summary refs log tree commit diff
path: root/synapse/config
diff options
context:
space:
mode:
authorMatthew Hodgson <matthew@arasphere.net>2018-01-22 19:11:18 +0100
committerGitHub <noreply@github.com>2018-01-22 19:11:18 +0100
commitab9f844aaf3662a64dbc4c56077e9fa37bc7d5d0 (patch)
treedf5417cbd46f5c9a386d4d762f83b06d58afda17 /synapse/config
parentMerge pull request #2813 from matrix-org/matthew/registrations_require_3pid (diff)
downloadsynapse-ab9f844aaf3662a64dbc4c56077e9fa37bc7d5d0.tar.xz
Add federation_domain_whitelist option (#2820)
Add federation_domain_whitelist

gives a way to restrict which domains your HS is allowed to federate with.
useful mainly for gracefully preventing a private but internet-connected HS from trying to federate to the wider public Matrix network
Diffstat (limited to 'synapse/config')
-rw-r--r--synapse/config/server.py22
1 files changed, 22 insertions, 0 deletions
diff --git a/synapse/config/server.py b/synapse/config/server.py
index 436dd8a6fe..8f0b6d1f28 100644
--- a/synapse/config/server.py
+++ b/synapse/config/server.py
@@ -55,6 +55,17 @@ class ServerConfig(Config):
             "block_non_admin_invites", False,
         )
 
+        # FIXME: federation_domain_whitelist needs sytests
+        self.federation_domain_whitelist = None
+        federation_domain_whitelist = config.get(
+            "federation_domain_whitelist", None
+        )
+        # turn the whitelist into a hash for speed of lookup
+        if federation_domain_whitelist is not None:
+            self.federation_domain_whitelist = {}
+            for domain in federation_domain_whitelist:
+                self.federation_domain_whitelist[domain] = True
+
         if self.public_baseurl is not None:
             if self.public_baseurl[-1] != '/':
                 self.public_baseurl += '/'
@@ -210,6 +221,17 @@ class ServerConfig(Config):
         # (except those sent by local server admins). The default is False.
         # block_non_admin_invites: True
 
+        # Restrict federation to the following whitelist of domains.
+        # N.B. we recommend also firewalling your federation listener to limit
+        # inbound federation traffic as early as possible, rather than relying
+        # purely on this application-layer restriction.  If not specified, the
+        # default is to whitelist everything.
+        #
+        # federation_domain_whitelist:
+        #  - lon.example.com
+        #  - nyc.example.com
+        #  - syd.example.com
+
         # List of ports that Synapse should listen on, their purpose and their
         # configuration.
         listeners: