authorPatrick Cloke <clokep@users.noreply.github.com>2020-12-04 10:56:28 -0500
committerGitHub <noreply@github.com>2020-12-04 10:56:28 -0500
commit96358cb42410a4be6268eaa3ffec229c550208ea (patch)
tree5edef7ceff55c023747f5084ea4304649b15781d /docs
parentPass room_id to get_auth_chain_difference (#8879) (diff)
downloadsynapse-96358cb42410a4be6268eaa3ffec229c550208ea.tar.xz
Add authentication to replication endpoints. (#8853)
Authentication is done by checking a shared secret provided
in the Synapse configuration file.
Diffstat (limited to 'docs')
-rw-r--r--docs/sample_config.yaml7
-rw-r--r--docs/workers.md6
2 files changed, 12 insertions, 1 deletions
diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
index 6dbccf5932..8712c580c0 100644
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@@ -2589,6 +2589,13 @@ opentracing:
 #
 #run_background_tasks_on: worker1
 
+# A shared secret used by the replication APIs to authenticate HTTP requests
+# from workers.
+#
+# By default this is unused and traffic is not authenticated.
+#
+#worker_replication_secret: ""
+
 
 # Configuration for Redis when using workers. This *must* be enabled when
 # using workers (unless using old style direct TCP configuration).
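Review bot: The comment added for `worker_replication_secret` does not say how to choose the value or what the `""` placeholder means, so it is easy to uncomment the line as-is. Whether an empty string is treated as unset or accepted as a valid secret is not visible in this hunk, so the comment should say so, for example `# An empty value leaves replication traffic unauthenticated; set a long random string, identical for the main process and every worker.` (wording to be confirmed against the config parsing code). The same `""` appears in the docs/workers.md example under "Add a random shared secret", where a non-empty placeholder such as `"<long random string>"` would be harder to deploy by mistake. Because the default stays unauthenticated, the comment could also remind operators to keep the replication listener off untrusted networks.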
diff --git a/docs/workers.md b/docs/workers.md
index c53d1bd2ff..efe97af31a 100644
--- a/docs/workers.md
+++ b/docs/workers.md
@@ -89,7 +89,8 @@ shared configuration file.
 Normally, only a couple of changes are needed to make an existing configuration
 file suitable for use with workers. First, you need to enable an "HTTP replication
 listener" for the main process; and secondly, you need to enable redis-based
-replication. For example:
+replication. Optionally, a shared secret can be used to authenticate HTTP
+traffic between workers. For example:
 
 
 ```yaml
@@ -103,6 +104,9 @@ listeners:
     resources:
      - names: [replication]
 
+# Add a random shared secret to authenticate traffic.
+worker_replication_secret: ""
+
 redis:
     enabled: true
 ```