Address comments

This commit is contained in:
Andrew Morgan 2019-02-01 16:59:06 +00:00
parent 9e89a420e8
commit 57164e17da
1 changed files with 13 additions and 17 deletions

View File

@ -220,6 +220,11 @@ is configured to use TLS for `Federation`_ with a self-signed or verified
certificate, but please be aware that a valid certificate will be required in certificate, but please be aware that a valid certificate will be required in
Synapse v1.0. Synapse v1.0.
If you would like to use your own certificates, you can do so by changing
``tls_certificate_path`` and ``tls_private_key_path`` in ``homeserver.yaml``;
alternatively, you can use a reverse-proxy. Apart from port 8448 using TLS,
both ports are the same in the default configuration.
ACME setup ACME setup
---------- ----------
@ -261,13 +266,12 @@ Make sure to restart/reload your webserver after making changes.
**Authbind** **Authbind**
``authbind`` allows a program which does not not run as root to ``authbind`` allows a program which does not run as root to bind to
bind to low-numbered ports in a controlled way. The setup is simpler, but low-numbered ports in a controlled way. The setup is simpler, but requires a
requires a webserver not to already be running on port 80. **This includes webserver not to already be running on port 80. **This includes every time
every time Synapse renews a certificate**, which may be cumbersome if you Synapse renews a certificate**, which may be cumbersome if you usually run a
usually run a web server on port 80. Nevertheless, if you're sure port 80 is web server on port 80. Nevertheless, if you're sure port 80 is not being used
not being used for any other purpose then all that is necessary is the for any other purpose then all that is necessary is the following:
following:
Install ``authbind``. For example, on Debian/Ubuntu:: Install ``authbind``. For example, on Debian/Ubuntu::
@ -282,12 +286,6 @@ When Synapse is started, use the following syntax::
authbind --deep <synapse start command> authbind --deep <synapse start command>
If you would like to use your own certificates, you can do so by
changing ``tls_certificate_path`` and ``tls_private_key_path`` in
``homeserver.yaml``; alternatively, you can use a reverse-proxy, but be sure
to read `Using a reverse proxy with Synapse`_ when doing so. Apart from port
8448 using TLS, both ports are the same in the default configuration.
Finally, once Synapse's is able to listen on port 80 for ACME challenge Finally, once Synapse's is able to listen on port 80 for ACME challenge
requests, it must be told to perform ACME provisioning by setting ``enabled`` requests, it must be told to perform ACME provisioning by setting ``enabled``
to true under the ``acme`` section in ``homeserver.yaml``:: to true under the ``acme`` section in ``homeserver.yaml``::
@ -725,10 +723,8 @@ port. Indeed, clients will use port 443 by default, whereas servers default to
port 8448. Where these are different, we refer to the 'client port' and the port 8448. Where these are different, we refer to the 'client port' and the
'federation port'. 'federation port'.
The recommended setup is therefore to configure your reverse-proxy on port All Matrix endpoints begin with ``/_matrix``, so an example nginx
443 to port 8008 of synapse for client connections, and port 8448 for configuration for forwarding client connections to Synapse might look like::
server-server connections. All Matrix endpoints begin with ``/_matrix``, so an
example nginx configuration might look like::
server { server {
listen 443 ssl; listen 443 ssl;