repo: https://github.com/matrix-org/dendrite
Here we will use docker to deploy dendrite with s3 storage
Project structure
❯ tree -L 3 . ├── compose.yaml ├── config │ ├── dendrite.yaml │ ├── matrix_key.pem ├── media-repo │ └── data │ └── media-repo.yaml └── postgresql.conf
1. Create compose file
sample
compose.yaml
代码: 全选
services:
postgres:
hostname: postgres
image: postgres:15-alpine
restart: always
container_name: dendrite_matrix_db
command: ["postgres", "-c", "config_file=/etc/postgresql.conf"]
volumes:
- ./postgresql:/var/lib/postgresql/data
- ./postgresql.conf:/etc/postgresql.conf
environment:
POSTGRES_HOST_AUTH_METHOD: "trust"
healthcheck:
test: ["CMD-SHELL", "pg_isready -U postgres"]
interval: 5s
timeout: 5s
retries: 5
networks:
- internal
- dendrite_network
monolith:
hostname: monolith
image: matrixdotorg/dendrite-monolith:latest
container_name: dendrite_matrix_server
ports:
- 127.0.0.1:18008:8008
volumes:
- ./config:/etc/dendrite
- ./media:/var/dendrite/media
depends_on:
- postgres
- media_repo
networks:
- internal
- dendrite_network
restart: unless-stopped
# External media API for S3 storage
media_repo:
hostname: media_repo
image: turt2live/matrix-media-repo:latest
restart: always
container_name: dendrite_matrix_media_repo
depends_on:
- postgres
ports:
- "127.0.0.1:10803:8000"
volumes:
- ./media-repo/data:/data
networks:
- dendrite_network
networks:
internal:
attachable: true
dendrite_network:
postgresql.conf using PGTUNE2. Prepare database
launch postgresql database
代码: 全选
docker compose up postgres -d代码: 全选
docker exec -it dendrite_matrix_db sh代码: 全选
su postgres代码: 全选
# dendrite database
createuser -P dendrite
createdb -O dendrite -E UTF-8 dendrite
# matrix-media-repo database
createuser -P mediarepo
createdb -O mediarepo -E UTF-8 mediarepo
代码: 全选
exit
exit
docker compose down
3. Prepare dendrite monolith configuration
generate
matrix_key.pem
代码: 全选
docker run --rm --entrypoint="" \
-v $(pwd):/mnt \
matrixdotorg/dendrite-monolith:latest \
/usr/bin/generate-keys \
-private-key /mnt/matrix_key.pem
代码: 全选
mkdir config
matrix_key.pem to the config folder
代码: 全选
mv matrix_key.pem config/
dendrite.yamlreplace dendrite.qqs.tw with your server name
代码: 全选
# vim config/dendrite.yaml
# This is the Dendrite configuration file.
#
# The configuration is split up into sections - each Dendrite component has a
# configuration section, in addition to the "global" section which applies to
# all components.
# The version of the configuration file.
version: 2
# Global Matrix configuration. This configuration applies to all components.
global:
# The domain name of this homeserver.
server_name: dendrite.qqs.tw
# The path to the signing private key file, used to sign requests and events.
# Note that this is NOT the same private key as used for TLS! To generate a
# signing key, use "./bin/generate-keys --private-key matrix_key.pem".
private_key: matrix_key.pem
# The paths and expiry timestamps (as a UNIX timestamp in millisecond precision)
# to old signing keys that were formerly in use on this domain name. These
# keys will not be used for federation request or event signing, but will be
# provided to any other homeserver that asks when trying to verify old events.
old_private_keys:
# If the old private key file is available:
# - private_key: old_matrix_key.pem
# expired_at: 1601024554498
# If only the public key (in base64 format) and key ID are known:
# - public_key: mn59Kxfdq9VziYHSBzI7+EDPDcBS2Xl7jeUdiiQcOnM=
# key_id: ed25519:mykeyid
# expired_at: 1601024554498
# How long a remote server can cache our server signing key before requesting it
# again. Increasing this number will reduce the number of requests made by other
# servers for our key but increases the period that a compromised key will be
# considered valid by other homeservers.
key_validity_period: 168h0m0s
# Global database connection pool, for PostgreSQL monolith deployments only. If
# this section is populated then you can omit the "database" blocks in all other
# sections. For monolith deployments using SQLite databases,
# you must configure the "database" block for each component instead.
database:
connection_string: postgresql://dendrite:dendrite@postgres/dendrite?sslmode=disable
max_open_conns: 90
max_idle_conns: 5
conn_max_lifetime: -1
# Configuration for in-memory caches. Caches can often improve performance by
# keeping frequently accessed items (like events, identifiers etc.) in memory
# rather than having to read them from the database.
cache:
# The estimated maximum size for the global cache in bytes, or in terabytes,
# gigabytes, megabytes or kilobytes when the appropriate 'tb', 'gb', 'mb' or
# 'kb' suffix is specified. Note that this is not a hard limit, nor is it a
# memory limit for the entire process. A cache that is too small may ultimately
# provide little or no benefit.
max_size_estimated: 1gb
# The maximum amount of time that a cache entry can live for in memory before
# it will be evicted and/or refreshed from the database. Lower values result in
# easier admission of new cache entries but may also increase database load in
# comparison to higher values, so adjust conservatively. Higher values may make
# it harder for new items to make it into the cache, e.g. if new rooms suddenly
# become popular.
max_age: 1h
# The server name to delegate server-server communications to, with optional port
# e.g. localhost:443
well_known_server_name: ""
# The server name to delegate client-server communications to, with optional port
# e.g. localhost:443
well_known_client_name: ""
# Lists of domains that the server will trust as identity servers to verify third
# party identifiers such as phone numbers and email addresses.
trusted_third_party_id_servers:
- matrix.org
- vector.im
# Disables federation. Dendrite will not be able to communicate with other servers
# in the Matrix federation and the federation API will not be exposed.
disable_federation: false
# Configures the handling of presence events. Inbound controls whether we receive
# presence events from other servers, outbound controls whether we send presence
# events for our local users to other servers.
presence:
enable_inbound: false
enable_outbound: false
# Configures phone-home statistics reporting. These statistics contain the server
# name, number of active users and some information on your deployment config.
# We use this information to understand how Dendrite is being used in the wild.
report_stats:
enabled: false
endpoint: https://panopticon.matrix.org/push
# Server notices allows server admins to send messages to all users on the server.
server_notices:
enabled: false
# The local part, display name and avatar URL (as a mxc:// URL) for the user that
# will send the server notices. These are visible to all users on the deployment.
local_part: "_server"
display_name: "Server Alerts"
avatar_url: ""
# The room name to be used when sending server notices. This room name will
# appear in user clients.
room_name: "Server Alerts"
# Configuration for NATS JetStream
jetstream:
# A list of NATS Server addresses to connect to. If none are specified, an
# internal NATS server will be started automatically when running Dendrite in
# monolith mode.
addresses:
# - localhost:4222
# Disable the validation of TLS certificates of NATS. This is
# not recommended in production since it may allow NATS traffic
# to be sent to an insecure endpoint.
disable_tls_validation: false
# Persistent directory to store JetStream streams in. This directory should be
# preserved across Dendrite restarts.
storage_path: ./
# The prefix to use for stream names for this homeserver - really only useful
# if you are running more than one Dendrite server on the same NATS deployment.
topic_prefix: Dendrite
# Configuration for Prometheus metric collection.
metrics:
enabled: false
basic_auth:
username: metrics
password: metrics
# Optional DNS cache. The DNS cache may reduce the load on DNS servers if there
# is no local caching resolver available for use.
dns_cache:
enabled: true
cache_size: 256
cache_lifetime: "5m" # 5 minutes; https://pkg.go.dev/time@master#ParseDuration
# Configuration for the Appservice API.
app_service_api:
# Disable the validation of TLS certificates of appservices. This is
# not recommended in production since it may allow appservice traffic
# to be sent to an insecure endpoint.
disable_tls_validation: false
# Appservice configuration files to load into this homeserver.
config_files:
# - /path/to/appservice_registration.yaml
# Configuration for the Client API.
client_api:
# Prevents new users from being able to register on this homeserver, except when
# using the registration shared secret below.
registration_disabled: true
# Prevents new guest accounts from being created. Guest registration is also
# disabled implicitly by setting 'registration_disabled' above.
guests_disabled: true
# If set, allows registration by anyone who knows the shared secret, regardless
# of whether registration is otherwise disabled.
registration_shared_secret: ""
# Whether to require reCAPTCHA for registration. If you have enabled registration
# then this is HIGHLY RECOMMENDED to reduce the risk of your homeserver being used
# for coordinated spam attacks.
enable_registration_captcha: false
# Settings for ReCAPTCHA.
recaptcha_public_key: ""
recaptcha_private_key: ""
recaptcha_bypass_secret: ""
# To use hcaptcha.com instead of ReCAPTCHA, set the following parameters, otherwise just keep them empty.
# recaptcha_siteverify_api: "https://hcaptcha.com/siteverify"
# recaptcha_api_js_url: "https://js.hcaptcha.com/1/api.js"
# recaptcha_form_field: "h-captcha-response"
# recaptcha_sitekey_class: "h-captcha"
# TURN server information that this homeserver should send to clients.
turn:
turn_user_lifetime: "5m"
turn_uris:
# - turn:turn.server.org?transport=udp
# - turn:turn.server.org?transport=tcp
turn_shared_secret: ""
# If your TURN server requires static credentials, then you will need to enter
# them here instead of supplying a shared secret. Note that these credentials
# will be visible to clients!
# turn_username: ""
# turn_password: ""
# Settings for rate-limited endpoints. Rate limiting kicks in after the threshold
# number of "slots" have been taken by requests from a specific host. Each "slot"
# will be released after the cooloff time in milliseconds. Server administrators
# and appservice users are exempt from rate limiting by default.
rate_limiting:
enabled: true
threshold: 20
cooloff_ms: 500
exempt_user_ids:
# - "@user:domain.com"
# Configuration for the Federation API.
federation_api:
# How many times we will try to resend a failed transaction to a specific server. The
# backoff is 2**x seconds, so 1 = 2 seconds, 2 = 4 seconds, 3 = 8 seconds etc. Once
# the max retries are exceeded, Dendrite will no longer try to send transactions to
# that server until it comes back to life and connects to us again.
send_max_retries: 16
# Disable the validation of TLS certificates of remote federated homeservers. Do not
# enable this option in production as it presents a security risk!
disable_tls_validation: false
# Disable HTTP keepalives, which also prevents connection reuse. Dendrite will typically
# keep HTTP connections open to remote hosts for 5 minutes as they can be reused much
# more quickly than opening new connections each time. Disabling keepalives will close
# HTTP connections immediately after a successful request but may result in more CPU and
# memory being used on TLS handshakes for each new connection instead.
disable_http_keepalives: false
# Perspective keyservers to use as a backup when direct key fetches fail. This may
# be required to satisfy key requests for servers that are no longer online when
# joining some rooms.
key_perspectives:
- server_name: matrix.org
keys:
- key_id: ed25519:auto
public_key: Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw
- key_id: ed25519:a_RXGa
public_key: l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ
# This option will control whether Dendrite will prefer to look up keys directly
# or whether it should try perspective servers first, using direct fetches as a
# last resort.
prefer_direct_fetch: false
# Configuration for the Media API.
media_api:
# Storage path for uploaded media. May be relative or absolute.
base_path: ./media_store
# The maximum allowed file size (in bytes) for media uploads to this homeserver
# (0 = unlimited). If using a reverse proxy, ensure it allows requests at least
#this large (e.g. the client_max_body_size setting in nginx).
max_file_size_bytes: 104857600
# Whether to dynamically generate thumbnails if needed.
dynamic_thumbnails: false
# The maximum number of simultaneous thumbnail generators to run.
max_thumbnail_generators: 10
# A list of thumbnail sizes to be generated for media content.
thumbnail_sizes:
- width: 32
height: 32
method: crop
- width: 96
height: 96
method: crop
- width: 640
height: 480
method: scale
# Configuration for enabling experimental MSCs on this homeserver.
mscs:
mscs:
# - msc2836 # (Threading, see https://github.com/matrix-org/matrix-doc/pull/2836)
# - msc2946 # (Spaces Summary, see https://github.com/matrix-org/matrix-doc/pull/2946)
# Configuration for the Sync API.
sync_api:
# This option controls which HTTP header to inspect to find the real remote IP
# address of the client. This is likely required if Dendrite is running behind
# a reverse proxy server.
real_ip_header: X-Real-IP
# Configuration for the full-text search engine.
search:
# Whether or not search is enabled.
enabled: true
# The path where the search index will be created in.
index_path: "./searchindex"
# The language most likely to be used on the server - used when indexing, to
# ensure the returned results match expectations. A full list of possible languages
# can be found at https://github.com/blevesearch/bleve/tree/master/analysis/lang
language: "en"
# Configuration for the User API.
user_api:
# The cost when hashing passwords on registration/login. Default: 10. Min: 4, Max: 31
# See https://pkg.go.dev/golang.org/x/crypto/bcrypt for more information.
# Setting this lower makes registration/login consume less CPU resources at the cost
# of security should the database be compromised. Setting this higher makes registration/login
# consume more CPU resources but makes it harder to brute force password hashes. This value
# can be lowered if performing tests or on embedded Dendrite instances (e.g WASM builds).
bcrypt_cost: 10
# The length of time that a token issued for a relying party from
# /_matrix/client/r0/user/{userId}/openid/request_token endpoint
# is considered to be valid in milliseconds.
# The default lifetime is 3600000ms (60 minutes).
# openid_token_lifetime_ms: 3600000
# Users who register on this homeserver will automatically be joined to the rooms listed under "auto_join_rooms" option.
# By default, any room aliases included in this list will be created as a publicly joinable room
# when the first user registers for the homeserver. If the room already exists,
# make certain it is a publicly joinable room, i.e. the join rule of the room must be set to 'public'.
# As Spaces are just rooms under the hood, Space aliases may also be used.
auto_join_rooms:
# - "#main:matrix.org"
# Configuration for Opentracing.
# See https://github.com/matrix-org/dendrite/tree/master/docs/tracing for information on
# how this works and how to set it up.
tracing:
enabled: false
jaeger:
serviceName: ""
disabled: false
rpc_metrics: false
tags: []
sampler: null
reporter: null
headers: null
baggage_restrictions: null
throttler: null
# Logging configuration. The "std" logging type controls the logs being sent to
# stdout. The "file" logging type controls logs being written to a log folder on
# the disk. Supported log levels are "debug", "info", "warn", "error".
logging:
- type: std
level: info
- type: file
level: info
params:
path: ./logs
4. Create matrix-media-repo configuration file
create media-repo folder
代码: 全选
mkdir -p media-repo/data/代码: 全选
# vim media-repo/data/media-repo.yaml
# General repo configuration
repo:
bindAddress: '0.0.0.0'
port: 8000
# The database configuration for the media repository
# Do NOT put your homeserver's existing database credentials here. Create a new database and
# user instead. Using the same server is fine, just not the same username and database.
database:
# Currently only "postgres" is supported.
postgres: "postgresql://mediarepo:mediarepo@postgres/mediarepo?sslmode=disable"
# The configuration for the homeservers this media repository is known to control. Servers
# not listed here will not be able to upload media.
homeservers:
- name: 'dendrite.qqs.tw' # This should match the server_name of your homeserver, and the Host header
# provided to the media repo.
csApi: "http://monolith:8008" # The base URL to where the homeserver can actually be reached
# These users have full access to the administrative functions of the media repository.
# See docs/admin.md for information on what these people can do. They must belong to one of the
# configured homeservers above.
admins:
- "@xxxxxx:xxxxxxx"
# Datastores are places where media should be persisted. This isn't dedicated for just uploads:
# thumbnails and other misc data is also stored in these places. The media repo, when looking
# for a datastore to use, will always use the smallest datastore first.
datastores:
- type: s3
enabled: true # Enable this to set up s3 uploads
forKinds: ["thumbnails", "remote_media", "local_media", "archives"]
opts:
# The s3 uploader needs a temporary location to buffer files to reduce memory usage on
# small file uploads. If the file size is unknown, the file is written to this location
# before being uploaded to s3 (then the file is deleted). If you aren't concerned about
# memory usage, set this to an empty string.
tempPath: "/tmp/mediarepo_s3_upload"
endpoint: xxxxxxxxxxxxxxxxxx
accessKeyId: "xxxxxxxxxxxxxxxxxxxxxxx"
accessSecret: "xxxxxxxxxxxxxxxxxxxxxx"
ssl: true
bucketName: "xxxxxxxxxxxxxxxxx"
# An optional region for where this S3 endpoint is located. Typically not needed, though
# some providers will need this (like Scaleway). Uncomment to use.
region: "xxxxxxxxxxxxxx"
# An optional storage class for tuning how the media is stored at s3.
# See https://aws.amazon.com/s3/storage-classes/ for details; uncomment to use.
#storageClass: STANDARD
# Options for controlling archives. Archives are exports of a particular user's content for
# the purpose of GDPR or moving media to a different server.
archiving:
# Whether archiving is enabled or not. Default enabled.
enabled: true
# If true, users can request a copy of their own data. By default, only repository administrators
# can request a copy.
# This includes the ability for homeserver admins to request a copy of their own server's
# data, as known to the repo.
selfService: false
# The number of bytes to target per archive before breaking up the files. This is independent
# of any file upload limits and will require a similar amount of memory when performing an export.
# The file size is also a target, not a guarantee - it is possible to have files that are smaller
# or larger than the target. This is recommended to be approximately double the size of your
# file upload limit, provided there is enough memory available for the demand of exporting.
targetBytesPerPart: 209715200 # 200mb default
# The file upload settings for the media repository
uploads:
# The maximum individual file size a user can upload.
maxBytes: 104857600 # 100MB default, 0 to disable
# The minimum number of bytes to let people upload. This is recommended to be non-zero to
# ensure that the "cost" of running the media repo is worthwhile - small file uploads tend
# to waste more CPU and database resources than small files, thus a default of 100 bytes
# is applied here as an approximate break-even point.
minBytes: 100 # 100 bytes by default
# Settings related to downloading files from the media repository
downloads:
# The maximum number of bytes to download from other servers
maxBytes: 104857600 # 100MB default, 0 to disable
# The number of workers to use when downloading remote media. Raise this number if remote
# media is downloading slowly or timing out.
#
# Maximum memory usage = numWorkers multiplied by the maximum download size
# Average memory usage is dependent on how many concurrent downloads your users are doing.
numWorkers: 10
# How long, in minutes, to cache errors related to downloading remote media. Once this time
# has passed, the media is able to be re-requested.
failureCacheMinutes: 5
# How many days after a piece of remote content is downloaded before it expires. It can be
# re-downloaded on demand, this just helps free up space in your datastore. Set to zero or
# negative to disable. Defaults to disabled.
expireAfterDays: 91
# The default size, in bytes, to return for range requests on media. Range requests are used
# by clients when they only need part of a file, such as a video or audio element. Note that
# the entire file will still be cached (if enabled), but only part of it will be returned.
# If the client requests a larger or smaller range, that will be honoured.
defaultRangeChunkSizeBytes: 10485760 # 10MB default
# URL Preview settings
urlPreviews:
enabled: true # If enabled, the preview_url routes will be accessible
maxPageSizeBytes: 10485760 # 10MB default, 0 to disable
# If true, the media repository will try to provide previews for URLs with invalid or unsafe
# certificates. If false (the default), the media repo will fail requests to said URLs.
previewUnsafeCertificates: false
# Note: URL previews are limited to a given number of words, which are then limited to a number
# of characters, taking off the last word if it needs to. This also applies for the title.
numWords: 50 # The number of words to include in a preview (maximum)
maxLength: 200 # The maximum number of characters for a description
numTitleWords: 30 # The maximum number of words to include in a preview's title
maxTitleLength: 150 # The maximum number of characters for a title
# The mime types to preview when OpenGraph previews cannot be rendered. OpenGraph previews are
# calculated on anything matching "text/*". To have a thumbnail in the preview the URL must be
# an image and the image's type must be allowed by the thumbnailer.
filePreviewTypes:
- "image/*"
# The number of workers to use when generating url previews. Raise this number if url
# previews are slow or timing out.
#
# Maximum memory usage = numWorkers multiplied by the maximum page size
# Average memory usage is dependent on how many concurrent urls your users are previewing.
numWorkers: 10
# Either allowedNetworks or disallowedNetworks must be provided. If both are provided, they
# will be merged. URL previews will be disabled if neither is supplied. Each entry must be
# a CIDR range.
disallowedNetworks:
- "127.0.0.1/8"
- "10.0.0.0/8"
- "172.16.0.0/12"
- "192.168.0.0/16"
- "100.64.0.0/10"
- "169.254.0.0/16"
- '::1/128'
- 'fe80::/64'
- 'fc00::/7'
allowedNetworks:
- "0.0.0.0/0" # "Everything". The blacklist will help limit this.
# This is the default value for this field.
# How many days after a preview is generated before it expires and is deleted. The preview
# can be regenerated safely - this just helps free up some space in your database. Set to
# zero or negative to disable. Defaults to disabled.
expireAfterDays: 91
# Defaults to disabled.
oEmbed: false
# The thumbnail configuration for the media repository.
thumbnails:
# The maximum number of bytes an image can be before the thumbnailer refuses.
maxSourceBytes: 10485760 # 10MB default, 0 to disable
# The maximum number of pixels an image can have before the thumbnailer refuses. Note that
# this only applies to image types: file types like audio and video are affected solely by
# the maxSourceBytes.
maxPixels: 32000000 # 32M default
# The number of workers to use when generating thumbnails. Raise this number if thumbnails
# are slow to generate or timing out.
#
# Maximum memory usage = numWorkers multiplied by the maximum image source size
# Average memory usage is dependent on how many thumbnails are being generated by your users
numWorkers: 100
# All thumbnails are generated into one of the sizes listed here. The first size is used as
# the default for when no width or height is requested. The media repository will return
# either an exact match or the next largest size of thumbnail.
sizes:
- width: 32
height: 32
- width: 96
height: 96
- width: 320
height: 240
- width: 640
height: 480
- width: 768 # This size is primarily used for audio thumbnailing.
height: 240
- width: 800
height: 600
# To allow for thumbnails to be any size, not just in the sizes specified above, set this to
# true (default false). When enabled, whatever size requested by the client will be generated
# up to a maximum of the largest possible dimensions in the `sizes` list. For best results,
# specify only one size in the `sizes` list when this option is enabled.
dynamicSizing: false
# The content types to thumbnail when requested. Types that are not supported by the media repo
# will not be thumbnailed (adding application/json here won't work). Clients may still not request
# thumbnails for these types - this won't make clients automatically thumbnail these file types.
types:
- "image/jpeg"
- "image/jpg"
- "image/png"
- "image/apng"
- "image/gif"
- "image/heif"
- "image/webp"
#- "image/svg+xml" # Be sure to have ImageMagick installed to thumbnail SVG files
- "audio/mpeg"
- "audio/ogg"
- "audio/wav"
- "audio/flac"
#- "video/mp4" # Be sure to have ffmpeg installed to thumbnail video files
# Animated thumbnails can be CPU intensive to generate. To disable the generation of animated
# thumbnails, set this to false. If disabled, regular thumbnails will be returned.
allowAnimated: true
# Default to animated thumbnails, if available
defaultAnimated: false
# The maximum file size to thumbnail when a capable animated thumbnail is requested. If the image
# is larger than this, the thumbnail will be generated as a static image.
maxAnimateSizeBytes: 10485760 # 10MB default, 0 to disable
# On a scale of 0 (start of animation) to 1 (end of animation), where should the thumbnailer try
# and thumbnail animated content? Defaults to 0.5 (middle of animation).
stillFrame: 0.5
# How many days after a thumbnail is generated before it expires and is deleted. The thumbnail
# can be regenerated safely - this just helps free up some space in your datastores. Set to
# zero or negative to disable. Defaults to disabled.
expireAfterDays: 91
# Identicons are generated avatars for a given username. Some clients use these to give users a
# default avatar after signing up. Identicons are not part of the official matrix spec, therefore
# this feature is completely optional.
identicons:
enabled: true
5. Prepare nginx configuration file
代码: 全选
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
upstream monolith {
server 127.0.0.1:18008 fail_timeout=0;
}
upstream dendrite_media_repo {
server 127.0.0.1:10803 fail_timeout=0;
}
server {
listen 80;
listen [::]:80;
server_name xxxxxxxxxxx;
location /.well-known/acme-challenge/ { allow all; }
location / { return 301 https://$host$request_uri; }
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name xxxxxxxxxxx;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/nginx/dhparam
ssl_dhparam /etc/nginx/dhparam;
# Uncomment these lines once you acquire a certificate:
ssl_certificate /etc/nginx/ssl/xxxxxxxxxxx.cert.pem;
ssl_certificate_key /etc/nginx/ssl/xxxxxxxxxxx.key.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/ssl/xxxxxxxxxxx.cert.pem;
resolver 127.0.0.1 1.1.1.1;
keepalive_timeout 70;
sendfile on;
client_max_body_size 100m;
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
add_header Strict-Transport-Security "max-age=31536000";
## well-known
location /.well-known/matrix/server {
# Allow access from *
add_header Access-Control-Allow-Origin '*';
return 200 '{ "m.server": "xxxxxxxxxxx:443" }';
}
location /.well-known/matrix/client {
# Allow access from *
add_header Access-Control-Allow-Origin '*';
return 200 '{ "m.homeserver": { "base_url": "https://xxxxxxxxxxx/" } }';
}
## Matrix reverse proxy
## Matrix HomeServer
location ~* ^(\/_matrix|\/_synapse\/client) {
proxy_pass http://monolith;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size 100M;
proxy_http_version 1.1;
}
## Matrix Media API
location ^~ /_matrix/media {
proxy_read_timeout 60s;
# Make sure this matches your homeserver in media-repo.yaml
# You may have to manually specify it if using delegation or the
# incoming Host doesn't match.
proxy_set_header Host xxxxxxxxxxx;
if ($request_method = OPTIONS) {
add_header "Access-Control-Allow-Origin" *;
add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS";
add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept";
return 200;
}
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_pass http://dendrite_media_repo; # Point this towards media-repo
}
}
6. launch the server
test if there are some errors occur
代码: 全选
docker compose upCTRL+C, then
代码: 全选
docker compose up -d