diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
index f9bdcb5e3d..9f2b900ffa 100644
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@@ -642,20 +642,19 @@ acme:
 # - nyc.example.com
 # - syd.example.com
 
-# Prevent federation requests from being sent to the following
-# blacklist IP address CIDR ranges. If this option is not specified, or
-# specified with an empty list, no ip range blacklist will be enforced.
+# Prevent outgoing requests from being sent to the following blacklisted IP address
+# CIDR ranges. If this option is not specified, or specified with an empty list,
+# no IP range blacklist will be enforced.
 #
-# As of Synapse v1.4.0 this option also affects any outbound requests to identity
-# servers provided by user input.
-#
-# As of Synapse v1.24.0 this option also affects any outbound requests to push
-# servers provided by user input and to key revocation requests.
+# The outbound requests for federation, identity servers, push servers, and for
+# checking key validitity for third-party invite events
 #
 # (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
 # listed here, since they correspond to unroutable addresses.)
 #
-federation_ip_range_blacklist:
+# This option replaces federation_ip_range_blacklist in Synapse v1.24.0.
+#
+ip_range_blacklist:
 - '127.0.0.0/8'
 - '10.0.0.0/8'
 - '172.16.0.0/12'
diff --git a/synapse/config/federation.py b/synapse/config/federation.py
index e3b9a4a858..2b002f19ad 100644
--- a/synapse/config/federation.py
+++ b/synapse/config/federation.py
@@ -36,22 +36,34 @@ class FederationConfig(Config):
 for domain in federation_domain_whitelist:
 self.federation_domain_whitelist[domain] = True
 
- self.federation_ip_range_blacklist = config.get(
- "federation_ip_range_blacklist", []
+ ip_range_blacklist = config.get(
+ "ip_range_blacklist", []
 )
 
 # Attempt to create an IPSet from the given ranges
 try:
- self.federation_ip_range_blacklist = IPSet(
- self.federation_ip_range_blacklist
+ self.ip_range_blacklist = IPSet(ip_range_blacklist)
+ except Exception as e:
+ raise ConfigError(
+ "Invalid range(s) provided in ip_range_blacklist: %s" % e
 )
+ # Always blacklist 0.0.0.0, ::
+ self.ip_range_blacklist.update(["0.0.0.0", "::"])
 
- # Always blacklist 0.0.0.0, ::
- self.federation_ip_range_blacklist.update(["0.0.0.0", "::"])
+ # The federation_ip_range_blacklist is used for backwards-compatibility
+ # and only applies ot federation and identity servers. If it is not given,
+ # default to ip_range_blacklist.
+ federation_ip_range_blacklist = config.get(
+ "federation_ip_range_blacklist", ip_range_blacklist
+ )
+ try:
+ self.federation_ip_range_blacklist = IPSet(federation_ip_range_blacklist)
 except Exception as e:
 raise ConfigError(
 "Invalid range(s) provided in federation_ip_range_blacklist: %s" % e
 )
+ # Always blacklist 0.0.0.0, ::
+ self.federation_ip_range_blacklist.update(["0.0.0.0", "::"])
 
 federation_metrics_domains = config.get("federation_metrics_domains") or []
 validate_config(
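Review bot: A deployment that still sets only the legacy `federation_ip_range_blacklist` key ends up with `self.ip_range_blacklist` containing nothing but `0.0.0.0` and `::`, because the new `ip_range_blacklist = config.get("ip_range_blacklist", [])` lookup never consults the old key while the fallback added below it only runs in the other direction. The removed sample-config text says the old option also covered push servers and key revocation requests as of v1.24.0, and the proxied client in server.py now reads `ip_range_blacklist`, so such an upgrade silently loses those SSRF protections. Derive the new list from the legacy one when the new key is absent, `ip_range_blacklist = config.get("ip_range_blacklist", config.get("federation_ip_range_blacklist", []))`, and consider logging a deprecation warning when only the legacy key is present. The new comment also has a typo: `# and only applies to federation and identity servers. If it is not given,`. The enclosing method starts before the hunk and the `validate_config(` call continues past its last line.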
@@ -76,20 +88,19 @@ class FederationConfig(Config):
 # - nyc.example.com
 # - syd.example.com
 
- # Prevent federation requests from being sent to the following
- # blacklist IP address CIDR ranges. If this option is not specified, or
- # specified with an empty list, no ip range blacklist will be enforced.
+ # Prevent outgoing requests from being sent to the following blacklisted IP address
+ # CIDR ranges. If this option is not specified, or specified with an empty list,
+ # no IP range blacklist will be enforced.
 #
- # As of Synapse v1.4.0 this option also affects any outbound requests to identity
- # servers provided by user input.
- #
- # As of Synapse v1.24.0 this option also affects any outbound requests to push
- # servers provided by user input and to key revocation requests.
+ # The outbound requests for federation, identity servers, push servers, and for
+ # checking key validitity for third-party invite events
 #
 # (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
 # listed here, since they correspond to unroutable addresses.)
 #
- federation_ip_range_blacklist:
+ # This option replaces federation_ip_range_blacklist in Synapse v1.24.0.
+ #
+ ip_range_blacklist:
 - '127.0.0.0/8'
 - '10.0.0.0/8'
 - '172.16.0.0/12'
diff --git a/synapse/handlers/identity.py b/synapse/handlers/identity.py
index f7e6779a73..8633af9810 100644
--- a/synapse/handlers/identity.py
+++ b/synapse/handlers/identity.py
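Review bot: The new explanatory sentence in the generated config comment is a fragment with a typo (`validitity`) and will be emitted verbatim into every operator's generated homeserver config; I would replace the two added lines with `# It applies to outbound requests for federation, identity servers, push servers, and` / `# to checking key validity for third-party invite events.`. The line saying the option replaces `federation_ip_range_blacklist` should also state that the legacy key, when set, is still honoured for federation and identity-server requests, so operators know the two lists can be configured independently (this matches the loader comment added elsewhere in this change). The enclosing method, and the text it appears to return, both start before the hunk and continue past its last line.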
@@ -46,10 +46,12 @@ class IdentityHandler(BaseHandler):
 def __init__(self, hs):
 super().__init__(hs)
 
- # An HTTP client to contact trusted URLs.
+ # An HTTP client for contacting trusted URLs.
 self.http_client = SimpleHttpClient(hs)
 
 # An HTTP client for contacting identity servers specified by clients.
- self.blacklisting_http_client = hs.get_proxied_blacklisted_http_client()
+ self.blacklisting_http_client = SimpleHttpClient(
+ hs, ip_blacklist=hs.config.federation_ip_range_blacklist
+ )
 self.federation_http_client = hs.get_federation_http_client()
 self.hs = hs
diff --git a/synapse/server.py b/synapse/server.py
index ca27a052db..ce63979d46 100644
--- a/synapse/server.py
+++ b/synapse/server.py
@@ -371,11 +371,11 @@ class HomeServer(metaclass=abc.ABCMeta):
 def get_proxied_blacklisted_http_client(self) -> SimpleHttpClient:
 """
 An HTTP client that uses configured HTTP(S) proxies and blacklists IPs
- based on the federation IP range blacklist.
+ based on the IP range blacklist.
 """
 return SimpleHttpClient(
 self,
- ip_blacklist=self.config.federation_ip_range_blacklist,
+ ip_blacklist=self.config.ip_range_blacklist,
 http_proxy=os.getenvb(b"http_proxy"),
 https_proxy=os.getenvb(b"HTTPS_PROXY"),
 )
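Review bot: Constructing `SimpleHttpClient` directly here drops the `http_proxy`/`https_proxy` arguments that `get_proxied_blacklisted_http_client()` passes (visible in the server.py hunk of this same change), so client-supplied identity-server requests will bypass any configured outbound proxy after this patch. Unless that is intentional, pass them through as well: `http_proxy=os.getenvb(b"http_proxy"),` / `https_proxy=os.getenvb(b"HTTPS_PROXY"),` after the `ip_blacklist` argument, checking that `os` is imported in this module. Alternatively, give the `HomeServer` factory a way to build the proxied client with a caller-chosen blacklist so the proxy wiring stays in one place. `__init__` may continue past the hunk's last line.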
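Review bot: The rewritten docstring says "based on the IP range blacklist" without naming the option, which is now ambiguous because the config carries both `ip_range_blacklist` and `federation_ip_range_blacklist`. I would make it `An HTTP client that uses configured HTTP(S) proxies and blacklists IPs based on the ``ip_range_blacklist`` config option; federation and client-supplied identity-server requests use ``federation_ip_range_blacklist`` instead.` The second clause follows from the identity handler change and the loader comment in this same patch; drop it if other callers diverge.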