Skip to content
Snippets Groups Projects
Select Git revision
  • tedomum default
  • deploy-exploding-state-groups
  • fix-exploding-state-groups
  • v1.125.0+tedomum.1
  • v1.123.0+tedomum.1
  • v1.122.0+tedomum.1
  • v1.121.1+tedomum.1
  • v1.119.0+tedomum.1
  • v1.118.0+tedomum.1
  • v1.114.0+tedomum.1
  • v1.109.0+tedomum.1
  • v1.105.1+tedomum.1
  • v1.98.0+tedomum.1
  • v1.97.0+tedomum.1
  • v1.96.1+tedomum.1
  • v1.95.1+tedomum.1
  • v1.88.0+tedomum.1
  • v1.73.0
  • v1.73.0rc2
  • v1.73.0rc1
  • v1.72.0
  • v1.72.0rc1
  • v1.71.0
23 results
Blame Permalink
reverse_proxy.md 8.53 KiB

Using a reverse proxy with Synapse

It is recommended to put a reverse proxy such as nginx, Apache, Caddy, HAProxy or relayd in front of Synapse. One advantage of doing so is that it means that you can expose the default https port (443) to Matrix clients without needing to run Synapse with root privileges.

You should configure your reverse proxy to forward requests to /_matrix or /_synapse/client to Synapse, and have it set the X-Forwarded-For and X-Forwarded-Proto request headers.

You should remember that Matrix clients and other Matrix servers do not necessarily need to connect to your server via the same server name or port. Indeed, clients will use port 443 by default, whereas servers default to port 8448. Where these are different, we refer to the 'client port' and the 'federation port'. See the Matrix specification for more details of the algorithm used for federation connections, and Delegation for instructions on setting up delegation.

NOTE: Your reverse proxy must not canonicalise or normalise the requested URI in any way (for example, by decoding %xx escapes). Beware that Apache will canonicalise URIs unless you specify nocanon.

Let's assume that we expect clients to connect to our server at https://matrix.example.com, and other servers to connect at https://example.com:8448. The following sections detail the configuration of the reverse proxy and the homeserver.

Homeserver Configuration

The HTTP configuration will need to be updated for Synapse to correctly record client IP addresses and generate redirect URLs while behind a reverse proxy.

In homeserver.yaml set x_forwarded: true in the port 8008 section and consider setting bind_addresses: ['127.0.0.1'] so that the server only listens to traffic on localhost. (Do not change bind_addresses to 127.0.0.1 when using a containerized Synapse, as that will prevent it from responding to proxied traffic.)

Reverse-proxy configuration examples