Add authentication to replication endpoints. (#8853)

Authentication is done by checking a shared secret provided in the Synapse configuration file.
2025-08-11 01:40:07 -04:00 · 2020-12-04 10:56:28 -05:00 · 2020-12-04 10:56:28 -05:00 · 96358cb424
commit 96358cb424
parent df4b1e9c74
7 changed files with 184 additions and 15 deletions
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@ -2589,6 +2589,13 @@ opentracing:
 #
 #run_background_tasks_on: worker1

+# A shared secret used by the replication APIs to authenticate HTTP requests
+# from workers.
+#
+# By default this is unused and traffic is not authenticated.
+#
+#worker_replication_secret: ""
+

 # Configuration for Redis when using workers. This *must* be enabled when
 # using workers (unless using old style direct TCP configuration).
--- a/docs/workers.md
+++ b/docs/workers.md
@ -89,7 +89,8 @@ shared configuration file.
 Normally, only a couple of changes are needed to make an existing configuration
 file suitable for use with workers. First, you need to enable an "HTTP replication
 listener" for the main process; and secondly, you need to enable redis-based
-replication. For example:
+replication. Optionally, a shared secret can be used to authenticate HTTP
+traffic between workers. For example:


 ```yaml
@ -103,6 +104,9 @@ listeners:
    resources:
     - names: [replication]

+# Add a random shared secret to authenticate traffic.
+worker_replication_secret: ""
+
 redis:
    enabled: true
 ```