---
summary: Synapse should support vhosting multiple domains off a single server someday
---
created: 2015-01-12 00:22:52.0
creator: matthew
description: ''
id: '10911'
key: SYN-233
number: '233'
priority: '4'
project: '10000'
reporter: matthew
resolution: '3'
resolutiondate: 2016-10-07 13:08:20.0
status: '5'
type: '2'
updated: 2016-10-07 13:08:33.0
votes: '1'
watches: '5'
workflowId: '11011'
---
actions:
- author: erikj
  body: |-
    This comes down to the question of how featureful we want the synapse implementation to be. I'm not convinced we want to add these sorts of features to the reference/basic server implementation.

    How does this work with SSL certificates anyway?
  created: 2015-01-15 11:17:29.0
  id: '11124'
  issue: '10911'
  type: comment
  updateauthor: erikj
  updated: 2015-01-15 11:17:29.0
- author: mbrancaleoni
  body: |-
    For SSL it is trivial: just add as many alternative names in the certificate subjectAltName as needed.

    Every time a domain is added/removed, the certificate must be issued again.

    OR use SNI, but Twisted does not support it out of the box, so 2 ways here:

    * use an SNI SSL proxy like nginx in front
    * use txSNI https://github.com/glyph/txsni
    (reference: http://stackoverflow.com/questions/24994701/2-ssl-certificates-in-twisted )
  created: 2016-05-18 10:47:11.0
  id: '12921'
  issue: '10911'
  type: comment
  updateauthor: mbrancaleoni
  updated: 2016-05-18 10:47:11.0
- author: nitrux
  body: |-
    I'd very much like Synapse/Matrix to have a VHost feature, too. However I think that relying on subjectAltName to make the SSL cert valid can give away sensitive information.
    For example if you have one internal VHost with an internal subdomain and another public facing VHost, anybody on the public instance could see the internal domain and target attacks (e.g. privilege escalation, injection) against it.

    Since Prosody already "kind of solved" this issue in the XMPP world, I recommend taking their approach:
    They have a config file where you could specify a location for the public/private keys for each VHost individually. See also: https://prosody.im/doc/configure#encryption_and_security_settings

    If the Matrix protocol supports STARTTLS, which is not the case, we shouldn't need SNI: https://prosody.im/issues/issue/409

    Sadly my programming style isn't good enough for security-related tasks, so I won't be able to implement such drastic changes myself. I'd be more than willing to let a few Euros change hands if anybody volunteers to add VHost+SSL support though.
  created: 2016-09-06 21:03:23.0
  id: '13115'
  issue: '10911'
  type: comment
  updateauthor: nitrux
  updated: 2016-09-06 21:03:23.0
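The two approaches debated in the comments above, an SNI proxy (or txSNI) choosing a per-vhost certificate versus one subjectAltName certificate that lists every hosted domain, as an added example that is not Synapse, nginx, txsni or Prosody code. It parses the server_name extension out of a raw TLS ClientHello, which is exactly what an SNI-aware front end has to do before it has sent any certificate, and looks the name up in a Prosody-style per-vhost key/cert table. The vhost names, certificate paths and the ClientHello bytes are constructed for illustration. A client that sends no SNI, or an unknown name, gets the default (here: refused), so the internal vhost's name is only ever served to a client that already knew it, whereas a single SAN certificate would hand the full list to anyone who connects to the public vhost.

```python
"""SNI-based virtual-host selection (example code added to this page, not
part of Synapse, nginx, txsni or Prosody).  Hostnames, paths and the
ClientHello builder are constructed for illustration."""
import struct

TLS_HANDSHAKE = 0x16        # TLS record content type: handshake
CLIENT_HELLO = 0x01         # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000    # RFC 6066 server_name extension

# Hypothetical per-vhost key/cert table in the Prosody style: each domain
# maps to its own files, so no single certificate lists every hosted domain.
VHOSTS = {
    "matrix.example.org": "/etc/matrix/certs/matrix.example.org.pem",
    "chat.example.net": "/etc/matrix/certs/chat.example.net.pem",
}


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record (constructed test input,
    not a capture).  server_name=None omits the SNI extension entirely."""
    body = b"\x03\x03" + bytes(32)                    # client_version + random
    body += b"\x00"                                   # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"        # one cipher suite
    body += b"\x01\x00"                               # null compression only
    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body += struct.pack("!H", len(extensions)) + extensions
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs


def parse_sni(record):
    """Return the host_name from the ClientHello's SNI extension (lower-cased),
    or None when the client sent no SNI.  Raises ValueError for anything that
    is not a well-formed ClientHello record (e.g. plaintext HTTP)."""
    try:
        return _parse_sni(record)
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


def _parse_sni(record):
    if record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    p = hs[4:4 + hs_len]
    if len(p) != hs_len:
        raise ValueError("truncated ClientHello")
    off = 2 + 32                                        # client_version + random
    off += 1 + p[off]                                   # session_id
    off += 2 + struct.unpack("!H", p[off:off + 2])[0]   # cipher_suites
    off += 1 + p[off]                                   # compression_methods
    if off == len(p):
        return None                                     # no extensions block at all
    ext_len = struct.unpack("!H", p[off:off + 2])[0]
    off += 2
    end = off + ext_len
    if end > len(p):
        raise ValueError("extensions overrun ClientHello")
    while off + 4 <= end:                               # walk type/length/data extensions
        ext_type, length = struct.unpack("!HH", p[off:off + 4])
        data = p[off + 4:off + 4 + length]
        off += 4 + length
        if ext_type != EXT_SERVER_NAME:
            continue
        list_end = 2 + struct.unpack("!H", data[:2])[0]
        q = 2
        while q + 3 <= list_end:                        # ServerNameList entries
            name_type = data[q]
            name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
            name = data[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == 0:                          # host_name
                return name.decode("ascii").lower()
    return None


def select_vhost(record, vhosts=VHOSTS, default=None):
    """Pick the certificate for an incoming ClientHello.  Missing or unknown
    SNI falls back to `default` (None = refuse the connection) instead of a
    catch-all certificate that would reveal the other hosted names."""
    name = parse_sni(record)
    if name is None:
        return default
    return vhosts.get(name, default)


if __name__ == "__main__":
    for host in ("matrix.example.org", "internal.corp.example", None):
        print(host, "->", select_vhost(build_client_hello(host)))
```

In production the same lookup sits in nginx's `server_name` blocks or in txsni's certificate directory; the point of keeping the table keyed by the name the client asked for is that the handshake never discloses names the client did not already supply. Sending no SNI at all is the failure mode worth deciding on explicitly: a default certificate is convenient for legacy clients, but whatever names it carries are public.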
- author: richvdh
  body: Superseded by SYN-620
  created: 2016-10-07 13:08:20.0
  id: '13179'
  issue: '10911'
  type: comment
  updateauthor: richvdh
  updated: 2016-10-07 13:08:20.0