3 files changed, 71 insertions, 4 deletions
diff --git a/changelog.d/5478.misc b/changelog.d/5478.misc
new file mode 100644
index 0000000000..829bb1e521
--- /dev/null
+++ b/changelog.d/5478.misc
@@ -0,0 +1 @@
+The demo servers talk to each other again.
diff --git a/demo/README b/demo/README
index 0b584ceb15..0bec820ad6 100644
--- a/demo/README
+++ b/demo/README
@@ -1,9 +1,13 @@
+DO NOT USE THESE DEMO SERVERS IN PRODUCTION
+
Requires you to have done:
python setup.py develop
-The demo start.sh will start three synapse servers on ports 8080, 8081 and 8082, with host names localhost:$port. This can be easily changed to `hostname`:$port in start.sh if required.
-It will also start a web server on port 8000 pointed at the webclient.
+The demo start.sh will start three synapse servers on ports 8080, 8081 and 8082, with host names localhost:$port. This can be easily changed to `hostname`:$port in start.sh if required.
+
+To enable the servers to communicate untrusted ssl certs are used. In order to do this the servers do not check the certs
+and are configured in a highly insecure way. Do not use these configuration files in production.
stop.sh will stop the synapse servers and the webclient.
diff --git a/demo/start.sh b/demo/start.sh
index 5c3a8fe61f..1c4f12d0bb 100755
--- a/demo/start.sh
+++ b/demo/start.sh
@@ -27,8 +27,70 @@ for port in 8080 8081 8082; do
--config-path "$DIR/etc/$port.config" \
--report-stats no
- printf '\n\n# Customisation made by demo/start.sh\n' >> $DIR/etc/$port.config
- echo 'enable_registration: true' >> $DIR/etc/$port.config
+ if ! grep -F "Customisation made by demo/start.sh" -q $DIR/etc/$port.config; then
+ printf '\n\n# Customisation made by demo/start.sh\n' >> $DIR/etc/$port.config
+
+ echo 'enable_registration: true' >> $DIR/etc/$port.config
+
+ # Warning, this heredoc depends on the interaction of tabs and spaces. Please don't
+ # accidentaly bork me with your fancy settings.
+ listeners=$(cat <<-PORTLISTENERS
+ # Configure server to listen on both $https_port and $port
+ # This overides some of the default settings above
+ listeners:
+ - port: $https_port
+ type: http
+ tls: true
+ resources:
+ - names: [client, federation]
+
+ - port: $port
+ tls: false
+ bind_addresses: ['::1', '127.0.0.1']
+ type: http
+ x_forwarded: true
+ resources:
+ - names: [client, federation]
+ compress: false
+ PORTLISTENERS
+ )
+ echo "${listeners}" >> $DIR/etc/$port.config
+
+ # Disable tls for the servers
+ printf '\n\n# Disable tls on the servers.' >> $DIR/etc/$port.config
+ echo '# DO NOT USE IN PRODUCTION' >> $DIR/etc/$port.config
+ echo 'use_insecure_ssl_client_just_for_testing_do_not_use: true' >> $DIR/etc/$port.config
+ echo 'federation_verify_certificates: false' >> $DIR/etc/$port.config
+
+ # Set tls paths
+ echo "tls_certificate_path: \"$DIR/etc/localhost:$https_port.tls.crt\"" >> $DIR/etc/$port.config
+ echo "tls_private_key_path: \"$DIR/etc/localhost:$https_port.tls.key\"" >> $DIR/etc/$port.config
+
+ # Generate tls keys
+ openssl req -x509 -newkey rsa:4096 -keyout $DIR/etc/localhost\:$https_port.tls.key -out $DIR/etc/localhost\:$https_port.tls.crt -days 365 -nodes -subj "/O=matrix"
+
+ # Ignore keys from the trusted keys server
+ echo '# Ignore keys from the trusted keys server' >> $DIR/etc/$port.config
+ echo 'trusted_key_servers:' >> $DIR/etc/$port.config
+ echo ' - server_name: "matrix.org"' >> $DIR/etc/$port.config
+ echo ' accept_keys_insecurely: true' >> $DIR/etc/$port.config
+
+ # Reduce the blacklist
+ blacklist=$(cat <<-BLACK
+ # Set the blacklist so that it doesn't include 127.0.0.1
+ federation_ip_range_blacklist:
+ - '10.0.0.0/8'
+ - '172.16.0.0/12'
+ - '192.168.0.0/16'
+ - '100.64.0.0/10'
+ - '169.254.0.0/16'
+ - '::1/128'
+ - 'fe80::/64'
+ - 'fc00::/7'
+ BLACK
+ )
+ echo "${blacklist}" >> $DIR/etc/$port.config
+ fi
# Check script parameters
if [ $# -eq 1 ]; then
|