| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| | |
|
| |
|
|
| |
The expected use case is to suppress MAU limiting on small instances
|
| |
|
|
|
| |
Add a linting script that enforces all boolean values in the default config be lowercase.
This has annoyed me for a while so I decided to fix it.
|
| |
|
| |
Added database owner authentication with `sudo` when `su` does not work
|
| |
|
| |
Now, the CAS server can return an attribute stating what's the desired displayname, instead of using the username directly.
|
| |\ |
|
| | | |
|
| | | |
|
| | |
| |
| |
| | |
configured (#6090)
|
| |\ \
| | |
| | |
| | | |
erikj/cleanup_user_ips_2
|
| | |\ \ |
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Second part of solving #6076
Fixes #6076
We return a submit_url parameter on calls to POST */msisdn/requestToken so that clients know where to submit token information to.
|
| | | |\ \
| | | | |
| | | | | |
Make the sample saml config closer to our standards
|
| | | | |\ \ |
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Uses a SimpleHttpClient instance equipped with the federation_ip_range_blacklist list for requests to identity servers provided by user input. Does not use a blacklist when contacting identity servers specified by account_threepid_delegates. The homeserver trusts the latter and we don't want to prevent homeserver admins from specifying delegates that are on internal IP addresses.
Fixes #5935
|
| | |\ \ \ \ \
| | | |_|/ /
| | |/| | | |
|
| | | |_|/ /
| |/| | |
| | | | |
| | | | |
| | | | |
| | | | | |
We want to assign unique mxids to saml users based on an incrementing
suffix. For that to work, we need to record the allocated mxid in a separate
table.
|
| | | |_|/
| |/| |
| | | |
| | | | |
It' still not great, thanks to the nested dictionaries, but it's better.
|
| | | | | |
|
| | |_|/
|/| |
| | |
| | | |
Defaults to pruning everything older than 28d.
|
| | | | |
|
| | |/
|/| |
|
| | |
| |
| |
| | |
this was apparently broken by #6040.
|
| | |
| |
| |
| |
| | |
Converting some of the rst documentation to markdown. Attempted to
preserve whitespace and line breaks to minimize cosmetic change.
|
| | | |
|
| | |
| |
| | |
This PR adds the optional `report_stats_endpoint` to configure where stats are reported to, if enabled.
|
| | | |
|
| | | |
|
| |\ \
| | |
| | | |
Censor redactions in DB after a month
|
| | | | |
|
| | |\ \
| | | |
| | | |
| | | | |
erikj/censor_redactions
|
| | | | | |
|
| | | | | |
|
| | |/ /
|/| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
server to handle 3pid validation (#5987)
This is a combination of a few different PRs, finally all being merged into `develop`:
* #5875
* #5876
* #5868 (This one added the `/versions` flag but the flag itself was actually [backed out](https://github.com/matrix-org/synapse/commit/891afb57cbdf9867f2848341b29c75d6f35eef5a#diff-e591d42d30690ffb79f63bb726200891) in #5969. What's left is just giving /versions access to the config file, which could be useful in the future)
* #5835
* #5969
* #5940
Clients should not actually use the new registration functionality until https://github.com/matrix-org/synapse/pull/5972 is merged.
UPGRADE.rst, changelog entries and config file changes should all be reviewed closely before this PR is merged.
|
| |/ /
| |
| | |
Previously the stats were not being correctly populated.
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Template config files
* Imagine a system composed entirely of x, y, z etc and the basic operations..
Wait George, why XOR? Why not just neq?
George: Eh, I didn't think of that..
Co-Authored-By: Erik Johnston <erik@matrix.org>
|
| | | |
|
| |\ \
| | |
| | | |
Add GET method to admin API /users/@user:dom/admin
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Olivier Wilkinson (reivilibre) <olivier@librepush.net>
|
| |\ \ \
| |/ /
|/| | |
Add config option to sign remote key query responses with a separate key.
|
| | | | |
|
| | |/
| |
| |
| |
| | |
This allows servers to separate keys that are used to sign remote keys
when acting as a notary server.
|
| | |
| |
| | |
Admin API: Set adminship of a user
|
| | |
| |
| |
| |
| | |
Propagate opentracing contexts through EDUs
Co-Authored-By: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
|
| |/ |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
The `expire_access_token` didn't do what it sounded like it should do. What it
actually did was make Synapse enforce the 'time' caveat on macaroons used as
access tokens, but since our access token macaroons never contained such a
caveat, it was always a no-op.
(The code to add 'time' caveats was removed back in v0.18.5, in #1656)
|
| | |
|
| |
|
|
|
|
| |
* Allow Jaeger to be configured
* Update sample config
|
| | |
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Opentracing survival guide
* Update decorator names in doc
* Doc cleanup
These are all alterations as a result of comments in #5703, it
includes mostly typos and clarifications. The most interesting
changes are:
- Split developer and user docs into two sections
- Add a high level description of OpenTracing
* newsfile
* Move contributer specific info to docstring.
* Sample config.
* Trailing whitespace.
* Update 5703.misc
* Apply suggestions from code review
Mostly just rewording parts of the docs for clarity.
Co-Authored-By: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
|
| |/
|
|
|
| |
A few fixes and removal of duplicated stuff, but mostly a bunch of the words on the config file.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Clean up config settings and dead code.
This is mostly about cleaning up the config format, to bring it into line with our conventions. In particular:
* There should be a blank line after `## Section ##' headings
* There should be a blank line between each config setting
* There should be a `#`-only line between a comment and the setting it describes
* We don't really do the `# #` style commenting-out of whole sections if we can help it
* rename `tracer_enabled` to `enabled`
While we're here, do more config parsing upfront, which makes it easier to use
later on.
Also removes redundant code from LogContextScopeManager.
Also changes the changelog fragment to a `feature` - it's exciting!
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is basically a contrived way of adding a `Recommends` on `libpq5`, to fix #5653.
The way this is supposed to happen in debhelper is to run
`dh_shlibdeps`, which in turn runs `dpkg-shlibdeps`, which spits things out
into `debian/<package>.substvars` whence they can later be included by
`control`.
Previously, we had disabled `dh_shlibdeps`, mostly because `dpkg-shlibdeps`
gets confused about PIL's interdependent objects, but that's not really the
right thing to do and there is another way to work around that.
Since we don't always use postgres, we don't necessarily want a hard Depends on
libpq5, so I've actually ended up adding an explicit invocation of
`dpkg-shlibdeps` for `psycopg2`.
I've also updated the build-depends list for the package, which was missing a
couple of entries.
|
| |
|
|
| |
Record how long an access token is valid for, and raise a soft-logout once it
expires.
|
| |
|
|
|
| |
Updates reverse_proxy.rst with information about nginx' URI normalisation.
|
| |
|
|
|
| |
Added that synapse_user needs a database to access before it can auth
Noted you'll need to enable password auth, linked to pg_hba.conf docs
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Configure and initialise tracer
Includes config options for the tracer and sets up JaegerClient.
* Scope manager using LogContexts
We piggy-back our tracer scopes by using log context.
The current log context gives us the current scope. If new scope is
created we create a stack of scopes in the context.
* jaeger is a dependency now
* Carrier inject and extraction for Twisted Headers
* Trace federation requests on the way in and out.
The span is created in _started_processing and closed in
_finished_processing because we need a meaningful log context.
* Create logcontext for new scope.
Instead of having a stack of scopes in a logcontext we create a new
context for a new scope if the current logcontext already has a scope.
* Remove scope from logcontext if logcontext is top level
* Disable tracer if not configured
* typo
* Remove dependence on jaeger internals
* bools
* Set service name
* :Explicitely state that the tracer is disabled
* Black is the new black
* Newsfile
* Code style
* Use the new config setup.
* Generate config.
* Copyright
* Rename config to opentracing
* Remove user whitelisting
* Empty whitelist by default
* User ConfigError instead of RuntimeError
* Use isinstance
* Use tag constants for opentracing.
* Remove debug comment and no need to explicitely record error
* Two errors a "s(c)entry"
* Docstrings!
* Remove debugging brainslip
* Homeserver Whitlisting
* Better opentracing config comment
* linting
* Inclue worker name in service_name
* Make opentracing an optional dependency
* Neater config retreival
* Clean up dummy tags
* Instantiate tracing as object instead of global class
* Inlcude opentracing as a homeserver member.
* Thread opentracing to the request level
* Reference opetnracing through hs
* Instantiate dummy opentracin g for tests.
* About to revert, just keeping the unfinished changes just in case
* Revert back to global state, commit number:
9ce4a3d9067bf9889b86c360c05ac88618b85c4f
* Use class level methods in tracerutils
* Start and stop requests spans in a place where we
have access to the authenticated entity
* Seen it, isort it
* Make sure to close the active span.
* I'm getting black and blue from this.
* Logger formatting
Co-Authored-By: Erik Johnston <erik@matrix.org>
* Outdated comment
* Import opentracing at the top
* Return a contextmanager
* Start tracing client requests from the servlet
* Return noop context manager if not tracing
* Explicitely say that these are federation requests
* Include servlet name in client requests
* Use context manager
* Move opentracing to logging/
* Seen it, isort it again!
* Ignore twisted return exceptions on context exit
* Escape the scope
* Scopes should be entered to make them useful.
* Nicer decorator names
* Just one init, init?
* Don't need to close something that isn't open
* Docs make you smarter
|
| | |
|
| |\ |
|
| | |
| |
| |
| | |
federation (#5550)
|
| | |
| |
| |
| |
| | |
Signed-off-by: Daniel Hoffend <dh@dotlan.net>
|
| | |
| |
| | |
Helps address #5444
|
| | |\
| | |
| | | |
Update HAProxy example rules
|
| | | |
| | |
| | | |
These new rules allow a user to instead route only matrix traffic, allowing them to run matrix on the domain without affecting their existing websites
|
| | | | |
|
| |/ / |
|
| |\ \
| | |
| | |
| | |
| | |
| | | |
* master:
Fix broken link in MSC1711 FAQ
Update changelog to better expain password reset change (#5545)
|
| | | | |
|
| | | |
| | |
| | |
| | |
| | | |
Fixes #5533
Adds information about how to install and run black on the codebase.
|
| |\ \ \
| | | |
| | | | |
Add --data-dir and --open-private-ports options.
|
| | | | |
| | | |
| | | |
| | | | |
This is helpful when generating a config file for running synapse under docker.
|
| |\ \ \ \
| |/ / /
|/| | | |
Split public rooms directory auth config in two
|
| | | | | |
|
| |/ / /
| | |
| | |
| | |
| | | |
Because sticking it in the same place as the config isn't necessarily the right
thing to do.
|
| | | |
| | |
| | | |
This has no useful purpose on python3, and is generally a source of confusion.
|
| | | |
| | |
| | |
| | |
| | | |
E_TOO_MANY_NEGATIVES
Co-Authored-By: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
|
| | | | |
|
| | | | |
|
| | | | |
|
| |\ \ \
| |/ /
|/| | |
Allow server admins to define implementations of extra rules for allowing or denying incoming events
|
| | | | |
|
| |/ /
| |
| |
| | |
Add FAQ questions to federate.md. Add a health warning making it clear that the 1711 upgrade FAQ is now out of date.
|
| | |
| |
| |
| | |
Set default room version to v4.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
identity server (#5377)
Sends password reset emails from the homeserver instead of proxying to the identity server. This is now the default behaviour for security reasons. If you wish to continue proxying password reset requests to the identity server you must now enable the email.trust_identity_server_for_password_resets option.
This PR is a culmination of 3 smaller PRs which have each been separately reviewed:
* #5308
* #5345
* #5368
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
There are a few changes going on here:
* We make checking the signature on a key server response optional: if no
verify_keys are specified, we trust to TLS to validate the connection.
* We change the default config so that it does not require responses to be
signed by the old key.
* We replace the old 'perspectives' config with 'trusted_key_servers', which
is also formatted slightly differently.
* We emit a warning to the logs every time we trust a key server response
signed by the old key.
|
| | |
| |
| |
| | |
1.0 upgrade/install notes
|
| |\ \ |
|
| | | |
| | |
| | |
| | | |
fixes #4951
|
| | | |
| | |
| | |
| | | |
Improve documentation of monthly active user blocking and mau_trial_days
|
| |/ / |
|
| |\ \
| | |
| | | |
Allow configuring a range for the account validity startup job
|
| | | | |
|
| | | | |
|
| | | | |
|
| | | | |
|
| |\ \ \
| | | |
| | | | |
Specify the type of reCAPTCHA key to use (#5013)
|
| | | | |
| | | |
| | | |
| | | | |
Signed-off-by: Aaron Raimist <aaron@raim.ist>
|
| | | | | |
|
| |/ / /
| | |
| | |
| | | |
Signed-off-by: Aaron Raimist <aaron@raim.ist>
|
| | | | |
|
| | | |
| | |
| | |
| | |
| | | |
Replaces DEFAULT_ROOM_VERSION constant with a method that first checks the config, then returns a hardcoded value if the option is not present.
That hardcoded value is now located in the server.py config file.
|
| | |/
|/| |
|
| |\|
| |
| |
| |
| | |
matrix-org/babolivier/account_validity_expiration_date
Add startup background job for account validity
|
| | | |
|
| |\ \
| |/
|/| |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
* Stop telling people to install the optional dependencies.
They're optional.
Also update the postgres docs a bit for clarity(?)
|
| | | |
|
| | | |
|
| |/ |
|
| |
|
| |
Signed-off-by: Gergely Polonkai <gergely@polonkai.eu>
|
| |
|
|
|
|
|
|
| |
* Add AllowEncodedSlashes to apache
Add `AllowEncodedSlashes On` to apache config to support encoding for v3 rooms. "The AllowEncodedSlashes setting is not inherited by virtual hosts, and virtual hosts are used in many default Apache configurations, such as the one in Ubuntu. The workaround is to add the AllowEncodedSlashes setting inside a <VirtualHost> container (/etc/apache2/sites-available/default in Ubuntu)." Source: https://stackoverflow.com/questions/4390436/need-to-allow-encoded-slashes-on-apache
* change allowencodedslashes to nodecode
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CS API (#5083)
This commit adds two config options:
* `restrict_public_rooms_to_local_users`
Requires auth to fetch the public rooms directory through the CS API and disables fetching it through the federation API.
* `require_auth_for_profile_requests`
When set to `true`, requires that requests to `/profile` over the CS API are authenticated, and only returns the user's profile if the requester shares a room with the profile's owner, as per MSC1301.
MSC1301 also specifies a behaviour for federation (only returning the profile if the server asking for it shares a room with the profile's owner), but that's currently really non-trivial to do in a not too expensive way. Next step is writing down a MSC that allows a HS to specify which user sent the profile query. In this implementation, Synapse won't send a profile query over federation if it doesn't believe it already shares a room with the profile's owner, though.
Groups have been intentionally omitted from this commit.
|
| |
|
|
|
|
|
|
|
| |
This endpoint isn't much use for its intended purpose if you first need to get
yourself an admin's auth token.
I've restricted it to the `/_synapse/admin` path to make it a bit easier to
lock down for those concerned about exposing this information. I don't imagine
anyone is using it in anger currently.
|
| | |
|
| |
|
|
| |
... after it got broken in 1565ebec2c.
|
| |\ |
|
| | | |
|
| | | |
|
| | | |
|
| |\ \
| | |
| | | |
Add some limitations to alias creation
|
| | | | |
|
| | | | |
|
| |/ / |
|
| |\ \
| | |
| | | |
Fix path in account validity admin route's doc
|
| | | | |
|
| | | | |
|
| |/ / |
|
| |\ \
| | |
| | |
| | | |
babolivier/account_expiration
|
| | |\ \
| | | |
| | | | |
Send out emails with links to extend an account's validity period
|
| | |\ \ \
| | | | |
| | | | | |
Move some rest endpoints to client reader
|
| | | | | | |
|
| | | | | | |
|
| | |\ \ \ \
| | | | | |
| | | | | | |
Add time-based account expiration
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | | |
add context to phonehome stats
|
| | | |/ / /
| |/| | | |
|
| | | |_|/
| |/| | |
|
| | |_|/
|/| | |
|
| | |/
|/| |
|
| |/ |
|
| |
|
|
|
| |
Adds a new method, check_3pid_auth, which gives password providers
the chance to allow authentication with third-party identifiers such
as email or msisdn.
|
| | |
|
| |
|
|
|
| |
This one should close #4841. Many thanks to @dev4223 for bringing it up and finding a solution.
Signed-off-by: Colin White
|
| |\
| |
| | |
Add option to disable search room lists
|
| | | |
|
| | |
| |
| |
| | |
This disables both local and remote room list searching.
|
| |\ \
| | |
| | | |
Add option to disable searching in the user dir
|
| | | | |
|
| | |/ |
|
| |/
|
|
| |
Rate-limit outgoing read-receipts as per #4730.
|
| | |
|
| |\ |
|
| | | |
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Make it so that most options in the config are optional, and commented out in
the generated config.
The reasons this is a good thing are as follows:
* If we decide that we should change the default for an option, we can do so,
and only those admins that have deliberately chosen to override that option
will be stuck on the old setting.
* It moves us towards a point where we can get rid of the super-surprising
feature of synapse where the default settings for the config come from the
generated yaml.
* It makes setting up a test config for unit testing an order of magnitude
easier (see forthcoming PR).
* It makes the generated config more consistent, and hopefully easier for users
to understand.
|
| | | |
|
| | |
| |
| | |
Add two ratelimiters on login (per-IP address and per-userID).
|
| | | |
|
| |\| |
|
| | | |
|
| | |
| |
| |
| |
| | |
Improved federation configuration docs. Specifically detailing .well-known and SRV based delegation methods.
Inspiration Valentin Lab <valentin.lab@kalysto.org> for https://github.com/matrix-org/synapse/pull/4781
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Clarify what registration_shared_secret allows for (#2885)
Signed-off-by: Aaron Raimist <aaron@raim.ist>
* Add changelog
Signed-off-by: Aaron Raimist <aaron@raim.ist>
|
| | | |
|
| | | |
|
| |\ \
| | |
| | | |
Add 'server_version' endpoint to admin API
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Joseph Weston <joseph@weston.cloud>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* Rate-limiting for registration
* Add unit test for registration rate limiting
* Add config parameters for rate limiting on auth endpoints
* Doc
* Fix doc of rate limiting function
Co-Authored-By: babolivier <contact@brendanabolivier.com>
* Incorporate review
* Fix config parsing
* Fix linting errors
* Set default config for auth rate limiting
* Fix tests
* Add changelog
* Advance reactor instead of mocked clock
* Move parameters to registration specific config and give them more sensible default values
* Remove unused config options
* Don't mock the rate limiter un MAU tests
* Rename _register_with_store into register_with_store
* Make CI happy
* Remove unused import
* Update sample config
* Fix ratelimiting test for py2
* Add non-guest test
|
| |\ \ \
| | | |
| | | | |
Allow /keys/{changes,query} API to run on worker
|
| | | | | |
|
| |/ / / |
|
| |/ /
| |
| |
| |
| | |
The v4v6 option only has a usage one ipv6 socket: https://serverfault.com/q/747895
Signed-off-by: Flakebi <flakebi@t-online.de>
|
| |\ \
| | |
| | | |
Move /account/3pid to client_reader
|
| | | | |
|
| |/ / |
|
| |\ \
| |/
|/| |
Fix tightloop over connecting to replication server
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
If the client failed to process incoming commands during the initial set
up of the replication connection it would immediately disconnect and
reconnect, resulting in a tightloop.
This can happen, for example, when subscribing to a stream that has a
row that is too long in the backlog.
The fix here is to not consider the connection successfully set up until
the client has succesfully subscribed and caught up with the streams.
This ensures that the retry logic timers aren't reset until then,
meaning that if an error does happen during start up the client will
continue backing off before retrying again.
|
| |/
|
|
|
| |
So that it actually works. See https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypass
Signed-off-by: Paul Tötterman <paul.totterman@iki.fi>
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
* Added HAProxy example
Proposal of an example with HAProxy. Asked by #4541.
Signed-off-by: Benoît S. (“Benpro”) <gitlab@benpro.fr>
* Following suggestions of @richvdh
|
| |\
| |
| | |
Batch cache invalidation over replication
|
| | | |
|
| | | |
|
| |/ |
|
| | |
|
| |\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Synapse 0.99.1 (2019-02-14)
===========================
Features
--------
- Include m.room.encryption on invites by default ([\#3902](https://github.com/matrix-org/synapse/issues/3902))
- Federation OpenID listener resource can now be activated even if federation is disabled ([\#4420](https://github.com/matrix-org/synapse/issues/4420))
- Synapse's ACME support will now correctly reprovision a certificate that approaches its expiry while Synapse is running. ([\#4522](https://github.com/matrix-org/synapse/issues/4522))
- Add ability to update backup versions ([\#4580](https://github.com/matrix-org/synapse/issues/4580))
- Allow the "unavailable" presence status for /sync.
This change makes Synapse compliant with r0.4.0 of the Client-Server specification. ([\#4592](https://github.com/matrix-org/synapse/issues/4592))
- There is no longer any need to specify `no_tls`: it is inferred from the absence of TLS listeners ([\#4613](https://github.com/matrix-org/synapse/issues/4613), [\#4615](https://github.com/matrix-org/synapse/issues/4615), [\#4617](https://github.com/matrix-org/synapse/issues/4617), [\#4636](https://github.com/matrix-org/synapse/issues/4636))
- The default configuration no longer requires TLS certificates. ([\#4614](https://github.com/matrix-org/synapse/issues/4614))
Bugfixes
--------
- Copy over room federation ability on room upgrade. ([\#4530](https://github.com/matrix-org/synapse/issues/4530))
- Fix noisy "twisted.internet.task.TaskStopped" errors in logs ([\#4546](https://github.com/matrix-org/synapse/issues/4546))
- Synapse is now tolerant of the `tls_fingerprints` option being None or not specified. ([\#4589](https://github.com/matrix-org/synapse/issues/4589))
- Fix 'no unique or exclusion constraint' error ([\#4591](https://github.com/matrix-org/synapse/issues/4591))
- Transfer Server ACLs on room upgrade. ([\#4608](https://github.com/matrix-org/synapse/issues/4608))
- Fix failure to start when not TLS certificate was given even if TLS was disabled. ([\#4618](https://github.com/matrix-org/synapse/issues/4618))
- Fix self-signed cert notice from generate-config. ([\#4625](https://github.com/matrix-org/synapse/issues/4625))
- Fix performance of `user_ips` table deduplication background update ([\#4626](https://github.com/matrix-org/synapse/issues/4626), [\#4627](https://github.com/matrix-org/synapse/issues/4627))
Internal Changes
----------------
- Change the user directory state query to use a filtered call to the db instead of a generic one. ([\#4462](https://github.com/matrix-org/synapse/issues/4462))
- Reject federation transactions if they include more than 50 PDUs or 100 EDUs. ([\#4513](https://github.com/matrix-org/synapse/issues/4513))
- Reduce duplication of ``synapse.app`` code. ([\#4567](https://github.com/matrix-org/synapse/issues/4567))
- Fix docker upload job to push -py2 images. ([\#4576](https://github.com/matrix-org/synapse/issues/4576))
- Add port configuration information to ACME instructions. ([\#4578](https://github.com/matrix-org/synapse/issues/4578))
- Update MSC1711 FAQ to calrify .well-known usage ([\#4584](https://github.com/matrix-org/synapse/issues/4584))
- Clean up default listener configuration ([\#4586](https://github.com/matrix-org/synapse/issues/4586))
- Clarifications for reverse proxy docs ([\#4607](https://github.com/matrix-org/synapse/issues/4607))
- Move ClientTLSOptionsFactory init out of `refresh_certificates` ([\#4611](https://github.com/matrix-org/synapse/issues/4611))
- Fail cleanly if listener config lacks a 'port' ([\#4616](https://github.com/matrix-org/synapse/issues/4616))
- Remove redundant entries from docker config ([\#4619](https://github.com/matrix-org/synapse/issues/4619))
- README updates ([\#4621](https://github.com/matrix-org/synapse/issues/4621))
|
| | |
| |
| |
| |
| |
| |
| | |
Factor out the reverse proxy info to a separate file, add some more info on
reverse-proxying the federation port.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
A surprising number of people are using the well-known method, and are
simply copying the example configuration. This is problematic as the
example includes an explicit port, which causes inbound federation
requests to have the HTTP Host header include the port, upsetting some
reverse proxies.
Given that, we update the well-known example to be more explicit about
the various ways you can set it up, and the consequence of using an
explict port.
|
| | |
| |
| | |
Fix incorrect heading level
|
| | | |
|
| |\| |
|
| | |\ |
|
| | | | |
|
| | | | |
|
| |/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
A surprising number of people are using the well-known method, and are
simply copying the example configuration. This is problematic as the
example includes an explicit port, which causes inbound federation
requests to have the HTTP Host header include the port, upsetting some
reverse proxies.
Given that, we update the well-known example to be more explicit about
the various ways you can set it up, and the consequence of using an
explict port.
|
| |/ |
|
| | |
|
| |\
| |
| | |
Add ACME docs and link to it from README and INSTALL
|
| | | |
|
| | |\
| | |
| | |
| | | |
into anoa/self_signed_upgrade
|
| | | |
| | |
| | | |
Co-Authored-By: anoadragon453 <1342360+anoadragon453@users.noreply.github.com>
|
| | |/ |
|
| | | |
|
| | | |
|
| | | |
|
| |/
|
|
|
| |
MSC1711 certificates FAQ
|
| |
|
|
|
|
|
|
|
|
|
| |
* Remove mention of lt-cred-mech in the sample coturn config.
See https://github.com/coturn/coturn/pull/262 for more context.
Also clean up some minor formatting issues while I'm here.
* Add changelog.
Signed-off-by: Krithin Sitaram <krithin@gmail.com>
|
| |
|
|
|
|
| |
Allow for the creation of a support user.
A support user can access the server, join rooms, interact with other users, but does not appear in the user directory nor does it contribute to monthly active user limits.
|
| |
|
|
|
|
|
|
|
|
| |
* Some words about garbage collections and logcontexts
* Do a GC after each test to fix logcontext leaks
This feels like an awful hack, but...
* changelog
|
| |
|
|
|
|
| |
People keep asking why their database hasn't gotten smaller after using this API.
Signed-off-by: Aaron Raimist <aaron@raim.ist>
|
| |
|
|
| |
So people can still collect consent the old way if they want to.
|
| | |
|
| |\
| |
| | |
Reference that the federation_reader needs the HTTP replication port set
|
| | | |
|
| |\ \
| |/
|/| |
Allow profile updates to happen on workers
|
| | |\
| | |
| | |
| | | |
erikj/split_profiles
|
| | | | |
|
| | |/
|/| |
|
| | |
| |
| | |
Presumably this is the intention anyways. I've also updated the domain part to be something more along the lines of what people might expect.
|
| |/ |
|
| |\
| |
| |
| | |
erikj/client_apis_move
|
| | | |
|
| |/ |
|
| | |
|
| | |
|
| |\
| |
| | |
doc/postgres.rst: fix display of the last command block
|
| | |
| |
| | |
Also indent all of them with 4 spaces.
|
| | | |
|
| | | |
|
| |/
|
|
| |
They still can't reject invites, but we let them leave it.
|
| |
|
|
| |
probably should have done this in the first place, like @turt2live suggested.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
fixes #3260
|
| |\ |
|
| | |
| |
| |
| | |
the final step
|
| |/
|
|
|
| |
Hopefully there are enough comments and docs in this that it makes sense on its
own.
|
