From ea829bb918401b9c2ce1ff0be432a38158a9da81 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Sat, 18 Dec 2021 13:26:31 +0200
Subject: [PATCH] Add support for not serving Dendrite federation APIs on the client port

Seems like Dendrite encourages serving both the Client and Federation API at the same port. Coming from Synapse and how things are done there, we have separate ports. Using separate ports probably makes matrix-corporal (etc.) integration easier, so separating the APIs by default probably makes sense.
---
 roles/matrix-nginx-proxy/defaults/main.yml | 3 +++
 .../templates/nginx/conf.d/matrix-dendrite.conf.j2 | 10 ++++++++++
 2 files changed, 13 insertions(+)

diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml
index ea19d4fe9..fa83aa8bf 100644
--- a/roles/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/matrix-nginx-proxy/defaults/main.yml
@@ -128,6 +128,9 @@ matrix_nginx_proxy_proxy_synapse_additional_server_configuration_blocks: []
 matrix_nginx_proxy_proxy_dendrite_enabled: false
 matrix_nginx_proxy_proxy_dendrite_hostname: "matrix-nginx-proxy"
 matrix_nginx_proxy_proxy_dendrite_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}"
+# Controls whether the Client API server (usually at matrix.DOMAIN:443) should explicitly reject `/_matrix/federation` endpoints.
+# Normally, Dendrite Monolith serves both APIs (Client & Federation) at the same port, so we can serve federation at `matrix.DOMAIN:443` too.
+matrix_nginx_proxy_proxy_dendrite_block_federation_api_on_client_port: true
 # The addresses where the Matrix Client API is, when using Dendrite.
 matrix_nginx_proxy_proxy_dendrite_client_api_addr_with_container: ""
 matrix_nginx_proxy_proxy_dendrite_client_api_addr_sans_container: ""
diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dendrite.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dendrite.conf.j2
index 9776085e1..939156a31 100644
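Review bot: The two comment lines above `matrix_nginx_proxy_proxy_dendrite_block_federation_api_on_client_port` do not say which value does what. The first sentence describes `true`, while the second ("so we can serve federation at `matrix.DOMAIN:443` too") reads like the rationale for turning the option off, yet the default is `true`. I would add a line such as `# Set this to false only if federation requests should also be accepted on the Client API port.` The comment should also mention `matrix_nginx_proxy_proxy_dendrite_federation_api_enabled`, because the template change in this patch picks its 404 message from that variable.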
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dendrite.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dendrite.conf.j2
@@ -14,6 +14,16 @@ server {
 {{- configuration_block }}
 {% endfor %}

+ {% if matrix_nginx_proxy_proxy_dendrite_block_federation_api_on_client_port %}
+ location /_matrix/federation {
+ {% if matrix_nginx_proxy_proxy_dendrite_federation_api_enabled %}
+ return 404 'The Federation API is served at https://{{ matrix_server_fqn_matrix }}:{{ matrix_federation_public_port }}';
+ {% else %}
+ return 404 'This Matrix server is running with federation disabled';
+ {% endif %}
+ }
+ {% endif %}
+
 {# Everything else just goes to the API server ##}
 location / {
 {% if matrix_nginx_proxy_enabled %}
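Review bot: The new `location /_matrix/federation` block is emitted only when `matrix_nginx_proxy_proxy_dendrite_block_federation_api_on_client_port` is true. With that flag off and `matrix_nginx_proxy_proxy_dendrite_federation_api_enabled` false, federation paths fall through to `location /` and are passed to the API server; whether Dendrite then refuses them depends on its own configuration, which this hunk does not show. If the proxy is meant to enforce "federation disabled" by itself, the outer guard could be `{% if matrix_nginx_proxy_proxy_dendrite_block_federation_api_on_client_port or not matrix_nginx_proxy_proxy_dendrite_federation_api_enabled %}`. The block also leaves `/_matrix/key`, which belongs to the server-to-server API, going to `location /`, so it is worth confirming that this is intended. The enclosing `server { … }` block starts and ends outside the hunk.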