From 1f38e5a58919adb725d9e01f035a87e8f3568e1f Mon Sep 17 00:00:00 2001 From: clokep Date: Thu, 5 Aug 2021 11:20:41 +0000 Subject: deploy: 834cdc3606c9193f7b5a5e93936193b359222690 --- develop/setup/forward_proxy.html | 330 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 330 insertions(+) create mode 100644 develop/setup/forward_proxy.html (limited to 'develop/setup/forward_proxy.html') diff --git a/develop/setup/forward_proxy.html b/develop/setup/forward_proxy.html new file mode 100644 index 0000000000..8b0d6f3517 --- /dev/null +++ b/develop/setup/forward_proxy.html @@ -0,0 +1,330 @@ + + + + + + Configuring a Forward/Outbound Proxy - Synapse + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +
+ + + + + + + + + + + +
+
+ +
+ +
+ +

Using a forward proxy with Synapse

+

You can use Synapse with a forward or outbound proxy. An example of when +this is necessary is in corporate environments behind a DMZ (demilitarized zone). +Synapse supports routing outbound HTTP(S) requests via a proxy. Only HTTP(S) +proxy is supported, not SOCKS proxy or anything else.

+

Configure

+

The http_proxy, https_proxy, no_proxy environment variables are used to +specify proxy settings. The environment variable is not case sensitive.

+
    +
  • http_proxy: Proxy server to use for HTTP requests.
    • +
  • https_proxy: Proxy server to use for HTTPS requests.
    • +
  • no_proxy: Comma-separated list of hosts, IP addresses, or IP ranges in CIDR +format which should not use the proxy. Synapse will directly connect to these hosts.
    • +
+

The http_proxy and https_proxy environment variables have the form: [scheme://][<username>:<password>@]<host>[:<port>]

+
    +
  • +

    Supported schemes are http:// and https://. The default scheme is http:// +for compatibility reasons; it is recommended to set a scheme. If scheme is set +to https:// the connection uses TLS between Synapse and the proxy.

    +

    NOTE: Synapse validates the certificates. If the certificate is not +valid, then the connection is dropped.

    +
    • +
  • +

    Default port if not given is 1080.

    +
    • +
  • +

    Username and password are optional and will be used to authenticate against +the proxy.

    +
    • +
+

Examples

+
    +
  • HTTP_PROXY=http://USERNAME:PASSWORD@10.0.1.1:8080/
    • +
  • HTTPS_PROXY=http://USERNAME:PASSWORD@proxy.example.com:8080/
    • +
  • NO_PROXY=master.hostname.example.com,10.1.0.0/16,172.30.0.0/16
    • +
+

NOTE: +Synapse does not apply the IP blacklist to connections through the proxy (since +the DNS resolution is done by the proxy). It is expected that the proxy or firewall +will apply blacklisting of IP addresses.

+

Connection types

+

The proxy will be used for:

+
    +
  • push
    • +
  • url previews
    • +
  • phone-home stats
    • +
  • recaptcha validation
    • +
  • CAS auth validation
    • +
  • OpenID Connect
    • +
  • Federation (checking public key revocation)
    • +
+

It will not be used for:

+
    +
  • Application Services
    • +
  • Identity servers
    • +
  • Outbound federation
    • +
  • In worker configurations +
      +
    • connections between workers
      • +
    • connections from workers to Redis
      • +
    +
    • +
  • Fetching public keys of other servers
    • +
  • Downloading remote media
    • +
+

Troubleshooting

+

If a proxy server is used with TLS (HTTPS) and no connections are established, +it is most likely due to the proxy's certificates. To test this, the validation +in Synapse can be deactivated.

+

NOTE: This has an impact on security and is for testing purposes only!

+

To deactivate the certificate validation, the following setting must be made in +homserver.yaml.

+
use_insecure_ssl_client_just_for_testing_do_not_use: true
+
+ +
+ + +
+
+ + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file -- cgit 1.5.1