- Replace “esko@esko.bar” with desired email address for Let's Encrypt notifications.
- Replace “esko.bar” with your domain.
_matrix._tcp.esko.bar SRV 10 0 8448 matrix.esko.bar.matrix.esko.bar A 165.227.138.149
ssh root@matrix.esko.bar
dpkg-reconfigure --priority=low unattended-upgrades
apt update && apt -y upgrade
reboot
ssh root@matrix.esko.barapt install -y nginxStart this now to save time, or use the alternative quicker way.
tmux
openssl dhparam -out /etc/nginx/dhparam.pem 4096- Press Control–B + C to create and open new virtual terminal.
- Press Control–B + D to detach from Tmux and return to shell.
- Run
tmux ato reattach to Tmux.
https://security.stackexchange.com/a/95184
openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096apt-add-repository -y https://matrix.org/packages/debian/
wget https://matrix.org/packages/debian/repo-key.asc -O matrix-repo-key.asc
apt-key add - < matrix-repo-key.ascapt update
apt install -y matrix-synapse- Enter server name: esko.bar
- Decide about sending usage data.
synapse_registration_shared_secret=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
sed -i'' "s/^\(# registration_shared_secret: <PRIVATE STRING>\)$/\1\nregistration_shared_secret: \"${synapse_registration_shared_secret}\"/" /etc/matrix-synapse/homeserver.yaml
synapse_public_baseurl="https://matrix.esko.bar/"
sed -i'' "s%^\(# public_baseurl: https:\/\/example.com:8448\/\)$%\1\npublic_baseurl: \"${synapse_public_baseurl}\"%" /etc/matrix-synapse/homeserver.yaml
sed -i'' "s%^\(allow_guest_access: \)False$%\1True%" /etc/matrix-synapse/homeserver.yaml
vim /etc/matrix-synapse/homeserver.yamlSet bind_addresses: ['127.0.0.1'] and x_forwarded: true for port 8008 in homeserver.yaml.
sed -i'' "s%^\(url_preview_enabled: \)False$%\1True%" /etc/matrix-synapse/homeserver.yamlSet blacklist for url_preview using suggestion in comments.
ufw allow ssh/tcp
ufw allow 8448/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw enable
ufw statusapt-add-repository -y ppa:certbot/certbot
apt update
apt install -y python-certbot-nginxrm /etc/nginx/sites-enabled/defaultAdd matrix.esko.bar.conf to /etc/nginx/conf.d
server {
server_name chat.nubits.com;
listen 80;
listen [::]:80;
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
}
server {
server_name chat.nubits.com;
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx >= 1.3.7
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Content-Type-Options nosniff;
#add_header X-Frame-Options DENY;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
location /_matrix {
proxy_pass http://localhost:8008;
proxy_set_header X-Forwarded-For $remote_addr;
}
}apt install -y nginx-extrasAdd to Nginx configuration:
server_tokens off;
more_clear_headers 'Server';
more_clear_headers 'X-Powered-By';
nginx -tsystemctl enable nginx
systemctl start nginxcertbot -n --nginx --agree-tos --no-eff-email --rsa-key-size 4096 --redirect --email esko@esko.bar -d matrix.esko.barcrontab -eInsert:
15 3 * * * /usr/bin/certbot renew --quiet
sudo systemctl enable matrix-synapse.service
sudo systemctl start matrix-synapse.serviceregister_new_matrix_user -c /etc/matrix-synapse/homeserver.yaml https://localhostcurl https://matrix.esko.bar/_matrix/key/v2/server/autohttps://matrix.org/federationtester/api/report?server_name=esko.bar