server { # TODO: once per IP and port you should add `reuseport`, if you don't have that in any other nginx config file, add it here by uncommenting the lines below and commenting the one after with `quic` but without `reuseport` #listen 443 quic reuseport; listen 443 quic; listen 443 ssl; # TODO: if you replaced the line above for port 443 and IPv4, you probably want to do the same for port 443 IPv6 by switching the two lines below #listen [::]:443 quic reuseport; listen [::]:443 quic; listen [::]:443 ssl; http2 on; http3 on; # TODO: add/remove services and their subdomains if you use/don't use them # this example is using hosting something on the base domain and an element web client, so example.com and element.example.com are listed in addition to matrix.example.com # if you don't use those, you can remove them # if you use e.g. dimension on dimension.example.com, add dimension.example.com to the server_name list server_name example.com matrix.example.com element.example.com; location / { # note: do not add a path (even a single /) after the port in `proxy_pass`, # otherwise, nginx will canonicalise the URI and cause signature verification # errors. proxy_pass http://localhost:81; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; access_log /var/log/nginx/matrix.access.log; error_log /var/log/nginx/matrix.error.log; # Nginx by default only allows file uploads up to 1M in size # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml client_max_body_size 50M; # required for browsers to direct them to quic port add_header Alt-Svc 'h3=":443"; ma=86400'; } # TODO: adapt the path to your ssl certificate for the domains listed on server_name ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot # TODO: adapt the path to your ssl certificate for the domains listed on server_name ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot } # settings for Matrix federation server { # For the federation port # TODO: once per IP and port you should add `reuseport`, if you don't have that in any other nginx config file, add it here by uncommenting the lines below and commenting the one after with `quic` but without `reuseport` #listen 8448 quic reuseport; listen 8448 quic; listen 8448 ssl default_server; # TODO: if you replaced the line above for port 8448 and IPv4, you probably want to do the same for port 8448 IPv6 by switching the two lines below #listen [::]:8448 quic reuseport; listen [::]:8448 quic; listen [::]:8448 ssl default_server; http2 on; http3 on; server_name matrix.example.com; location / { proxy_pass http://localhost:8449; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $host; access_log /var/log/nginx/matrix.access.log; error_log /var/log/nginx/matrix.error.log; # Nginx by default only allows file uploads up to 1M in size # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml client_max_body_size 50M; # required for browsers to direct them to quic port add_header Alt-Svc 'h3=":8448"; ma=86400'; } # TODO: adapt the path to your ssl certificate for the domains listed on server_name ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot # TODO: adapt the path to your ssl certificate for the domains listed on server_name ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot } # ensure using https # TODO: remove server blocks that you don't use / add server blocks for domains you do use server { if ($host = example.com) { return 301 https://$host$request_uri; } # managed by Certbot server_name example.com; listen 80; return 404; # managed by Certbot } server { if ($host = matrix.example.com) { return 301 https://$host$request_uri; } # managed by Certbot server_name matrix.example.com; listen 80; return 404; # managed by Certbot } server { if ($host = element.example.com) { return 301 https://$host$request_uri; } # managed by Certbot server_name element.example.com; listen 80; return 404; # managed by Certbot }