From edc21f15e575e9d40c96e67757e8f8a18722bc0e Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Sun, 24 Jan 2021 08:53:09 +0100 Subject: [PATCH] Restrict publishing worker (metrics) ports to localhost --- .../templates/synapse/systemd/matrix-synapse.service.j2 | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index a88bb3666..3bf51b6fc 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -47,14 +47,15 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse \ {% endif %} {% for worker in matrix_synapse_workers_enabled_list %} {% if matrix_synapse_workers_enabled and not matrix_nginx_proxy_enabled|default(False) %} - {# Expose worker ports (by default 18xxx range) on host if not using internal nginx proxy #} + {# Expose worker ports (by default in 18xxx range) on localhost, f.e. when using + an external reverse proxy outside the matrix docker network #} {% if worker.port != 0 %} - -p {{ worker.port }}:{{ worker.port }} \ + -p 127.0.0.1:{{ worker.port }}:{{ worker.port }} \ {% endif %} {% endif %} - {# Expose worker metrics ports on host if defined #} + {# Expose worker metrics ports on localhost #} {% if worker.metrics_port != 0 %} - -p {{ worker.metrics_port }}:{{ worker.metrics_port }} \ + -p 127.0.0.1:{{ worker.metrics_port }}:{{ worker.metrics_port }} \ {% endif %} {% endfor %} --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data,ro \