx_http_proxy_module.html>`_,
|
||||||
|
`Apache <https://httpd.apache.org/docs/current/mod/mod_proxy_http.html>`_,
|
||||||
|
`Caddy <https://caddyserver.com/docs/proxy>`_ or
|
||||||
|
`HAProxy <https://www.haproxy.org/>`_ in front of Synapse. One advantage of
|
||||||
|
doing so is that it means that you can expose the default https port (443) to
|
||||||
|
Matrix clients without needing to run Synapse with root privileges.
|
||||||
|
|
||||||
|
**NOTE**: Your reverse proxy must not 'canonicalise' or 'normalise' the
|
||||||
|
requested URI in any way (for example, by decoding ``%xx`` escapes). Beware
|
||||||
|
that Apache *will* canonicalise URIs unless you specifify ``nocanon``.
|
||||||
|
|
||||||
|
When setting up a reverse proxy, remember that Matrix clients and other Matrix
|
||||||
|
servers do not necessarily need to connect to your server via the same server
|
||||||
|
name or port. Indeed, clients will use port 443 by default, whereas servers
|
||||||
|
default to port 8448. Where these are different, we refer to the 'client port'
|
||||||
|
and the 'federation port'. See `Setting up federation
|
||||||
|
<../README.rst#setting-up-federation>`_ for more details of the algorithm used for
|
||||||
|
federation connections.
|
||||||
|
|
||||||
|
Let's assume that we expect clients to connect to our server at
|
||||||
|
``https://matrix.example.com``, and other servers to connect at
|
||||||
|
``https://example.com:8448``. Here are some example configurations:
|
||||||
|
|
||||||
|
* nginx::
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
listen [::]:443 ssl;
|
||||||
|
server_name matrix.example.com;
|
||||||
|
|
||||||
|
location /_matrix {
|
||||||
|
proxy_pass http://localhost:8008;
|
||||||
|
proxy_set_header X-Forwarded-For $remote_addr;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 8448 ssl default_server;
|
||||||
|
listen [::]:8448 ssl default_server;
|
||||||
|
server_name example.com;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://localhost:8008;
|
||||||
|
proxy_set_header X-Forwarded-For $remote_addr;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
* Caddy::
|
||||||
|
|
||||||
|
matrix.example.com {
|
||||||
|
proxy /_matrix http://localhost:8008 {
|
||||||
|
transparent
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
example.com:8448 {
|
||||||
|
proxy / http://localhost:8008 {
|
||||||
|
transparent
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
* Apache (note the ``nocanon`` options here!)::
|
||||||
|
|
||||||
|
<VirtualHost *:443>
|
||||||
|
SSLEngine on
|
||||||
|
ServerName matrix.example.com;
|
||||||
|
|
||||||
|
<Location /_matrix>
|
||||||
|
ProxyPass http://127.0.0.1:8008/_matrix nocanon
|
||||||
|
ProxyPassReverse http://127.0.0.1:8008/_matrix
|
||||||
|
</Location>
|
||||||
|
</VirtualHost>
|
||||||
|
|
||||||
|
<VirtualHost *:8448>
|
||||||
|
SSLEngine on
|
||||||
|
ServerName example.com;
|
||||||
|
|
||||||
|
<Location />
|
||||||
|
ProxyPass http://127.0.0.1:8008/_matrix nocanon
|
||||||
|
ProxyPassReverse http://127.0.0.1:8008/_matrix
|
||||||
|
</Location>
|
||||||
|
</VirtualHost>
|
||||||
|
|
||||||
|
You will also want to set ``bind_addresses: ['127.0.0.1']`` and ``x_forwarded: true``
|
||||||
|
for port 8008 in ``homeserver.yaml`` to ensure that client IP addresses are
|
||||||
|
recorded correctly.
|
||||||
|
|
||||||
|
Having done so, you can then use ``https://matrix.example.com`` (instead of
|
||||||
|
``https://matrix.example.com:8448``) as the "Custom server" when connecting to
|
||||||
|
Synapse from a client.
|
|
@ -26,9 +26,8 @@ Configuration
|
||||||
To make effective use of the workers, you will need to configure an HTTP
|
To make effective use of the workers, you will need to configure an HTTP
|
||||||
reverse-proxy such as nginx or haproxy, which will direct incoming requests to
|
reverse-proxy such as nginx or haproxy, which will direct incoming requests to
|
||||||
the correct worker, or to the main synapse instance. Note that this includes
|
the correct worker, or to the main synapse instance. Note that this includes
|
||||||
requests made to the federation port. The caveats regarding running a
|
requests made to the federation port. See `<reverse_proxy.rst>`_ for
|
||||||
reverse-proxy on the federation port still apply (see
|
information on setting up a reverse proxy.
|
||||||
https://github.com/matrix-org/synapse/blob/master/README.rst#reverse-proxying-the-federation-port).
|
|
||||||
|
|
||||||
To enable workers, you need to add two replication listeners to the master
|
To enable workers, you need to add two replication listeners to the master
|
||||||
synapse, e.g.::
|
synapse, e.g.::
|
||||||
|
|
Loading…
Reference in New Issue