matrix.org: more secure reverse proxy

howto/matrix-element/README.md

@@ -346,10 +346,18 @@ server {
         try_files /matrix.html /matrix.html;
     }
 
-    location /_matrix {
+    location ~ ^(/_matrix|/_synapse/client) {
         proxy_pass http://127.0.0.1:8008;
         proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $host;
+
+        # Nginx by default only allows file uploads up to 1M in size
+        # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+        client_max_body_size 50M;
     }
+    # Synapse responses may be chunked, which is an HTTP/1.1 feature.
+    proxy_http_version 1.1;
 }
 EOF
 
@@ -358,6 +366,8 @@ certbot certonly -n --keep --agree-tos --email ${matrix_email} --webroot -w /var
 service nginx reload
 ```
 
+src https://matrix-org.github.io/synapse/latest/reverse_proxy.html
+
 ### use reverse proxy server (nginx) as the endpoint for federation
 
 you need to specify where is the federation port, by default seems to be looking for the 8448 matrix server port, to override it, add this (with your matrix URL):