From 88d6e39c8e53825138cef42464600c93d861d02c Mon Sep 17 00:00:00 2001 From: Hans van Zijst Date: Thu, 14 Nov 2024 11:55:08 +0100 Subject: [PATCH] Added bit about blacklisting. --- matrix/synapse/README.md | 36 +++++++++++++++++++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-) diff --git a/matrix/synapse/README.md b/matrix/synapse/README.md index 5b4969e..29743f0 100644 --- a/matrix/synapse/README.md +++ b/matrix/synapse/README.md @@ -147,7 +147,7 @@ Logging is configured in `log.yaml`. Some logging should go to systemd, the more specific logging to Synapse's own logfile(s). -# Delegation and DNS {#Delegation} +## Delegation and DNS {#Delegation} If you run your server under a different FQDN than just the domain name you want to use, you need to delegate: point from your domain to the server. @@ -180,3 +180,37 @@ Very important: both names (example.com and matrix.example.com) must be A and/or AAAA records in DNS, not CNAME. See [nginx](../nginx) for details about how to publish this data. + + +## Blacklists + +You don't want Synapse to try to contact certain IP-addresses, especially not +those that are unroutable or for special uses. Add these addresses to `ip_range_blacklist`, +in `conf.d/ip_range_blacklist.yaml`: + +``` +ip_range_blacklist: + - '127.0.0.0/8' + - '10.0.0.0/8' + - '172.16.0.0/12' + - '192.168.0.0/16' + - '100.64.0.0/10' + - '192.0.0.0/24' + - '169.254.0.0/16' + - '192.88.99.0/24' + - '198.18.0.0/15' + - '192.0.2.0/24' + - '198.51.100.0/24' + - '203.0.113.0/24' + - '224.0.0.0/4' + - '::1/128' + - 'fe80::/10' + - 'fc00::/7' + - '2001:db8::/32' + - 'ff00::/8' + - 'fec0::/10' +``` + +You want to add addresses of malicious or otherwise unwanted machines to this +list too. See [Synapse's documentation](https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html?highlight=ip_range_blacklist#ip_range_blacklist) +for more information.
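Review bot: in the first hunk, `# Delegation and DNS {#Delegation}` is demoted to `##` but no sibling heading is touched, and the surrounding context shows no other heading, so it is not visible from the diff whether the rest of the README already uses `##` for its sections. Please confirm the other sections are at the same level (or demote them in this commit) so this one does not end up nested under whatever `#` heading precedes it; the `{#Delegation}` anchor is preserved, so existing links keep working.

Review bot: in the Blacklists hunk, the CIDR list added under `ip_range_blacklist` is the same set Synapse ships as its built-in default, and setting the key explicitly replaces that default rather than extending it, so the README should say both: that this file is a no-op until something is added to it, and that anything dropped from it is no longer blocked. The closing sentence, "You want to add addresses of malicious or otherwise unwanted machines to this list too", overstates what the setting does: as the opening sentence correctly says, it only stops Synapse from trying to contact those addresses itself (outgoing requests), it does not stop those machines from connecting to the server, so inbound blocking belongs in the reverse proxy or firewall rather than here. Minor style point: the fence in this hunk is untagged; tagging it ```yaml would match the file it is describing.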