mirror of
https://github.com/element-hq/synapse.git
synced 2025-03-06 16:06:52 +00:00
bd9a1079bc
Update reverse proxy docs with what we've learned from https://github.com/element-hq/synapse/pull/17986 Also vice versa and update our nginx config with what I learned from the reverse proxy docs. ### Pull Request Checklist <!-- Please read https://element-hq.github.io/synapse/latest/development/contributing_guide.html before submitting your pull request --> * [x] Pull request is based on the develop branch * [x] Pull request includes a [changelog file](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#changelog). The entry should: - Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from `EventStore` to `EventWorkerStore`.". - Use markdown where necessary, mostly for `code blocks`. - End with either a period (.) or an exclamation mark (!). - Start with a capital letter. - Feel free to credit yourself, by adding a sentence "Contributed by @github_username." or "Contributed by [Your Name]." to the end of the entry. * [x] [Code style](https://element-hq.github.io/synapse/latest/code_style.html) is correct (run the [linters](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#run-the-linters))
50 lines
1.7 KiB
Django/Jinja
50 lines
1.7 KiB
Django/Jinja
# This file contains the base config for the reverse proxy, as part of ../Dockerfile-workers.
|
|
# configure_workers_and_start.py uses and amends to this file depending on the workers
|
|
# that have been selected.
|
|
|
|
{{ upstream_directives }}
|
|
|
|
server {
|
|
# Listen on an unoccupied port number
|
|
listen 8008;
|
|
listen [::]:8008;
|
|
|
|
{% if tls_cert_path is not none and tls_key_path is not none %}
|
|
listen 8448 ssl;
|
|
listen [::]:8448 ssl;
|
|
|
|
ssl_certificate {{ tls_cert_path }};
|
|
ssl_certificate_key {{ tls_key_path }};
|
|
|
|
# Some directives from cipherlist.eu (fka cipherli.st):
|
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
|
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
|
|
ssl_session_cache shared:SSL:10m;
|
|
ssl_session_tickets off; # Requires nginx >= 1.5.9
|
|
{% endif %}
|
|
|
|
server_name localhost;
|
|
|
|
# Nginx by default only allows file uploads up to 1M in size
|
|
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
|
|
client_max_body_size 100M;
|
|
|
|
{{ worker_locations }}
|
|
|
|
# Send all other traffic to the main process
|
|
location ~* ^(\\/_matrix|\\/_synapse) {
|
|
{% if using_unix_sockets %}
|
|
proxy_pass http://unix:/run/main_public.sock;
|
|
{% else %}
|
|
# note: do not add a path (even a single /) after the port in `proxy_pass`,
|
|
# otherwise nginx will canonicalise the URI and cause signature verification
|
|
# errors.
|
|
proxy_pass http://localhost:8080;
|
|
{% endif %}
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header Host $host:$server_port;
|
|
}
|
|
}
|