Docs: Delegation #956
1 changed files with 59 additions and 20 deletions
79
DEPLOY.md
79
DEPLOY.md
|
@ -84,25 +84,6 @@ In Debian or RHEL, you can use this command to create a Conduit user:
|
||||||
sudo adduser --system conduit --group --disable-login --no-create-home
|
sudo adduser --system conduit --group --disable-login --no-create-home
|
||||||
```
|
```
|
||||||
|
|
||||||
## Forwarding ports in the firewall or the router
|
|
||||||
|
|
||||||
Conduit uses the ports 443 and 8448 both of which need to be open in the firewall.
|
|
||||||
|
|
||||||
If Conduit runs behind a router or in a container and has a different public IP address than the host system these public ports need to be forwarded directly or indirectly to the port mentioned in the config.
|
|
||||||
|
|
||||||
## Optional: Avoid port 8448
|
|
||||||
|
|
||||||
If Conduit runs behind Cloudflare reverse proxy, which doesn't support port 8448 on free plans, [delegation](https://matrix-org.github.io/synapse/latest/delegate.html) can be set up to have federation traffic routed to port 443:
|
|
||||||
```apache
|
|
||||||
# .well-known delegation on Apache
|
|
||||||
<Files "/.well-known/matrix/server">
|
|
||||||
ErrorDocument 200 '{"m.server": "your.server.name:443"}'
|
|
||||||
Header always set Content-Type application/json
|
|
||||||
Header always set Access-Control-Allow-Origin *
|
|
||||||
</Files>
|
|
||||||
```
|
|
||||||
[SRV DNS record](https://spec.matrix.org/latest/server-server-api/#resolving-server-names) delegation is also [possible](https://www.cloudflare.com/en-gb/learning/dns/dns-records/dns-srv-record/).
|
|
||||||
|
|
||||||
## Setting up a systemd service
|
## Setting up a systemd service
|
||||||
|
|
||||||
Now we'll set up a systemd service for Conduit, so it's easy to start/stop Conduit and set it to autostart when your
|
Now we'll set up a systemd service for Conduit, so it's easy to start/stop Conduit and set it to autostart when your
|
||||||
|
@ -203,7 +184,65 @@ sudo chmod 700 /var/lib/matrix-conduit/
|
||||||
|
|
||||||
## Setting up the Reverse Proxy
|
## Setting up the Reverse Proxy
|
||||||
|
|
||||||
This depends on whether you use Apache, Caddy, Nginx or another web server.
|
## Delegation
|
||||||
|
|
||||||
|
A matrix username has the format `@username:example.com`, where `example.com` corresponds to the server name. Other homeservers and clients will try to use this address to reach your server. By default, clients use port 443 and federation traffic uses port 8448. If you want to host Conduit under a different domain or use a different port, delegation makes it possible to reroute incoming requests to an address and port of your choice. Both of these are optional, and they are not exclusive.
|
||||||
|
|
||||||
|
> Note: Some proxies (for example Cloudflare) don't support port 8448, making delegation necessary.
|
||||||
|
|
||||||
|
### Setting up delegation
|
||||||
|
|
||||||
|
Delegation can be set up with an [SRV DNS record](https://matrix-org.github.io/synapse/latest/delegate.html#srv-dns-record-delegation) or by serving a JSON response, usually referred to as `.well-known` delegation. This documentation only discusses the second option, which is generally recommended. It is important to note that `.well-known` has to be served on `example.com:443`, which corresponds to the server name and the standard HTTPS port, not where Conduit actually is. See the following examples for more information and choose the right one for your reverse proxy.
|
||||||
|
|
||||||
|
|
||||||
|
#### Nginx
|
||||||
|
|
||||||
|
```nginx
|
||||||
|
server {
|
||||||
|
|
||||||
|
server_name example.com; # Change to the name of your server
|
||||||
|
|
||||||
|
### Federation traffic, i.e. server-to-server communication
|
||||||
|
location /.well-known/matrix/server {
|
||||||
|
types { } default_type "application/json; charset=utf-8";
|
||||||
|
return 200 '{"m.server": "conduit.example.com:443"}'; # the address and port of Conduit
|
||||||
|
}
|
||||||
|
### Client-server traffic
|
||||||
|
location /.well-known/matrix/client {
|
||||||
|
types { } default_type "application/json; charset=utf-8";
|
||||||
|
add_header 'Access-Control-Allow-Origin' *;
|
||||||
|
add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
|
||||||
|
add_header 'Access-Control-Allow-Headers' 'X-Requested-With, Content-Type, Authorization';
|
||||||
|
return 200 '{"m.homeserver": {"base_url": "https://conduit.example.com"}}'; # the address of Conduit
|
||||||
|
}
|
||||||
|
# Don't forget to set up TLS
|
||||||
|
}
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Caddy
|
||||||
|
There are multiple ways to configure Caddy. This example uses a Caddyfile.
|
||||||
|
```conf
|
||||||
|
example.com {
|
||||||
|
handle_path /.well-known/matrix/* {
|
||||||
|
### Federation traffic, i.e. server-to-server communication
|
||||||
|
respond /server `{"m.server": "conduit.example.com:443"}`
|
||||||
|
### Client-server traffic
|
||||||
|
handle_path /client {
|
||||||
|
header Access-Control-Allow-Origin *
|
||||||
|
header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
|
||||||
|
header Access-Control-Allow-Headers "X-Requested-With, Content-Type, Authorization"
|
||||||
|
respond `{"m.homeserver": {"base_url": "https://conduit.example.com"}}`
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
## Forwarding traffic to Conduit
|
||||||
|
|
||||||
|
Since Conduit listens on port 6167, you need a reverse proxy to forward incoming requests to it. By default, ports 8448 and 443 need to be forwarded, although this may vary if you have set up delegation in the previous step. Example configurations for various reverse proxies can be found below.
|
||||||
|
|
||||||
### Apache
|
### Apache
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue