Deploying matrix-synapse with docker-compose and configuring an Apache reverse proxy
Isn't rocketchat enough?
Not quite, it turns out.
RC has two fairly big problems: users can't have custom emoji, and there are no voice calls.
In short, there is little hope of getting most of my friends to move over to rocketchat, so I have kept looking for alternatives; this time I tried deploying matrix.
The docs for docker deployment and reverse proxying are a bit messy, but since it lives on the same machine as RC I still wanted to deploy it with docker. I took quite a few detours, so here are the steps.
docker-compose.yml
Modified from the template provided in the docs:
# This compose file is compatible with Compose itself, it might need some
# adjustments to run properly with stack.

version: '3'

services:
  synapse:
    #build:
    #  context: ../..
    #  dockerfile: docker/Dockerfile
    image: docker.io/matrixdotorg/synapse:latest
    # Since synapse does not retry to connect to the database, restart upon
    # failure
    restart: unless-stopped
    # See the readme for a full documentation of the environment settings
    environment:
      - SYNAPSE_CONFIG_PATH=/data/homeserver.yaml
    volumes:
      # You may either store all the files in a local folder
      - ./data:/data
      # .. or you may split this between different storage points
      # - ./files:/data
      # - /path/to/ssd:/data/uploads
      # - /path/to/large_hdd:/data/media
    depends_on:
      - db
    # In order to expose Synapse, remove one of the following, you might for
    # instance expose the TLS port directly:
    ports:
      - 8008:8008
    # ... or use a reverse proxy, here is an example for traefik:
    #labels:
    #  # The following lines are valid for Traefik version 1.x:
    #  - traefik.enable=true
    #  - traefik.frontend.rule=Host:my.matrix.Host
    #  - traefik.port=8008
    #  # Alternatively, for Traefik version 2.0:
    #  - traefik.enable=true
    #  - traefik.http.routers.http-synapse.entryPoints=http
    #  - traefik.http.routers.http-synapse.rule=Host(`my.matrix.host`)
    #  - traefik.http.middlewares.https_redirect.redirectscheme.scheme=https
    #  - traefik.http.middlewares.https_redirect.redirectscheme.permanent=true
    #  - traefik.http.routers.http-synapse.middlewares=https_redirect
    #  - traefik.http.routers.https-synapse.entryPoints=https
    #  - traefik.http.routers.https-synapse.rule=Host(`my.matrix.host`)
    #  - traefik.http.routers.https-synapse.service=synapse
    #  - traefik.http.routers.https-synapse.tls=true
    #  - traefik.http.services.synapse.loadbalancer.server.port=8008
    #  - traefik.http.routers.https-synapse.tls.certResolver=le-ssl

  db:
    image: docker.io/postgres:12-alpine
    # Change that password, of course!
    environment:
      - POSTGRES_USER=synapse_user
      - POSTGRES_PASSWORD=xxxxxxxxxxx
      - POSTGRES_DB=synapse
      # ensure the database gets created correctly
      # https://matrix-org.github.io/synapse/latest/postgres.html#set-up-database
      - POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C --username=synapse_user
      - POSTGRES_HOST_AUTH_METHOD=md5
    volumes:
      # You may store the database tables in a local folder..
      - ./schemas:/var/lib/postgresql/data
      # .. or store them on some high performance storage for better results
      # - /path/to/ssd/storage:/var/lib/postgresql/data
First, comment out the build section. Since a reverse proxy will be configured later, the plain HTTP port is enough, so set ports to 8008; everything Traefik-related can be commented out as well.
For the database, you can set all the initialization parameters up front, which saves initializing the database by hand.
For the docker environment variables see the official Readme, which also covers the next step, generating the config file.
Creating the config file
Run docker-compose run --rm -e SYNAPSE_SERVER_NAME=matrix.stsecurity.moe -e SYNAPSE_REPORT_STATS=yes -e TZ=HK synapse generate
to generate the config file.
Then edit the generated homeserver.yaml and adjust public_baseurl, database, smtp, trusted_key_servers, url_preview_enabled and so on as needed.
public_baseurl must be set when smtp is enabled. trusted_key_servers can list other instances you know; if you keep the default, suppress_key_server_warning must be set to true.
database configuration:
database:
  name: psycopg2
  args:
    user: synapse_user
    password: xxxxxxxxxxx
    database: synapse
    host: matrix_db_1
    port: 5432
    cp_min: 5
    cp_max: 10
    keepalives_idle: 30
    keepalives_interval: 10
    keepalives_count: 3
Basically follow docker-compose.yml; host must be the name of the db container.
Once that is configured you can start it with docker-compose up -d, then check for errors with docker logs matrix_synapse_1.
Configuring the reverse proxy
The reverse proxy configuration is full of pitfalls, especially once SSL certificate renewal has to be taken into account.
If the domain needs to be shared with other services, you can configure Delegation; I have no such need, so I won't go into it.
I mostly followed the official docs and adapted from there.
My Apache configuration:
<VirtualHost *:443>
    SSLEngine on
    ServerName matrix.stsecurity.moe
    DocumentRoot /var/www/html/
    SSLCertificateFile /etc/apache2/ssl/matrixcert.cer
    SSLCertificateKeyFile /etc/apache2/ssl/matrixkey.key
    SSLCertificateChainFile /etc/apache2/ssl/matrixfullchain.cer
    SSLCACertificatePath /etc/apache2/ssl/
    SSLCACertificateFile /etc/apache2/ssl/matrixca.cer
    ErrorLog ${APACHE_LOG_DIR}/matrix-error.log
    CustomLog ${APACHE_LOG_DIR}/matrix-access.log combined

    Alias /.well-known/acme-challenge/ /var/www/html/.well-known/acme-challenge/

    RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
    AllowEncodedSlashes NoDecode
    ProxyPreserveHost on
    ProxyPass / http://localhost:8008/ nocanon
    ProxyPassReverse / http://localhost:8008/
    ProxyPass /_matrix http://localhost:8008/_matrix nocanon
    ProxyPassReverse /_matrix http://localhost:8008/_matrix
    ProxyPass /_synapse/client http://localhost:8008/_synapse/client nocanon
    ProxyPassReverse /_synapse/client http://localhost:8008/_synapse/client

    <Location />
    </Location>

    <Location /.well-known/acme-challenge/>
        ProxyPass !
        AllowOverride None
        Require all granted
    </Location>

    <IfModule security2_module>
        SecRuleEngine off
    </IfModule>
</VirtualHost>

Listen 8448
<VirtualHost *:8448>
    SSLEngine on
    ServerName matrix.stsecurity.moe
    SSLCertificateFile /etc/apache2/ssl/matrixcert.cer
    SSLCertificateKeyFile /etc/apache2/ssl/matrixkey.key
    SSLCertificateChainFile /etc/apache2/ssl/matrixfullchain.cer
    SSLCACertificatePath /etc/apache2/ssl/
    SSLCACertificateFile /etc/apache2/ssl/matrixca.cer

    RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
    AllowEncodedSlashes NoDecode
    ProxyPreserveHost on
    ProxyPass /_matrix http://localhost:8008/_matrix nocanon
    ProxyPassReverse /_matrix http://localhost:8008/_matrix

    ErrorLog ${APACHE_LOG_DIR}/matrixfed-error.log
    CustomLog ${APACHE_LOG_DIR}/matrixfed-access.log combined

    <IfModule security2_module>
        SecRuleEngine off
    </IfModule>
</VirtualHost>
There are probably some redundant settings in there; it is basically the official config stitched together with the config I wrote earlier for RC. Ugly as it is, at least it works.
Once configured, check it with the Matrix Federation Tester; visiting the main address directly should also show a page saying the server is running.
Creating a user
Finally, the last step: run docker exec -it matrix_synapse_1 register_new_matrix_user http://localhost:8008 -c /data/homeserver.yaml -u username -p xxxxxxxxxx -a
to create an admin user.
Once the user is created you can download a client and try logging in. It seems matrix.org is blocked in mainland China, which is really annoying.
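As a post-deployment check, here is an added Python script (not from this post or the Synapse project) that implements the checks described above against a reachable homeserver: the client API behind the 443 vhost, the federation key endpoint behind the 8448 vhost (the first thing the Federation Tester verifies), and, because the compose file publishes 8008 on every interface, that the plaintext port is not reachable from outside the box. It assumes the server name from the post and uses only the standard library; the JSON checks are separate functions so they can be exercised offline.

```python
import json
import socket
import ssl
import urllib.request

HOMESERVER = "matrix.stsecurity.moe"   # server name used in the post
CLIENT_PORT = 443                      # Apache vhost proxying the client API
FEDERATION_PORT = 8448                 # Apache vhost proxying /_matrix for federation

def parse_versions(body: bytes) -> list:
    """Client API check: /_matrix/client/versions must list supported spec versions."""
    data = json.loads(body)
    versions = data.get("versions")
    if not isinstance(versions, list) or not versions:
        raise ValueError("no 'versions' list in client API response")
    return versions

def parse_server_keys(body: bytes, expected_name: str) -> dict:
    """Federation check: /_matrix/key/v2/server must name this server and sign every key."""
    data = json.loads(body)
    if data.get("server_name") != expected_name:
        raise ValueError(f"server_name {data.get('server_name')!r} != {expected_name!r}")
    keys = data.get("verify_keys") or {}
    sigs = data.get("signatures", {}).get(expected_name) or {}
    unsigned = [k for k in keys if k not in sigs]
    if unsigned:
        raise ValueError(f"verify_keys without a signature: {unsigned}")
    return {"server_name": data["server_name"], "key_ids": sorted(keys)}

def fetch(host: str, port: int, path: str) -> bytes:
    """GET over TLS; a certificate error here means the chain/renewal in the vhost is wrong."""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(f"https://{host}:{port}{path}", context=ctx, timeout=10) as r:
        return r.read()

def plaintext_port_reachable(host: str, port: int = 8008) -> bool:
    """'8008:8008' in compose binds all interfaces; run this from another host, expect False."""
    try:
        with socket.create_connection((host, port), timeout=3):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    print("client versions:", parse_versions(fetch(HOMESERVER, CLIENT_PORT, "/_matrix/client/versions")))
    print("federation keys:", parse_server_keys(fetch(HOMESERVER, FEDERATION_PORT, "/_matrix/key/v2/server"), HOMESERVER))
    print("plaintext 8008 reachable from here:", plaintext_port_reachable(HOMESERVER))
```

If the last check prints True from outside the server, change the compose mapping to 127.0.0.1:8008:8008 so only the local Apache proxy can reach Synapse.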
References
Permalink: https://blog.stsecurity.moe/archives/240/
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
I set up a dedicated 3-core, 4 GB VPS just to try deploying it. The logs keep filling up with more warnings than I can read through, and the actual user experience is also pretty mediocre. It has been in development for several years now; at this pace the outlook is worrying!
I never really paid attention to the logs; since deploying matrix I haven't used anything other than voice calls. I just had a look and found frequent 404 errors for GET /notifications/hub, so there may indeed be something off.