reverse_proxy.rst 3.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106
  1. Using a reverse proxy with Synapse
  2. ==================================
  3. It is recommended to put a reverse proxy such as
  4. `nginx <https://nginx.org/en/docs/http/ngx_http_proxy_module.html>`_,
  5. `Apache <https://httpd.apache.org/docs/current/mod/mod_proxy_http.html>`_,
  6. `Caddy <https://caddyserver.com/docs/proxy>`_ or
  7. `HAProxy <https://www.haproxy.org/>`_ in front of Synapse. One advantage of
  8. doing so is that it means that you can expose the default https port (443) to
  9. Matrix clients without needing to run Synapse with root privileges.
  10. **NOTE**: Your reverse proxy must not 'canonicalise' or 'normalise' the
  11. requested URI in any way (for example, by decoding ``%xx`` escapes). Beware
  12. that Apache *will* canonicalise URIs unless you specifify ``nocanon``.
  13. When setting up a reverse proxy, remember that Matrix clients and other Matrix
  14. servers do not necessarily need to connect to your server via the same server
  15. name or port. Indeed, clients will use port 443 by default, whereas servers
  16. default to port 8448. Where these are different, we refer to the 'client port'
  17. and the 'federation port'. See `Setting up federation
  18. <federate.md>`_ for more details of the algorithm used for
  19. federation connections.
  20. Let's assume that we expect clients to connect to our server at
  21. ``https://matrix.example.com``, and other servers to connect at
  22. ``https://example.com:8448``. Here are some example configurations:
  23. * nginx::
  24. server {
  25. listen 443 ssl;
  26. listen [::]:443 ssl;
  27. server_name matrix.example.com;
  28. location /_matrix {
  29. proxy_pass http://localhost:8008;
  30. proxy_set_header X-Forwarded-For $remote_addr;
  31. }
  32. }
  33. server {
  34. listen 8448 ssl default_server;
  35. listen [::]:8448 ssl default_server;
  36. server_name example.com;
  37. location / {
  38. proxy_pass http://localhost:8008;
  39. proxy_set_header X-Forwarded-For $remote_addr;
  40. }
  41. }
  42. * Caddy::
  43. matrix.example.com {
  44. proxy /_matrix http://localhost:8008 {
  45. transparent
  46. }
  47. }
  48. example.com:8448 {
  49. proxy / http://localhost:8008 {
  50. transparent
  51. }
  52. }
  53. * Apache (note the ``nocanon`` options here!)::
  54. <VirtualHost *:443>
  55. SSLEngine on
  56. ServerName matrix.example.com;
  57. ProxyPass /_matrix http://127.0.0.1:8008/_matrix nocanon
  58. ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix
  59. </VirtualHost>
  60. <VirtualHost *:8448>
  61. SSLEngine on
  62. ServerName example.com;
  63. ProxyPass /_matrix http://127.0.0.1:8008/_matrix nocanon
  64. ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix
  65. </VirtualHost>
  66. * HAProxy::
  67. frontend https
  68. bind :::443 v4v6 ssl crt /etc/ssl/haproxy/ strict-sni alpn h2,http/1.1
  69. # Matrix client traffic
  70. acl matrix hdr(host) -i matrix.example.com
  71. use_backend matrix if matrix
  72. frontend matrix-federation
  73. bind :::8448 v4v6 ssl crt /etc/ssl/haproxy/synapse.pem alpn h2,http/1.1
  74. default_backend matrix
  75. backend matrix
  76. server matrix 127.0.0.1:8008
  77. You will also want to set ``bind_addresses: ['127.0.0.1']`` and ``x_forwarded: true``
  78. for port 8008 in ``homeserver.yaml`` to ensure that client IP addresses are
  79. recorded correctly.
  80. Having done so, you can then use ``https://matrix.example.com`` (instead of
  81. ``https://matrix.example.com:8448``) as the "Custom server" when connecting to
  82. Synapse from a client.