diff --git a/latest/print.html b/latest/print.html
index d540eab919..565af5df9d 100644
--- a/latest/print.html
+++ b/latest/print.html
@@ -77,7 +77,7 @@
<nav id="sidebar" class="sidebar" aria-label="Table of contents">
<div class="sidebar-scrollbox">
- <ol class="chapter"><li class="chapter-item expanded affix "><li class="part-title">Introduction</li><li class="chapter-item expanded "><a href="welcome_and_overview.html">Welcome and Overview</a></li><li class="chapter-item expanded affix "><li class="part-title">Setup</li><li class="chapter-item expanded "><a href="setup/installation.html">Installation</a></li><li class="chapter-item expanded "><a href="postgres.html">Using Postgres</a></li><li class="chapter-item expanded "><a href="reverse_proxy.html">Configuring a Reverse Proxy</a></li><li class="chapter-item expanded "><a href="setup/forward_proxy.html">Configuring a Forward/Outbound Proxy</a></li><li class="chapter-item expanded "><a href="turn-howto.html">Configuring a Turn Server</a></li><li class="chapter-item expanded "><a href="delegate.html">Delegation</a></li><li class="chapter-item expanded affix "><li class="part-title">Upgrading</li><li class="chapter-item expanded "><a href="upgrade.html">Upgrading between Synapse Versions</a></li><li class="chapter-item expanded affix "><li class="part-title">Usage</li><li class="chapter-item expanded "><a href="federate.html">Federation</a></li><li class="chapter-item expanded "><a href="usage/configuration/index.html">Configuration</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="usage/configuration/config_documentation.html">Configuration Manual</a></li><li class="chapter-item expanded "><a href="usage/configuration/homeserver_sample_config.html">Homeserver Sample Config File</a></li><li class="chapter-item expanded "><a href="usage/configuration/logging_sample_config.html">Logging Sample Config File</a></li><li class="chapter-item expanded "><a href="structured_logging.html">Structured Logging</a></li><li class="chapter-item expanded "><a href="templates.html">Templates</a></li><li class="chapter-item expanded "><a href="usage/configuration/user_authentication/index.html">User Authentication</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="usage/configuration/user_authentication/single_sign_on/index.html">Single-Sign On</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="openid.html">OpenID Connect</a></li><li class="chapter-item expanded "><a href="usage/configuration/user_authentication/single_sign_on/saml.html">SAML</a></li><li class="chapter-item expanded "><a href="usage/configuration/user_authentication/single_sign_on/cas.html">CAS</a></li><li class="chapter-item expanded "><a href="sso_mapping_providers.html">SSO Mapping Providers</a></li></ol></li><li class="chapter-item expanded "><a href="password_auth_providers.html">Password Auth Providers</a></li><li class="chapter-item expanded "><a href="jwt.html">JSON Web Tokens</a></li><li class="chapter-item expanded "><a href="usage/configuration/user_authentication/refresh_tokens.html">Refresh Tokens</a></li></ol></li><li class="chapter-item expanded "><a href="CAPTCHA_SETUP.html">Registration Captcha</a></li><li class="chapter-item expanded "><a href="application_services.html">Application Services</a></li><li class="chapter-item expanded "><a href="server_notices.html">Server Notices</a></li><li class="chapter-item expanded "><a href="consent_tracking.html">Consent Tracking</a></li><li class="chapter-item expanded "><a href="user_directory.html">User Directory</a></li><li class="chapter-item expanded "><a href="message_retention_policies.html">Message Retention Policies</a></li><li class="chapter-item expanded "><a href="modules/index.html">Pluggable Modules</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="modules/writing_a_module.html">Writing a module</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="modules/spam_checker_callbacks.html">Spam checker callbacks</a></li><li class="chapter-item expanded "><a href="modules/third_party_rules_callbacks.html">Third-party rules callbacks</a></li><li class="chapter-item expanded "><a href="modules/presence_router_callbacks.html">Presence router callbacks</a></li><li class="chapter-item expanded "><a href="modules/account_validity_callbacks.html">Account validity callbacks</a></li><li class="chapter-item expanded "><a href="modules/password_auth_provider_callbacks.html">Password auth provider callbacks</a></li><li class="chapter-item expanded "><a href="modules/background_update_controller_callbacks.html">Background update controller callbacks</a></li><li class="chapter-item expanded "><a href="modules/account_data_callbacks.html">Account data callbacks</a></li><li class="chapter-item expanded "><a href="modules/porting_legacy_module.html">Porting a legacy module to the new interface</a></li></ol></li></ol></li><li class="chapter-item expanded "><a href="workers.html">Workers</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="synctl_workers.html">Using synctl with Workers</a></li><li class="chapter-item expanded "><a href="systemd-with-workers/index.html">Systemd</a></li></ol></li></ol></li><li class="chapter-item expanded "><a href="usage/administration/index.html">Administration</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="usage/administration/admin_api/index.html">Admin API</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="admin_api/account_validity.html">Account Validity</a></li><li class="chapter-item expanded "><a href="usage/administration/admin_api/background_updates.html">Background Updates</a></li><li class="chapter-item expanded "><a href="admin_api/event_reports.html">Event Reports</a></li><li class="chapter-item expanded "><a href="admin_api/media_admin_api.html">Media</a></li><li class="chapter-item expanded "><a href="admin_api/purge_history_api.html">Purge History</a></li><li class="chapter-item expanded "><a href="admin_api/register_api.html">Register Users</a></li><li class="chapter-item expanded "><a href="usage/administration/admin_api/registration_tokens.html">Registration Tokens</a></li><li class="chapter-item expanded "><a href="admin_api/room_membership.html">Manipulate Room Membership</a></li><li class="chapter-item expanded "><a href="admin_api/rooms.html">Rooms</a></li><li class="chapter-item expanded "><a href="admin_api/server_notices.html">Server Notices</a></li><li class="chapter-item expanded "><a href="admin_api/statistics.html">Statistics</a></li><li class="chapter-item expanded "><a href="admin_api/user_admin_api.html">Users</a></li><li class="chapter-item expanded "><a href="admin_api/version_api.html">Server Version</a></li><li class="chapter-item expanded "><a href="usage/administration/admin_api/federation.html">Federation</a></li></ol></li><li class="chapter-item expanded "><a href="manhole.html">Manhole</a></li><li class="chapter-item expanded "><a href="metrics-howto.html">Monitoring</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="usage/administration/monitoring/reporting_homeserver_usage_statistics.html">Reporting Homeserver Usage Statistics</a></li></ol></li><li class="chapter-item expanded "><a href="usage/administration/monthly_active_users.html">Monthly Active Users</a></li><li class="chapter-item expanded "><a href="usage/administration/understanding_synapse_through_grafana_graphs.html">Understanding Synapse Through Grafana Graphs</a></li><li class="chapter-item expanded "><a href="usage/administration/useful_sql_for_admins.html">Useful SQL for Admins</a></li><li class="chapter-item expanded "><a href="usage/administration/database_maintenance_tools.html">Database Maintenance Tools</a></li><li class="chapter-item expanded "><a href="usage/administration/state_groups.html">State Groups</a></li><li class="chapter-item expanded "><a href="usage/administration/request_log.html">Request log format</a></li><li class="chapter-item expanded "><a href="usage/administration/admin_faq.html">Admin FAQ</a></li><li class="chapter-item expanded "><div>Scripts</div></li></ol></li><li class="chapter-item expanded "><li class="part-title">Development</li><li class="chapter-item expanded "><a href="development/contributing_guide.html">Contributing Guide</a></li><li class="chapter-item expanded "><a href="code_style.html">Code Style</a></li><li class="chapter-item expanded "><a href="development/reviews.html">Reviewing Code</a></li><li class="chapter-item expanded "><a href="development/releases.html">Release Cycle</a></li><li class="chapter-item expanded "><a href="development/git.html">Git Usage</a></li><li class="chapter-item expanded "><div>Testing</div></li><li><ol class="section"><li class="chapter-item expanded "><a href="development/demo.html">Demo scripts</a></li></ol></li><li class="chapter-item expanded "><a href="opentracing.html">OpenTracing</a></li><li class="chapter-item expanded "><a href="development/database_schema.html">Database Schemas</a></li><li class="chapter-item expanded "><a href="development/experimental_features.html">Experimental features</a></li><li class="chapter-item expanded "><a href="development/dependencies.html">Dependency management</a></li><li class="chapter-item expanded "><div>Synapse Architecture</div></li><li><ol class="section"><li class="chapter-item expanded "><a href="development/synapse_architecture/cancellation.html">Cancellation</a></li><li class="chapter-item expanded "><a href="log_contexts.html">Log Contexts</a></li><li class="chapter-item expanded "><a href="replication.html">Replication</a></li><li class="chapter-item expanded "><a href="tcp_replication.html">TCP Replication</a></li></ol></li><li class="chapter-item expanded "><a href="development/internal_documentation/index.html">Internal Documentation</a></li><li><ol class="section"><li class="chapter-item expanded "><div>Single Sign-On</div></li><li><ol class="section"><li class="chapter-item expanded "><a href="development/saml.html">SAML</a></li><li class="chapter-item expanded "><a href="development/cas.html">CAS</a></li></ol></li><li class="chapter-item expanded "><a href="development/room-dag-concepts.html">Room DAG concepts</a></li><li class="chapter-item expanded "><div>State Resolution</div></li><li><ol class="section"><li class="chapter-item expanded "><a href="auth_chain_difference_algorithm.html">The Auth Chain Difference Algorithm</a></li></ol></li><li class="chapter-item expanded "><a href="media_repository.html">Media Repository</a></li><li class="chapter-item expanded "><a href="room_and_user_statistics.html">Room and User Statistics</a></li></ol></li><li class="chapter-item expanded "><div>Scripts</div></li><li class="chapter-item expanded affix "><li class="part-title">Other</li><li class="chapter-item expanded "><a href="deprecation_policy.html">Dependency Deprecation Policy</a></li><li class="chapter-item expanded "><a href="other/running_synapse_on_single_board_computers.html">Running Synapse on a Single-Board Computer</a></li></ol>
+ <ol class="chapter"><li class="chapter-item expanded affix "><li class="part-title">Introduction</li><li class="chapter-item expanded "><a href="welcome_and_overview.html">Welcome and Overview</a></li><li class="chapter-item expanded affix "><li class="part-title">Setup</li><li class="chapter-item expanded "><a href="setup/installation.html">Installation</a></li><li class="chapter-item expanded "><a href="postgres.html">Using Postgres</a></li><li class="chapter-item expanded "><a href="reverse_proxy.html">Configuring a Reverse Proxy</a></li><li class="chapter-item expanded "><a href="setup/forward_proxy.html">Configuring a Forward/Outbound Proxy</a></li><li class="chapter-item expanded "><a href="turn-howto.html">Configuring a Turn Server</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="setup/turn/coturn.html">coturn TURN server</a></li><li class="chapter-item expanded "><a href="setup/turn/eturnal.html">eturnal TURN server</a></li></ol></li><li class="chapter-item expanded "><a href="delegate.html">Delegation</a></li><li class="chapter-item expanded affix "><li class="part-title">Upgrading</li><li class="chapter-item expanded "><a href="upgrade.html">Upgrading between Synapse Versions</a></li><li class="chapter-item expanded affix "><li class="part-title">Usage</li><li class="chapter-item expanded "><a href="federate.html">Federation</a></li><li class="chapter-item expanded "><a href="usage/configuration/index.html">Configuration</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="usage/configuration/config_documentation.html">Configuration Manual</a></li><li class="chapter-item expanded "><a href="usage/configuration/homeserver_sample_config.html">Homeserver Sample Config File</a></li><li class="chapter-item expanded "><a href="usage/configuration/logging_sample_config.html">Logging Sample Config File</a></li><li class="chapter-item expanded "><a href="structured_logging.html">Structured Logging</a></li><li class="chapter-item expanded "><a href="templates.html">Templates</a></li><li class="chapter-item expanded "><a href="usage/configuration/user_authentication/index.html">User Authentication</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="usage/configuration/user_authentication/single_sign_on/index.html">Single-Sign On</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="openid.html">OpenID Connect</a></li><li class="chapter-item expanded "><a href="usage/configuration/user_authentication/single_sign_on/saml.html">SAML</a></li><li class="chapter-item expanded "><a href="usage/configuration/user_authentication/single_sign_on/cas.html">CAS</a></li><li class="chapter-item expanded "><a href="sso_mapping_providers.html">SSO Mapping Providers</a></li></ol></li><li class="chapter-item expanded "><a href="password_auth_providers.html">Password Auth Providers</a></li><li class="chapter-item expanded "><a href="jwt.html">JSON Web Tokens</a></li><li class="chapter-item expanded "><a href="usage/configuration/user_authentication/refresh_tokens.html">Refresh Tokens</a></li></ol></li><li class="chapter-item expanded "><a href="CAPTCHA_SETUP.html">Registration Captcha</a></li><li class="chapter-item expanded "><a href="application_services.html">Application Services</a></li><li class="chapter-item expanded "><a href="server_notices.html">Server Notices</a></li><li class="chapter-item expanded "><a href="consent_tracking.html">Consent Tracking</a></li><li class="chapter-item expanded "><a href="user_directory.html">User Directory</a></li><li class="chapter-item expanded "><a href="message_retention_policies.html">Message Retention Policies</a></li><li class="chapter-item expanded "><a href="modules/index.html">Pluggable Modules</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="modules/writing_a_module.html">Writing a module</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="modules/spam_checker_callbacks.html">Spam checker callbacks</a></li><li class="chapter-item expanded "><a href="modules/third_party_rules_callbacks.html">Third-party rules callbacks</a></li><li class="chapter-item expanded "><a href="modules/presence_router_callbacks.html">Presence router callbacks</a></li><li class="chapter-item expanded "><a href="modules/account_validity_callbacks.html">Account validity callbacks</a></li><li class="chapter-item expanded "><a href="modules/password_auth_provider_callbacks.html">Password auth provider callbacks</a></li><li class="chapter-item expanded "><a href="modules/background_update_controller_callbacks.html">Background update controller callbacks</a></li><li class="chapter-item expanded "><a href="modules/account_data_callbacks.html">Account data callbacks</a></li><li class="chapter-item expanded "><a href="modules/porting_legacy_module.html">Porting a legacy module to the new interface</a></li></ol></li></ol></li><li class="chapter-item expanded "><a href="workers.html">Workers</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="synctl_workers.html">Using synctl with Workers</a></li><li class="chapter-item expanded "><a href="systemd-with-workers/index.html">Systemd</a></li></ol></li></ol></li><li class="chapter-item expanded "><a href="usage/administration/index.html">Administration</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="usage/administration/admin_api/index.html">Admin API</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="admin_api/account_validity.html">Account Validity</a></li><li class="chapter-item expanded "><a href="usage/administration/admin_api/background_updates.html">Background Updates</a></li><li class="chapter-item expanded "><a href="admin_api/event_reports.html">Event Reports</a></li><li class="chapter-item expanded "><a href="admin_api/media_admin_api.html">Media</a></li><li class="chapter-item expanded "><a href="admin_api/purge_history_api.html">Purge History</a></li><li class="chapter-item expanded "><a href="admin_api/register_api.html">Register Users</a></li><li class="chapter-item expanded "><a href="usage/administration/admin_api/registration_tokens.html">Registration Tokens</a></li><li class="chapter-item expanded "><a href="admin_api/room_membership.html">Manipulate Room Membership</a></li><li class="chapter-item expanded "><a href="admin_api/rooms.html">Rooms</a></li><li class="chapter-item expanded "><a href="admin_api/server_notices.html">Server Notices</a></li><li class="chapter-item expanded "><a href="admin_api/statistics.html">Statistics</a></li><li class="chapter-item expanded "><a href="admin_api/user_admin_api.html">Users</a></li><li class="chapter-item expanded "><a href="admin_api/version_api.html">Server Version</a></li><li class="chapter-item expanded "><a href="usage/administration/admin_api/federation.html">Federation</a></li></ol></li><li class="chapter-item expanded "><a href="manhole.html">Manhole</a></li><li class="chapter-item expanded "><a href="metrics-howto.html">Monitoring</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="usage/administration/monitoring/reporting_homeserver_usage_statistics.html">Reporting Homeserver Usage Statistics</a></li></ol></li><li class="chapter-item expanded "><a href="usage/administration/monthly_active_users.html">Monthly Active Users</a></li><li class="chapter-item expanded "><a href="usage/administration/understanding_synapse_through_grafana_graphs.html">Understanding Synapse Through Grafana Graphs</a></li><li class="chapter-item expanded "><a href="usage/administration/useful_sql_for_admins.html">Useful SQL for Admins</a></li><li class="chapter-item expanded "><a href="usage/administration/database_maintenance_tools.html">Database Maintenance Tools</a></li><li class="chapter-item expanded "><a href="usage/administration/state_groups.html">State Groups</a></li><li class="chapter-item expanded "><a href="usage/administration/request_log.html">Request log format</a></li><li class="chapter-item expanded "><a href="usage/administration/admin_faq.html">Admin FAQ</a></li><li class="chapter-item expanded "><div>Scripts</div></li></ol></li><li class="chapter-item expanded "><li class="part-title">Development</li><li class="chapter-item expanded "><a href="development/contributing_guide.html">Contributing Guide</a></li><li class="chapter-item expanded "><a href="code_style.html">Code Style</a></li><li class="chapter-item expanded "><a href="development/reviews.html">Reviewing Code</a></li><li class="chapter-item expanded "><a href="development/releases.html">Release Cycle</a></li><li class="chapter-item expanded "><a href="development/git.html">Git Usage</a></li><li class="chapter-item expanded "><div>Testing</div></li><li><ol class="section"><li class="chapter-item expanded "><a href="development/demo.html">Demo scripts</a></li></ol></li><li class="chapter-item expanded "><a href="opentracing.html">OpenTracing</a></li><li class="chapter-item expanded "><a href="development/database_schema.html">Database Schemas</a></li><li class="chapter-item expanded "><a href="development/experimental_features.html">Experimental features</a></li><li class="chapter-item expanded "><a href="development/dependencies.html">Dependency management</a></li><li class="chapter-item expanded "><div>Synapse Architecture</div></li><li><ol class="section"><li class="chapter-item expanded "><a href="development/synapse_architecture/cancellation.html">Cancellation</a></li><li class="chapter-item expanded "><a href="log_contexts.html">Log Contexts</a></li><li class="chapter-item expanded "><a href="replication.html">Replication</a></li><li class="chapter-item expanded "><a href="tcp_replication.html">TCP Replication</a></li></ol></li><li class="chapter-item expanded "><a href="development/internal_documentation/index.html">Internal Documentation</a></li><li><ol class="section"><li class="chapter-item expanded "><div>Single Sign-On</div></li><li><ol class="section"><li class="chapter-item expanded "><a href="development/saml.html">SAML</a></li><li class="chapter-item expanded "><a href="development/cas.html">CAS</a></li></ol></li><li class="chapter-item expanded "><a href="development/room-dag-concepts.html">Room DAG concepts</a></li><li class="chapter-item expanded "><div>State Resolution</div></li><li><ol class="section"><li class="chapter-item expanded "><a href="auth_chain_difference_algorithm.html">The Auth Chain Difference Algorithm</a></li></ol></li><li class="chapter-item expanded "><a href="media_repository.html">Media Repository</a></li><li class="chapter-item expanded "><a href="room_and_user_statistics.html">Room and User Statistics</a></li></ol></li><li class="chapter-item expanded "><div>Scripts</div></li><li class="chapter-item expanded affix "><li class="part-title">Other</li><li class="chapter-item expanded "><a href="deprecation_policy.html">Dependency Deprecation Policy</a></li><li class="chapter-item expanded "><a href="other/running_synapse_on_single_board_computers.html">Running Synapse on a Single-Board Computer</a></li></ol>
</div>
<div id="sidebar-resize-handle" class="sidebar-resize-handle"></div>
</nav>
@@ -919,6 +919,9 @@ reverse proxy is using.</p>
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size 50M;
+
+ # Synapse responses may be chunked, which is an HTTP/1.1 feature.
+ proxy_http_version 1.1;
}
}
</code></pre>
@@ -1155,17 +1158,163 @@ TURN.</p>
allows the homeserver to generate credentials that are valid for use on the
TURN server through the use of a secret shared between the homeserver and the
TURN server.</p>
-<p>The following sections describe how to install <a href="https://github.com/coturn/coturn">coturn</a> (which implements the TURN REST API) and integrate it with synapse.</p>
+<p>This documentation provides two TURN server configuration examples:</p>
+<ul>
+<li><a href="setup/turn/coturn.html">coturn</a></li>
+<li><a href="setup/turn/eturnal.html">eturnal</a></li>
+</ul>
<h2 id="requirements"><a class="header" href="#requirements">Requirements</a></h2>
-<p>For TURN relaying with <code>coturn</code> to work, it must be hosted on a server/endpoint with a public IP.</p>
+<p>For TURN relaying to work, the TURN service must be hosted on a server/endpoint with a public IP.</p>
<p>Hosting TURN behind NAT requires port forwaring and for the NAT gateway to have a public IP.
However, even with appropriate configuration, NAT is known to cause issues and to often not work.</p>
+<p>Afterwards, the homeserver needs some further configuration.</p>
+<h2 id="synapse-setup"><a class="header" href="#synapse-setup">Synapse setup</a></h2>
+<p>Your homeserver configuration file needs the following extra keys:</p>
+<ol>
+<li><a href="usage/configuration/config_documentation.html#turn_uris"><code>turn_uris</code></a></li>
+<li><a href="usage/configuration/config_documentation.html#turn_shared_secret"><code>turn_shared_secret</code></a></li>
+<li><a href="usage/configuration/config_documentation.html#turn_user_lifetime"><code>turn_user_lifetime</code></a></li>
+<li><a href="usage/configuration/config_documentation.html#turn_allow_guests"><code>turn_allow_guests</code></a></li>
+</ol>
+<p>As an example, here is the relevant section of the config file for <code>matrix.org</code>. The
+<code>turn_uris</code> are appropriate for TURN servers listening on the default ports, with no TLS.</p>
+<pre><code>turn_uris: [ "turn:turn.matrix.org?transport=udp", "turn:turn.matrix.org?transport=tcp" ]
+turn_shared_secret: "n0t4ctuAllymatr1Xd0TorgSshar3d5ecret4obvIousreAsons"
+turn_user_lifetime: 86400000
+turn_allow_guests: True
+</code></pre>
+<p>After updating the homeserver configuration, you must restart synapse:</p>
+<ul>
+<li>If you use synctl:
+<pre><code class="language-sh"># Depending on how Synapse is installed, synctl may already be on
+# your PATH. If not, you may need to activate a virtual environment.
+synctl restart
+</code></pre>
+</li>
+<li>If you use systemd:
+<pre><code class="language-sh">systemctl restart matrix-synapse.service
+</code></pre>
+</li>
+</ul>
+<p>... and then reload any clients (or wait an hour for them to refresh their
+settings).</p>
+<h2 id="troubleshooting-2"><a class="header" href="#troubleshooting-2">Troubleshooting</a></h2>
+<p>The normal symptoms of a misconfigured TURN server are that calls between
+devices on different networks ring, but get stuck at "call
+connecting". Unfortunately, troubleshooting this can be tricky.</p>
+<p>Here are a few things to try:</p>
+<ul>
+<li>
+<p>Check that you have opened your firewall to allow TCP and UDP traffic to the
+TURN ports (normally 3478 and 5349).</p>
+</li>
+<li>
+<p>Check that you have opened your firewall to allow UDP traffic to the UDP
+relay ports (49152-65535 by default).</p>
+</li>
+<li>
+<p>Try disabling TLS/DTLS listeners and enable only its (unencrypted)
+TCP/UDP listeners. (This will only leave signaling traffic unencrypted;
+voice & video WebRTC traffic is always encrypted.)</p>
+</li>
+<li>
+<p>Some WebRTC implementations (notably, that of Google Chrome) appear to get
+confused by TURN servers which are reachable over IPv6 (this appears to be
+an unexpected side-effect of its handling of multiple IP addresses as
+defined by
+<a href="https://tools.ietf.org/html/draft-ietf-rtcweb-ip-handling-12"><code>draft-ietf-rtcweb-ip-handling</code></a>).</p>
+<p>Try removing any AAAA records for your TURN server, so that it is only
+reachable over IPv4.</p>
+</li>
+<li>
+<p>If your TURN server is behind NAT:</p>
+<ul>
+<li>
+<p>double-check that your NAT gateway is correctly forwarding all TURN
+ports (normally 3478 & 5349 for TCP & UDP TURN traffic, and 49152-65535 for the UDP
+relay) to the NAT-internal address of your TURN server. If advertising
+both IPv4 and IPv6 external addresses via the <code>external-ip</code> option, ensure
+that the NAT is forwarding both IPv4 and IPv6 traffic to the IPv4 and IPv6
+internal addresses of your TURN server. When in doubt, remove AAAA records
+for your TURN server and specify only an IPv4 address as your <code>external-ip</code>.</p>
+</li>
+<li>
+<p>ensure that your TURN server uses the NAT gateway as its default route.</p>
+</li>
+</ul>
+</li>
+<li>
+<p>Enable more verbose logging, in <code>coturn</code> via the <code>verbose</code> setting:</p>
+<pre><code>verbose
+</code></pre>
+<p>or with <code>eturnal</code> with the shell command <code>eturnalctl loglevel debug</code> or in the configuration file (the service needs to <a href="https://eturnal.net/documentation/#Operation">reload</a> for it to become effective):</p>
+<pre><code class="language-yaml"> ## Logging configuration:
+ log_level: debug
+</code></pre>
+<p>... and then see if there are any clues in its logs.</p>
+</li>
+<li>
+<p>If you are using a browser-based client under Chrome, check
+<code>chrome://webrtc-internals/</code> for insights into the internals of the
+negotiation. On Firefox, check the "Connection Log" on <code>about:webrtc</code>.</p>
+<p>(Understanding the output is beyond the scope of this document!)</p>
+</li>
+<li>
+<p>You can test your Matrix homeserver TURN setup with <a href="https://test.voip.librepush.net/">https://test.voip.librepush.net/</a>.
+Note that this test is not fully reliable yet, so don't be discouraged if
+the test fails.
+<a href="https://github.com/matrix-org/voip-tester">Here</a> is the github repo of the
+source of the tester, where you can file bug reports.</p>
+</li>
+<li>
+<p>There is a WebRTC test tool at
+<a href="https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/">https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/</a>. To
+use it, you will need a username/password for your TURN server. You can
+either:</p>
+<ul>
+<li>
+<p>look for the <code>GET /_matrix/client/r0/voip/turnServer</code> request made by a
+matrix client to your homeserver in your browser's network inspector. In
+the response you should see <code>username</code> and <code>password</code>. Or:</p>
+</li>
+<li>
+<p>Use the following shell commands for <code>coturn</code>:</p>
+<pre><code class="language-sh">secret=staticAuthSecretHere
+
+u=$((`date +%s` + 3600)):test
+p=$(echo -n $u | openssl dgst -hmac $secret -sha1 -binary | base64)
+echo -e "username: $u\npassword: $p"
+</code></pre>
+<p>or for <code>eturnal</code></p>
+<pre><code class="language-sh">eturnalctl credentials
+</code></pre>
+</li>
+<li>
+<p>Or (<strong>coturn only</strong>): Temporarily configure <code>coturn</code> to accept a static
+username/password. To do this, comment out <code>use-auth-secret</code> and
+<code>static-auth-secret</code> and add the following:</p>
+<pre><code>lt-cred-mech
+user=username:password
+</code></pre>
+<p><strong>Note</strong>: these settings will not take effect unless <code>use-auth-secret</code>
+and <code>static-auth-secret</code> are disabled.</p>
+<p>Restart coturn after changing the configuration file.</p>
+<p>Remember to restore the original settings to go back to testing with
+Matrix clients!</p>
+</li>
+</ul>
+<p>If the TURN server is working correctly, you should see at least one <code>relay</code>
+entry in the results.</p>
+</li>
+</ul>
+<div style="break-before: page; page-break-before: always;"></div><h1 id="coturn-turn-server"><a class="header" href="#coturn-turn-server">coturn TURN server</a></h1>
+<p>The following sections describe how to install <a href="https://github.com/coturn/coturn">coturn</a> (which implements the TURN REST API).</p>
<h2 id="coturn-setup"><a class="header" href="#coturn-setup"><code>coturn</code> setup</a></h2>
<h3 id="initial-installation"><a class="header" href="#initial-installation">Initial installation</a></h3>
<p>The TURN daemon <code>coturn</code> is available from a variety of sources such as native package managers, or installation from source.</p>
-<h4 id="debian-installation"><a class="header" href="#debian-installation">Debian installation</a></h4>
+<h4 id="debian-and-ubuntu-based-distributions"><a class="header" href="#debian-and-ubuntu-based-distributions">Debian and Ubuntu based distributions</a></h4>
<p>Just install the debian package:</p>
-<pre><code class="language-sh">apt install coturn
+<pre><code class="language-sh">sudo apt install coturn
</code></pre>
<p>This will install and start a systemd service called <code>coturn</code>.</p>
<h4 id="source-installation"><a class="header" href="#source-installation">Source installation</a></h4>
@@ -1185,7 +1334,7 @@ for this purpose.</p>
<li>
<p>Build and install it:</p>
<pre><code class="language-sh">make
-make install
+sudo make install
</code></pre>
</li>
</ol>
@@ -1207,13 +1356,13 @@ sent to clients as part of the authentication flow.) It is conventional to
set it to be your server name.</p>
</li>
<li>
-<p>You will most likely want to configure coturn to write logs somewhere. The
+<p>You will most likely want to configure <code>coturn</code> to write logs somewhere. The
easiest way is normally to send them to the syslog:</p>
<pre><code class="language-sh">syslog
</code></pre>
<p>(in which case, the logs will be available via <code>journalctl -u coturn</code> on a
-systemd system). Alternatively, coturn can be configured to write to a
-logfile - check the example config file supplied with coturn.</p>
+systemd system). Alternatively, <code>coturn</code> can be configured to write to a
+logfile - check the example config file supplied with <code>coturn</code>.</p>
</li>
<li>
<p>Consider your security settings. TURN lets users request a relay which will
@@ -1286,7 +1435,7 @@ for the UDP relay.)</p>
</li>
<li>
<p>If your TURN server is behind NAT, the NAT gateway must have an external,
-publicly-reachable IP address. You must configure coturn to advertise that
+publicly-reachable IP address. You must configure <code>coturn</code> to advertise that
address to connecting clients:</p>
<pre><code>external-ip=EXTERNAL_NAT_IPv4_ADDRESS
</code></pre>
@@ -1295,7 +1444,7 @@ address that is mapped by NAT to the external address:</p>
<pre><code>listening-ip=INTERNAL_TURNSERVER_IPv4_ADDRESS
</code></pre>
<p>If your NAT gateway is reachable over both IPv4 and IPv6, you may
-configure coturn to advertise each available address:</p>
+configure <code>coturn</code> to advertise each available address:</p>
<pre><code>external-ip=EXTERNAL_NAT_IPv4_ADDRESS
external-ip=EXTERNAL_NAT_IPv6_ADDRESS
</code></pre>
@@ -1309,164 +1458,152 @@ IPv6 address that is mapped by NAT to the external IPv6 address.</p>
<ul>
<li>
<p>If you used the Debian package (or have set up a systemd unit yourself):</p>
-<pre><code class="language-sh">systemctl restart coturn
+<pre><code class="language-sh">sudo systemctl restart coturn
</code></pre>
</li>
<li>
-<p>If you installed from source:</p>
-<pre><code class="language-sh">bin/turnserver -o
+<p>If you built from source:</p>
+<pre><code class="language-sh">/usr/local/bin/turnserver -o
</code></pre>
</li>
</ul>
</li>
</ol>
-<h2 id="synapse-setup"><a class="header" href="#synapse-setup">Synapse setup</a></h2>
-<p>Your homeserver configuration file needs the following extra keys:</p>
+<div style="break-before: page; page-break-before: always;"></div><h1 id="eturnal-turn-server"><a class="header" href="#eturnal-turn-server">eturnal TURN server</a></h1>
+<p>The following sections describe how to install <a href="https://github.com/processone/eturnal">eturnal</a>
+(which implements the TURN REST API).</p>
+<h2 id="eturnal-setup"><a class="header" href="#eturnal-setup"><code>eturnal</code> setup</a></h2>
+<h3 id="initial-installation-1"><a class="header" href="#initial-installation-1">Initial installation</a></h3>
+<p>The <code>eturnal</code> TURN server implementation is available from a variety of sources
+such as native package managers, binary packages, installation from source or
+<a href="https://eturnal.net/documentation/code/docker.html">container image</a>. They are
+all described <a href="https://github.com/processone/eturnal#installation">here</a>.</p>
+<p>Quick-Test instructions in a <a href="https://github.com/processone/eturnal/blob/master/QUICK-TEST.md">Linux Shell</a>
+or with <a href="https://github.com/processone/eturnal/blob/master/docker-k8s/QUICK-TEST.md">Docker</a>
+are available as well.</p>
+<h3 id="configuration-1"><a class="header" href="#configuration-1">Configuration</a></h3>
+<p>After installation, <code>eturnal</code> usually ships a <a href="https://github.com/processone/eturnal/blob/master/config/eturnal.yml">default configuration file</a>
+here: <code>/etc/eturnal.yml</code> (and, if not found there, there is a backup file here:
+<code>/opt/eturnal/etc/eturnal.yml</code>). It uses the (indentation-sensitive!) <a href="https://en.wikipedia.org/wiki/YAML">YAML</a>
+format. The file contains further explanations.</p>
+<p>Here are some hints how to configure eturnal on your <a href="https://github.com/processone/eturnal#configuration">host machine</a>
+or when using e.g. <a href="https://eturnal.net/documentation/code/docker.html">Docker</a>.
+You may also further deep dive into the <a href="https://eturnal.net/documentation/">reference documentation</a>.</p>
+<p><code>eturnal</code> runs out of the box with the default configuration. To enable TURN and
+to integrate it with your homeserver, some aspects in <code>eturnal</code>'s default configuration file
+must be edited:</p>
<ol>
-<li>"<code>turn_uris</code>": This needs to be a yaml list of public-facing URIs
-for your TURN server to be given out to your clients. Add separate
-entries for each transport your TURN server supports.</li>
-<li>"<code>turn_shared_secret</code>": This is the secret shared between your
-homeserver and your TURN server, so you should set it to the same
-string you used in turnserver.conf.</li>
-<li>"<code>turn_user_lifetime</code>": This is the amount of time credentials
-generated by your homeserver are valid for (in milliseconds).
-Shorter times offer less potential for abuse at the expense of
-increased traffic between web clients and your homeserver to
-refresh credentials. The TURN REST API specification recommends
-one day (86400000).</li>
-<li>"<code>turn_allow_guests</code>": Whether to allow guest users to use the
-TURN server. This is enabled by default, as otherwise VoIP will
-not work reliably for guests. However, it does introduce a
-security risk as it lets guests connect to arbitrary endpoints
-without having gone through a CAPTCHA or similar to register a
-real account.</li>
-</ol>
-<p>As an example, here is the relevant section of the config file for <code>matrix.org</code>. The
-<code>turn_uris</code> are appropriate for TURN servers listening on the default ports, with no TLS.</p>
-<pre><code>turn_uris: [ "turn:turn.matrix.org?transport=udp", "turn:turn.matrix.org?transport=tcp" ]
-turn_shared_secret: "n0t4ctuAllymatr1Xd0TorgSshar3d5ecret4obvIousreAsons"
-turn_user_lifetime: 86400000
-turn_allow_guests: True
-</code></pre>
-<p>After updating the homeserver configuration, you must restart synapse:</p>
-<ul>
-<li>If you use synctl:
-<pre><code class="language-sh"># Depending on how Synapse is installed, synctl may already be on
-# your PATH. If not, you may need to activate a virtual environment.
-synctl restart
+<li>
+<p>Homeserver's <a href="setup/turn/../../usage/configuration/config_documentation.html#turn_shared_secret"><code>turn_shared_secret</code></a>
+and eturnal's shared <code>secret</code> for authentication</p>
+<p>Both need to have the same value. Uncomment and adjust this line in <code>eturnal</code>'s
+configuration file:</p>
+<pre><code class="language-yaml">secret: "long-and-cryptic" # Shared secret, CHANGE THIS.
</code></pre>
-</li>
-<li>If you use systemd:
-<pre><code class="language-sh">systemctl restart matrix-synapse.service
+<p>One way to generate a <code>secret</code> is with <code>pwgen</code>:</p>
+<pre><code class="language-sh">pwgen -s 64 1
</code></pre>
</li>
-</ul>
-<p>... and then reload any clients (or wait an hour for them to refresh their
-settings).</p>
-<h2 id="troubleshooting-2"><a class="header" href="#troubleshooting-2">Troubleshooting</a></h2>
-<p>The normal symptoms of a misconfigured TURN server are that calls between
-devices on different networks ring, but get stuck at "call
-connecting". Unfortunately, troubleshooting this can be tricky.</p>
-<p>Here are a few things to try:</p>
-<ul>
-<li>
-<p>Check that you have opened your firewall to allow TCP and UDP traffic to the
-TURN ports (normally 3478 and 5349).</p>
-</li>
-<li>
-<p>Check that you have opened your firewall to allow UDP traffic to the UDP
-relay ports (49152-65535 by default).</p>
-</li>
-<li>
-<p>Try disabling <code>coturn</code>'s TLS/DTLS listeners and enable only its (unencrypted)
-TCP/UDP listeners. (This will only leave signaling traffic unencrypted;
-voice & video WebRTC traffic is always encrypted.)</p>
-</li>
<li>
-<p>Some WebRTC implementations (notably, that of Google Chrome) appear to get
-confused by TURN servers which are reachable over IPv6 (this appears to be
-an unexpected side-effect of its handling of multiple IP addresses as
-defined by
-<a href="https://tools.ietf.org/html/draft-ietf-rtcweb-ip-handling-12"><code>draft-ietf-rtcweb-ip-handling</code></a>).</p>
-<p>Try removing any AAAA records for your TURN server, so that it is only
-reachable over IPv4.</p>
-</li>
-<li>
-<p>If your TURN server is behind NAT:</p>
-<ul>
-<li>
-<p>double-check that your NAT gateway is correctly forwarding all TURN
-ports (normally 3478 & 5349 for TCP & UDP TURN traffic, and 49152-65535 for the UDP
-relay) to the NAT-internal address of your TURN server. If advertising
-both IPv4 and IPv6 external addresses via the <code>external-ip</code> option, ensure
-that the NAT is forwarding both IPv4 and IPv6 traffic to the IPv4 and IPv6
-internal addresses of your TURN server. When in doubt, remove AAAA records
-for your TURN server and specify only an IPv4 address as your <code>external-ip</code>.</p>
-</li>
-<li>
-<p>ensure that your TURN server uses the NAT gateway as its default route.</p>
-</li>
-</ul>
-</li>
-<li>
-<p>Enable more verbose logging in coturn via the <code>verbose</code> setting:</p>
-<pre><code>verbose
+<p>Public IP address</p>
+<p>If your TURN server is behind NAT, the NAT gateway must have an external,
+publicly-reachable IP address. <code>eturnal</code> tries to autodetect the public IP address,
+however, it may also be configured by uncommenting and adjusting this line, so
+<code>eturnal</code> advertises that address to connecting clients:</p>
+<pre><code class="language-yaml">relay_ipv4_addr: "203.0.113.4" # The server's public IPv4 address.
</code></pre>
-<p>... and then see if there are any clues in its logs.</p>
+<p>If your NAT gateway is reachable over both IPv4 and IPv6, you may
+configure <code>eturnal</code> to advertise each available address:</p>
+<pre><code class="language-yaml">relay_ipv4_addr: "203.0.113.4" # The server's public IPv4 address.
+relay_ipv6_addr: "2001:db8::4" # The server's public IPv6 address (optional).
+</code></pre>
+<p>When advertising an external IPv6 address, ensure that the firewall and
+network settings of the system running your TURN server are configured to
+accept IPv6 traffic, and that the TURN server is listening on the local
+IPv6 address that is mapped by NAT to the external IPv6 address.</p>
</li>
<li>
-<p>If you are using a browser-based client under Chrome, check
-<code>chrome://webrtc-internals/</code> for insights into the internals of the
-negotiation. On Firefox, check the "Connection Log" on <code>about:webrtc</code>.</p>
-<p>(Understanding the output is beyond the scope of this document!)</p>
+<p>Logging</p>
+<p>If <code>eturnal</code> was started by systemd, log files are written into the
+<code>/var/log/eturnal</code> directory by default. In order to log to the <a href="https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html">journal</a>
+instead, the <code>log_dir</code> option can be set to <code>stdout</code> in the configuration file.</p>
</li>
<li>
-<p>You can test your Matrix homeserver TURN setup with <a href="https://test.voip.librepush.net/">https://test.voip.librepush.net/</a>.
-Note that this test is not fully reliable yet, so don't be discouraged if
-the test fails.
-<a href="https://github.com/matrix-org/voip-tester">Here</a> is the github repo of the
-source of the tester, where you can file bug reports.</p>
-</li>
-<li>
-<p>There is a WebRTC test tool at
-<a href="https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/">https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/</a>. To
-use it, you will need a username/password for your TURN server. You can
-either:</p>
-<ul>
-<li>
-<p>look for the <code>GET /_matrix/client/r0/voip/turnServer</code> request made by a
-matrix client to your homeserver in your browser's network inspector. In
-the response you should see <code>username</code> and <code>password</code>. Or:</p>
+<p>Security considerations</p>
+<p>Consider your security settings. TURN lets users request a relay which will
+connect to arbitrary IP addresses and ports. The following configuration is
+suggested as a minimum starting point, <a href="https://eturnal.net/documentation/#blacklist">see also the official documentation</a>:</p>
+<pre><code class="language-yaml">## Reject TURN relaying from/to the following addresses/networks:
+blacklist: # This is the default blacklist.
+ - "127.0.0.0/8" # IPv4 loopback.
+ - "::1" # IPv6 loopback.
+ - recommended # Expands to a number of networks recommended to be
+ # blocked, but includes private networks. Those
+ # would have to be 'whitelist'ed if eturnal serves
+ # local clients/peers within such networks.
+</code></pre>
+<p>To whitelist IP addresses or specific (private) networks, you need to <strong>add</strong> a
+whitelist part into the configuration file, e.g.:</p>
+<pre><code class="language-yaml">whitelist:
+ - "192.168.0.0/16"
+ - "203.0.113.113"
+ - "2001:db8::/64"
+</code></pre>
+<p>The more specific, the better.</p>
+</li>
+<li>
+<p>TURNS (TURN via TLS/DTLS)</p>
+<p>Also consider supporting TLS/DTLS. To do this, adjust the following settings
+in the <code>eturnal.yml</code> configuration file (TLS parts should not be commented anymore):</p>
+<pre><code class="language-yaml">listen:
+ - ip: "::"
+ port: 3478
+ transport: udp
+ - ip: "::"
+ port: 3478
+ transport: tcp
+ - ip: "::"
+ port: 5349
+ transport: tls
+
+## TLS certificate/key files (must be readable by 'eturnal' user!):
+tls_crt_file: /etc/eturnal/tls/crt.pem
+tls_key_file: /etc/eturnal/tls/key.pem
+</code></pre>
+<p>In this case, replace the <code>turn:</code> schemes in homeserver's <code>turn_uris</code> settings
+with <code>turns:</code>. More is described <a href="setup/turn/../../usage/configuration/config_documentation.html#turn_uris">here</a>.</p>
+<p>We recommend that you only try to set up TLS/DTLS once you have set up a
+basic installation and got it working.</p>
+<p>NB: If your TLS certificate was provided by Let's Encrypt, TLS/DTLS will
+not work with any Matrix client that uses Chromium's WebRTC library. This
+currently includes Element Android & iOS; for more details, see their
+<a href="https://github.com/vector-im/element-android/issues/1533">respective</a>
+<a href="https://github.com/vector-im/element-ios/issues/2712">issues</a> as well as the underlying
+<a href="https://bugs.chromium.org/p/webrtc/issues/detail?id=11710">WebRTC issue</a>.
+Consider using a ZeroSSL certificate for your TURN server as a working alternative.</p>
</li>
<li>
-<p>Use the following shell commands:</p>
-<pre><code class="language-sh">secret=staticAuthSecretHere
-
-u=$((`date +%s` + 3600)):test
-p=$(echo -n $u | openssl dgst -hmac $secret -sha1 -binary | base64)
-echo -e "username: $u\npassword: $p"
-</code></pre>
-<p>Or:</p>
+<p>Firewall</p>
+<p>Ensure your firewall allows traffic into the TURN server on the ports
+you've configured it to listen on (By default: 3478 and 5349 for TURN
+traffic (remember to allow both TCP and UDP traffic), and ports 49152-65535
+for the UDP relay.)</p>
</li>
<li>
-<p>Temporarily configure coturn to accept a static username/password. To do
-this, comment out <code>use-auth-secret</code> and <code>static-auth-secret</code> and add the
-following:</p>
-<pre><code>lt-cred-mech
-user=username:password
+<p>Reload/ restarting <code>eturnal</code></p>
+<p>Changes in the configuration file require <code>eturnal</code> to reload/ restart, this
+can be achieved by:</p>
+<pre><code class="language-sh">eturnalctl reload
</code></pre>
-<p><strong>Note</strong>: these settings will not take effect unless <code>use-auth-secret</code>
-and <code>static-auth-secret</code> are disabled.</p>
-<p>Restart coturn after changing the configuration file.</p>
-<p>Remember to restore the original settings to go back to testing with
-Matrix clients!</p>
-</li>
-</ul>
-<p>If the TURN server is working correctly, you should see at least one <code>relay</code>
-entry in the results.</p>
+<p><code>eturnal</code> performs a configuration check before actually reloading/ restarting
+and provides hints, if something is not correctly configured.</p>
</li>
-</ul>
+</ol>
+<h3 id="eturnalctl-opterations-script"><a class="header" href="#eturnalctl-opterations-script">eturnalctl opterations script</a></h3>
+<p><code>eturnal</code> offers a handy <a href="https://eturnal.net/documentation/#Operation">operations script</a>
+which can be called e.g. to check, whether the service is up, to restart the service,
+to query how many active sessions exist, to change logging behaviour and so on.</p>
+<p>Hint: If <code>eturnalctl</code> is not part of your <code>$PATH</code>, consider either sym-linking it (e.g. ´ln -s /opt/eturnal/bin/eturnalctl /usr/local/bin/eturnalctl´) or call it from the default <code>eturnal</code> directory directly: e.g. <code>/opt/eturnal/bin/eturnalctl info</code></p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="delegation-of-incoming-federation-traffic"><a class="header" href="#delegation-of-incoming-federation-traffic">Delegation of incoming federation traffic</a></h1>
<p>In the following documentation, we use the term <code>server_name</code> to refer to that setting
in your homeserver configuration file. It appears at the ends of user ids, and tells
@@ -1624,6 +1761,11 @@ dpkg -i matrix-synapse-py3_1.3.0+stretch1_amd64.deb
</code></pre>
</li>
</ul>
+<h1 id="upgrading-to-v1720"><a class="header" href="#upgrading-to-v1720">Upgrading to v1.72.0</a></h1>
+<h2 id="dropping-support-for-postgresql-10"><a class="header" href="#dropping-support-for-postgresql-10">Dropping support for PostgreSQL 10</a></h2>
+<p>In line with our <a href="deprecation_policy.html">deprecation policy</a>, we've dropped
+support for PostgreSQL 10, as it is no longer supported upstream.</p>
+<p>This release of Synapse requires PostgreSQL 11+.</p>
<h1 id="upgrading-to-v1710"><a class="header" href="#upgrading-to-v1710">Upgrading to v1.71.0</a></h1>
<h2 id="removal-of-the-generate_short_term_login_token-module-api-method"><a class="header" href="#removal-of-the-generate_short_term_login_token-module-api-method">Removal of the <code>generate_short_term_login_token</code> module API method</a></h2>
<p>As announced with the release of <a href="upgrade.html#deprecation-of-the-generate_short_term_login_token-module-api-method">Synapse 1.69.0</a>, the deprecated <code>generate_short_term_login_token</code> module method has been removed.</p>
@@ -3303,7 +3445,7 @@ release of Synapse.</p>
private federation, there is a script in the <code>demo</code> directory. This is mainly
useful just for development purposes. See
<a href="https://matrix-org.github.io/synapse/develop/development/demo.html">demo scripts</a>.</p>
-<div style="break-before: page; page-break-before: always;"></div><h1 id="configuration-1"><a class="header" href="#configuration-1">Configuration</a></h1>
+<div style="break-before: page; page-break-before: always;"></div><h1 id="configuration-2"><a class="header" href="#configuration-2">Configuration</a></h1>
<p>This section contains information on tweaking Synapse via the various options in the configuration file. A configuration
file should have been generated when you <a href="usage/configuration/../../setup/installation.html">installed Synapse</a>.</p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="configuring-synapse"><a class="header" href="#configuring-synapse">Configuring Synapse</a></h1>
@@ -6626,6 +6768,20 @@ The main Synapse process defines this with a <code>replication</code> resource i
<pre><code class="language-yaml">worker_replication_http_port: 9093
</code></pre>
<hr />
+<h3 id="worker_replication_http_tls"><a class="header" href="#worker_replication_http_tls"><code>worker_replication_http_tls</code></a></h3>
+<p>Whether TLS should be used for talking to the HTTP replication port on the main
+Synapse process.
+The main Synapse process defines this with the <code>tls</code> option on its <a href="usage/configuration/config_documentation.html#listeners">listener</a> that
+has the <code>replication</code> resource enabled.</p>
+<p><strong>Please note:</strong> by default, it is not safe to expose replication ports to the
+public Internet, even with TLS enabled.
+See <a href="usage/configuration/config_documentation.html#worker_replication_secret"><code>worker_replication_secret</code></a>.</p>
+<p>Defaults to <code>false</code>.</p>
+<p><em>Added in Synapse 1.72.0.</em></p>
+<p>Example configuration:</p>
+<pre><code class="language-yaml">worker_replication_http_tls: true
+</code></pre>
+<hr />
<h3 id="worker_listeners"><a class="header" href="#worker_listeners"><code>worker_listeners</code></a></h3>
<p>A worker can handle HTTP requests. To do so, a <code>worker_listeners</code> option
must be declared, in the same way as the <a href="usage/configuration/config_documentation.html#listeners"><code>listeners</code> option</a>
@@ -10262,9 +10418,10 @@ have different characteristics and so admins
may wish to run multiple groups of workers handling different endpoints so that
load balancing can be done in different ways.</p>
<p>For <code>/sync</code> and <code>/initialSync</code> requests it will be more efficient if all
-requests from a particular user are routed to a single instance. Extracting a
-user ID from the access token or <code>Authorization</code> header is currently left as an
-exercise for the reader. Admins may additionally wish to separate out <code>/sync</code>
+requests from a particular user are routed to a single instance. This can
+be done e.g. in nginx via IP <code>hash $http_x_forwarded_for;</code> or via
+<code>hash $http_authorization consistent;</code> which contains the users access token.</p>
+<p>Admins may additionally wish to separate out <code>/sync</code>
requests that have a <code>since</code> query parameter from those that don't (and
<code>/initialSync</code>), as requests that don't are known as "initial sync" that happens
when a user logs in on a new device and can be <em>very</em> resource intensive, so
@@ -13683,6 +13840,30 @@ for more information.</p>
}
</code></pre>
<p><em>Added in Synapse 1.68.0.</em></p>
+<h3 id="find-a-user-based-on-their-third-party-id-threepid-or-3pid"><a class="header" href="#find-a-user-based-on-their-third-party-id-threepid-or-3pid">Find a user based on their Third Party ID (ThreePID or 3PID)</a></h3>
+<p>The API is:</p>
+<pre><code>GET /_synapse/admin/v1/threepid/$medium/users/$address
+</code></pre>
+<p>When a user matched the given address for the given medium, an HTTP code <code>200</code> with a response body like the following is returned:</p>
+<pre><code class="language-json">{
+ "user_id": "@hello:example.org"
+}
+</code></pre>
+<p><strong>Parameters</strong></p>
+<p>The following parameters should be set in the URL:</p>
+<ul>
+<li><code>medium</code> - Kind of third-party ID, either <code>email</code> or <code>msisdn</code>.</li>
+<li><code>address</code> - Value of the third-party ID.</li>
+</ul>
+<p>The <code>address</code> may have characters that are not URL-safe, so it is advised to URL-encode those parameters.</p>
+<p><strong>Errors</strong></p>
+<p>Returns a <code>404</code> HTTP status code if no user was found, with a response body like this:</p>
+<pre><code class="language-json">{
+ "errcode":"M_NOT_FOUND",
+ "error":"User not found"
+}
+</code></pre>
+<p><em>Added in Synapse 1.72.0.</em></p>
<div style="break-before: page; page-break-before: always;"></div><h1 id="version-api"><a class="header" href="#version-api">Version API</a></h1>
<p>This API returns the running Synapse version and the Python version
on which Synapse is being run. This is useful when a Synapse instance
@@ -14961,7 +15142,16 @@ Here is how to run your local Synapse checkout against your local Complement che
<p>The above will run a monolithic (single-process) Synapse with SQLite as the database. For other configurations, try:</p>
<ul>
<li>Passing <code>POSTGRES=1</code> as an environment variable to use the Postgres database instead.</li>
-<li>Passing <code>WORKERS=1</code> as an environment variable to use a workerised setup instead. This option implies the use of Postgres.</li>
+<li>Passing <code>WORKERS=1</code> as an environment variable to use a workerised setup instead. This option implies the use of Postgres.
+<ul>
+<li>If setting <code>WORKERS=1</code>, optionally set <code>WORKER_TYPES=</code> to declare which worker
+types you wish to test. A simple comma-delimited string containing the worker types
+defined from the <code>WORKERS_CONFIG</code> template in
+<a href="https://github.com/matrix-org/synapse/blob/develop/docker/configure_workers_and_start.py#L54">here</a>.
+A safe example would be <code>WORKER_TYPES="federation_inbound, federation_sender, synchrotron"</code>.
+See the <a href="development/../workers.html">worker documentation</a> for additional information on workers.</li>
+</ul>
+</li>
</ul>
<p>To increase the log level for the tests, set <code>SYNAPSE_TEST_LOG_LEVEL</code>, e.g:</p>
<pre><code class="language-sh">SYNAPSE_TEST_LOG_LEVEL=DEBUG COMPLEMENT_DIR=../complement ./scripts-dev/complement.sh -run TestImportHistoricalMessages
|
