SIGHUP for TLS cert reloading (#4495)

2025-05-02 11:26:09 -04:00 · 2019-01-30 11:00:02 +00:00 · 2019-01-30 11:00:02 +00:00 · f6813919e8
commit f6813919e8
parent bc5f6e1797
5 changed files with 81 additions and 20 deletions
--- a/synapse/app/homeserver.py
+++ b/synapse/app/homeserver.py
@ -17,6 +17,7 @@
 import gc
 import logging
 import os
+import signal
 import sys
 import traceback

@ -27,6 +28,7 @@ from prometheus_client import Gauge

 from twisted.application import service
 from twisted.internet import defer, reactor
+from twisted.protocols.tls import TLSMemoryBIOFactory
 from twisted.web.resource import EncodingResourceWrapper, NoResource
 from twisted.web.server import GzipEncoderFactory
 from twisted.web.static import File
@ -84,6 +86,7 @@ def gz_wrap(r):

 class SynapseHomeServer(HomeServer):
    DATASTORE_CLASS = DataStore
+    _listening_services = []

    def _listener_http(self, config, listener_config):
        port = listener_config["port"]
@ -121,7 +124,7 @@ class SynapseHomeServer(HomeServer):
        root_resource = create_resource_tree(resources, root_resource)

        if tls:
-            listen_ssl(
+            return listen_ssl(
                bind_addresses,
                port,
                SynapseSite(
@ -135,7 +138,7 @@ class SynapseHomeServer(HomeServer):
            )

        else:
-            listen_tcp(
+            return listen_tcp(
                bind_addresses,
                port,
                SynapseSite(
@ -146,7 +149,6 @@ class SynapseHomeServer(HomeServer):
                    self.version_string,
                )
            )
-        logger.info("Synapse now listening on port %d", port)

    def _configure_named_resource(self, name, compress=False):
        """Build a resource map for a named resource
@ -242,7 +244,9 @@ class SynapseHomeServer(HomeServer):

        for listener in config.listeners:
            if listener["type"] == "http":
-                self._listener_http(config, listener)
+                self._listening_services.extend(
+                    self._listener_http(config, listener)
+                )
            elif listener["type"] == "manhole":
                listen_tcp(
                    listener["bind_addresses"],
@ -322,7 +326,19 @@ def setup(config_options):
        # generating config files and shouldn't try to continue.
        sys.exit(0)

-    synapse.config.logger.setup_logging(config, use_worker_options=False)
+    sighup_callbacks = []
+    synapse.config.logger.setup_logging(
+        config,
+        use_worker_options=False,
+        register_sighup=sighup_callbacks.append
+    )
+
+    def handle_sighup(*args, **kwargs):
+        for i in sighup_callbacks:
+            i(*args, **kwargs)
+
+    if hasattr(signal, "SIGHUP"):
+        signal.signal(signal.SIGHUP, handle_sighup)

    events.USE_FROZEN_DICTS = config.use_frozen_dicts

@ -359,6 +375,31 @@ def setup(config_options):

    hs.setup()

+    def refresh_certificate(*args):
+        """
+        Refresh the TLS certificates that Synapse is using by re-reading them
+        from disk and updating the TLS context factories to use them.
+        """
+        logging.info("Reloading certificate from disk...")
+        hs.config.read_certificate_from_disk()
+        hs.tls_server_context_factory = context_factory.ServerContextFactory(config)
+        hs.tls_client_options_factory = context_factory.ClientTLSOptionsFactory(
+            config
+        )
+        logging.info("Certificate reloaded.")
+
+        logging.info("Updating context factories...")
+        for i in hs._listening_services:
+            if isinstance(i.factory, TLSMemoryBIOFactory):
+                i.factory = TLSMemoryBIOFactory(
+                    hs.tls_server_context_factory,
+                    False,
+                    i.factory.wrappedFactory
+                )
+        logging.info("Context factories updated.")
+
+    sighup_callbacks.append(refresh_certificate)
+
    @defer.inlineCallbacks
    def start():
        try: