diff --git a/cmd/dendrite/main.go b/cmd/dendrite/main.go index da43432f..5badbda2 100644 --- a/cmd/dendrite/main.go +++ b/cmd/dendrite/main.go @@ -94,6 +94,8 @@ func main() { dnsCache = fclient.NewDNSCache( cfg.Global.DNSCache.CacheSize, cfg.Global.DNSCache.CacheLifetime, + cfg.FederationAPI.AllowNetworkCIDRs, + cfg.FederationAPI.DenyNetworkCIDRs, ) logrus.Infof( "DNS cache enabled (size %d, lifetime %s)", diff --git a/cmd/generate-config/main.go b/cmd/generate-config/main.go index c6399ec5..63e1dde7 100644 --- a/cmd/generate-config/main.go +++ b/cmd/generate-config/main.go @@ -71,6 +71,10 @@ func main() { cfg.ClientAPI.RateLimiting.Enabled = false cfg.FederationAPI.DisableTLSValidation = false cfg.FederationAPI.DisableHTTPKeepalives = true + // Allow allow networks when running in CI, as otherwise connections + // to other servers might be blocked when running Complement/Sytest. + cfg.FederationAPI.DenyNetworkCIDRs = []string{} + cfg.FederationAPI.AllowNetworkCIDRs = []string{} // don't hit matrix.org when running tests!!! cfg.FederationAPI.KeyPerspectives = config.KeyPerspectives{} cfg.MediaAPI.BasePath = config.Path(filepath.Join(*dirPath, "media")) diff --git a/contrib/dendrite-demo-i2p/main.go b/contrib/dendrite-demo-i2p/main.go index 27f69acb..139edacc 100644 --- a/contrib/dendrite-demo-i2p/main.go +++ b/contrib/dendrite-demo-i2p/main.go @@ -70,6 +70,8 @@ func main() { dnsCache = fclient.NewDNSCache( cfg.Global.DNSCache.CacheSize, cfg.Global.DNSCache.CacheLifetime, + cfg.FederationAPI.AllowNetworkCIDRs, + cfg.FederationAPI.DenyNetworkCIDRs, ) logrus.Infof( "DNS cache enabled (size %d, lifetime %s)", diff --git a/contrib/dendrite-demo-tor/main.go b/contrib/dendrite-demo-tor/main.go index 132b557f..ab32e1db 100644 --- a/contrib/dendrite-demo-tor/main.go +++ b/contrib/dendrite-demo-tor/main.go @@ -65,6 +65,8 @@ func main() { dnsCache = fclient.NewDNSCache( cfg.Global.DNSCache.CacheSize, cfg.Global.DNSCache.CacheLifetime, + cfg.FederationAPI.AllowNetworkCIDRs, + cfg.FederationAPI.DenyNetworkCIDRs, ) logrus.Infof( "DNS cache enabled (size %d, lifetime %s)", diff --git a/dendrite-sample.yaml b/dendrite-sample.yaml index 0ee381f0..2afdc33f 100644 --- a/dendrite-sample.yaml +++ b/dendrite-sample.yaml @@ -254,6 +254,24 @@ federation_api: # last resort. prefer_direct_fetch: false + # deny_networks and allow_networks are the CIDR ranges used to prevent requests + # from accessing private IPs. If your system has specific IPs it should never + # contact, add them here with CIDR notation. + # + # The deny list is checked before the allow list. + deny_networks: + - "127.0.0.1/8" + - "10.0.0.0/8" + - "172.16.0.0/12" + - "192.168.0.0/16" + - "100.64.0.0/10" + - "169.254.0.0/16" + - "::1/128" + - "fe80::/64" + - "fc00::/7" + allow_networks: + - "0.0.0.0/0" # "Everything". The deny list will help limit this. + # Configuration for the Media API. media_api: # Storage path for uploaded media. May be relative or absolute. diff --git a/go.mod b/go.mod index 04453125..36463adb 100644 --- a/go.mod +++ b/go.mod @@ -25,7 +25,7 @@ require ( github.com/matrix-org/dugong v0.0.0-20210921133753-66e6b1c67e2e github.com/matrix-org/go-sqlite3-js v0.0.0-20220419092513-28aa791a1c91 github.com/matrix-org/gomatrix v0.0.0-20220926102614-ceba4d9f7530 - github.com/matrix-org/gomatrixserverlib v0.0.0-20241215094829-e86ab16eabe8 + github.com/matrix-org/gomatrixserverlib v0.0.0-20250116181547-c4f1e01eab0d github.com/matrix-org/pinecone v0.11.1-0.20230810010612-ea4c33717fd7 github.com/matrix-org/util v0.0.0-20221111132719-399730281e66 github.com/mattn/go-sqlite3 v1.14.24 diff --git a/go.sum b/go.sum index ff0bbeb3..5d2612d3 100644 --- a/go.sum +++ b/go.sum @@ -232,8 +232,8 @@ github.com/matrix-org/go-sqlite3-js v0.0.0-20220419092513-28aa791a1c91 h1:s7fexw github.com/matrix-org/go-sqlite3-js v0.0.0-20220419092513-28aa791a1c91/go.mod h1:e+cg2q7C7yE5QnAXgzo512tgFh1RbQLC0+jozuegKgo= github.com/matrix-org/gomatrix v0.0.0-20220926102614-ceba4d9f7530 h1:kHKxCOLcHH8r4Fzarl4+Y3K5hjothkVW5z7T1dUM11U= github.com/matrix-org/gomatrix v0.0.0-20220926102614-ceba4d9f7530/go.mod h1:/gBX06Kw0exX1HrwmoBibFA98yBk/jxKpGVeyQbff+s= -github.com/matrix-org/gomatrixserverlib v0.0.0-20241215094829-e86ab16eabe8 h1:nC998SaawQwbZ16/V70Pil3pY3rSQwTaeLOpHWp7ZTo= -github.com/matrix-org/gomatrixserverlib v0.0.0-20241215094829-e86ab16eabe8/go.mod h1:qil34SWn6VB6gO5312rzziCUcZtgROPjrLE+4ly/0os= +github.com/matrix-org/gomatrixserverlib v0.0.0-20250116181547-c4f1e01eab0d h1:c3Dkci0GDH/6cGGt8zGIiJMP+UOdtX0DPY6dxiJvtZM= +github.com/matrix-org/gomatrixserverlib v0.0.0-20250116181547-c4f1e01eab0d/go.mod h1:qil34SWn6VB6gO5312rzziCUcZtgROPjrLE+4ly/0os= github.com/matrix-org/pinecone v0.11.1-0.20230810010612-ea4c33717fd7 h1:6t8kJr8i1/1I5nNttw6nn1ryQJgzVlBmSGgPiiaTdw4= github.com/matrix-org/pinecone v0.11.1-0.20230810010612-ea4c33717fd7/go.mod h1:ReWMS/LoVnOiRAdq9sNUC2NZnd1mZkMNB52QhpTRWjg= github.com/matrix-org/util v0.0.0-20221111132719-399730281e66 h1:6z4KxomXSIGWqhHcfzExgkH3Z3UkIXry4ibJS4Aqz2Y= diff --git a/setup/base/base.go b/setup/base/base.go index 359a6816..ffc2be37 100644 --- a/setup/base/base.go +++ b/setup/base/base.go @@ -82,6 +82,7 @@ func CreateFederationClient(cfg *config.Dendrite, dnsCache *fclient.DNSCache) fc fclient.WithSkipVerify(cfg.FederationAPI.DisableTLSValidation), fclient.WithKeepAlives(!cfg.FederationAPI.DisableHTTPKeepalives), fclient.WithUserAgent(fmt.Sprintf("Dendrite/%s", internal.VersionString())), + fclient.WithAllowDenyNetworks(cfg.FederationAPI.AllowNetworkCIDRs, cfg.FederationAPI.DenyNetworkCIDRs), } if cfg.Global.DNSCache.Enabled { opts = append(opts, fclient.WithDNSCache(dnsCache)) diff --git a/setup/config/config_federationapi.go b/setup/config/config_federationapi.go index 073c46e0..ed417a74 100644 --- a/setup/config/config_federationapi.go +++ b/setup/config/config_federationapi.go @@ -46,6 +46,10 @@ type FederationAPI struct { // Should we prefer direct key fetches over perspective ones? PreferDirectFetch bool `yaml:"prefer_direct_fetch"` + + // Deny/Allow lists used for restricting request scopes. + DenyNetworkCIDRs []string `yaml:"deny_networks"` + AllowNetworkCIDRs []string `yaml:"allow_networks"` } func (c *FederationAPI) Defaults(opts DefaultOpts) { @@ -53,6 +57,20 @@ func (c *FederationAPI) Defaults(opts DefaultOpts) { c.P2PFederationRetriesUntilAssumedOffline = 1 c.DisableTLSValidation = false c.DisableHTTPKeepalives = false + c.DenyNetworkCIDRs = []string{ + "127.0.0.1/8", + "10.0.0.0/8", + "172.16.0.0/12", + "192.168.0.0/16", + "100.64.0.0/10", + "169.254.0.0/16", + "::1/128", + "fe80::/64", + "fc00::/7", + } + c.AllowNetworkCIDRs = []string{ + "0.0.0.0/0", + } if opts.Generate { c.KeyPerspectives = KeyPerspectives{ {