mirror of
https://mau.dev/maunium/synapse.git
synced 2024-10-01 01:36:05 -04:00
Merge pull request #6940 from matrix-org/babolivier/federate.md
Clean up and update federation docs
This commit is contained in:
commit
bbe39f808c
1
changelog.d/6940.doc
Normal file
1
changelog.d/6940.doc
Normal file
@ -0,0 +1 @@
|
|||||||
|
Clean up and update docs on setting up federation.
|
94
docs/delegate.md
Normal file
94
docs/delegate.md
Normal file
@ -0,0 +1,94 @@
|
|||||||
|
# Delegation
|
||||||
|
|
||||||
|
By default, other homeservers will expect to be able to reach yours via
|
||||||
|
your `server_name`, on port 8448. For example, if you set your `server_name`
|
||||||
|
to `example.com` (so that your user names look like `@user:example.com`),
|
||||||
|
other servers will try to connect to yours at `https://example.com:8448/`.
|
||||||
|
|
||||||
|
Delegation is a Matrix feature allowing a homeserver admin to retain a
|
||||||
|
`server_name` of `example.com` so that user IDs, room aliases, etc continue
|
||||||
|
to look like `*:example.com`, whilst having federation traffic routed
|
||||||
|
to a different server and/or port (e.g. `synapse.example.com:443`).
|
||||||
|
|
||||||
|
## .well-known delegation
|
||||||
|
|
||||||
|
To use this method, you need to be able to alter the
|
||||||
|
`server_name` 's https server to serve the `/.well-known/matrix/server`
|
||||||
|
URL. Having an active server (with a valid TLS certificate) serving your
|
||||||
|
`server_name` domain is out of the scope of this documentation.
|
||||||
|
|
||||||
|
The URL `https://<server_name>/.well-known/matrix/server` should
|
||||||
|
return a JSON structure containing the key `m.server` like so:
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
"m.server": "<synapse.server.name>[:<yourport>]"
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
In our example, this would mean that URL `https://example.com/.well-known/matrix/server`
|
||||||
|
should return:
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
"m.server": "synapse.example.com:443"
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
Note, specifying a port is optional. If no port is specified, then it defaults
|
||||||
|
to 8448.
|
||||||
|
|
||||||
|
With .well-known delegation, federating servers will check for a valid TLS
|
||||||
|
certificate for the delegated hostname (in our example: `synapse.example.com`).
|
||||||
|
|
||||||
|
## SRV DNS record delegation
|
||||||
|
|
||||||
|
It is also possible to do delegation using a SRV DNS record. However, that is
|
||||||
|
considered an advanced topic since it's a bit complex to set up, and `.well-known`
|
||||||
|
delegation is already enough in most cases.
|
||||||
|
|
||||||
|
However, if you really need it, you can find some documentation on how such a
|
||||||
|
record should look like and how Synapse will use it in [the Matrix
|
||||||
|
specification](https://matrix.org/docs/spec/server_server/latest#resolving-server-names).
|
||||||
|
|
||||||
|
## Delegation FAQ
|
||||||
|
|
||||||
|
### When do I need delegation?
|
||||||
|
|
||||||
|
If your homeserver's APIs are accessible on the default federation port (8448)
|
||||||
|
and the domain your `server_name` points to, you do not need any delegation.
|
||||||
|
|
||||||
|
For instance, if you registered `example.com` and pointed its DNS A record at a
|
||||||
|
fresh server, you could install Synapse on that host, giving it a `server_name`
|
||||||
|
of `example.com`, and once a reverse proxy has been set up to proxy all requests
|
||||||
|
sent to the port `8448` and serve TLS certificates for `example.com`, you
|
||||||
|
wouldn't need any delegation set up.
|
||||||
|
|
||||||
|
**However**, if your homeserver's APIs aren't accessible on port 8448 and on the
|
||||||
|
domain `server_name` points to, you will need to let other servers know how to
|
||||||
|
find it using delegation.
|
||||||
|
|
||||||
|
### Do you still recommend against using a reverse proxy on the federation port?
|
||||||
|
|
||||||
|
We no longer actively recommend against using a reverse proxy. Many admins will
|
||||||
|
find it easier to direct federation traffic to a reverse proxy and manage their
|
||||||
|
own TLS certificates, and this is a supported configuration.
|
||||||
|
|
||||||
|
See [reverse_proxy.md](reverse_proxy.md) for information on setting up a
|
||||||
|
reverse proxy.
|
||||||
|
|
||||||
|
### Do I still need to give my TLS certificates to Synapse if I am using a reverse proxy?
|
||||||
|
|
||||||
|
This is no longer necessary. If you are using a reverse proxy for all of your
|
||||||
|
TLS traffic, then you can set `no_tls: True` in the Synapse config.
|
||||||
|
|
||||||
|
In that case, the only reason Synapse needs the certificate is to populate a legacy
|
||||||
|
`tls_fingerprints` field in the federation API. This is ignored by Synapse 0.99.0
|
||||||
|
and later, and the only time pre-0.99 Synapses will check it is when attempting to
|
||||||
|
fetch the server keys - and generally this is delegated via `matrix.org`, which
|
||||||
|
is running a modern version of Synapse.
|
||||||
|
|
||||||
|
### Do I need the same certificate for the client and federation port?
|
||||||
|
|
||||||
|
No. There is nothing stopping you from using different certificates,
|
||||||
|
particularly if you are using a reverse proxy.
|
178
docs/federate.md
178
docs/federate.md
@ -1,163 +1,41 @@
|
|||||||
Setting up Federation
|
Setting up federation
|
||||||
=====================
|
=====================
|
||||||
|
|
||||||
Federation is the process by which users on different servers can participate
|
Federation is the process by which users on different servers can participate
|
||||||
in the same room. For this to work, those other servers must be able to contact
|
in the same room. For this to work, those other servers must be able to contact
|
||||||
yours to send messages.
|
yours to send messages.
|
||||||
|
|
||||||
The ``server_name`` configured in the Synapse configuration file (often
|
The `server_name` configured in the Synapse configuration file (often
|
||||||
``homeserver.yaml``) defines how resources (users, rooms, etc.) will be
|
`homeserver.yaml`) defines how resources (users, rooms, etc.) will be
|
||||||
identified (eg: ``@user:example.com``, ``#room:example.com``). By
|
identified (eg: `@user:example.com`, `#room:example.com`). By default,
|
||||||
default, it is also the domain that other servers will use to
|
it is also the domain that other servers will use to try to reach your
|
||||||
try to reach your server (via port 8448). This is easy to set
|
server (via port 8448). This is easy to set up and will work provided
|
||||||
up and will work provided you set the ``server_name`` to match your
|
you set the `server_name` to match your machine's public DNS hostname.
|
||||||
machine's public DNS hostname, and provide Synapse with a TLS certificate
|
|
||||||
which is valid for your ``server_name``.
|
For this default configuration to work, you will need to listen for TLS
|
||||||
|
connections on port 8448. The preferred way to do that is by using a
|
||||||
|
reverse proxy: see [reverse_proxy.md](<reverse_proxy.md>) for instructions
|
||||||
|
on how to correctly set one up.
|
||||||
|
|
||||||
|
In some cases you might not want to run Synapse on the machine that has
|
||||||
|
the `server_name` as its public DNS hostname, or you might want federation
|
||||||
|
traffic to use a different port than 8448. For example, you might want to
|
||||||
|
have your user names look like `@user:example.com`, but you want to run
|
||||||
|
Synapse on `synapse.example.com` on port 443. This can be done using
|
||||||
|
delegation, which allows an admin to control where federation traffic should
|
||||||
|
be sent. See [delegate.md](delegate.md) for instructions on how to set this up.
|
||||||
|
|
||||||
Once federation has been configured, you should be able to join a room over
|
Once federation has been configured, you should be able to join a room over
|
||||||
federation. A good place to start is ``#synapse:matrix.org`` - a room for
|
federation. A good place to start is `#synapse:matrix.org` - a room for
|
||||||
Synapse admins.
|
Synapse admins.
|
||||||
|
|
||||||
|
|
||||||
## Delegation
|
|
||||||
|
|
||||||
For a more flexible configuration, you can have ``server_name``
|
|
||||||
resources (eg: ``@user:example.com``) served by a different host and
|
|
||||||
port (eg: ``synapse.example.com:443``). There are two ways to do this:
|
|
||||||
|
|
||||||
- adding a ``/.well-known/matrix/server`` URL served on ``https://example.com``.
|
|
||||||
- adding a DNS ``SRV`` record in the DNS zone of domain
|
|
||||||
``example.com``.
|
|
||||||
|
|
||||||
Without configuring delegation, the matrix federation will
|
|
||||||
expect to find your server via ``example.com:8448``. The following methods
|
|
||||||
allow you retain a `server_name` of `example.com` so that your user IDs, room
|
|
||||||
aliases, etc continue to look like `*:example.com`, whilst having your
|
|
||||||
federation traffic routed to a different server.
|
|
||||||
|
|
||||||
### .well-known delegation
|
|
||||||
|
|
||||||
To use this method, you need to be able to alter the
|
|
||||||
``server_name`` 's https server to serve the ``/.well-known/matrix/server``
|
|
||||||
URL. Having an active server (with a valid TLS certificate) serving your
|
|
||||||
``server_name`` domain is out of the scope of this documentation.
|
|
||||||
|
|
||||||
The URL ``https://<server_name>/.well-known/matrix/server`` should
|
|
||||||
return a JSON structure containing the key ``m.server`` like so:
|
|
||||||
|
|
||||||
{
|
|
||||||
"m.server": "<synapse.server.name>[:<yourport>]"
|
|
||||||
}
|
|
||||||
|
|
||||||
In our example, this would mean that URL ``https://example.com/.well-known/matrix/server``
|
|
||||||
should return:
|
|
||||||
|
|
||||||
{
|
|
||||||
"m.server": "synapse.example.com:443"
|
|
||||||
}
|
|
||||||
|
|
||||||
Note, specifying a port is optional. If a port is not specified an SRV lookup
|
|
||||||
is performed, as described below. If the target of the
|
|
||||||
delegation does not have an SRV record, then the port defaults to 8448.
|
|
||||||
|
|
||||||
Most installations will not need to configure .well-known. However, it can be
|
|
||||||
useful in cases where the admin is hosting on behalf of someone else and
|
|
||||||
therefore cannot gain access to the necessary certificate. With .well-known,
|
|
||||||
federation servers will check for a valid TLS certificate for the delegated
|
|
||||||
hostname (in our example: ``synapse.example.com``).
|
|
||||||
|
|
||||||
### DNS SRV delegation
|
|
||||||
|
|
||||||
To use this delegation method, you need to have write access to your
|
|
||||||
``server_name`` 's domain zone DNS records (in our example it would be
|
|
||||||
``example.com`` DNS zone).
|
|
||||||
|
|
||||||
This method requires the target server to provide a
|
|
||||||
valid TLS certificate for the original ``server_name``.
|
|
||||||
|
|
||||||
You need to add a SRV record in your ``server_name`` 's DNS zone with
|
|
||||||
this format:
|
|
||||||
|
|
||||||
_matrix._tcp.<yourdomain.com> <ttl> IN SRV <priority> <weight> <port> <synapse.server.name>
|
|
||||||
|
|
||||||
In our example, we would need to add this SRV record in the
|
|
||||||
``example.com`` DNS zone:
|
|
||||||
|
|
||||||
_matrix._tcp.example.com. 3600 IN SRV 10 5 443 synapse.example.com.
|
|
||||||
|
|
||||||
Once done and set up, you can check the DNS record with ``dig -t srv
|
|
||||||
_matrix._tcp.<server_name>``. In our example, we would expect this:
|
|
||||||
|
|
||||||
$ dig -t srv _matrix._tcp.example.com
|
|
||||||
_matrix._tcp.example.com. 3600 IN SRV 10 0 443 synapse.example.com.
|
|
||||||
|
|
||||||
Note that the target of a SRV record cannot be an alias (CNAME record): it has to point
|
|
||||||
directly to the server hosting the synapse instance.
|
|
||||||
|
|
||||||
### Delegation FAQ
|
|
||||||
#### When do I need a SRV record or .well-known URI?
|
|
||||||
|
|
||||||
If your homeserver listens on the default federation port (8448), and your
|
|
||||||
`server_name` points to the host that your homeserver runs on, you do not need an SRV
|
|
||||||
record or `.well-known/matrix/server` URI.
|
|
||||||
|
|
||||||
For instance, if you registered `example.com` and pointed its DNS A record at a
|
|
||||||
fresh server, you could install Synapse on that host,
|
|
||||||
giving it a `server_name` of `example.com`, and once [ACME](acme.md) support is enabled,
|
|
||||||
it would automatically generate a valid TLS certificate for you via Let's Encrypt
|
|
||||||
and no SRV record or .well-known URI would be needed.
|
|
||||||
|
|
||||||
**However**, if your server does not listen on port 8448, or if your `server_name`
|
|
||||||
does not point to the host that your homeserver runs on, you will need to let
|
|
||||||
other servers know how to find it. The way to do this is via .well-known or an
|
|
||||||
SRV record.
|
|
||||||
|
|
||||||
#### I have created a .well-known URI. Do I also need an SRV record?
|
|
||||||
|
|
||||||
No. You can use either `.well-known` delegation or use an SRV record for delegation. You
|
|
||||||
do not need to use both to delegate to the same location.
|
|
||||||
|
|
||||||
#### Can I manage my own certificates rather than having Synapse renew certificates itself?
|
|
||||||
|
|
||||||
Yes, you are welcome to manage your certificates yourself. Synapse will only
|
|
||||||
attempt to obtain certificates from Let's Encrypt if you configure it to do
|
|
||||||
so.The only requirement is that there is a valid TLS cert present for
|
|
||||||
federation end points.
|
|
||||||
|
|
||||||
#### Do you still recommend against using a reverse proxy on the federation port?
|
|
||||||
|
|
||||||
We no longer actively recommend against using a reverse proxy. Many admins will
|
|
||||||
find it easier to direct federation traffic to a reverse proxy and manage their
|
|
||||||
own TLS certificates, and this is a supported configuration.
|
|
||||||
|
|
||||||
See [reverse_proxy.md](reverse_proxy.md) for information on setting up a
|
|
||||||
reverse proxy.
|
|
||||||
|
|
||||||
#### Do I still need to give my TLS certificates to Synapse if I am using a reverse proxy?
|
|
||||||
|
|
||||||
Practically speaking, this is no longer necessary.
|
|
||||||
|
|
||||||
If you are using a reverse proxy for all of your TLS traffic, then you can set
|
|
||||||
`no_tls: True` in the Synapse config. In that case, the only reason Synapse
|
|
||||||
needs the certificate is to populate a legacy `tls_fingerprints` field in the
|
|
||||||
federation API. This is ignored by Synapse 0.99.0 and later, and the only time
|
|
||||||
pre-0.99 Synapses will check it is when attempting to fetch the server keys -
|
|
||||||
and generally this is delegated via `matrix.org`, which will be running a modern
|
|
||||||
version of Synapse.
|
|
||||||
|
|
||||||
#### Do I need the same certificate for the client and federation port?
|
|
||||||
|
|
||||||
No. There is nothing stopping you from using different certificates,
|
|
||||||
particularly if you are using a reverse proxy. However, Synapse will use the
|
|
||||||
same certificate on any ports where TLS is configured.
|
|
||||||
|
|
||||||
## Troubleshooting
|
## Troubleshooting
|
||||||
|
|
||||||
You can use the [federation tester](
|
You can use the [federation tester](https://matrix.org/federationtester)
|
||||||
<https://matrix.org/federationtester>) to check if your homeserver is
|
to check if your homeserver is configured correctly. Alternatively try the
|
||||||
configured correctly. Alternatively try the [JSON API used by the federation tester](https://matrix.org/federationtester/api/report?server_name=DOMAIN).
|
[JSON API used by the federation tester](https://matrix.org/federationtester/api/report?server_name=DOMAIN).
|
||||||
Note that you'll have to modify this URL to replace ``DOMAIN`` with your
|
Note that you'll have to modify this URL to replace `DOMAIN` with your
|
||||||
``server_name``. Hitting the API directly provides extra detail.
|
`server_name`. Hitting the API directly provides extra detail.
|
||||||
|
|
||||||
The typical failure mode for federation is that when the server tries to join
|
The typical failure mode for federation is that when the server tries to join
|
||||||
a room, it is rejected with "401: Unauthorized". Generally this means that other
|
a room, it is rejected with "401: Unauthorized". Generally this means that other
|
||||||
@ -169,8 +47,8 @@ you invite them to. This can be caused by an incorrectly-configured reverse
|
|||||||
proxy: see [reverse_proxy.md](<reverse_proxy.md>) for instructions on how to correctly
|
proxy: see [reverse_proxy.md](<reverse_proxy.md>) for instructions on how to correctly
|
||||||
configure a reverse proxy.
|
configure a reverse proxy.
|
||||||
|
|
||||||
## Running a Demo Federation of Synapses
|
## Running a demo federation of Synapses
|
||||||
|
|
||||||
If you want to get up and running quickly with a trio of homeservers in a
|
If you want to get up and running quickly with a trio of homeservers in a
|
||||||
private federation, there is a script in the ``demo`` directory. This is mainly
|
private federation, there is a script in the `demo` directory. This is mainly
|
||||||
useful just for development purposes. See [demo/README](<../demo/README>).
|
useful just for development purposes. See [demo/README](<../demo/README>).
|
||||||
|
@ -18,9 +18,10 @@ When setting up a reverse proxy, remember that Matrix clients and other
|
|||||||
Matrix servers do not necessarily need to connect to your server via the
|
Matrix servers do not necessarily need to connect to your server via the
|
||||||
same server name or port. Indeed, clients will use port 443 by default,
|
same server name or port. Indeed, clients will use port 443 by default,
|
||||||
whereas servers default to port 8448. Where these are different, we
|
whereas servers default to port 8448. Where these are different, we
|
||||||
refer to the 'client port' and the \'federation port\'. See [Setting
|
refer to the 'client port' and the \'federation port\'. See [the Matrix
|
||||||
up federation](federate.md) for more details of the algorithm used for
|
specification](https://matrix.org/docs/spec/server_server/latest#resolving-server-names)
|
||||||
federation connections.
|
for more details of the algorithm used for federation connections, and
|
||||||
|
[delegate.md](<delegate.md>) for instructions on setting up delegation.
|
||||||
|
|
||||||
Let's assume that we expect clients to connect to our server at
|
Let's assume that we expect clients to connect to our server at
|
||||||
`https://matrix.example.com`, and other servers to connect at
|
`https://matrix.example.com`, and other servers to connect at
|
||||||
|
Loading…
Reference in New Issue
Block a user