Merge branch 'master' into pub.solar

2020-10-31 14:35:47 +01:00 · 2020-10-31 14:35:47 +01:00 · 43e7e646b6
parent 19b691f194 5c91e56898
commit 43e7e646b6
13 changed files with 92 additions and 41 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,33 @@
+# 2020-10-28
+
+## (Compatibility Break) https://matrix.DOMAIN/ now redirects to https://element.DOMAIN/
+
+Until now, we used to serve a static page coming from Synapse at `https://matrix.DOMAIN/`. This page was not very useful to anyone.
+
+Since `matrix.DOMAIN` may be accessed by regular users in certain conditions, it's probably better to redirect them to a better place (e.g. to the [Element](docs/configuring-playbook-client-element.md) client).
+
+If Element is installed (`matrix_client_element_enabled: true`, which it is by default), we now redirect people to it, instead of showing them a Synapse static page.
+
+If you'd like to control where the redirect goes, use the `matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain` variable.
+To restore the old behavior of not redirecting anywhere and serving the Synapse static page, set it to an empty value (`matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: ""`).
+
+
+# 2020-10-26
+
+## (Compatibility Break) /_synapse/admin is no longer publicly exposed by default
+
+We used to expose the Synapse Admin APIs publicly (at `https://matrix.DOMAIN/_synapse/admin`).
+These APIs require authentication with a valid access token, so it's not that big a deal to expose them.
+
+However, following [official Synapse's reverse-proxying recommendations](https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md#synapse-administration-endpoints), we're no longer exposing `/_synapse/admin` by default.
+
+If you'd like to restore restore the old behavior and expose `/_synapse/admin` publicly, you can use the following configuration (in your `vars.yml`):
+
+```yaml
+matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true
+```
+
+
 # 2020-10-02

 ## Minimum Ansible version raised to v2.7.0
--- a/README.md
+++ b/README.md
@ -128,7 +128,7 @@ This playbook sets up your server using the following Docker images:

 - [instrumentisto/coturn](https://hub.docker.com/r/instrumentisto/coturn/) - the [Coturn](https://github.com/coturn/coturn) STUN/TURN server (optional)

- [vectorim/riot-web](https://hub.docker.com/r/vectorim/riot-web/) - the [Element](https://element.io/) web client (optional)
+- [vectorim/element-web](https://hub.docker.com/r/vectorim/element-web/) - the [Element](https://element.io/) web client (optional)

 - [ma1uta/ma1sd](https://hub.docker.com/r/ma1uta/ma1sd/) - the [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server (optional)

--- a/docs/configuring-dns.md
+++ b/docs/configuring-dns.md
@ -34,7 +34,7 @@ DNS records marked with `(*)` above are optional. They refer to services that wi

 As the table above illustrates, you need to create 2 subdomains (`matrix.<your-domain>` and `element.<your-domain>`) and point both of them to your new server's IP address (DNS `A` record or `CNAME` record is fine).

-The `element.<your-domain>` subdomain is necessary, because this playbook installs the [Element](https://github.com/vector-im/riot-web) web client for you.
+The `element.<your-domain>` subdomain is necessary, because this playbook installs the [Element](https://github.com/vector-im/element-web) web client for you.
 If you'd rather instruct the playbook not to install Element (`matrix_client_element_enabled: false` when [Configuring the playbook](configuring-playbook.md) later), feel free to skip the `element.<your-domain>` DNS record.

 The `dimension.<your-domain>` subdomain may be necessary, because this playbook could install the [Dimension integrations manager](http://dimension.t2bot.io/) for you. Dimension installation is disabled by default, because it's only possible to install it after the other Matrix services are working (see [Setting up Dimension](configuring-playbook-dimension.md) later). If you do not wish to set up Dimension, feel free to skip the `dimension.<your-domain>` DNS record.
--- a/docs/configuring-playbook-client-element.md
+++ b/docs/configuring-playbook-client-element.md
@ -1,6 +1,6 @@
 # Configuring Element (optional)

-By default, this playbook installs the [Element](https://github.com/vector-im/riot-web) Matrix client web application.
+By default, this playbook installs the [Element](https://github.com/vector-im/element-web) Matrix client web application.
 If that's okay, you can skip this document.


--- a/docs/configuring-playbook-synapse-admin.md
+++ b/docs/configuring-playbook-synapse-admin.md
@ -15,6 +15,8 @@ Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.
 matrix_synapse_admin_enabled: true
 ```

+**Note**: Synapse Admin requires Synapse's [Admin APIs](https://github.com/matrix-org/synapse/tree/master/docs/admin_api) to function. Access to them is restricted with a valid access token, so exposing them publicly should not be a real security concern. Still, for additional security, we normally leave them unexposed, following [official Synapse reverse-proxying recommendations](https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md#synapse-administration-endpoints). Because Synapse Admin needs these APIs to function, when installing Synapse Admin, we **automatically** exposes them publicly for you (equivalent to `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true`).
+

 ## Installing

--- a/docs/howto-server-delegation.md
+++ b/docs/howto-server-delegation.md
@ -89,7 +89,7 @@ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: /matrix/ssl/
 If your files are not in `/matrix/ssl` but in some other location, you would need to mount them into the container:

 ```yaml
-matrix_synapse_container_extra_arguments:
+matrix_nginx_proxy_container_extra_arguments:
  - "--mount type=bind,src=/some/path/on/the/host,dst=/some/path/inside/the/container,ro"
 ```

--- a/examples/apache/matrix-synapse.conf
+++ b/examples/apache/matrix-synapse.conf
@ -43,6 +43,8 @@
 	AllowEncodedSlashes NoDecode
 	ProxyPass /_matrix http://127.0.0.1:8008/_matrix retry=0 nocanon
 	ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix
+	ProxyPass /_synapse/client http://127.0.0.1:8008/_synapse/client retry=0 nocanon
+	ProxyPassReverse /_synapse/client http://127.0.0.1:8008/_synapse/client

 	# Map /.well-known/matrix/client for client discovery
 	Alias /.well-known/matrix/client /matrix/static-files/.well-known/matrix/client
--- a/examples/caddy/matrix-synapse
+++ b/examples/caddy/matrix-synapse
@ -21,9 +21,11 @@ https://matrix.DOMAIN {
 	}

 	# Synapse Client<>Server API
-	proxy / matrix-synapse:8008 {
+	proxy /_matrix matrix-synapse:8008 {
+		transparent
+		except /_matrix/identity/ /_matrix/client/r0/user_directory/search
+	}
+	proxy /_synapse/client matrix-synapse:8008 {
 		transparent
-		except /.well-known/ /_matrix/identity/ /_matrix/client/r0/user_directory/search
 	}
-
 }
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@ -769,6 +769,10 @@ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "{{ 'matrix-corp
 matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "{{ '127.0.0.1:41080' if matrix_corporal_enabled else '127.0.0.1:8008' }}"
 matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: "{{ matrix_synapse_max_upload_size_mb }}"

+matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: "{{ matrix_synapse_admin_enabled }}"
+
+matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: "{{ matrix_server_fqn_element if matrix_client_element_enabled else '' }}"
+
 matrix_nginx_proxy_proxy_matrix_enabled: true
 matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled }}"
 matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}"
@ -917,7 +921,7 @@ matrix_client_element_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matr
 #
 ######################################################################

-matrix_synapse_container_image_self_build: "{{ matrix_architecture != 'amd64'}}"
+matrix_synapse_container_image_self_build: "{{ matrix_architecture not in ['arm32', 'arm64', 'amd64'] }}"

 # When ma1sd is enabled, we can use it to validate email addresses and phone numbers.
 # Synapse can validate email addresses by itself as well, but it's probably not what we want by default when we have an identity server.
--- a/roles/matrix-client-element/defaults/main.yml
+++ b/roles/matrix-client-element/defaults/main.yml
@ -2,7 +2,7 @@ matrix_client_element_enabled: true

 matrix_client_element_container_image_self_build: false

-matrix_client_element_docker_image: "vectorim/riot-web:v1.7.10"
+matrix_client_element_docker_image: "vectorim/element-web:v1.7.12"
 matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"

 matrix_client_element_data_path: "{{ matrix_base_data_path }}/client-element"
--- a/roles/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/matrix-nginx-proxy/defaults/main.yml
@ -147,7 +147,33 @@ matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: ""
 matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-synapse:8008"
 matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:8008"
 # This needs to be equal or higher than the maximum upload size accepted by Synapse.
-matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 25
+matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 50
+
+
+# Tells wheter `/_synapse/client` is forwarded to the Matrix Client API server.
+matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled: true
+
+# Tells wheter `/_synapse/admin` is forwarded to the Matrix Client API server.
+# Following these recommendations (https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md), by default, we don't.
+matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: false
+
+# `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefixes` holds
+# the location prefixes that get forwarded to the Matrix Client API server.
+# These locations get combined into a regex like this `^(/_matrix|/_synapse/client)`.
+matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes: |
+  {{
+    (['/_matrix'])
+    +
+    (['/_synapse/client'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled else [])
+    +
+    (['/_synapse/admin'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled else [])
+  }}
+
+# Specifies where requests for the root URI (`/`) on the `matrix.` domain should be redirected.
+# If this has an empty value, they're just passed to the homeserver, which serves a static page.
+# If you'd like to make `https://matrix.DOMAIN` redirect to `https://element.DOMAIN` (or something of that sort), specify the domain name here.
+# Example value: `element.DOMAIN` (or `{{ matrix_server_fqn_element }}`).
+matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: ""

 # Controls whether proxying for the Matrix Federation API should be done.
 matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2
@ -34,7 +34,7 @@
 	{% endif %}

 	{% if matrix_nginx_proxy_proxy_matrix_corporal_api_enabled %}
-	location /_matrix/corporal {
+	location ^~ /_matrix/corporal {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 			resolver 127.0.0.11 valid=5s;
@ -51,7 +51,7 @@
 	{% endif %}

 	{% if matrix_nginx_proxy_proxy_matrix_identity_api_enabled %}
-	location /_matrix/identity {
+	location ^~ /_matrix/identity {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 			resolver 127.0.0.11 valid=5s;
@ -68,7 +68,7 @@
 	{% endif %}

 	{% if matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled %}
-	location /_matrix/client/r0/user_directory/search {
+	location ^~ /_matrix/client/r0/user_directory/search {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 			resolver 127.0.0.11 valid=5s;
@ -105,29 +105,6 @@
 		{{- configuration_block }}
 	{% endfor %}

-	{#
-		This handles the Matrix Client API only.
-		The Matrix Federation API is handled by a separate vhost.
-	#}
-	location /_matrix {
-		{% if matrix_nginx_proxy_enabled %}
-			{# Use the embedded DNS resolver in Docker containers to discover the service #}
-			resolver 127.0.0.11 valid=5s;
-			set $backend "{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container }}";
-			proxy_pass http://$backend;
-		{% else %}
-			{# Generic configuration for use outside of our container setup #}
-			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container }};
-		{% endif %}
-
-		proxy_set_header Host $host;
-		proxy_set_header X-Forwarded-For $remote_addr;
-
-		client_body_buffer_size 25M;
-		client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M;
-		proxy_max_temp_file_size 0;
-	}
-
 	{% if matrix_nginx_proxy_proxy_synapse_metrics %}
 	location /_synapse/metrics {
 		{% if matrix_nginx_proxy_enabled %}
@ -150,7 +127,11 @@
 	}
 	{% endif %}

-	location /_synapse {
+	{#
+		This handles the Matrix Client API only.
+		The Matrix Federation API is handled by a separate vhost.
+	#}
+	location ~* ^({{ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes|join('|') }}) {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 			resolver 127.0.0.11 valid=5s;
@ -170,7 +151,11 @@
 	}

 	location / {
-		rewrite ^/$ /_matrix/static/ last;
+		{% if matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain %}
+			return 302 $scheme://{{ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain }}$request_uri;
+		{% else %}
+			rewrite ^/$ /_matrix/static/ last;
+		{% endif %}
 	}
 {% endmacro %}

--- a/roles/matrix-synapse/defaults/main.yml
+++ b/roles/matrix-synapse/defaults/main.yml
@ -5,7 +5,7 @@ matrix_synapse_enabled: true

 matrix_synapse_container_image_self_build: false

-matrix_synapse_docker_image: "matrixdotorg/synapse:v1.21.2"
+matrix_synapse_docker_image: "matrixdotorg/synapse:v1.22.1"
 matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"

 matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
@ -73,7 +73,7 @@ matrix_synapse_registration_shared_secret: "{{ matrix_synapse_macaroon_secret_ke
 matrix_synapse_allow_guest_access: false
 matrix_synapse_form_secret: "{{ matrix_synapse_macaroon_secret_key }}"

-matrix_synapse_max_upload_size_mb: 10
+matrix_synapse_max_upload_size_mb: 50

 # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
 matrix_synapse_tmp_directory_size_mb: "{{ matrix_synapse_max_upload_size_mb * 50 }}"
@ -349,7 +349,7 @@ matrix_synapse_room_list_publication_rules:
    room_id: "*"
    action: allow

-matrix_synapse_default_room_version: "5"
+matrix_synapse_default_room_version: "6"

 # Controls the Synapse `spam_checker` setting.
 #