From 6fefb8642cd1a35058e8a4eac96e7374fac679a2 Mon Sep 17 00:00:00 2001 From: Andrew Morgan Date: Tue, 1 Sep 2020 18:49:15 +0100 Subject: [PATCH 1/7] Update reverse proxy docs to talk about /_synapse/* endpoints --- docs/reverse_proxy.md | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/docs/reverse_proxy.md b/docs/reverse_proxy.md index fd48ba0874c2..6291383afd2e 100644 --- a/docs/reverse_proxy.md +++ b/docs/reverse_proxy.md @@ -11,7 +11,7 @@ privileges. **NOTE**: Your reverse proxy must not `canonicalise` or `normalise` the requested URI in any way (for example, by decoding `%xx` escapes). -Beware that Apache *will* canonicalise URIs unless you specifify +Beware that Apache *will* canonicalise URIs unless you specify `nocanon`. When setting up a reverse proxy, remember that Matrix clients and other @@ -23,6 +23,10 @@ specification](https://matrix.org/docs/spec/server_server/latest#resolving-serve for more details of the algorithm used for federation connections, and [delegate.md]() for instructions on setting up delegation. +Endpoints that are part of the standardised Matrix specification are +located under `/_matrix`, whereas endpoints specific to Synapse are +located under `/_synapse`. + Let's assume that we expect clients to connect to our server at `https://matrix.example.com`, and other servers to connect at `https://example.com:8448`. The following sections detail the configuration of @@ -45,7 +49,7 @@ server { server_name matrix.example.com; - location /_matrix { + location ~* ^(\/_matrix|\/_synapse\/client) { proxy_pass http://localhost:8008; proxy_set_header X-Forwarded-For $remote_addr; # Nginx by default only allows file uploads up to 1M in size @@ -65,6 +69,10 @@ matrix.example.com { proxy /_matrix http://localhost:8008 { transparent } + + proxy /_synapse/client http://localhost:8008 { + transparent + } } example.com:8448 { @@ -79,6 +87,7 @@ example.com:8448 { ``` matrix.example.com { reverse_proxy /_matrix/* http://localhost:8008 + reverse_proxy /_synapse/client/* http://localhost:8008 } example.com:8448 { @@ -96,6 +105,8 @@ example.com:8448 { AllowEncodedSlashes NoDecode ProxyPass /_matrix http://127.0.0.1:8008/_matrix nocanon ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix + ProxyPass /_synapse/client http://127.0.0.1:8008/_synapse/client nocanon + ProxyPassReverse /_synapse/client http://127.0.0.1:8008/_synapse/client @@ -119,8 +130,9 @@ frontend https # Matrix client traffic acl matrix-host hdr(host) -i matrix.example.com acl matrix-path path_beg /_matrix + acl synapse-client-path path_beg /_matrix - use_backend matrix if matrix-host matrix-path + use_backend matrix if matrix-host matrix-path || matrix-host synapse-client-path frontend matrix-federation bind :::8448 v4v6 ssl crt /etc/ssl/haproxy/synapse.pem alpn h2,http/1.1 @@ -146,3 +158,10 @@ connecting to Synapse from a client. Synapse exposes a health check endpoint for use by reverse proxies. Each configured HTTP listener has a `/health` endpoint which always returns 200 OK (and doesn't get logged). + +## Synapse administration endpoints + +Endpoints for administering your Synapse instance are placed under +`/_synapse/admin`. These require authentication through an access token of an +admin user. Nevertheless, it is not advised to expose these ports to the public +internet. From f5cb0e75fb174e6b64a50be61b348aa5cb2ba37d Mon Sep 17 00:00:00 2001 From: Andrew Morgan Date: Tue, 1 Sep 2020 18:53:23 +0100 Subject: [PATCH 2/7] Update UPGRADE.rst to warn about reverse proxy configurations --- UPGRADE.rst | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/UPGRADE.rst b/UPGRADE.rst index 6492fa011f4a..00fe93a02e94 100644 --- a/UPGRADE.rst +++ b/UPGRADE.rst @@ -75,6 +75,18 @@ for example: wget https://packages.matrix.org/debian/pool/main/m/matrix-synapse-py3/matrix-synapse-py3_1.3.0+stretch1_amd64.deb dpkg -i matrix-synapse-py3_1.3.0+stretch1_amd64.deb +Upgrading to v1.20.0 +==================== + +Forwarding ``/_synapse/client`` through your reverse proxy +---------------------------------------------------------- + +The `reverse proxy documentation +`_ has been updated +to include reverse proxy directives for ``/_synapse/client/*`` endpoints. As the user password +reset flow now uses endpoints under this prefix, **you must update your reverse proxy +configurations for user password reset to work**. + Upgrading to v1.18.0 ==================== From 7cf983cfa896291238364d1c912f64b3a9c76ffa Mon Sep 17 00:00:00 2001 From: Andrew Morgan Date: Tue, 1 Sep 2020 18:58:30 +0100 Subject: [PATCH 3/7] Changelog --- changelog.d/8227.doc | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog.d/8227.doc diff --git a/changelog.d/8227.doc b/changelog.d/8227.doc new file mode 100644 index 000000000000..094fd720ac67 --- /dev/null +++ b/changelog.d/8227.doc @@ -0,0 +1 @@ +Add `/synapse/client` to the reverse proxy documentation. \ No newline at end of file From 23ee46f7da24a3da02dc07b2d4ef843ba8fa83d0 Mon Sep 17 00:00:00 2001 From: Andrew Morgan Date: Thu, 3 Sep 2020 12:17:18 +0100 Subject: [PATCH 4/7] Incorporate review feedback --- docs/reverse_proxy.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/reverse_proxy.md b/docs/reverse_proxy.md index 6291383afd2e..edd109fa7b2b 100644 --- a/docs/reverse_proxy.md +++ b/docs/reverse_proxy.md @@ -25,7 +25,7 @@ for more details of the algorithm used for federation connections, and Endpoints that are part of the standardised Matrix specification are located under `/_matrix`, whereas endpoints specific to Synapse are -located under `/_synapse`. +located under `/_synapse/client`. Let's assume that we expect clients to connect to our server at `https://matrix.example.com`, and other servers to connect at @@ -130,9 +130,9 @@ frontend https # Matrix client traffic acl matrix-host hdr(host) -i matrix.example.com acl matrix-path path_beg /_matrix - acl synapse-client-path path_beg /_matrix + acl matrix-path path_beg /_synapse/client - use_backend matrix if matrix-host matrix-path || matrix-host synapse-client-path + use_backend matrix if matrix-host matrix-path frontend matrix-federation bind :::8448 v4v6 ssl crt /etc/ssl/haproxy/synapse.pem alpn h2,http/1.1 @@ -163,5 +163,5 @@ Each configured HTTP listener has a `/health` endpoint which always returns Endpoints for administering your Synapse instance are placed under `/_synapse/admin`. These require authentication through an access token of an -admin user. Nevertheless, it is not advised to expose these ports to the public -internet. +admin user. However as access to these endpoints grants the caller a lot of power, +we do not recommend exposing them to the public internet without good reason. From ad35abeaa553ec4db351cb56c4cea516bb69e71f Mon Sep 17 00:00:00 2001 From: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com> Date: Thu, 3 Sep 2020 13:05:36 +0100 Subject: [PATCH 5/7] Update changelog.d/8227.doc Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> --- changelog.d/8227.doc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/changelog.d/8227.doc b/changelog.d/8227.doc index 094fd720ac67..4a43015a8306 100644 --- a/changelog.d/8227.doc +++ b/changelog.d/8227.doc @@ -1 +1 @@ -Add `/synapse/client` to the reverse proxy documentation. \ No newline at end of file +Add `/_synapse/client` to the reverse proxy documentation. From ff57df22b184f37bcea695ce174951b9d872e754 Mon Sep 17 00:00:00 2001 From: Andrew Morgan Date: Thu, 3 Sep 2020 15:54:47 +0100 Subject: [PATCH 6/7] Add new endpoint to worker documentation, note update in UPGRADE.rst --- UPGRADE.rst | 6 ++++++ docs/workers.md | 1 + 2 files changed, 7 insertions(+) diff --git a/UPGRADE.rst b/UPGRADE.rst index 00fe93a02e94..7e5bb71b14eb 100644 --- a/UPGRADE.rst +++ b/UPGRADE.rst @@ -87,6 +87,12 @@ to include reverse proxy directives for ``/_synapse/client/*`` endpoints. As the reset flow now uses endpoints under this prefix, **you must update your reverse proxy configurations for user password reset to work**. +Additionally, note that the `Synapse worker documentation +`_ has been updated to + state that the ``/_synapse/client/password_reset/email/submit_token`` endpoint can be handled +by all workers. If you make use of Synapse's worker feature, please update your reverse proxy +configuration to reflect this change. + Upgrading to v1.18.0 ==================== diff --git a/docs/workers.md b/docs/workers.md index bfec745897c2..df0ac84d9466 100644 --- a/docs/workers.md +++ b/docs/workers.md @@ -217,6 +217,7 @@ expressions: ^/_matrix/client/(api/v1|r0|unstable)/joined_groups$ ^/_matrix/client/(api/v1|r0|unstable)/publicised_groups$ ^/_matrix/client/(api/v1|r0|unstable)/publicised_groups/ + ^/_synapse/client/password_reset/email/submit_token$ # Registration/login requests ^/_matrix/client/(api/v1|r0|unstable)/login$ From 8b58e3d835dac3638b6718ef1d4cae97192685d6 Mon Sep 17 00:00:00 2001 From: Andrew Morgan Date: Wed, 9 Sep 2020 14:23:14 +0100 Subject: [PATCH 7/7] v1.20.0 -> v1.21.0 --- UPGRADE.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/UPGRADE.rst b/UPGRADE.rst index 7e5bb71b14eb..6e8a47ad8147 100644 --- a/UPGRADE.rst +++ b/UPGRADE.rst @@ -75,7 +75,7 @@ for example: wget https://packages.matrix.org/debian/pool/main/m/matrix-synapse-py3/matrix-synapse-py3_1.3.0+stretch1_amd64.deb dpkg -i matrix-synapse-py3_1.3.0+stretch1_amd64.deb -Upgrading to v1.20.0 +Upgrading to v1.21.0 ==================== Forwarding ``/_synapse/client`` through your reverse proxy