Home Explore Help
Register Sign In
RISCI_ATOM
/
synapse
mirror of https://github.com/matrix-org/synapse.git
1
0
Fork 0
Files Issues 3 Wiki
Tree: 6307f83cc3
Branches Tags
synapse
/
develop
/
reverse_proxy.html

reverse_proxy.html 34 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430 
  1. <!DOCTYPE HTML>
    2. 

  2. <html lang="en" class="sidebar-visible no-js light">
    3. 

  3.     <head>
    4. 

  4.         <!-- Book generated using mdBook -->
    5. 

  5.         <meta charset="UTF-8">
    6. 

  6.         <title>Configuring a Reverse Proxy - Synapse</title>
    7. 

  7.         <!-- Custom HTML head -->
    8. 

  8.         <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
    9. 

  9.         <meta name="description" content="">
    10. 

  10.         <meta name="viewport" content="width=device-width, initial-scale=1">
    11. 

  11.         <meta name="theme-color" content="#ffffff" />
    12. 

  12. 

  13.         <link rel="icon" href="favicon.svg">
    14. 

  14.         <link rel="shortcut icon" href="favicon.png">
    15. 

  15.         <link rel="stylesheet" href="css/variables.css">
    16. 

  16.         <link rel="stylesheet" href="css/general.css">
    17. 

  17.         <link rel="stylesheet" href="css/chrome.css">
    18. 

  18.         <link rel="stylesheet" href="css/print.css" media="print">
    19. 

  19.         <!-- Fonts -->
    20. 

  20.         <link rel="stylesheet" href="FontAwesome/css/font-awesome.css">
    21. 

  21.         <link rel="stylesheet" href="fonts/fonts.css">
    22. 

  22.         <!-- Highlight.js Stylesheets -->
    23. 

  23.         <link rel="stylesheet" href="highlight.css">
    24. 

  24.         <link rel="stylesheet" href="tomorrow-night.css">
    25. 

  25.         <link rel="stylesheet" href="ayu-highlight.css">
    26. 

  26. 

  27.         <!-- Custom theme stylesheets -->
    28. 

  28.         <link rel="stylesheet" href="docs/website_files/table-of-contents.css">
    29. 

  29.         <link rel="stylesheet" href="docs/website_files/remove-nav-buttons.css">
    30. 

  30.         <link rel="stylesheet" href="docs/website_files/indent-section-headers.css">
    31. 

  31.         <link rel="stylesheet" href="docs/website_files/version-picker.css">
    32. 

  32.     </head>
    33. 

  33.     <body>
    34. 

  34.         <!-- Provide site root to javascript -->
    35. 

  35.         <script type="text/javascript">
    36. 

  36.             var path_to_root = "";
    37. 

  37.             var default_theme = window.matchMedia("(prefers-color-scheme: dark)").matches ? "navy" : "light";
    38. 

  38.         </script>
    39. 

  39. 

  40.         <!-- Work around some values being stored in localStorage wrapped in quotes -->
    41. 

  41.         <script type="text/javascript">
    42. 

  42.             try {
    43. 

  43.                 var theme = localStorage.getItem('mdbook-theme');
    44. 

  44.                 var sidebar = localStorage.getItem('mdbook-sidebar');
    45. 

  45.                 if (theme.startsWith('"') && theme.endsWith('"')) {
    46. 

  46.                     localStorage.setItem('mdbook-theme', theme.slice(1, theme.length - 1));
    47. 

  47.                 }
    48. 

  48.                 if (sidebar.startsWith('"') && sidebar.endsWith('"')) {
    49. 

  49.                     localStorage.setItem('mdbook-sidebar', sidebar.slice(1, sidebar.length - 1));
    50. 

  50.                 }
    51. 

  51.             } catch (e) { }
    52. 

  52.         </script>
    53. 

  53. 

  54.         <!-- Set the theme before any content is loaded, prevents flash -->
    55. 

  55.         <script type="text/javascript">
    56. 

  56.             var theme;
    57. 

  57.             try { theme = localStorage.getItem('mdbook-theme'); } catch(e) { }
    58. 

  58.             if (theme === null || theme === undefined) { theme = default_theme; }
    59. 

  59.             var html = document.querySelector('html');
    60. 

  60.             html.classList.remove('no-js')
    61. 

  61.             html.classList.remove('light')
    62. 

  62.             html.classList.add(theme);
    63. 

  63.             html.classList.add('js');
    64. 

  64.         </script>
    65. 

  65. 

  66.         <!-- Hide / unhide sidebar before it is displayed -->
    67. 

  67.         <script type="text/javascript">
    68. 

  68.             var html = document.querySelector('html');
    69. 

  69.             var sidebar = 'hidden';
    70. 

  70.             if (document.body.clientWidth >= 1080) {
    71. 

  71.                 try { sidebar = localStorage.getItem('mdbook-sidebar'); } catch(e) { }
    72. 

  72.                 sidebar = sidebar || 'visible';
    73. 

  73.             }
    74. 

  74.             html.classList.remove('sidebar-visible');
    75. 

  75.             html.classList.add("sidebar-" + sidebar);
    76. 

  76.         </script>
    77. 

  77. 

  78.         <nav id="sidebar" class="sidebar" aria-label="Table of contents">
    79. 

  79.             <div class="sidebar-scrollbox">
    80. 

  80.                 <ol class="chapter"><li class="chapter-item expanded affix "><li class="part-title">Introduction</li><li class="chapter-item expanded "><a href="welcome_and_overview.html">Welcome and Overview</a></li><li class="chapter-item expanded affix "><li class="part-title">Setup</li><li class="chapter-item expanded "><a href="setup/installation.html">Installation</a></li><li class="chapter-item expanded "><a href="postgres.html">Using Postgres</a></li><li class="chapter-item expanded "><a href="reverse_proxy.html" class="active">Configuring a Reverse Proxy</a></li><li class="chapter-item expanded "><a href="setup/forward_proxy.html">Configuring a Forward/Outbound Proxy</a></li><li class="chapter-item expanded "><a href="turn-howto.html">Configuring a Turn Server</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="setup/turn/coturn.html">coturn TURN server</a></li><li class="chapter-item expanded "><a href="setup/turn/eturnal.html">eturnal TURN server</a></li></ol></li><li class="chapter-item expanded "><a href="delegate.html">Delegation</a></li><li class="chapter-item expanded affix "><li class="part-title">Upgrading</li><li class="chapter-item expanded "><a href="upgrade.html">Upgrading between Synapse Versions</a></li><li class="chapter-item expanded affix "><li class="part-title">Usage</li><li class="chapter-item expanded "><a href="federate.html">Federation</a></li><li class="chapter-item expanded "><a href="usage/configuration/index.html">Configuration</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="usage/configuration/config_documentation.html">Configuration Manual</a></li><li class="chapter-item expanded "><a href="usage/configuration/homeserver_sample_config.html">Homeserver Sample Config File</a></li><li class="chapter-item expanded "><a href="usage/configuration/logging_sample_config.html">Logging Sample Config File</a></li><li class="chapter-item expanded "><a href="structured_logging.html">Structured Logging</a></li><li class="chapter-item expanded "><a href="templates.html">Templates</a></li><li class="chapter-item expanded "><a href="usage/configuration/user_authentication/index.html">User Authentication</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="usage/configuration/user_authentication/single_sign_on/index.html">Single-Sign On</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="openid.html">OpenID Connect</a></li><li class="chapter-item expanded "><a href="usage/configuration/user_authentication/single_sign_on/saml.html">SAML</a></li><li class="chapter-item expanded "><a href="usage/configuration/user_authentication/single_sign_on/cas.html">CAS</a></li><li class="chapter-item expanded "><a href="sso_mapping_providers.html">SSO Mapping Providers</a></li></ol></li><li class="chapter-item expanded "><a href="password_auth_providers.html">Password Auth Providers</a></li><li class="chapter-item expanded "><a href="jwt.html">JSON Web Tokens</a></li><li class="chapter-item expanded "><a href="usage/configuration/user_authentication/refresh_tokens.html">Refresh Tokens</a></li></ol></li><li class="chapter-item expanded "><a href="CAPTCHA_SETUP.html">Registration Captcha</a></li><li class="chapter-item expanded "><a href="application_services.html">Application Services</a></li><li class="chapter-item expanded "><a href="server_notices.html">Server Notices</a></li><li class="chapter-item expanded "><a href="consent_tracking.html">Consent Tracking</a></li><li class="chapter-item expanded "><a href="user_directory.html">User Directory</a></li><li class="chapter-item expanded "><a href="message_retention_policies.html">Message Retention Policies</a></li><li class="chapter-item expanded "><a href="modules/index.html">Pluggable Modules</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="modules/writing_a_module.html">Writing a module</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="modules/spam_checker_callbacks.html">Spam checker callbacks</a></li><li class="chapter-item expanded "><a href="modules/third_party_rules_callbacks.html">Third-party rules callbacks</a></li><li class="chapter-item expanded "><a href="modules/presence_router_callbacks.html">Presence router callbacks</a></li><li class="chapter-item expanded "><a href="modules/account_validity_callbacks.html">Account validity callbacks</a></li><li class="chapter-item expanded "><a href="modules/password_auth_provider_callbacks.html">Password auth provider callbacks</a></li><li class="chapter-item expanded "><a href="modules/background_update_controller_callbacks.html">Background update controller callbacks</a></li><li class="chapter-item expanded "><a href="modules/account_data_callbacks.html">Account data callbacks</a></li><li class="chapter-item expanded "><a href="modules/add_extra_fields_to_client_events_unsigned.html">Add extra fields to client events unsigned section callbacks</a></li><li class="chapter-item expanded "><a href="modules/porting_legacy_module.html">Porting a legacy module to the new interface</a></li></ol></li></ol></li><li class="chapter-item expanded "><a href="workers.html">Workers</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="synctl_workers.html">Using synctl with Workers</a></li><li class="chapter-item expanded "><a href="systemd-with-workers/index.html">Systemd</a></li></ol></li></ol></li><li class="chapter-item expanded "><a href="usage/administration/index.html">Administration</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="usage/administration/admin_api/index.html">Admin API</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="admin_api/account_validity.html">Account Validity</a></li><li class="chapter-item expanded "><a href="usage/administration/admin_api/background_updates.html">Background Updates</a></li><li class="chapter-item expanded "><a href="admin_api/event_reports.html">Event Reports</a></li><li class="chapter-item expanded "><a href="admin_api/experimental_features.html">Experimental Features</a></li><li class="chapter-item expanded "><a href="admin_api/media_admin_api.html">Media</a></li><li class="chapter-item expanded "><a href="admin_api/purge_history_api.html">Purge History</a></li><li class="chapter-item expanded "><a href="admin_api/register_api.html">Register Users</a></li><li class="chapter-item expanded "><a href="usage/administration/admin_api/registration_tokens.html">Registration Tokens</a></li><li class="chapter-item expanded "><a href="admin_api/room_membership.html">Manipulate Room Membership</a></li><li class="chapter-item expanded "><a href="admin_api/rooms.html">Rooms</a></li><li class="chapter-item expanded "><a href="admin_api/server_notices.html">Server Notices</a></li><li class="chapter-item expanded "><a href="admin_api/statistics.html">Statistics</a></li><li class="chapter-item expanded "><a href="admin_api/user_admin_api.html">Users</a></li><li class="chapter-item expanded "><a href="admin_api/version_api.html">Server Version</a></li><li class="chapter-item expanded "><a href="usage/administration/admin_api/federation.html">Federation</a></li></ol></li><li class="chapter-item expanded "><a href="manhole.html">Manhole</a></li><li class="chapter-item expanded "><a href="metrics-howto.html">Monitoring</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="usage/administration/monitoring/reporting_homeserver_usage_statistics.html">Reporting Homeserver Usage Statistics</a></li></ol></li><li class="chapter-item expanded "><a href="usage/administration/monthly_active_users.html">Monthly Active Users</a></li><li class="chapter-item expanded "><a href="usage/administration/understanding_synapse_through_grafana_graphs.html">Understanding Synapse Through Grafana Graphs</a></li><li class="chapter-item expanded "><a href="usage/administration/useful_sql_for_admins.html">Useful SQL for Admins</a></li><li class="chapter-item expanded "><a href="usage/administration/database_maintenance_tools.html">Database Maintenance Tools</a></li><li class="chapter-item expanded "><a href="usage/administration/state_groups.html">State Groups</a></li><li class="chapter-item expanded "><a href="usage/administration/request_log.html">Request log format</a></li><li class="chapter-item expanded "><a href="usage/administration/admin_faq.html">Admin FAQ</a></li><li class="chapter-item expanded "><div>Scripts</div></li></ol></li><li class="chapter-item expanded "><li class="part-title">Development</li><li class="chapter-item expanded "><a href="development/contributing_guide.html">Contributing Guide</a></li><li class="chapter-item expanded "><a href="code_style.html">Code Style</a></li><li class="chapter-item expanded "><a href="development/reviews.html">Reviewing Code</a></li><li class="chapter-item expanded "><a href="development/releases.html">Release Cycle</a></li><li class="chapter-item expanded "><a href="development/git.html">Git Usage</a></li><li class="chapter-item expanded "><div>Testing</div></li><li><ol class="section"><li class="chapter-item expanded "><a href="development/demo.html">Demo scripts</a></li></ol></li><li class="chapter-item expanded "><a href="opentracing.html">OpenTracing</a></li><li class="chapter-item expanded "><a href="development/database_schema.html">Database Schemas</a></li><li class="chapter-item expanded "><a href="development/experimental_features.html">Experimental features</a></li><li class="chapter-item expanded "><a href="development/dependencies.html">Dependency management</a></li><li class="chapter-item expanded "><div>Synapse Architecture</div></li><li><ol class="section"><li class="chapter-item expanded "><a href="development/synapse_architecture/cancellation.html">Cancellation</a></li><li class="chapter-item expanded "><a href="log_contexts.html">Log Contexts</a></li><li class="chapter-item expanded "><a href="replication.html">Replication</a></li><li class="chapter-item expanded "><a href="development/synapse_architecture/streams.html">Streams</a></li><li class="chapter-item expanded "><a href="tcp_replication.html">TCP Replication</a></li><li class="chapter-item expanded "><a href="development/synapse_architecture/faster_joins.html">Faster remote joins</a></li></ol></li><li class="chapter-item expanded "><a href="development/internal_documentation/index.html">Internal Documentation</a></li><li><ol class="section"><li class="chapter-item expanded "><div>Single Sign-On</div></li><li><ol class="section"><li class="chapter-item expanded "><a href="development/saml.html">SAML</a></li><li class="chapter-item expanded "><a href="development/cas.html">CAS</a></li></ol></li><li class="chapter-item expanded "><a href="development/room-dag-concepts.html">Room DAG concepts</a></li><li class="chapter-item expanded "><div>State Resolution</div></li><li><ol class="section"><li class="chapter-item expanded "><a href="auth_chain_difference_algorithm.html">The Auth Chain Difference Algorithm</a></li></ol></li><li class="chapter-item expanded "><a href="media_repository.html">Media Repository</a></li><li class="chapter-item expanded "><a href="room_and_user_statistics.html">Room and User Statistics</a></li></ol></li><li class="chapter-item expanded "><div>Scripts</div></li><li class="chapter-item expanded affix "><li class="part-title">Other</li><li class="chapter-item expanded "><a href="deprecation_policy.html">Dependency Deprecation Policy</a></li><li class="chapter-item expanded "><a href="other/running_synapse_on_single_board_computers.html">Running Synapse on a Single-Board Computer</a></li></ol>
    81. 

  81.             </div>
    82. 

  82.             <div id="sidebar-resize-handle" class="sidebar-resize-handle"></div>
    83. 

  83.         </nav>
    84. 

  84. 

  85.         <div id="page-wrapper" class="page-wrapper">
    86. 

  86. 

  87.             <div class="page">
    88. 

  88.                 <div id="menu-bar-hover-placeholder"></div>
    89. 

  89.                 <div id="menu-bar" class="menu-bar sticky bordered">
    90. 

  90.                     <div class="left-buttons">
    91. 

  91.                         <button id="sidebar-toggle" class="icon-button" type="button" title="Toggle Table of Contents" aria-label="Toggle Table of Contents" aria-controls="sidebar">
    92. 

  92.                             <i class="fa fa-bars"></i>
    93. 

  93.                         </button>
    94. 

  94.                         <button id="theme-toggle" class="icon-button" type="button" title="Change theme" aria-label="Change theme" aria-haspopup="true" aria-expanded="false" aria-controls="theme-list">
    95. 

  95.                             <i class="fa fa-paint-brush"></i>
    96. 

  96.                         </button>
    97. 

  97.                         <ul id="theme-list" class="theme-popup" aria-label="Themes" role="menu">
    98. 

  98.                             <li role="none"><button role="menuitem" class="theme" id="light">Light (default)</button></li>
    99. 

  99.                             <li role="none"><button role="menuitem" class="theme" id="rust">Rust</button></li>
    100. 

  100.                             <li role="none"><button role="menuitem" class="theme" id="coal">Coal</button></li>
    101. 

  101.                             <li role="none"><button role="menuitem" class="theme" id="navy">Navy</button></li>
    102. 

  102.                             <li role="none"><button role="menuitem" class="theme" id="ayu">Ayu</button></li>
    103. 

  103.                         </ul>
    104. 

  104.                         <button id="search-toggle" class="icon-button" type="button" title="Search. (Shortkey: s)" aria-label="Toggle Searchbar" aria-expanded="false" aria-keyshortcuts="S" aria-controls="searchbar">
    105. 

  105.                             <i class="fa fa-search"></i>
    106. 

  106.                         </button>
    107. 

  107.                         <div class="version-picker">
    108. 

  108.                             <div class="dropdown">
    109. 

  109.                                 <div class="select">
    110. 

  110.                                     <span></span>
    111. 

  111.                                     <i class="fa fa-chevron-down"></i>
    112. 

  112.                                 </div>
    113. 

  113.                                 <input type="hidden" name="version">
    114. 

  114.                                 <ul class="dropdown-menu">
    115. 

  115.                                     <!-- Versions will be added dynamically in version-picker.js -->
    116. 

  116.                                 </ul>
    117. 

  117.                             </div>
    118. 

  118.                         </div>
    119. 

  119.                     </div>
    120. 

  120. 

  121.                     <h1 class="menu-title">Synapse</h1>
    122. 

  122. 

  123.                     <div class="right-buttons">
    124. 

  124.                         <a href="print.html" title="Print this book" aria-label="Print this book">
    125. 

  125.                             <i id="print-button" class="fa fa-print"></i>
    126. 

  126.                         </a>
    127. 

  127.                         <a href="https://github.com/matrix-org/synapse" title="Git repository" aria-label="Git repository">
    128. 

  128.                             <i id="git-repository-button" class="fa fa-github"></i>
    129. 

  129.                         </a>
    130. 

  130.                         <a href="https://github.com/matrix-org/synapse/edit/develop/docs/reverse_proxy.md" title="Suggest an edit" aria-label="Suggest an edit">
    131. 

  131.                             <i id="git-edit-button" class="fa fa-edit"></i>
    132. 

  132.                         </a>
    133. 

  133.                     </div>
    134. 

  134.                 </div>
    135. 

  135. 

  136.                 <div id="search-wrapper" class="hidden">
    137. 

  137.                     <form id="searchbar-outer" class="searchbar-outer">
    138. 

  138.                         <input type="search" id="searchbar" name="searchbar" placeholder="Search this book ..." aria-controls="searchresults-outer" aria-describedby="searchresults-header">
    139. 

  139.                     </form>
    140. 

  140.                     <div id="searchresults-outer" class="searchresults-outer hidden">
    141. 

  141.                         <div id="searchresults-header" class="searchresults-header"></div>
    142. 

  142.                         <ul id="searchresults">
    143. 

  143.                         </ul>
    144. 

  144.                     </div>
    145. 

  145.                 </div>
    146. 

  146.                 <!-- Apply ARIA attributes after the sidebar and the sidebar toggle button are added to the DOM -->
    147. 

  147.                 <script type="text/javascript">
    148. 

  148.                     document.getElementById('sidebar-toggle').setAttribute('aria-expanded', sidebar === 'visible');
    149. 

  149.                     document.getElementById('sidebar').setAttribute('aria-hidden', sidebar !== 'visible');
    150. 

  150.                     Array.from(document.querySelectorAll('#sidebar a')).forEach(function(link) {
    151. 

  151.                         link.setAttribute('tabIndex', sidebar === 'visible' ? 0 : -1);
    152. 

  152.                     });
    153. 

  153.                 </script>
    154. 

  154. 

  155.                 <div id="content" class="content">
    156. 

  156.                     <main>
    157. 

  157.                         <!-- Page table of contents -->
    158. 

  158.                         <div class="sidetoc">
    159. 

  159.                             <nav class="pagetoc"></nav>
    160. 

  160.                         </div>
    161. 

  161. 

  162.                         <h1 id="using-a-reverse-proxy-with-synapse"><a class="header" href="#using-a-reverse-proxy-with-synapse">Using a reverse proxy with Synapse</a></h1>
    163. 

  163. <p>It is recommended to put a reverse proxy such as
    164. 

  164. <a href="https://nginx.org/en/docs/http/ngx_http_proxy_module.html">nginx</a>,
    165. 

  165. <a href="https://httpd.apache.org/docs/current/mod/mod_proxy_http.html">Apache</a>,
    166. 

  166. <a href="https://caddyserver.com/docs/quick-starts/reverse-proxy">Caddy</a>,
    167. 

  167. <a href="https://www.haproxy.org/">HAProxy</a> or
    168. 

  168. <a href="https://man.openbsd.org/relayd.8">relayd</a> in front of Synapse. One advantage
    169. 

  169. of doing so is that it means that you can expose the default https port
    170. 

  170. (443) to Matrix clients without needing to run Synapse with root
    171. 

  171. privileges.</p>
    172. 

  172. <p>You should configure your reverse proxy to forward requests to <code>/_matrix</code> or
    173. 

  173. <code>/_synapse/client</code> to Synapse, and have it set the <code>X-Forwarded-For</code> and
    174. 

  174. <code>X-Forwarded-Proto</code> request headers.</p>
    175. 

  175. <p>You should remember that Matrix clients and other Matrix servers do not
    176. 

  176. necessarily need to connect to your server via the same server name or
    177. 

  177. port. Indeed, clients will use port 443 by default, whereas servers default to
    178. 

  178. port 8448. Where these are different, we refer to the 'client port' and the
    179. 

  179. 'federation port'. See <a href="https://matrix.org/docs/spec/server_server/latest#resolving-server-names">the Matrix
    180. 

  180. specification</a>
    181. 

  181. for more details of the algorithm used for federation connections, and
    182. 

  182. <a href="delegate.html">Delegation</a> for instructions on setting up delegation.</p>
    183. 

  183. <p><strong>NOTE</strong>: Your reverse proxy must not <code>canonicalise</code> or <code>normalise</code>
    184. 

  184. the requested URI in any way (for example, by decoding <code>%xx</code> escapes).
    185. 

  185. Beware that Apache <em>will</em> canonicalise URIs unless you specify
    186. 

  186. <code>nocanon</code>.</p>
    187. 

  187. <p>Let's assume that we expect clients to connect to our server at
    188. 

  188. <code>https://matrix.example.com</code>, and other servers to connect at
    189. 

  189. <code>https://example.com:8448</code>.  The following sections detail the configuration of
    190. 

  190. the reverse proxy and the homeserver.</p>
    191. 

  191. <h2 id="homeserver-configuration"><a class="header" href="#homeserver-configuration">Homeserver Configuration</a></h2>
    192. 

  192. <p>The HTTP configuration will need to be updated for Synapse to correctly record 
    193. 

  193. client IP addresses and generate redirect URLs while behind a reverse proxy. </p>
    194. 

  194. <p>In <code>homeserver.yaml</code> set <code>x_forwarded: true</code> in the port 8008 section and 
    195. 

  195. consider setting <code>bind_addresses: ['127.0.0.1']</code> so that the server only
    196. 

  196. listens to traffic on localhost. (Do not change <code>bind_addresses</code> to <code>127.0.0.1</code> 
    197. 

  197. when using a containerized Synapse, as that will prevent it from responding
    198. 

  198. to proxied traffic.)</p>
    199. 

  199. <p>Optionally, you can also set
    200. 

  200. <a href="./usage/configuration/config_documentation.html#listeners"><code>request_id_header</code></a>
    201. 

  201. so that the server extracts and re-uses the same request ID format that the
    202. 

  202. reverse proxy is using.</p>
    203. 

  203. <h2 id="reverse-proxy-configuration-examples"><a class="header" href="#reverse-proxy-configuration-examples">Reverse-proxy configuration examples</a></h2>
    204. 

  204. <p><strong>NOTE</strong>: You only need one of these.</p>
    205. 

  205. <h3 id="nginx"><a class="header" href="#nginx">nginx</a></h3>
    206. 

  206. <pre><code class="language-nginx">server {
    207. 

  207.     listen 443 ssl http2;
    208. 

  208.     listen [::]:443 ssl http2;
    209. 

  209. 

  210.     # For the federation port
    211. 

  211.     listen 8448 ssl http2 default_server;
    212. 

  212.     listen [::]:8448 ssl http2 default_server;
    213. 

  213. 

  214.     server_name matrix.example.com;
    215. 

  215. 

  216.     location ~ ^(/_matrix|/_synapse/client) {
    217. 

  217.         # note: do not add a path (even a single /) after the port in `proxy_pass`,
    218. 

  218.         # otherwise nginx will canonicalise the URI and cause signature verification
    219. 

  219.         # errors.
    220. 

  220.         proxy_pass http://localhost:8008;
    221. 

  221.         proxy_set_header X-Forwarded-For $remote_addr;
    222. 

  222.         proxy_set_header X-Forwarded-Proto $scheme;
    223. 

  223.         proxy_set_header Host $host;
    224. 

  224. 

  225.         # Nginx by default only allows file uploads up to 1M in size
    226. 

  226.         # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
    227. 

  227.         client_max_body_size 50M;
    228. 

  228. 	
    229. 

  229. 	# Synapse responses may be chunked, which is an HTTP/1.1 feature.
    230. 

  230. 	proxy_http_version 1.1;
    231. 

  231.     }
    232. 

  232. }
    233. 

  233. </code></pre>
    234. 

  234. <h3 id="caddy-v2"><a class="header" href="#caddy-v2">Caddy v2</a></h3>
    235. 

  235. <pre><code>matrix.example.com {
    236. 

  236.   reverse_proxy /_matrix/* localhost:8008
    237. 

  237.   reverse_proxy /_synapse/client/* localhost:8008
    238. 

  238. }
    239. 

  239. 

  240. example.com:8448 {
    241. 

  241.   reverse_proxy /_matrix/* localhost:8008
    242. 

  242. }
    243. 

  243. </code></pre>
    244. 

  244. <p><a href="delegate.html">Delegation</a> example:</p>
    245. 

  245. <pre><code>example.com {
    246. 

  246. 	header /.well-known/matrix/* Content-Type application/json
    247. 

  247. 	header /.well-known/matrix/* Access-Control-Allow-Origin *
    248. 

  248. 	respond /.well-known/matrix/server `{&quot;m.server&quot;: &quot;matrix.example.com:443&quot;}`
    249. 

  249. 	respond /.well-known/matrix/client `{&quot;m.homeserver&quot;:{&quot;base_url&quot;:&quot;https://matrix.example.com&quot;},&quot;m.identity_server&quot;:{&quot;base_url&quot;:&quot;https://identity.example.com&quot;}}`
    250. 

  250. }
    251. 

  251. 

  252. matrix.example.com {
    253. 

  253.     reverse_proxy /_matrix/* localhost:8008
    254. 

  254.     reverse_proxy /_synapse/client/* localhost:8008
    255. 

  255. }
    256. 

  256. </code></pre>
    257. 

  257. <h3 id="apache"><a class="header" href="#apache">Apache</a></h3>
    258. 

  258. <pre><code class="language-apache">&lt;VirtualHost *:443&gt;
    259. 

  259.     SSLEngine on
    260. 

  260.     ServerName matrix.example.com
    261. 

  261. 

  262.     RequestHeader set &quot;X-Forwarded-Proto&quot; expr=%{REQUEST_SCHEME}
    263. 

  263.     AllowEncodedSlashes NoDecode
    264. 

  264.     ProxyPreserveHost on
    265. 

  265.     ProxyPass /_matrix http://127.0.0.1:8008/_matrix nocanon
    266. 

  266.     ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix
    267. 

  267.     ProxyPass /_synapse/client http://127.0.0.1:8008/_synapse/client nocanon
    268. 

  268.     ProxyPassReverse /_synapse/client http://127.0.0.1:8008/_synapse/client
    269. 

  269. &lt;/VirtualHost&gt;
    270. 

  270. 

  271. &lt;VirtualHost *:8448&gt;
    272. 

  272.     SSLEngine on
    273. 

  273.     ServerName example.com
    274. 

  274. 

  275.     RequestHeader set &quot;X-Forwarded-Proto&quot; expr=%{REQUEST_SCHEME}
    276. 

  276.     AllowEncodedSlashes NoDecode
    277. 

  277.     ProxyPass /_matrix http://127.0.0.1:8008/_matrix nocanon
    278. 

  278.     ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix
    279. 

  279. &lt;/VirtualHost&gt;
    280. 

  280. </code></pre>
    281. 

  281. <p><strong>NOTE</strong>: ensure the  <code>nocanon</code> options are included.</p>
    282. 

  282. <p><strong>NOTE 2</strong>: It appears that Synapse is currently incompatible with the ModSecurity module for Apache (<code>mod_security2</code>). If you need it enabled for other services on your web server, you can disable it for Synapse's two VirtualHosts by including the following lines before each of the two <code>&lt;/VirtualHost&gt;</code> above:</p>
    283. 

  283. <pre><code class="language-apache">&lt;IfModule security2_module&gt;
    284. 

  284.     SecRuleEngine off
    285. 

  285. &lt;/IfModule&gt;
    286. 

  286. </code></pre>
    287. 

  287. <p><strong>NOTE 3</strong>: Missing <code>ProxyPreserveHost on</code> can lead to a redirect loop.</p>
    288. 

  288. <h3 id="haproxy"><a class="header" href="#haproxy">HAProxy</a></h3>
    289. 

  289. <pre><code>frontend https
    290. 

  290.   bind *:443,[::]:443 ssl crt /etc/ssl/haproxy/ strict-sni alpn h2,http/1.1
    291. 

  291.   http-request set-header X-Forwarded-Proto https if { ssl_fc }
    292. 

  292.   http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
    293. 

  293.   http-request set-header X-Forwarded-For %[src]
    294. 

  294. 

  295.   # Matrix client traffic
    296. 

  296.   acl matrix-host hdr(host) -i matrix.example.com matrix.example.com:443
    297. 

  297.   acl matrix-path path_beg /_matrix
    298. 

  298.   acl matrix-path path_beg /_synapse/client
    299. 

  299. 

  300.   use_backend matrix if matrix-host matrix-path
    301. 

  301. 

  302. frontend matrix-federation
    303. 

  303.   bind *:8448,[::]:8448 ssl crt /etc/ssl/haproxy/synapse.pem alpn h2,http/1.1
    304. 

  304.   http-request set-header X-Forwarded-Proto https if { ssl_fc }
    305. 

  305.   http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
    306. 

  306.   http-request set-header X-Forwarded-For %[src]
    307. 

  307. 

  308.   default_backend matrix
    309. 

  309. 

  310. backend matrix
    311. 

  311.   server matrix 127.0.0.1:8008
    312. 

  312. </code></pre>
    313. 

  313. <p>Example configuration, if using a UNIX socket. The configuration lines regarding the frontends do not need to be modified.</p>
    314. 

  314. <pre><code>backend matrix
    315. 

  315.   server matrix unix@/run/synapse/main_public.sock
    316. 

  316. </code></pre>
    317. 

  317. <p><a href="delegate.html">Delegation</a> example:</p>
    318. 

  318. <pre><code>frontend https
    319. 

  319.   acl matrix-well-known-client-path path /.well-known/matrix/client
    320. 

  320.   acl matrix-well-known-server-path path /.well-known/matrix/server
    321. 

  321.   use_backend matrix-well-known-client if matrix-well-known-client-path
    322. 

  322.   use_backend matrix-well-known-server if matrix-well-known-server-path
    323. 

  323.  
    324. 

  324. backend matrix-well-known-client
    325. 

  325.   http-after-response set-header Access-Control-Allow-Origin &quot;*&quot;
    326. 

  326.   http-after-response set-header Access-Control-Allow-Methods &quot;GET, POST, PUT, DELETE, OPTIONS&quot;
    327. 

  327.   http-after-response set-header Access-Control-Allow-Headers &quot;Origin, X-Requested-With, Content-Type, Accept, Authorization&quot;
    328. 

  328.   http-request return status 200 content-type application/json string '{&quot;m.homeserver&quot;:{&quot;base_url&quot;:&quot;https://matrix.example.com&quot;},&quot;m.identity_server&quot;:{&quot;base_url&quot;:&quot;https://identity.example.com&quot;}}'
    329. 

  329. 

  330. backend matrix-well-known-server
    331. 

  331.   http-after-response set-header Access-Control-Allow-Origin &quot;*&quot;
    332. 

  332.   http-after-response set-header Access-Control-Allow-Methods &quot;GET, POST, PUT, DELETE, OPTIONS&quot;
    333. 

  333.   http-after-response set-header Access-Control-Allow-Headers &quot;Origin, X-Requested-With, Content-Type, Accept, Authorization&quot;
    334. 

  334.   http-request return status 200 content-type application/json string '{&quot;m.server&quot;:&quot;matrix.example.com:443&quot;}'
    335. 

  335. </code></pre>
    336. 

  336. <h3 id="relayd"><a class="header" href="#relayd">Relayd</a></h3>
    337. 

  337. <pre><code>table &lt;webserver&gt;    { 127.0.0.1 }
    338. 

  338. table &lt;matrixserver&gt; { 127.0.0.1 }
    339. 

  339. 

  340. http protocol &quot;https&quot; {
    341. 

  341.     tls { no tlsv1.0, ciphers &quot;HIGH&quot; }
    342. 

  342.     tls keypair &quot;example.com&quot;
    343. 

  343.     match header set &quot;X-Forwarded-For&quot;   value &quot;$REMOTE_ADDR&quot;
    344. 

  344.     match header set &quot;X-Forwarded-Proto&quot; value &quot;https&quot;
    345. 

  345. 

  346.     # set CORS header for .well-known/matrix/server, .well-known/matrix/client
    347. 

  347.     # httpd does not support setting headers, so do it here
    348. 

  348.     match request path &quot;/.well-known/matrix/*&quot; tag &quot;matrix-cors&quot;
    349. 

  349.     match response tagged &quot;matrix-cors&quot; header set &quot;Access-Control-Allow-Origin&quot; value &quot;*&quot;
    350. 

  350. 

  351.     pass quick path &quot;/_matrix/*&quot;         forward to &lt;matrixserver&gt;
    352. 

  352.     pass quick path &quot;/_synapse/client/*&quot; forward to &lt;matrixserver&gt;
    353. 

  353. 

  354.     # pass on non-matrix traffic to webserver
    355. 

  355.     pass                                 forward to &lt;webserver&gt;
    356. 

  356. }
    357. 

  357. 

  358. relay &quot;https_traffic&quot; {
    359. 

  359.     listen on egress port 443 tls
    360. 

  360.     protocol &quot;https&quot;
    361. 

  361.     forward to &lt;matrixserver&gt; port 8008 check tcp
    362. 

  362.     forward to &lt;webserver&gt;    port 8080 check tcp
    363. 

  363. }
    364. 

  364. 

  365. http protocol &quot;matrix&quot; {
    366. 

  366.     tls { no tlsv1.0, ciphers &quot;HIGH&quot; }
    367. 

  367.     tls keypair &quot;example.com&quot;
    368. 

  368.     block
    369. 

  369.     pass quick path &quot;/_matrix/*&quot;         forward to &lt;matrixserver&gt;
    370. 

  370.     pass quick path &quot;/_synapse/client/*&quot; forward to &lt;matrixserver&gt;
    371. 

  371. }
    372. 

  372. 

  373. relay &quot;matrix_federation&quot; {
    374. 

  374.     listen on egress port 8448 tls
    375. 

  375.     protocol &quot;matrix&quot;
    376. 

  376.     forward to &lt;matrixserver&gt; port 8008 check tcp
    377. 

  377. }
    378. 

  378. </code></pre>
    379. 

  379. <h2 id="health-check-endpoint"><a class="header" href="#health-check-endpoint">Health check endpoint</a></h2>
    380. 

  380. <p>Synapse exposes a health check endpoint for use by reverse proxies.
    381. 

  381. Each configured HTTP listener has a <code>/health</code> endpoint which always returns
    382. 

  382. 200 OK (and doesn't get logged).</p>
    383. 

  383. <h2 id="synapse-administration-endpoints"><a class="header" href="#synapse-administration-endpoints">Synapse administration endpoints</a></h2>
    384. 

  384. <p>Endpoints for administering your Synapse instance are placed under
    385. 

  385. <code>/_synapse/admin</code>. These require authentication through an access token of an
    386. 

  386. admin user. However as access to these endpoints grants the caller a lot of power,
    387. 

  387. we do not recommend exposing them to the public internet without good reason.</p>
    388. 

  388. 

  389.                     </main>
    390. 

  390. 

  391.                     <nav class="nav-wrapper" aria-label="Page navigation">
    392. 

  392.                         <!-- Mobile navigation buttons -->
    393. 

  393.                             <a rel="prev" href="postgres.html" class="mobile-nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
    394. 

  394.                                 <i class="fa fa-angle-left"></i>
    395. 

  395.                             </a>
    396. 

  396.                             <a rel="next" href="setup/forward_proxy.html" class="mobile-nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
    397. 

  397.                                 <i class="fa fa-angle-right"></i>
    398. 

  398.                             </a>
    399. 

  399.                         <div style="clear: both"></div>
    400. 

  400.                     </nav>
    401. 

  401.                 </div>
    402. 

  402.             </div>
    403. 

  403. 

  404.             <nav class="nav-wide-wrapper" aria-label="Page navigation">
    405. 

  405.                     <a rel="prev" href="postgres.html" class="nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
    406. 

  406.                         <i class="fa fa-angle-left"></i>
    407. 

  407.                     </a>
    408. 

  408.                     <a rel="next" href="setup/forward_proxy.html" class="nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
    409. 

  409.                         <i class="fa fa-angle-right"></i>
    410. 

  410.                     </a>
    411. 

  411.             </nav>
    412. 

  412. 

  413.         </div>
    414. 

  414. 

  415.         <script type="text/javascript">
    416. 

  416.             window.playground_copyable = true;
    417. 

  417.         </script>
    418. 

  418.         <script src="elasticlunr.min.js" type="text/javascript" charset="utf-8"></script>
    419. 

  419.         <script src="mark.min.js" type="text/javascript" charset="utf-8"></script>
    420. 

  420.         <script src="searcher.js" type="text/javascript" charset="utf-8"></script>
    421. 

  421.         <script src="clipboard.min.js" type="text/javascript" charset="utf-8"></script>
    422. 

  422.         <script src="highlight.js" type="text/javascript" charset="utf-8"></script>
    423. 

  423.         <script src="book.js" type="text/javascript" charset="utf-8"></script>
    424. 

  424. 

  425.         <!-- Custom JS scripts -->
    426. 

  426.         <script type="text/javascript" src="docs/website_files/table-of-contents.js"></script>
    427. 

  427.         <script type="text/javascript" src="docs/website_files/version-picker.js"></script>
    428. 

  428.         <script type="text/javascript" src="docs/website_files/version.js"></script>
    429. 

  429.     </body>
    430. 

  430. </html>
    431.