Do not expose /_synapse/admin publicly by default
Fixes #685 (GitHub issue).
parent
24c6d7e81f
commit
63a49bb2dc
16
CHANGELOG.md
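--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,19 @@
+# 2020-10-26
+
+## (Compatibility Break) /_synapse/admin is no longer publicly exposed by default
+
+We used to expose the Synapse Admin APIs publicly (at `https://matrix.DOMAIN/_synapse/admin`).
+These APIs require authentication with a valid access token, so it's not that big a deal to expose them.
+
+However, following [official Synapse's reverse-proxying recommendations](https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md#synapse-administration-endpoints), we're no longer exposing `/_synapse/admin` by default.
+
+If you'd like to restore restore the old behavior and expose `/_synapse/admin` publicly, you can use the following configuration (in your `vars.yml`):
+
+```yaml
+matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true
+```
+
+
 # 2020-10-02
 
 ## Minimum Ansible version raised to v2.7.0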
@ -43,6 +43,8 @@
|
||||||
AllowEncodedSlashes NoDecode
|
AllowEncodedSlashes NoDecode
|
||||||
ProxyPass /_matrix http://127.0.0.1:8008/_matrix retry=0 nocanon
|
ProxyPass /_matrix http://127.0.0.1:8008/_matrix retry=0 nocanon
|
||||||
ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix
|
ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix
|
||||||
|
ProxyPass /_synapse/client http://127.0.0.1:8008/_synapse/client retry=0 nocanon
|
||||||
|
ProxyPassReverse /_synapse/client http://127.0.0.1:8008/_synapse/client
|
||||||
|
|
||||||
# Map /.well-known/matrix/client for client discovery
|
# Map /.well-known/matrix/client for client discovery
|
||||||
Alias /.well-known/matrix/client /matrix/static-files/.well-known/matrix/client
|
Alias /.well-known/matrix/client /matrix/static-files/.well-known/matrix/client
|
||||||
|
|
|
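Review bot: The new `ProxyPass /_synapse/client` / `ProxyPassReverse /_synapse/client` pair keeps `/_synapse/admin` off the proxy only by omission, so any broader rule later in the same `<VirtualHost>` (a `ProxyPass /` catch-all, for instance) would silently re-expose the Admin API, because mod_proxy uses the first `ProxyPass` that matches in configuration order. An explicit exclusion placed before the forwarding rules makes the intent durable: `ProxyPass /_synapse/admin !`, preceded by `# Synapse Admin API is deliberately not exposed; see Synapse's docs/reverse_proxy.md`. The enclosing `<VirtualHost>` block starts and ends outside the hunk, so I cannot tell from here whether such a catch-all exists.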
@ -21,9 +21,11 @@ https://matrix.DOMAIN {
|
||||||
}
|
}
|
||||||
|
|
||||||
# Synapse Client<>Server API
|
# Synapse Client<>Server API
|
||||||
proxy / matrix-synapse:8008 {
|
proxy /_matrix matrix-synapse:8008 {
|
||||||
|
transparent
|
||||||
|
except /_matrix/identity/ /_matrix/client/r0/user_directory/search
|
||||||
|
}
|
||||||
|
proxy /_synapse/client matrix-synapse:8008 {
|
||||||
transparent
|
transparent
|
||||||
except /.well-known/ /_matrix/identity/ /_matrix/client/r0/user_directory/search
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
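Review bot: Splitting the old `proxy / matrix-synapse:8008` catch-all into `proxy /_matrix` and `proxy /_synapse/client` is what stops `/_synapse/admin` from reaching Synapse, but nothing in the hunk records that, and the next person who finds a path missing may simply re-add `proxy /` and expose the Admin API again. A one-line comment above `proxy /_matrix matrix-synapse:8008 {` would protect the intent: `# Only /_matrix and /_synapse/client are proxied; /_synapse/admin is deliberately NOT exposed (Synapse Admin API)`. Dropping `except /.well-known/` looks correct now that neither block matches that prefix, though the site block `https://matrix.DOMAIN {` starts before the hunk and I cannot see what now serves `/.well-known/matrix/*`.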
@ -149,6 +149,26 @@ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:8008"
|
||||||
# This needs to be equal or higher than the maximum upload size accepted by Synapse.
|
# This needs to be equal or higher than the maximum upload size accepted by Synapse.
|
||||||
matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 25
|
matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 25
|
||||||
|
|
||||||
|
|
||||||
|
# Tells wheter `/_synapse/client` is forwarded to the Matrix Client API server.
|
||||||
|
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled: true
|
||||||
|
|
||||||
|
# Tells wheter `/_synapse/admin` is forwarded to the Matrix Client API server.
|
||||||
|
# Following these recommendations (https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md), by default, we don't.
|
||||||
|
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: false
|
||||||
|
|
||||||
|
# `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefixes` holds
|
||||||
|
# the location prefixes that get forwarded to the Matrix Client API server.
|
||||||
|
# These locations get combined into a regex like this `^(/_matrix|/_synapse/client)`.
|
||||||
|
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes: |
|
||||||
|
{{
|
||||||
|
(['/_matrix'])
|
||||||
|
+
|
||||||
|
(['/_synapse/client'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled else [])
|
||||||
|
+
|
||||||
|
(['/_synapse/admin'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled else [])
|
||||||
|
}}
|
||||||
|
|
||||||
# Controls whether proxying for the Matrix Federation API should be done.
|
# Controls whether proxying for the Matrix Federation API should be done.
|
||||||
matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false
|
matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false
|
||||||
matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-synapse:8048"
|
matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-synapse:8048"
|
||||||
|
|
|
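Review bot: The comment above the prefix list names a variable that does not exist: it says `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefixes` while the key defined two lines below is `..._forwarded_location_prefix_regexes`, so the comment should use the `_prefix_regexes` name. The two new "Tells wheter" comments also need "whether". The description of the list understates what the entries are: they are regex fragments joined with `|` inside `^( )` and there is no trailing anchor, so `/_matrix` also matches `/_matrixanything` and an entry containing `.` or other metacharacters gets regex semantics rather than a literal path; I would replace `# These locations get combined into a regex like this ...` with `# Entries are regex fragments joined with | into ^(/_matrix|/_synapse/client); escape metacharacters, and note there is no trailing anchor (/_matrix also matches /_matrixfoo).` Since leaving `/_synapse/admin` out of this list is what hides the Admin API, a line such as `# Do not add /_synapse/admin here unless you intend to expose it publicly` above the list would also help.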
@ -105,29 +105,6 @@
|
||||||
{{- configuration_block }}
|
{{- configuration_block }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
{#
|
|
||||||
This handles the Matrix Client API only.
|
|
||||||
The Matrix Federation API is handled by a separate vhost.
|
|
||||||
#}
|
|
||||||
location /_matrix {
|
|
||||||
{% if matrix_nginx_proxy_enabled %}
|
|
||||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
|
||||||
resolver 127.0.0.11 valid=5s;
|
|
||||||
set $backend "{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container }}";
|
|
||||||
proxy_pass http://$backend;
|
|
||||||
{% else %}
|
|
||||||
{# Generic configuration for use outside of our container setup #}
|
|
||||||
proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container }};
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Forwarded-For $remote_addr;
|
|
||||||
|
|
||||||
client_body_buffer_size 25M;
|
|
||||||
client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M;
|
|
||||||
proxy_max_temp_file_size 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
{% if matrix_nginx_proxy_proxy_synapse_metrics %}
|
{% if matrix_nginx_proxy_proxy_synapse_metrics %}
|
||||||
location /_synapse/metrics {
|
location /_synapse/metrics {
|
||||||
{% if matrix_nginx_proxy_enabled %}
|
{% if matrix_nginx_proxy_enabled %}
|
||||||
|
@ -150,7 +127,11 @@
|
||||||
}
|
}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
location /_synapse {
|
{#
|
||||||
|
This handles the Matrix Client API only.
|
||||||
|
The Matrix Federation API is handled by a separate vhost.
|
||||||
|
#}
|
||||||
|
location ~* ^({{ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes|join('|') }}) {
|
||||||
{% if matrix_nginx_proxy_enabled %}
|
{% if matrix_nginx_proxy_enabled %}
|
||||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||||
resolver 127.0.0.11 valid=5s;
|
resolver 127.0.0.11 valid=5s;
|
||||||
|
|