Improve NGINX reverse proxy setup instructions #971
No reviewers
nex
Labels
No labels
Bug
Cherry-picking
Database
Dependencies
Dependencies/Renovate
Difficulty
Easy
Difficulty
Hard
Difficulty
Medium
Documentation
Enhancement
Good first issue
Help wanted
Inherited
Matrix/Administration
Matrix/Appservices
Matrix/Auth
Matrix/Client
Matrix/Core
Matrix/Federation
Matrix/Hydra
Matrix/MSC
Matrix/Media
Meta
Meta/CI
Meta/Packaging
Priority
Blocking
Priority
High
Priority
Low
Security
Status/Blocked
Status
Confirmed
Status
Duplicate
Status
Invalid
Status
Needs Investigation
To-Merge
Wont fix
old/ci/cd
old/rust
No project
No assignees
5 participants
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
continuwuation/continuwuity!971
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "Anagastes/continuwuity:main"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Added NGINX example with Unix sockets. Helpful for newbies. I've struggled with this a lot, so here's to everyone now. :)
@Anagastes Are you planning to iterate on this further? If not we can review and propose merge once the WIP status is removed :)
WIP: docs/deploying/generic.md changedto WIP: Improve NGINX reverse proxy setup instructionsAh, I see. Yes, the process wasn't entirely clear yet :D
I'll do one last check and then remove the WIP.@nex wrote in #971 (comment):
No worries! I'm currently working on improving the issue/PR flows so they'll be clearer in future ^.^
WIP: Improve NGINX reverse proxy setup instructionsto Improve NGINX reverse proxy setup instructions7bbea1a88f11a61d214e11a61d214e4169f69e6b4169f69e6bfa638c7951fa638c7951e3f9fe2f34d3fbbade64869c044059869c044059333c029f84Going to merge this now, if you were going to add LK docs (looking at the reverted commit a few weeks ago) probably worth opening a followup PR
noticed a couple things on a final-pass look over
@ -168,0 +172,4 @@Please note that your NGINX must have access to the socket.In most cases, this is the **www-data** group. For consistency reasons, we change the systemd service.Something like this perhaps? nitpicking if anything
or just 'For the best security and performance, you can use Unix sockets with NGINX. Alternatively, you can use normal TCP proxying'
@ -168,0 +203,4 @@# Synapse-Server responses may be chunked, which is an HTTP/1.1 feature.proxy_http_version 1.1;}```The default value is 20M, perhaps the nginx config should reflect that?
Also we're not synapse, so the comment is off
@ -174,0 +216,4 @@- `proxy_pass http://127.0.0.1:6167$request_uri;`- `proxy_pass http://127.0.0.1:6167;`Maybe you will check your conf bevor.bevor -> before?
Actually maybe this should just be rephrased to
Make sure that your IP and port match that on which continuwuity is listening. Check your configuration if you aren't sure.@ -168,0 +176,4 @@```User=conduwuitGroup=www-data```General clarity here.
Also, I'm not convinced making nginx and continuwuity share a group is a good idea, since the database is also group-readable, and this inherently increases the attack surface since now nginx will have the ability to completely read the database of continuwuity. Perhaps using something like
ExecStartPost=to change the permissions of the socket itself to be more permissive (world writable? unsure what the implications on that are) is the more secure option that seems in-scope.World-writable would have effectively the same security profile as network sockets AFAIK. I'm sure there's a better permissions-based solution
@ -174,0 +198,4 @@}location ~ ^(/|/_matrix|/_conduwuit) {Haven't used nginx in a hot minute, but shouldn't this be inside the server block?
View command line instructions
Checkout
From your project repository, check out a new branch and test the changes.