Do not expose /_synapse/admin publicly by default

Fixes #685 (Github Issue).
This commit is contained in:
Slavi Pantaleev 2020-10-26 10:36:38 +02:00
parent 24c6d7e81f
commit 63a49bb2dc
5 changed files with 48 additions and 27 deletions

View file

@ -1,3 +1,19 @@
# 2020-10-26
## (Compatibility Break) /_synapse/admin is no longer publicly exposed by default
We used to expose the Synapse Admin APIs publicly (at `https://matrix.DOMAIN/_synapse/admin`).
These APIs require authentication with a valid access token, so it's not that big a deal to expose them.
However, following [official Synapse's reverse-proxying recommendations](https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md#synapse-administration-endpoints), we're no longer exposing `/_synapse/admin` by default.
If you'd like to restore restore the old behavior and expose `/_synapse/admin` publicly, you can use the following configuration (in your `vars.yml`):
```yaml
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true
```
# 2020-10-02 # 2020-10-02
## Minimum Ansible version raised to v2.7.0 ## Minimum Ansible version raised to v2.7.0

View file

@ -43,6 +43,8 @@
AllowEncodedSlashes NoDecode AllowEncodedSlashes NoDecode
ProxyPass /_matrix http://127.0.0.1:8008/_matrix retry=0 nocanon ProxyPass /_matrix http://127.0.0.1:8008/_matrix retry=0 nocanon
ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix
ProxyPass /_synapse/client http://127.0.0.1:8008/_synapse/client retry=0 nocanon
ProxyPassReverse /_synapse/client http://127.0.0.1:8008/_synapse/client
# Map /.well-known/matrix/client for client discovery # Map /.well-known/matrix/client for client discovery
Alias /.well-known/matrix/client /matrix/static-files/.well-known/matrix/client Alias /.well-known/matrix/client /matrix/static-files/.well-known/matrix/client

View file

@ -21,9 +21,11 @@ https://matrix.DOMAIN {
} }
# Synapse Client<>Server API # Synapse Client<>Server API
proxy / matrix-synapse:8008 { proxy /_matrix matrix-synapse:8008 {
transparent
except /_matrix/identity/ /_matrix/client/r0/user_directory/search
}
proxy /_synapse/client matrix-synapse:8008 {
transparent transparent
except /.well-known/ /_matrix/identity/ /_matrix/client/r0/user_directory/search
} }
} }

View file

@ -149,6 +149,26 @@ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:8008"
# This needs to be equal or higher than the maximum upload size accepted by Synapse. # This needs to be equal or higher than the maximum upload size accepted by Synapse.
matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 25 matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 25
# Tells wheter `/_synapse/client` is forwarded to the Matrix Client API server.
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled: true
# Tells wheter `/_synapse/admin` is forwarded to the Matrix Client API server.
# Following these recommendations (https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md), by default, we don't.
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: false
# `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefixes` holds
# the location prefixes that get forwarded to the Matrix Client API server.
# These locations get combined into a regex like this `^(/_matrix|/_synapse/client)`.
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes: |
{{
(['/_matrix'])
+
(['/_synapse/client'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled else [])
+
(['/_synapse/admin'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled else [])
}}
# Controls whether proxying for the Matrix Federation API should be done. # Controls whether proxying for the Matrix Federation API should be done.
matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false
matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-synapse:8048" matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-synapse:8048"

View file

@ -105,29 +105,6 @@
{{- configuration_block }} {{- configuration_block }}
{% endfor %} {% endfor %}
{#
This handles the Matrix Client API only.
The Matrix Federation API is handled by a separate vhost.
#}
location /_matrix {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
set $backend "{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container }}";
proxy_pass http://$backend;
{% else %}
{# Generic configuration for use outside of our container setup #}
proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container }};
{% endif %}
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
client_body_buffer_size 25M;
client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M;
proxy_max_temp_file_size 0;
}
{% if matrix_nginx_proxy_proxy_synapse_metrics %} {% if matrix_nginx_proxy_proxy_synapse_metrics %}
location /_synapse/metrics { location /_synapse/metrics {
{% if matrix_nginx_proxy_enabled %} {% if matrix_nginx_proxy_enabled %}
@ -150,7 +127,11 @@
} }
{% endif %} {% endif %}
location /_synapse { {#
This handles the Matrix Client API only.
The Matrix Federation API is handled by a separate vhost.
#}
location ~* ^({{ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes|join('|') }}) {
{% if matrix_nginx_proxy_enabled %} {% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #} {# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s; resolver 127.0.0.11 valid=5s;