Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Add documentation for forward proxy #10443

Merged
merged 6 commits into from
Aug 5, 2021
Merged
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Apply suggestions from code review
Co-authored-by: Patrick Cloke <[email protected]>
dklimpel and clokep authored Jul 26, 2021
commit 569ac59d888b4f2f05aeb9356a49445fb7d51003
2 changes: 1 addition & 1 deletion docs/SUMMARY.md
Original file line number Diff line number Diff line change
@@ -7,7 +7,7 @@
- [Installation](setup/installation.md)
- [Using Postgres](postgres.md)
- [Configuring a Reverse Proxy](reverse_proxy.md)
- [Configuring a Forward Proxy](setup/forward_proxy.md)
- [Configuring a Forward/Outbound Proxy](setup/forward_proxy.md)
- [Configuring a Turn Server](turn-howto.md)
- [Delegation](delegate.md)

31 changes: 15 additions & 16 deletions docs/setup/forward_proxy.md
Original file line number Diff line number Diff line change
@@ -1,40 +1,39 @@
# Using a forward proxy with Synapse

You can use Synapse with a forward or outbound proxy. This will be neccssary
for expamle in corporate environments behind a DMZ (demilitarized zone).
You can use Synapse with a forward or outbound proxy. An example of when
this is necessary is in corporate environments behind a DMZ (demilitarized zone).
Synapse supports routing outbound HTTP(S) requests via a proxy. Only HTTP(S)
proxy is supported, not SOCKS proxy or anything else.

## Configure

The `http_proxy`, `https_proxy`, `no_proxy` environment variable is used to
The `http_proxy`, `https_proxy`, `no_proxy` environment variables are used to
specify proxy settings. The environment variable is not case sensitive.
- `http_proxy`: Proxy server to use for HTTP requests.
- `https_proxy`: Proxy server to use for HTTPS requests.
- `no_proxy`: Comma-separated list of hosts, IP addresses, or IP ranges in CIDR
format which do not use a proxy and Synapse use a direct connection.
format which should not use the proxy. Synapse will directly connect to these hosts.

The proxy setting has the form: `[scheme://][<username>:<password>@]<host>[:<port>]`
- Supported scheme is `http://` and `https://`. Default scheme is `http://`.
It is recommended to set a scheme. The default value is for compatibility
reasons. If scheme is set to `https://` the connection uses TLS between
Synapse and proxy.
The `http_proxy` and `https_proxy` environment variables have the form: `[scheme://][<username>:<password>@]<host>[:<port>]`
- Supported schemes are `http://` and `https://`. The default scheme is `http://`
for compatibility reasons; it is recommended to set a scheme. If scheme is set
to `https://` the connection uses TLS between Synapse and the proxy.

**NOTE**: Synapse validates the certificates. If the certificate is not
valid, then the connection is dropped.
- Default port if not given is `1080`.
- Username and password is optional and will be used for authenticate against
proxy.
- Username and password are optional and will be used to authenticate against
the proxy.

**Examples**
- HTTP_PROXY=http://USERNAME:[email protected]:8080/
- HTTPS_PROXY=http://USERNAME:[email protected]:8080/
- NO_PROXY=master.hostname.example.com,10.1.0.0/16,172.30.0.0/16

**NOTE**:
Blacklisting IP addresses does not work for connections throug a proxy because
the proxy server resolves DNS names and not Synapse. In this case you have to
use your firewall or proxy for blacklisting IP addresses.
Synapse does not apply the IP blacklist to connections through the proxy (since
the DNS resolution is done by the proxy). It is expected that the proxy or firewall
will apply blacklisting of IP addresses.

## Connection types

@@ -52,8 +51,8 @@ It will **not be used** for:
- Identity servers
- Outbound federation
- In worker configurations
- connections from workers to masters
- connections from workers to redis
- connections between workers
- connections from workers to Redis

## Troubleshooting