Update reverse proxy to add OpenBSD relayd example configuration. (#9508)
Update reverse proxy to add OpenBSD relayd example configuration. Signed-off-by: Leo Bärring <leo.barring@protonmail.com>
parent
e5da770cce
commit
0fc4eb103a
3 changed files with 53 additions and 4 deletions
@ -183,8 +183,9 @@ Using a reverse proxy with Synapse
|
||||||
It is recommended to put a reverse proxy such as
|
It is recommended to put a reverse proxy such as
|
||||||
`nginx <https://nginx.org/en/docs/http/ngx_http_proxy_module.html>`_,
|
`nginx <https://nginx.org/en/docs/http/ngx_http_proxy_module.html>`_,
|
||||||
`Apache <https://httpd.apache.org/docs/current/mod/mod_proxy_http.html>`_,
|
`Apache <https://httpd.apache.org/docs/current/mod/mod_proxy_http.html>`_,
|
||||||
`Caddy <https://caddyserver.com/docs/quick-starts/reverse-proxy>`_ or
|
`Caddy <https://caddyserver.com/docs/quick-starts/reverse-proxy>`_,
|
||||||
`HAProxy <https://www.haproxy.org/>`_ in front of Synapse. One advantage of
|
`HAProxy <https://www.haproxy.org/>`_ or
|
||||||
|
`relayd <https://man.openbsd.org/relayd.8>`_ in front of Synapse. One advantage of
|
||||||
doing so is that it means that you can expose the default https port (443) to
|
doing so is that it means that you can expose the default https port (443) to
|
||||||
Matrix clients without needing to run Synapse with root privileges.
|
Matrix clients without needing to run Synapse with root privileges.
|
||||||
|
|
||||||
|
|
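--- a/changelog.d/9508.doc
+++ b/changelog.d/9508.doc
@@ -0,0 +1 @@
+Add relayd entry to reverse proxy example configurations.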
@ -3,8 +3,9 @@
|
||||||
It is recommended to put a reverse proxy such as
|
It is recommended to put a reverse proxy such as
|
||||||
[nginx](https://nginx.org/en/docs/http/ngx_http_proxy_module.html),
|
[nginx](https://nginx.org/en/docs/http/ngx_http_proxy_module.html),
|
||||||
[Apache](https://httpd.apache.org/docs/current/mod/mod_proxy_http.html),
|
[Apache](https://httpd.apache.org/docs/current/mod/mod_proxy_http.html),
|
||||||
[Caddy](https://caddyserver.com/docs/quick-starts/reverse-proxy) or
|
[Caddy](https://caddyserver.com/docs/quick-starts/reverse-proxy),
|
||||||
[HAProxy](https://www.haproxy.org/) in front of Synapse. One advantage
|
[HAProxy](https://www.haproxy.org/) or
|
||||||
|
[relayd](https://man.openbsd.org/relayd.8) in front of Synapse. One advantage
|
||||||
of doing so is that it means that you can expose the default https port
|
of doing so is that it means that you can expose the default https port
|
||||||
(443) to Matrix clients without needing to run Synapse with root
|
(443) to Matrix clients without needing to run Synapse with root
|
||||||
privileges.
|
privileges.
|
||||||
|
@ -162,6 +163,52 @@ backend matrix
|
||||||
server matrix 127.0.0.1:8008
|
server matrix 127.0.0.1:8008
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Relayd
|
||||||
|
|
||||||
|
```
|
||||||
|
table <webserver> { 127.0.0.1 }
|
||||||
|
table <matrixserver> { 127.0.0.1 }
|
||||||
|
|
||||||
|
http protocol "https" {
|
||||||
|
tls { no tlsv1.0, ciphers "HIGH" }
|
||||||
|
tls keypair "example.com"
|
||||||
|
match header set "X-Forwarded-For" value "$REMOTE_ADDR"
|
||||||
|
match header set "X-Forwarded-Proto" value "https"
|
||||||
|
|
||||||
|
# set CORS header for .well-known/matrix/server, .well-known/matrix/client
|
||||||
|
# httpd does not support setting headers, so do it here
|
||||||
|
match request path "/.well-known/matrix/*" tag "matrix-cors"
|
||||||
|
match response tagged "matrix-cors" header set "Access-Control-Allow-Origin" value "*"
|
||||||
|
|
||||||
|
pass quick path "/_matrix/*" forward to <matrixserver>
|
||||||
|
pass quick path "/_synapse/client/*" forward to <matrixserver>
|
||||||
|
|
||||||
|
# pass on non-matrix traffic to webserver
|
||||||
|
pass forward to <webserver>
|
||||||
|
}
|
||||||
|
|
||||||
|
relay "https_traffic" {
|
||||||
|
listen on egress port 443 tls
|
||||||
|
protocol "https"
|
||||||
|
forward to <matrixserver> port 8008 check tcp
|
||||||
|
forward to <webserver> port 8080 check tcp
|
||||||
|
}
|
||||||
|
|
||||||
|
http protocol "matrix" {
|
||||||
|
tls { no tlsv1.0, ciphers "HIGH" }
|
||||||
|
tls keypair "example.com"
|
||||||
|
block
|
||||||
|
pass quick path "/_matrix/*" forward to <matrixserver>
|
||||||
|
pass quick path "/_synapse/client/*" forward to <matrixserver>
|
||||||
|
}
|
||||||
|
|
||||||
|
relay "matrix_federation" {
|
||||||
|
listen on egress port 8448 tls
|
||||||
|
protocol "matrix"
|
||||||
|
forward to <matrixserver> port 8008 check tcp
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
## Homeserver Configuration
|
## Homeserver Configuration
|
||||||
|
|
||||||
You will also want to set `bind_addresses: ['127.0.0.1']` and
|
You will also want to set `bind_addresses: ['127.0.0.1']` and
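Review bot: The federation `http protocol "matrix"` block in the new relayd example does not set `X-Forwarded-For` or `X-Forwarded-Proto`, unlike the `https` protocol above it, so whatever a remote peer puts in those headers is passed through to Synapse unchanged; if the 8008 listener is configured with `x_forwarded: true`, as a reverse-proxied deployment normally is, the peer-chosen address is what Synapse would log and rate-limit on. Add the same two lines after `tls keypair "example.com"` in that block: `match header set "X-Forwarded-For" value "$REMOTE_ADDR"` and `match header set "X-Forwarded-Proto" value "https"`. Separately, both `tls { no tlsv1.0, ciphers "HIGH" }` lines still permit TLS 1.1; relayd.conf(5) appears to accept `no tlsv1.1` as well, and the example would be safer disabling it. The hunk's trailing context runs into the unchanged "Homeserver Configuration" section.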
|
||||||
|
|