
Do not expose /_synapse/admin publicly by default

Fixes #685 (Github Issue).
pull/698/head
Slavi Pantaleev пре 5 година
родитељ
комит
63a49bb2dc
5 измењених фајлова са 48 додато и 27 уклоњено
  1. +16
    -0
      CHANGELOG.md
  2. +2
    -0
      examples/apache/matrix-synapse.conf
  3. +5
    -3
      examples/caddy/matrix-synapse
  4. +20
    -0
      roles/matrix-nginx-proxy/defaults/main.yml
  5. +5
    -24
      roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2

+ 16
- 0
CHANGELOG.md Прегледај датотеку

@@ -1,3 +1,19 @@
# 2020-10-26

## (Compatibility Break) /_synapse/admin is no longer publicly exposed by default

We used to expose the Synapse Admin APIs publicly (at `https://matrix.DOMAIN/_synapse/admin`).
These APIs require authentication with a valid access token, so it's not that big a deal to expose them.

However, following [official Synapse's reverse-proxying recommendations](https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md#synapse-administration-endpoints), we're no longer exposing `/_synapse/admin` by default.

If you'd like to restore restore the old behavior and expose `/_synapse/admin` publicly, you can use the following configuration (in your `vars.yml`):

```yaml
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true
```


# 2020-10-02

## Minimum Ansible version raised to v2.7.0


+ 2
- 0
examples/apache/matrix-synapse.conf Прегледај датотеку

@@ -43,6 +43,8 @@
AllowEncodedSlashes NoDecode
ProxyPass /_matrix http://127.0.0.1:8008/_matrix retry=0 nocanon
ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix
ProxyPass /_synapse/client http://127.0.0.1:8008/_synapse/client retry=0 nocanon
ProxyPassReverse /_synapse/client http://127.0.0.1:8008/_synapse/client

# Map /.well-known/matrix/client for client discovery
Alias /.well-known/matrix/client /matrix/static-files/.well-known/matrix/client


+ 5
- 3
examples/caddy/matrix-synapse Прегледај датотеку

@@ -21,9 +21,11 @@ https://matrix.DOMAIN {
}

# Synapse Client<>Server API
proxy / matrix-synapse:8008 {
proxy /_matrix matrix-synapse:8008 {
transparent
except /_matrix/identity/ /_matrix/client/r0/user_directory/search
}
proxy /_synapse/client matrix-synapse:8008 {
transparent
except /.well-known/ /_matrix/identity/ /_matrix/client/r0/user_directory/search
}

}

+ 20
- 0
roles/matrix-nginx-proxy/defaults/main.yml Прегледај датотеку

@@ -149,6 +149,26 @@ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:8008"
# This needs to be equal or higher than the maximum upload size accepted by Synapse.
matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 25


# Tells wheter `/_synapse/client` is forwarded to the Matrix Client API server.
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled: true

# Tells wheter `/_synapse/admin` is forwarded to the Matrix Client API server.
# Following these recommendations (https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md), by default, we don't.
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: false

# `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefixes` holds
# the location prefixes that get forwarded to the Matrix Client API server.
# These locations get combined into a regex like this `^(/_matrix|/_synapse/client)`.
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes: |
{{
(['/_matrix'])
+
(['/_synapse/client'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled else [])
+
(['/_synapse/admin'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled else [])
}}

# Controls whether proxying for the Matrix Federation API should be done.
matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false
matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-synapse:8048"
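Review bot: The comment introducing the new list names a variable that is not the one defined below it — it says `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefixes` while the key is `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes`; operators who want to override the list will grep for the wrong name, so the comment should carry the real key. The entries are interpolated verbatim into `^(...)` in the nginx template with no escaping and no trailing boundary, so a prefix such as `/_synapse/client` also matches longer paths like `/_synapse/clientfoo`, and a value containing regex metacharacters is interpreted as regex; this is worth stating where the list is documented, e.g. `# Each entry is used verbatim as an alternative inside ^(...) — escape regex metacharacters; there is no trailing boundary.` The two `Tells wheter` comments should read `Tells whether`.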


+ 5
- 24
roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 Прегледај датотеку

@@ -105,29 +105,6 @@
{{- configuration_block }}
{% endfor %}

{#
This handles the Matrix Client API only.
The Matrix Federation API is handled by a separate vhost.
#}
location /_matrix {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
set $backend "{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container }}";
proxy_pass http://$backend;
{% else %}
{# Generic configuration for use outside of our container setup #}
proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container }};
{% endif %}

proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;

client_body_buffer_size 25M;
client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M;
proxy_max_temp_file_size 0;
}

{% if matrix_nginx_proxy_proxy_synapse_metrics %}
location /_synapse/metrics {
{% if matrix_nginx_proxy_enabled %}
@@ -150,7 +127,11 @@
}
{% endif %}

location /_synapse {
{#
This handles the Matrix Client API only.
The Matrix Federation API is handled by a separate vhost.
#}
location ~* ^({{ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes|join('|') }}) {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
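Review bot: The new `location ~* ^(...)` is a regex location, and in nginx a matching regex location takes precedence over every plain prefix location for the same URI, whereas the removed `location /_matrix` was a prefix location that let longer prefixes win; if this template or the injected `configuration_block`s define prefix locations under `/_matrix` (the Caddy example's `except /_matrix/identity/ /_matrix/client/r0/user_directory/search` suggests such carve-outs exist), they now lose to this block unless they are declared with `^~`. The pattern also has no trailing boundary and `~*` makes it case-insensitive, so `/_matrixanything` or `/_SYNAPSE/CLIENT` is forwarded as well; `location ~ ^({{ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes|join('|') }})(/|$) {` would restrict it to the intended path segments. I would record the precedence rule next to the block, e.g. `{# Regex location: beats plain prefix locations, so more specific /_matrix carve-outs must use ^~ #}`. The location block and the enclosing server block continue outside the hunk.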

