Add support for reverse-proxying /_synapse/oidc

This broke in 63a49bb2dc.

Proxying the OpenID Connect endpoints is now possible,
but needs to be enabled explicitly now.

Supersedes #702 (Github Pull Request).

This patch builds up on the idea from that Pull Request,
but does things in a cleaner way.
This commit is contained in:
Slavi Pantaleev 2020-11-02 11:10:03 +02:00
parent 5c91e56898
commit ef68d3d296
3 changed files with 21 additions and 2 deletions

View file

@ -23,3 +23,12 @@ matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses:
- 8.8.8.8
- 1.1.1.1
```
## Synapse + OpenID Connect for Single-Sign-On
If you want to use OpenID Connect as an SSO provider (as per the [Synapse OpenID docs](https://github.com/matrix-org/synapse/blob/develop/docs/openid.md)), you need to use the following configuration (in your `vars.yml` file) to instruct nginx to forward `/_synapse/oidc` to Synapse:
```yaml
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled: true
```

View file

@ -21,3 +21,8 @@ Alternatively, **if there is no pre-defined variable** for a Synapse setting you
## Synapse Admin
Certain Synapse administration tasks (managing users and rooms, etc.) can be performed via a web user-interace, if you install [Synapse Admin](configuring-playbook-synapse-admin.md).
## Synapse + OpenID Connect for Single-Sign-On
If you'd like to use OpenID Connect authentication with Synapse, you'll need some additional reverse-proxy configuration (see [our nginx reverse-proxy doc page](configuring-playbook-nginx.md#synapse-openid-connect-for-single-sign-on)).

View file

@ -150,10 +150,13 @@ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:8008"
matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 50
# Tells wheter `/_synapse/client` is forwarded to the Matrix Client API server.
# Tells whether `/_synapse/client` is forwarded to the Matrix Client API server.
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled: true
# Tells wheter `/_synapse/admin` is forwarded to the Matrix Client API server.
# Tells whether `/_synapse/oidc` is forwarded to the Matrix Client API server.
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled: false
# Tells whether `/_synapse/admin` is forwarded to the Matrix Client API server.
# Following these recommendations (https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md), by default, we don't.
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: false
@ -166,6 +169,8 @@ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes: |
+
(['/_synapse/client'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled else [])
+
(['/_synapse/oidc'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled else [])
+
(['/_synapse/admin'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled else [])
}}