From 43eff9e3104f990ae82dd600663b8709b6531db8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Leo=20B=C3=A4rring?= Date: Fri, 26 Feb 2021 21:34:41 +0100 Subject: [PATCH 1/7] added relayd proxy example MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Leo Bärring --- docs/reverse_proxy.md | 51 +++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 49 insertions(+), 2 deletions(-) diff --git a/docs/reverse_proxy.md b/docs/reverse_proxy.md index bb7caa8bb90f..01da22d57944 100644 --- a/docs/reverse_proxy.md +++ b/docs/reverse_proxy.md @@ -3,8 +3,9 @@ It is recommended to put a reverse proxy such as [nginx](https://nginx.org/en/docs/http/ngx_http_proxy_module.html), [Apache](https://httpd.apache.org/docs/current/mod/mod_proxy_http.html), -[Caddy](https://caddyserver.com/docs/quick-starts/reverse-proxy) or -[HAProxy](https://www.haproxy.org/) in front of Synapse. One advantage +[Caddy](https://caddyserver.com/docs/quick-starts/reverse-proxy), +[HAProxy](https://www.haproxy.org/) or +[relayd](https://man.openbsd.org/relayd.8) in front of Synapse. One advantage of doing so is that it means that you can expose the default https port (443) to Matrix clients without needing to run Synapse with root privileges. 
@@ -160,6 +161,52 @@ backend matrix server matrix 127.0.0.1:8008 ``` +### Relayd + +``` +table { 127.0.0.1 } +table { 127.0.0.1 } + +http protocol "https" { + tls { no tlsv1.0, ciphers "HIGH" } + tls keypair "example.com" + match header set "X-Forwarded-For" value "$REMOTE_ADDR" + match header set "X-Forwarded-Proto" value "https" + + # set CORS header for .well-known/matrix/server, .well-known/matrix/client + # httpd does not support setting headers, so do it here + match request path "/.well-known/matrix/*" tag "matrix-cors" + match response tagged "matrix-cors" header set "Access-Control-Allow-Origin" value "*" + + pass quick path "/_matrix/*" forward to + pass quick path "/_synapse/client/*" forward to + + # pass on non-matrix traffic to webserver + pass forward to +} + +relay "https_traffic" { + listen on egress port 443 tls + protocol "https" + forward to port 8008 check tcp + forward to port 8080 check tcp +} + +http protocol "matrix" { + tls { no tlsv1.0, ciphers "HIGH" } + tls keypair "example.com" + block + pass quick path "/_matrix/*" forward to + pass quick path "/_synapse/client/*" forward to +} + +relay "matrix_federation" { + listen on egress port 8448 tls + protocol "matrix" + forward to port 8008 check tcp +} +``` + ## Homeserver Configuration You will also want to set `bind_addresses: ['127.0.0.1']` and From 8ff911b4304ce3388eab1fad39c05ca1286eaab9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Leo=20B=C3=A4rring?= Date: Fri, 26 Feb 2021 22:03:28 +0100 Subject: [PATCH 2/7] list relayd among other reverse proxies MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Leo Bärring --- README.rst | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.rst b/README.rst index d872b11f57d7..6a1e7135909f 100644 --- a/README.rst +++ b/README.rst 
@@ -183,8 +183,9 @@ Using a reverse proxy with Synapse It is recommended to put a reverse proxy such as `nginx `_, `Apache `_, -`Caddy `_ or -`HAProxy `_ in front of Synapse. One advantage of +`Caddy `_, +`HAProxy `_ or +`relayd `_ in front of Synapse. One advantage of doing so is that it means that you can expose the default https port (443) to Matrix clients without needing to run Synapse with root privileges. From 7ff378b84a776fde49e6c90aecfe0843bb491263 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Leo=20B=C3=A4rring?= Date: Fri, 26 Feb 2021 21:34:41 +0100 Subject: [PATCH 3/7] added relayd proxy example MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Leo Bärring --- docs/reverse_proxy.md | 51 +++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 49 insertions(+), 2 deletions(-) diff --git a/docs/reverse_proxy.md b/docs/reverse_proxy.md index bb7caa8bb90f..01da22d57944 100644 --- a/docs/reverse_proxy.md +++ b/docs/reverse_proxy.md @@ -3,8 +3,9 @@ It is recommended to put a reverse proxy such as [nginx](https://nginx.org/en/docs/http/ngx_http_proxy_module.html), [Apache](https://httpd.apache.org/docs/current/mod/mod_proxy_http.html), -[Caddy](https://caddyserver.com/docs/quick-starts/reverse-proxy) or -[HAProxy](https://www.haproxy.org/) in front of Synapse. One advantage +[Caddy](https://caddyserver.com/docs/quick-starts/reverse-proxy), +[HAProxy](https://www.haproxy.org/) or +[relayd](https://man.openbsd.org/relayd.8) in front of Synapse. One advantage of doing so is that it means that you can expose the default https port (443) to Matrix clients without needing to run Synapse with root privileges. 
@@ -160,6 +161,52 @@ backend matrix server matrix 127.0.0.1:8008 ``` +### Relayd + +``` +table { 127.0.0.1 } +table { 127.0.0.1 } + +http protocol "https" { + tls { no tlsv1.0, ciphers "HIGH" } + tls keypair "example.com" + match header set "X-Forwarded-For" value "$REMOTE_ADDR" + match header set "X-Forwarded-Proto" value "https" + + # set CORS header for .well-known/matrix/server, .well-known/matrix/client + # httpd does not support setting headers, so do it here + match request path "/.well-known/matrix/*" tag "matrix-cors" + match response tagged "matrix-cors" header set "Access-Control-Allow-Origin" value "*" + + pass quick path "/_matrix/*" forward to + pass quick path "/_synapse/client/*" forward to + + # pass on non-matrix traffic to webserver + pass forward to +} + +relay "https_traffic" { + listen on egress port 443 tls + protocol "https" + forward to port 8008 check tcp + forward to port 8080 check tcp +} + +http protocol "matrix" { + tls { no tlsv1.0, ciphers "HIGH" } + tls keypair "example.com" + block + pass quick path "/_matrix/*" forward to + pass quick path "/_synapse/client/*" forward to +} + +relay "matrix_federation" { + listen on egress port 8448 tls + protocol "matrix" + forward to port 8008 check tcp +} +``` + ## Homeserver Configuration You will also want to set `bind_addresses: ['127.0.0.1']` and From ecdb86838e48ab9ff3d00caf4274cafec922bc50 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Leo=20B=C3=A4rring?= Date: Fri, 26 Feb 2021 22:03:28 +0100 Subject: [PATCH 4/7] list relayd among other reverse proxies MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Leo Bärring --- README.rst | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.rst b/README.rst index d872b11f57d7..6a1e7135909f 100644 --- a/README.rst +++ b/README.rst 
@@ -183,8 +183,9 @@ Using a reverse proxy with Synapse It is recommended to put a reverse proxy such as `nginx `_, `Apache `_, -`Caddy `_ or -`HAProxy `_ in front of Synapse. One advantage of +`Caddy `_, +`HAProxy `_ or +`relayd `_ in front of Synapse. One advantage of doing so is that it means that you can expose the default https port (443) to Matrix clients without needing to run Synapse with root privileges. From b0240b6db416f97b9644972bf52aca64206e5574 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Leo=20B=C3=A4rring?= Date: Sat, 27 Feb 2021 15:00:42 +0100 Subject: [PATCH 5/7] add changelog entry with assumed number MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Leo Bärring --- changelog.d/9503.doc | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog.d/9503.doc diff --git a/changelog.d/9503.doc b/changelog.d/9503.doc new file mode 100644 index 000000000000..a17a8faecf73 --- /dev/null +++ b/changelog.d/9503.doc @@ -0,0 +1 @@ +Add relayd entry to reverse proxy example configurations. From 590a8efd4b2b141a0a7638241750a638e41a9ebc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Leo=20B=C3=A4rring?= Date: Sat, 27 Feb 2021 15:08:05 +0100 Subject: [PATCH 6/7] rename changelog entry MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Leo Bärring --- changelog.d/{9503.doc => 9507.doc} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename changelog.d/{9503.doc => 9507.doc} (100%) diff --git a/changelog.d/9503.doc b/changelog.d/9507.doc similarity index 100% rename from changelog.d/9503.doc rename to changelog.d/9507.doc From 1b7f1ef968b386051db9cbc273619d8087a0540d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Leo=20B=C3=A4rring?= Date: Sat, 27 Feb 2021 15:18:15 +0100 Subject: [PATCH 7/7] another rename of the commit file MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Leo Bärring --- changelog.d/{9507.doc => 9508.doc} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename changelog.d/{9507.doc => 9508.doc} (100%) diff --git a/changelog.d/9507.doc b/changelog.d/9508.doc similarity index 100% rename from changelog.d/9507.doc rename to changelog.d/9508.doc
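Review bot: In patch 1/7, hunk `@@ -160,6 +161,52 @@` of docs/reverse_proxy.md, the relayd configuration is not valid as it reads here: both `table { 127.0.0.1 }` lines carry no table name and every `forward to` has no target, yet relayd.conf requires `table <name> { ... }` and `forward to <name> ...`. Give the two tables distinct names (for example `table <synapse> { 127.0.0.1 }` and `table <webserver> { 127.0.0.1 }`, names chosen here for illustration) and reference them consistently, so that the `/_matrix/*` and `/_synapse/client/*` rules and the `port 8008` forward point at the Synapse table while the catch-all `pass forward to` and the `port 8080` forward point at the web server table; as written, a reader cannot tell which backend receives which traffic. Two smaller points on the same hunk: `tls { no tlsv1.0, ciphers "HIGH" }` only disables TLS 1.0, so add `no tlsv1.1` unless the relayd release being documented already defaults to TLS 1.2 and newer; and the `"matrix"` protocol used for the federation relay on port 8448 sets no `X-Forwarded-For` header, so Synapse will log the proxy's own address for federation requests, unlike the `"https"` protocol, which sets it. A one-sentence introduction above the block stating that port 8080 is a local web server (httpd, per the comment) for non-Matrix traffic would also help, since the other sections describe only a single backend.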
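Review bot: Still on hunk `@@ -160,6 +161,52 @@` of docs/reverse_proxy.md in patch 1/7, the heading reads `### Relayd` while the list added in hunk `@@ -3,8 +3,9 @@` and the man page it links to write the name as `relayd`; use the lowercase form in the heading so the section is found by the same name the introduction uses.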
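Review bot: Patches 3/7 and 4/7 repeat patches 1/7 and 2/7 exactly, with the same subjects and the same index lines (`bb7caa8bb90f..01da22d57944` for docs/reverse_proxy.md and `d872b11f57d7..6a1e7135909f` for README.rst), so applying the series in order will fail when the second copy tries to change lines the first copy already changed. Rebase the branch so each change appears once.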
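Review bot: Patches 5/7, 6/7 and 7/7 create `changelog.d/9503.doc` and then rename it twice, to `9507.doc` and `9508.doc`, with the commit message of 5/7 saying the number was assumed. Squash the three into a single commit that adds `changelog.d/9508.doc` directly, since the intermediate names carry no information and only add noise to the history.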