From 631b7cc6a673f74c7edcdb286ff5e0a843e82adb Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Mon, 1 Apr 2019 21:40:14 +0300
Subject: [PATCH] Add support for adjusting Synapse rate-limiting configuration
---
 docs/configuring-playbook-matrix-corporal.md | 16 +++++++++++++-
 roles/matrix-synapse/defaults/main.yml | 22 +++++++++++++++++++
 .../templates/synapse/homeserver.yaml.j2 | 8 +++++++
 3 files changed, 45 insertions(+), 1 deletion(-)
diff --git a/docs/configuring-playbook-matrix-corporal.md b/docs/configuring-playbook-matrix-corporal.md
index 4afb0065..cba68f74 100644
--- a/docs/configuring-playbook-matrix-corporal.md
+++ b/docs/configuring-playbook-matrix-corporal.md
@@ -36,6 +36,20 @@ matrix_corporal_http_api_auth_token: "AUTH_TOKEN_HERE"
 # If you need to change the reconciliator user's id from the default (matrix-corporal)..
 # In any case, you need to make sure this Matrix user is created on your server.
 matrix_corporal_reconciliation_user_id_local_part: "matrix-corporal"
+
+# Because Corporal peridoically performs lots of user logins from the same IP,
+# you may need raise Synapse's ratelimits.
+# The values below are just an example. Tweak to your use-case (number of users, etc.)
+matrix_synapse_rc_login:
+ address:
+ per_second: 50
+ burst_count: 300
+ account:
+ per_second: 0.17
+ burst_count: 3
+ failed_attempts:
+ per_second: 0.17
+ burst_count: 3
 ```
 Matrix Corporal operates with a specific Matrix user on your server.
@@ -57,4 +71,4 @@ The following local filesystem paths are mounted in the `matrix-corporal` contai
 - `/matrix/corporal/cache` is mounted at `/var/cache/matrix-corporal` (read and write)
-As an example: you can create your own configuration files in `/matrix/corporal/config` and they will appear in `/etc/matrix-corporal` in the Docker container. Your configuration (stuff in `matrix_corporal_policy_provider_config`) needs to refer to these files via the local container path `/etc/matrix-corporal`
\ No newline at end of file
+As an example: you can create your own configuration files in `/matrix/corporal/config` and they will appear in `/etc/matrix-corporal` in the Docker container. Your configuration (stuff in `matrix_corporal_policy_provider_config`) needs to refer to these files via the local container path `/etc/matrix-corporal`
diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml
index 0748027b..49525a75 100644
--- a/roles/matrix-synapse/defaults/main.yml
+++ b/roles/matrix-synapse/defaults/main.yml
@@ -68,6 +68,28 @@ matrix_synapse_root_log_level: "INFO"
 matrix_synapse_rc_messages_per_second: 0.2
 matrix_synapse_rc_message_burst_count: 10.0
+matrix_synapse_rc_registration:
+ per_second: 0.17
+ burst_count: 3
+
+matrix_synapse_rc_login:
+ address:
+ per_second: 0.17
+ burst_count: 3
+ account:
+ per_second: 0.17
+ burst_count: 3
+ failed_attempts:
+ per_second: 0.17
+ burst_count: 3
+
+matrix_synapse_federation_rc_window_size: 1000
+matrix_synapse_federation_rc_sleep_limit: 10
+matrix_synapse_federation_rc_sleep_delay: 500
+matrix_synapse_federation_rc_reject_limit: 50
+matrix_synapse_federation_rc_concurrent: 3
+matrix_synapse_federation_rr_transactions_per_room_per_second: 50
+
 # Controls whether the TLS federation listener is enabled (tcp/8448).
 # Only makes sense if federation is enabled (`matrix_synapse_federation_enabled`).
 # Note that federation may potentially be enabled as non-TLS on tcp/8048 as well.
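Review bot: The new `matrix_synapse_rc_registration`, `matrix_synapse_rc_login` and `matrix_synapse_federation_rc_*` defaults in the `@@ -68,6 +68,28 @@` hunk carry no comment, so an operator overriding them cannot tell the units or what each limit protects. A short comment above each group would help, for example `# Login rate limits: per client IP (address), per target account (account), and for failed attempts (failed_attempts).` and, for the federation group, a note that the window size and sleep delay are in milliseconds, as the sample comments in homeserver.yaml.j2 state. The comment on `matrix_synapse_rc_login` should also say that this is the homeserver's throttle on password guessing, so raising `address` the way the matrix-corporal docs example in this commit does (50 per second, burst 300) loosens it for every client IP and not only for Corporal. Under Ansible's default variable handling an override replaces the whole mapping, so it is worth telling operators to supply all three sub-keys rather than just the one they want to change.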
diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
index a9c398bd..6b24ae8b 100644
--- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
@@ -409,6 +409,7 @@ rc_message_burst_count: {{ matrix_synapse_rc_message_burst_count }}
 #rc_registration:
 # per_second: 0.17
 # burst_count: 3
+rc_registration: {{ matrix_synapse_rc_registration|to_json }}
 #
 #rc_login:
 # address:
@@ -420,30 +421,36 @@ rc_message_burst_count: {{ matrix_synapse_rc_message_burst_count }}
 # failed_attempts:
 # per_second: 0.17
 # burst_count: 3
+rc_login: {{ matrix_synapse_rc_login|to_json }}
 # The federation window size in milliseconds
 #
 #federation_rc_window_size: 1000
+federation_rc_window_size: {{ matrix_synapse_federation_rc_window_size }}
 # The number of federation requests from a single server in a window
 # before the server will delay processing the request.
 #
 #federation_rc_sleep_limit: 10
+federation_rc_sleep_limit: {{ matrix_synapse_federation_rc_sleep_limit }}
 # The duration in milliseconds to delay processing events from
 # remote servers by if they go over the sleep limit.
 #
 #federation_rc_sleep_delay: 500
+federation_rc_sleep_delay: {{ matrix_synapse_federation_rc_sleep_delay }}
 # The maximum number of concurrent federation requests allowed
 # from a single server
 #
 #federation_rc_reject_limit: 50
+federation_rc_reject_limit: {{ matrix_synapse_federation_rc_reject_limit }}
 # The number of federation requests to concurrently process from a
 # single server
 #
 #federation_rc_concurrent: 3
+federation_rc_concurrent: {{ matrix_synapse_federation_rc_concurrent }}
 # Target outgoing federation transaction frequency for sending read-receipts,
 # per-room.
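Review bot: The five `federation_rc_*` values added in the `@@ -420,30 +421,36 @@` hunk, and `federation_rr_transactions_per_room_per_second` in the `@@ -452,6 +459,7 @@` hunk, are interpolated raw, while `rc_registration` and `rc_login` in the same commit go through `|to_json`. A raw value that expands to nothing renders as YAML null, and one containing a newline or `: ` would change the structure of the rendered homeserver.yaml; for rate-limit settings that presumably means the intended limit is silently not applied. Filtering the scalars the same way keeps each one a single well-formed value, e.g. `federation_rc_window_size: {{ matrix_synapse_federation_rc_window_size|to_json }}`. The template continues outside these hunks, so other raw interpolations such as the existing `rc_message_burst_count` line are not covered by this note.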
@@ -452,6 +459,7 @@ rc_message_burst_count: {{ matrix_synapse_rc_message_burst_count }}
 # into fewer transactions.
 #
 #federation_rr_transactions_per_room_per_second: 50
+federation_rr_transactions_per_room_per_second: {{ matrix_synapse_federation_rr_transactions_per_room_per_second }}