This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Add /_synapse/client to the reverse proxy docs #8227

Merged
merged 8 commits into from
Sep 10, 2020
12 changes: 12 additions & 0 deletions UPGRADE.rst
Expand Up @@ -75,6 +75,18 @@ for example:
wget https://packages.matrix.org/debian/pool/main/m/matrix-synapse-py3/matrix-synapse-py3_1.3.0+stretch1_amd64.deb
dpkg -i matrix-synapse-py3_1.3.0+stretch1_amd64.deb

Upgrading to v1.20.0

we're going to need to make sure that this and #8004 land in the same release, otherwise this is going to be confusing.

====================

Forwarding ``/_synapse/client`` through your reverse proxy
----------------------------------------------------------

The `reverse proxy documentation
<https://github.com/matrix-org/synapse/blob/develop/docs/reverse_proxy.md>`_ has been updated
to include reverse proxy directives for ``/_synapse/client/*`` endpoints. As the user password
reset flow now uses endpoints under this prefix, **you must update your reverse proxy
configurations for user password reset to work**.

Upgrading to v1.18.0
====================
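Review bot: the link in the new v1.20.0 section points at `blob/develop/docs/reverse_proxy.md`, which will drift from what v1.20.0 actually shipped; consider linking to the file as tagged for the release. The note also says "you must update your reverse proxy configurations" without saying what to add. One sentence stating that only the `/_synapse/client` prefix needs forwarding, and not all of `/_synapse`, would stop admins from widening the rule to cover `/_synapse/admin`, which docs/reverse_proxy.md in this same change advises against exposing.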

1 change: 1 addition & 0 deletions changelog.d/8227.doc
@@ -0,0 +1 @@
Add `/synapse/client` to the reverse proxy documentation.
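Review bot: the path in this changelog entry is missing its leading underscore: it reads `/synapse/client`, while UPGRADE.rst and docs/reverse_proxy.md in this change use `/_synapse/client`. Suggest "Add `/_synapse/client` to the reverse proxy documentation."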
25 changes: 22 additions & 3 deletions docs/reverse_proxy.md
Expand Up @@ -11,7 +11,7 @@ privileges.

**NOTE**: Your reverse proxy must not `canonicalise` or `normalise`
the requested URI in any way (for example, by decoding `%xx` escapes).
Beware that Apache *will* canonicalise URIs unless you specifify
Beware that Apache *will* canonicalise URIs unless you specify
`nocanon`.

When setting up a reverse proxy, remember that Matrix clients and other
Expand All @@ -23,6 +23,10 @@ specification](https://matrix.org/docs/spec/server_server/latest#resolving-serve
for more details of the algorithm used for federation connections, and
[delegate.md](<delegate.md>) for instructions on setting up delegation.

Endpoints that are part of the standardised Matrix specification are
located under `/_matrix`, whereas endpoints specific to Synapse are
located under `/_synapse`.

Let's assume that we expect clients to connect to our server at
`https://matrix.example.com`, and other servers to connect at
`https://example.com:8448`. The following sections detail the configuration of
Expand All @@ -45,7 +49,7 @@ server {

server_name matrix.example.com;

location /_matrix {
location ~* ^(\/_matrix|\/_synapse\/client) {
proxy_pass http://localhost:8008;
proxy_set_header X-Forwarded-For $remote_addr;
# Nginx by default only allows file uploads up to 1M in size
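Review bot: the new `location ~* ^(\/_matrix|\/_synapse\/client)` line replaces a prefix match with a case-insensitive regex match, which is broader than the `location /_matrix` it replaces. `~*` accepts any letter case, and a regex location that matches takes precedence over ordinary prefix locations in the same `server` block, so this can change which block handles a request on deployments that define other locations. Suggest the case-sensitive form `location ~ ^(/_matrix|/_synapse/client)`; the backslashes before `/` are not needed in nginx regexes.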
Expand All @@ -65,6 +69,10 @@ matrix.example.com {
proxy /_matrix http://localhost:8008 {
transparent
}

proxy /_synapse/client http://localhost:8008 {
transparent
}
}

example.com:8448 {
Expand All @@ -79,6 +87,7 @@ example.com:8448 {
```
matrix.example.com {
reverse_proxy /_matrix/* http://localhost:8008
reverse_proxy /_synapse/client/* http://localhost:8008
}

example.com:8448 {
Expand All @@ -96,6 +105,8 @@ example.com:8448 {
AllowEncodedSlashes NoDecode
ProxyPass /_matrix http://127.0.0.1:8008/_matrix nocanon
ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix
ProxyPass /_synapse/client http://127.0.0.1:8008/_synapse/client nocanon
ProxyPassReverse /_synapse/client http://127.0.0.1:8008/_synapse/client
</VirtualHost>

<VirtualHost *:8448>
Expand All @@ -119,8 +130,9 @@ frontend https
# Matrix client traffic
acl matrix-host hdr(host) -i matrix.example.com
acl matrix-path path_beg /_matrix
acl synapse-client-path path_beg /_matrix

use_backend matrix if matrix-host matrix-path
use_backend matrix if matrix-host matrix-path || matrix-host synapse-client-path

frontend matrix-federation
bind :::8448 v4v6 ssl crt /etc/ssl/haproxy/synapse.pem alpn h2,http/1.1
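Review bot: `acl synapse-client-path path_beg /_matrix` repeats the path already used by `matrix-path` on the line above, so the new ACL never matches `/_synapse/client` and the added `|| matrix-host synapse-client-path` clause has no effect. With this configuration the password reset endpoints are still not routed to the `matrix` backend. The ACL should read `acl synapse-client-path path_beg /_synapse/client`.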
Expand All @@ -146,3 +158,10 @@ connecting to Synapse from a client.
Synapse exposes a health check endpoint for use by reverse proxies.
Each configured HTTP listener has a `/health` endpoint which always returns
200 OK (and doesn't get logged).

## Synapse administration endpoints

Endpoints for administering your Synapse instance are placed under
`/_synapse/admin`. These require authentication through an access token of an
admin user. Nevertheless, it is not advised to expose these ports to the public
internet.
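Review bot: the last sentence of the new "Synapse administration endpoints" section says "expose these ports", but the paragraph describes the `/_synapse/admin` path prefix, not a separate port; "endpoints" is the accurate word. It would also help to state here that the example configurations in this file forward only `/_matrix` and `/_synapse/client`, so `/_synapse/admin` stays unreachable through the proxy unless an administrator adds a rule for it.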