Add warnings to ip_range_blacklist usage with proxies (#10129)

Kentokamoto · web-flow · commit 72935b7c5053 · 2021-08-03T18:13:34.000Z
Per issue #9812 using `url_preview_ip_range_blacklist` with a proxy via `HTTPS_PROXY` or `HTTP_PROXY` environment variables has some inconsistent bahavior than mentioned. This PR changes the following: - Changes the Sample Config file to include a note mentioning that `url_preview_ip_range_blacklist` and `ip_range_blacklist` is ignored when using a proxy - Changes some logic in synapse/config/repository.py to send a warning when both `*ip_range_blacklist` configs and a proxy environment variable are set and but no longer throws an error. Signed-off-by: Kento Okamoto <kentokamoto@protonmail.com>
diff --git a/changelog.d/10129.bugfix b/changelog.d/10129.bugfix
@@ -0,0 +1 @@
+Add some clarification to the sample config file. Contributed by @Kentokamoto.
diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
@@ -210,6 +210,8 @@ presence:
 #
 # This option replaces federation_ip_range_blacklist in Synapse v1.25.0.
 #
+# Note: The value is ignored when an HTTP proxy is in use
+#
 #ip_range_blacklist:
 #  - '127.0.0.0/8'
 #  - '10.0.0.0/8'
@@ -972,6 +974,8 @@ media_store_path: "DATADIR/media_store"
 # This must be specified if url_preview_enabled is set. It is recommended that
 # you uncomment the following list as a starting point.
 #
+# Note: The value is ignored when an HTTP proxy is in use
+#
 #url_preview_ip_range_blacklist:
 #  - '127.0.0.0/8'
 #  - '10.0.0.0/8'
diff --git a/synapse/config/repository.py b/synapse/config/repository.py
@@ -12,16 +12,20 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+import logging
 import os
 from collections import namedtuple
 from typing import Dict, List
+from urllib.request import getproxies_environment  # type: ignore
 
 from synapse.config.server import DEFAULT_IP_RANGE_BLACKLIST, generate_ip_set
 from synapse.python_dependencies import DependencyException, check_requirements
 from synapse.util.module_loader import load_module
 
 from ._base import Config, ConfigError
 
+logger = logging.getLogger(__name__)
+
 DEFAULT_THUMBNAIL_SIZES = [
     {"width": 32, "height": 32, "method": "crop"},
     {"width": 96, "height": 96, "method": "crop"},
@@ -36,6 +40,9 @@
         #    method: %(method)s
 """
 
+HTTP_PROXY_SET_WARNING = """\
+The Synapse config url_preview_ip_range_blacklist will be ignored as an HTTP(s) proxy is configured."""
+
 ThumbnailRequirement = namedtuple(
     "ThumbnailRequirement", ["width", "height", "method", "media_type"]
 )
@@ -180,12 +187,17 @@ def read_config(self, config, **kwargs):
                     e.message  # noqa: B306, DependencyException.message is a property
                 )
 
+            proxy_env = getproxies_environment()
             if "url_preview_ip_range_blacklist" not in config:
-                raise ConfigError(
-                    "For security, you must specify an explicit target IP address "
-                    "blacklist in url_preview_ip_range_blacklist for url previewing "
-                    "to work"
-                )
+                if "http" not in proxy_env or "https" not in proxy_env:
+                    raise ConfigError(
+                        "For security, you must specify an explicit target IP address "
+                        "blacklist in url_preview_ip_range_blacklist for url previewing "
+                        "to work"
+                    )
+            else:
+                if "http" in proxy_env or "https" in proxy_env:
+                    logger.warning("".join(HTTP_PROXY_SET_WARNING))
 
             # we always blacklist '0.0.0.0' and '::', which are supposed to be
             # unroutable addresses.
@@ -292,6 +304,8 @@ def generate_config_section(self, data_dir_path, **kwargs):
         # This must be specified if url_preview_enabled is set. It is recommended that
         # you uncomment the following list as a starting point.
         #
+        # Note: The value is ignored when an HTTP proxy is in use
+        #
         #url_preview_ip_range_blacklist:
 %(ip_range_blacklist)s
 
diff --git a/synapse/config/server.py b/synapse/config/server.py
@@ -960,6 +960,8 @@ def generate_config_section(
         #
         # This option replaces federation_ip_range_blacklist in Synapse v1.25.0.
         #
+        # Note: The value is ignored when an HTTP proxy is in use
+        #
         #ip_range_blacklist:
 %(ip_range_blacklist)s
 

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Add some clarification to the sample config file. Contributed by @Kentokamoto.`
Original file line number	Diff line number	Diff line change
`@@ -210,6 +210,8 @@ presence:`
`210`	`210`	`#`
`211`	`211`	`# This option replaces federation_ip_range_blacklist in Synapse v1.25.0.`
`212`	`212`	`#`
	`213`	`+# Note: The value is ignored when an HTTP proxy is in use`
	`214`	`+#`
`213`	`215`	`#ip_range_blacklist:`
`214`	`216`	`# - '127.0.0.0/8'`
`215`	`217`	`# - '10.0.0.0/8'`
`@@ -972,6 +974,8 @@ media_store_path: "DATADIR/media_store"`
`972`	`974`	`# This must be specified if url_preview_enabled is set. It is recommended that`
`973`	`975`	`# you uncomment the following list as a starting point.`
`974`	`976`	`#`
	`977`	`+# Note: The value is ignored when an HTTP proxy is in use`
	`978`	`+#`
`975`	`979`	`#url_preview_ip_range_blacklist:`
`976`	`980`	`# - '127.0.0.0/8'`
`977`	`981`	`# - '10.0.0.0/8'`
Original file line number	Diff line number	Diff line change
`@@ -960,6 +960,8 @@ def generate_config_section(`
`960`	`960`	`#`
`961`	`961`	`# This option replaces federation_ip_range_blacklist in Synapse v1.25.0.`
`962`	`962`	`#`
	`963`	`+ # Note: The value is ignored when an HTTP proxy is in use`
	`964`	`+ #`
`963`	`965`	`#ip_range_blacklist:`
`964`	`966`	`%(ip_range_blacklist)s`
`965`	`967`