@@ -3,8 +3,9 @@
It is recommended to put a reverse proxy such as
[nginx](https://nginx.org/en/docs/http/ngx_http_proxy_module.html),
[Apache](https://httpd.apache.org/docs/current/mod/mod_proxy_http.html),
-[Caddy](https://caddyserver.com/docs/quick-starts/reverse-proxy) or
-[HAProxy](https://www.haproxy.org/) in front of Synapse. One advantage
+[Caddy](https://caddyserver.com/docs/quick-starts/reverse-proxy),
+[HAProxy](https://www.haproxy.org/) or
+[relayd](https://man.openbsd.org/relayd.8) in front of Synapse. One advantage
of doing so is that it means that you can expose the default https port
(443) to Matrix clients without needing to run Synapse with root
privileges.
@@ -162,6 +163,52 @@ backend matrix
server matrix 127.0.0.1:8008
```
+### Relayd
+
+```
+table <webserver> { 127.0.0.1 }
+table <matrixserver> { 127.0.0.1 }
+
+http protocol "https" {
+ tls { no tlsv1.0, ciphers "HIGH" }
+ tls keypair "example.com"
+ match header set "X-Forwarded-For" value "$REMOTE_ADDR"
+ match header set "X-Forwarded-Proto" value "https"
+
+ # set CORS header for .well-known/matrix/server, .well-known/matrix/client
+ # httpd does not support setting headers, so do it here
+ match request path "/.well-known/matrix/*" tag "matrix-cors"
+ match response tagged "matrix-cors" header set "Access-Control-Allow-Origin" value "*"
+
+ pass quick path "/_matrix/*" forward to <matrixserver>
+ pass quick path "/_synapse/client/*" forward to <matrixserver>
+
+ # pass on non-matrix traffic to webserver
+ pass forward to <webserver>
+}
+
+relay "https_traffic" {
+ listen on egress port 443 tls
+ protocol "https"
+ forward to <matrixserver> port 8008 check tcp
+ forward to <webserver> port 8080 check tcp
+}
+
+http protocol "matrix" {
+ tls { no tlsv1.0, ciphers "HIGH" }
+ tls keypair "example.com"
+ block
+ pass quick path "/_matrix/*" forward to <matrixserver>
+ pass quick path "/_synapse/client/*" forward to <matrixserver>
+}
+
+relay "matrix_federation" {
+ listen on egress port 8448 tls
+ protocol "matrix"
+ forward to <matrixserver> port 8008 check tcp
+}
+```
+
## Homeserver Configuration
You will also want to set `bind_addresses: ['127.0.0.1']` and