Clarifications for reverse proxy docs (#4607)

Factor out the reverse proxy info to a separate file, add some more info on
reverse-proxying the federation port.
This commit is contained in:
Richard van der Hoff 2019-02-11 11:44:28 +00:00 committed by GitHub
parent 6e2a5aa050
commit c475275926
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 117 additions and 62 deletions

View File

@ -359,8 +359,9 @@ Synapse v1.0. Instructions for having Synapse automatically provision and renew
If you would like to use your own certificates, you can do so by changing If you would like to use your own certificates, you can do so by changing
`tls_certificate_path` and `tls_private_key_path` in `homeserver.yaml`; `tls_certificate_path` and `tls_private_key_path` in `homeserver.yaml`;
alternatively, you can use a reverse-proxy. Apart from port 8448 using TLS, alternatively, you can use a reverse proxy. See
both ports are the same in the default configuration. [docs/reverse_proxy.rst](docs/reverse_proxy.rst) for information on configuring
a reverse proxy.
## Registering a user ## Registering a user

View File

@ -263,6 +263,8 @@ So, things to check are:
(it should be ``_matrix._tcp.<server_name>``), and that the port and hostname (it should be ``_matrix._tcp.<server_name>``), and that the port and hostname
it specifies are reachable from outside your network. it specifies are reachable from outside your network.
.. TODO: add a note about forgetting ``nocanon`` on a reverse-proxy config
Running a Demo Federation of Synapses Running a Demo Federation of Synapses
------------------------------------- -------------------------------------
@ -290,7 +292,6 @@ The advantages of Postgres include:
For information on how to install and use PostgreSQL, please see For information on how to install and use PostgreSQL, please see
`docs/postgres.rst <docs/postgres.rst>`_. `docs/postgres.rst <docs/postgres.rst>`_.
.. _reverse-proxy: .. _reverse-proxy:
Using a reverse proxy with Synapse Using a reverse proxy with Synapse
@ -304,54 +305,7 @@ It is recommended to put a reverse proxy such as
doing so is that it means that you can expose the default https port (443) to doing so is that it means that you can expose the default https port (443) to
Matrix clients without needing to run Synapse with root privileges. Matrix clients without needing to run Synapse with root privileges.
The most important thing to know here is that Matrix clients and other Matrix For information on configuring one, see `<docs/reverse_proxy.rst>`_.
servers do not necessarily need to connect to your server via the same
port. Indeed, clients will use port 443 by default, whereas servers default to
port 8448. Where these are different, we refer to the 'client port' and the
'federation port'.
All Matrix endpoints begin with ``/_matrix``, so an example nginx
configuration for forwarding client connections to Synapse might look like::
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name matrix.example.com;
location /_matrix {
proxy_pass http://localhost:8008;
proxy_set_header X-Forwarded-For $remote_addr;
}
}
an example Caddy configuration might look like::
matrix.example.com {
proxy /_matrix http://localhost:8008 {
transparent
}
}
and an example Apache configuration might look like::
<VirtualHost *:443>
SSLEngine on
ServerName matrix.example.com;
<Location /_matrix>
ProxyPass http://127.0.0.1:8008/_matrix nocanon
ProxyPassReverse http://127.0.0.1:8008/_matrix
</Location>
</VirtualHost>
You will also want to set ``bind_addresses: ['127.0.0.1']`` and ``x_forwarded: true``
for port 8008 in ``homeserver.yaml`` to ensure that client IP addresses are
recorded correctly.
Having done so, you can then use ``https://matrix.example.com`` (instead of
``https://matrix.example.com:8448``) as the "Custom server" when `Connecting to
Synapse from a client`_.
Identity Servers Identity Servers
================ ================

1
changelog.d/4607.misc Normal file
View File

@ -0,0 +1 @@
Clarifications for reverse proxy docs

View File

@ -42,9 +42,9 @@ imminent Matrix 1.0 release, you can also see our
* It used to work just fine, why are you breaking everything? * It used to work just fine, why are you breaking everything?
* Can I manage my own certificates rather than having Synapse renew * Can I manage my own certificates rather than having Synapse renew
certificates itself? certificates itself?
* Do you still recommend against using a reverse-proxy on the federation port? * Do you still recommend against using a reverse proxy on the federation port?
* Do I still need to give my TLS certificates to Synapse if I am using a * Do I still need to give my TLS certificates to Synapse if I am using a
reverse-proxy? reverse proxy?
* Do I need the same certificate for the client and federation port? * Do I need the same certificate for the client and federation port?
* How do I tell Synapse to reload my keys/certificates after I replace them? * How do I tell Synapse to reload my keys/certificates after I replace them?
@ -132,6 +132,9 @@ your domain, you can simply route all traffic through the reverse proxy by
updating the SRV record appropriately (or removing it, if the proxy listens on updating the SRV record appropriately (or removing it, if the proxy listens on
8448). 8448).
See [reverse_proxy.rst](reverse_proxy.rst) for information on setting up a
reverse proxy.
#### Option 3: add a .well-known file to delegate your matrix traffic #### Option 3: add a .well-known file to delegate your matrix traffic
This will allow you to keep Synapse on a separate domain, without having to This will allow you to keep Synapse on a separate domain, without having to
@ -297,17 +300,20 @@ attempt to obtain certificates from Let's Encrypt if you configure it to do
so.The only requirement is that there is a valid TLS cert present for so.The only requirement is that there is a valid TLS cert present for
federation end points. federation end points.
### Do you still recommend against using a reverse-proxy on the federation port? ### Do you still recommend against using a reverse proxy on the federation port?
We no longer actively recommend against using a reverse proxy. Many admins will We no longer actively recommend against using a reverse proxy. Many admins will
find it easier to direct federation traffic to a reverse-proxy and manage their find it easier to direct federation traffic to a reverse proxy and manage their
own TLS certificates, and this is a supported configuration. own TLS certificates, and this is a supported configuration.
See [reverse_proxy.rst](reverse_proxy.rst) for information on setting up a
reverse proxy.
### Do I still need to give my TLS certificates to Synapse if I am using a reverse proxy? ### Do I still need to give my TLS certificates to Synapse if I am using a reverse proxy?
Practically speaking, this is no longer necessary. Practically speaking, this is no longer necessary.
If you are using a reverse-proxy for all of your TLS traffic, then you can set If you are using a reverse proxy for all of your TLS traffic, then you can set
`no_tls: True`. In that case, the only reason Synapse needs the certificate is `no_tls: True`. In that case, the only reason Synapse needs the certificate is
to populate a legacy 'tls_fingerprints' field in the federation API. This is to populate a legacy 'tls_fingerprints' field in the federation API. This is
ignored by Synapse 0.99.0 and later, and the only time pre-0.99 Synapses will ignored by Synapse 0.99.0 and later, and the only time pre-0.99 Synapses will
@ -321,9 +327,9 @@ this, you can give it any TLS certificate at all. This will be fixed soon.
### Do I need the same certificate for the client and federation port? ### Do I need the same certificate for the client and federation port?
No. There is nothing stopping you doing so, particularly if you are using a No. There is nothing stopping you from using different certificates,
reverse-proxy. However, Synapse will use the same certificate on any ports particularly if you are using a reverse proxy. However, Synapse will use the
where TLS is configured. same certificate on any ports where TLS is configured.
### How do I tell Synapse to reload my keys/certificates after I replace them? ### How do I tell Synapse to reload my keys/certificates after I replace them?

94
docs/reverse_proxy.rst Normal file
View File

@ -0,0 +1,94 @@
Using a reverse proxy with Synapse
==================================
It is recommended to put a reverse proxy such as
`nginx <https://nginx.org/en/docs/http/ngx_http_proxy_module.html>`_,
`Apache <https://httpd.apache.org/docs/current/mod/mod_proxy_http.html>`_,
`Caddy <https://caddyserver.com/docs/proxy>`_ or
`HAProxy <https://www.haproxy.org/>`_ in front of Synapse. One advantage of
doing so is that it means that you can expose the default https port (443) to
Matrix clients without needing to run Synapse with root privileges.
**NOTE**: Your reverse proxy must not 'canonicalise' or 'normalise' the
requested URI in any way (for example, by decoding ``%xx`` escapes). Beware
that Apache *will* canonicalise URIs unless you specifify ``nocanon``.
When setting up a reverse proxy, remember that Matrix clients and other Matrix
servers do not necessarily need to connect to your server via the same server
name or port. Indeed, clients will use port 443 by default, whereas servers
default to port 8448. Where these are different, we refer to the 'client port'
and the 'federation port'. See `Setting up federation
<../README.rst#setting-up-federation>`_ for more details of the algorithm used for
federation connections.
Let's assume that we expect clients to connect to our server at
``https://matrix.example.com``, and other servers to connect at
``https://example.com:8448``. Here are some example configurations:
* nginx::
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name matrix.example.com;
location /_matrix {
proxy_pass http://localhost:8008;
proxy_set_header X-Forwarded-For $remote_addr;
}
}
server {
listen 8448 ssl default_server;
listen [::]:8448 ssl default_server;
server_name example.com;
location / {
proxy_pass http://localhost:8008;
proxy_set_header X-Forwarded-For $remote_addr;
}
}
* Caddy::
matrix.example.com {
proxy /_matrix http://localhost:8008 {
transparent
}
}
example.com:8448 {
proxy / http://localhost:8008 {
transparent
}
}
* Apache (note the ``nocanon`` options here!)::
<VirtualHost *:443>
SSLEngine on
ServerName matrix.example.com;
<Location /_matrix>
ProxyPass http://127.0.0.1:8008/_matrix nocanon
ProxyPassReverse http://127.0.0.1:8008/_matrix
</Location>
</VirtualHost>
<VirtualHost *:8448>
SSLEngine on
ServerName example.com;
<Location />
ProxyPass http://127.0.0.1:8008/_matrix nocanon
ProxyPassReverse http://127.0.0.1:8008/_matrix
</Location>
</VirtualHost>
You will also want to set ``bind_addresses: ['127.0.0.1']`` and ``x_forwarded: true``
for port 8008 in ``homeserver.yaml`` to ensure that client IP addresses are
recorded correctly.
Having done so, you can then use ``https://matrix.example.com`` (instead of
``https://matrix.example.com:8448``) as the "Custom server" when connecting to
Synapse from a client.

View File

@ -26,9 +26,8 @@ Configuration
To make effective use of the workers, you will need to configure an HTTP To make effective use of the workers, you will need to configure an HTTP
reverse-proxy such as nginx or haproxy, which will direct incoming requests to reverse-proxy such as nginx or haproxy, which will direct incoming requests to
the correct worker, or to the main synapse instance. Note that this includes the correct worker, or to the main synapse instance. Note that this includes
requests made to the federation port. The caveats regarding running a requests made to the federation port. See `<reverse_proxy.rst>`_ for
reverse-proxy on the federation port still apply (see information on setting up a reverse proxy.
https://github.com/matrix-org/synapse/blob/master/README.rst#reverse-proxying-the-federation-port).
To enable workers, you need to add two replication listeners to the master To enable workers, you need to add two replication listeners to the master
synapse, e.g.:: synapse, e.g.::