The Secure Border Gateway

The Secure Border Gateway (SBG) is an HTTP proxy designed to filter and analyze Matrix traffic between both clients and the homeserver, as well as between the homeserver and other federating homeservers. This guide outlines the key functionalities and configuration you need to be aware of when using the SBG.

Enable the Secure Border Gateway

Screenshot of the Integrations page in the ESS Admin Console with the Install button next to the Secure Border Gateway highlighted

On the Integrations page, locate the Secure Border Gateway add-on and select Install. Once installed, you can access its configuration.


Required Client Headers

Screenshot of the required client headers config check filled out with two header entries

A set of headers can be configured such that a Matrix client must supply at least one of in order to access the homeserver.

For each header, enter the name of the header (case-insensitive) and a regular expression pattern that the header's value must match.

If a client does not supply the appropriate headers in a request, that request will be rejected with HTTP status code 403, and a standard Matrix error response with errcode field M_FORBIDDEN.

A header name that is stripped by the SBG should not be used as a required client header. Otherwise no client will be able to access the service. For example, an Element Web client that does not supply the appropriate headers will see the following when attempting to log in: