-
-
Notifications
You must be signed in to change notification settings - Fork 2.1k
The interaction between url_preview_ip_range_blacklist
and outbound HTTP proxies is confusing
#9812
Comments
We should also ensure that |
It does not! synapse/docs/sample_config.yaml Lines 174 to 186 in 0481923
|
I don't think these are quite accurate, are they? IIRC they are applied to the connection to the proxy. If we say that they are ignored, that is also confusing. |
They are not. See #9084. |
oh! sorry! |
Per issue #9812 using `url_preview_ip_range_blacklist` with a proxy via `HTTPS_PROXY` or `HTTP_PROXY` environment variables has some inconsistent bahavior than mentioned. This PR changes the following: - Changes the Sample Config file to include a note mentioning that `url_preview_ip_range_blacklist` and `ip_range_blacklist` is ignored when using a proxy - Changes some logic in synapse/config/repository.py to send a warning when both `*ip_range_blacklist` configs and a proxy environment variable are set and but no longer throws an error. Signed-off-by: Kento Okamoto <[email protected]>
Can this be closed now that #10129 was merged? |
I think so - thanks! |
Context: #9417 (comment)
The Synapse config option
url_preview_ip_range_blacklist
is intended to restrict access to previewing certain URLs based on their resolved IP address. However, when using a proxy with Synapse (via theHTTP_PROXY
andHTTPS_PROXY
environment variables), url preview requests are forwarded to the proxy, which then resolves the IP address of the URL. This completely bypasses any IP ranges set in theurl_preview_ip_range_blacklist
option.Ideally we'd do a couple things that would help reduce confusion for sysadmins:
url_preview_ip_range_blacklist
is ignored when using an HTTP proxy, as resolving URLs to preview is done by the proxy.url_preview_ip_range_blacklist
if URL previews are enabled. We shouldn't requireurl_preview_ip_range_blacklist
to be set when using a proxy, and we should log a warning whenurl_preview_ip_range_blacklist
is set and a proxy is in use so that the sysadmin isn't under the wrong impression regarding security of the system.To be clear, if you're using a proxy for URL previews, you should do your ip blacklisting in the proxy config. Also note that
url_preview_url_blacklist
is still enforced whether a proxy is in use or not.The text was updated successfully, but these errors were encountered: