From e837be5b5cb43406bd124e3f27a2b7be1bd31aa8 Mon Sep 17 00:00:00 2001 From: Brendan Abolivier Date: Tue, 18 Feb 2020 13:53:46 +0000 Subject: Fix links in the reverse proxy doc --- docs/reverse_proxy.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'docs/reverse_proxy.md') diff --git a/docs/reverse_proxy.md b/docs/reverse_proxy.md index dcfc5c64aa..af6d73927a 100644 --- a/docs/reverse_proxy.md +++ b/docs/reverse_proxy.md @@ -18,9 +18,10 @@ When setting up a reverse proxy, remember that Matrix clients and other Matrix servers do not necessarily need to connect to your server via the same server name or port. Indeed, clients will use port 443 by default, whereas servers default to port 8448. Where these are different, we -refer to the 'client port' and the \'federation port\'. See [Setting -up federation](federate.md) for more details of the algorithm used for -federation connections. +refer to the 'client port' and the \'federation port\'. See [the Matrix +specification](https://matrix.org/docs/spec/server_server/latest#resolving-server-names) +for more details of the algorithm used for federation connections, and +[delegate.md]() for instructions on setting up delegation. Let's assume that we expect clients to connect to our server at `https://matrix.example.com`, and other servers to connect at -- cgit 1.5.1 From 4a0dadafbebdd4ff97627a4737f74096b92ff950 Mon Sep 17 00:00:00 2001 From: Ryan Hovland <18075290+ProCycleDev@users.noreply.github.com> Date: Mon, 13 Apr 2020 09:23:36 -0700 Subject: Add setting to nginx configuration to allow larger file uploads (#7251) --- changelog.d/7251.doc | 1 + docs/reverse_proxy.md | 3 +++ 2 files changed, 4 insertions(+) create mode 100644 changelog.d/7251.doc (limited to 'docs/reverse_proxy.md') diff --git a/changelog.d/7251.doc b/changelog.d/7251.doc new file mode 100644 index 0000000000..596a28e65d --- /dev/null +++ b/changelog.d/7251.doc 
@@ -0,0 +1 @@ +Modify suggested nginx reverse proxy configuration to match Synapse's default file upload size. Contributed by @ProCycleDev. diff --git a/docs/reverse_proxy.md b/docs/reverse_proxy.md index af6d73927a..c7222f73b9 100644 --- a/docs/reverse_proxy.md +++ b/docs/reverse_proxy.md @@ -42,6 +42,9 @@ the reverse proxy and the homeserver. location /_matrix { proxy_pass http://localhost:8008; proxy_set_header X-Forwarded-For $remote_addr; + # Nginx by default only allows file uploads up to 1M in size + # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml + client_max_body_size 10M; } } -- cgit 1.5.1 From 207b1737ee0acd226359d59ce3b7f7d46111b1c8 Mon Sep 17 00:00:00 2001 From: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> Date: Tue, 5 May 2020 11:29:29 +0100 Subject: Update reverse_proxy.md a couple of cleanups --- docs/reverse_proxy.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'docs/reverse_proxy.md') diff --git a/docs/reverse_proxy.md b/docs/reverse_proxy.md index af6d73927a..50f4a0f484 100644 --- a/docs/reverse_proxy.md +++ b/docs/reverse_proxy.md @@ -9,7 +9,7 @@ of doing so is that it means that you can expose the default https port (443) to Matrix clients without needing to run Synapse with root privileges. -> **NOTE**: Your reverse proxy must not `canonicalise` or `normalise` +**NOTE**: Your reverse proxy must not `canonicalise` or `normalise` the requested URI in any way (for example, by decoding `%xx` escapes). Beware that Apache *will* canonicalise URIs unless you specifify `nocanon`. 
@@ -18,7 +18,7 @@ When setting up a reverse proxy, remember that Matrix clients and other Matrix servers do not necessarily need to connect to your server via the same server name or port. Indeed, clients will use port 443 by default, whereas servers default to port 8448. Where these are different, we -refer to the 'client port' and the \'federation port\'. See [the Matrix +refer to the 'client port' and the 'federation port'. See [the Matrix specification](https://matrix.org/docs/spec/server_server/latest#resolving-server-names) for more details of the algorithm used for federation connections, and [delegate.md]() for instructions on setting up delegation. @@ -28,9 +28,9 @@ Let's assume that we expect clients to connect to our server at `https://example.com:8448`. The following sections detail the configuration of the reverse proxy and the homeserver. -## Webserver configuration examples +## Reverse-proxy configuration examples -> **NOTE**: You only need one of these. +**NOTE**: You only need one of these. ### nginx -- cgit 1.5.1 From 572b444dabc0f35f5d6fe6ebb0cfeb079a8fbf1f Mon Sep 17 00:00:00 2001 From: Jeff Peeler Date: Fri, 15 May 2020 09:36:01 -0400 Subject: Add Caddy 2 example (#7463) The specific headers that are passed using this new configuration format are Host and X-Forwarded-For, which should be all that's required. Note that for production another matcher should be added in the first section to properly handle the base_url lookup: reverse_proxy /.well-known/matrix/* http://localhost:8008 Signed-off-by: Jeff Peeler --- changelog.d/7463.doc | 1 + docs/reverse_proxy.md | 12 +++++++++++- 2 files changed, 12 insertions(+), 1 deletion(-) create mode 100644 changelog.d/7463.doc (limited to 'docs/reverse_proxy.md') diff --git a/changelog.d/7463.doc b/changelog.d/7463.doc new file mode 100644 index 0000000000..85e6354303 --- /dev/null +++ b/changelog.d/7463.doc @@ -0,0 +1 @@ +Add additional reverse proxy example for Caddy v2. Contributed by Jeff Peeler. 
diff --git a/docs/reverse_proxy.md b/docs/reverse_proxy.md index 7c300023c6..82bd5d1cdf 100644 --- a/docs/reverse_proxy.md +++ b/docs/reverse_proxy.md @@ -62,7 +62,7 @@ the reverse proxy and the homeserver. > **NOTE**: Do not add a `/` after the port in `proxy_pass`, otherwise nginx will canonicalise/normalise the URI. -### Caddy +### Caddy 1 matrix.example.com { proxy /_matrix http://localhost:8008 { @@ -76,6 +76,16 @@ canonicalise/normalise the URI. } } +### Caddy 2 + + matrix.example.com { + reverse_proxy /_matrix/* http://localhost:8008 + } + + example.com:8448 { + reverse_proxy http://localhost:8008 + } + ### Apache -- cgit 1.5.1 From 24d9151a085283104defd90010785919ec64d596 Mon Sep 17 00:00:00 2001 From: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> Date: Fri, 15 May 2020 15:13:39 +0100 Subject: Formatting for reverse-proxy docs (#7514) also a small clarification to nginx --- changelog.d/7514.doc | 1 + docs/reverse_proxy.md | 146 +++++++++++++++++++++++++++----------------------- 2 files changed, 79 insertions(+), 68 deletions(-) create mode 100644 changelog.d/7514.doc (limited to 'docs/reverse_proxy.md') diff --git a/changelog.d/7514.doc b/changelog.d/7514.doc new file mode 100644 index 0000000000..981168c7e8 --- /dev/null +++ b/changelog.d/7514.doc @@ -0,0 +1 @@ +Improve the formatting of `reverse_proxy.md`. diff --git a/docs/reverse_proxy.md b/docs/reverse_proxy.md index 82bd5d1cdf..cbb8269568 100644 --- a/docs/reverse_proxy.md +++ b/docs/reverse_proxy.md 
@@ -34,97 +34,107 @@ the reverse proxy and the homeserver. ### nginx - server { - listen 443 ssl; - listen [::]:443 ssl; - server_name matrix.example.com; - - location /_matrix { - proxy_pass http://localhost:8008; - proxy_set_header X-Forwarded-For $remote_addr; - # Nginx by default only allows file uploads up to 1M in size - # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml - client_max_body_size 10M; - } - } - - server { - listen 8448 ssl default_server; - listen [::]:8448 ssl default_server; - server_name example.com; - - location / { - proxy_pass http://localhost:8008; - proxy_set_header X-Forwarded-For $remote_addr; - } - } - -> **NOTE**: Do not add a `/` after the port in `proxy_pass`, otherwise nginx will +``` +server { + listen 443 ssl; + listen [::]:443 ssl; + server_name matrix.example.com; + + location /_matrix { + proxy_pass http://localhost:8008; + proxy_set_header X-Forwarded-For $remote_addr; + # Nginx by default only allows file uploads up to 1M in size + # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml + client_max_body_size 10M; + } +} + +server { + listen 8448 ssl default_server; + listen [::]:8448 ssl default_server; + server_name example.com; + + location / { + proxy_pass http://localhost:8008; + proxy_set_header X-Forwarded-For $remote_addr; + } +} +``` + +**NOTE**: Do not add a path after the port in `proxy_pass`, otherwise nginx will canonicalise/normalise the URI. 
### Caddy 1 - matrix.example.com { - proxy /_matrix http://localhost:8008 { - transparent - } - } +``` +matrix.example.com { + proxy /_matrix http://localhost:8008 { + transparent + } +} - example.com:8448 { - proxy / http://localhost:8008 { - transparent - } - } +example.com:8448 { + proxy / http://localhost:8008 { + transparent + } +} +``` ### Caddy 2 - matrix.example.com { - reverse_proxy /_matrix/* http://localhost:8008 - } +``` +matrix.example.com { + reverse_proxy /_matrix/* http://localhost:8008 +} - example.com:8448 { - reverse_proxy http://localhost:8008 - } +example.com:8448 { + reverse_proxy http://localhost:8008 +} +``` ### Apache - - SSLEngine on - ServerName matrix.example.com; +``` + + SSLEngine on + ServerName matrix.example.com; - AllowEncodedSlashes NoDecode - ProxyPass /_matrix http://127.0.0.1:8008/_matrix nocanon - ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix - + AllowEncodedSlashes NoDecode + ProxyPass /_matrix http://127.0.0.1:8008/_matrix nocanon + ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix + - - SSLEngine on - ServerName example.com; + + SSLEngine on + ServerName example.com; - AllowEncodedSlashes NoDecode - ProxyPass /_matrix http://127.0.0.1:8008/_matrix nocanon - ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix - + AllowEncodedSlashes NoDecode + ProxyPass /_matrix http://127.0.0.1:8008/_matrix nocanon + ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix + +``` -> **NOTE**: ensure the `nocanon` options are included. +**NOTE**: ensure the `nocanon` options are included. 
### HAProxy - frontend https - bind :::443 v4v6 ssl crt /etc/ssl/haproxy/ strict-sni alpn h2,http/1.1 +``` +frontend https + bind :::443 v4v6 ssl crt /etc/ssl/haproxy/ strict-sni alpn h2,http/1.1 - # Matrix client traffic - acl matrix-host hdr(host) -i matrix.example.com - acl matrix-path path_beg /_matrix + # Matrix client traffic + acl matrix-host hdr(host) -i matrix.example.com + acl matrix-path path_beg /_matrix - use_backend matrix if matrix-host matrix-path + use_backend matrix if matrix-host matrix-path - frontend matrix-federation - bind :::8448 v4v6 ssl crt /etc/ssl/haproxy/synapse.pem alpn h2,http/1.1 - default_backend matrix +frontend matrix-federation + bind :::8448 v4v6 ssl crt /etc/ssl/haproxy/synapse.pem alpn h2,http/1.1 + default_backend matrix - backend matrix - server matrix 127.0.0.1:8008 +backend matrix + server matrix 127.0.0.1:8008 +``` ## Homeserver Configuration -- cgit 1.5.1
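Review bot: In e837be5b ("Fix links in the reverse proxy doc"), hunk `@@ -18,9 +18,10 @@`, the added link `[delegate.md]()` has an empty target, so it renders as a link that goes nowhere. Give it a destination, for example `[delegate.md](delegate.md)`, in the same relative style as the `(federate.md)` link this hunk removes.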
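Review bot: In 4a0dadaf (#7251), hunk `@@ -42,6 +42,9 @@` of docs/reverse_proxy.md, `client_max_body_size 10M;` is hard-coded while the comment only says to "match" `max_upload_size`; state in the comment that this value has to be changed whenever `max_upload_size` in homeserver.yaml is changed, otherwise the two drift and the proxy either rejects uploads Synapse would accept or lets through bodies larger than Synapse will take. The directive is also added only under `location /_matrix` in the 443 server block; the 8448 server block shown elsewhere on this page keeps the 1M default, so the doc should say whether that is intended.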
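Review bot: In 207b1737 ("Update reverse_proxy.md"), hunk `@@ -9,7 +9,7 @@`, the context line right after the edited NOTE still reads "unless you specifify `nocanon`". Since this commit is a cleanup pass over that same paragraph, correct the typo to "specify" here rather than leaving it for a later change.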
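Review bot: In 572b444d (#7463), hunk `@@ -76,6 +76,16 @@`, the new Caddy 2 example omits the `/.well-known/matrix/*` matcher that the commit message itself says production setups need for the base_url lookup. That caveat disappears once the commit message is out of view, so either add `reverse_proxy /.well-known/matrix/* http://localhost:8008` to the `matrix.example.com` block or put a NOTE under the example. A sentence saying that this format passes Host and X-Forwarded-For without the `transparent` option used in the Caddy 1 block would also explain why the two examples differ.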
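Review bot: In 24d9151a (#7514), hunk `@@ -34,97 +34,107 @@`, the re-indented Apache block carries over `ServerName matrix.example.com;` and `ServerName example.com;` with a trailing semicolon. Apache directives are not semicolon-terminated (that is nginx syntax), so drop the `;` from both lines while the block is being touched, so that readers who copy the example do not end up with it as part of the server name.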