This repository was archived by the owner on Apr 26, 2024. It is now read-only.

Commit 0fc4eb1

Update reverse proxy to add OpenBSD relayd example configuration. (#9508)
Update reverse proxy to add OpenBSD relayd example configuration. Signed-off-by: Leo Bärring <leo.barring@protonmail.com>
1 parent e5da770 commit 0fc4eb1

3 files changed

+53
-4
lines changed

README.rst

Lines changed: 3 additions & 2 deletions
@@ -183,8 +183,9 @@ Using a reverse proxy with Synapse
183183
It is recommended to put a reverse proxy such as
184184
`nginx <https://nginx.org/en/docs/http/ngx_http_proxy_module.html>`_,
185185
`Apache <https://httpd.apache.org/docs/current/mod/mod_proxy_http.html>`_,
186-
`Caddy <https://caddyserver.com/docs/quick-starts/reverse-proxy>`_ or
187-
`HAProxy <https://www.haproxy.org/>`_ in front of Synapse. One advantage of
186+
`Caddy <https://caddyserver.com/docs/quick-starts/reverse-proxy>`_,
187+
`HAProxy <https://www.haproxy.org/>`_ or
188+
`relayd <https://man.openbsd.org/relayd.8>`_ in front of Synapse. One advantage of
188189
doing so is that it means that you can expose the default https port (443) to
189190
Matrix clients without needing to run Synapse with root privileges.
190191

changelog.d/9508.doc

Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
Add relayd entry to reverse proxy example configurations.

docs/reverse_proxy.md

Lines changed: 49 additions & 2 deletions
@@ -3,8 +3,9 @@
33
It is recommended to put a reverse proxy such as
44
[nginx](https://nginx.org/en/docs/http/ngx_http_proxy_module.html),
55
[Apache](https://httpd.apache.org/docs/current/mod/mod_proxy_http.html),
6-
[Caddy](https://caddyserver.com/docs/quick-starts/reverse-proxy) or
7-
[HAProxy](https://www.haproxy.org/) in front of Synapse. One advantage
6+
[Caddy](https://caddyserver.com/docs/quick-starts/reverse-proxy),
7+
[HAProxy](https://www.haproxy.org/) or
8+
[relayd](https://man.openbsd.org/relayd.8) in front of Synapse. One advantage
89
of doing so is that it means that you can expose the default https port
910
(443) to Matrix clients without needing to run Synapse with root
1011
privileges.
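Review bot: the link added on the `[relayd](https://man.openbsd.org/relayd.8)` line points at the daemon's page, while the example this commit adds further down in the same file is written in the configuration-file syntax. Consider linking the relayd.conf(5) manual from the new `### Relayd` section so readers can look up the directives the example uses.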
@@ -162,6 +163,52 @@ backend matrix
162163
server matrix 127.0.0.1:8008
163164
```
164165

166+
### Relayd
167+
168+
```
169+
table <webserver> { 127.0.0.1 }
170+
table <matrixserver> { 127.0.0.1 }
171+
172+
http protocol "https" {
173+
tls { no tlsv1.0, ciphers "HIGH" }
174+
tls keypair "example.com"
175+
match header set "X-Forwarded-For" value "$REMOTE_ADDR"
176+
match header set "X-Forwarded-Proto" value "https"
177+
178+
# set CORS header for .well-known/matrix/server, .well-known/matrix/client
179+
# httpd does not support setting headers, so do it here
180+
match request path "/.well-known/matrix/*" tag "matrix-cors"
181+
match response tagged "matrix-cors" header set "Access-Control-Allow-Origin" value "*"
182+
183+
pass quick path "/_matrix/*" forward to <matrixserver>
184+
pass quick path "/_synapse/client/*" forward to <matrixserver>
185+
186+
# pass on non-matrix traffic to webserver
187+
pass forward to <webserver>
188+
}
189+
190+
relay "https_traffic" {
191+
listen on egress port 443 tls
192+
protocol "https"
193+
forward to <matrixserver> port 8008 check tcp
194+
forward to <webserver> port 8080 check tcp
195+
}
196+
197+
http protocol "matrix" {
198+
tls { no tlsv1.0, ciphers "HIGH" }
199+
tls keypair "example.com"
200+
block
201+
pass quick path "/_matrix/*" forward to <matrixserver>
202+
pass quick path "/_synapse/client/*" forward to <matrixserver>
203+
}
204+
205+
relay "matrix_federation" {
206+
listen on egress port 8448 tls
207+
protocol "matrix"
208+
forward to <matrixserver> port 8008 check tcp
209+
}
210+
```
211+
165212
## Homeserver Configuration
166213

167214
You will also want to set `bind_addresses: ['127.0.0.1']` and
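Review bot: the `http protocol "matrix"` block used by the 8448 relay has no `match header set "X-Forwarded-For" value "$REMOTE_ADDR"` or `match header set "X-Forwarded-Proto" value "https"` rules, unlike the `"https"` protocol above it, so federation requests reach the backend on 8008 without the relay-supplied client address and scheme, and nothing in that block overwrites an X-Forwarded-For header sent by the remote side. Suggest repeating the two `match header set` lines there. Two documentation points in the same hunk: the comment "httpd does not support setting headers" and `forward to <webserver> port 8080 check tcp` assume a separate web server on port 8080 that the new section never introduces in prose, and `tls { no tlsv1.0, ciphers "HIGH" }` only rules out tlsv1.0 explicitly, so a one-line comment stating the intended minimum TLS version would help anyone adapting the example.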
