Add federation_domain_whitelist option #2820
Conversation
Gives a way to restrict which domains your HS is allowed to federate with. Useful mainly for gracefully preventing a private but internet-connected HS from trying to federate to the wider public Matrix network.
@@ -266,6 +266,9 @@ def get_pdu(self, destinations, event_id, outlier=False, timeout=None): | |||
except NotRetryingDestination as e: | |||
logger.info(e.message) | |||
continue | |||
except FederationDeniedError as e: | |||
logger.debug(e.message) |
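Review bot: the hunk header counts three added lines but only two are visible here; make sure the new `except FederationDeniedError` branch ends with `continue`, as the `NotRetryingDestination` branch above it does, otherwise the loop falls through to the post-request handling for a destination that was never contacted. A denied destination is also an operator-visible condition, so `logger.info(e.message)` fits better than `logger.debug`, which is off at the default log level.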
Is there a reason to log these at debug rather than info? Debug logging is normally disabled, so I'm worried that people will get obscure failure modes due to lack of logging
this was a thinko which i forgot to fully fix - thanks.
synapse/config/server.py
Outdated
@@ -55,6 +55,15 @@ def read_config(self, config): | |||
"block_non_admin_invites", False, | |||
) | |||
|
|||
federation_domain_whitelist = config.get( |
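Review bot: the `config.get(` read needs to keep an absent key distinct from an explicitly empty list, because the two should behave differently (absent: federate with everyone; `[]`: federate with no one). Reading `config.get("federation_domain_whitelist", None)`, keeping `None` as the "no restriction" sentinel, and converting any list (an empty one included) into the set that is actually checked avoids an empty whitelist silently meaning "allow everything".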
It feels very odd that you can whitelist everything by having an empty whitelist. I wonder if it would be better to make an empty whitelist actually mean that nothing is allowed, and have the default be *
good point; fixed.
@@ -41,15 +43,17 @@ def setUp(self): | |||
self.event_id = 0 | |||
|
|||
server_factory = ReplicationStreamProtocolFactory(self.hs) | |||
listener = reactor.listenUNIX("\0xxx", server_factory) | |||
# XXX: mktemp is unsafe and should never be used. but we're just a test. | |||
path = tempfile.mktemp(prefix="base_slaved_store_test_case_socket") |
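Review bot: `tempfile.mktemp` only returns a name without creating anything, so another process can claim the path before `reactor.listenUNIX` binds it; the comment already admits this, but `tempfile.mkdtemp()` with a fixed socket filename inside the new directory removes the race and gives `tearDown` a concrete directory to delete. Separately, replacing the abstract-namespace socket `"\0xxx"` with a filesystem path has nothing to do with the whitelist feature and belongs in its own PR.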
This looks unrelated. Can you make it a separate PR please
yes, it is unrelated, other than being pulled in to fix the tests whilst doing this PR. given it's trivial, i'd prefer to not burn the time splitting it out at this point.
Keeping unrelated things in separate PRs makes it easier to review them, helps with bisecting, and makes it easier to back things out separately if they turn out to be ill-advised. It being trivial means it's all the easier to separate out.
I've done it for you: c776c52 backs out the changes; #2821 is the new PR.
@erikjohnston (or @richvdh, but i'd have thought rich would rather snowboard) can you PTAL again?
synapse/config/server.py
Outdated
@@ -222,7 +224,8 @@ def default_config(self, server_name, **kwargs): | |||
# Restrict federation to the following whitelist of domains. | |||
# N.B. we recommend also firewalling your federation listener to limit | |||
# inbound federation traffic as early as possible, rather than relying | |||
# purely on this application-layer restriction. | |||
# purely on this application-layer restriction. If not specified, the | |||
# default is to whitelist nothing. |
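Review bot: the added sentence "If not specified, the default is to whitelist nothing" states the opposite of the intended behaviour: leaving the key out leaves federation unrestricted, and only an explicit empty list blocks everything. Reword to "the default is to whitelist everything", and since this sample config is what operators will read, spell out that an empty list disables federation entirely.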
s/nothing/everything?
logger.debug(e) | ||
raise SynapseError(403, e.message) | ||
logger.info(e) | ||
raise e |
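Review bot: `raise e` re-raises from the current frame and, on Python 2, discards the original traceback; a bare `raise` preserves it. More importantly, because `FederationDeniedError` is a subclass of `SynapseError`, the earlier clause that handles `SynapseError` (the `raise SynapseError(403, e.message)` path) will catch it first, so the `logger.info(e)` / `raise e` branch is unreachable and can simply be dropped.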
this should probably be `raise` rather than `raise e`, unless there is a good reason to throw a new exception and hence swallow the original stack trace.
Although, looking at it, I don't think you'll ever get here, because `FederationDeniedError` is a subclass of `SynapseError`, so the clause at line 382 will get taken instead. I think you might as well remove the whole thing
ok. have pushed remaining PR fixes.
lgtm. Please squash before/during merging so that we don't have all the bad commits confusing things for future bisecting
It'd be really nice to have some logging for the 403 (deny) so that homeserver operators can add inbound addresses that are constantly retrying.
@storrgie That should be possible when you have your server logs set to INFO.
Is there a way to wildcard name servers in order to disable the federation entirely?
There doesn't appear to be wildcard support, but setting it to an empty array looks to be a way to disable it. As per the sample configuration, it's probably best to firewall it though (both inbound and outbound).
AFAIK when the federation whitelist is unset all federation is allowed. In short: Add
to your config and remove your federation listener to disable all federation //EDIT: Extended with more explicit HowTo
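The whitelist semantics worked out across this thread (an absent key leaves federation unrestricted, an explicit empty list allows nothing, a non-empty list allows only the names it contains, no wildcard, denials logged at INFO so operators can see them, and the same check applied to outbound destinations and inbound origins) modelled as an added Python example. This is not Synapse's own code: `load_whitelist`, `check_federation`, `is_allowed` and the `FederationDeniedError` class here are this example's own names, and the sample configs are constructed.

```python
"""Illustrative federation domain whitelist check (added example, not Synapse code).

Semantics modelled: a missing or null federation_domain_whitelist key leaves
federation unrestricted, an explicit empty list allows no federation at all,
and a non-empty list allows only the server names it contains. There is no
wildcard. The same check guards outbound destinations and inbound origins.
"""
import logging
from typing import FrozenSet, Optional

logger = logging.getLogger("federation_whitelist_example")


class FederationDeniedError(Exception):
    """Raised when a server name falls outside the configured whitelist (example class)."""

    def __init__(self, server_name: str, direction: str) -> None:
        super().__init__("Federation denied: %s traffic for %s is not whitelisted"
                         % (direction, server_name))
        self.server_name = server_name
        self.direction = direction


def load_whitelist(config: dict) -> Optional[FrozenSet[str]]:
    """Read federation_domain_whitelist from a parsed (YAML-style) config mapping.

    Returns None when the key is absent or null, meaning "no restriction".
    Any list, including an empty one, becomes the set that is checked, so an
    explicit [] yields an empty set and denies everything.
    """
    raw = config.get("federation_domain_whitelist", None)
    if raw is None:
        return None
    if not isinstance(raw, list) or not all(isinstance(name, str) for name in raw):
        raise ValueError("federation_domain_whitelist must be a list of server names")
    # Server names match exactly as written (host or host:port); no wildcards.
    return frozenset(name.strip() for name in raw)


def check_federation(whitelist: Optional[FrozenSet[str]], server_name: str,
                     direction: str = "outbound") -> None:
    """Raise FederationDeniedError unless server_name may federate with us.

    Denials are logged at INFO rather than DEBUG so an operator running the
    default log level can spot a remote server that keeps retrying.
    """
    if whitelist is None:
        return  # key not configured: federate with anyone
    if server_name.strip() in whitelist:
        return
    logger.info("federation denied: %s request involving %s is not whitelisted",
                direction, server_name)
    raise FederationDeniedError(server_name, direction)


def is_allowed(whitelist: Optional[FrozenSet[str]], server_name: str,
               direction: str = "outbound") -> bool:
    """Boolean form of check_federation, convenient for filters and tests."""
    try:
        check_federation(whitelist, server_name, direction)
    except FederationDeniedError:
        return False
    return True


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed sample configs, as they would look after YAML parsing.
    samples = {
        "unrestricted": {},                                      # key absent
        "closed": {"federation_domain_whitelist": []},           # explicit empty list
        "private": {"federation_domain_whitelist": ["hs1.example.org",
                                                    "hs2.example.org:8448"]},
    }
    for label, cfg in samples.items():
        wl = load_whitelist(cfg)
        for peer in ("hs1.example.org", "matrix.example.net"):
            state = "allowed" if is_allowed(wl, peer) else "denied"
            print("%-12s outbound to %-20s %s" % (label, peer, state))
    # The origin of an inbound request is subjected to the same check.
    print("private inbound from matrix.example.net allowed:",
          is_allowed(load_whitelist(samples["private"]), "matrix.example.net", "inbound"))
```

The point of keeping `None` and `frozenset()` as distinct return values is exactly the ambiguity the reviewers flagged: the config loader is the only place that knows whether the operator wrote nothing or wrote `[]`, so it has to preserve that distinction before any check runs. As the thread also notes, this application-layer check should sit behind a firewall rule on the federation listener rather than replace one.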
I would love to be able to use a wildcard to build a closed matrix subnet. Is there any way to do it without every server knowing all other participating servers? |
Gives a way to restrict which domains your HS is allowed to federate with.
Useful mainly for gracefully preventing a private but internet-connected HS from trying to federate outbound to the wider public Matrix network.
For symmetry, we also try to block inbound federation from non-whitelisted domains, but this should also be done at the IP or HTTP level rather than relying purely on Synapse's application-level filtering at this point.