From 66dc75ec0555669b38b5446df40ddadcd76ef70c Mon Sep 17 00:00:00 2001 From: erikjohnston Date: Wed, 14 Sep 2022 20:25:14 +0000 Subject: deploy: 80bb098d8775cc2ad1bf5abd150913577e643481 --- .../usage/configuration/config_documentation.html | 177 ++++++++++++--------- 1 file changed, 103 insertions(+), 74 deletions(-) (limited to 'latest/usage/configuration/config_documentation.html') diff --git a/latest/usage/configuration/config_documentation.html b/latest/usage/configuration/config_documentation.html index 89e2bc44db..b2efcc4050 100644 --- a/latest/usage/configuration/config_documentation.html +++ b/latest/usage/configuration/config_documentation.html @@ -76,7 +76,7 @@ @@ -481,9 +481,6 @@ configuration.

  • metrics: (see the docs here),

    • -
  • -

    replication: (deprecated as of Synapse 1.18, see the docs here).

    -
  • @@ -645,6 +642,7 @@ hs_disabled_message: 'Reason for why the HS is blocked' server owner wants to limit to the number of monthly active users. When enabled and a limit is reached the server returns a ResourceLimitError with error type Codes.RESOURCE_LIMIT_EXCEEDED. Defaults to false. If this is enabled, a value for max_mau_value must also be set.

    +

    See Monthly Active Users for details on how to configure MAU.

    Example configuration:

    limit_usage_by_mau: true
    @@ -1713,23 +1711,25 @@ should be in the form of providers.json). By default this list is empty.

    See here for full details on setting up captcha.

    recaptcha_public_key

    -

    This homeserver's ReCAPTCHA public key. Must be specified if enable_registration_captcha is -enabled.

    +

    This homeserver's ReCAPTCHA public key. Must be specified if +enable_registration_captcha is enabled.

    Example configuration:

    recaptcha_public_key: "YOUR_PUBLIC_KEY"

    recaptcha_private_key

    -

    This homeserver's ReCAPTCHA private key. Must be specified if enable_registration_captcha is +

    This homeserver's ReCAPTCHA private key. Must be specified if +enable_registration_captcha is enabled.

    Example configuration:

    recaptcha_private_key: "YOUR_PRIVATE_KEY"

    enable_registration_captcha

    -

    Set to true to enable ReCaptcha checks when registering, preventing signup -unless a captcha is answered. Requires a valid ReCaptcha public/private key. -Defaults to false.

    +

    Set to true to require users to complete a CAPTCHA test when registering an account. +Requires a valid ReCaptcha public/private key. +Defaults to false.

    +

    Note that enable_registration must also be set to allow account registration.

    Example configuration:

    enable_registration_captcha: true
    @@ -1781,69 +1781,34 @@ it allows users to connect to arbitrary endpoints without having first signed up

    Registration can be rate-limited using the parameters in the Ratelimiting section of this manual.

    enable_registration

    -

    Enable registration for new users. Defaults to false. It is highly recommended that if you enable registration, -you use either captcha, email, or token-based verification to verify that new users are not bots. In order to enable registration -without any verification, you must also set enable_registration_without_verification to true.

    +

    Enable registration for new users. Defaults to false.

    +

    It is highly recommended that if you enable registration, you set one or more +or the following options, to avoid abuse of your server by "bots":

    + +

    (In order to enable registration without any verification, you must also set +enable_registration_without_verification.)

    +

    Note that even if this setting is disabled, new accounts can still be created +via the admin API if +registration_shared_secret is set.

    Example configuration:

    enable_registration: true

    enable_registration_without_verification

    Enable registration without email or captcha verification. Note: this option is not recommended, -as registration without verification is a known vector for spam and abuse. Defaults to false. Has no effect -unless enable_registration is also enabled.

    +as registration without verification is a known vector for spam and abuse. Defaults to false. Has no effect +unless enable_registration is also enabled.

    Example configuration:

    enable_registration_without_verification: true
    -

    session_lifetime

    -

    Time that a user's session remains valid for, after they log in.

    -

    Note that this is not currently compatible with guest logins.

    -

    Note also that this is calculated at login time: changes are not applied retrospectively to users who have already -logged in.

    -

    By default, this is infinite.

    -

    Example configuration:

    -
    session_lifetime: 24h
-
    -
    -

    refresh_access_token_lifetime

    -

    Time that an access token remains valid for, if the session is using refresh tokens.

    -

    For more information about refresh tokens, please see the manual.

    -

    Note that this only applies to clients which advertise support for refresh tokens.

    -

    Note also that this is calculated at login time and refresh time: changes are not applied to -existing sessions until they are refreshed.

    -

    By default, this is 5 minutes.

    -

    Example configuration:

    -
    refreshable_access_token_lifetime: 10m
-
    -
    -

    refresh_token_lifetime: 24h

    -

    Time that a refresh token remains valid for (provided that it is not -exchanged for another one first). -This option can be used to automatically log-out inactive sessions. -Please see the manual for more information.

    -

    Note also that this is calculated at login time and refresh time: -changes are not applied to existing sessions until they are refreshed.

    -

    By default, this is infinite.

    -

    Example configuration:

    -
    refresh_token_lifetime: 24h
-
    -
    -

    nonrefreshable_access_token_lifetime

    -

    Time that an access token remains valid for, if the session is NOT -using refresh tokens.

    -

    Please note that not all clients support refresh tokens, so setting -this to a short value may be inconvenient for some users who will -then be logged out frequently.

    -

    Note also that this is calculated at login time: changes are not applied -retrospectively to existing sessions for users that have already logged in.

    -

    By default, this is infinite.

    -

    Example configuration:

    -
    nonrefreshable_access_token_lifetime: 24h
-
    -

    registrations_require_3pid

    -

    If this is set, the user must provide all of the specified types of 3PID when registering.

    +

    If this is set, users must provide all of the specified types of 3PID when registering an account.

    +

    Note that enable_registration must also be set to allow account registration.

    Example configuration:

    registrations_require_3pid:
   - email
@@ -1879,20 +1844,36 @@ flow (overrides registrations_require_3pid if MSISDNs are set as re
 
    registration_requires_token
    
 
    Require users to submit a token during registration.
 Tokens can be managed using the admin API.
-Note that enable_registration must be set to true.
 Disabling this option will not delete any tokens previously generated.
-Defaults to false. Set to true to enable.
    
+Defaults to false. Set to true to enable.
    
+
    Note that enable_registration must also be set to allow account registration.
    
 
    Example configuration:
    
 
    registration_requires_token: true
 
    
 
    
 
    registration_shared_secret
    
-
    If set, allows registration of standard or admin accounts by anyone who
-has the shared secret, even if registration is otherwise disabled.
    
+
    If set, allows registration of standard or admin accounts by anyone who has the
+shared secret, even if enable_registration is not
+set.
    
+
    This is primarily intended for use with the register_new_matrix_user script
+(see Registering a user);
+however, the interface is documented.
    
+
    See also registration_shared_secret_path.
    
 
    Example configuration:
    
 
    registration_shared_secret: <PRIVATE STRING>
 
    
 
    
+
    registration_shared_secret_path
    
+
    An alternative to registration_shared_secret:
+allows the shared secret to be specified in an external file.
    
+
    The file should be a plain text file, containing only the shared secret.
    
+
    If this file does not exist, Synapse will create a new signing
+key on startup and store it in this file.
    
+
    Example configuration:
    
+
    registration_shared_secret_file: /path/to/secrets/file
+
    
+
    Added in Synapse 1.67.0.
    
+
    
 
    bcrypt_rounds
    
 
    Set the number of bcrypt rounds used to generate password hash.
 Larger numbers increase the work factor needed to generate the hash.
@@ -2060,6 +2041,54 @@ raise an error if the registration completes and the username conflicts.
    
 
    inhibit_user_in_use_error: true
 
    
 
    
+
    User session management
    
+
    
+
    session_lifetime
    
+
    Time that a user's session remains valid for, after they log in.
    
+
    Note that this is not currently compatible with guest logins.
    
+
    Note also that this is calculated at login time: changes are not applied retrospectively to users who have already
+logged in.
    
+
    By default, this is infinite.
    
+
    Example configuration:
    
+
    session_lifetime: 24h
+
    
+
    
+
    refresh_access_token_lifetime
    
+
    Time that an access token remains valid for, if the session is using refresh tokens.
    
+
    For more information about refresh tokens, please see the manual.
    
+
    Note that this only applies to clients which advertise support for refresh tokens.
    
+
    Note also that this is calculated at login time and refresh time: changes are not applied to
+existing sessions until they are refreshed.
    
+
    By default, this is 5 minutes.
    
+
    Example configuration:
    
+
    refreshable_access_token_lifetime: 10m
+
    
+
    
+
    refresh_token_lifetime: 24h
    
+
    Time that a refresh token remains valid for (provided that it is not
+exchanged for another one first).
+This option can be used to automatically log-out inactive sessions.
+Please see the manual for more information.
    
+
    Note also that this is calculated at login time and refresh time:
+changes are not applied to existing sessions until they are refreshed.
    
+
    By default, this is infinite.
    
+
    Example configuration:
    
+
    refresh_token_lifetime: 24h
+
    
+
    
+
    nonrefreshable_access_token_lifetime
    
+
    Time that an access token remains valid for, if the session is NOT
+using refresh tokens.
    
+
    Please note that not all clients support refresh tokens, so setting
+this to a short value may be inconvenient for some users who will
+then be logged out frequently.
    
+
    Note also that this is calculated at login time: changes are not applied
+retrospectively to existing sessions for users that have already logged in.
    
+
    By default, this is infinite.
    
+
    Example configuration:
    
+
    nonrefreshable_access_token_lifetime: 24h
+
    
+
    
 
    Metrics
    
 
    Config options related to metrics.
    
 
    
@@ -2117,7 +2146,7 @@ Defaults to https://matrix.org/report-usage-stats/push
    
 
    API Configuration
    
 
    Config settings related to the client/server API
    
 
    
-
    room_prejoin_state:
    
+
    room_prejoin_state
    
 
    Controls for the state that is shared with users who receive an invite
 to a room. By default, the following state event types are shared with users who
 receive invites to the room:
    
@@ -2201,7 +2230,9 @@ forms to work.
    
 
    Config options relating to signing keys
    
 
    
 
    signing_key_path
    
-
    Path to the signing key to sign messages with.
    
+
    Path to the signing key to sign events and federation requests with.
    
+
    New in Synapse 1.67: If this file does not exist, Synapse will create a new signing
+key on startup and store it in this file.
    
 
    Example configuration:
    
 
    signing_key_path: "CONFDIR/SERVERNAME.signing.key"
 
    
@@ -2227,7 +2258,7 @@ are still valid. Defaults to 1d.
    
 
    key_refresh_interval: 2d
 
    
 
    
-
    trusted_key_servers:
    
+
    trusted_key_servers
    
 
    The trusted servers to download signing keys from.
    
 
    When we need to fetch a signing key, each server is tried in parallel.
    
 
    Normally, the connection to the key server is validated via TLS certificates.
@@ -2281,14 +2312,12 @@ defaults to the server signing key.
    
 
    Single sign-on integration
    
 
    The following settings can be used to make Synapse use a single sign-on
 provider for authentication, instead of its internal password database.
    
-
    You will probably also want to set the following options to false to
+
    You will probably also want to set the following options to false to
 disable the regular login/registration flows:
    
 
-
    You will also want to investigate the settings under the "sso" configuration
-section below.
    
 
    
 
    saml2_config
    
 
    Enable SAML2 for registration and login. Uses pysaml2. To learn more about pysaml and
-- 
cgit 1.5.1