From 0fc4eb103a1587d861ae388c6b30bcc04851e70c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Leo=20B=C3=A4rring?= Date: Sat, 6 Mar 2021 12:49:19 +0100 Subject: [PATCH] Update reverse proxy to add OpenBSD relayd example configuration. (#9508) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Update reverse proxy to add OpenBSD relayd example configuration. Signed-off-by: Leo Bärring --- README.rst | 5 +++-- changelog.d/9508.doc | 1 + docs/reverse_proxy.md | 51 +++++++++++++++++++++++++++++++++++++++++-- 3 files changed, 53 insertions(+), 4 deletions(-) create mode 100644 changelog.d/9508.doc diff --git a/README.rst b/README.rst index d872b11f57..6a1e713590 100644 --- a/README.rst +++ b/README.rst @@ -183,8 +183,9 @@ Using a reverse proxy with Synapse It is recommended to put a reverse proxy such as `nginx `_, `Apache `_, -`Caddy `_ or -`HAProxy `_ in front of Synapse. One advantage of +`Caddy `_, +`HAProxy `_ or +`relayd `_ in front of Synapse. One advantage of doing so is that it means that you can expose the default https port (443) to Matrix clients without needing to run Synapse with root privileges. diff --git a/changelog.d/9508.doc b/changelog.d/9508.doc new file mode 100644 index 0000000000..a17a8faecf --- /dev/null +++ b/changelog.d/9508.doc @@ -0,0 +1 @@ +Add relayd entry to reverse proxy example configurations. diff --git a/docs/reverse_proxy.md b/docs/reverse_proxy.md index 81e5a68a36..860afd5a04 100644 --- a/docs/reverse_proxy.md +++ b/docs/reverse_proxy.md @@ -3,8 +3,9 @@ It is recommended to put a reverse proxy such as [nginx](https://nginx.org/en/docs/http/ngx_http_proxy_module.html), [Apache](https://httpd.apache.org/docs/current/mod/mod_proxy_http.html), -[Caddy](https://caddyserver.com/docs/quick-starts/reverse-proxy) or -[HAProxy](https://www.haproxy.org/) in front of Synapse. One advantage +[Caddy](https://caddyserver.com/docs/quick-starts/reverse-proxy), +[HAProxy](https://www.haproxy.org/) or +[relayd](https://man.openbsd.org/relayd.8) in front of Synapse. One advantage of doing so is that it means that you can expose the default https port (443) to Matrix clients without needing to run Synapse with root privileges. @@ -162,6 +163,52 @@ backend matrix server matrix 127.0.0.1:8008 ``` +### Relayd + +``` +table { 127.0.0.1 } +table { 127.0.0.1 } + +http protocol "https" { + tls { no tlsv1.0, ciphers "HIGH" } + tls keypair "example.com" + match header set "X-Forwarded-For" value "$REMOTE_ADDR" + match header set "X-Forwarded-Proto" value "https" + + # set CORS header for .well-known/matrix/server, .well-known/matrix/client + # httpd does not support setting headers, so do it here + match request path "/.well-known/matrix/*" tag "matrix-cors" + match response tagged "matrix-cors" header set "Access-Control-Allow-Origin" value "*" + + pass quick path "/_matrix/*" forward to + pass quick path "/_synapse/client/*" forward to + + # pass on non-matrix traffic to webserver + pass forward to +} + +relay "https_traffic" { + listen on egress port 443 tls + protocol "https" + forward to port 8008 check tcp + forward to port 8080 check tcp +} + +http protocol "matrix" { + tls { no tlsv1.0, ciphers "HIGH" } + tls keypair "example.com" + block + pass quick path "/_matrix/*" forward to + pass quick path "/_synapse/client/*" forward to +} + +relay "matrix_federation" { + listen on egress port 8448 tls + protocol "matrix" + forward to port 8008 check tcp +} +``` + ## Homeserver Configuration You will also want to set `bind_addresses: ['127.0.0.1']` and