summary refs log tree commit diff
path: root/docs/well-known.md
blob: b55cf40a0cf28751df2dcd2913023ab1e5c8d0a8 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
# Well-Known

The mapping for a server name to a hostname for federation is done via
`SRV` records. Synapse v1.0 mandates valid X.509 certificates for the
federation endpoint where the certificate must match the server name.

This presents difficulties for hosted server offerings: ExampleCorp
may want to delegate responsibility for running its Matrix homeserver to an
outside supplier, but it may be difficult for that supplier to obtain a TLS
certificate for `example.com` (and ExampleCorp may be reluctant to let them have
one).

`.well-known` solves this problem by augmenting the current `SRV` record
with a `.well-known` lookup.

## Configuring `.well-known`

 1. Give synapse a certificate corresponding to the target domain
    (`customer.example.com`). Currently Synapse's ACME
    support [does not support
    this](https://github.com/matrix-org/synapse/issues/4552), so you will have
    to acquire a certificate yourself and give it to Synapse via
    `tls_certificate_path` and `tls_private_key_path`.

 2. Restart Synapse to ensure the new certificate is loaded.

 3. Arrange for a `.well-known` file at
    `https://<server_name>/.well-known/matrix/server` with contents:

    ```json
    {"m.server": "<target server name>"}
    ```

    where the target server name is resolved as usual (i.e. SRV lookup, falling
    back to talking to port 8448).

    In the above `example.com` exmaple above, where synapse is listening on
    port 8000, `https://example.com/.well-known/matrix/server` should have
    `m.server` set to one of:

    1. `customer.example.com` ─ with a SRV record on
       `_matrix._tcp.customer.example.com` pointing to port 8000, or:

    2. `customer.example.com` ─ updating synapse to listen on the default port
       8448, or:

    3. `customer.example.com:8000` ─ ensuring that if there is a reverse proxy
       on `customer.example.com:8000` it correctly handles HTTP requests with
       Host header set to `customer.example.com:8000`.