Matthias/conduit
1
0
Fork 0
Code Issues 179 Pull requests 44 Projects Releases 5 Packages Wiki Activity

Docs: Delegation #956

Open
purplemeteorite wants to merge 3 commits from docs-delegation into next
pull from: docs-delegation
merge into: Matthias:next
Conversation 33 Commits 3 Files changed 1 +59 -20
1 changed files with 59 additions and 20 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

79
DEPLOY.md
View file

@ -84,25 +84,6 @@ In Debian or RHEL, you can use this command to create a Conduit user:
sudo adduser --system conduit --group --disable-login --no-create-home
```
## Forwarding ports in the firewall or the router
Conduit uses the ports 443 and 8448 both of which need to be open in the firewall.
If Conduit runs behind a router or in a container and has a different public IP address than the host system these public ports need to be forwarded directly or indirectly to the port mentioned in the config.
## Optional: Avoid port 8448
If Conduit runs behind Cloudflare reverse proxy, which doesn't support port 8448 on free plans, [delegation](https://matrix-org.github.io/synapse/latest/delegate.html) can be set up to have federation traffic routed to port 443:
```apache
# .well-known delegation on Apache
<Files "/.well-known/matrix/server">
ErrorDocument 200 '{"m.server": "your.server.name:443"}'
Header always set Content-Type application/json
Header always set Access-Control-Allow-Origin *
</Files>
```
[SRV DNS record](https://spec.matrix.org/latest/server-server-api/#resolving-server-names) delegation is also [possible](https://www.cloudflare.com/en-gb/learning/dns/dns-records/dns-srv-record/).
## Setting up a systemd service
Now we'll set up a systemd service for Conduit, so it's easy to start/stop Conduit and set it to autostart when your
@ -203,7 +184,65 @@ sudo chmod 700 /var/lib/matrix-conduit/
## Setting up the Reverse Proxy
This depends on whether you use Apache, Caddy, Nginx or another web server.
## Delegation
A matrix username has the format `@username:example.com`, where `example.com` corresponds to the server name. Other homeservers and clients will try to use this address to reach your server. By default, clients use port 443 and federation traffic uses port 8448. If you want to host Conduit under a different domain or use a different port, delegation makes it possible to reroute incoming requests to an address and port of your choice. Both of these are optional, and they are not exclusive.
> Note: Some proxies (for example Cloudflare) don't support port 8448, making delegation necessary.
### Setting up delegation
Delegation can be set up with an [SRV DNS record](https://matrix-org.github.io/synapse/latest/delegate.html#srv-dns-record-delegation) or by serving a JSON response, usually referred to as `.well-known` delegation. This documentation only discusses the second option, which is generally recommended. It is important to note that `.well-known` has to be served on `example.com:443`, which corresponds to the server name and the standard HTTPS port, not where Conduit actually is. See the following examples for more information and choose the right one for your reverse proxy.
#### Nginx
```nginx
server {
server_name example.com; # Change to the name of your server
### Federation traffic, i.e. server-to-server communication
location /.well-known/matrix/server {
types { } default_type "application/json; charset=utf-8";
return 200 '{"m.server": "conduit.example.com:443"}'; # the address and port of Conduit
}
### Client-server traffic
location /.well-known/matrix/client {
types { } default_type "application/json; charset=utf-8";
add_header 'Access-Control-Allow-Origin' *;
add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'X-Requested-With, Content-Type, Authorization';
return 200 '{"m.homeserver": {"base_url": "https://conduit.example.com"}}'; # the address of Conduit
}
# Don't forget to set up TLS
}
```
#### Caddy
There are multiple ways to configure Caddy. This example uses a Caddyfile.
```conf
example.com {
handle_path /.well-known/matrix/* {
### Federation traffic, i.e. server-to-server communication
respond /server `{"m.server": "conduit.example.com:443"}`
### Client-server traffic
handle_path /client {
header Access-Control-Allow-Origin *
header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
header Access-Control-Allow-Headers "X-Requested-With, Content-Type, Authorization"
respond `{"m.homeserver": {"base_url": "https://conduit.example.com"}}`
}
}
}
```
## Forwarding traffic to Conduit
Since Conduit listens on port 6167, you need a reverse proxy to forward incoming requests to it. By default, ports 8448 and 443 need to be forwarded, although this may vary if you have set up delegation in the previous step. Example configurations for various reverse proxies can be found below.
### Apache