author: Andrew Morgan <andrew@amorgan.xyz> 2019-02-05 15:29:42 +0000
committer: Andrew Morgan <andrew@amorgan.xyz> 2019-02-05 15:33:23 +0000
commit: 08b26afeee7b7db8c9d511cb63244927cf48ba9d
tree: cab1fa9eef5b115dfc2ded50af30d45c59159069 /README.rst
parent: Don't imply self-signed certs are required
Move ACME docs to docs/ACME.rst and link from UPGRADE.
Diffstat (limited to 'README.rst')
-rw-r--r-- README.rst 69
1 files changed, 0 insertions, 69 deletions
diff --git a/README.rst b/README.rst
index 9e3d85de4c..829de0864c 100644
--- a/README.rst
+++ b/README.rst
@@ -225,75 +225,6 @@ If you would like to use your own certificates, you can do so by changing
 alternatively, you can use a reverse-proxy. Apart from port 8448 using TLS,
 both ports are the same in the default configuration.
 
-
-ACME setup
-----------
-
-Synapse v1.0 will require valid TLS certificates for communication between servers
-(port ``8448`` by default) in addition to those that are client-facing (port
-``443``). In the case that your `server_name` config variable is the same as
-the hostname that the client connects to, then the same certificate can be
-used between client and federation ports without issue. Synapse v0.99.0+
-**will provision server-to-server certificates automatically for you for
-free** through `Let's Encrypt
-<https://letsencrypt.org/>`_ if you tell it to.
-
-In order for Synapse to complete the ACME challenge to provision a
-certificate, it needs access to port 80. Typically listening on port 80 is
-only granted to applications running as root. There are thus two solutions to
-this problem.
-
-**Using a reverse proxy**
-
-A reverse proxy such as Apache or nginx allows a single process (the web
-server) to listen on port 80 and proxy traffic to the appropriate program
-running on your server. It is the recommended method for setting up ACME as
-it allows you to use your existing webserver while also allowing Synapse to
-provision certificates as needed.
-
-For nginx users, add the following line to your existing ``server`` block::
-
-    location /.well-known/acme-challenge {
-        proxy_pass http://localhost:8009/;
-    }
-
-For Apache, add the following to your existing webserver config::
-
-    ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge
-
-Make sure to restart/reload your webserver after making changes.
-
-
-**Authbind**
-
-``authbind`` allows a program which does not run as root to bind to
-low-numbered ports in a controlled way. The setup is simpler, but requires a
-webserver not to already be running on port 80. **This includes every time
-Synapse renews a certificate**, which may be cumbersome if you usually run a
-web server on port 80. Nevertheless, if you're sure port 80 is not being used
-for any other purpose then all that is necessary is the following:
-
-Install ``authbind``. For example, on Debian/Ubuntu::
-
-    sudo apt-get install authbind
-
-Allow ``authbind`` to bind port 80::
-
-    sudo touch /etc/authbind/byport/80
-    sudo chmod 777 /etc/authbind/byport/80
-
-When Synapse is started, use the following syntax::
-
-    authbind --deep <synapse start command>
-
-Finally, once Synapse's is able to listen on port 80 for ACME challenge
-requests, it must be told to perform ACME provisioning by setting ``enabled``
-to true under the ``acme`` section in ``homeserver.yaml``::
-
-    acme:
-        enabled: true
-
-
 Registering a user
 ------------------
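Review bot: The removed authbind steps include ``sudo chmod 777 /etc/authbind/byport/80``, which lets every local account bind port 80, since authbind authorises any user who can execute that file; if this text is carried into docs/ACME.rst unchanged, restrict the file to the account that runs Synapse instead (for example, chown it to that user and use mode 500). The same pass is a chance to fix "once Synapse's is able to listen" and to check that the nginx snippet forwards the same path as the Apache one: with ``proxy_pass http://localhost:8009/;`` the matched ``/.well-known/acme-challenge`` prefix is replaced by ``/``, whereas the Apache line keeps the full path. The hunk also leaves README.rst with no pointer to the new location (0 insertions), so a one-line link to docs/ACME.rst in the TLS section would help readers who start from the README.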