# This is a sample file demonstrating how to set up reverse-proxy for matrix.DOMAIN ServerName matrix.DOMAIN ProxyVia On # Map /.well-known/acme-challenge to the certbot server # If you manage SSL certificates by yourself, this will differ. ProxyPreserveHost On ProxyPass http://127.0.0.1:2402/.well-known/acme-challenge Redirect permanent / https://matrix.DOMAIN/ # Client-Server API ServerName matrix.DOMAIN SSLEngine On # If you manage SSL certificates by yourself, these paths will differ. SSLCertificateFile /matrix/ssl/config/live/matrix.DOMAIN/fullchain.pem SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem SSLProxyEngine on SSLProxyProtocol +TLSv1.2 +TLSv1.3 SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH ProxyPreserveHost On ProxyRequests Off ProxyVia On RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME} # Keep some URIs free for different proxy/location ProxyPassMatch ^/.well-known/matrix/client ! ProxyPassMatch ^/.well-known/matrix/server ! ProxyPassMatch ^/.well-known/matrix/support ! ProxyPassMatch ^/_matrix/identity ! ProxyPassMatch ^/_matrix/client/r0/user_directory/search ! # Proxy all remaining traffic to Synapse AllowEncodedSlashes NoDecode ProxyPass /_matrix http://127.0.0.1:8008/_matrix retry=0 nocanon ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix ProxyPass /_synapse/client http://127.0.0.1:8008/_synapse/client retry=0 nocanon ProxyPassReverse /_synapse/client http://127.0.0.1:8008/_synapse/client # Proxy Admin API (necessary for Synapse-Admin) # ProxyPass /_synapse/admin http://127.0.0.1:8008/_synapse/admin retry=0 nocanon # ProxyPassReverse /_synapse/admin http://127.0.0.1:8008/_synapse/admin # Proxy Synapse-Admin # ProxyPass /synapse-admin http://127.0.0.1:8766 retry=0 nocanon # ProxyPassReverse /synapse-admin http://127.0.0.1:8766 # Map /.well-known/matrix/client for client discovery Alias /.well-known/matrix/client /matrix/static-files/.well-known/matrix/client Require all granted Header always set Content-Type "application/json" Header always set Access-Control-Allow-Origin "*" # Map /.well-known/matrix/server for server discovery Alias /.well-known/matrix/server /matrix/static-files/.well-known/matrix/server Require all granted Header always set Content-Type "application/json" # Map /.well-known/matrix/support for support discovery Alias /.well-known/matrix/support /matrix/static-files/.well-known/matrix/support Require all granted Header always set Content-Type "application/json" AllowOverride All # Apache 2.4: Require all granted # Or for Apache 2.2: #order allow,deny # Map /_matrix/identity to the identity server ProxyPass http://127.0.0.1:8090/_matrix/identity nocanon # Map /_matrix/client/r0/user_directory/search to the identity server ProxyPass http://127.0.0.1:8090/_matrix/client/r0/user_directory/search nocanon ErrorLog ${APACHE_LOG_DIR}/matrix.DOMAIN-error.log CustomLog ${APACHE_LOG_DIR}/matrix.DOMAIN-access.log combined # Server-Server (federation) API # Use this apache reverse proxy template to enable matrix server-to-server federation traffic # Be sure that network traffic on port 8448 is possible # # You can check your federation config at https://federationtester.matrix.org/ # Enter there your base DOMAIN address, NOT your matrix.DOMAIN address, ex. https://DOMAIN # # In this example we use all services on the same machine (127.0.0.1) but you can do this with different machines. # If you do so be sure to reach the destinated IPADRESS and the correspondending port. Check this with netstat, nmap or your favourite tool. Listen 8448 ServerName matrix.DOMAIN SSLEngine On # If you manage SSL certificates by yourself, these paths will differ. SSLCertificateFile /matrix/ssl/config/live/matrix.DOMAIN/fullchain.pem SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem SSLProxyEngine on SSLProxyProtocol +TLSv1.2 +TLSv1.3 SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH ProxyPreserveHost On ProxyRequests Off ProxyVia On RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME} # Proxy all remaining traffic to the Synapse port # Beware: In this example the local traffic goes to the local synapse server at 127.0.0.1 # Of course you can use another IPADRESS in case of using other synapse servers in your network AllowEncodedSlashes NoDecode ProxyPass /_matrix http://127.0.0.1:8048/_matrix retry=0 nocanon ProxyPassReverse /_matrix http://127.0.0.1:8048/_matrix ErrorLog ${APACHE_LOG_DIR}/matrix.DOMAIN-error.log CustomLog ${APACHE_LOG_DIR}/matrix.DOMAIN-access.log combined