
Single config option to disable federation.

Open neilisfragile opened this issue 6 years ago • 8 comments

This probably means:-

  • Setting the federation whitelist to an empty string,
  • Disabling the federation listener
  • Auditing all other cases where an outbound federation request might be made.

Also document this more clearly

neilisfragile avatar Nov 22 '19 12:11 neilisfragile

https://github.com/matrix-org/synapse/pull/5078/ does this. The suggestion of making it enable_federation_with_sqlite_can_cause_bad_perfs can probably just be reverted to the original enable_federation.

aaronraimist avatar Nov 22 '19 23:11 aaronraimist

For privacy reasons, if federation is completely disabled, the trusted key servers should automatically be set to the private home server only. Otherwise it seems the Riot desktop client establishes connections to Cloudflare servers.

bpcurse avatar Dec 10 '19 21:12 bpcurse

Any update about this?

gamelaster avatar Feb 26 '20 20:02 gamelaster

Has there been any movement on this? There are numerous organizations that want this isolation functionality.

TimFW avatar Dec 15 '20 04:12 TimFW

If this is possible, please provide documentation as well.

drpaneas avatar Jan 21 '21 01:01 drpaneas

I would definitely like this too

ghost avatar Apr 30 '21 01:04 ghost

Any update on this? I would love to have this functionality as well.

ghost avatar Mar 14 '22 00:03 ghost

The easiest way to do this currently is to set federation_domain_whitelist: [] in the config file, though I'd still like there to be a big kill-switch to turn off everything federation-related.

richvdh avatar Oct 05 '22 10:10 richvdh

I didn't know that by default you can be found by anyone using any matrix server. Very useful, thank you!

sigma2017 avatar Oct 18 '22 19:10 sigma2017

Is there any guide or any documentation about how to disable federation with this federation_domain_whitelist: []? I added it to my homeserver.yaml, but the logs are still flooded and it's impossible to fix another problem, because of this ultimate annoying "feature". I really like Synapse/Matrix, but this is the worst logging implementation I ever encountered in my 30 years of IT experience.

damnms avatar Nov 27 '22 09:11 damnms

Is there any guide or any documentation about how to disable federation with this federation_domain_whitelist: []? I added it to my homeserver.yaml, but the logs are still flooded...

Can you set your firewall to close port 8448 and make sure there's no reverse proxy setting for that port, either? I am getting no inbound traffic, at least in the access logs.

marqpdx avatar Dec 21 '22 01:12 marqpdx

When I block it with iptables, I get tons of errors about connection refused. I was able to find my initial problem, and the logging was only hardcore annoying to figure out what was initially going wrong, but this is really nasty. I did not test it with disabling the reverse proxy.

damnms avatar Dec 21 '22 10:12 damnms

@tirranaa Which hosts and ip addresses did Synapse connect to when federation was disabled?

reivilibre avatar Apr 06 '23 16:04 reivilibre

How did you disable federation?

damnms avatar Apr 06 '23 17:04 damnms

@tirranaa There should be no federation connection unless you tried to join a remote room or so (and certainly not in any case if federation was disabled by setting the allow list to an empty list), so it's a pity that you don't have any details to share here to look into.

reivilibre avatar Apr 06 '23 19:04 reivilibre

I would guess some of that was due to report_stats being enabled. I don't think any TURN connections are made by default, but maybe a client does that by default.

clokep avatar Apr 06 '23 19:04 clokep

There is already a federation: section. Why not just (analogous to other keywords) add an enable keyword?

federation:
    enable: false
    ...

nerdoc avatar Jul 12 '23 20:07 nerdoc
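
The settings raised across this thread (an empty federation_domain_whitelist, the federation listener, trusted_key_servers, report_stats) can be checked together. The following is an added example, not part of the thread or of Synapse itself; it assumes homeserver.yaml has already been parsed into a dict with a YAML loader, and the function name audit_federation and both sample configs are constructed for illustration.

```python
# Added example: audit a parsed homeserver.yaml for the settings this thread names.
# Config keys are Synapse's own; the function name and sample configs are constructed.

def audit_federation(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    server_name = config.get("server_name")

    # An absent key means every domain is allowed; only [] blocks them all.
    whitelist = config.get("federation_domain_whitelist")
    if whitelist is None:
        findings.append("federation_domain_whitelist unset: all domains allowed")
    elif whitelist:
        findings.append(f"federation_domain_whitelist allows: {sorted(whitelist)}")

    # A listener that still serves the 'federation' resource accepts inbound requests.
    for listener in (config.get("listeners") or []):
        names = {n for r in (listener.get("resources") or [])
                 for n in (r.get("names") or [])}
        if "federation" in names:
            findings.append(f"listener on port {listener.get('port')} serves 'federation'")

    # An absent trusted_key_servers falls back to Synapse's default of matrix.org.
    key_servers = config.get("trusted_key_servers")
    if key_servers is None:
        findings.append("trusted_key_servers unset: defaults to matrix.org")
    else:
        for ks in key_servers:
            if ks.get("server_name") != server_name:
                findings.append(f"trusted_key_servers includes {ks.get('server_name')}")

    # report_stats is the other outbound source suggested in the thread.
    if config.get("report_stats"):
        findings.append("report_stats enabled: usage statistics are sent out")
    return findings

# CONSTRUCTED sample configs (hostnames are placeholders).
DEFAULT_LIKE = {
    "server_name": "chat.example.internal",
    "listeners": [{"port": 8008, "type": "http",
                   "resources": [{"names": ["client", "federation"]}]}],
    "report_stats": True,
}
LOCKED_DOWN = {
    "server_name": "chat.example.internal",
    "federation_domain_whitelist": [],
    "listeners": [{"port": 8008, "type": "http", "resources": [{"names": ["client"]}]}],
    "trusted_key_servers": [],
    "report_stats": False,
}
```

A clean result only covers what the config file declares; firewall and reverse-proxy rules for port 8448, as mentioned above, still need checking separately.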