Address comments
This commit is contained in:
parent
9e89a420e8
commit
57164e17da
30
README.rst
30
README.rst
|
@ -220,6 +220,11 @@ is configured to use TLS for `Federation`_ with a self-signed or verified
|
||||||
certificate, but please be aware that a valid certificate will be required in
|
certificate, but please be aware that a valid certificate will be required in
|
||||||
Synapse v1.0.
|
Synapse v1.0.
|
||||||
|
|
||||||
|
If you would like to use your own certificates, you can do so by changing
|
||||||
|
``tls_certificate_path`` and ``tls_private_key_path`` in ``homeserver.yaml``;
|
||||||
|
alternatively, you can use a reverse-proxy. Apart from port 8448 using TLS,
|
||||||
|
both ports are the same in the default configuration.
|
||||||
|
|
||||||
|
|
||||||
ACME setup
|
ACME setup
|
||||||
----------
|
----------
|
||||||
|
@ -261,13 +266,12 @@ Make sure to restart/reload your webserver after making changes.
|
||||||
|
|
||||||
**Authbind**
|
**Authbind**
|
||||||
|
|
||||||
``authbind`` allows a program which does not not run as root to
|
``authbind`` allows a program which does not run as root to bind to
|
||||||
bind to low-numbered ports in a controlled way. The setup is simpler, but
|
low-numbered ports in a controlled way. The setup is simpler, but requires a
|
||||||
requires a webserver not to already be running on port 80. **This includes
|
webserver not to already be running on port 80. **This includes every time
|
||||||
every time Synapse renews a certificate**, which may be cumbersome if you
|
Synapse renews a certificate**, which may be cumbersome if you usually run a
|
||||||
usually run a web server on port 80. Nevertheless, if you're sure port 80 is
|
web server on port 80. Nevertheless, if you're sure port 80 is not being used
|
||||||
not being used for any other purpose then all that is necessary is the
|
for any other purpose then all that is necessary is the following:
|
||||||
following:
|
|
||||||
|
|
||||||
Install ``authbind``. For example, on Debian/Ubuntu::
|
Install ``authbind``. For example, on Debian/Ubuntu::
|
||||||
|
|
||||||
|
@ -282,12 +286,6 @@ When Synapse is started, use the following syntax::
|
||||||
|
|
||||||
authbind --deep <synapse start command>
|
authbind --deep <synapse start command>
|
||||||
|
|
||||||
If you would like to use your own certificates, you can do so by
|
|
||||||
changing ``tls_certificate_path`` and ``tls_private_key_path`` in
|
|
||||||
``homeserver.yaml``; alternatively, you can use a reverse-proxy, but be sure
|
|
||||||
to read `Using a reverse proxy with Synapse`_ when doing so. Apart from port
|
|
||||||
8448 using TLS, both ports are the same in the default configuration.
|
|
||||||
|
|
||||||
Finally, once Synapse's is able to listen on port 80 for ACME challenge
|
Finally, once Synapse's is able to listen on port 80 for ACME challenge
|
||||||
requests, it must be told to perform ACME provisioning by setting ``enabled``
|
requests, it must be told to perform ACME provisioning by setting ``enabled``
|
||||||
to true under the ``acme`` section in ``homeserver.yaml``::
|
to true under the ``acme`` section in ``homeserver.yaml``::
|
||||||
|
@ -725,10 +723,8 @@ port. Indeed, clients will use port 443 by default, whereas servers default to
|
||||||
port 8448. Where these are different, we refer to the 'client port' and the
|
port 8448. Where these are different, we refer to the 'client port' and the
|
||||||
'federation port'.
|
'federation port'.
|
||||||
|
|
||||||
The recommended setup is therefore to configure your reverse-proxy on port
|
All Matrix endpoints begin with ``/_matrix``, so an example nginx
|
||||||
443 to port 8008 of synapse for client connections, and port 8448 for
|
configuration for forwarding client connections to Synapse might look like::
|
||||||
server-server connections. All Matrix endpoints begin with ``/_matrix``, so an
|
|
||||||
example nginx configuration might look like::
|
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 443 ssl;
|
listen 443 ssl;
|
||||||
|
|
Loading…
Reference in New Issue