Add warnings to ip_range_blacklist usage with proxies (#10129)
Per issue #9812, using `url_preview_ip_range_blacklist` with a proxy configured via the `HTTPS_PROXY` or `HTTP_PROXY` environment variables behaves inconsistently with what the documentation states. This PR changes the following: - Changes the sample config file to include a note mentioning that `url_preview_ip_range_blacklist` and `ip_range_blacklist` are ignored when using a proxy - Changes some logic in synapse/config/repository.py to log a warning when both a `*ip_range_blacklist` config and a proxy environment variable are set, and no longer throws an error. Signed-off-by: Kento Okamoto <kentokamoto@protonmail.com>
This commit is contained in:
parent
951648f26a
commit
72935b7c50
4 changed files with 26 additions and 5 deletions
1
changelog.d/10129.bugfix
Normal file
1
changelog.d/10129.bugfix
Normal file
|
@ -0,0 +1 @@
|
||||||
|
Add some clarification to the sample config file. Contributed by @Kentokamoto.
|
|
@ -210,6 +210,8 @@ presence:
|
||||||
#
|
#
|
||||||
# This option replaces federation_ip_range_blacklist in Synapse v1.25.0.
|
# This option replaces federation_ip_range_blacklist in Synapse v1.25.0.
|
||||||
#
|
#
|
||||||
|
# Note: The value is ignored when an HTTP proxy is in use
|
||||||
|
#
|
||||||
#ip_range_blacklist:
|
#ip_range_blacklist:
|
||||||
# - '127.0.0.0/8'
|
# - '127.0.0.0/8'
|
||||||
# - '10.0.0.0/8'
|
# - '10.0.0.0/8'
|
||||||
|
@ -972,6 +974,8 @@ media_store_path: "DATADIR/media_store"
|
||||||
# This must be specified if url_preview_enabled is set. It is recommended that
|
# This must be specified if url_preview_enabled is set. It is recommended that
|
||||||
# you uncomment the following list as a starting point.
|
# you uncomment the following list as a starting point.
|
||||||
#
|
#
|
||||||
|
# Note: The value is ignored when an HTTP proxy is in use
|
||||||
|
#
|
||||||
#url_preview_ip_range_blacklist:
|
#url_preview_ip_range_blacklist:
|
||||||
# - '127.0.0.0/8'
|
# - '127.0.0.0/8'
|
||||||
# - '10.0.0.0/8'
|
# - '10.0.0.0/8'
|
||||||
|
|
|
@ -12,9 +12,11 @@
|
||||||
# See the License for the specific language governing permissions and
|
# See the License for the specific language governing permissions and
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
|
import logging
|
||||||
import os
|
import os
|
||||||
from collections import namedtuple
|
from collections import namedtuple
|
||||||
from typing import Dict, List
|
from typing import Dict, List
|
||||||
|
from urllib.request import getproxies_environment # type: ignore
|
||||||
|
|
||||||
from synapse.config.server import DEFAULT_IP_RANGE_BLACKLIST, generate_ip_set
|
from synapse.config.server import DEFAULT_IP_RANGE_BLACKLIST, generate_ip_set
|
||||||
from synapse.python_dependencies import DependencyException, check_requirements
|
from synapse.python_dependencies import DependencyException, check_requirements
|
||||||
|
@ -22,6 +24,8 @@ from synapse.util.module_loader import load_module
|
||||||
|
|
||||||
from ._base import Config, ConfigError
|
from ._base import Config, ConfigError
|
||||||
|
|
||||||
|
logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
DEFAULT_THUMBNAIL_SIZES = [
|
DEFAULT_THUMBNAIL_SIZES = [
|
||||||
{"width": 32, "height": 32, "method": "crop"},
|
{"width": 32, "height": 32, "method": "crop"},
|
||||||
{"width": 96, "height": 96, "method": "crop"},
|
{"width": 96, "height": 96, "method": "crop"},
|
||||||
|
@ -36,6 +40,9 @@ THUMBNAIL_SIZE_YAML = """\
|
||||||
# method: %(method)s
|
# method: %(method)s
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
HTTP_PROXY_SET_WARNING = """\
|
||||||
|
The Synapse config url_preview_ip_range_blacklist will be ignored as an HTTP(s) proxy is configured."""
|
||||||
|
|
||||||
ThumbnailRequirement = namedtuple(
|
ThumbnailRequirement = namedtuple(
|
||||||
"ThumbnailRequirement", ["width", "height", "method", "media_type"]
|
"ThumbnailRequirement", ["width", "height", "method", "media_type"]
|
||||||
)
|
)
|
||||||
|
@ -180,12 +187,17 @@ class ContentRepositoryConfig(Config):
|
||||||
e.message # noqa: B306, DependencyException.message is a property
|
e.message # noqa: B306, DependencyException.message is a property
|
||||||
)
|
)
|
||||||
|
|
||||||
|
proxy_env = getproxies_environment()
|
||||||
if "url_preview_ip_range_blacklist" not in config:
|
if "url_preview_ip_range_blacklist" not in config:
|
||||||
|
if "http" not in proxy_env or "https" not in proxy_env:
|
||||||
raise ConfigError(
|
raise ConfigError(
|
||||||
"For security, you must specify an explicit target IP address "
|
"For security, you must specify an explicit target IP address "
|
||||||
"blacklist in url_preview_ip_range_blacklist for url previewing "
|
"blacklist in url_preview_ip_range_blacklist for url previewing "
|
||||||
"to work"
|
"to work"
|
||||||
)
|
)
|
||||||
|
else:
|
||||||
|
if "http" in proxy_env or "https" in proxy_env:
|
||||||
|
logger.warning("".join(HTTP_PROXY_SET_WARNING))
|
||||||
|
|
||||||
# we always blacklist '0.0.0.0' and '::', which are supposed to be
|
# we always blacklist '0.0.0.0' and '::', which are supposed to be
|
||||||
# unroutable addresses.
|
# unroutable addresses.
|
||||||
|
@ -292,6 +304,8 @@ class ContentRepositoryConfig(Config):
|
||||||
# This must be specified if url_preview_enabled is set. It is recommended that
|
# This must be specified if url_preview_enabled is set. It is recommended that
|
||||||
# you uncomment the following list as a starting point.
|
# you uncomment the following list as a starting point.
|
||||||
#
|
#
|
||||||
|
# Note: The value is ignored when an HTTP proxy is in use
|
||||||
|
#
|
||||||
#url_preview_ip_range_blacklist:
|
#url_preview_ip_range_blacklist:
|
||||||
%(ip_range_blacklist)s
|
%(ip_range_blacklist)s
|
||||||
|
|
||||||
|
|
|
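Review bot: The two proxy checks in the `ContentRepositoryConfig` hunk disagree with each other: `if "http" not in proxy_env or "https" not in proxy_env:` only waives the `ConfigError` when both `HTTP_PROXY` and `HTTPS_PROXY` are set, while the `else` branch warns that the blacklist is ignored as soon as either one is set — yet with only one scheme proxied, previews for the other scheme presumably still connect directly and are still subject to the blacklist (worth confirming against the HTTP client), so the warning overstates it. The stricter check is the right one for the error path; align the warning with it, `if "http" in proxy_env and "https" in proxy_env:`, or reword `HTTP_PROXY_SET_WARNING` to say the list is not applied to proxied requests. The branch that now skips the `ConfigError` logs nothing at all, so a deployment with no blacklist and a proxy gets no hint that SSRF protection now rests entirely on the proxy; log the same warning there and extend it with `"the proxy itself must refuse connections to private/loopback ranges; hosts matched by NO_PROXY bypass the proxy"` (the `no` key `getproxies_environment()` returns is not consulted here). `"".join(HTTP_PROXY_SET_WARNING)` is a no-op on a `str` — just pass `HTTP_PROXY_SET_WARNING`. The enclosing `read_config` body starts and ends outside the hunk.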
@ -960,6 +960,8 @@ class ServerConfig(Config):
|
||||||
#
|
#
|
||||||
# This option replaces federation_ip_range_blacklist in Synapse v1.25.0.
|
# This option replaces federation_ip_range_blacklist in Synapse v1.25.0.
|
||||||
#
|
#
|
||||||
|
# Note: The value is ignored when an HTTP proxy is in use
|
||||||
|
#
|
||||||
#ip_range_blacklist:
|
#ip_range_blacklist:
|
||||||
%(ip_range_blacklist)s
|
%(ip_range_blacklist)s
|
||||||
|
|
||||||
|
|
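Review bot: The added `# Note: The value is ignored when an HTTP proxy is in use` under `ip_range_blacklist` tells the operator the list stops working without saying what that means for them, and "ignored" is stronger than the situation warrants since only traffic that actually goes through the proxy is affected. Suggest `# Note: when an HTTP(S) proxy is configured via HTTP_PROXY/HTTPS_PROXY, requests are sent to the proxy` / `# and this list cannot be enforced for them, so the proxy itself must block private ranges` (hosts excluded via NO_PROXY presumably still connect directly and remain covered — verify before stating it). The same wording should be mirrored in the `url_preview_ip_range_blacklist` template in repository.py and in docs/sample_config.yaml so the three notes stay consistent. The enclosing `generate_config_section` template string starts and ends outside the hunk.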