
I have a question regarding setting up an identity server. I already set up Matrix Synapse behind an nginx reverse proxy on one server and now I want to configure Sydent on another server.

On the matrix server I did the following:

I put into my homeserver.yaml file:

trusted_third_party_id_servers:
  - [FQDN of my identity server]

and for my nginx reverse proxy:

        location / {
                try_files $uri $uri/ =404;
        }

        location /_matrix/identity {
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_pass http://[FQDN of my identity server]:8090/_matrix/identity;
        }

        location /_matrix {
                proxy_pass http://localhost:8008/_matrix;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $remote_addr;
        }

I also edited the config file of Element:

"m.identity_server": {
    "base_url": "http://[FQDN of my identity server]"
}

Now for the sydent.conf file on my identity server, I am not really sure what to put.

For now it looks like this:

[DEFAULT]
server.name = 
log.path =
log.level = INFO
pidfile.path = sydent.pid
terms.path =
address_lookup_limit = 10000
enable_v1_associations = true
delete_tokens_on_bind = true
db.file = sydent.db
clientapi.http.bind_address = ::
clientapi.http.port = 8090
internalapi.http.bind_address = ::1
internalapi.http.port =
replication.https.certfile =
replication.https.cacert =
replication.https.bind_address = ::
replication.https.port = 4434
obey_x_forwarded_for = False
federation.verifycerts = True
verify_response_template =
client_http_base =
email.template = res/email.template
email.invite_template = res/invite.template
email.from = Sydent Validation <noreply@{hostname}>
email.subject = Your Validation Token
email.invite.subject = %(sender_display_name)s has invited you to chat
email.smtphost = localhost
email.smtpport = 25
email.smtpusername =
email.smtppassword =
email.hostname =
email.tlsmode = 0
email.third_party_invite_username_obfuscate_characters = 3
email.third_party_invite_domain_obfuscate_characters = 3
bodytemplate = Your code is {token}
username =
password =
ed25519.signingkey =

[general]
server.name = [FQDN of my identity server]

[db]

[http]

[email]
email.tlsmode = 0
email.template = res/email.template
email.smtppassword =
email.smtphost = localhost
email.default_web_client_location = https://app.element.io
email.from = Sydent Validation <noreply@{hostname}>
email.invite_template = res/invite.template
email.invite.subject = %(sender_display_name)s has invited you to chat
email.smtpusername =
email.smtpport = 25
email.subject = Your Validation Token
email.hostname =
email.third_party_invite_domain_obfuscate_characters = 3
email.third_party_invite_username_obfuscate_characters = 3

[sms]

[crypto]
ed25519.signingkey = [key]

When I start Sydent on the identity server I am able to connect to it (via port 8090) from the Matrix server. So this shouldn't be a problem of closed ports but rather a misconfiguration on one of the two servers?

If so, is there something I misconfigured or forgot to do?

1 Answer


In your nginx reverse proxy, you should write:

proxy_pass http://localhost:8090/_matrix/identity;

since there is no webserver serving port 8090 of your FQDN. Even if there was any, you do want to request the identity server locally.

Danial Behzadi
  • Thank you for the reply. My identity server is serving this port though. Although I can't seem to reach it if I request it locally. Is it necessary to set up HTTPS for the id server? – backsteincoding Jan 28 '21 at 07:40
  • You got the idea wrong. The `proxy_pass` should always use the local host, not the FQDN. If you can't access it locally on port 9080, there's something wrong with your idserver setup then. – Danial Behzadi Jan 29 '21 at 11:36
  • Ok, I agree. I am trying to use Sydent for the identity server. It looks like I need TLS in order for it to properly run. But I am not sure what the problem is. The only thing I have changed in the config file so far was to put the FQDN of my identity server for 'server.name' and at the private key and the cert file. But Sydent can't read the private key. I checked the permissions for the key but everything seems fine. – backsteincoding Jan 29 '21 at 14:37
  • No. You don't need TLS if Sydent is on the same machine as the Synapse. TLS is just for your nginx site, which proxies `/_matrix/identity/` through itself via a local HTTP connection. You never connect to Sydent directly from the Internet. It's always proxied via nginx. – Danial Behzadi Jan 30 '21 at 15:13
  • Ah ok. That explains a lot. I really got it wrong :|. Thank you for the help and the patience. It works now. – backsteincoding Feb 04 '21 at 15:00
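The setup the thread converges on (nginx terminates TLS and is the only thing that talks to Sydent, over plain HTTP on the local host) can be checked mechanically across the three files involved. The script below is an added example, not code from the question, the answer, or the Sydent project. It runs against constructed copies of the poster's original settings and of the settings the accepted advice implies; `id.example.org` and `matrix.example.org` are placeholder names, and it assumes nginx and Sydent share a host, as the answer does. It goes one step beyond the thread: once Sydent listens only on loopback, `obey_x_forwarded_for` can safely be turned on so rate limits and logs see the real client address rather than nginx's, whereas enabling it on a bind address reachable from outside would let anyone spoof that header.

```python
"""Consistency check for the nginx, Sydent and Element configs from the thread (constructed example)."""
import configparser
import ipaddress
import json
import re
from urllib.parse import urlparse

# Constructed inputs mirroring the thread. Placeholder hosts are assumptions,
# not the poster's real names: id.example.org stands in for the identity
# server's FQDN and matrix.example.org for the nginx site in front of Synapse.
ORIGINAL_NGINX = """
location / { try_files $uri $uri/ =404; }
location /_matrix/identity {
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_pass http://id.example.org:8090/_matrix/identity;
}
location /_matrix {
    proxy_pass http://localhost:8008/_matrix;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $remote_addr;
}
"""
# What the answer recommends: proxy to Sydent on the local host only.
FIXED_NGINX = ORIGINAL_NGINX.replace("http://id.example.org:8090", "http://localhost:8090")

ORIGINAL_SYDENT = """
[general]
server.name = id.example.org
[http]
clientapi.http.bind_address = ::
clientapi.http.port = 8090
obey_x_forwarded_for = False
"""
# Loopback bind so only nginx can reach Sydent; X-Forwarded-For is honoured
# only because nothing else can now inject that header.
FIXED_SYDENT = (ORIGINAL_SYDENT
                .replace("bind_address = ::", "bind_address = ::1")
                .replace("obey_x_forwarded_for = False", "obey_x_forwarded_for = True"))

ORIGINAL_ELEMENT = '{"m.identity_server": {"base_url": "http://id.example.org"}}'
FIXED_ELEMENT = '{"m.identity_server": {"base_url": "https://matrix.example.org"}}'

_LOCATION = re.compile(r"location\s+(\S+)\s*\{(.*?)\}", re.S)
_PROXY_PASS = re.compile(r"proxy_pass\s+(\S+?);")


def is_loopback(host: str) -> bool:
    """True for localhost, 127.0.0.0/8 and ::1 (nginx writes IPv6 literals as [::1])."""
    host = host.strip("[]")
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def parse_nginx_locations(text: str) -> dict:
    """Map each location path to its proxy_pass URL, or None if it has none."""
    out = {}
    for m in _LOCATION.finditer(text):
        pp = _PROXY_PASS.search(m.group(2))
        out[m.group(1)] = pp.group(1) if pp else None
    return out


def check_configs(nginx_conf: str, sydent_conf: str, element_conf: str) -> list:
    """Return a list of findings; an empty list means the three files agree."""
    findings = []
    for path, target in parse_nginx_locations(nginx_conf).items():
        if target is None or not path.startswith("/_matrix"):
            continue
        host = urlparse(target).hostname or ""
        if not is_loopback(host):
            findings.append(f"nginx: {path} proxies to {host}; proxy_pass should target localhost")

    cp = configparser.ConfigParser(interpolation=None)  # sydent.conf uses %(...)s in templates
    cp.read_string(sydent_conf)
    http = cp["http"]
    bind = http.get("clientapi.http.bind_address", "")
    obey = http.getboolean("obey_x_forwarded_for", fallback=False)
    if not is_loopback(bind):
        findings.append(f"sydent: clientapi.http.bind_address={bind!r} exposes Sydent beyond nginx; bind ::1")
        if obey:
            findings.append("sydent: obey_x_forwarded_for=True on a non-loopback bind lets clients spoof their IP")
    elif not obey:
        findings.append("sydent: behind nginx, set obey_x_forwarded_for = True so logs and limits see the real client")

    base_url = json.loads(element_conf)["m.identity_server"]["base_url"]
    url = urlparse(base_url)
    if url.scheme != "https" or url.port is not None:
        findings.append(f"element: base_url {base_url} should be the https nginx site, not Sydent's own port")
    return findings


if __name__ == "__main__":
    for label, args in (("original", (ORIGINAL_NGINX, ORIGINAL_SYDENT, ORIGINAL_ELEMENT)),
                        ("fixed", (FIXED_NGINX, FIXED_SYDENT, FIXED_ELEMENT))):
        print(label, check_configs(*args) or "OK")
```

Run as-is, the original set yields three findings (the FQDN in `proxy_pass`, the `::` bind address, and the plain-HTTP `base_url` in Element) and the fixed set yields none. The Element check encodes the answer's point that clients should reach `/_matrix/identity` through the TLS-terminating nginx site, never Sydent's own port.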