Running synapse without nginx #47

Open
opened 2025-05-23 16:45:32 +00:00 by mac-chaffee · 4 comments
Owner

Hello, I'm new to the coop-cloud ecosystem but was surprised to see this recipe includes an nginx container by default.

Looking at [`nginx.conf.tmpl`](https://git.coopcloud.tech/coop-cloud/matrix-synapse/src/branch/main/nginx.conf.tmpl), it seems like the nginx container does the following:

  1. Sets `client_max_body_size=50M`
  2. Serves the files `.well-known/matrix/server` and `.well-known/matrix/client` which are used for [delegation](https://element-hq.github.io/synapse/latest/delegate.html)

Number 1 can be implemented with `traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=50000000`: https://doc.traefik.io/traefik/middlewares/http/buffering/

~~And number 2 only seems to be required in some edge cases. Sounds like you only need to serve those `.well-known` files if 1) synapse is hosted on a subdomain, 2) your coop-cloud server is hosted on the root domain, and 3) you want usernames to reference the root domain and not the subdomain.~~ EDIT: Using a different `server_name` hasn't been supported since the `.well-known` files nginx serves are never served from a different domain.

If any of those three things are untrue, then it seems like the nginx container wouldn't be necessary. Is that common enough to be the default rather than in a separate `compose.delegation.yaml` file?

Or if we don't want to change the defaults, should we add a `compose.no-nginx.yaml` file which uses [`!reset`](https://docs.docker.com/reference/compose-file/merge/#reset-value) to remove the nginx service and sets the required labels to send traffic directly to synapse?

Interested in your thoughts!

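The `.well-known` files in point 2 are small JSON documents, and the EDIT above makes the point that the recipe only ever serves them from the homeserver's own hostname, so they never actually redirect federation or clients anywhere else. The checker below is an added example (not code from the recipe or from anyone in this thread): it validates the two bodies against the Matrix server/client discovery format and reports whether `m.server` really points at a different host than the one serving the file. The sample bodies and the hostname `matrix.example.com` are constructed for the example.

```python
"""Validate Matrix delegation documents and tell whether they delegate at all.

Added example; not part of the coop-cloud matrix-synapse recipe.
"""
import json
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

# Per the Matrix server discovery spec, "m.server" is "<hostname>[:<port>]";
# the hostname may be a DNS name or an IP literal (IPv6 inside brackets).
_SERVER_RE = re.compile(
    r"^(?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+)(?::(?P<port>\d{1,5}))?$"
)


@dataclass
class DelegationReport:
    ok: bool = True
    server_target: Optional[str] = None    # validated "m.server" value, if any
    client_base_url: Optional[str] = None  # validated "m.homeserver.base_url", if any
    delegates: bool = False                # m.server names a host other than serving_host
    errors: List[str] = field(default_factory=list)


def _load(doc: Optional[str], which: str, report: DelegationReport) -> Optional[dict]:
    """Parse one well-known body; None means the file is not served at all."""
    if doc is None:
        return None
    try:
        parsed = json.loads(doc)
    except ValueError:
        report.errors.append(f"{which}: body is not valid JSON")
        return None
    if not isinstance(parsed, dict):
        report.errors.append(f"{which}: top level must be a JSON object")
        return None
    return parsed


def check_delegation(serving_host: str,
                     server_doc: Optional[str],
                     client_doc: Optional[str]) -> DelegationReport:
    """Validate /.well-known/matrix/server and /client bodies fetched from
    serving_host. A missing server file is legal (federation falls back to
    SRV records / port 8448), so None there is not an error."""
    report = DelegationReport()

    server = _load(server_doc, "server", report)
    if server is not None:
        value = server.get("m.server")
        m = _SERVER_RE.match(value) if isinstance(value, str) else None
        port = int(m.group("port")) if m and m.group("port") else None
        if m is None:
            report.errors.append("server: m.server must be '<hostname>[:<port>]'")
        elif port is not None and not 1 <= port <= 65535:
            report.errors.append(f"server: port {port} out of range")
        else:
            report.server_target = value
            # Same host as the one serving the file means the document is a no-op.
            report.delegates = m.group("host").lower() != serving_host.lower()

    client = _load(client_doc, "client", report)
    if client is not None:
        hs = client.get("m.homeserver")
        base = hs.get("base_url") if isinstance(hs, dict) else None
        parts = urlsplit(base) if isinstance(base, str) else None
        if parts is None or parts.scheme != "https" or not parts.netloc:
            report.errors.append("client: m.homeserver.base_url must be an https:// URL")
        else:
            report.client_base_url = base

    report.ok = not report.errors
    return report


# Constructed sample bodies for a homeserver reachable at matrix.example.com
# (hostname is an assumption for the example, not taken from the recipe).
SAMPLE_SERVER = '{"m.server": "matrix.example.com:443"}'
SAMPLE_CLIENT = '{"m.homeserver": {"base_url": "https://matrix.example.com"}}'

if __name__ == "__main__":
    print(check_delegation("matrix.example.com", SAMPLE_SERVER, SAMPLE_CLIENT))
```

Run against the sample, `delegates` comes back `False`: the files are well-formed but point back at the host that served them, which is exactly the situation in which nothing is lost by not serving them. Feeding the same server body as if it had been fetched from `example.com` flips `delegates` to `True`, which is the only case where a delegation file earns its keep.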
Owner

hey @mac-chaffee, you're most welcome and thanks for opening this issue! I originally implemented this without nginx but ended up including it because of "privacy" (https://git.coopcloud.tech/coop-cloud/matrix-synapse/issues/38). I would totally support the no-nginx version config (let's see if it complicates things tho) but it would be nice to have this warning about the IP tracking.

Author
Owner

Hmm I did see that issue and was confused. All coop-cloud instances use traefik, right? Traefik indeed seems to send the `x-forwarded-for` header to backends by default, so if you can't make synapse stop saving those IPs, then that would be a problem. But I think we can tell traefik to stop setting that header like this:

```yaml
# empty value: remove the header from the request before it reaches the backend
- "traefik.http.middlewares.remove-xff.headers.customrequestheaders.X-Forwarded-For="
# attach the middleware to the stack's router
- "traefik.http.routers.${STACK_NAME}.middlewares=remove-xff"
```

There was some confusion online about whether this was possible, but seems like it should work as of traefik v2.10: https://github.com/traefik/traefik/pull/10132

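Putting the pieces from the opening post and the comment above together, a `compose.no-nginx.yaml` overlay could look like the following. This is an added example, not a file from the recipe or from anyone in this thread, and it rests on several assumptions: the synapse service is named `app` and listens on 8008; the nginx service is named `nginx`; the recipe uses swarm-style `deploy.labels` with the usual coop-cloud `${STACK_NAME}`, `${DOMAIN}` and `${LETS_ENCRYPT_ENV}` variables and a `web-secure` entrypoint; and abra merges overlay files with Compose `!reset` semantics, so that `nginx: !reset null` drops the service (untested here).

```yaml
# compose.no-nginx.yaml (hypothetical overlay; added example, not recipe code)
version: "3.8"

services:
  # Remove the nginx service from the base compose.yml (assumes Compose
  # `!reset` merge semantics are honoured by abra).
  nginx: !reset null

  app:
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
        # Route straight to synapse's client listener instead of nginx.
        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8008"
        # 1. Replaces nginx client_max_body_size=50M (50 MiB in bytes).
        - "traefik.http.middlewares.${STACK_NAME}-limit.buffering.maxRequestBodyBytes=52428800"
        # 2. Replaces what nginx was kept for in #38: do not hand the client IP
        #    to synapse. Traefik sets both headers by default; synapse only
        #    reads X-Forwarded-For, but strip both so no copy of the IP arrives.
        - "traefik.http.middlewares.${STACK_NAME}-remove-xff.headers.customrequestheaders.X-Forwarded-For="
        - "traefik.http.middlewares.${STACK_NAME}-remove-xff.headers.customrequestheaders.X-Real-Ip="
        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-limit,${STACK_NAME}-remove-xff"
```

Two consequences to check before shipping this: the buffering middleware reads the whole request body before forwarding it, so `maxRequestBodyBytes` should be kept in step with synapse's `max_upload_size`, and large media uploads will be spooled by Traefik rather than streamed; and once the forwarded headers are gone, synapse sees Traefik's address for every request, so its per-IP rate limits and the `user_ips` records all collapse onto that one address. The second point is the privacy property #38 wanted, but it also means per-IP login and registration limits no longer distinguish clients.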
Author
Owner

Checking the dates on #38 and that v2.10 PR, I see that the feature was super new, maybe not even released yet. So I guess only now do we possibly have the powers to remove nginx, but we didn't back then!

Owner

@mac-chaffee nice detective work! If you wanna brave the effort which can maintain functionality without nginx, be my guest! I imagine it might even be backwards compatible with existing deployments if you manage to do it well? You'd need to test it quite a bit tho. I don't maintain a synapse install anymore but I imagine other maintainers might have something to say here or could lend a hand. I'm not sure who that is atm but maybe the `git log` will show you and you can ping them.

Reference: coop-cloud/matrix-synapse#47