3/11/2020 Matrix Synapse [NaWiki]
sudoedit /etc/matrix-synapse/homeserver.yaml
enable_registration: False
registration_shared_secret: [shared_secret_key]
Check ports
It is best to leave it at the default as delivered (see
https://github.com/matrix-org/synapse/blob/master/docs/sample_config.yaml ), so check that it matches the following:
sudoedit /etc/matrix-synapse/homeserver.yaml
  - port: 8008
    tls: false
    bind_addresses: ['::1', '127.0.0.1']
    type: http
    x_forwarded: true
Be aware that indentation is important in *.yaml files!
Save and exit.
Note: registration_shared_secret: if set, it allows registration by anyone who also has the
shared secret, even if registration is disabled.
Now restart the Synapse services.
sudo systemctl restart matrix-synapse.service
Check the homeserver service with the following command
sudo ss -plntu
You will see that the Synapse service is now listening on the local IP address. This completes the Synapse
installation and configuration.
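The listener above uses tls: false and x_forwarded: true, so it should be reachable only through the reverse proxy. As an added example (not part of the original page), the following script reads ss output and confirms that port 8008 is bound to loopback addresses only. The helper name check_listener and the sample ss lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Sample ss output is constructed.
SAMPLE_OK='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      50     127.0.0.1:8008     0.0.0.0:*         users:(("python3",pid=1234,fd=12))
tcp   LISTEN 0      50     [::1]:8008         [::]:*            users:(("python3",pid=1234,fd=13))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=800,fd=3))'
SAMPLE_EXPOSED='tcp   LISTEN 0      50     0.0.0.0:8008       0.0.0.0:*         users:(("python3",pid=1234,fd=12))
tcp   LISTEN 0      50     [::1]:8008         [::]:*            users:(("python3",pid=1234,fd=13))'

# check_listener PORT  (hypothetical helper; reads `ss -plntu` output on stdin)
# Exit status: 0 = every listener on PORT is loopback-only,
#              1 = at least one listener is reachable from other hosts,
#              2 = nothing is listening on PORT.
check_listener() {
    awk -v port="$1" '
        $1 == "tcp" && $2 == "LISTEN" {
            la = $5                                  # e.g. 127.0.0.1:8008 or [::1]:8008
            n = split(la, parts, ":")
            if (parts[n] != port) next               # port is the last ":" field
            addr = substr(la, 1, length(la) - length(parts[n]) - 1)
            sub(/%.*$/, "", addr)                    # drop "%iface" suffix
            gsub(/^\[|\]$/, "", addr)                # drop IPv6 brackets
            found = 1
            if (addr ~ /^127\./ || addr == "::1") {
                print "ok       " la
            } else {
                print "EXPOSED  " la                 # 0.0.0.0, *, [::], LAN or public IP
                exposed = 1
            }
        }
        END { if (!found) exit 2; exit (exposed ? 1 : 0) }
    '
}

# Demo on the constructed samples; on a real host: sudo ss -plntu | check_listener 8008
printf '%s\n' "$SAMPLE_OK" | check_listener 8008 && echo "8008: loopback only"
printf '%s\n' "$SAMPLE_EXPOSED" | check_listener 8008 || echo "8008: exit status $?"
```

An EXPOSED line for port 8008 means bind_addresses in homeserver.yaml does not match the listener block shown above.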
Step 4 - Generate SSL Letsencrypt Certificates
In this tutorial, we will enable HTTPS for the Nginx reverse proxy, and we will generate the SSL
certificate files from Letsencrypt. So, start with installing the letsencrypt tool. (it is possible to add -y
again)
sudo apt install letsencrypt
If nginx is already installed, stop it first so certbot can listen on port 80
sudo systemctl stop nginx.service
Install the most recent certbot
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get install certbot python-certbot-nginx
Generate the SSL certificate files for the matrix domain name example.com using the certbot command
as shown below.
sudo certbot --nginx
The Letsencrypt tool will generate SSL certificate files by running the 'standalone' temporary web server
for verification. When it's complete, you will be told that it is done and where the certificates
are stored. Usually the SSL certificate files for the Synapse domain name example.com are generated
inside the /etc/letsencrypt/live/ directory.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.com
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2019-03-03. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
There should already be a cron job generated for automatic renewal of the certs, as they last only 90 days.
To check if the cron is up:
sudo certbot renew --dry-run
Step 5 - Install and configure Nginx as a reverse proxy
Now install the Nginx web server and configure it as a reverse proxy for the homeserver that is running on
the port '8008'. Start with installing the Nginx web server using the apt command below. (it is possible to
add -y again)
sudo apt install nginx
After the installation is complete, start the service and enable it to launch every time at system boot
sudo systemctl start nginx.service
sudo systemctl enable nginx.service
Next, we will create a new virtual host configuration for the domain name example.com . Go to the
'/etc/nginx' configuration directory and create a new virtual host file 'matrix'.
sudoedit /etc/nginx/sites-available/matrix
Paste the following configuration there, changing the domain example.com to your own:
server {
    listen 80;
    server_name example.com;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    # If you don't wanna serve a site, comment this out