From 778c35f2bc975153ce5a52bd0cce9c7b53eea71e Mon Sep 17 00:00:00 2001
From: Sunil Mohan Adapa <sunil@medhas.org>
Date: Wed, 12 Nov 2025 20:30:45 -0800
Subject: [PATCH] matrixsynapse: Update apache config to proxy Synapse client
 API

- Use the recommended configuration from Matrix Synapse documentation.

  - Preserve Host: header.

  - Set the X-Forwarded-Proto header.

  - Don't decode encoded slashes in the URLs during proxying.

- Also proxy Synapse client API.

Tests:

- Web app at app.element.io is able to connect to a local server using browser.
Two client can chat with each other.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
---
 .../conf-available/matrix-synapse-plinth.conf | 29 ++++++++++++++-----
 1 file changed, 22 insertions(+), 7 deletions(-)

diff --git a/plinth/modules/matrixsynapse/data/usr/share/freedombox/etc/apache2/conf-available/matrix-synapse-plinth.conf b/plinth/modules/matrixsynapse/data/usr/share/freedombox/etc/apache2/conf-available/matrix-synapse-plinth.conf
index de4b878b5..4852e71bf 100644
--- a/plinth/modules/matrixsynapse/data/usr/share/freedombox/etc/apache2/conf-available/matrix-synapse-plinth.conf
+++ b/plinth/modules/matrixsynapse/data/usr/share/freedombox/etc/apache2/conf-available/matrix-synapse-plinth.conf
@@ -1,9 +1,24 @@
 ##
-## On all sites, provide Matrix Synapse on a default path: /_matrix. This is
-## only useful for clients to login without specifying a server port. This is
-## not useful for federation which requires SRV record or listening on port
-## 8448. Further, federation requires same TLS public key to be provided to
-## Apache and Matrix Synapse server.
+## On all sites, provide Matrix API on a default path: /_matrix and Synapse
+## Client API on path: /_synapse/client. This configuration as recommended at
+## https://element-hq.github.io/synapse/latest/reverse_proxy.html . This is
+## useful for clients to login without specifying a server port. This is not
+## useful for federation which requires SRV record or listening on port 8448.
+## Further, federation requires same TLS public key to be provided to Apache and
+## Matrix Synapse server.
 ##
-ProxyPass /_matrix http://localhost:8008/_matrix nocanon
-ProxyPassReverse /_matrix http://localhost:8008/_matrix
+AllowEncodedSlashes NoDecode
+
+<Location /_matrix>
+    RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
+    ProxyPreserveHost on
+    ProxyPass http://127.0.0.1:8008/_matrix nocanon
+    ProxyPassReverse http://127.0.0.1:8008/_matrix
+</Location>
+
+<Location /_synapse/client>
+    RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
+    ProxyPreserveHost on
+    ProxyPass http://127.0.0.1:8008/_synapse/client nocanon
+    ProxyPassReverse http://127.0.0.1:8008/_synapse/client
+</Location>