overmind
/
matrix-docker-ansible-deploy
şunun yansıması https://github.com/spantaleev/matrix-docker-ansible-deploy
1
0
Çatalla 0
Kod Konular 0 Sürümler 0 Wiki Aktivite
Kaynağa Gözat

Add matrix_tuwunel_config_ip_range_denylist (mirrors tuwunel's upstream default) 

As of tuwunel v1.8.0, the ip_range_denylist applies to push gateway
delivery as well, so surface it as an Ansible variable using the
default/auto/custom merge pattern. The default mirrors tuwunel's own
upstream denylist (RFC1918, loopback, multicast, and other unroutable
ranges), matching the identical list already used for Synapse's
matrix_synapse_url_preview_ip_range_blacklist.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
baibot-add-venice-wiring
Slavi Pantaleev 2 gün önce
ebeveyn
129d4e74b4
işleme
e43add179b
2 değiştirilmiş dosya ile 38 ekleme ve 0 silme
Görünümü Böl
Diff Seçenekleri
İstatistikleri Göster Yama Dosyasını İndir Diff Dosyasını İndir
  1. +37
    -0
      roles/custom/matrix-tuwunel/defaults/main.yml
  2. +1
    -0
      roles/custom/matrix-tuwunel/templates/tuwunel.toml.j2

+ 37
- 0
roles/custom/matrix-tuwunel/defaults/main.yml Dosyayı Görüntüle

@@ -177,6 +177,43 @@ matrix_tuwunel_config_forbidden_remote_server_names: []
matrix_tuwunel_config_forbidden_remote_room_directory_server_names: []
matrix_tuwunel_config_prevent_media_downloads_from: []

# List of IPv4/IPv6 CIDR ranges tuwunel refuses to send outbound requests to (SSRF protection).
# This applies to push gateway delivery, URL previews, and remote media fetches.
# Bridges/appservices use a separate resolver and are not affected.
#
# The default mirrors tuwunel's own upstream default, which denies RFC1918,
# loopback, multicast, and other unroutable/testnet ranges.
#
# To deny additional ranges, append to `matrix_tuwunel_config_ip_range_denylist_custom`.
# To permit a range that the default denies (e.g. if you run a push gateway like a
# localhost Sygnal or a LAN ntfy/UnifiedPush server on a private/loopback address, to
# which push delivery would otherwise be silently blocked), override
# `matrix_tuwunel_config_ip_range_denylist_default` with a trimmed list.
# Set the whole list to `[]` to disable denylisting entirely.
matrix_tuwunel_config_ip_range_denylist: "{{ matrix_tuwunel_config_ip_range_denylist_default + matrix_tuwunel_config_ip_range_denylist_auto + matrix_tuwunel_config_ip_range_denylist_custom }}"
matrix_tuwunel_config_ip_range_denylist_default:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '100.64.0.0/10'
- '192.0.0.0/24'
- '169.254.0.0/16'
- '192.88.99.0/24'
- '198.18.0.0/15'
- '192.0.2.0/24'
- '198.51.100.0/24'
- '203.0.113.0/24'
- '224.0.0.0/4'
- '::1/128'
- 'fe80::/10'
- 'fc00::/7'
- '2001:db8::/32'
- 'ff00::/8'
- 'fec0::/10'
matrix_tuwunel_config_ip_range_denylist_auto: []
matrix_tuwunel_config_ip_range_denylist_custom: []

# MSC4284 policy server enforcement.
# When enabled, rooms with a valid `m.room.policy` state event will have
# outgoing events signed by the configured policy server before federation.


+ 1
- 0
roles/custom/matrix-tuwunel/templates/tuwunel.toml.j2 Dosyayı Görüntüle

@@ -56,6 +56,7 @@ forbidden_remote_room_directory_server_names = {{ matrix_tuwunel_config_forbidde
{% if matrix_tuwunel_config_prevent_media_downloads_from | length > 0 %}
prevent_media_downloads_from = {{ matrix_tuwunel_config_prevent_media_downloads_from | to_json }}
{% endif %}
ip_range_denylist = {{ matrix_tuwunel_config_ip_range_denylist | to_json }}

enable_policy_servers = {{ matrix_tuwunel_config_enable_policy_servers | to_json }}
policy_server_request_timeout = {{ matrix_tuwunel_config_policy_server_request_timeout }}


Yaz Önizleme
Yükleniyor…
İptal
Kaydet