Untitled

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name matrix.harpocrates.club;

    access_log /var/log/nginx/nginx.matrix.harpocrates.club.access.log;
    error_log /var/log/nginx/nginx.matrix.harpocrates.club.error.log;

    location / {
      root   /var/www/matrix.harpocrates.club/html;
      index  index.html;
    }

    ssl_certificate /etc/letsencrypt/live/harpocrates.club/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/harpocrates.club/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites
    ssl_dhparam /etc/ssl/certs/dhparams.pem;

    # Enable server-side protection against BEAST attacks
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

    # Enable OCSP stapling (http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox)
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/letsencrypt/live/harpocrates.club/fullchain.pem;

    # Required for LE certificate enrollment using certbot
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/html;
    }

    # Dendrite
    proxy_set_header Host      $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_read_timeout         600;

    location /.well-known/matrix/server {
        return 200 '{ "m.server": "matrix.harpocrates.club:443" }';
    }

    location /.well-known/matrix/client {
        return 200 '{ "m.homeserver": { "base_url": "https://matrix.harpocrates.club" } }';
    }

    location /_matrix {
        proxy_pass https://localhost:8448;
        #proxy_set_header X-Forwarded-For $remote_addr;
    }
}


Ports locally:
drpaneas@debian-s-1vcpu-1gb-fra1-01:/etc/nginx/sites-available$ sudo lsof -i:8008
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dendrite- 21301 root   17u  IPv6 222175      0t0  TCP *:8008 (LISTEN)
drpaneas@debian-s-1vcpu-1gb-fra1-01:/etc/nginx/sites-available$ sudo lsof -i:8448
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dendrite- 21301 root   16u  IPv6 222173      0t0  TCP *:8448 (LISTEN)


Firewall:
$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
4444/tcp                   LIMIT IN    Anywhere
80,443/tcp (Nginx Full)    ALLOW IN    Anywhere
8448/tcp                   ALLOW IN    Anywhere                   # Dendrite with SSL
8008/tcp                   ALLOW IN    Anywhere                   # Dendrite without SSL
4444/tcp (v6)              LIMIT IN    Anywhere (v6)
80,443/tcp (Nginx Full (v6)) ALLOW IN    Anywhere (v6)
8448/tcp (v6)              ALLOW IN    Anywhere (v6)              # Dendrite with SSL
8008/tcp (v6)              ALLOW IN    Anywhere (v6)              # Dendrite without SSL


Monolith.logs:
$ sudo tail -f /var/log/dendrite/Monolith.log
time="2021-01-04T16:53:42.007654330Z" level=info msg="Enabled perspective key fetcher" func=github.com/matrix-org/dendrite/signingkeyserver.NewInternalAPI file="github.com/matrix-org/dendrite/signingkeyserver/signingkeyserver.go:103" num_public_keys=2 server_name=matrix.org
time="2021-01-04T16:53:42.409032016Z" level=info msg="Starting external Monolith listener on :8008" func="github.com/matrix-org/dendrite/setup.(*BaseDendrite).SetupAndServeHTTP.func2" file="github.com/matrix-org/dendrite/setup/base.go:344"
time="2021-01-04T17:17:38.724164175Z" level=info msg="Dendrite version 0.3.4+05324b68" func=github.com/matrix-org/dendrite/setup.NewBaseDendrite file="github.com/matrix-org/dendrite/setup/base.go:102"
time="2021-01-04T17:17:38.769834726Z" level=info msg="Enabled perspective key fetcher" func=github.com/matrix-org/dendrite/signingkeyserver.NewInternalAPI file="github.com/matrix-org/dendrite/signingkeyserver/signingkeyserver.go:103" num_public_keys=2 server_name=matrix.org
time="2021-01-04T17:17:38.926458692Z" level=info msg="Starting external Monolith listener on :8448" func="github.com/matrix-org/dendrite/setup.(*BaseDendrite).SetupAndServeHTTP.func2" file="github.com/matrix-org/dendrite/setup/base.go:344"
time="2021-01-04T17:17:38.927320682Z" level=info msg="Starting external Monolith listener on :8008" func="github.com/matrix-org/dendrite/setup.(*BaseDendrite).SetupAndServeHTTP.func2" file="github.com/matrix-org/dendrite/setup/base.go:344"
time="2021-01-04T18:27:13.301542019Z" level=info msg="Dendrite version 0.3.4+05324b68" func=github.com/matrix-org/dendrite/setup.NewBaseDendrite file="github.com/matrix-org/dendrite/setup/base.go:102"
time="2021-01-04T18:27:13.344276591Z" level=info msg="Enabled perspective key fetcher" func=github.com/matrix-org/dendrite/signingkeyserver.NewInternalAPI file="github.com/matrix-org/dendrite/signingkeyserver/signingkeyserver.go:103" num_public_keys=2 server_name=matrix.org
time="2021-01-04T18:27:13.524455173Z" level=info msg="Starting external Monolith listener on :8448" func="github.com/matrix-org/dendrite/setup.(*BaseDendrite).SetupAndServeHTTP.func2" file="github.com/matrix-org/dendrite/setup/base.go:344"
time="2021-01-04T18:27:13.525375566Z" level=info msg="Starting external Monolith listener on :8008" func="github.com/matrix-org/dendrite/setup.(*BaseDendrite).SetupAndServeHTTP.func2" file="github.com/matrix-org/dendrite/setup/base.go:344"