forked-synapse/docs/reverse_proxy.rst

Using a reverse proxy with Synapse
==================================

It is recommended to put a reverse proxy such as
`nginx <https://nginx.org/en/docs/http/ngx_http_proxy_module.html>`_,
`Apache <https://httpd.apache.org/docs/current/mod/mod_proxy_http.html>`_,
`Caddy <https://caddyserver.com/docs/proxy>`_ or
`HAProxy <https://www.haproxy.org/>`_ in front of Synapse. One advantage of
doing so is that it means that you can expose the default https port (443) to
Matrix clients without needing to run Synapse with root privileges.

**NOTE**: Your reverse proxy must not 'canonicalise' or 'normalise' the
requested URI in any way (for example, by decoding ``%xx`` escapes). Beware
that Apache *will* canonicalise URIs unless you specifify ``nocanon``.

When setting up a reverse proxy, remember that Matrix clients and other Matrix
servers do not necessarily need to connect to your server via the same server
name or port. Indeed, clients will use port 443 by default, whereas servers
default to port 8448. Where these are different, we refer to the 'client port'
and the 'federation port'. See `Setting up federation
<federate.md>`_ for more details of the algorithm used for
federation connections.

Let's assume that we expect clients to connect to our server at
``https://matrix.example.com``, and other servers to connect at
``https://example.com:8448``. Here are some example configurations:

* nginx::

      server {
          listen 443 ssl;
          listen [::]:443 ssl;
          server_name matrix.example.com;

          location /_matrix {
              proxy_pass http://localhost:8008;
              proxy_set_header X-Forwarded-For $remote_addr;
          }
      }

      server {
          listen 8448 ssl default_server;
          listen [::]:8448 ssl default_server;
          server_name example.com;

          location / {
              proxy_pass http://localhost:8008;
              proxy_set_header X-Forwarded-For $remote_addr;
          }
      }

* Caddy::

      matrix.example.com {
        proxy /_matrix http://localhost:8008 {
          transparent
        }
      }

      example.com:8448 {
        proxy / http://localhost:8008 {
          transparent
        }
      }

* Apache (note the ``nocanon`` options here!)::

      <VirtualHost *:443>
          SSLEngine on
          ServerName matrix.example.com;

          AllowEncodedSlashes NoDecode
          ProxyPass /_matrix http://127.0.0.1:8008/_matrix nocanon
          ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix
      </VirtualHost>

      <VirtualHost *:8448>
          SSLEngine on
          ServerName example.com;
          
          AllowEncodedSlashes NoDecode
          ProxyPass /_matrix http://127.0.0.1:8008/_matrix nocanon
          ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix
      </VirtualHost>

* HAProxy::

      frontend https
        bind :::443 v4v6 ssl crt /etc/ssl/haproxy/ strict-sni alpn h2,http/1.1

        # Matrix client traffic
        acl matrix hdr(host) -i matrix.example.com
        use_backend matrix if matrix

      frontend matrix-federation
        bind :::8448 v4v6 ssl crt /etc/ssl/haproxy/synapse.pem alpn h2,http/1.1
        default_backend matrix

      backend matrix
        server matrix 127.0.0.1:8008

You will also want to set ``bind_addresses: ['127.0.0.1']`` and ``x_forwarded: true``
for port 8008 in ``homeserver.yaml`` to ensure that client IP addresses are
recorded correctly.

Having done so, you can then use ``https://matrix.example.com`` (instead of
``https://matrix.example.com:8448``) as the "Custom server" when connecting to
Synapse from a client.
Clarifications for reverse proxy docs (#4607) Factor out the reverse proxy info to a separate file, add some more info on reverse-proxying the federation port. 2019-02-11 06:44:28 -05:00			`Using a reverse proxy with Synapse`
			`==================================`

			`It is recommended to put a reverse proxy such as`
			`nginx <https://nginx.org/en/docs/http/ngx_http_proxy_module.html>`_,
			`Apache <https://httpd.apache.org/docs/current/mod/mod_proxy_http.html>`_,
			`Caddy <https://caddyserver.com/docs/proxy>`_ or
			`HAProxy <https://www.haproxy.org/>`_ in front of Synapse. One advantage of
			`doing so is that it means that you can expose the default https port (443) to`
			`Matrix clients without needing to run Synapse with root privileges.`

			`NOTE: Your reverse proxy must not 'canonicalise' or 'normalise' the`
			requested URI in any way (for example, by decoding ``%xx`` escapes). Beware
			that Apache will canonicalise URIs unless you specifify ``nocanon``.

			`When setting up a reverse proxy, remember that Matrix clients and other Matrix`
			`servers do not necessarily need to connect to your server via the same server`
			`name or port. Indeed, clients will use port 443 by default, whereas servers`
			`default to port 8448. Where these are different, we refer to the 'client port'`
			and the 'federation port'. See `Setting up federation
Repoint docs for federation (#4881) 2019-03-19 06:37:18 -04:00			<federate.md>`_ for more details of the algorithm used for
Clarifications for reverse proxy docs (#4607) Factor out the reverse proxy info to a separate file, add some more info on reverse-proxying the federation port. 2019-02-11 06:44:28 -05:00			`federation connections.`

			`Let's assume that we expect clients to connect to our server at`
			``https://matrix.example.com``, and other servers to connect at
			``https://example.com:8448``. Here are some example configurations:

			`* nginx::`

			`server {`
			`listen 443 ssl;`
			`listen [::]:443 ssl;`
			`server_name matrix.example.com;`

			`location /_matrix {`
			`proxy_pass http://localhost:8008;`
			`proxy_set_header X-Forwarded-For $remote_addr;`
			`}`
			`}`

			`server {`
			`listen 8448 ssl default_server;`
			`listen [::]:8448 ssl default_server;`
			`server_name example.com;`

			`location / {`
			`proxy_pass http://localhost:8008;`
			`proxy_set_header X-Forwarded-For $remote_addr;`
			`}`
			`}`

			`* Caddy::`

			`matrix.example.com {`
			`proxy /_matrix http://localhost:8008 {`
			`transparent`
			`}`
			`}`

			`example.com:8448 {`
			`proxy / http://localhost:8008 {`
			`transparent`
			`}`
			`}`

			* Apache (note the ``nocanon`` options here!)::

			`<VirtualHost *:443>`
			`SSLEngine on`
			`ServerName matrix.example.com;`

Add AllowEncodedSlashes to apache (#5068) * Add AllowEncodedSlashes to apache Add `AllowEncodedSlashes On` to apache config to support encoding for v3 rooms. "The AllowEncodedSlashes setting is not inherited by virtual hosts, and virtual hosts are used in many default Apache configurations, such as the one in Ubuntu. The workaround is to add the AllowEncodedSlashes setting inside a <VirtualHost> container (/etc/apache2/sites-available/default in Ubuntu)." Source: https://stackoverflow.com/questions/4390436/need-to-allow-encoded-slashes-on-apache * change allowencodedslashes to nodecode 2019-05-09 18:27:04 -04:00			`AllowEncodedSlashes NoDecode`
Update Apache Setup To Remove Location Syntax (#4870) This one should close #4841. Many thanks to @dev4223 for bringing it up and finding a solution. Signed-off-by: Colin White 2019-03-21 10:05:56 -04:00			`ProxyPass /_matrix http://127.0.0.1:8008/_matrix nocanon`
			`ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix`
Clarifications for reverse proxy docs (#4607) Factor out the reverse proxy info to a separate file, add some more info on reverse-proxying the federation port. 2019-02-11 06:44:28 -05:00			`</VirtualHost>`

			`<VirtualHost *:8448>`
			`SSLEngine on`
			`ServerName example.com;`
Update Apache Setup To Remove Location Syntax (#4870) This one should close #4841. Many thanks to @dev4223 for bringing it up and finding a solution. Signed-off-by: Colin White 2019-03-21 10:05:56 -04:00
Add AllowEncodedSlashes to apache (#5068) * Add AllowEncodedSlashes to apache Add `AllowEncodedSlashes On` to apache config to support encoding for v3 rooms. "The AllowEncodedSlashes setting is not inherited by virtual hosts, and virtual hosts are used in many default Apache configurations, such as the one in Ubuntu. The workaround is to add the AllowEncodedSlashes setting inside a <VirtualHost> container (/etc/apache2/sites-available/default in Ubuntu)." Source: https://stackoverflow.com/questions/4390436/need-to-allow-encoded-slashes-on-apache * change allowencodedslashes to nodecode 2019-05-09 18:27:04 -04:00			`AllowEncodedSlashes NoDecode`
Update Apache Setup To Remove Location Syntax (#4870) This one should close #4841. Many thanks to @dev4223 for bringing it up and finding a solution. Signed-off-by: Colin White 2019-03-21 10:05:56 -04:00			`ProxyPass /_matrix http://127.0.0.1:8008/_matrix nocanon`
			`ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix`
Clarifications for reverse proxy docs (#4607) Factor out the reverse proxy info to a separate file, add some more info on reverse-proxying the federation port. 2019-02-11 06:44:28 -05:00			`</VirtualHost>`

Added HAProxy example (#4660) * Added HAProxy example Proposal of an example with HAProxy. Asked by #4541. Signed-off-by: Benoît S. (“Benpro”) <gitlab@benpro.fr> * Following suggestions of @richvdh 2019-02-21 12:44:10 -05:00			`* HAProxy::`

			`frontend https`
Fix v4v6 option in HAProxy example config (#4790) The v4v6 option only has a usage one ipv6 socket: https://serverfault.com/q/747895 Signed-off-by: Flakebi <flakebi@t-online.de> 2019-03-04 08:19:41 -05:00			`bind :::443 v4v6 ssl crt /etc/ssl/haproxy/ strict-sni alpn h2,http/1.1`

Added HAProxy example (#4660) * Added HAProxy example Proposal of an example with HAProxy. Asked by #4541. Signed-off-by: Benoît S. (“Benpro”) <gitlab@benpro.fr> * Following suggestions of @richvdh 2019-02-21 12:44:10 -05:00			`# Matrix client traffic`
			`acl matrix hdr(host) -i matrix.example.com`
			`use_backend matrix if matrix`
Fix v4v6 option in HAProxy example config (#4790) The v4v6 option only has a usage one ipv6 socket: https://serverfault.com/q/747895 Signed-off-by: Flakebi <flakebi@t-online.de> 2019-03-04 08:19:41 -05:00
Added HAProxy example (#4660) * Added HAProxy example Proposal of an example with HAProxy. Asked by #4541. Signed-off-by: Benoît S. (“Benpro”) <gitlab@benpro.fr> * Following suggestions of @richvdh 2019-02-21 12:44:10 -05:00			`frontend matrix-federation`
Fix v4v6 option in HAProxy example config (#4790) The v4v6 option only has a usage one ipv6 socket: https://serverfault.com/q/747895 Signed-off-by: Flakebi <flakebi@t-online.de> 2019-03-04 08:19:41 -05:00			`bind :::8448 v4v6 ssl crt /etc/ssl/haproxy/synapse.pem alpn h2,http/1.1`
Added HAProxy example (#4660) * Added HAProxy example Proposal of an example with HAProxy. Asked by #4541. Signed-off-by: Benoît S. (“Benpro”) <gitlab@benpro.fr> * Following suggestions of @richvdh 2019-02-21 12:44:10 -05:00			`default_backend matrix`
Fix v4v6 option in HAProxy example config (#4790) The v4v6 option only has a usage one ipv6 socket: https://serverfault.com/q/747895 Signed-off-by: Flakebi <flakebi@t-online.de> 2019-03-04 08:19:41 -05:00
Added HAProxy example (#4660) * Added HAProxy example Proposal of an example with HAProxy. Asked by #4541. Signed-off-by: Benoît S. (“Benpro”) <gitlab@benpro.fr> * Following suggestions of @richvdh 2019-02-21 12:44:10 -05:00			`backend matrix`
			`server matrix 127.0.0.1:8008`

Clarifications for reverse proxy docs (#4607) Factor out the reverse proxy info to a separate file, add some more info on reverse-proxying the federation port. 2019-02-11 06:44:28 -05:00			You will also want to set ``bind_addresses: ['127.0.0.1']`` and ``x_forwarded: true``
			for port 8008 in ``homeserver.yaml`` to ensure that client IP addresses are
			`recorded correctly.`

			Having done so, you can then use ``https://matrix.example.com`` (instead of
			``https://matrix.example.com:8448``) as the "Custom server" when connecting to
			`Synapse from a client.`