element-hq · MadLittleMods · Jun 4, 2025 · May 7, 2025 · Jun 4, 2025 · Jun 4, 2025
@@ -0,0 +1 @@
+Propose CAP_NET_BIND_SERVICE instead running synapse with root. There are alternative ways to use low numbered ports besides root. Users might be misleaded thinking they should run synapse with root privileges.
@@ -5,10 +5,10 @@ It is recommended to put a reverse proxy such as
 [Apache](https://httpd.apache.org/docs/current/mod/mod_proxy_http.html),
 [Caddy](https://caddyserver.com/docs/quick-starts/reverse-proxy),
 [HAProxy](https://www.haproxy.org/) or
-[relayd](https://man.openbsd.org/relayd.8) in front of Synapse. One advantage
-of doing so is that it means that you can expose the default https port
-(443) to Matrix clients without needing to run Synapse with root
-privileges.
+[relayd](https://man.openbsd.org/relayd.8) in front of Synapse.
+This has the advantage of being able to expose the default HTTPS port (443) to Matrix
+clients without requiring Synapse to bind to a privileged port (port numbers less than
+1024), avoiding the need for `CAP_NET_BIND_SERVICE` or running as root.
 
 You should configure your reverse proxy to forward requests to `/_matrix` or
 `/_synapse/client` to Synapse, and have it set the `X-Forwarded-For` and
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Propose CAP_NET_BIND_SERVICE instead running synapse with root. There are alternative ways to use low numbered ports besides root. Users might be misleaded thinking they should run synapse with root privileges.
MadLittleMods marked this conversation as resolved. Outdated Show resolved Hide resolved