Setting up Conduit – A Few Clarifications

I had some spare cores on my Proxmox server and I decided that I wanted to self-host my own Matrix server again. When I went to the official matrix-synapse page, I found that a lot had changed and, unfortunately, their install instructions are quite complicated unless you have a deep understanding of their system.

So! I decided to put together my own little tutorial covering some of the hurdles that I ran into and what wasn't clear to me.

Installing was the easy part. You can easily follow the tutorial that Conduit has right here. Here are some of the hurdles I ran into:

Reverse Proxy is a Little Finicky

I am using a reverse proxy where I have one machine taking all the connections and sending the traffic to a cluster of machines that I have in the backend. The reverse proxy was not as easy as I thought it would be. I had decided to set mine up on port 8448 to receive the federated traffic while Conduit itself ran on port 6167. When I initially set up my server config (I am using NGINX) I had the first server config grab the traffic and send it directly to 6167. It did NOT like that.

Let's say the internal IP address of my DMZ server is 192.168.10.1 and the machine that Conduit is running on is 192.168.10.2. What I had to do was send the traffic from 192.168.10.1:8448 to 192.168.10.2:8448, and then the server config on 10.2 had to send it on to 6167. I tried a few different ways and this was the only one I got to work. Maybe it's my lack of experience?

Also! One of the other quirks of this program is that it doesn't like HTTP in any part of the flow. If you have your SSL certificates on the DMZ machine for 8448 and you're sending traffic to the internal 8448, Conduit expects there to be certificates there too, even if the traffic is already being encrypted at the DMZ and the internal server is not at risk. They can even be different certificates. They just have to be there. If you don't do this you'll get a message along the lines of "Received an HTTP request when it should have been HTTPS" even though the entry server is SSL secured.

Here are the NGINX config examples:

DMZ Server (192.168.10.1)

server {
    listen 8448 ssl;
    server_name WEBSITE.NAME;

    ssl_certificate /path/to/ssl/certificates/fullchain.pem;
    ssl_certificate_key /path/to/ssl/certificates/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;  # Ensure these protocols are enabled
    ssl_ciphers 'HIGH:!aNULL:!MD5';  # Use strong ciphers

    location / {
        # The internal hop also terminates TLS on 8448, so proxy to it over https.
        proxy_pass https://192.168.10.2:8448;  # Not real. Just used for example.
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}

Conduit Server (192.168.10.2)

server {
    listen 8448 ssl;
    listen [::]:8448 ssl;

    server_name WEBSITE.NAME;
    merge_slashes off;

    # Nginx defaults to only allow 1MB uploads
    # Increase this to allow posting large files such as videos
    client_max_body_size 20M;

    ssl_certificate /path/to/ssl/certificates/fullchain.pem;
    ssl_certificate_key /path/to/ssl/certificates/privkey.pem;

    location /_matrix/ {
        # Conduit itself listens on plain HTTP on 6167
        proxy_pass http://192.168.10.2:6167$request_uri;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_buffering off;
        proxy_read_timeout 5m;
    }
}
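The two hops are easy to get subtly wrong: a `listen` on 8448 without the `ssl` flag (the certificates are then configured but never used), a server block that is never closed, a directive missing its semicolon, or a front hop that proxies with `http://` to a back hop that listens with `ssl`. As an added example, not code from the post or from the Conduit project, here is a small Python lint that catches exactly those pitfalls on constructed copies of the two blocks. WEBSITE.NAME, the 192.168.10.x addresses and the certificate paths are placeholders, and the checks are regex-based rather than a full NGINX parser.

```python
"""Lint the two NGINX hops of the Conduit setup described above.

Added example, not Conduit's or the post's own code. The sample blocks are
constructed copies of the post's configs with the pitfalls left in deliberately;
WEBSITE.NAME, the 192.168.10.x addresses and the certificate paths are placeholders.
The checks are regex-based, not a full NGINX parser.
"""
import re

# Constructed: DMZ hop as first drafted -- certs configured but no `ssl` on listen,
# plain http:// towards a TLS back hop, and the server block never closed.
DMZ_AS_POSTED = """
server {
    listen 8448;
    server_name WEBSITE.NAME;
    ssl_certificate /path/to/ssl/certificates/fullchain.pem;
    ssl_certificate_key /path/to/ssl/certificates/privkey.pem;
    location / {
        proxy_pass http://192.168.10.2:8448;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
"""

# Constructed: Conduit-host hop, with the semicolon after server_name missing.
BACKEND_AS_POSTED = """
server {
    listen 8448 ssl;
    listen [::]:8448 ssl;
    server_name WEBSITE.NAME
    merge_slashes off;
    client_max_body_size 20M;
    ssl_certificate /path/to/ssl/certificates/fullchain.pem;
    ssl_certificate_key /path/to/ssl/certificates/privkey.pem;
    location /_matrix/ {
        proxy_pass http://192.168.10.2:6167$request_uri;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
"""

# The corrected copies differ only by the edits the checks below ask for.
DMZ_FIXED = (DMZ_AS_POSTED.replace("listen 8448;", "listen 8448 ssl;")
             .replace("proxy_pass http://", "proxy_pass https://") + "}\n")
BACKEND_FIXED = BACKEND_AS_POSTED.replace("WEBSITE.NAME\n", "WEBSITE.NAME;\n")


def _strip_comments(text: str) -> str:
    # NGINX comments run from '#' to the end of the line.
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def lint(config: str) -> list[str]:
    """Findings for one server block; an empty list means every check passed."""
    findings, text, depth = [], _strip_comments(config), 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif not line.endswith(";"):
            # nginx -t reports this as: directive is not terminated by ";"
            findings.append(f"line {lineno}: directive missing ';': {line}")
    if depth != 0:
        findings.append(f"braces unbalanced by {depth}: a server or location block is not closed")

    listens = re.findall(r"^\s*listen\s+([^;\n]*);", text, re.M)
    tls_listens = [l for l in listens if re.search(r"\bssl\b", l)]
    has_cert = re.search(r"^\s*ssl_certificate\s", text, re.M) is not None
    has_key = re.search(r"^\s*ssl_certificate_key\s", text, re.M) is not None
    if listens and not tls_listens:
        findings.append("listen has no 'ssl' flag: this hop serves plain HTTP and "
                        "the configured certificates are never used")
    if tls_listens and not (has_cert and has_key):
        findings.append("listen ... ssl without both ssl_certificate and ssl_certificate_key")
    return findings


def lint_chain(front: str, back: str) -> list[str]:
    """Cross-hop check: a port the back hop terminates TLS on must be reached over https://."""
    back_text, front_text = _strip_comments(back), _strip_comments(front)
    tls_ports = set(re.findall(
        r"^\s*listen\s+(?:[^;\n]*:)?(\d+)\s[^;\n]*\bssl\b[^;\n]*;", back_text, re.M))
    findings = []
    for scheme, port in re.findall(r"proxy_pass\s+(https?)://[^:;\s]+:(\d+)", front_text):
        if port in tls_ports and scheme != "https":
            findings.append(f"front hop proxies to :{port} over http, but the back hop "
                            "listens there with ssl and will reject the plain request")
    return findings


if __name__ == "__main__":
    print("DMZ as posted:", lint(DMZ_AS_POSTED) + lint_chain(DMZ_AS_POSTED, BACKEND_AS_POSTED))
    print("backend as posted:", lint(BACKEND_AS_POSTED))
    print("fixed:", lint(DMZ_FIXED) + lint(BACKEND_FIXED) + lint_chain(DMZ_FIXED, BACKEND_FIXED))
```

`lint` looks at one block on its own, while `lint_chain` is the check that needs both sides, since whether `proxy_pass http://...:8448` is a mistake depends on what the other machine does on 8448. Running `nginx -t` on each host still catches the syntax errors, but not the scheme mismatch between hosts.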

Getting Admin Privileges for your new Server

If you have used Matrix Synapse in the past, you are probably used to being able to generate an admin user right up front with the CLI. This is not possible with Conduit, and it took me a while (plus some help from the users over at #conduit:fachschaften.org) to get headed in the right direction.

Once you are certain your server is up and running and federation is working on 8448, you'll need to register an account with your new server first. This means going to a place where you can sign up for a server and going through the registration steps. I went to element.io, selected register, entered my own server's domain name, and then went through the registration process. You will need to give the registration code that you set up in conduit-example.toml, and once it's done registering, you will then need to log in with said username and password. Again, I used Element. Once you do that, the very first account that logs in will be granted admin rights and it will generate a room named @conduit: where you will be able to issue admin commands.
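Because the first account on the server is the one that gets admin, the registration code is what stands between a freshly federated server and whoever reaches its registration endpoint first. As an added example, not Conduit's code, the following Python models that gate: an in-memory stand-in for the homeserver implementing the `m.login.registration_token` stage of Matrix User-Interactive Authentication on `POST /_matrix/client/v3/register`, and the client side of the two-request flow that a client such as Element performs behind its registration form. The server name, the token and the usernames are constructed placeholders; password storage is omitted.

```python
"""Model of the registration-token exchange that decides who gets the first
(admin) account on a fresh Conduit server.

Added example, not Conduit's code: an in-memory stand-in for the homeserver that
implements the m.login.registration_token stage of Matrix User-Interactive Auth
on POST /_matrix/client/v3/register, plus the client side of the two-request
flow. Server name, token and usernames are constructed placeholders.
"""
import hmac
import secrets

SERVER_NAME = "example.org"                       # stands in for WEBSITE.NAME
REGISTRATION_TOKEN = "constructed-example-token"  # the real one lives in Conduit's config
TOKEN_STAGE = "m.login.registration_token"


class Homeserver:
    def __init__(self, server_name: str, registration_token: str):
        self.server_name = server_name
        self.registration_token = registration_token
        self.sessions: dict[str, set[str]] = {}  # UIAA session -> completed stages
        self.users: dict[str, dict] = {}         # user_id -> account record

    def _challenge(self, session: str, **error) -> tuple[int, dict]:
        # 401 listing the stages still required; the client resubmits with "auth".
        return 401, {"session": session, "flows": [{"stages": [TOKEN_STAGE]}],
                     "completed": sorted(self.sessions[session]), "params": {}, **error}

    def register(self, body: dict) -> tuple[int, dict]:
        """Handle one POST /_matrix/client/v3/register request (password storage omitted)."""
        auth = body.get("auth")
        if auth is None:
            session = secrets.token_urlsafe(16)
            self.sessions[session] = set()
            return self._challenge(session)
        session = auth.get("session")
        if session not in self.sessions:
            return 400, {"errcode": "M_UNKNOWN", "error": "unknown auth session"}
        if auth.get("type") == TOKEN_STAGE:
            # Constant-time comparison so a guessed token does not leak by timing.
            if not hmac.compare_digest(auth.get("token", ""), self.registration_token):
                return self._challenge(session, errcode="M_FORBIDDEN",
                                       error="invalid registration token")
            self.sessions[session].add(TOKEN_STAGE)
        if TOKEN_STAGE not in self.sessions[session]:
            return self._challenge(session)
        user_id = f"@{body['username']}:{self.server_name}"
        if user_id in self.users:
            return 400, {"errcode": "M_USER_IN_USE", "error": "user ID already taken"}
        # The server's first account gets admin, as the post describes; that is why
        # the token has to be in place before the server is reachable at all.
        self.users[user_id] = {"admin": not self.users}
        del self.sessions[session]
        return 200, {"user_id": user_id, "access_token": secrets.token_urlsafe(32),
                     "device_id": secrets.token_hex(4).upper()}


def register_with_token(hs: Homeserver, username: str, password: str, token: str):
    """Client side: the first request opens the UIAA session, the second completes the stage."""
    body = {"username": username, "password": password}
    status, resp = hs.register(body)
    if status == 401 and "session" in resp:
        body["auth"] = {"type": TOKEN_STAGE, "token": token, "session": resp["session"]}
        status, resp = hs.register(body)
    return status, resp


def run_scenario() -> dict:
    """Fresh server: a tokenless and a wrong-token attempt, then two valid sign-ups."""
    hs = Homeserver(SERVER_NAME, REGISTRATION_TOKEN)
    out = {"no_token": hs.register({"username": "mallory", "password": "x"})[0]}
    out["wrong_token"] = register_with_token(hs, "mallory", "x", "guess")[0]
    out["alice"] = register_with_token(hs, "alice", "correct horse", REGISTRATION_TOKEN)
    out["bob"] = register_with_token(hs, "bob", "battery staple", REGISTRATION_TOKEN)
    out["alice_again"] = register_with_token(hs, "alice", "correct horse", REGISTRATION_TOKEN)[0]
    out["users"] = hs.users
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The first request deliberately carries no `auth` and is answered with a 401 that names the required stage, which is the normal shape of the exchange, not an error; only the second request, carrying the token inside `auth`, creates the account. In the scenario the tokenless and wrong-token attempts create nothing, "alice" becomes the first account and so the admin, and "bob" is an ordinary user.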

And that's it!

I hope this helps anyone else who was stumbling over Conduit, and if this was obvious, well... then I have a lot more to learn.

© Jonathan Snyder. All Rights Reserved.