mirror of
https://mau.dev/maunium/synapse.git
synced 2024-12-15 00:33:50 +01:00
Add documentation for configuring a forward proxy. (#10443)
This commit is contained in:
parent
e33f14e8d5
commit
834cdc3606
3 changed files with 76 additions and 0 deletions
1
changelog.d/10443.doc
Normal file
1
changelog.d/10443.doc
Normal file
|
@ -0,0 +1 @@
|
||||||
|
Add documentation for configuration a forward proxy.
|
|
@ -7,6 +7,7 @@
|
||||||
- [Installation](setup/installation.md)
|
- [Installation](setup/installation.md)
|
||||||
- [Using Postgres](postgres.md)
|
- [Using Postgres](postgres.md)
|
||||||
- [Configuring a Reverse Proxy](reverse_proxy.md)
|
- [Configuring a Reverse Proxy](reverse_proxy.md)
|
||||||
|
- [Configuring a Forward/Outbound Proxy](setup/forward_proxy.md)
|
||||||
- [Configuring a Turn Server](turn-howto.md)
|
- [Configuring a Turn Server](turn-howto.md)
|
||||||
- [Delegation](delegate.md)
|
- [Delegation](delegate.md)
|
||||||
|
|
||||||
|
|
74
docs/setup/forward_proxy.md
Normal file
74
docs/setup/forward_proxy.md
Normal file
|
@ -0,0 +1,74 @@
|
||||||
|
# Using a forward proxy with Synapse
|
||||||
|
|
||||||
|
You can use Synapse with a forward or outbound proxy. An example of when
|
||||||
|
this is necessary is in corporate environments behind a DMZ (demilitarized zone).
|
||||||
|
Synapse supports routing outbound HTTP(S) requests via a proxy. Only HTTP(S)
|
||||||
|
proxy is supported, not SOCKS proxy or anything else.
|
||||||
|
|
||||||
|
## Configure
|
||||||
|
|
||||||
|
The `http_proxy`, `https_proxy`, `no_proxy` environment variables are used to
|
||||||
|
specify proxy settings. The environment variable is not case sensitive.
|
||||||
|
- `http_proxy`: Proxy server to use for HTTP requests.
|
||||||
|
- `https_proxy`: Proxy server to use for HTTPS requests.
|
||||||
|
- `no_proxy`: Comma-separated list of hosts, IP addresses, or IP ranges in CIDR
|
||||||
|
format which should not use the proxy. Synapse will directly connect to these hosts.
|
||||||
|
|
||||||
|
The `http_proxy` and `https_proxy` environment variables have the form: `[scheme://][<username>:<password>@]<host>[:<port>]`
|
||||||
|
- Supported schemes are `http://` and `https://`. The default scheme is `http://`
|
||||||
|
for compatibility reasons; it is recommended to set a scheme. If scheme is set
|
||||||
|
to `https://` the connection uses TLS between Synapse and the proxy.
|
||||||
|
|
||||||
|
**NOTE**: Synapse validates the certificates. If the certificate is not
|
||||||
|
valid, then the connection is dropped.
|
||||||
|
- Default port if not given is `1080`.
|
||||||
|
- Username and password are optional and will be used to authenticate against
|
||||||
|
the proxy.
|
||||||
|
|
||||||
|
**Examples**
|
||||||
|
- HTTP_PROXY=http://USERNAME:PASSWORD@10.0.1.1:8080/
|
||||||
|
- HTTPS_PROXY=http://USERNAME:PASSWORD@proxy.example.com:8080/
|
||||||
|
- NO_PROXY=master.hostname.example.com,10.1.0.0/16,172.30.0.0/16
|
||||||
|
|
||||||
|
**NOTE**:
|
||||||
|
Synapse does not apply the IP blacklist to connections through the proxy (since
|
||||||
|
the DNS resolution is done by the proxy). It is expected that the proxy or firewall
|
||||||
|
will apply blacklisting of IP addresses.
|
||||||
|
|
||||||
|
## Connection types
|
||||||
|
|
||||||
|
The proxy will be **used** for:
|
||||||
|
|
||||||
|
- push
|
||||||
|
- url previews
|
||||||
|
- phone-home stats
|
||||||
|
- recaptcha validation
|
||||||
|
- CAS auth validation
|
||||||
|
- OpenID Connect
|
||||||
|
- Federation (checking public key revocation)
|
||||||
|
|
||||||
|
It will **not be used** for:
|
||||||
|
|
||||||
|
- Application Services
|
||||||
|
- Identity servers
|
||||||
|
- Outbound federation
|
||||||
|
- In worker configurations
|
||||||
|
- connections between workers
|
||||||
|
- connections from workers to Redis
|
||||||
|
- Fetching public keys of other servers
|
||||||
|
- Downloading remote media
|
||||||
|
|
||||||
|
## Troubleshooting
|
||||||
|
|
||||||
|
If a proxy server is used with TLS (HTTPS) and no connections are established,
|
||||||
|
it is most likely due to the proxy's certificates. To test this, the validation
|
||||||
|
in Synapse can be deactivated.
|
||||||
|
|
||||||
|
**NOTE**: This has an impact on security and is for testing purposes only!
|
||||||
|
|
||||||
|
To deactivate the certificate validation, the following setting must be made in
|
||||||
|
[homserver.yaml](../usage/configuration/homeserver_sample_config.md).
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
use_insecure_ssl_client_just_for_testing_do_not_use: true
|
||||||
|
```
|
Loading…
Reference in a new issue