Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

support federation queries through http connect proxy #10475

Merged
merged 32 commits into from
Aug 11, 2021

Conversation

dklimpel
Copy link
Contributor

@dklimpel dklimpel commented Jul 24, 2021

Can be specified by HTTPS_PROXY env var.
pass unfiltered reactor to federation agent for proxy support

Sorry for so much lines of code in one PR.
I have tried to do smaller commits.

Replaces: #9306
Fixes: #8660
Blocked by:

ToDo:

Need help / review

given that we already pass the ip blacklist into MatrixFederationAgent, why not move the construction of BlacklistingReactorWrapper down to it, rather than having to pass in two reactors?

  • Choose the right TLS policy for connection with https proxy.

Pull Request Checklist

  • Pull request is based on the develop branch
  • Pull request includes a changelog file. The entry should:
    • Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from EventStore to EventWorkerStore.".
    • Use markdown where necessary, mostly for code blocks.
    • End with either a period (.) or an exclamation mark (!).
    • Start with a capital letter.
  • Pull request includes a sign off
  • Code style is correct (run the linters)

Signed-off-by: Dirk Klimpel [email protected]

@dklimpel dklimpel force-pushed the federation_through_proxy branch from 1b98ec7 to 0bf5ac8 Compare July 24, 2021 21:29
) = proxyagent.http_proxy_endpoint(
https_proxy,
proxy_reactor,
tls_client_options_factory or BrowserLikePolicyForHTTPS(),
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not sure if BrowserLikePolicyForHTTPS is the best default policy.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we need a default policy here. tls_client_options_factory=None is supposed to disable TLS, not fall back to a default. I would make the tls_options_factory parameter to _http_proxy_endpoint Optional, and raise an Exception if the scheme is https but there is no tls factory.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Im not sure what is the best error to raise. ValueError, ConfigError, RuntimeError or anything else?

@dklimpel dklimpel marked this pull request as ready for review July 27, 2021 19:40
@clokep clokep requested a review from a team August 5, 2021 12:28
@richvdh richvdh self-assigned this Aug 6, 2021
Copy link
Member

@richvdh richvdh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks generally great, thank you! Particular thanks for taking the time to figure out the tests.

A few minor suggestions here.

@@ -343,6 +343,7 @@ def __init__(self, hs, tls_client_options_factory):
tls_client_options_factory,
user_agent,
hs.config.federation_ip_range_blacklist,
proxy_reactor=hs.get_reactor(),
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

per #9306 (comment):

I suggest you move the code at lines 330-334 which builds a BlacklistingReactorWrapper into MatrixFederationAgent. There is no need for MatrixFederationHttpClient.reactor to be a BlacklistingReactorWrapper.

synapse/http/federation/matrix_federation_agent.py Outdated Show resolved Hide resolved
synapse/http/federation/matrix_federation_agent.py Outdated Show resolved Hide resolved
) = proxyagent.http_proxy_endpoint(
https_proxy,
proxy_reactor,
tls_client_options_factory or BrowserLikePolicyForHTTPS(),
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we need a default policy here. tls_client_options_factory=None is supposed to disable TLS, not fall back to a default. I would make the tls_options_factory parameter to _http_proxy_endpoint Optional, and raise an Exception if the scheme is https but there is no tls factory.

Comment on lines 336 to 343
connect_headers = Headers()
# Determine whether we need to set Proxy-Authorization headers
if self.https_proxy_creds:
# Set a Proxy-Authorization header
connect_headers.addRawHeader(
b"Proxy-Authorization",
self.https_proxy_creds.as_proxy_authorization_value(),
)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we just move this into HTTPConnectProxyEndpoint, to save doing it each time we construct one?

(in other words: make HTTPConnectProxyEndpoint take an Optional[ProxyCredentials] parameter instead of a custom headers parameter)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change was larger.
I had to move ProxyCredentials from proxyagent to connectproxyclient. The reason was a circular import.
I have replaced headers parameter because it was introduced in #9657 only for proxy connections and is not needed anymore.

_srv_resolver=self.mock_resolver,
_well_known_resolver=self.well_known_resolver,
)
self.agent = self._make_agent()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it would be better not to create an agent here at all, than to create it and then recreate for some of the tests.

tests/http/federation/test_matrix_federation_agent.py Outdated Show resolved Hide resolved
tests/http/federation/test_matrix_federation_agent.py Outdated Show resolved Hide resolved
@sim0nx
Copy link

sim0nx commented Aug 6, 2021

Am I correct to assume that this also solves #8859 , i.e. http proxy outbound federation ?

@dklimpel
Copy link
Contributor Author

dklimpel commented Aug 6, 2021

Am I correct to assume that this also solves #8859 , i.e. http proxy outbound federation ?

#8859 is a duplictae of #8660 (#8859 (comment))
With this PR you can make outbound federation requests via proxy. You can connect to this proxy either with http or https.
All federation request uses https (https_proxy env var).

Copy link
Member

@richvdh richvdh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm. Thank you so much for working on this!

@richvdh richvdh merged commit 339c391 into matrix-org:develop Aug 11, 2021
@3nprob 3nprob mentioned this pull request Aug 11, 2021
4 tasks
@dklimpel dklimpel deleted the federation_through_proxy branch August 11, 2021 18:10
@f1-outsourcing
Copy link

f1-outsourcing commented Aug 11, 2021

@dklimpel @richvdh
Do I understand correctly that this makes it possible to run synapse only through proxies (forward and reverse)? Without eg. having a default gateway available? Hi how can I test this?

Yes. That is the purpose for this PR.
You can do a pip install https://matrix-org.github.io/synapse/latest/setup/installation.html#installing-from-source
The source code for a test is: https://github.com/dklimpel/synapse/tree/federation_through_proxy

I am using tinyproxy currently for this test environment. I have connected the element webinterface and it authenticated against the synapse server. I am able to send messages between a user on the webinterface and a user on a mobile device. I have configured synapse to run with these environment variables:

HTTP_PROXY=http://xxxx.xxxx.xxxxxxxx.xxxxx:53245"
HTTPS_PROXY=https://xxxx.xxxx.xxxxxxxx.xxxxx:53245"
NO_PROXY=".local,localhost,127.0.0.1"

I am using firefox, and that seems to work for http and https sites with this proxy.

However when I 'explore public rooms' search for test on matrix.org, I am getting this error

Aug 11 21:32:14 xxx journal: matrix-synapse synapse.http.federation.matrix_federation_agent - 361 - INFO - POST-261 - Failed to connect to matrix-federation.matrix.org.cdn.cloudflare.net:8443: [('SSL routines', 'ssl3_get_record', 'wrong version number')]

To be sure I also used curl to test the connections, which seem ok.

curl --proxy http://xxxx.xxxx.xxxxxxxx.xxxxx:53245 http://httpbin.org/get
curl --proxy https://xxxx.xxxx.xxxxxxxx.xxxxx:53245 https://httpbin.org/get

If this is related to the certificate being used for outgoing connections (as maybe mentioned here #5684) How should I configure multiple certificates.

I have my synapse container running with task/host names '111.222.333.444.555' while my 'front end' is using a 'aaa.bbb.cccc' hostname. Currently most containers are running on my own CA so, multiple instances of synapse (workers?) will communicate via such hostnames 111.222.333.444.555.

@dklimpel
Copy link
Contributor Author

Are you sure that tinyproxy is able to use it with HTTPS_PROXY=https://xxxx.xxxx.xxxxxxxx.xxxxx:53245"? I could not find an option to set a certificate for tinyproxy. HTTPS_PROXY=https:// means that Synapse connect to proxy via https and then request the target. But to connect to proxy via https the proxy needs a certificate. I would recommend to use HTTPS_PROXY=http://xxxx.xxxx.xxxxxxxx.xxxxx:53245"

@f1-outsourcing
Copy link

But incoming requests are going to my reverse proxy, haproxy and there I have the correct certificate. With the outgoing request to matrix-federation.matrix.org.cdn.cloudflare.net:8443 is there some client certificate being used and verified?

What does this exactly mean?
SSL routines', 'ssl3_get_record', 'wrong version number'

@f1-outsourcing
Copy link

Oh oh, looks like maybe cloudflare issue or where do you get this hostname from?

This is what I get when I open the url in firefox.

https://matrix-federation.matrix.org.cdn.cloudflare.net:8443/

Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for matrix-federation.matrix.org.cdn.cloudflare.net:8443. The certificate is only valid for the following names: about.riot.im, arewereadyyet.com, lfs.matrix.org, matrix-client.matrix.org, matrix-federation.matrix.org, matrix.org, matrix.to, modular.im, riot.im, spec.matrix.org, status.matrix.org, vector.im, www.matrix.org, www.modular.im

Error code: SSL_ERROR_BAD_CERT_DOMAIN

@f1-outsourcing
Copy link

synapse log

Aug 11 23:26:10 c04 journal: matrix-synapse synapse.handlers.presence - 755 - INFO - persist_presence_changes-0 - Persisting 1 unpersisted presence updates
Aug 11 23:26:10 c04 journal: matrix-synapse synapse.http.federation.well_known_resolver - 253 - INFO - POST-72 - Fetching https://matrix.org/.well-known/matrix/server
Aug 11 23:26:10 c04 journal: matrix-synapse synapse.http.federation.well_known_resolver - 284 - INFO - POST-72 - Error fetching https://matrix.org/.well-known/matrix/server: [('SSL routines', 'ssl3_get_record', 'wrong version number')]

Curl

[@test2 ~]#  curl --proxy https://proxy.xxxxxxxxxxxx:53245 'https://matrix.org/.well-known/matrix/server'
{ "m.server": "matrix-federation.matrix.org:443" }
[@test2 ~]#  curl --proxy http://proxy.xxxxxxxxxxxx:53245 'https://matrix.org/.well-known/matrix/server'
{ "m.server": "matrix-federation.matrix.org:443" }

@dklimpel
Copy link
Contributor Author

How did you configure that tinyproxy supports https://proxy.xxxxxxxxxxxx:53245?
Whe I am use it. I get this:

curl --proxy https://localhost:8888 'https://matrix.org/.well-known/matrix/server' -v
*   Trying 127.0.0.1:8888...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8888 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

Tinyproxy log:

CONNECT   Aug 12 07:02:58 [267779]: Connect (file descriptor 6): localhost [127.0.0.1]
CONNECT   Aug 12 07:02:58 [267779]: Request (file descriptor 6): ^V^C^A^B
WARNING   Aug 12 07:02:58 [267779]: Could not retrieve all the headers from the client
INFO      Aug 12 07:02:58 [267779]: Read request entity of 341 bytes

This what I am expect. Because tinyproxy cannot create a connection with https. It has no TLS certificate for this.

A normal http connection with tinyproxy:

curl --proxy http://localhost:8888 'https://matrix.org/.well-known/matrix/server' -v
*   Trying 127.0.0.1:8888...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8888 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to matrix.org:443
> CONNECT matrix.org:443 HTTP/1.1
> Host: matrix.org:443
> User-Agent: curl/7.68.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.0 200 Connection established
< Proxy-agent: tinyproxy/1.10.0
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CONNECT phase completed!
* CONNECT phase completed!
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=www.matrix.org
*  start date: Jun 12 02:08:30 2021 GMT
*  expire date: Sep 10 02:08:29 2021 GMT
*  subjectAltName: host "matrix.org" matched cert's "matrix.org"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x56166ddfc860)
> GET /.well-known/matrix/server HTTP/2
> Host: matrix.org
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 200
< date: Thu, 12 Aug 2021 07:03:31 GMT
< content-length: 52
< last-modified: Thu, 12 Aug 2021 02:17:28 GMT
< etag: "34-5c95356209e00"
< x-xss-protection: 1; mode=block
< x-content-type-options: nosniff
< strict-transport-security: max-age=31536000; includeSubDomains; preload
< x-frame-options: sameorigin
< referrer-policy: strict-origin-when-cross-origin
< cache-control: max-age=14400
< permissions-policy: interest-cohort=()
< cf-cache-status: HIT
< age: 1346
< accept-ranges: bytes
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: cloudflare
< cf-ray: 67d7d825fe7134e4-DUB
<
{ "m.server": "matrix-federation.matrix.org:443" }
* Connection #0 to host localhost left intact

@f1-outsourcing
Copy link

f1-outsourcing commented Aug 12, 2021

btw thanks for helping and testing this, I really appreciate it. ;) I am really looking forward to having this synapse in my container environment.

This is the config I have. I just redacted some more allow lines. I have tinyproxy running on two networks one connected to the internet and one connected to a container/vm environment.

Maybe running this on localhost is not the best way to test, because local routing could mess up the outgoing traffic? My tinyproxy is running separate, from my test2 and synapse. All have their own ip addresses. I know for sure my environment is getting the ssl websites. Yesterday I even checked if the container was validating the certificates of matrix.org correctly, which are letsencrypt and curl just worked fine. To me it starts to look like some client certificate is being used communicating with matrix.org. But this error message is just not clear.

[@ tinyproxy]# cat tinyproxy.conf  | grep -v '^#'|sed  '/^$/d'
User tinyproxy
Group tinyproxy
Port 53245
Timeout 600
DefaultErrorFile "/usr/share/tinyproxy/default.html"
StatFile "/usr/share/tinyproxy/stats.html"
Syslog On
LogLevel Info
MaxClients 100
MinSpareServers 5
MaxSpareServers 20
StartServers 1
MaxRequestsPerChild 0
Allow 127.0.0.1
ViaProxyName "tinyproxy"
DisableViaHeader Yes
[@test2 root]$ curl --proxy http://xxxxxxxx:53245 'https://matrix.org/.well-known/matrix/server' -v
* About to connect() to xxxxxxxxs port 53245 (#0)
*   Trying 192.168.122.21...
* Connected to xxxxxxxxx (192.168.122.21) port 53245 (#0)
* Establish HTTP proxy tunnel to matrix.org:443
> CONNECT matrix.org:443 HTTP/1.1
> Host: matrix.org:443
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.0 200 Connection established
< Proxy-agent: tinyproxy/1.10.0
<
* Proxy replied OK to CONNECT request
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=www.matrix.org
*       start date: Jun 12 02:08:30 2021 GMT
*       expire date: Sep 10 02:08:29 2021 GMT
*       common name: www.matrix.org
*       issuer: CN=R3,O=Let's Encrypt,C=US
> GET /.well-known/matrix/server HTTP/1.1
> User-Agent: curl/7.29.0
> Host: matrix.org
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Thu, 12 Aug 2021 10:43:11 GMT
< Content-Length: 52
< Connection: keep-alive
< Last-Modified: Thu, 12 Aug 2021 02:17:28 GMT
< ETag: "34-5c95356209e00"
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
< X-Frame-Options: sameorigin
< Referrer-Policy: strict-origin-when-cross-origin
< Cache-Control: max-age=14400
< Permissions-Policy: interest-cohort=()
< CF-Cache-Status: HIT

PS. If you want access to my test environment, you can have it.

@dklimpel
Copy link
Contributor Author

I think you env var is not correct.
You use

HTTP_PROXY=http://xxxx.xxxx.xxxxxxxx.xxxxx:53245"
HTTPS_PROXY=https://xxxx.xxxx.xxxxxxxx.xxxxx:53245"
NO_PROXY=".local,localhost,127.0.0.1"

You have to use:

HTTP_PROXY=http://xxxx.xxxx.xxxxxxxx.xxxxx:53245"
HTTPS_PROXY=http://xxxx.xxxx.xxxxxxxx.xxxxx:53245"
NO_PROXY=".local,localhost,127.0.0.1"

You can connect to your proxy via http and not https.
The error message is not a message from Synapse.
[('SSL routines', 'ssl3_get_record', 'wrong version number')] is from SSL library.
You try to connect with TLS (HTTPS_PROXY=https://xxxx.xxxx.xxxxxxxx.xxxxx:53245") to your proxy. But the proxy does not support TLS/https. It supports only http (HTTPS_PROXY=http://xxxx.xxxx.xxxxxxxx.xxxxx:53245").

@f1-outsourcing
Copy link

f1-outsourcing commented Aug 12, 2021

I think tinyproxy by default supports ssl/tls and just switches automatically based on the protocol it receives. I think you should be able to do this[1] also. It does not really make sense not supporting ssl these days. I will try and have a look at this (ssl?) library and see what this error means.

[1]

[@test2 root]$ curl --proxy https://xxxxxxxx:53245 'https://matrix.org/.well-known/matrix/server' -v
* About to connect() to proxy proxy.dev.marathon.mesos port 53245 (#0)
*   Trying 192.168.122.21...
* Connected to xxxxxxxxx (192.168.122.21) port 53245 (#0)
* Establish HTTP proxy tunnel to matrix.org:443
> CONNECT matrix.org:443 HTTP/1.1
> Host: matrix.org:443
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.0 200 Connection established
< Proxy-agent: tinyproxy/1.10.0
<
* Proxy replied OK to CONNECT request
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=www.matrix.org
*       start date: Jun 12 02:08:30 2021 GMT
*       expire date: Sep 10 02:08:29 2021 GMT
*       common name: www.matrix.org
*       issuer: CN=R3,O=Let's Encrypt,C=US
> GET /.well-known/matrix/server HTTP/1.1
> User-Agent: curl/7.29.0

@f1-outsourcing
Copy link

Do you have a code snippet that I can use to test with? Something that would generate the same error message in my environment?
Maybe it is related to how the connection is made? Here they are writing about ssl records. openssl/openssl#10938 (comment)
In his case he was not reading the first packet correctly

@dklimpel
Copy link
Contributor Author

dklimpel commented Aug 12, 2021

I do not have a code snippet.
Extract it from Synapse is not so easy.

I did a request with a proxy that is able to talk https (squid), I can see 2 TLS handshakes.
First for proxy connection and second for connection with matrix.org.

curl --proxy https://localhost:3129 'https://matrix.org/.well-known/matrix/server' -v --proxy-insecure
*   Trying 127.0.0.1:3129...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 3129 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Proxy certificate:
*  subject: C=DE; ST=Some-State;
*  start date: Jul 16 12:10:33 2021 GMT
*  expire date: Jul 16 12:10:33 2022 GMT
*  issuer: C=DE; ST=Some-State;
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* allocate connect buffer!
* Establish HTTP proxy tunnel to matrix.org:443
> CONNECT matrix.org:443 HTTP/1.1
> Host: matrix.org:443
> User-Agent: curl/7.68.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CONNECT phase completed!
* CONNECT phase completed!
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=www.matrix.org
*  start date: Jun 12 02:08:30 2021 GMT
*  expire date: Sep 10 02:08:29 2021 GMT
*  subjectAltName: host "matrix.org" matched cert's "matrix.org"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x557a37b08860)
> GET /.well-known/matrix/server HTTP/2
> Host: matrix.org
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 200
< date: Thu, 12 Aug 2021 12:13:31 GMT
< content-length: 52
< last-modified: Thu, 12 Aug 2021 12:04:00 GMT
< etag: "34-5c95b87bbec00"
< x-xss-protection: 1; mode=block
< x-content-type-options: nosniff
< strict-transport-security: max-age=31536000; includeSubDomains; preload
< x-frame-options: sameorigin
< referrer-policy: strict-origin-when-cross-origin
< cache-control: max-age=14400
< permissions-policy: interest-cohort=()
< cf-cache-status: HIT
< age: 431
< accept-ranges: bytes
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: cloudflare
< cf-ray: 67d99e40ba5b60cd-DUB
<
{ "m.server": "matrix-federation.matrix.org:443" }
* Connection #0 to host localhost left intact

@dklimpel
Copy link
Contributor Author

curl 7.29.0 is not up to date. Release date was Feb 6 2013.

@f1-outsourcing
Copy link

curl 7.29.0 is not up to date. Release date was Feb 6 2013.

We should let RedHat worry about such things, the el7 is still a supported distribution ;)

@dklimpel
Copy link
Contributor Author

Yes it is supported for security bugfixes. But curl 7.29.0 does not support proxy connections with TLS.
https://daniel.haxx.se/blog/2016/11/26/https-proxy-with-curl/
Your curl version ignores the https and does a connection via http whether you tell him to use https or not.

It does not really make sense not supporting ssl these days

But 2013! ;)

@f1-outsourcing
Copy link

Genius, genius of you.

I just tried on the docker image with curl 7.78, and whoppa

url: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

And while I was doing this, I thought lets run the container with
"HTTP_PROXY": "http://192.168.122.xx:53245", "HTTPS_PROXY": "http://192.168.122.xx:53245",

And this seems to work!!!!!! Explore rooms is being filled with external data.

I am embarrassed about wasting your time on this

@f1-outsourcing
Copy link

@dklimpel

I just switched back from using a hostname in the proxy config to an ip address, hoping it would resolve the timeout messages that I am getting (in case python is not using the correct ip address). But I keep getting lots of these. Joining a room seems to be slow, however I managed to join 2.

Aug 13 16:02:29 xxxxxx journal: matrix-synapse synapse.http.matrixfederationclient - 635 - INFO - federation_transaction_transmission_loop-1135 - {PUT-O-679} [packet.delivery] Request failed: PUT matrix://packet.delivery/_matrix/federation/v1/send/1628862410582: TimeoutError('Timed out after 60s')
Aug 13 16:02:29 xxxxxx journal: matrix-synapse synapse.http.matrixfederationclient - 635 - INFO - GET-994 - {GET-O-702} [vi.fi] Request failed: GET matrix://vi.fi/_matrix/media/r0/download/vi.fi/rDHTynXjBZZofVeosisEMzKV?allow_remote=false: TimeoutError('')
Aug 13 16:02:29 xxxxxx journal: matrix-synapse synapse.http.matrixfederationclient - 635 - INFO - federation_transaction_transmission_loop-1165 - {PUT-O-685} [furry.lol] Request failed: PUT matrix://furry.lol/_matrix/federation/v1/send/1628862410588: TimeoutError('')
Aug 13 16:02:30 xxxxxx journal: matrix-synapse synapse.http.matrixfederationclient - 635 - INFO - GET-1640 - {GET-O-713} [kapsi.fi] Request failed: GET matrix://kapsi.fi/_matrix/media/r0/download/kapsi.fi/FUJcYeeynfFBUAuPaANxzbcd?allow_remote=false: TimeoutError('')
Aug 13 16:02:30 xxxxxx journal: matrix-synapse synapse.http.matrixfederationclient - 635 - INFO - federation_transaction_transmission_loop-528 - {PUT-O-358} [matrix.onosend.ai] Request failed: PUT matrix://matrix.onosend.ai/_matrix/federation/v1/send/1628862410468: TimeoutError('Timed out after 60s')
Aug 13 16:02:31 xxxxxx journal: matrix-synapse synapse.http.matrixfederationclient - 635 - INFO - GET-1642 - {GET-O-714} [fullcontrol.se] Request failed: GET matrix://fullcontrol.se/_matrix/media/r0/download/fullcontrol.se/gKAdbEJzBMFETgsfCiHaJJvq?allow_remote=false: TimeoutError('Timed out after 60s')
Aug 13 16:02:31 xxxxxx journal: matrix-synapse synapse.http.matrixfederationclient - 635 - INFO - federation_transaction_transmission_loop-235 - {PUT-O-299} [purplewire.xyz] Request failed: PUT matrix://purplewire.xyz/_matrix/federation/v1/send/1628862410409: TimeoutError('')
Aug 13 16:02:31 xxxxxx journal: matrix-synapse synapse.http.matrixfederationclient - 635 - INFO - federation_transaction_transmission_loop-711 - {PUT-O-418} [matrix.splitanatom.com] Request failed: PUT matrix://matrix.splitanatom.com/_matrix/federation/v1/send/1628862410507: TimeoutError('Timed out after 60s')
Aug 13 16:02:31 xxxxxx journal: matrix-synapse synapse.http.matrixfederationclient - 635 - INFO - federation_transaction_transmission_loop-683 - {PUT-O-385} [zgrz.yt] Request failed: PUT matrix://zgrz.yt/_matrix/federation/v1/send/1628862410495: TimeoutError('')
Aug 13 16:02:31 xxxxxx journal: matrix-synapse synapse.http.matrixfederationclient - 635 - INFO - federation_transaction_transmission_loop-582 - {PUT-O-365} [thebeckmeyers.xyz] Request failed: PUT matrix://thebeckmeyers.xyz/_matrix/federation/v1/send/1628862410475: TimeoutError('')
Aug 13 16:02:32 xxxxxx journal: matrix-synapse synapse.http.matrixfederationclient - 635 - INFO - federation_transaction_transmission_loop-313 - {PUT-O-267} [canarymod.net] Request failed: PUT matrix://canarymod.net/_matrix/federation/v1/send/1628862410377: TimeoutError('Timed out after 60s')
Aug 13 16:02:34 xxxxxx journal: matrix-synapse synapse.http.matrixfederationclient - 635 - INFO - federation_transaction_transmission_loop-741 - {PUT-O-618} [exp.farm] Request failed: PUT matrix://exp.farm/_matrix/federation/v1/send/1628862410528: TimeoutError('Timed out after 60s')
Aug 13 16:02:34 xxxxxx journal: matrix-synapse synapse.http.matrixfederationclient - 635 - INFO - federation_transaction_transmission_loop-105 - {PUT-O-227} [matrix.beachcom.org] Request failed: PUT matrix://matrix.beachcom.org/_matrix/federation/v1/send/1628862410337: TimeoutError('')
Aug 13 16:02:35 xxxxxx journal: matrix-synapse synapse.http.matrixfederationclient - 635 - INFO - federation_transaction_transmission_loop-835 - {PUT-O-630} [matrix.privatebit.de] Request failed: PUT matrix://matrix.privatebit.de/_matrix/federation/v1/send/1628862410540: TimeoutError('')
Aug 13 16:02:35 xxxxxx journal: matrix-synapse synapse.http.matrixfederationclient - 635 - INFO - federation_transaction_transmission_loop-758 - {PUT-O-620} [matrix.datenwolke.io] Request failed: PUT matrix://matrix.datenwolke.io/_matrix/federation/v1/send/1628862410530: TimeoutError('Timed out after 60s')
Aug 13 16:02:35 xxxxxx journal: matrix-synapse synapse.http.matrixfederationclient - 635 - INFO - federation_transaction_transmission_loop-782 - {PUT-O-623} [hu-berlin.de] Request failed: PUT matrix://hu-berlin.de/_matrix/federation/v1/send/1628862410533: TimeoutError('Timed out after 60s')
Aug 13 16:02:36 
```xxxxxx journal: matrix-synapse synapse.http.matrixfederationclient - 635 - INFO - federation_tran

@dklimpel
Copy link
Contributor Author

I think this is not easy to debug.
I would have a look also in proxy server log and perhaps make a tcp dump to have a look if the proxy has to much connections or something else.

richvdh added a commit that referenced this pull request Aug 24, 2021
Synapse 1.41.0rc1 (2021-08-18)
==============================

Features
--------

- Add `get_userinfo_by_id` method to ModuleApi. ([\#9581](#9581))
- Initial local support for [MSC3266](#10394), Room Summary over the unstable `/rooms/{roomIdOrAlias}/summary` API. ([\#10394](#10394))
- Experimental support for [MSC3288](matrix-org/matrix-spec-proposals#3288), sending `room_type` to the identity server for 3pid invites over the `/store-invite` API. ([\#10435](#10435))
- Add support for sending federation requests through a proxy. Contributed by @Bubu and @dklimpel. ([\#10475](#10475))
- Add support for "marker" events which makes historical events discoverable for servers that already have all of the scrollback history (part of [MSC2716](matrix-org/matrix-spec-proposals#2716)). ([\#10498](#10498))
- Add a configuration setting for the time a `/sync` response is cached for. ([\#10513](#10513))
- The default logging handler for new installations is now `PeriodicallyFlushingMemoryHandler`, a buffered logging handler which periodically flushes itself. ([\#10518](#10518))
- Add support for new redaction rules for historical events specified in [MSC2716](matrix-org/matrix-spec-proposals#2716). ([\#10538](#10538))
- Add a setting to disable TLS when sending email. ([\#10546](#10546))
- Add pagination to the spaces summary based on updates to [MSC2946](matrix-org/matrix-spec-proposals#2946). ([\#10549](#10549), [\#10560](#10560), [\#10569](#10569), [\#10574](#10574), [\#10575](#10575), [\#10579](#10579), [\#10583](#10583))
- Admin API to delete several media for a specific user. Contributed by @dklimpel. ([\#10558](#10558), [\#10628](#10628))
- Add support for routing `/createRoom` to workers. ([\#10564](#10564))
- Update the Synapse Grafana dashboard. ([\#10570](#10570))
- Add an admin API (`GET /_synapse/admin/username_available`) to check if a username is available (regardless of registration settings). ([\#10578](#10578))
- Allow editing a user's `external_ids` via the "Edit User" admin API. Contributed by @dklimpel. ([\#10598](#10598))
- The Synapse manhole no longer needs coroutines to be wrapped in `defer.ensureDeferred`. ([\#10602](#10602))
- Add option to allow modules to run periodic tasks on all instances, rather than just the one configured to run background tasks. ([\#10638](#10638))

Bugfixes
--------

- Add some clarification to the sample config file. Contributed by @Kentokamoto. ([\#10129](#10129))
- Fix a long-standing bug where protocols which are not implemented by any appservices were incorrectly returned via `GET /_matrix/client/r0/thirdparty/protocols`. ([\#10532](#10532))
- Fix exceptions in logs when failing to get remote room list. ([\#10541](#10541))
- Fix longstanding bug which caused the user "status" to be reset when the user went offline. Contributed by @dklimpel. ([\#10550](#10550))
- Allow public rooms to be previewed in the spaces summary APIs from [MSC2946](matrix-org/matrix-spec-proposals#2946). ([\#10580](#10580))
- Fix a bug introduced in v1.37.1 where an error could occur in the asynchronous processing of PDUs when the queue was empty. ([\#10592](#10592))
- Fix errors on /sync when read receipt data is a string. Only affects homeservers with the experimental flag for [MSC2285](matrix-org/matrix-spec-proposals#2285) enabled. Contributed by @SimonBrandner. ([\#10606](#10606))
- Additional validation for the spaces summary API to avoid errors like `ValueError: Stop argument for islice() must be None or an integer`. The missing validation has existed since v1.31.0. ([\#10611](#10611))
- Revert behaviour introduced in v1.38.0 that strips `org.matrix.msc2732.device_unused_fallback_key_types` from `/sync` when its value is empty. This field should instead always be present according to [MSC2732](https://github.com/matrix-org/matrix-doc/blob/master/proposals/2732-olm-fallback-keys.md). ([\#10623](#10623))

Improved Documentation
----------------------

- Add documentation for configuration a forward proxy. ([\#10443](#10443))
- Updated the reverse proxy documentation to highlight the homserver configuration that is needed to make Synapse aware that is is intentionally reverse proxied. ([\#10551](#10551))
- Update CONTRIBUTING.md to fix index links and the instructions for SyTest in docker. ([\#10599](#10599))

Deprecations and Removals
-------------------------

- No longer build `.deb` packages for Ubuntu 20.10 LTS Groovy Gorilla, which has now EOLed. ([\#10588](#10588))
- The `template_dir` configuration settings in the `sso`, `account_validity` and `email` sections of the configuration file are now deprecated in favour of the global `templates.custom_template_directory` setting. See the [upgrade notes](https://matrix-org.github.io/synapse/latest/upgrade.html) for more information. ([\#10596](#10596))

Internal Changes
----------------

- Improve event caching mechanism to avoid having multiple copies of an event in memory at a time. ([\#10119](#10119))
- Reduce errors in PostgreSQL logs due to concurrent serialization errors. ([\#10504](#10504))
- Include room ID in ignored EDU log messages. Contributed by @ilmari. ([\#10507](#10507))
- Add pagination to the spaces summary based on updates to [MSC2946](matrix-org/matrix-spec-proposals#2946). ([\#10527](#10527), [\#10530](#10530))
- Fix CI to not break when run against branches rather than pull requests. ([\#10529](#10529))
- Mark all events stemming from the [MSC2716](matrix-org/matrix-spec-proposals#2716) `/batch_send` endpoint as historical. ([\#10537](#10537))
- Clean up some of the federation event authentication code for clarity. ([\#10539](#10539), [\#10591](#10591))
- Convert `Transaction` and `Edu` objects to attrs. ([\#10542](#10542))
- Update `/batch_send` endpoint to only return `state_events` created by the `state_events_from_before` passed in. ([\#10552](#10552))
- Update contributing.md to warn against rebasing an open PR. ([\#10563](#10563))
- Remove the unused public rooms replication stream. ([\#10565](#10565))
- Clarify error message when failing to join a restricted room. ([\#10572](#10572))
- Remove references to BuildKite in favour of GitHub Actions. ([\#10573](#10573))
- Move `/batch_send` endpoint defined by [MSC2716](matrix-org/matrix-spec-proposals#2716) to the `/v2_alpha` directory. ([\#10576](#10576))
- Allow multiple custom directories in `read_templates`. ([\#10587](#10587))
- Re-organize the `synapse.federation.transport.server` module to create smaller files. ([\#10590](#10590))
- Flatten the `synapse.rest.client` package by moving the contents of `v1` and `v2_alpha` into the parent. ([\#10600](#10600))
- Build Debian packages for Debian 12 (Bookworm). ([\#10612](#10612))
- Fix up a couple of links to the database schema documentation. ([\#10620](#10620))
- Fix a broken link to the upgrade notes. ([\#10631](#10631))
aaronraimist added a commit to aaronraimist/synapse that referenced this pull request Aug 31, 2021
Synapse 1.41.0 (2021-08-24)
===========================

This release adds support for Debian 12 (Bookworm), but **removes support for Ubuntu 20.10 (Groovy Gorilla)**, which reached End of Life last month.

Note that when using workers the `/_synapse/admin/v1/users/{userId}/media` must now be handled by media workers. See the [upgrade notes](https://matrix-org.github.io/synapse/latest/upgrade.html) for more information.

Features
--------

- Enable room capabilities ([MSC3244](matrix-org/matrix-spec-proposals#3244)) by default and set room version 8 as the preferred room version when creating restricted rooms. ([\matrix-org#10571](matrix-org#10571))

Synapse 1.41.0rc1 (2021-08-18)
==============================

Features
--------

- Add `get_userinfo_by_id` method to ModuleApi. ([\matrix-org#9581](matrix-org#9581))
- Initial local support for [MSC3266](matrix-org#10394), Room Summary over the unstable `/rooms/{roomIdOrAlias}/summary` API. ([\matrix-org#10394](matrix-org#10394))
- Experimental support for [MSC3288](matrix-org/matrix-spec-proposals#3288), sending `room_type` to the identity server for 3pid invites over the `/store-invite` API. ([\matrix-org#10435](matrix-org#10435))
- Add support for sending federation requests through a proxy. Contributed by @Bubu and @dklimpel. See the [upgrade notes](https://matrix-org.github.io/synapse/latest/upgrade.html) for more information. ([\matrix-org#10596](matrix-org#10596)). ([\matrix-org#10475](matrix-org#10475))
- Add support for "marker" events which makes historical events discoverable for servers that already have all of the scrollback history (part of [MSC2716](matrix-org/matrix-spec-proposals#2716)). ([\matrix-org#10498](matrix-org#10498))
- Add a configuration setting for the time a `/sync` response is cached for. ([\matrix-org#10513](matrix-org#10513))
- The default logging handler for new installations is now `PeriodicallyFlushingMemoryHandler`, a buffered logging handler which periodically flushes itself. ([\matrix-org#10518](matrix-org#10518))
- Add support for new redaction rules for historical events specified in [MSC2716](matrix-org/matrix-spec-proposals#2716). ([\matrix-org#10538](matrix-org#10538))
- Add a setting to disable TLS when sending email. ([\matrix-org#10546](matrix-org#10546))
- Add pagination to the spaces summary based on updates to [MSC2946](matrix-org/matrix-spec-proposals#2946). ([\matrix-org#10549](matrix-org#10549), [\matrix-org#10560](matrix-org#10560), [\matrix-org#10569](matrix-org#10569), [\matrix-org#10574](matrix-org#10574), [\matrix-org#10575](matrix-org#10575), [\matrix-org#10579](matrix-org#10579), [\matrix-org#10583](matrix-org#10583))
- Admin API to delete several media for a specific user. Contributed by @dklimpel. ([\matrix-org#10558](matrix-org#10558), [\matrix-org#10628](matrix-org#10628))
- Add support for routing `/createRoom` to workers. ([\matrix-org#10564](matrix-org#10564))
- Update the Synapse Grafana dashboard. ([\matrix-org#10570](matrix-org#10570))
- Add an admin API (`GET /_synapse/admin/username_available`) to check if a username is available (regardless of registration settings). ([\matrix-org#10578](matrix-org#10578))
- Allow editing a user's `external_ids` via the "Edit User" admin API. Contributed by @dklimpel. ([\matrix-org#10598](matrix-org#10598))
- The Synapse manhole no longer needs coroutines to be wrapped in `defer.ensureDeferred`. ([\matrix-org#10602](matrix-org#10602))
- Add option to allow modules to run periodic tasks on all instances, rather than just the one configured to run background tasks. ([\matrix-org#10638](matrix-org#10638))

Bugfixes
--------

- Add some clarification to the sample config file. Contributed by @Kentokamoto. ([\matrix-org#10129](matrix-org#10129))
- Fix a long-standing bug where protocols which are not implemented by any appservices were incorrectly returned via `GET /_matrix/client/r0/thirdparty/protocols`. ([\matrix-org#10532](matrix-org#10532))
- Fix exceptions in logs when failing to get remote room list. ([\matrix-org#10541](matrix-org#10541))
- Fix longstanding bug which caused the user's presence "status message" to be reset when the user went offline. Contributed by @dklimpel. ([\matrix-org#10550](matrix-org#10550))
- Allow public rooms to be previewed in the spaces summary APIs from [MSC2946](matrix-org/matrix-spec-proposals#2946). ([\matrix-org#10580](matrix-org#10580))
- Fix a bug introduced in v1.37.1 where an error could occur in the asynchronous processing of PDUs when the queue was empty. ([\matrix-org#10592](matrix-org#10592))
- Fix errors on /sync when read receipt data is a string. Only affects homeservers with the experimental flag for [MSC2285](matrix-org/matrix-spec-proposals#2285) enabled. Contributed by @SimonBrandner. ([\matrix-org#10606](matrix-org#10606))
- Additional validation for the spaces summary API to avoid errors like `ValueError: Stop argument for islice() must be None or an integer`. The missing validation has existed since v1.31.0. ([\matrix-org#10611](matrix-org#10611))
- Revert behaviour introduced in v1.38.0 that strips `org.matrix.msc2732.device_unused_fallback_key_types` from `/sync` when its value is empty. This field should instead always be present according to [MSC2732](https://github.com/matrix-org/matrix-doc/blob/master/proposals/2732-olm-fallback-keys.md). ([\matrix-org#10623](matrix-org#10623))

Improved Documentation
----------------------

- Add documentation for configuring a forward proxy. ([\matrix-org#10443](matrix-org#10443))
- Updated the reverse proxy documentation to highlight the homserver configuration that is needed to make Synapse aware that is is intentionally reverse proxied. ([\matrix-org#10551](matrix-org#10551))
- Update CONTRIBUTING.md to fix index links and the instructions for SyTest in docker. ([\matrix-org#10599](matrix-org#10599))

Deprecations and Removals
-------------------------

- No longer build `.deb` packages for Ubuntu 20.10 Groovy Gorilla, which has now EOLed. ([\matrix-org#10588](matrix-org#10588))
- The `template_dir` configuration settings in the `sso`, `account_validity` and `email` sections of the configuration file are now deprecated in favour of the global `templates.custom_template_directory` setting. See the [upgrade notes](https://matrix-org.github.io/synapse/latest/upgrade.html) for more information. ([\matrix-org#10596](matrix-org#10596))

Internal Changes
----------------

- Improve event caching mechanism to avoid having multiple copies of an event in memory at a time. ([\matrix-org#10119](matrix-org#10119))
- Reduce errors in PostgreSQL logs due to concurrent serialization errors. ([\matrix-org#10504](matrix-org#10504))
- Include room ID in ignored EDU log messages. Contributed by @ilmari. ([\matrix-org#10507](matrix-org#10507))
- Add pagination to the spaces summary based on updates to [MSC2946](matrix-org/matrix-spec-proposals#2946). ([\matrix-org#10527](matrix-org#10527), [\matrix-org#10530](matrix-org#10530))
- Fix CI to not break when run against branches rather than pull requests. ([\matrix-org#10529](matrix-org#10529))
- Mark all events stemming from the [MSC2716](matrix-org/matrix-spec-proposals#2716) `/batch_send` endpoint as historical. ([\matrix-org#10537](matrix-org#10537))
- Clean up some of the federation event authentication code for clarity. ([\matrix-org#10539](matrix-org#10539), [\matrix-org#10591](matrix-org#10591))
- Convert `Transaction` and `Edu` objects to attrs. ([\matrix-org#10542](matrix-org#10542))
- Update `/batch_send` endpoint to only return `state_events` created by the `state_events_from_before` passed in. ([\matrix-org#10552](matrix-org#10552))
- Update contributing.md to warn against rebasing an open PR. ([\matrix-org#10563](matrix-org#10563))
- Remove the unused public rooms replication stream. ([\matrix-org#10565](matrix-org#10565))
- Clarify error message when failing to join a restricted room. ([\matrix-org#10572](matrix-org#10572))
- Remove references to BuildKite in favour of GitHub Actions. ([\matrix-org#10573](matrix-org#10573))
- Move `/batch_send` endpoint defined by [MSC2716](matrix-org/matrix-spec-proposals#2716) to the `/v2_alpha` directory. ([\matrix-org#10576](matrix-org#10576))
- Allow multiple custom directories in `read_templates`. ([\matrix-org#10587](matrix-org#10587))
- Re-organize the `synapse.federation.transport.server` module to create smaller files. ([\matrix-org#10590](matrix-org#10590))
- Flatten the `synapse.rest.client` package by moving the contents of `v1` and `v2_alpha` into the parent. ([\matrix-org#10600](matrix-org#10600))
- Build Debian packages for Debian 12 (Bookworm). ([\matrix-org#10612](matrix-org#10612))
- Fix up a couple of links to the database schema documentation. ([\matrix-org#10620](matrix-org#10620))
- Fix a broken link to the upgrade notes. ([\matrix-org#10631](matrix-org#10631))
babolivier added a commit to matrix-org/synapse-dinsic that referenced this pull request Sep 1, 2021
Synapse 1.41.0 (2021-08-24)
===========================

This release adds support for Debian 12 (Bookworm), but **removes support for Ubuntu 20.10 (Groovy Gorilla)**, which reached End of Life last month.

Note that when using workers the `/_synapse/admin/v1/users/{userId}/media` must now be handled by media workers. See the [upgrade notes](https://matrix-org.github.io/synapse/latest/upgrade.html) for more information.

Features
--------

- Enable room capabilities ([MSC3244](matrix-org/matrix-spec-proposals#3244)) by default and set room version 8 as the preferred room version when creating restricted rooms. ([\#10571](matrix-org/synapse#10571))

Synapse 1.41.0rc1 (2021-08-18)
==============================

Features
--------

- Add `get_userinfo_by_id` method to ModuleApi. ([\#9581](matrix-org/synapse#9581))
- Initial local support for [MSC3266](matrix-org/synapse#10394), Room Summary over the unstable `/rooms/{roomIdOrAlias}/summary` API. ([\#10394](matrix-org/synapse#10394))
- Experimental support for [MSC3288](matrix-org/matrix-spec-proposals#3288), sending `room_type` to the identity server for 3pid invites over the `/store-invite` API. ([\#10435](matrix-org/synapse#10435))
- Add support for sending federation requests through a proxy. Contributed by @Bubu and @dklimpel. See the [upgrade notes](https://matrix-org.github.io/synapse/latest/upgrade.html) for more information. ([\#10596](matrix-org/synapse#10596)). ([\#10475](matrix-org/synapse#10475))
- Add support for "marker" events which makes historical events discoverable for servers that already have all of the scrollback history (part of [MSC2716](matrix-org/matrix-spec-proposals#2716)). ([\#10498](matrix-org/synapse#10498))
- Add a configuration setting for the time a `/sync` response is cached for. ([\#10513](matrix-org/synapse#10513))
- The default logging handler for new installations is now `PeriodicallyFlushingMemoryHandler`, a buffered logging handler which periodically flushes itself. ([\#10518](matrix-org/synapse#10518))
- Add support for new redaction rules for historical events specified in [MSC2716](matrix-org/matrix-spec-proposals#2716). ([\#10538](matrix-org/synapse#10538))
- Add a setting to disable TLS when sending email. ([\#10546](matrix-org/synapse#10546))
- Add pagination to the spaces summary based on updates to [MSC2946](matrix-org/matrix-spec-proposals#2946). ([\#10549](matrix-org/synapse#10549), [\#10560](matrix-org/synapse#10560), [\#10569](matrix-org/synapse#10569), [\#10574](matrix-org/synapse#10574), [\#10575](matrix-org/synapse#10575), [\#10579](matrix-org/synapse#10579), [\#10583](matrix-org/synapse#10583))
- Admin API to delete several media for a specific user. Contributed by @dklimpel. ([\#10558](matrix-org/synapse#10558), [\#10628](matrix-org/synapse#10628))
- Add support for routing `/createRoom` to workers. ([\#10564](matrix-org/synapse#10564))
- Update the Synapse Grafana dashboard. ([\#10570](matrix-org/synapse#10570))
- Add an admin API (`GET /_synapse/admin/username_available`) to check if a username is available (regardless of registration settings). ([\#10578](matrix-org/synapse#10578))
- Allow editing a user's `external_ids` via the "Edit User" admin API. Contributed by @dklimpel. ([\#10598](matrix-org/synapse#10598))
- The Synapse manhole no longer needs coroutines to be wrapped in `defer.ensureDeferred`. ([\#10602](matrix-org/synapse#10602))
- Add option to allow modules to run periodic tasks on all instances, rather than just the one configured to run background tasks. ([\#10638](matrix-org/synapse#10638))

Bugfixes
--------

- Add some clarification to the sample config file. Contributed by @Kentokamoto. ([\#10129](matrix-org/synapse#10129))
- Fix a long-standing bug where protocols which are not implemented by any appservices were incorrectly returned via `GET /_matrix/client/r0/thirdparty/protocols`. ([\#10532](matrix-org/synapse#10532))
- Fix exceptions in logs when failing to get remote room list. ([\#10541](matrix-org/synapse#10541))
- Fix longstanding bug which caused the user's presence "status message" to be reset when the user went offline. Contributed by @dklimpel. ([\#10550](matrix-org/synapse#10550))
- Allow public rooms to be previewed in the spaces summary APIs from [MSC2946](matrix-org/matrix-spec-proposals#2946). ([\#10580](matrix-org/synapse#10580))
- Fix a bug introduced in v1.37.1 where an error could occur in the asynchronous processing of PDUs when the queue was empty. ([\#10592](matrix-org/synapse#10592))
- Fix errors on /sync when read receipt data is a string. Only affects homeservers with the experimental flag for [MSC2285](matrix-org/matrix-spec-proposals#2285) enabled. Contributed by @SimonBrandner. ([\#10606](matrix-org/synapse#10606))
- Additional validation for the spaces summary API to avoid errors like `ValueError: Stop argument for islice() must be None or an integer`. The missing validation has existed since v1.31.0. ([\#10611](matrix-org/synapse#10611))
- Revert behaviour introduced in v1.38.0 that strips `org.matrix.msc2732.device_unused_fallback_key_types` from `/sync` when its value is empty. This field should instead always be present according to [MSC2732](https://github.com/matrix-org/matrix-doc/blob/master/proposals/2732-olm-fallback-keys.md). ([\#10623](matrix-org/synapse#10623))

Improved Documentation
----------------------

- Add documentation for configuring a forward proxy. ([\#10443](matrix-org/synapse#10443))
- Updated the reverse proxy documentation to highlight the homserver configuration that is needed to make Synapse aware that is is intentionally reverse proxied. ([\#10551](matrix-org/synapse#10551))
- Update CONTRIBUTING.md to fix index links and the instructions for SyTest in docker. ([\#10599](matrix-org/synapse#10599))

Deprecations and Removals
-------------------------

- No longer build `.deb` packages for Ubuntu 20.10 Groovy Gorilla, which has now EOLed. ([\#10588](matrix-org/synapse#10588))
- The `template_dir` configuration settings in the `sso`, `account_validity` and `email` sections of the configuration file are now deprecated in favour of the global `templates.custom_template_directory` setting. See the [upgrade notes](https://matrix-org.github.io/synapse/latest/upgrade.html) for more information. ([\#10596](matrix-org/synapse#10596))

Internal Changes
----------------

- Improve event caching mechanism to avoid having multiple copies of an event in memory at a time. ([\#10119](matrix-org/synapse#10119))
- Reduce errors in PostgreSQL logs due to concurrent serialization errors. ([\#10504](matrix-org/synapse#10504))
- Include room ID in ignored EDU log messages. Contributed by @ilmari. ([\#10507](matrix-org/synapse#10507))
- Add pagination to the spaces summary based on updates to [MSC2946](matrix-org/matrix-spec-proposals#2946). ([\#10527](matrix-org/synapse#10527), [\#10530](matrix-org/synapse#10530))
- Fix CI to not break when run against branches rather than pull requests. ([\#10529](matrix-org/synapse#10529))
- Mark all events stemming from the [MSC2716](matrix-org/matrix-spec-proposals#2716) `/batch_send` endpoint as historical. ([\#10537](matrix-org/synapse#10537))
- Clean up some of the federation event authentication code for clarity. ([\#10539](matrix-org/synapse#10539), [\#10591](matrix-org/synapse#10591))
- Convert `Transaction` and `Edu` objects to attrs. ([\#10542](matrix-org/synapse#10542))
- Update `/batch_send` endpoint to only return `state_events` created by the `state_events_from_before` passed in. ([\#10552](matrix-org/synapse#10552))
- Update contributing.md to warn against rebasing an open PR. ([\#10563](matrix-org/synapse#10563))
- Remove the unused public rooms replication stream. ([\#10565](matrix-org/synapse#10565))
- Clarify error message when failing to join a restricted room. ([\#10572](matrix-org/synapse#10572))
- Remove references to BuildKite in favour of GitHub Actions. ([\#10573](matrix-org/synapse#10573))
- Move `/batch_send` endpoint defined by [MSC2716](matrix-org/matrix-spec-proposals#2716) to the `/v2_alpha` directory. ([\#10576](matrix-org/synapse#10576))
- Allow multiple custom directories in `read_templates`. ([\#10587](matrix-org/synapse#10587))
- Re-organize the `synapse.federation.transport.server` module to create smaller files. ([\#10590](matrix-org/synapse#10590))
- Flatten the `synapse.rest.client` package by moving the contents of `v1` and `v2_alpha` into the parent. ([\#10600](matrix-org/synapse#10600))
- Build Debian packages for Debian 12 (Bookworm). ([\#10612](matrix-org/synapse#10612))
- Fix up a couple of links to the database schema documentation. ([\#10620](matrix-org/synapse#10620))
- Fix a broken link to the upgrade notes. ([\#10631](matrix-org/synapse#10631))
Fizzadar pushed a commit to Fizzadar/synapse that referenced this pull request Oct 26, 2021
Synapse 1.41.0 (2021-08-24)
===========================

This release adds support for Debian 12 (Bookworm), but **removes support for Ubuntu 20.10 (Groovy Gorilla)**, which reached End of Life last month.

Note that when using workers the `/_synapse/admin/v1/users/{userId}/media` must now be handled by media workers. See the [upgrade notes](https://matrix-org.github.io/synapse/latest/upgrade.html) for more information.

Features
--------

- Enable room capabilities ([MSC3244](matrix-org/matrix-spec-proposals#3244)) by default and set room version 8 as the preferred room version when creating restricted rooms. ([\matrix-org#10571](matrix-org#10571))

Synapse 1.41.0rc1 (2021-08-18)
==============================

Features
--------

- Add `get_userinfo_by_id` method to ModuleApi. ([\matrix-org#9581](matrix-org#9581))
- Initial local support for [MSC3266](matrix-org#10394), Room Summary over the unstable `/rooms/{roomIdOrAlias}/summary` API. ([\matrix-org#10394](matrix-org#10394))
- Experimental support for [MSC3288](matrix-org/matrix-spec-proposals#3288), sending `room_type` to the identity server for 3pid invites over the `/store-invite` API. ([\matrix-org#10435](matrix-org#10435))
- Add support for sending federation requests through a proxy. Contributed by @Bubu and @dklimpel. See the [upgrade notes](https://matrix-org.github.io/synapse/latest/upgrade.html) for more information. ([\matrix-org#10596](matrix-org#10596)). ([\matrix-org#10475](matrix-org#10475))
- Add support for "marker" events which makes historical events discoverable for servers that already have all of the scrollback history (part of [MSC2716](matrix-org/matrix-spec-proposals#2716)). ([\matrix-org#10498](matrix-org#10498))
- Add a configuration setting for the time a `/sync` response is cached for. ([\matrix-org#10513](matrix-org#10513))
- The default logging handler for new installations is now `PeriodicallyFlushingMemoryHandler`, a buffered logging handler which periodically flushes itself. ([\matrix-org#10518](matrix-org#10518))
- Add support for new redaction rules for historical events specified in [MSC2716](matrix-org/matrix-spec-proposals#2716). ([\matrix-org#10538](matrix-org#10538))
- Add a setting to disable TLS when sending email. ([\matrix-org#10546](matrix-org#10546))
- Add pagination to the spaces summary based on updates to [MSC2946](matrix-org/matrix-spec-proposals#2946). ([\matrix-org#10549](matrix-org#10549), [\matrix-org#10560](matrix-org#10560), [\matrix-org#10569](matrix-org#10569), [\matrix-org#10574](matrix-org#10574), [\matrix-org#10575](matrix-org#10575), [\matrix-org#10579](matrix-org#10579), [\matrix-org#10583](matrix-org#10583))
- Admin API to delete several media for a specific user. Contributed by @dklimpel. ([\matrix-org#10558](matrix-org#10558), [\matrix-org#10628](matrix-org#10628))
- Add support for routing `/createRoom` to workers. ([\matrix-org#10564](matrix-org#10564))
- Update the Synapse Grafana dashboard. ([\matrix-org#10570](matrix-org#10570))
- Add an admin API (`GET /_synapse/admin/username_available`) to check if a username is available (regardless of registration settings). ([\matrix-org#10578](matrix-org#10578))
- Allow editing a user's `external_ids` via the "Edit User" admin API. Contributed by @dklimpel. ([\matrix-org#10598](matrix-org#10598))
- The Synapse manhole no longer needs coroutines to be wrapped in `defer.ensureDeferred`. ([\matrix-org#10602](matrix-org#10602))
- Add option to allow modules to run periodic tasks on all instances, rather than just the one configured to run background tasks. ([\matrix-org#10638](matrix-org#10638))

Bugfixes
--------

- Add some clarification to the sample config file. Contributed by @Kentokamoto. ([\matrix-org#10129](matrix-org#10129))
- Fix a long-standing bug where protocols which are not implemented by any appservices were incorrectly returned via `GET /_matrix/client/r0/thirdparty/protocols`. ([\matrix-org#10532](matrix-org#10532))
- Fix exceptions in logs when failing to get remote room list. ([\matrix-org#10541](matrix-org#10541))
- Fix longstanding bug which caused the user's presence "status message" to be reset when the user went offline. Contributed by @dklimpel. ([\matrix-org#10550](matrix-org#10550))
- Allow public rooms to be previewed in the spaces summary APIs from [MSC2946](matrix-org/matrix-spec-proposals#2946). ([\matrix-org#10580](matrix-org#10580))
- Fix a bug introduced in v1.37.1 where an error could occur in the asynchronous processing of PDUs when the queue was empty. ([\matrix-org#10592](matrix-org#10592))
- Fix errors on /sync when read receipt data is a string. Only affects homeservers with the experimental flag for [MSC2285](matrix-org/matrix-spec-proposals#2285) enabled. Contributed by @SimonBrandner. ([\matrix-org#10606](matrix-org#10606))
- Additional validation for the spaces summary API to avoid errors like `ValueError: Stop argument for islice() must be None or an integer`. The missing validation has existed since v1.31.0. ([\matrix-org#10611](matrix-org#10611))
- Revert behaviour introduced in v1.38.0 that strips `org.matrix.msc2732.device_unused_fallback_key_types` from `/sync` when its value is empty. This field should instead always be present according to [MSC2732](https://github.com/matrix-org/matrix-doc/blob/master/proposals/2732-olm-fallback-keys.md). ([\matrix-org#10623](matrix-org#10623))

Improved Documentation
----------------------

- Add documentation for configuring a forward proxy. ([\matrix-org#10443](matrix-org#10443))
- Updated the reverse proxy documentation to highlight the homserver configuration that is needed to make Synapse aware that is is intentionally reverse proxied. ([\matrix-org#10551](matrix-org#10551))
- Update CONTRIBUTING.md to fix index links and the instructions for SyTest in docker. ([\matrix-org#10599](matrix-org#10599))

Deprecations and Removals
-------------------------

- No longer build `.deb` packages for Ubuntu 20.10 Groovy Gorilla, which has now EOLed. ([\matrix-org#10588](matrix-org#10588))
- The `template_dir` configuration settings in the `sso`, `account_validity` and `email` sections of the configuration file are now deprecated in favour of the global `templates.custom_template_directory` setting. See the [upgrade notes](https://matrix-org.github.io/synapse/latest/upgrade.html) for more information. ([\matrix-org#10596](matrix-org#10596))

Internal Changes
----------------

- Improve event caching mechanism to avoid having multiple copies of an event in memory at a time. ([\matrix-org#10119](matrix-org#10119))
- Reduce errors in PostgreSQL logs due to concurrent serialization errors. ([\matrix-org#10504](matrix-org#10504))
- Include room ID in ignored EDU log messages. Contributed by @ilmari. ([\matrix-org#10507](matrix-org#10507))
- Add pagination to the spaces summary based on updates to [MSC2946](matrix-org/matrix-spec-proposals#2946). ([\matrix-org#10527](matrix-org#10527), [\matrix-org#10530](matrix-org#10530))
- Fix CI to not break when run against branches rather than pull requests. ([\matrix-org#10529](matrix-org#10529))
- Mark all events stemming from the [MSC2716](matrix-org/matrix-spec-proposals#2716) `/batch_send` endpoint as historical. ([\matrix-org#10537](matrix-org#10537))
- Clean up some of the federation event authentication code for clarity. ([\matrix-org#10539](matrix-org#10539), [\matrix-org#10591](matrix-org#10591))
- Convert `Transaction` and `Edu` objects to attrs. ([\matrix-org#10542](matrix-org#10542))
- Update `/batch_send` endpoint to only return `state_events` created by the `state_events_from_before` passed in. ([\matrix-org#10552](matrix-org#10552))
- Update contributing.md to warn against rebasing an open PR. ([\matrix-org#10563](matrix-org#10563))
- Remove the unused public rooms replication stream. ([\matrix-org#10565](matrix-org#10565))
- Clarify error message when failing to join a restricted room. ([\matrix-org#10572](matrix-org#10572))
- Remove references to BuildKite in favour of GitHub Actions. ([\matrix-org#10573](matrix-org#10573))
- Move `/batch_send` endpoint defined by [MSC2716](matrix-org/matrix-spec-proposals#2716) to the `/v2_alpha` directory. ([\matrix-org#10576](matrix-org#10576))
- Allow multiple custom directories in `read_templates`. ([\matrix-org#10587](matrix-org#10587))
- Re-organize the `synapse.federation.transport.server` module to create smaller files. ([\matrix-org#10590](matrix-org#10590))
- Flatten the `synapse.rest.client` package by moving the contents of `v1` and `v2_alpha` into the parent. ([\matrix-org#10600](matrix-org#10600))
- Build Debian packages for Debian 12 (Bookworm). ([\matrix-org#10612](matrix-org#10612))
- Fix up a couple of links to the database schema documentation. ([\matrix-org#10620](matrix-org#10620))
- Fix a broken link to the upgrade notes. ([\matrix-org#10631](matrix-org#10631))
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Add support for HTTPS proxy for federation requests
5 participants