Merge commit from fork
* Support configuring allow/deny networks * Make the DNS cache aware of the allow/deny networks * Allow all networks in CI * Update GMSL * Add missed file --------- Co-authored-by: Till Faelligen <2353100+S7evinK@users.noreply.github.com>
This commit is contained in:
parent
4fb83354ca
commit
e9cc37ac52
9 changed files with 50 additions and 3 deletions
|
@ -94,6 +94,8 @@ func main() {
|
||||||
dnsCache = fclient.NewDNSCache(
|
dnsCache = fclient.NewDNSCache(
|
||||||
cfg.Global.DNSCache.CacheSize,
|
cfg.Global.DNSCache.CacheSize,
|
||||||
cfg.Global.DNSCache.CacheLifetime,
|
cfg.Global.DNSCache.CacheLifetime,
|
||||||
|
cfg.FederationAPI.AllowNetworkCIDRs,
|
||||||
|
cfg.FederationAPI.DenyNetworkCIDRs,
|
||||||
)
|
)
|
||||||
logrus.Infof(
|
logrus.Infof(
|
||||||
"DNS cache enabled (size %d, lifetime %s)",
|
"DNS cache enabled (size %d, lifetime %s)",
|
||||||
|
|
|
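Review bot: The five-argument fclient.NewDNSCache call is now repeated verbatim in three separate main() functions (this hunk plus the ones headed `@ -70,6 +70,8 @@` and `@ -65,6 +65,8 @@`), so any future option has to be threaded through each binary by hand and one of them is easy to miss. A small helper in the shared setup package, e.g. `func newDNSCache(cfg *config.Dendrite) *fclient.DNSCache`, would keep the allow/deny wiring in one place for all three. The enclosing main() and the condition guarding this assignment are outside the hunk.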
@ -71,6 +71,10 @@ func main() {
|
||||||
cfg.ClientAPI.RateLimiting.Enabled = false
|
cfg.ClientAPI.RateLimiting.Enabled = false
|
||||||
cfg.FederationAPI.DisableTLSValidation = false
|
cfg.FederationAPI.DisableTLSValidation = false
|
||||||
cfg.FederationAPI.DisableHTTPKeepalives = true
|
cfg.FederationAPI.DisableHTTPKeepalives = true
|
||||||
|
// Allow allow networks when running in CI, as otherwise connections
|
||||||
|
// to other servers might be blocked when running Complement/Sytest.
|
||||||
|
cfg.FederationAPI.DenyNetworkCIDRs = []string{}
|
||||||
|
cfg.FederationAPI.AllowNetworkCIDRs = []string{}
|
||||||
// don't hit matrix.org when running tests!!!
|
// don't hit matrix.org when running tests!!!
|
||||||
cfg.FederationAPI.KeyPerspectives = config.KeyPerspectives{}
|
cfg.FederationAPI.KeyPerspectives = config.KeyPerspectives{}
|
||||||
cfg.MediaAPI.BasePath = config.Path(filepath.Join(*dirPath, "media"))
|
cfg.MediaAPI.BasePath = config.Path(filepath.Join(*dirPath, "media"))
|
||||||
|
|
|
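Review bot: The new comment reads `// Allow allow networks when running in CI, as otherwise connections`; it should read `// Allow all networks when running in CI, as otherwise connections`. It would also help to state in the comment that clearing both lists relies on the federation client treating an empty allow list as "no restriction" rather than "nothing allowed" — that semantics lives in gomatrixserverlib, not in this file, so a reader cannot confirm it here. main() continues outside the hunk.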
@ -70,6 +70,8 @@ func main() {
|
||||||
dnsCache = fclient.NewDNSCache(
|
dnsCache = fclient.NewDNSCache(
|
||||||
cfg.Global.DNSCache.CacheSize,
|
cfg.Global.DNSCache.CacheSize,
|
||||||
cfg.Global.DNSCache.CacheLifetime,
|
cfg.Global.DNSCache.CacheLifetime,
|
||||||
|
cfg.FederationAPI.AllowNetworkCIDRs,
|
||||||
|
cfg.FederationAPI.DenyNetworkCIDRs,
|
||||||
)
|
)
|
||||||
logrus.Infof(
|
logrus.Infof(
|
||||||
"DNS cache enabled (size %d, lifetime %s)",
|
"DNS cache enabled (size %d, lifetime %s)",
|
||||||
|
|
|
@ -65,6 +65,8 @@ func main() {
|
||||||
dnsCache = fclient.NewDNSCache(
|
dnsCache = fclient.NewDNSCache(
|
||||||
cfg.Global.DNSCache.CacheSize,
|
cfg.Global.DNSCache.CacheSize,
|
||||||
cfg.Global.DNSCache.CacheLifetime,
|
cfg.Global.DNSCache.CacheLifetime,
|
||||||
|
cfg.FederationAPI.AllowNetworkCIDRs,
|
||||||
|
cfg.FederationAPI.DenyNetworkCIDRs,
|
||||||
)
|
)
|
||||||
logrus.Infof(
|
logrus.Infof(
|
||||||
"DNS cache enabled (size %d, lifetime %s)",
|
"DNS cache enabled (size %d, lifetime %s)",
|
||||||
|
|
|
@ -254,6 +254,24 @@ federation_api:
|
||||||
# last resort.
|
# last resort.
|
||||||
prefer_direct_fetch: false
|
prefer_direct_fetch: false
|
||||||
|
|
||||||
|
# deny_networks and allow_networks are the CIDR ranges used to prevent requests
|
||||||
|
# from accessing private IPs. If your system has specific IPs it should never
|
||||||
|
# contact, add them here with CIDR notation.
|
||||||
|
#
|
||||||
|
# The deny list is checked before the allow list.
|
||||||
|
deny_networks:
|
||||||
|
- "127.0.0.1/8"
|
||||||
|
- "10.0.0.0/8"
|
||||||
|
- "172.16.0.0/12"
|
||||||
|
- "192.168.0.0/16"
|
||||||
|
- "100.64.0.0/10"
|
||||||
|
- "169.254.0.0/16"
|
||||||
|
- "::1/128"
|
||||||
|
- "fe80::/64"
|
||||||
|
- "fc00::/7"
|
||||||
|
allow_networks:
|
||||||
|
- "0.0.0.0/0" # "Everything". The deny list will help limit this.
|
||||||
|
|
||||||
# Configuration for the Media API.
|
# Configuration for the Media API.
|
||||||
media_api:
|
media_api:
|
||||||
# Storage path for uploaded media. May be relative or absolute.
|
# Storage path for uploaded media. May be relative or absolute.
|
||||||
|
|
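Review bot: `allow_networks` lists only `0.0.0.0/0`, which contains no IPv6 address; if the allow list is enforced as an inclusion test (which the wording "the deny list is checked before the allow list" suggests), IPv6-only federation peers would be refused, so `- "::/0"` should sit beside it. `"127.0.0.1/8"` has host bits set and reads as a typo for `"127.0.0.0/8"` — Go's net.ParseCIDR normalizes it, but whether the library rejects or silently widens it should be checked rather than assumed. `"fe80::/64"` covers only the first subnet of the IPv6 link-local block, which is `fe80::/10`. The same entries are repeated in the Defaults hunk headed `@ -53,6 +57,20 @@` and should be corrected there too. IPv4-mapped IPv6 addresses (`::ffff:0:0/96`) are a further range a deny list of this kind usually carries unless the checker is known to unwrap them before matching.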
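--- a/go.mod
+++ b/go.mod
@@ -25,7 +25,7 @@ require (
 github.com/matrix-org/dugong v0.0.0-20210921133753-66e6b1c67e2e
 github.com/matrix-org/go-sqlite3-js v0.0.0-20220419092513-28aa791a1c91
 github.com/matrix-org/gomatrix v0.0.0-20220926102614-ceba4d9f7530
-github.com/matrix-org/gomatrixserverlib v0.0.0-20241215094829-e86ab16eabe8
+github.com/matrix-org/gomatrixserverlib v0.0.0-20250116181547-c4f1e01eab0d
 github.com/matrix-org/pinecone v0.11.1-0.20230810010612-ea4c33717fd7
 github.com/matrix-org/util v0.0.0-20221111132719-399730281e66
 github.com/mattn/go-sqlite3 v1.14.24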
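--- a/go.sum
+++ b/go.sum
@@ -232,8 +232,8 @@ github.com/matrix-org/go-sqlite3-js v0.0.0-20220419092513-28aa791a1c91 h1:s7fexw
 github.com/matrix-org/go-sqlite3-js v0.0.0-20220419092513-28aa791a1c91/go.mod h1:e+cg2q7C7yE5QnAXgzo512tgFh1RbQLC0+jozuegKgo=
 github.com/matrix-org/gomatrix v0.0.0-20220926102614-ceba4d9f7530 h1:kHKxCOLcHH8r4Fzarl4+Y3K5hjothkVW5z7T1dUM11U=
 github.com/matrix-org/gomatrix v0.0.0-20220926102614-ceba4d9f7530/go.mod h1:/gBX06Kw0exX1HrwmoBibFA98yBk/jxKpGVeyQbff+s=
-github.com/matrix-org/gomatrixserverlib v0.0.0-20241215094829-e86ab16eabe8 h1:nC998SaawQwbZ16/V70Pil3pY3rSQwTaeLOpHWp7ZTo=
-github.com/matrix-org/gomatrixserverlib v0.0.0-20241215094829-e86ab16eabe8/go.mod h1:qil34SWn6VB6gO5312rzziCUcZtgROPjrLE+4ly/0os=
+github.com/matrix-org/gomatrixserverlib v0.0.0-20250116181547-c4f1e01eab0d h1:c3Dkci0GDH/6cGGt8zGIiJMP+UOdtX0DPY6dxiJvtZM=
+github.com/matrix-org/gomatrixserverlib v0.0.0-20250116181547-c4f1e01eab0d/go.mod h1:qil34SWn6VB6gO5312rzziCUcZtgROPjrLE+4ly/0os=
 github.com/matrix-org/pinecone v0.11.1-0.20230810010612-ea4c33717fd7 h1:6t8kJr8i1/1I5nNttw6nn1ryQJgzVlBmSGgPiiaTdw4=
 github.com/matrix-org/pinecone v0.11.1-0.20230810010612-ea4c33717fd7/go.mod h1:ReWMS/LoVnOiRAdq9sNUC2NZnd1mZkMNB52QhpTRWjg=
 github.com/matrix-org/util v0.0.0-20221111132719-399730281e66 h1:6z4KxomXSIGWqhHcfzExgkH3Z3UkIXry4ibJS4Aqz2Y=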
|
|
@ -82,6 +82,7 @@ func CreateFederationClient(cfg *config.Dendrite, dnsCache *fclient.DNSCache) fc
|
||||||
fclient.WithSkipVerify(cfg.FederationAPI.DisableTLSValidation),
|
fclient.WithSkipVerify(cfg.FederationAPI.DisableTLSValidation),
|
||||||
fclient.WithKeepAlives(!cfg.FederationAPI.DisableHTTPKeepalives),
|
fclient.WithKeepAlives(!cfg.FederationAPI.DisableHTTPKeepalives),
|
||||||
fclient.WithUserAgent(fmt.Sprintf("Dendrite/%s", internal.VersionString())),
|
fclient.WithUserAgent(fmt.Sprintf("Dendrite/%s", internal.VersionString())),
|
||||||
|
fclient.WithAllowDenyNetworks(cfg.FederationAPI.AllowNetworkCIDRs, cfg.FederationAPI.DenyNetworkCIDRs),
|
||||||
}
|
}
|
||||||
if cfg.Global.DNSCache.Enabled {
|
if cfg.Global.DNSCache.Enabled {
|
||||||
opts = append(opts, fclient.WithDNSCache(dnsCache))
|
opts = append(opts, fclient.WithDNSCache(dnsCache))
|
||||||
|
|
|
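Review bot: `fclient.WithAllowDenyNetworks(...)` is added only to the federation client's option list, so any other outbound fclient.Client constructed elsewhere in this file or package (a non-federation client used for media or URL-preview fetches, if one exists) still dials with no network restriction, and those are the paths more likely to carry user-supplied URLs. Any such constructor should receive the same option so the deny list is enforced uniformly. The signature of CreateFederationClient and the start of the opts literal are outside the hunk.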
@ -46,6 +46,10 @@ type FederationAPI struct {
|
||||||
|
|
||||||
// Should we prefer direct key fetches over perspective ones?
|
// Should we prefer direct key fetches over perspective ones?
|
||||||
PreferDirectFetch bool `yaml:"prefer_direct_fetch"`
|
PreferDirectFetch bool `yaml:"prefer_direct_fetch"`
|
||||||
|
|
||||||
|
// Deny/Allow lists used for restricting request scopes.
|
||||||
|
DenyNetworkCIDRs []string `yaml:"deny_networks"`
|
||||||
|
AllowNetworkCIDRs []string `yaml:"allow_networks"`
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *FederationAPI) Defaults(opts DefaultOpts) {
|
func (c *FederationAPI) Defaults(opts DefaultOpts) {
|
||||||
|
@ -53,6 +57,20 @@ func (c *FederationAPI) Defaults(opts DefaultOpts) {
|
||||||
c.P2PFederationRetriesUntilAssumedOffline = 1
|
c.P2PFederationRetriesUntilAssumedOffline = 1
|
||||||
c.DisableTLSValidation = false
|
c.DisableTLSValidation = false
|
||||||
c.DisableHTTPKeepalives = false
|
c.DisableHTTPKeepalives = false
|
||||||
|
c.DenyNetworkCIDRs = []string{
|
||||||
|
"127.0.0.1/8",
|
||||||
|
"10.0.0.0/8",
|
||||||
|
"172.16.0.0/12",
|
||||||
|
"192.168.0.0/16",
|
||||||
|
"100.64.0.0/10",
|
||||||
|
"169.254.0.0/16",
|
||||||
|
"::1/128",
|
||||||
|
"fe80::/64",
|
||||||
|
"fc00::/7",
|
||||||
|
}
|
||||||
|
c.AllowNetworkCIDRs = []string{
|
||||||
|
"0.0.0.0/0",
|
||||||
|
}
|
||||||
if opts.Generate {
|
if opts.Generate {
|
||||||
c.KeyPerspectives = KeyPerspectives{
|
c.KeyPerspectives = KeyPerspectives{
|
||||||
{
|
{
|
||||||
|
|
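Review bot: The comment `// Deny/Allow lists used for restricting request scopes.` does not tell an operator what the fields take or how they interact; a doc comment such as `// DenyNetworkCIDRs and AllowNetworkCIDRs are CIDR ranges the federation client must not, or may, dial; the deny list is checked first.` would match the wording already used in the sample config. Nothing in the struct hunk parses these strings at load time, so a malformed entry is presumably reported only by the federation client when it is first used — if this type has a Verify step, running each entry through net.ParseCIDR there would surface a typo at startup instead. The body of Defaults in the second hunk continues past the end of the hunk.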