forked from MirrorHub/synapse
Infer no_tls from presence of TLS listeners
Rather than have to specify `no_tls` explicitly, infer whether we need to load the TLS keys etc from whether we have any TLS-enabled listeners.
This commit is contained in:
parent
15272f837c
commit
4fddf8fc77
10 changed files with 27 additions and 20 deletions
1
changelog.d/4613.feature
Normal file
1
changelog.d/4613.feature
Normal file
|
@ -0,0 +1 @@
|
||||||
|
There is no longer any need to specify `no_tls`: it is inferred from the absence of TLS listeners
|
1
changelog.d/4615.feature
Normal file
1
changelog.d/4615.feature
Normal file
|
@ -0,0 +1 @@
|
||||||
|
There is no longer any need to specify `no_tls`: it is inferred from the absence of TLS listeners
|
|
@ -1 +0,0 @@
|
||||||
Logging improvements around TLS certs
|
|
1
changelog.d/4617.feature
Normal file
1
changelog.d/4617.feature
Normal file
|
@ -0,0 +1 @@
|
||||||
|
There is no longer any need to specify `no_tls`: it is inferred from the absence of TLS listeners
|
|
@ -1 +0,0 @@
|
||||||
Don't create server contexts when TLS is disabled
|
|
|
@ -215,7 +215,7 @@ def refresh_certificate(hs):
|
||||||
"""
|
"""
|
||||||
hs.config.read_certificate_from_disk()
|
hs.config.read_certificate_from_disk()
|
||||||
|
|
||||||
if hs.config.no_tls:
|
if not hs.config.has_tls_listener():
|
||||||
# nothing else to do here
|
# nothing else to do here
|
||||||
return
|
return
|
||||||
|
|
||||||
|
|
|
@ -90,11 +90,6 @@ class SynapseHomeServer(HomeServer):
|
||||||
tls = listener_config.get("tls", False)
|
tls = listener_config.get("tls", False)
|
||||||
site_tag = listener_config.get("tag", port)
|
site_tag = listener_config.get("tag", port)
|
||||||
|
|
||||||
if tls and config.no_tls:
|
|
||||||
raise ConfigError(
|
|
||||||
"Listener on port %i has TLS enabled, but no_tls is set" % (port,),
|
|
||||||
)
|
|
||||||
|
|
||||||
resources = {}
|
resources = {}
|
||||||
for res in listener_config["resources"]:
|
for res in listener_config["resources"]:
|
||||||
for name in res["names"]:
|
for name in res["names"]:
|
||||||
|
|
|
@ -42,7 +42,7 @@ from .voip import VoipConfig
|
||||||
from .workers import WorkerConfig
|
from .workers import WorkerConfig
|
||||||
|
|
||||||
|
|
||||||
class HomeServerConfig(TlsConfig, ServerConfig, DatabaseConfig, LoggingConfig,
|
class HomeServerConfig(ServerConfig, TlsConfig, DatabaseConfig, LoggingConfig,
|
||||||
RatelimitConfig, ContentRepositoryConfig, CaptchaConfig,
|
RatelimitConfig, ContentRepositoryConfig, CaptchaConfig,
|
||||||
VoipConfig, RegistrationConfig, MetricsConfig, ApiConfig,
|
VoipConfig, RegistrationConfig, MetricsConfig, ApiConfig,
|
||||||
AppServiceConfig, KeyConfig, SAML2Config, CasConfig,
|
AppServiceConfig, KeyConfig, SAML2Config, CasConfig,
|
||||||
|
|
|
@ -126,14 +126,22 @@ class ServerConfig(Config):
|
||||||
self.public_baseurl += '/'
|
self.public_baseurl += '/'
|
||||||
self.start_pushers = config.get("start_pushers", True)
|
self.start_pushers = config.get("start_pushers", True)
|
||||||
|
|
||||||
self.listeners = config.get("listeners", [])
|
self.listeners = []
|
||||||
|
for listener in config.get("listeners", []):
|
||||||
for listener in self.listeners:
|
|
||||||
if not isinstance(listener.get("port", None), int):
|
if not isinstance(listener.get("port", None), int):
|
||||||
raise ConfigError(
|
raise ConfigError(
|
||||||
"Listener configuration is lacking a valid 'port' option"
|
"Listener configuration is lacking a valid 'port' option"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
if listener.setdefault("tls", False):
|
||||||
|
# no_tls is not really supported any more, but let's grandfather it in
|
||||||
|
# here.
|
||||||
|
if config.get("no_tls", False):
|
||||||
|
logger.info(
|
||||||
|
"Ignoring TLS-enabled listener on port %i due to no_tls"
|
||||||
|
)
|
||||||
|
continue
|
||||||
|
|
||||||
bind_address = listener.pop("bind_address", None)
|
bind_address = listener.pop("bind_address", None)
|
||||||
bind_addresses = listener.setdefault("bind_addresses", [])
|
bind_addresses = listener.setdefault("bind_addresses", [])
|
||||||
|
|
||||||
|
@ -145,6 +153,8 @@ class ServerConfig(Config):
|
||||||
if not bind_addresses:
|
if not bind_addresses:
|
||||||
bind_addresses.extend(DEFAULT_BIND_ADDRESSES)
|
bind_addresses.extend(DEFAULT_BIND_ADDRESSES)
|
||||||
|
|
||||||
|
self.listeners.append(listener)
|
||||||
|
|
||||||
if not self.web_client_location:
|
if not self.web_client_location:
|
||||||
_warn_if_webclient_configured(self.listeners)
|
_warn_if_webclient_configured(self.listeners)
|
||||||
|
|
||||||
|
@ -152,6 +162,9 @@ class ServerConfig(Config):
|
||||||
|
|
||||||
bind_port = config.get("bind_port")
|
bind_port = config.get("bind_port")
|
||||||
if bind_port:
|
if bind_port:
|
||||||
|
if config.get("no_tls", False):
|
||||||
|
raise ConfigError("no_tls is incompatible with bind_port")
|
||||||
|
|
||||||
self.listeners = []
|
self.listeners = []
|
||||||
bind_host = config.get("bind_host", "")
|
bind_host = config.get("bind_host", "")
|
||||||
gzip_responses = config.get("gzip_responses", True)
|
gzip_responses = config.get("gzip_responses", True)
|
||||||
|
@ -198,6 +211,7 @@ class ServerConfig(Config):
|
||||||
"port": manhole,
|
"port": manhole,
|
||||||
"bind_addresses": ["127.0.0.1"],
|
"bind_addresses": ["127.0.0.1"],
|
||||||
"type": "manhole",
|
"type": "manhole",
|
||||||
|
"tls": False,
|
||||||
})
|
})
|
||||||
|
|
||||||
metrics_port = config.get("metrics_port")
|
metrics_port = config.get("metrics_port")
|
||||||
|
@ -223,6 +237,9 @@ class ServerConfig(Config):
|
||||||
|
|
||||||
_check_resource_config(self.listeners)
|
_check_resource_config(self.listeners)
|
||||||
|
|
||||||
|
def has_tls_listener(self):
|
||||||
|
return any(l["tls"] for l in self.listeners)
|
||||||
|
|
||||||
def default_config(self, server_name, data_dir_path, **kwargs):
|
def default_config(self, server_name, data_dir_path, **kwargs):
|
||||||
_, bind_port = parse_and_validate_server_name(server_name)
|
_, bind_port = parse_and_validate_server_name(server_name)
|
||||||
if bind_port is not None:
|
if bind_port is not None:
|
||||||
|
|
|
@ -51,7 +51,6 @@ class TlsConfig(Config):
|
||||||
self._original_tls_fingerprints = []
|
self._original_tls_fingerprints = []
|
||||||
|
|
||||||
self.tls_fingerprints = list(self._original_tls_fingerprints)
|
self.tls_fingerprints = list(self._original_tls_fingerprints)
|
||||||
self.no_tls = config.get("no_tls", False)
|
|
||||||
|
|
||||||
# This config option applies to non-federation HTTP clients
|
# This config option applies to non-federation HTTP clients
|
||||||
# (e.g. for talking to recaptcha, identity servers, and such)
|
# (e.g. for talking to recaptcha, identity servers, and such)
|
||||||
|
@ -141,6 +140,8 @@ class TlsConfig(Config):
|
||||||
|
|
||||||
return (
|
return (
|
||||||
"""\
|
"""\
|
||||||
|
## TLS ##
|
||||||
|
|
||||||
# PEM-encoded X509 certificate for TLS.
|
# PEM-encoded X509 certificate for TLS.
|
||||||
# This certificate, as of Synapse 1.0, will need to be a valid and verifiable
|
# This certificate, as of Synapse 1.0, will need to be a valid and verifiable
|
||||||
# certificate, signed by a recognised Certificate Authority.
|
# certificate, signed by a recognised Certificate Authority.
|
||||||
|
@ -201,13 +202,6 @@ class TlsConfig(Config):
|
||||||
#
|
#
|
||||||
# reprovision_threshold: 30
|
# reprovision_threshold: 30
|
||||||
|
|
||||||
# If your server runs behind a reverse-proxy which terminates TLS connections
|
|
||||||
# (for both client and federation connections), it may be useful to disable
|
|
||||||
# All TLS support for incoming connections. Setting no_tls to True will
|
|
||||||
# do so (and avoid the need to give synapse a TLS private key).
|
|
||||||
#
|
|
||||||
# no_tls: True
|
|
||||||
|
|
||||||
# List of allowed TLS fingerprints for this server to publish along
|
# List of allowed TLS fingerprints for this server to publish along
|
||||||
# with the signing keys for this server. Other matrix servers that
|
# with the signing keys for this server. Other matrix servers that
|
||||||
# make HTTPS requests to this server will check that the TLS
|
# make HTTPS requests to this server will check that the TLS
|
||||||
|
|
Loading…
Reference in a new issue