Automatically enable openid listeners when ma1sd enabled
ma1sd requires the openid endpoints for certain functionality.
Example: 90b2b5301c/src/main/java/io/kamax/mxisd/auth/AccountManager.java (L67-L99)
If federation is disabled, we still need to expose these openid APIs on the
federation port.
Previously, we were doing similar magic for Dimension.
As per its documentation, when running unfederated, one is to enable
the openid listener as well. As per their recommendation, people
are advised to enable it on the Client-Server API port
and use the `federationUrl` variable to override where the federation
port is (making federation requests go to the Client-Server API).
Because ma1sd always uses the federation port (unless you do some
DNS overwriting magic using its configuration -- which we'd rather not
do), it's better if we just default to putting the `openid` listener
where it belongs - on the federation port.
With this commit, we retain the "automatically enable openid APIs" thing
we've been doing for Dimension, but move it to the federation port instead.
We also now do the same thing when ma1sd is enabled.
@ -136,6 +136,11 @@ matrix_synapse_tls_private_key_path: "/data/{{ matrix_server_fqn_matrix }}.tls.k
# names.
matrix_synapse_http_listener_resource_names: ["client"]

# Resources served on Synapse's federation port.
# When disabling federation, we may wish to serve the `openid` resource here,
# so that services like Dimension and ma1sd can work.
matrix_synapse_federation_listener_resource_names: "{{ ['federation'] if matrix_synapse_federation_enabled else (['openid'] if matrix_synapse_federation_port_openid_resource_required else []) }}"

# Enable this to allow Synapse to report utilization statistics about your server to matrix.org
# (things like number of users, number of messages sent, uptime, load, etc.)
matrix_synapse_report_stats: false
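Review bot: the default for `matrix_synapse_federation_listener_resource_names` yields `['federation']` whenever federation is enabled, so `openid` is never listed explicitly even when `matrix_synapse_federation_port_openid_resource_required` is true; if that is intentional because the `federation` resource already covers the openid endpoints, state it in the comment above the variable, otherwise the first branch needs to become `['federation', 'openid']` when the openid flag is set. The expression also references `matrix_synapse_federation_port_openid_resource_required` before that variable is defined further down in the same defaults file, which works with Ansible's lazy templating but deserves a pointer in the comment so a reader does not go looking for it elsewhere.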
@ -211,10 +216,25 @@ matrix_synapse_caches_global_factor: 0.5

# Controls whether Synapse will federate at all.
# Disable this to completely isolate your server from the rest of the Matrix network.
# Also see: `matrix_synapse_tls_federation_listener_enabled` if you wish to keep federation enabled,
#
# Disabling this still keeps the federation port exposed, because it may be used for other services (`openid`).
#
# Also see:
# - `matrix_synapse_tls_federation_listener_enabled` if you wish to keep federation enabled,
# but want to stop the TLS listener (port 8448).
# - `matrix_synapse_federation_port_enabled` to avoid exposing the federation ports
matrix_synapse_federation_enabled: true

# Controls whether the federation ports are used at all.
# One may wish to disable federation (`matrix_synapse_federation_enabled: true`),
# but still run other resources (like `openid`) on the federation port
# by enabling them in `matrix_synapse_federation_listener_resource_names`.
matrix_synapse_federation_port_enabled: "{{ matrix_synapse_federation_enabled or matrix_synapse_federation_port_openid_resource_required }}"

# Controls whether an `openid` listener is to be enabled. Useful when disabling federation,
# but needing the `openid` APIs for Dimension or an identity server like ma1sd.
matrix_synapse_federation_port_openid_resource_required: false

# A list of domain names that are allowed to federate with the given Synapse server.
# An empty list value (`[]`) will also effectively stop federation, but if that's the desired
# result, it's better to accomplish it by changing `matrix_synapse_federation_enabled`.
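Review bot: the comment above `matrix_synapse_federation_port_enabled` has the value inverted: `# One may wish to disable federation (`matrix_synapse_federation_enabled: true`),` should read `matrix_synapse_federation_enabled: false`, since `true` is the default that keeps federation on. It would also help to say in the comment on `matrix_synapse_federation_port_openid_resource_required` that setting it to `true` automatically turns `matrix_synapse_federation_port_enabled` on, because that coupling is not obvious from the variable name alone.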
@ -188,7 +188,7 @@ listeners:
- '0.0.0.0'
{% endif %}

{% if matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled %}
{% if matrix_synapse_federation_port_enabled and matrix_synapse_tls_federation_listener_enabled %}
# TLS-enabled listener: for when matrix traffic is sent directly to synapse.
- port: 8448
tls: true
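Review bot: the 8448 listener is now gated on `matrix_synapse_federation_port_enabled`, which the defaults derive from `matrix_synapse_federation_enabled or matrix_synapse_federation_port_openid_resource_required`; a user who overrides `matrix_synapse_federation_port_enabled: true` by hand with federation off and `openid` not required would get a TLS listener whose resource list renders empty. Consider guarding on `matrix_synapse_federation_listener_resource_names|length > 0` as well, or documenting that the port variable is derived and should not normally be overridden.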
@ -197,7 +197,7 @@ listeners:
x_forwarded: false

resources:
- names: [federation]
- names: {{ matrix_synapse_federation_listener_resource_names|to_json }}
compress: false
{% endif %}

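Review bot: `{{ matrix_synapse_federation_listener_resource_names|to_json }}` is rendered unquoted as a YAML flow sequence, so `- names: []` is a possible output whenever the enclosing `{% if %}` passes but the list is empty; rendering the `resources` entry only when the list is non-empty would keep the generated homeserver.yaml free of an empty listener. Using `|to_json` rather than a bare `{{ list }}` is the right call here, since it avoids Python-style single-quoted output.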
@ -213,7 +213,7 @@ listeners:
- names: {{ matrix_synapse_http_listener_resource_names|to_json }}
compress: false

{% if matrix_synapse_federation_enabled %}
{% if matrix_synapse_federation_port_enabled %}
# Unsecure HTTP listener (Federation API): for when matrix traffic passes through a reverse proxy
# that unwraps TLS.
- port: 8048
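Review bot: the comment `# Unsecure HTTP listener (Federation API): for when matrix traffic passes through a reverse proxy` is no longer accurate when federation is disabled and this listener only carries `openid`; reword it to cover both cases (for example "Federation API / openid") so the rendered homeserver.yaml does not suggest federation is on when it is not.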
@ -223,7 +223,7 @@ listeners:
x_forwarded: true

resources:
- names: [federation]
- names: {{ matrix_synapse_federation_listener_resource_names|to_json }}
compress: false
{% endif %}

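Review bot: this 8048 listener sits behind the reverse proxy, and the patch does not touch the proxy side; if the proxy routes for the federation path are themselves conditional on `matrix_synapse_federation_enabled`, the `openid` resource exposed here would be unreachable from outside precisely in the unfederated case the commit message sets out to support. Worth confirming that the proxy keeps forwarding the openid endpoints when `matrix_synapse_federation_enabled` is false and `matrix_synapse_federation_port_openid_resource_required` is true.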