From a340a442da1d90f29b280a142ba6fb2eaac506f8 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Tue, 23 Dec 2025 14:47:05 -0500
Subject: [PATCH] nginx: add matrix socket for synapse admin API

The admin API needs to be used through nginx now in order to direct the requests to the correct workers.
---
 nginx/nginx.conf | 40 ++++++++++++++++++++++++++++++++++++++--
 1 file changed, 38 insertions(+), 2 deletions(-)

diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index fc04a0f..c7148c6 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -152,6 +152,7 @@ http {
 server {
 listen 443 ssl;
 listen [::]:443 ssl;
+ listen unix:/run/nginx/matrix.sock;
 http2 on;
 server_name matrix.grapheneos.org;
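Review bot: The new `listen unix:/run/nginx/matrix.sock;` carries no access control of its own — nginx chmods a UNIX-domain listening socket to 0666 right after binding it (ngx_open_listening_sockets) — so the mode of the `/run/nginx` directory is the only thing deciding which local processes can reach the `allow unix:` admin location added later in this patch. Whatever creates `/run/nginx` (presumably a tmpfiles entry or service unit outside this diff) must keep it non-world-accessible, and that dependency is worth recording next to the directive: `# admin API reachability is gated by the mode of /run/nginx, not by nginx itself`. The server block continues outside the hunk.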
@@ -194,7 +195,7 @@ http { proxy_pass http://synapse-sync; } - location ~ ^/_matrix/client/(?:api/v1|r0|v3|unstable)/createRoom$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/publicRooms$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/joined_members$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/context/.*$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/members$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/state$|^/_matrix/client/v1/rooms/.*/hierarchy$|^/_matrix/client/(?:v1|unstable)/rooms/.*/relations/|^/_matrix/client/v1/rooms/.*/threads$|^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$|^/_matrix/client/unstable/im.nheko.summary/summary/.*$|^/_matrix/client/(?:r0|v3|unstable)/account/3pid$|^/_matrix/client/(?:r0|v3|unstable)/account/whoami$|^/_matrix/client/(?:r0|v3|unstable)/account/deactivate$|^/_matrix/client/(?:r0|v3)/delete_devices$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/devices(?:/|$)|^/_matrix/client/versions$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/voip/turnServer$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/event/|^/_matrix/client/(?:api/v1|r0|v3|unstable)/joined_rooms$|^/_matrix/client/v1/rooms/.*/timestamp_to_event$|^/_matrix/client/(?:api/v1|r0|v3|unstable/.*)/rooms/.*/aliases|^/_matrix/client/(?:api/v1|r0|v3|unstable)/search$|^/_matrix/client/(?:r0|v3|unstable)/user/.*/filter(?:/|$)|^/_matrix/client/(?:api/v1|r0|v3|unstable)/directory/room/.*$|^/_matrix/client/(?:r0|v3|unstable)/capabilities$|^/_matrix/client/(?:r0|v3|unstable)/notifications$|^/_synapse/admin/v1/rooms/[^/]+$|^/_matrix/client/(?:r0|v3|unstable)/keys/query$|^/_matrix/client/(?:r0|v3|unstable)/keys/changes$|^/_matrix/client/(?:r0|v3|unstable)/keys/claim$|^/_matrix/client/(?:r0|v3|unstable)/room_keys/|^/_matrix/client/(?:r0|v3|unstable)/keys/upload|^/_matrix/client/(?:api/v1|r0|v3|unstable)/keys/device_signing/upload$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/keys/signatures/upload$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/login$|^/_matri
x/client/(?:r0|v3|unstable)/register$|^/_matrix/client/(?:r0|v3|unstable)/register/available$|^/_matrix/client/v1/register/m.login.registration_token/validity$|^/_matrix/client/(?:r0|v3|unstable)/password_policy$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/redact|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/send|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/state/|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/(?:join|invite|leave|ban|unban|kick)$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/join/|^/_matrix/client/(?:api/v1|r0|v3|unstable)/knock/|^/_matrix/client/(?:api/v1|r0|v3|unstable)/profile/|^/_matrix/client/(?:r0|v3|unstable)/user_directory/search$|^/_matrix/client/unstable/org.matrix.msc4140/delayed_events(?:/.*/restart)?$|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/messages$ { + location ~ ^/_matrix/client/(?:api/v1|r0|v3|unstable)/createRoom$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/publicRooms$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/joined_members$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/context/.*$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/members$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/state$|^/_matrix/client/v1/rooms/.*/hierarchy$|^/_matrix/client/(?:v1|unstable)/rooms/.*/relations/|^/_matrix/client/v1/rooms/.*/threads$|^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$|^/_matrix/client/unstable/im.nheko.summary/summary/.*$|^/_matrix/client/(?:r0|v3|unstable)/account/3pid$|^/_matrix/client/(?:r0|v3|unstable)/account/whoami$|^/_matrix/client/(?:r0|v3|unstable)/account/deactivate$|^/_matrix/client/(?:r0|v3)/delete_devices$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/devices(?:/|$)|^/_matrix/client/versions$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/voip/turnServer$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/event/|^/_matrix/client/(?:api/v1|r0|v3|unstable)/joined_rooms$|^/_matrix/client/v1/rooms/.*/timestamp_to_event$|^/_matrix/client/(?:api/v1|r0|v3|unstab
le/.*)/rooms/.*/aliases|^/_matrix/client/(?:api/v1|r0|v3|unstable)/search$|^/_matrix/client/(?:r0|v3|unstable)/user/.*/filter(?:/|$)|^/_matrix/client/(?:api/v1|r0|v3|unstable)/directory/room/.*$|^/_matrix/client/(?:r0|v3|unstable)/capabilities$|^/_matrix/client/(?:r0|v3|unstable)/notifications$|^/_matrix/client/(?:r0|v3|unstable)/keys/query$|^/_matrix/client/(?:r0|v3|unstable)/keys/changes$|^/_matrix/client/(?:r0|v3|unstable)/keys/claim$|^/_matrix/client/(?:r0|v3|unstable)/room_keys/|^/_matrix/client/(?:r0|v3|unstable)/keys/upload|^/_matrix/client/(?:api/v1|r0|v3|unstable)/keys/device_signing/upload$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/keys/signatures/upload$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/login$|^/_matrix/client/(?:r0|v3|unstable)/register$|^/_matrix/client/(?:r0|v3|unstable)/register/available$|^/_matrix/client/v1/register/m.login.registration_token/validity$|^/_matrix/client/(?:r0|v3|unstable)/password_policy$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/redact|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/send|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/state/|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/(?:join|invite|leave|ban|unban|kick)$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/join/|^/_matrix/client/(?:api/v1|r0|v3|unstable)/knock/|^/_matrix/client/(?:api/v1|r0|v3|unstable)/profile/|^/_matrix/client/(?:r0|v3|unstable)/user_directory/search$|^/_matrix/client/unstable/org.matrix.msc4140/delayed_events(?:/.*/restart)?$|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/messages$ { proxy_pass http://synapse-client_reader; } 
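Review bot: The last alternative of the rewritten `location ~` regex, `(api/v1|r0|v3|unstable)/rooms/.*/messages$`, is the only capturing group in the pattern; every other version group uses `(?:…)`, and the patch only drops the `_synapse/admin` alternative without touching it. For consistency (and to avoid allocating an unused capture on every client request) change it to `^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/messages$`. The enclosing server block starts and ends outside the hunk.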
@@ -202,7 +203,7 @@ http {
 proxy_pass http://synapse-federation_reader;
 }
- location ~ ^/_matrix/media/|^/_matrix/client/v1/media/|^/_matrix/federation/v1/media/|^/_synapse/admin/v1/purge_media_cache$|^/_synapse/admin/v1/room/.*/media.*$|^/_synapse/admin/v1/user/.*/media.*$|^/_synapse/admin/v1/media/.*$|^/_synapse/admin/v1/quarantine_media/.*$|^/_synapse/admin/v1/users/.*/media$ {
+ location ~ ^/_matrix/media/|^/_matrix/client/v1/media/|^/_matrix/federation/v1/media/ {
 proxy_pass http://synapse-media_repository;
 }
@@ -211,6 +212,41 @@ http {
 }
 }
+ location /_synapse/admin/ {
+ allow unix:;
+ deny all;
+
+ # remove security headers that are statically set to the strictest possible values below
+ proxy_hide_header Referrer-Policy;
+ proxy_hide_header X-Frame-Options;
+
+ include snippets/security-headers.conf;
+ add_header Content-Security-Policy "font-src 'none'; manifest-src 'none'; object-src 'none'; script-src 'none'; style-src 'none'; frame-ancestors 'none'" always;
+ # obsolete and replaced with Content-Security-Policy frame-ancestors 'none'
+ add_header X-Frame-Options "DENY" always;
+ add_header X-Robots-Tag "none" always;
+
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host;
+ proxy_connect_timeout 5s;
+ proxy_send_timeout 15s;
+ proxy_read_timeout 600s;
+
+ client_max_body_size 100m;
+ client_body_buffer_size 16k;
+
+ proxy_pass http://synapse-main;
+
+ location ~ ^/_synapse/admin/v1/rooms/[^/]+$ {
+ proxy_pass http://synapse-client_reader;
+ }
+
+ location ~ ^/_synapse/admin/v1/purge_media_cache$|^/_synapse/admin/v1/room/.*/media.*$|^/_synapse/admin/v1/user/.*/media.*$|^/_synapse/admin/v1/media/.*$|^/_synapse/admin/v1/quarantine_media/.*$|^/_synapse/admin/v1/users/.*/media$ {
+ proxy_pass http://synapse-media_repository;
+ }
+ }
+
 location / {
 return 404;
 }
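Review bot: `allow unix:;` in the new `/_synapse/admin/` location admits connections from every UNIX-domain listener of this server block, not specifically `/run/nginx/matrix.sock`, so any further `listen unix:` added to the `matrix.grapheneos.org` server would silently gain admin-API access; a comment on that line prevents the surprise, e.g. `# unix: matches all UNIX-domain listeners in this server, not just matrix.sock`. Separately, on a connection accepted over the socket `$remote_addr` is the literal `unix:` and `$scheme` is `http`, so the `X-Forwarded-For` and `X-Forwarded-Proto` headers set here carry no client IP and report plain HTTP; whether Synapse's admin handlers tolerate those values (request logging, any IP-based checks) should be confirmed against the deployed Synapse version. The enclosing server block starts outside the hunk.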