Disable TLS by default (#4614)

changelog.d/4614.feature

@@ -0,0 +1 @@
+The default configuration no longer requires TLS certificates.

synapse/config/server.py

@@ -387,28 +387,24 @@ class ServerConfig(Config):
         #   webclient: A web client. Requires web_client_location to be set.
         #
         listeners:
-          # Main HTTPS listener.
+          # TLS-enabled listener: for when matrix traffic is sent directly to synapse.
-          # For when matrix traffic is sent directly to synapse.
+          #
-          - port: %(bind_port)s
+          # Disabled by default. To enable it, uncomment the following. (Note that you
-            type: http
+          # will also need to give Synapse a TLS key and certificate: see the TLS section
-            tls: true
+          # below.)
+          #
+          # - port: %(bind_port)s
+          #   type: http
+          #   tls: true
+          #   resources:
+          #     - names: [client, federation]
 
-            # List of HTTP resources to serve on this listener.
+          # Unsecure HTTP listener: for when matrix traffic passes through a reverse proxy
-            resources:
+          # that unwraps TLS.
-              - names: [client]
+          #
-                compress: true
+          # If you plan to use a reverse proxy, please see
-              - names: [federation]
+          # https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.rst.
-                compress: false
+          #
-
-            # example addional_resources:
-            #
-            # additional_resources:
-            #   "/_matrix/my/custom/endpoint":
-            #     module: my_module.CustomRequestHandler
-            #     config: {}
-
-          # Unsecure HTTP listener
-          # For when matrix traffic passes through a reverse-proxy that unwraps TLS.
           - port: %(unsecure_port)s
             tls: false
             bind_addresses: ['::1', '127.0.0.1']
@@ -416,18 +412,22 @@ class ServerConfig(Config):
             x_forwarded: true
 
             resources:
-              - names: [client]
+              - names: [client, federation]
-                compress: true
-              - names: [federation]
                 compress: false
 
+            # example additonal_resources:
+            #
+            # additional_resources:
+            #   "/_matrix/my/custom/endpoint":
+            #     module: my_module.CustomRequestHandler
+            #     config: {}
+
           # Turn on the twisted ssh manhole service on localhost on the given
           # port.
           # - port: 9000
           #   bind_addresses: ['::1', '127.0.0.1']
           #   type: manhole
 
-
         # Homeserver blocking
         #
         # How to reach the server admin, used in ResourceLimitError

synapse/config/tls.py

@@ -176,10 +176,10 @@ class TlsConfig(Config):
         # See 'ACME support' below to enable auto-provisioning this certificate via
         # Let's Encrypt.
         #
-        tls_certificate_path: "%(tls_certificate_path)s"
+        # tls_certificate_path: "%(tls_certificate_path)s"
 
         # PEM-encoded private key for TLS
-        tls_private_key_path: "%(tls_private_key_path)s"
+        # tls_private_key_path: "%(tls_private_key_path)s"
 
         # ACME support: This will configure Synapse to request a valid TLS certificate
         # for your configured `server_name` via Let's Encrypt.
@@ -204,7 +204,7 @@ class TlsConfig(Config):
         #
         acme:
             # ACME support is disabled by default. Uncomment the following line
-            # to enable it.
+            # (and tls_certificate_path and tls_private_key_path above) to enable it.
             #
             # enabled: true