Fix 'ip_range_whitelist' not working for federation servers #10115

mikure · 2021-06-03T07:20:40Z

This fixes #9569, which prevented 'ip_range_whitelist' from working for federation servers.

This implements the changes already suggested by @clokep to still provide backwards-compatibility, if 'federation_ip_range_blacklist' is set. Otherwise 'ip_range_whitelist' will be used.
I hopefully got the idea right. But some tests showed the expected results.

Add 'federation_ip_range_whitelist'. This allows backwards-compatibility, If 'federation_ip_range_blacklist' is set. Otherwise 'ip_range_whitelist' will be used for federation servers.

mikure · 2021-06-03T07:27:55Z

I just realized, that I the wrong named changelog file was accidentally added. I hope, it is correct now.

richvdh

Thanks for the contribution! A few suggestions below.

changelog.d/10115.bugfix

synapse/config/server.py

Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>

richvdh · 2021-06-10T16:32:25Z

synapse/config/server.py

+        # The federation_ip_range_whitelist is used for backwards-compatibility
+        # and will always be None, as it was never set in any configuration files.
+        # If no backwards-compatibility is required, i.e. the configuration file
+        # doesn't set federation_ip_range_blacklist, use ip_range_whitelist instead.


Hrm yes, this is still a bit confusing.

How about something like this:

# federation_ip_range_blacklist is used for backwards-compatibility # and only applies to federation and identity servers. if "federation_ip_range_blacklist" in config: # Always blacklist 0.0.0.0, :: self.federation_ip_range_blacklist = generate_ip_set( config["federation_ip_range_blacklist"], ["0.0.0.0", "::"], config_path=("federation_ip_range_blacklist",), ) # 'federation_ip_range_whitelist' was never a supported configuration option. self.federation_ip_range_whitelist = None else: # federation_ip_range_blacklist is not given. # Default to ip_range_blacklist and ip_range_whitelist. self.federation_ip_range_blacklist = self.ip_range_blacklist self.federation_ip_range_whitelist = self.ip_range_whitelist

To me, that feels like makes the logic clear without needing any extra explanation. @mikure , @clokep wdyt?

That seems quite a bit more explicit, I think it is clearer. 👍

I agree. That makes is much clearer. I'll test and update later, when I have more time.

I just finished testing and I couldn't find any combinations, that didn't work as I expected.
It's also easier to not miss any combinations, as the code is much clearer now. Thank you for this suggestion, @richvdh.

richvdh

looks great. thanks very much!

richvdh

sorry, one last thing. We need your agreement to include this in Synapse.

Please could you add a comment to the PR with the contents:

Signed-off-by: Your Name <your@email.example.org>

... as per https://github.com/matrix-org/synapse/blob/develop/CONTRIBUTING.md#sign-off ?

mikure · 2021-06-14T19:52:52Z

I'm sorry. I think, I misread that section and assumed it would be added automatically.

Signed-off-by: Michael Kutzner 1mikure@gmail.com

richvdh · 2021-06-15T07:53:36Z

great, thank you!

@Sorunome

Synapse 1.37.0rc1 (2021-06-24) ============================== This release deprecates the current spam checker interface. See the [upgrade notes](https://matrix-org.github.io/synapse/develop/upgrade#deprecation-of-the-current-spam-checker-interface) for more information on how to update to the new generic module interface. This release also removes support for fetching and renewing TLS certificates using the ACME v1 protocol, which has been fully decommissioned by Let's Encrypt on June 1st 2021. Admins previously using this feature should use a [reverse proxy](https://matrix-org.github.io/synapse/develop/reverse_proxy.html) to handle TLS termination, or use an external ACME client (such as [certbot](https://certbot.eff.org/)) to retrieve a certificate and key and provide them to Synapse using the `tls_certificate_path` and `tls_private_key_path` configuration settings. Features -------- - Implement "room knocking" as per [MSC2403](matrix-org/matrix-spec-proposals#2403). Contributed by @Sorunome and anoa. ([\#6739](#6739), [\#9359](#9359), [\#10167](#10167), [\#10212](#10212), [\#10227](#10227)) - Add experimental support for backfilling history into rooms ([MSC2716](matrix-org/matrix-spec-proposals#2716)). ([\#9247](#9247)) - Implement a generic interface for third-party plugin modules. ([\#10062](#10062), [\#10206](#10206)) - Implement config option `sso.update_profile_information` to sync SSO users' profile information with the identity provider each time they login. Currently only displayname is supported. ([\#10108](#10108)) - Ensure that errors during startup are written to the logs and the console. ([\#10191](#10191)) Bugfixes -------- - Fix a bug introduced in Synapse v1.25.0 that prevented the `ip_range_whitelist` configuration option from working for federation and identity servers. Contributed by @mikure. ([\#10115](#10115)) - Remove a broken import line in Synapse's `admin_cmd` worker. Broke in Synapse v1.33.0. ([\#10154](#10154)) - Fix a bug introduced in Synapse v1.21.0 which could cause `/sync` to return immediately with an empty response. ([\#10157](#10157), [\#10158](#10158)) - Fix a minor bug in the response to `/_matrix/client/r0/user/{user}/openid/request_token` causing `expires_in` to be a float instead of an integer. Contributed by @lukaslihotzki. ([\#10175](#10175)) - Always require users to re-authenticate for dangerous operations: deactivating an account, modifying an account password, and adding 3PIDs. ([\#10184](#10184)) - Fix a bug introduced in Synpase v1.7.2 where remote server count metrics collection would be incorrectly delayed on startup. Found by @heftig. ([\#10195](#10195)) - Fix a bug introduced in Synapse v1.35.1 where an `allow` key of a `m.room.join_rules` event could be applied for incorrect room versions and configurations. ([\#10208](#10208)) - Fix performance regression in responding to user key requests over federation. Introduced in Synapse v1.34.0rc1. ([\#10221](#10221)) Improved Documentation ---------------------- - Add a new guide to decoding request logs. ([\#8436](#8436)) - Mention in the sample homeserver config that you may need to configure max upload size in your reverse proxy. Contributed by @aaronraimist. ([\#10122](#10122)) - Fix broken links in documentation. ([\#10180](#10180)) - Deploy a snapshot of the documentation website upon each new Synapse release. ([\#10198](#10198)) Deprecations and Removals ------------------------- - The current spam checker interface is deprecated in favour of a new generic modules system. See the [upgrade notes](https://matrix-org.github.io/synapse/develop/upgrade#deprecation-of-the-current-spam-checker-interface) for more information on how to update to the new system. ([\#10062](#10062), [\#10210](#10210), [\#10238](#10238)) - Stop supporting the unstable spaces prefixes from MSC1772. ([\#10161](#10161)) - Remove Synapse's support for automatically fetching and renewing certificates using the ACME v1 protocol. This protocol has been fully turned off by Let's Encrypt for existing installations on June 1st 2021. Admins previously using this feature should use a [reverse proxy](https://matrix-org.github.io/synapse/develop/reverse_proxy.html) to handle TLS termination, or use an external ACME client (such as [certbot](https://certbot.eff.org/)) to retrieve a certificate and key and provide them to Synapse using the `tls_certificate_path` and `tls_private_key_path` configuration settings. ([\#10194](#10194)) Internal Changes ---------------- - Update the database schema versioning to support gradual migration away from legacy tables. ([\#9933](#9933)) - Add type hints to the federation servlets. ([\#10080](#10080)) - Improve OpenTracing for event persistence. ([\#10134](#10134), [\#10193](#10193)) - Clean up the interface for injecting OpenTracing over HTTP. ([\#10143](#10143)) - Limit the number of in-flight `/keys/query` requests from a single device. ([\#10144](#10144)) - Refactor EventPersistenceQueue. ([\#10145](#10145)) - Document `SYNAPSE_TEST_LOG_LEVEL` to see the logger output when running tests. ([\#10148](#10148)) - Update the Complement build tags in GitHub Actions to test currently experimental features. ([\#10155](#10155)) - Add a `synapse_federation_soft_failed_events_total` metric to track how often events are soft failed. ([\#10156](#10156)) - Fetch the corresponding complement branch when performing CI. ([\#10160](#10160)) - Add some developer documentation about boolean columns in database schemas. ([\#10164](#10164)) - Add extra logging fields to better debug where events are being soft failed. ([\#10168](#10168)) - Add debug logging for when we enter and exit `Measure` blocks. ([\#10183](#10183)) - Improve comments in structured logging code. ([\#10188](#10188)) - Update [MSC3083](matrix-org/matrix-spec-proposals#3083) support with modifications from the MSC. ([\#10189](#10189)) - Remove redundant DNS lookup limiter. ([\#10190](#10190)) - Upgrade `black` linting tool to 21.6b0. ([\#10197](#10197)) - Expose OpenTracing trace id in response headers. ([\#10199](#10199))

@Sorunome

Synapse 1.37.0rc1 (2021-06-24) ============================== This release deprecates the current spam checker interface. See the [upgrade notes](https://matrix-org.github.io/synapse/develop/upgrade#deprecation-of-the-current-spam-checker-interface) for more information on how to update to the new generic module interface. This release also removes support for fetching and renewing TLS certificates using the ACME v1 protocol, which has been fully decommissioned by Let's Encrypt on June 1st 2021. Admins previously using this feature should use a [reverse proxy](https://matrix-org.github.io/synapse/develop/reverse_proxy.html) to handle TLS termination, or use an external ACME client (such as [certbot](https://certbot.eff.org/)) to retrieve a certificate and key and provide them to Synapse using the `tls_certificate_path` and `tls_private_key_path` configuration settings. Features -------- - Implement "room knocking" as per [MSC2403](matrix-org/matrix-spec-proposals#2403). Contributed by @Sorunome and anoa. ([\#6739](#6739), [\#9359](#9359), [\#10167](#10167), [\#10212](#10212), [\#10227](#10227)) - Add experimental support for backfilling history into rooms ([MSC2716](matrix-org/matrix-spec-proposals#2716)). ([\#9247](#9247)) - Implement a generic interface for third-party plugin modules. ([\#10062](#10062), [\#10206](#10206)) - Implement config option `sso.update_profile_information` to sync SSO users' profile information with the identity provider each time they login. Currently only displayname is supported. ([\#10108](#10108)) - Ensure that errors during startup are written to the logs and the console. ([\#10191](#10191)) Bugfixes -------- - Fix a bug introduced in Synapse v1.25.0 that prevented the `ip_range_whitelist` configuration option from working for federation and identity servers. Contributed by @mikure. ([\#10115](#10115)) - Remove a broken import line in Synapse's `admin_cmd` worker. Broke in Synapse v1.33.0. ([\#10154](#10154)) - Fix a bug introduced in Synapse v1.21.0 which could cause `/sync` to return immediately with an empty response. ([\#10157](#10157), [\#10158](#10158)) - Fix a minor bug in the response to `/_matrix/client/r0/user/{user}/openid/request_token` causing `expires_in` to be a float instead of an integer. Contributed by @lukaslihotzki. ([\#10175](#10175)) - Always require users to re-authenticate for dangerous operations: deactivating an account, modifying an account password, and adding 3PIDs. ([\#10184](#10184)) - Fix a bug introduced in Synpase v1.7.2 where remote server count metrics collection would be incorrectly delayed on startup. Found by @heftig. ([\#10195](#10195)) - Fix a bug introduced in Synapse v1.35.1 where an `allow` key of a `m.room.join_rules` event could be applied for incorrect room versions and configurations. ([\#10208](#10208)) - Fix performance regression in responding to user key requests over federation. Introduced in Synapse v1.34.0rc1. ([\#10221](#10221)) Improved Documentation ---------------------- - Add a new guide to decoding request logs. ([\#8436](#8436)) - Mention in the sample homeserver config that you may need to configure max upload size in your reverse proxy. Contributed by @aaronraimist. ([\#10122](#10122)) - Fix broken links in documentation. ([\#10180](#10180)) - Deploy a snapshot of the documentation website upon each new Synapse release. ([\#10198](#10198)) Deprecations and Removals ------------------------- - The current spam checker interface is deprecated in favour of a new generic modules system. See the [upgrade notes](https://matrix-org.github.io/synapse/develop/upgrade#deprecation-of-the-current-spam-checker-interface) for more information on how to update to the new system. ([\#10062](#10062), [\#10210](#10210), [\#10238](#10238)) - Stop supporting the unstable spaces prefixes from MSC1772. ([\#10161](#10161)) - Remove Synapse's support for automatically fetching and renewing certificates using the ACME v1 protocol. This protocol has been fully turned off by Let's Encrypt for existing installations on June 1st 2021. Admins previously using this feature should use a [reverse proxy](https://matrix-org.github.io/synapse/develop/reverse_proxy.html) to handle TLS termination, or use an external ACME client (such as [certbot](https://certbot.eff.org/)) to retrieve a certificate and key and provide them to Synapse using the `tls_certificate_path` and `tls_private_key_path` configuration settings. ([\#10194](#10194)) Internal Changes ---------------- - Update the database schema versioning to support gradual migration away from legacy tables. ([\#9933](#9933)) - Add type hints to the federation servlets. ([\#10080](#10080)) - Improve OpenTracing for event persistence. ([\#10134](#10134), [\#10193](#10193)) - Clean up the interface for injecting OpenTracing over HTTP. ([\#10143](#10143)) - Limit the number of in-flight `/keys/query` requests from a single device. ([\#10144](#10144)) - Refactor EventPersistenceQueue. ([\#10145](#10145)) - Document `SYNAPSE_TEST_LOG_LEVEL` to see the logger output when running tests. ([\#10148](#10148)) - Update the Complement build tags in GitHub Actions to test currently experimental features. ([\#10155](#10155)) - Add a `synapse_federation_soft_failed_events_total` metric to track how often events are soft failed. ([\#10156](#10156)) - Fetch the corresponding complement branch when performing CI. ([\#10160](#10160)) - Add some developer documentation about boolean columns in database schemas. ([\#10164](#10164)) - Add extra logging fields to better debug where events are being soft failed. ([\#10168](#10168)) - Add debug logging for when we enter and exit `Measure` blocks. ([\#10183](#10183)) - Improve comments in structured logging code. ([\#10188](#10188)) - Update [MSC3083](matrix-org/matrix-spec-proposals#3083) support with modifications from the MSC. ([\#10189](#10189)) - Remove redundant DNS lookup limiter. ([\#10190](#10190)) - Upgrade `black` linting tool to 21.6b0. ([\#10197](#10197)) - Expose OpenTracing trace id in response headers. ([\#10199](#10199))

@Sorunome

Synapse 1.37.0 (2021-06-29) =========================== This release deprecates the current spam checker interface. See the [upgrade notes](https://matrix-org.github.io/synapse/develop/upgrade#deprecation-of-the-current-spam-checker-interface) for more information on how to update to the new generic module interface. This release also removes support for fetching and renewing TLS certificates using the ACME v1 protocol, which has been fully decommissioned by Let's Encrypt on June 1st 2021. Admins previously using this feature should use a [reverse proxy](https://matrix-org.github.io/synapse/develop/reverse_proxy.html) to handle TLS termination, or use an external ACME client (such as [certbot](https://certbot.eff.org/)) to retrieve a certificate and key and provide them to Synapse using the `tls_certificate_path` and `tls_private_key_path` configuration settings. Synapse 1.37.0rc1 (2021-06-24) ============================== Features -------- - Implement "room knocking" as per [MSC2403](matrix-org/matrix-spec-proposals#2403). Contributed by @Sorunome and anoa. ([\#6739](matrix-org/synapse#6739), [\#9359](matrix-org/synapse#9359), [\#10167](matrix-org/synapse#10167), [\#10212](matrix-org/synapse#10212), [\#10227](matrix-org/synapse#10227)) - Add experimental support for backfilling history into rooms ([MSC2716](matrix-org/matrix-spec-proposals#2716)). ([\#9247](matrix-org/synapse#9247)) - Implement a generic interface for third-party plugin modules. ([\#10062](matrix-org/synapse#10062), [\#10206](matrix-org/synapse#10206)) - Implement config option `sso.update_profile_information` to sync SSO users' profile information with the identity provider each time they login. Currently only displayname is supported. ([\#10108](matrix-org/synapse#10108)) - Ensure that errors during startup are written to the logs and the console. ([\#10191](matrix-org/synapse#10191)) Bugfixes -------- - Fix a bug introduced in Synapse v1.25.0 that prevented the `ip_range_whitelist` configuration option from working for federation and identity servers. Contributed by @mikure. ([\#10115](matrix-org/synapse#10115)) - Remove a broken import line in Synapse's `admin_cmd` worker. Broke in Synapse v1.33.0. ([\#10154](matrix-org/synapse#10154)) - Fix a bug introduced in Synapse v1.21.0 which could cause `/sync` to return immediately with an empty response. ([\#10157](matrix-org/synapse#10157), [\#10158](matrix-org/synapse#10158)) - Fix a minor bug in the response to `/_matrix/client/r0/user/{user}/openid/request_token` causing `expires_in` to be a float instead of an integer. Contributed by @lukaslihotzki. ([\#10175](matrix-org/synapse#10175)) - Always require users to re-authenticate for dangerous operations: deactivating an account, modifying an account password, and adding 3PIDs. ([\#10184](matrix-org/synapse#10184)) - Fix a bug introduced in Synpase v1.7.2 where remote server count metrics collection would be incorrectly delayed on startup. Found by @heftig. ([\#10195](matrix-org/synapse#10195)) - Fix a bug introduced in Synapse v1.35.1 where an `allow` key of a `m.room.join_rules` event could be applied for incorrect room versions and configurations. ([\#10208](matrix-org/synapse#10208)) - Fix performance regression in responding to user key requests over federation. Introduced in Synapse v1.34.0rc1. ([\#10221](matrix-org/synapse#10221)) Improved Documentation ---------------------- - Add a new guide to decoding request logs. ([\#8436](matrix-org/synapse#8436)) - Mention in the sample homeserver config that you may need to configure max upload size in your reverse proxy. Contributed by @aaronraimist. ([\#10122](matrix-org/synapse#10122)) - Fix broken links in documentation. ([\#10180](matrix-org/synapse#10180)) - Deploy a snapshot of the documentation website upon each new Synapse release. ([\#10198](matrix-org/synapse#10198)) Deprecations and Removals ------------------------- - The current spam checker interface is deprecated in favour of a new generic modules system. See the [upgrade notes](https://matrix-org.github.io/synapse/develop/upgrade#deprecation-of-the-current-spam-checker-interface) for more information on how to update to the new system. ([\#10062](matrix-org/synapse#10062), [\#10210](matrix-org/synapse#10210), [\#10238](matrix-org/synapse#10238)) - Stop supporting the unstable spaces prefixes from MSC1772. ([\#10161](matrix-org/synapse#10161)) - Remove Synapse's support for automatically fetching and renewing certificates using the ACME v1 protocol. This protocol has been fully turned off by Let's Encrypt for existing installations on June 1st 2021. Admins previously using this feature should use a [reverse proxy](https://matrix-org.github.io/synapse/develop/reverse_proxy.html) to handle TLS termination, or use an external ACME client (such as [certbot](https://certbot.eff.org/)) to retrieve a certificate and key and provide them to Synapse using the `tls_certificate_path` and `tls_private_key_path` configuration settings. ([\#10194](matrix-org/synapse#10194)) Internal Changes ---------------- - Update the database schema versioning to support gradual migration away from legacy tables. ([\#9933](matrix-org/synapse#9933)) - Add type hints to the federation servlets. ([\#10080](matrix-org/synapse#10080)) - Improve OpenTracing for event persistence. ([\#10134](matrix-org/synapse#10134), [\#10193](matrix-org/synapse#10193)) - Clean up the interface for injecting OpenTracing over HTTP. ([\#10143](matrix-org/synapse#10143)) - Limit the number of in-flight `/keys/query` requests from a single device. ([\#10144](matrix-org/synapse#10144)) - Refactor EventPersistenceQueue. ([\#10145](matrix-org/synapse#10145)) - Document `SYNAPSE_TEST_LOG_LEVEL` to see the logger output when running tests. ([\#10148](matrix-org/synapse#10148)) - Update the Complement build tags in GitHub Actions to test currently experimental features. ([\#10155](matrix-org/synapse#10155)) - Add a `synapse_federation_soft_failed_events_total` metric to track how often events are soft failed. ([\#10156](matrix-org/synapse#10156)) - Fetch the corresponding complement branch when performing CI. ([\#10160](matrix-org/synapse#10160)) - Add some developer documentation about boolean columns in database schemas. ([\#10164](matrix-org/synapse#10164)) - Add extra logging fields to better debug where events are being soft failed. ([\#10168](matrix-org/synapse#10168)) - Add debug logging for when we enter and exit `Measure` blocks. ([\#10183](matrix-org/synapse#10183)) - Improve comments in structured logging code. ([\#10188](matrix-org/synapse#10188)) - Update [MSC3083](matrix-org/matrix-spec-proposals#3083) support with modifications from the MSC. ([\#10189](matrix-org/synapse#10189)) - Remove redundant DNS lookup limiter. ([\#10190](matrix-org/synapse#10190)) - Upgrade `black` linting tool to 21.6b0. ([\#10197](matrix-org/synapse#10197)) - Expose OpenTracing trace id in response headers. ([\#10199](matrix-org/synapse#10199)) Synapse 1.36.0 (2021-06-15) =========================== No significant changes. Synapse 1.36.0rc2 (2021-06-11) ============================== Bugfixes -------- - Fix a bug which caused presence updates to stop working some time after a restart, when using a presence writer worker. Broke in v1.33.0. ([\#10149](matrix-org/synapse#10149)) - Fix a bug when using federation sender worker where it would send out more presence updates than necessary, leading to high resource usage. Broke in v1.33.0. ([\#10163](matrix-org/synapse#10163)) - Fix a bug where Synapse could send the same presence update to a remote twice. ([\#10165](matrix-org/synapse#10165)) Synapse 1.36.0rc1 (2021-06-08) ============================== Features -------- - Add new endpoint `/_matrix/client/r0/rooms/{roomId}/aliases` from Client-Server API r0.6.1 (previously [MSC2432](matrix-org/matrix-spec-proposals#2432)). ([\#9224](matrix-org/synapse#9224)) - Improve performance of incoming federation transactions in large rooms. ([\#9953](matrix-org/synapse#9953), [\#9973](matrix-org/synapse#9973)) - Rewrite logic around verifying JSON object and fetching server keys to be more performant and use less memory. ([\#10035](matrix-org/synapse#10035)) - Add new admin APIs for unprotecting local media from quarantine. Contributed by @dklimpel. ([\#10040](matrix-org/synapse#10040)) - Add new admin APIs to remove media by media ID from quarantine. Contributed by @dklimpel. ([\#10044](matrix-org/synapse#10044)) - Make reason and score parameters optional for reporting content. Implements [MSC2414](matrix-org/matrix-spec-proposals#2414). Contributed by Callum Brown. ([\#10077](matrix-org/synapse#10077)) - Add support for routing more requests to workers. ([\#10084](matrix-org/synapse#10084)) - Report OpenTracing spans for database activity. ([\#10113](matrix-org/synapse#10113), [\#10136](matrix-org/synapse#10136), [\#10141](matrix-org/synapse#10141)) - Significantly reduce memory usage of joining large remote rooms. ([\#10117](matrix-org/synapse#10117)) Bugfixes -------- - Fixed a bug causing replication requests to fail when receiving a lot of events via federation. ([\#10082](matrix-org/synapse#10082)) - Fix a bug in the `force_tracing_for_users` option introduced in Synapse v1.35 which meant that the OpenTracing spans produced were missing most tags. ([\#10092](matrix-org/synapse#10092)) - Fixed a bug that could cause Synapse to stop notifying application services. Contributed by Willem Mulder. ([\#10107](matrix-org/synapse#10107)) - Fix bug where the server would attempt to fetch the same history in the room from a remote server multiple times in parallel. ([\#10116](matrix-org/synapse#10116)) - Fix a bug introduced in Synapse 1.33.0 which caused replication requests to fail when receiving a lot of very large events via federation. ([\#10118](matrix-org/synapse#10118)) - Fix bug when using workers where pagination requests failed if a remote server returned zero events from `/backfill`. Introduced in 1.35.0. ([\#10133](matrix-org/synapse#10133)) Improved Documentation ---------------------- - Clarify security note regarding hosting Synapse on the same domain as other web applications. ([\#9221](matrix-org/synapse#9221)) - Update CAPTCHA documentation to mention turning off the verify origin feature. Contributed by @aaronraimist. ([\#10046](matrix-org/synapse#10046)) - Tweak wording of database recommendation in `INSTALL.md`. Contributed by @aaronraimist. ([\#10057](matrix-org/synapse#10057)) - Add initial infrastructure for rendering Synapse documentation with mdbook. ([\#10086](matrix-org/synapse#10086)) - Convert the remaining Admin API documentation files to markdown. ([\#10089](matrix-org/synapse#10089)) - Make a link in docs use HTTPS. Contributed by @RhnSharma. ([\#10130](matrix-org/synapse#10130)) - Fix broken link in Docker docs. ([\#10132](matrix-org/synapse#10132)) Deprecations and Removals ------------------------- - Remove the experimental `spaces_enabled` flag. The spaces features are always available now. ([\#10063](matrix-org/synapse#10063)) Internal Changes ---------------- - Tell CircleCI to build Docker images from `main` branch. ([\#9906](matrix-org/synapse#9906)) - Simplify naming convention for release branches to only include the major and minor version numbers. ([\#10013](matrix-org/synapse#10013)) - Add `parse_strings_from_args` for parsing an array from query parameters. ([\#10048](matrix-org/synapse#10048), [\#10137](matrix-org/synapse#10137)) - Remove some dead code regarding TLS certificate handling. ([\#10054](matrix-org/synapse#10054)) - Remove redundant, unmaintained `convert_server_keys` script. ([\#10055](matrix-org/synapse#10055)) - Improve the error message printed by synctl when synapse fails to start. ([\#10059](matrix-org/synapse#10059)) - Fix GitHub Actions lint for newsfragments. ([\#10069](matrix-org/synapse#10069)) - Update opentracing to inject the right context into the carrier. ([\#10074](matrix-org/synapse#10074)) - Fix up `BatchingQueue` implementation. ([\#10078](matrix-org/synapse#10078)) - Log method and path when dropping request due to size limit. ([\#10091](matrix-org/synapse#10091)) - In Github Actions workflows, summarize the Sytest results in an easy-to-read format. ([\#10094](matrix-org/synapse#10094)) - Make `/sync` do fewer state resolutions. ([\#10102](matrix-org/synapse#10102)) - Add missing type hints to the admin API servlets. ([\#10105](matrix-org/synapse#10105)) - Improve opentracing annotations for `Notifier`. ([\#10111](matrix-org/synapse#10111)) - Enable Prometheus metrics for the jaeger client library. ([\#10112](matrix-org/synapse#10112)) - Work to improve the responsiveness of `/sync` requests. ([\#10124](matrix-org/synapse#10124)) - OpenTracing: use a consistent name for background processes. ([\#10135](matrix-org/synapse#10135))

@Sorunome

Synapse 1.37.0 (2021-06-29) =========================== This release deprecates the current spam checker interface. See the [upgrade notes](https://matrix-org.github.io/synapse/develop/upgrade#deprecation-of-the-current-spam-checker-interface) for more information on how to update to the new generic module interface. This release also removes support for fetching and renewing TLS certificates using the ACME v1 protocol, which has been fully decommissioned by Let's Encrypt on June 1st 2021. Admins previously using this feature should use a [reverse proxy](https://matrix-org.github.io/synapse/develop/reverse_proxy.html) to handle TLS termination, or use an external ACME client (such as [certbot](https://certbot.eff.org/)) to retrieve a certificate and key and provide them to Synapse using the `tls_certificate_path` and `tls_private_key_path` configuration settings. Synapse 1.37.0rc1 (2021-06-24) ============================== Features -------- - Implement "room knocking" as per [MSC2403](matrix-org/matrix-spec-proposals#2403). Contributed by @Sorunome and anoa. ([\#6739](matrix-org/synapse#6739), [\#9359](matrix-org/synapse#9359), [\#10167](matrix-org/synapse#10167), [\#10212](matrix-org/synapse#10212), [\#10227](matrix-org/synapse#10227)) - Add experimental support for backfilling history into rooms ([MSC2716](matrix-org/matrix-spec-proposals#2716)). ([\#9247](matrix-org/synapse#9247)) - Implement a generic interface for third-party plugin modules. ([\#10062](matrix-org/synapse#10062), [\#10206](matrix-org/synapse#10206)) - Implement config option `sso.update_profile_information` to sync SSO users' profile information with the identity provider each time they login. Currently only displayname is supported. ([\#10108](matrix-org/synapse#10108)) - Ensure that errors during startup are written to the logs and the console. ([\#10191](matrix-org/synapse#10191)) Bugfixes -------- - Fix a bug introduced in Synapse v1.25.0 that prevented the `ip_range_whitelist` configuration option from working for federation and identity servers. Contributed by @mikure. ([\#10115](matrix-org/synapse#10115)) - Remove a broken import line in Synapse's `admin_cmd` worker. Broke in Synapse v1.33.0. ([\#10154](matrix-org/synapse#10154)) - Fix a bug introduced in Synapse v1.21.0 which could cause `/sync` to return immediately with an empty response. ([\#10157](matrix-org/synapse#10157), [\#10158](matrix-org/synapse#10158)) - Fix a minor bug in the response to `/_matrix/client/r0/user/{user}/openid/request_token` causing `expires_in` to be a float instead of an integer. Contributed by @lukaslihotzki. ([\#10175](matrix-org/synapse#10175)) - Always require users to re-authenticate for dangerous operations: deactivating an account, modifying an account password, and adding 3PIDs. ([\#10184](matrix-org/synapse#10184)) - Fix a bug introduced in Synpase v1.7.2 where remote server count metrics collection would be incorrectly delayed on startup. Found by @heftig. ([\#10195](matrix-org/synapse#10195)) - Fix a bug introduced in Synapse v1.35.1 where an `allow` key of a `m.room.join_rules` event could be applied for incorrect room versions and configurations. ([\#10208](matrix-org/synapse#10208)) - Fix performance regression in responding to user key requests over federation. Introduced in Synapse v1.34.0rc1. ([\#10221](matrix-org/synapse#10221)) Improved Documentation ---------------------- - Add a new guide to decoding request logs. ([\#8436](matrix-org/synapse#8436)) - Mention in the sample homeserver config that you may need to configure max upload size in your reverse proxy. Contributed by @aaronraimist. ([\#10122](matrix-org/synapse#10122)) - Fix broken links in documentation. ([\#10180](matrix-org/synapse#10180)) - Deploy a snapshot of the documentation website upon each new Synapse release. ([\#10198](matrix-org/synapse#10198)) Deprecations and Removals ------------------------- - The current spam checker interface is deprecated in favour of a new generic modules system. See the [upgrade notes](https://matrix-org.github.io/synapse/develop/upgrade#deprecation-of-the-current-spam-checker-interface) for more information on how to update to the new system. ([\#10062](matrix-org/synapse#10062), [\#10210](matrix-org/synapse#10210), [\#10238](matrix-org/synapse#10238)) - Stop supporting the unstable spaces prefixes from MSC1772. ([\#10161](matrix-org/synapse#10161)) - Remove Synapse's support for automatically fetching and renewing certificates using the ACME v1 protocol. This protocol has been fully turned off by Let's Encrypt for existing installations on June 1st 2021. Admins previously using this feature should use a [reverse proxy](https://matrix-org.github.io/synapse/develop/reverse_proxy.html) to handle TLS termination, or use an external ACME client (such as [certbot](https://certbot.eff.org/)) to retrieve a certificate and key and provide them to Synapse using the `tls_certificate_path` and `tls_private_key_path` configuration settings. ([\#10194](matrix-org/synapse#10194)) Internal Changes ---------------- - Update the database schema versioning to support gradual migration away from legacy tables. ([\#9933](matrix-org/synapse#9933)) - Add type hints to the federation servlets. ([\#10080](matrix-org/synapse#10080)) - Improve OpenTracing for event persistence. ([\#10134](matrix-org/synapse#10134), [\#10193](matrix-org/synapse#10193)) - Clean up the interface for injecting OpenTracing over HTTP. ([\#10143](matrix-org/synapse#10143)) - Limit the number of in-flight `/keys/query` requests from a single device. ([\#10144](matrix-org/synapse#10144)) - Refactor EventPersistenceQueue. ([\#10145](matrix-org/synapse#10145)) - Document `SYNAPSE_TEST_LOG_LEVEL` to see the logger output when running tests. ([\#10148](matrix-org/synapse#10148)) - Update the Complement build tags in GitHub Actions to test currently experimental features. ([\#10155](matrix-org/synapse#10155)) - Add a `synapse_federation_soft_failed_events_total` metric to track how often events are soft failed. ([\#10156](matrix-org/synapse#10156)) - Fetch the corresponding complement branch when performing CI. ([\#10160](matrix-org/synapse#10160)) - Add some developer documentation about boolean columns in database schemas. ([\#10164](matrix-org/synapse#10164)) - Add extra logging fields to better debug where events are being soft failed. ([\#10168](matrix-org/synapse#10168)) - Add debug logging for when we enter and exit `Measure` blocks. ([\#10183](matrix-org/synapse#10183)) - Improve comments in structured logging code. ([\#10188](matrix-org/synapse#10188)) - Update [MSC3083](matrix-org/matrix-spec-proposals#3083) support with modifications from the MSC. ([\#10189](matrix-org/synapse#10189)) - Remove redundant DNS lookup limiter. ([\#10190](matrix-org/synapse#10190)) - Upgrade `black` linting tool to 21.6b0. ([\#10197](matrix-org/synapse#10197)) - Expose OpenTracing trace id in response headers. ([\#10199](matrix-org/synapse#10199))

mikure added 3 commits June 3, 2021 06:42

Create 9569.bugfix

d0d833d

Fix 'ip_range_whitelist' not working for federation servers

21b7e77

Add 'federation_ip_range_whitelist'. This allows backwards-compatibility, If 'federation_ip_range_blacklist' is set. Otherwise 'ip_range_whitelist' will be used for federation servers.

Remove incorrect named changelog file

86010c4

clokep requested a review from a team June 3, 2021 11:23

richvdh suggested changes Jun 7, 2021

View reviewed changes

changelog.d/10115.bugfix Outdated Show resolved Hide resolved

changelog.d/10115.bugfix Outdated Show resolved Hide resolved

synapse/config/server.py Outdated Show resolved Hide resolved

mikure and others added 3 commits June 10, 2021 05:31

Update changelog.d/10115.bugfix

1dc53bf

Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>

Update changelog.d/10115.bugfix

c821203

Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>

Add explanation about backwards-compatibiliy check

fc202ea

richvdh self-requested a review June 10, 2021 11:20

richvdh reviewed Jun 10, 2021

View reviewed changes

erikjohnston mentioned this pull request Jun 11, 2021

Synapse fails to make DNS query for its own hostname when attempting invite via 3PID #9475

Closed

mikure added 2 commits June 13, 2021 11:23

Restructure code for readability

604a7ed

Merge branch 'matrix-org:develop' into fix9569-merged

31b1cb7

richvdh self-requested a review June 14, 2021 09:02

richvdh approved these changes Jun 14, 2021

View reviewed changes

richvdh suggested changes Jun 14, 2021

View reviewed changes

richvdh merged commit aac2c49 into matrix-org:develop Jun 15, 2021

mikure deleted the fix9569-merged branch June 21, 2021 15:50

richvdh mentioned this pull request Jun 24, 2021

Confusing error when Synapse fails to connect to a domain due to it being on the blacklist #10224

Open

DMRobertson mentioned this pull request Oct 19, 2021

Consider IP whitelist for identity server resolution #11120

Merged

4 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix 'ip_range_whitelist' not working for federation servers #10115

Fix 'ip_range_whitelist' not working for federation servers #10115

mikure commented Jun 3, 2021

mikure commented Jun 3, 2021

richvdh left a comment

richvdh Jun 10, 2021

clokep Jun 10, 2021

mikure Jun 11, 2021

mikure Jun 13, 2021

richvdh left a comment

richvdh left a comment

mikure commented Jun 14, 2021

richvdh commented Jun 15, 2021

Fix 'ip_range_whitelist' not working for federation servers #10115

Fix 'ip_range_whitelist' not working for federation servers #10115

Conversation

mikure commented Jun 3, 2021

mikure commented Jun 3, 2021

richvdh left a comment

Choose a reason for hiding this comment

richvdh Jun 10, 2021

Choose a reason for hiding this comment

clokep Jun 10, 2021

Choose a reason for hiding this comment

mikure Jun 11, 2021

Choose a reason for hiding this comment

mikure Jun 13, 2021

Choose a reason for hiding this comment

richvdh left a comment

Choose a reason for hiding this comment

richvdh left a comment

Choose a reason for hiding this comment

mikure commented Jun 14, 2021

richvdh commented Jun 15, 2021