Propose CAP_NET_BIND_SERVICE instead of running Synapse with root (#18408)
There are alternative ways to use low numbered ports besides root. Users might be misled into thinking they should run Synapse with root privileges.
1
changelog.d/18408.doc
Normal file
@@ -0,0 +1 @@
|
|||||||
|
Mention `CAP_NET_BIND_SERVICE` as an alternative to running Synapse as root in order to bind to a privileged port.
|
||||||
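Review bot: the changelog entry says the docs now present `CAP_NET_BIND_SERVICE` as an alternative to running as root, but the accompanying docs hunk only names the capability in passing and never says how it is granted to the Synapse process, so the changelog promises more than the docs deliver. Either extend the docs with a short pointer on applying it (for example via `AmbientCapabilities=CAP_NET_BIND_SERVICE` in a systemd service unit, which scopes the capability to that service rather than to every process), or narrow this entry to something like "Mention `CAP_NET_BIND_SERVICE` as an alternative to running Synapse as root when binding to a privileged port" only once the docs actually explain it.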
@@ -5,10 +5,10 @@ It is recommended to put a reverse proxy such as
|
|||||||
[Apache](https://httpd.apache.org/docs/current/mod/mod_proxy_http.html),
|
[Apache](https://httpd.apache.org/docs/current/mod/mod_proxy_http.html),
|
||||||
[Caddy](https://caddyserver.com/docs/quick-starts/reverse-proxy),
|
[Caddy](https://caddyserver.com/docs/quick-starts/reverse-proxy),
|
||||||
[HAProxy](https://www.haproxy.org/) or
|
[HAProxy](https://www.haproxy.org/) or
|
||||||
[relayd](https://man.openbsd.org/relayd.8) in front of Synapse. One advantage
|
[relayd](https://man.openbsd.org/relayd.8) in front of Synapse.
|
||||||
of doing so is that it means that you can expose the default https port
|
This has the advantage of being able to expose the default HTTPS port (443) to Matrix
|
||||||
(443) to Matrix clients without needing to run Synapse with root
|
clients without requiring Synapse to bind to a privileged port (port numbers less than
|
||||||
privileges.
|
1024), avoiding the need for `CAP_NET_BIND_SERVICE` or running as root.
|
||||||
|
|
||||||
You should configure your reverse proxy to forward requests to `/_matrix` or
|
You should configure your reverse proxy to forward requests to `/_matrix` or
|
||||||
`/_synapse/client` to Synapse, and have it set the `X-Forwarded-For` and
|
`/_synapse/client` to Synapse, and have it set the `X-Forwarded-For` and
|
||||||
|
|||||||
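Review bot: the rewritten sentence introduces `CAP_NET_BIND_SERVICE` with no definition or link, so a reader who lands on this page learns that an alternative to root exists but not what it is or how to apply it, which undercuts the stated motivation of steering users away from root. Suggest a parenthetical along the lines of "(a Linux capability that permits binding to privileged ports without full root privileges, see capabilities(7))" or a link to wherever the capability is documented for the service. Two smaller points on the same lines: "This has the advantage of being able to expose the default HTTPS port (443)" has a dangling subject, "Doing so lets you expose the default HTTPS port (443) to Matrix clients" reads more cleanly; and "port numbers less than 1024" is the Linux default rather than a fixed rule (it is tunable through `net.ipv4.ip_unprivileged_port_start`), so "by default, port numbers less than 1024" would be more accurate.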