# This is a sample file demonstrating how to set up reverse-proxy for matrix.DOMAIN

<VirtualHost *:80>
	ServerName matrix.DOMAIN

	ProxyVia On

	# Map /.well-known/acme-challenge to the certbot server
	# If you manage SSL certificates by yourself, this will differ.
	<Location /.well-known/acme-challenge>
		ProxyPreserveHost On
		ProxyPass http://127.0.0.1:2402/.well-known/acme-challenge
	</Location>

	Redirect permanent / https://matrix.DOMAIN/
</VirtualHost>

# Client-Server API
<VirtualHost *:443>
	ServerName matrix.DOMAIN

	SSLEngine On

	# If you manage SSL certificates by yourself, these paths will differ.
	SSLCertificateFile /matrix/ssl/config/live/matrix.DOMAIN/fullchain.pem
	SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem

	SSLProxyEngine on
	SSLProxyProtocol +TLSv1.2 +TLSv1.3
	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

	ProxyPreserveHost On
	ProxyRequests Off
	ProxyVia On
	RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}

	# Keep some URIs free for different proxy/location
	ProxyPassMatch ^/.well-known/matrix/client !
	ProxyPassMatch ^/.well-known/matrix/server !
	ProxyPassMatch ^/_matrix/identity !
	ProxyPassMatch ^/_matrix/client/r0/user_directory/search !

	# Proxy all remaining traffic to Synapse
	AllowEncodedSlashes NoDecode
	ProxyPass /_matrix http://127.0.0.1:8008/_matrix retry=0 nocanon
	ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix
	ProxyPass /_synapse/client http://127.0.0.1:8008/_synapse/client retry=0 nocanon
	ProxyPassReverse /_synapse/client http://127.0.0.1:8008/_synapse/client
	
	# Proxy Admin API (necessary for Synapse-Admin)
	# ProxyPass /_synapse/admin http://127.0.0.1:8008/_synapse/admin retry=0 nocanon
	# ProxyPassReverse /_synapse/admin http://127.0.0.1:8008/_synapse/admin
	
	# Proxy Synapse-Admin
	# ProxyPass /synapse-admin http://127.0.0.1:8766 retry=0 nocanon
	# ProxyPassReverse /synapse-admin http://127.0.0.1:8766

	# Map /.well-known/matrix/client for client discovery
	Alias /.well-known/matrix/client /matrix/static-files/.well-known/matrix/client
	<Files "/matrix/static-files/.well-known/matrix/client">
		Require all granted
	</Files>
	<Location "/.well-known/matrix/client">
		Header always set Content-Type "application/json"
		Header always set Access-Control-Allow-Origin "*"
	</Location>
	# Map /.well-known/matrix/server for server discovery
	Alias /.well-known/matrix/server /matrix/static-files/.well-known/matrix/server
	<Files "/matrix/static-files/.well-known/matrix/server">
		Require all granted
	</Files>
	<Location "/.well-known/matrix/server">
		Header always set Content-Type "application/json"
	</Location>
	<Directory /matrix/static-files/.well-known/matrix/>
		AllowOverride All
		# Apache 2.4:
		Require all granted
		# Or for Apache 2.2:
		#order allow,deny
	</Directory>

	# Map /_matrix/identity to the identity server
	<Location /_matrix/identity>
		ProxyPass http://127.0.0.1:8090/_matrix/identity nocanon
	</Location>

	# Map /_matrix/client/r0/user_directory/search to the identity server
	<Location /_matrix/client/r0/user_directory/search>
		ProxyPass http://127.0.0.1:8090/_matrix/client/r0/user_directory/search nocanon
	</Location>

	ErrorLog ${APACHE_LOG_DIR}/matrix.DOMAIN-error.log
	CustomLog ${APACHE_LOG_DIR}/matrix.DOMAIN-access.log combined
</VirtualHost>

# Server-Server (federation) API
# Use this apache reverse proxy template to enable matrix server-to-server federation traffic
# Be sure that network traffic on port 8448 is possible
#
# You can check your federation config at https://federationtester.matrix.org/
# Enter there your base DOMAIN address, NOT your matrix.DOMAIN address, ex. https://DOMAIN
#
# In this example we use all services on the same machine (127.0.0.1) but you can do this with different machines.
# If you do so be sure to reach the destinated IPADRESS and the correspondending port. Check this with netstat, nmap or your favourite tool.
Listen 8448
<VirtualHost *:8448>
	ServerName matrix.DOMAIN

	SSLEngine On

	# If you manage SSL certificates by yourself, these paths will differ.
	SSLCertificateFile /matrix/ssl/config/live/matrix.DOMAIN/fullchain.pem
	SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem

	SSLProxyEngine on
	SSLProxyProtocol +TLSv1.2 +TLSv1.3
	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

	ProxyPreserveHost On
	ProxyRequests Off
	ProxyVia On
	RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}

	# Proxy all remaining traffic to the Synapse port
	# Beware: In this example the local traffic goes to the local synapse server at 127.0.0.1
	# Of course you can use another IPADRESS in case of using other synapse servers in your network
	AllowEncodedSlashes NoDecode
	ProxyPass /_matrix http://127.0.0.1:8048/_matrix retry=0 nocanon
	ProxyPassReverse /_matrix http://127.0.0.1:8048/_matrix

	ErrorLog ${APACHE_LOG_DIR}/matrix.DOMAIN-error.log
	CustomLog ${APACHE_LOG_DIR}/matrix.DOMAIN-access.log combined
</VirtualHost>