74 lines
3.0 KiB
YAML
74 lines
3.0 KiB
YAML
# ACME support: This will configure Synapse to request a valid TLS certificate
|
|
# for your configured `server_name` via Let's Encrypt.
|
|
#
|
|
# Note that ACME v1 is now deprecated, and Synapse currently doesn't support
|
|
# ACME v2. This means that this feature currently won't work with installs set
|
|
# up after November 2019. For more info, and alternative solutions, see
|
|
# https://github.com/matrix-org/synapse/blob/master/docs/ACME.md#deprecation-of-acme-v1
|
|
#
|
|
# Note that provisioning a certificate in this way requires port 80 to be
|
|
# routed to Synapse so that it can complete the http-01 ACME challenge.
|
|
# By default, if you enable ACME support, Synapse will attempt to listen on
|
|
# port 80 for incoming http-01 challenges - however, this will likely fail
|
|
# with 'Permission denied' or a similar error.
|
|
#
|
|
# There are a couple of potential solutions to this:
|
|
#
|
|
# * If you already have an Apache, Nginx, or similar listening on port 80,
|
|
# you can configure Synapse to use an alternate port, and have your web
|
|
# server forward the requests. For example, assuming you set 'port: 8009'
|
|
# below, on Apache, you would write:
|
|
#
|
|
# ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge
|
|
#
|
|
# * Alternatively, you can use something like `authbind` to give Synapse
|
|
# permission to listen on port 80.
|
|
#
|
|
acme:
|
|
# ACME support is disabled by default. Set this to `true` and uncomment
|
|
# tls_certificate_path and tls_private_key_path above to enable it.
|
|
#
|
|
enabled: false
|
|
|
|
# Endpoint to use to request certificates. If you only want to test,
|
|
# use Let's Encrypt's staging url:
|
|
# https://acme-staging.api.letsencrypt.org/directory
|
|
#
|
|
#url: https://acme-v01.api.letsencrypt.org/directory
|
|
|
|
# Port number to listen on for the HTTP-01 challenge. Change this if
|
|
# you are forwarding connections through Apache/Nginx/etc.
|
|
#
|
|
port: 80
|
|
|
|
# Local addresses to listen on for incoming connections.
|
|
# Again, you may want to change this if you are forwarding connections
|
|
# through Apache/Nginx/etc.
|
|
#
|
|
bind_addresses: ['::', '0.0.0.0']
|
|
|
|
# How many days remaining on a certificate before it is renewed.
|
|
#
|
|
reprovision_threshold: 30
|
|
|
|
# The domain that the certificate should be for. Normally this
|
|
# should be the same as your Matrix domain (i.e., 'server_name'), but,
|
|
# by putting a file at 'https://<server_name>/.well-known/matrix/server',
|
|
# you can delegate incoming traffic to another server. If you do that,
|
|
# you should give the target of the delegation here.
|
|
#
|
|
# For example: if your 'server_name' is 'example.com', but
|
|
# 'https://example.com/.well-known/matrix/server' delegates to
|
|
# 'matrix.example.com', you should put 'matrix.example.com' here.
|
|
#
|
|
# If not set, defaults to your 'server_name'.
|
|
#
|
|
domain: matrix.example.com
|
|
|
|
# file to use for the account key. This will be generated if it doesn't
|
|
# exist.
|
|
#
|
|
# If unspecified, we will use CONFDIR/client.key.
|
|
#
|
|
account_key_file: /etc/matrix/synapse/acme_account.key
|