Clarify documentation about replication traffic. (#13656)

It can be authenticated with the worker_replication_secret setting, but is always unencrypted.
author: Patrick Cloke <clokep@users.noreply.github.com> 2022-08-30 08:21:19 -0400
committer: GitHub <noreply@github.com> 2022-08-30 12:21:19 +0000
commit: e761e8b475e26341d6d26ecc1499233c5f57c7ec (patch)
tree: e89cfa62b6cd2d8d95e0e4dcce6e4470fe35a49a
parent: Fix bug where we wedge media plugins if clients disconnect early (#13660) (diff)
download: synapse-e761e8b475e26341d6d26ecc1499233c5f57c7ec.tar.xz
2 files changed, 5 insertions, 1 deletions
diff --git a/changelog.d/13656.doc b/changelog.d/13656.doc
new file mode 100644
index 0000000000..61013a0daf
--- /dev/null
+++ b/changelog.d/13656.doc
@@ -0,0 +1 @@
+Clarify documentation that HTTP replication traffic can be protected with a shared secret.
diff --git a/docs/workers.md b/docs/workers.md
index 6969c424d8..dce584972d 100644
--- a/docs/workers.md
+++ b/docs/workers.md
@@ -120,7 +120,10 @@ redis:
 See the sample config for the full documentation of each option.
 
 Under **no circumstances** should the replication listener be exposed to the
-public internet; it has no authentication and is unencrypted.
+public internet; replication traffic is:
+
+* always unencrypted
+* unauthenticated, unless `worker_replication_secret` is configured
 
 
 ### Worker configuration
author	Patrick Cloke <clokep@users.noreply.github.com>	2022-08-30 08:21:19 -0400
committer	GitHub <noreply@github.com>	2022-08-30 12:21:19 +0000
commit	e761e8b475e26341d6d26ecc1499233c5f57c7ec (patch)
tree	e89cfa62b6cd2d8d95e0e4dcce6e4470fe35a49a
parent	Fix bug where we wedge media plugins if clients disconnect early (#13660) (diff)
download	synapse-e761e8b475e26341d6d26ecc1499233c5f57c7ec.tar.xz