Added 'Server' options, removed ip_range_blacklist.yaml.

Hans van Zijst 2024-11-14 18:12:40 +01:00 committed by Valentin Gagarin
parent 42774137ce
commit 4cfa698ba4

@ -183,40 +183,6 @@ and/or AAAA records in DNS, not CNAME.
See [nginx](../nginx) for details about how to publish this data.
# Blacklists
You don't want Synapse to try to contact certain IP-addresses, especially not
those that are unroutable or for special uses. Add these addresses to `ip_range_blacklist`,
in `conf.d/ip_range_blacklist.yaml`:
```
ip_range_blacklist:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '100.64.0.0/10'
- '192.0.0.0/24'
- '169.254.0.0/16'
- '192.88.99.0/24'
- '198.18.0.0/15'
- '192.0.2.0/24'
- '198.51.100.0/24'
- '203.0.113.0/24'
- '224.0.0.0/4'
- '::1/128'
- 'fe80::/10'
- 'fc00::/7'
- '2001:db8::/32'
- 'ff00::/8'
- 'fec0::/10'
```
You want to add addresses of malicious or otherwise unwanted machines to this
list too. See [Synapse's documentation](https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html?highlight=ip_range_blacklist#ip_range_blacklist)
for more information.
# E-mail {#Email}
Synapse should probably be able to send out e-mails; notifications for those
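Review bot: The explanatory text around the removed list is dropped here and does not reappear where the same list is re-added under "Server configuration": the sentence "You don't want Synapse to try to contact certain IP-addresses, especially not those that are unroutable or for special uses", the advice to also add malicious or otherwise unwanted machines, and the link to the `ip_range_blacklist` documentation. Consider moving those sentences along with the list so the reason for blocking these ranges stays documented. Readers who followed the earlier version will also still have `conf.d/ip_range_blacklist.yaml` on disk, so a short note telling them to delete it would avoid `ip_range_blacklist` being defined in two files.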
@ -307,7 +273,7 @@ Logging in can be done in basically two ways: an internal or external
database. Let's start with the first: users and their passwords are stored in
Synapse's database.
We use `conf.d/signon.yaml` to configure this stuff.
We use `conf.d/authentication.yaml` to configure this stuff.
```
password_config:
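Review bot: The rename from `conf.d/signon.yaml` to `conf.d/authentication.yaml` is not mentioned in the commit message, which only covers the 'Server' options and `ip_range_blacklist.yaml`. Please mention it there, and check the rest of the documentation for remaining references to `signon.yaml`, since anyone who set this up from the earlier text has the old file name.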
@ -358,5 +324,48 @@ live under `ou=users,o=Example,dc=example,dc=com` and that are active Posix
accounts. Users will not be able to change their passwords via Matrix, they
have to do that in LDAP.
(this setup has not been tested, although it borrows heavily from the current
ProcoliX setup).
# Server configuration {#serverconfig}
See [Define your homeserver name and other base options](https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html?highlight=require_auth_for_profile_requests#server)
in the Synapse documentation.
It would be logical to put the next options under `conf.d/server.yaml`, but
Debian insists on `conf.d/server_name.yaml` existing and containing the name
of the domain. So we'll use that file for the next options as well. Add these
options:
```
presence:
enabled: true
include_offline_users_on_sync: false
require_auth_for_profile_requests: true
allow_public_rooms_over_federation: true
ip_range_blacklist:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '100.64.0.0/10'
- '192.0.0.0/24'
- '169.254.0.0/16'
- '192.88.99.0/24'
- '198.18.0.0/15'
- '192.0.2.0/24'
- '198.51.100.0/24'
- '203.0.113.0/24'
- '224.0.0.0/4'
- '::1/128'
- 'fe80::/10'
- 'fc00::/7'
- '2001:db8::/32'
- 'ff00::/8'
- 'fec0::/10'
filter_timeline_limit: 500
```
These should be reasonable defaults, but do check the [Server block](https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#server)
in Synapse's documentation for more options and information.
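Review bot: In the new option block, `allow_public_rooms_over_federation: true` is presented as one of the "reasonable defaults", but Synapse's own default for this option is false, and setting it to true lets any other homeserver fetch the public room directory. Please state that this is a deliberate choice and why, and give each option a one-line explanation, including `ip_range_blacklist`, which now appears without the rationale its old "Blacklists" section had. Smaller points: the section links to the same `#server` anchor twice, once with `?highlight=require_auth_for_profile_requests` and once without, so one link would do; and since unrelated options now live in `conf.d/server_name.yaml`, a comment at the top of that file would keep its name from misleading later editors.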