Home Explore Help
Register Sign In
RISCI_ATOM
/
synapse
mirror of https://github.com/matrix-org/synapse.git
1
0
Fork 0
Files Issues 3 Wiki
Browse Source

Update reverse proxy to add OpenBSD relayd example configuration. (#9508)

Update reverse proxy to add OpenBSD relayd example configuration.

Signed-off-by: Leo Bärring <leo.barring@protonmail.com>
Leo Bärring 3 years ago
parent
e5da770cce
commit
0fc4eb103a
3 changed files with 53 additions and 4 deletions
Split View Show Diff Stats
  1. 3 2
      README.rst
  2. 1 0
      changelog.d/9508.doc
  3. 49 2
      docs/reverse_proxy.md

+ 3 - 2
README.rst
View File 

@@ -183,8 +183,9 @@ Using a reverse proxy with Synapse
 
 It is recommended to put a reverse proxy such as
 
 `nginx <https://nginx.org/en/docs/http/ngx_http_proxy_module.html>`_,
 
 `Apache <https://httpd.apache.org/docs/current/mod/mod_proxy_http.html>`_,
 
-`Caddy <https://caddyserver.com/docs/quick-starts/reverse-proxy>`_ or
 
-`HAProxy <https://www.haproxy.org/>`_ in front of Synapse. One advantage of
 
+`Caddy <https://caddyserver.com/docs/quick-starts/reverse-proxy>`_,
 
+`HAProxy <https://www.haproxy.org/>`_ or
 
+`relayd <https://man.openbsd.org/relayd.8>`_ in front of Synapse. One advantage of
 
 doing so is that it means that you can expose the default https port (443) to
 
 Matrix clients without needing to run Synapse with root privileges.

+ 1 - 0
changelog.d/9508.doc
View File 

@@ -0,0 +1 @@
 
+Add relayd entry to reverse proxy example configurations.

+ 49 - 2
docs/reverse_proxy.md
View File 

@@ -3,8 +3,9 @@
 
 It is recommended to put a reverse proxy such as
 
 [nginx](https://nginx.org/en/docs/http/ngx_http_proxy_module.html),
 
 [Apache](https://httpd.apache.org/docs/current/mod/mod_proxy_http.html),
 
-[Caddy](https://caddyserver.com/docs/quick-starts/reverse-proxy) or
 
-[HAProxy](https://www.haproxy.org/) in front of Synapse. One advantage
 
+[Caddy](https://caddyserver.com/docs/quick-starts/reverse-proxy),
 
+[HAProxy](https://www.haproxy.org/) or
 
+[relayd](https://man.openbsd.org/relayd.8) in front of Synapse. One advantage
 
 of doing so is that it means that you can expose the default https port
 
 (443) to Matrix clients without needing to run Synapse with root
 
 privileges.
 
@@ -162,6 +163,52 @@ backend matrix
 
   server matrix 127.0.0.1:8008
 
 ```
 
 
+### Relayd
 
+
 
+```
 
+table <webserver>    { 127.0.0.1 }
 
+table <matrixserver> { 127.0.0.1 }
 
+
 
+http protocol "https" {
 
+    tls { no tlsv1.0, ciphers "HIGH" }
 
+    tls keypair "example.com"
 
+    match header set "X-Forwarded-For"   value "$REMOTE_ADDR"
 
+    match header set "X-Forwarded-Proto" value "https"
 
+
 
+    # set CORS header for .well-known/matrix/server, .well-known/matrix/client
 
+    # httpd does not support setting headers, so do it here
 
+    match request path "/.well-known/matrix/*" tag "matrix-cors"
 
+    match response tagged "matrix-cors" header set "Access-Control-Allow-Origin" value "*"
 
+
 
+    pass quick path "/_matrix/*"         forward to <matrixserver>
 
+    pass quick path "/_synapse/client/*" forward to <matrixserver>
 
+
 
+    # pass on non-matrix traffic to webserver
 
+    pass                                 forward to <webserver>
 
+}
 
+
 
+relay "https_traffic" {
 
+    listen on egress port 443 tls
 
+    protocol "https"
 
+    forward to <matrixserver> port 8008 check tcp
 
+    forward to <webserver>    port 8080 check tcp
 
+}
 
+
 
+http protocol "matrix" {
 
+    tls { no tlsv1.0, ciphers "HIGH" }
 
+    tls keypair "example.com"
 
+    block
 
+    pass quick path "/_matrix/*"         forward to <matrixserver>
 
+    pass quick path "/_synapse/client/*" forward to <matrixserver>
 
+}
 
+
 
+relay "matrix_federation" {
 
+    listen on egress port 8448 tls
 
+    protocol "matrix"
 
+    forward to <matrixserver> port 8008 check tcp
 
+}
 
+```
 
+
 
 ## Homeserver Configuration
 
 
 You will also want to set `bind_addresses: ['127.0.0.1']` and