
Infer no_tls from presence of TLS listeners
Rather than have to specify `no_tls` explicitly, infer whether we need to load
the TLS keys etc from whether we have any TLS-enabled listeners.
richvdh committed Feb 11, 2019
1 parent 15272f8 commit 4fddf8f
Showing 10 changed files with 27 additions and 20 deletions.
1 change: 1 addition & 0 deletions changelog.d/4613.feature
@@ -0,0 +1 @@
There is no longer any need to specify `no_tls`: it is inferred from the absence of TLS listeners
1 change: 1 addition & 0 deletions changelog.d/4615.feature
@@ -0,0 +1 @@
There is no longer any need to specify `no_tls`: it is inferred from the absence of TLS listeners
1 change: 0 additions & 1 deletion changelog.d/4615.misc

This file was deleted.

1 change: 1 addition & 0 deletions changelog.d/4617.feature
@@ -0,0 +1 @@
There is no longer any need to specify `no_tls`: it is inferred from the absence of TLS listeners
1 change: 0 additions & 1 deletion changelog.d/4617.misc

This file was deleted.

2 changes: 1 addition & 1 deletion synapse/app/_base.py
Expand Up @@ -215,7 +215,7 @@ def refresh_certificate(hs):
"""
hs.config.read_certificate_from_disk()

if hs.config.no_tls:
if not hs.config.has_tls_listener():
# nothing else to do here
return

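Review bot: The new `has_tls_listener()` guard sits after `hs.config.read_certificate_from_disk()`, so a deployment with no TLS listeners still performs the certificate read before bailing out. If `read_certificate_from_disk` (not in this hunk) raises when the certificate file is absent, the no-TLS case the commit is meant to support would still fail here; either move the check above the read or make the read tolerate a missing certificate when no listener needs it, e.g. `if not hs.config.has_tls_listener(): return` placed before the read. This is an inference from the call order visible here; confirm against `TlsConfig.read_certificate_from_disk`. `refresh_certificate` begins and continues outside the hunk.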
5 changes: 0 additions & 5 deletions synapse/app/homeserver.py
Expand Up @@ -90,11 +90,6 @@ def _listener_http(self, config, listener_config):
tls = listener_config.get("tls", False)
site_tag = listener_config.get("tag", port)

if tls and config.no_tls:
raise ConfigError(
"Listener on port %i has TLS enabled, but no_tls is set" % (port,),
)

resources = {}
for res in listener_config["resources"]:
for name in res["names"]:
2 changes: 1 addition & 1 deletion synapse/config/homeserver.py
Expand Up @@ -42,7 +42,7 @@
from .workers import WorkerConfig


class HomeServerConfig(TlsConfig, ServerConfig, DatabaseConfig, LoggingConfig,
class HomeServerConfig(ServerConfig, TlsConfig, DatabaseConfig, LoggingConfig,
RatelimitConfig, ContentRepositoryConfig, CaptchaConfig,
VoipConfig, RegistrationConfig, MetricsConfig, ApiConfig,
AppServiceConfig, KeyConfig, SAML2Config, CasConfig,
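Review bot: The base-class reorder introduces an ordering dependency that nothing in the file records: putting `ServerConfig` ahead of `TlsConfig` presumably exists so that `TlsConfig.read_config` (not in this hunk) can consult the listener list and `has_tls_listener()` that `ServerConfig.read_config` builds. A future alphabetical or cosmetic reorder would silently break that. Add a comment immediately above the class line, e.g. `# ServerConfig must precede TlsConfig in the MRO: TlsConfig.read_config depends on the listener list built by ServerConfig.read_config.` The class definition continues past the end of this section.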
23 changes: 20 additions & 3 deletions synapse/config/server.py
Expand Up @@ -126,14 +126,22 @@ def read_config(self, config):
self.public_baseurl += '/'
self.start_pushers = config.get("start_pushers", True)

self.listeners = config.get("listeners", [])

for listener in self.listeners:
self.listeners = []
for listener in config.get("listeners", []):
if not isinstance(listener.get("port", None), int):
raise ConfigError(
"Listener configuration is lacking a valid 'port' option"
)

if listener.setdefault("tls", False):
# no_tls is not really supported any more, but let's grandfather it in
# here.
if config.get("no_tls", False):
logger.info(
"Ignoring TLS-enabled listener on port %i due to no_tls"
)
continue

bind_address = listener.pop("bind_address", None)
bind_addresses = listener.setdefault("bind_addresses", [])

Expand All @@ -145,13 +153,18 @@ def read_config(self, config):
if not bind_addresses:
bind_addresses.extend(DEFAULT_BIND_ADDRESSES)

self.listeners.append(listener)

if not self.web_client_location:
_warn_if_webclient_configured(self.listeners)

self.gc_thresholds = read_gc_thresholds(config.get("gc_thresholds", None))

bind_port = config.get("bind_port")
if bind_port:
if config.get("no_tls", False):
raise ConfigError("no_tls is incompatible with bind_port")

self.listeners = []
bind_host = config.get("bind_host", "")
gzip_responses = config.get("gzip_responses", True)
Expand Down Expand Up @@ -198,6 +211,7 @@ def read_config(self, config):
"port": manhole,
"bind_addresses": ["127.0.0.1"],
"type": "manhole",
"tls": False,
})

metrics_port = config.get("metrics_port")
Expand All @@ -223,6 +237,9 @@ def read_config(self, config):

_check_resource_config(self.listeners)

def has_tls_listener(self):
return any(l["tls"] for l in self.listeners)

def default_config(self, server_name, data_dir_path, **kwargs):
_, bind_port = parse_and_validate_server_name(server_name)
if bind_port is not None:
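Review bot: The `logger.info` call in the `no_tls` grandfathering branch has a `%i` placeholder but passes no argument, so the message is never rendered: logging catches the formatting `TypeError` and prints a "Logging error" traceback instead of the intended line. The branch also discards a listener the operator explicitly configured, which until this commit was a hard `ConfigError` in `homeserver.py`, so it deserves more than INFO: `logger.warning("Ignoring TLS-enabled listener on port %i due to no_tls", listener["port"])` (the port has already been validated as an int a few lines above). Separately, `has_tls_listener` indexes `l["tls"]`; the config-file loop guarantees the key via `setdefault` and the manhole entry now sets it explicitly, but the listeners rebuilt on the legacy `bind_port` path after `self.listeners = []` are outside the hunk — if any of them lack the key, `any(l.get("tls", False) for l in self.listeners)` is the safer form. `read_config` continues past the end of this section.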
10 changes: 2 additions & 8 deletions synapse/config/tls.py
Expand Up @@ -51,7 +51,6 @@ def read_config(self, config):
self._original_tls_fingerprints = []

self.tls_fingerprints = list(self._original_tls_fingerprints)
self.no_tls = config.get("no_tls", False)

# This config option applies to non-federation HTTP clients
# (e.g. for talking to recaptcha, identity servers, and such)
Expand Down Expand Up @@ -141,6 +140,8 @@ def default_config(self, config_dir_path, server_name, **kwargs):

return (
"""\
## TLS ##
# PEM-encoded X509 certificate for TLS.
# This certificate, as of Synapse 1.0, will need to be a valid and verifiable
# certificate, signed by a recognised Certificate Authority.
Expand Down Expand Up @@ -201,13 +202,6 @@ def default_config(self, config_dir_path, server_name, **kwargs):
#
# reprovision_threshold: 30
# If your server runs behind a reverse-proxy which terminates TLS connections
# (for both client and federation connections), it may be useful to disable
# All TLS support for incoming connections. Setting no_tls to True will
# do so (and avoid the need to give synapse a TLS private key).
#
# no_tls: True
# List of allowed TLS fingerprints for this server to publish along
# with the signing keys for this server. Other matrix servers that
# make HTTPS requests to this server will check that the TLS
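Review bot: Deleting the `no_tls` paragraph from the sample config removes the only guidance that told reverse-proxy operators how to run Synapse without handing it a TLS private key; with the new inference that advice still applies but is now stated nowhere in the generated config. Suggest keeping a reworded comment in the same place, e.g. `# If your server runs behind a reverse proxy which terminates TLS (for both client and federation connections), simply configure no TLS-enabled listeners: Synapse will then not require a TLS private key.` That the key is skipped entirely follows from the commit description rather than from this hunk, so confirm the wording against `TlsConfig.read_config`. `default_config` continues outside the hunk.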
