Branch: release-v1.15.1

anoa/3pid_check_invite_exemption

anoa/admin_room_account_data

anoa/allow_admins_delist_as_rooms

anoa/as_edu_fixes

anoa/backfill_release

anoa/bbb

anoa/bla

anoa/blablabla

anoa/blacklist_ip_ranges

anoa/blah

anoa/bundle_aggregations_state

anoa/client_secret_ios_test

anoa/content_length_header_none

anoa/create_room_cleanup

anoa/custom_room_presets

anoa/debug_gcc

anoa/debug_poetry

anoa/debug_push

anoa/delete_format_tap

anoa/deprecate_no_device_access_tokens

anoa/devenv

anoa/device_sql_v2

anoa/doc_hierarchy

anoa/docs_header_margin

anoa/docs_version_picker

anoa/dpkg_force

anoa/e2e_as

anoa/e2e_as_device_lists_go

anoa/e2e_as_internal_testing

anoa/e2e_as_new

anoa/e2e_as_room_stream_token_new

anoa/e2e_as_to_device_deletion

anoa/e2e_as_to_device_dirty

anoa/fix_event_return_code

anoa/fix_format_strings

anoa/get_users_in_room_debugging

anoa/halfy_try_this

anoa/halp

anoa/hs_password_reset

anoa/info-mainline-no-check-password-reset-backport

anoa/install_docs

anoa/knock

anoa/leave_rooms_on_forget

anoa/legacy_login_medium

anoa/locally_rejected_invites_fix

anoa/log_11772

anoa/log_exceptions_async_json

anoa/logcontext_warning

anoa/mass_redactions

anoa/mdbook_ci_versions

anoa/migrate_flake

anoa/module_api_callbacks_split

anoa/module_api_federation_requests

anoa/module_api_full_presence_fix_wip

anoa/morgan.software

anoa/move_db_schema_migration

anoa/msc2229

anoa/msc2403_cleanup

anoa/msc3391_future

anoa/msc3480

anoa/msc_1711

anoa/mypy_sqlite3_check

anoa/new_cache

anoa/newsfragment_info

anoa/nix_dev_env_ci

anoa/nix_flake_22.11

anoa/pass_all_users_to_as_edu

anoa/presence_events_as_set

anoa/presence_hook_temp

anoa/presence_join_fix_mkii

anoa/presence_speedups

anoa/public_rooms_module_api

anoa/public_rooms_module_api_backup

anoa/ratelimit_config_perf_wip

anoa/redirect_instances

anoa/regression_proof

anoa/remove_return_parans

anoa/remove_smtp_docker_functionality

anoa/remove_trailing_slashes

anoa/rooms_for_as_edu_handler

anoa/simple_delete_all

anoa/synapse_coap_proxy

anoa/synapse_proxy

anoa/tag_transfer_logging

anoa/temp_working_cache_config

anoa/test

anoa/test_me

anoa/test_to_device

anoa/test_update_presence

anoa/testbla

anoa/testit

anoa/threepid_unbind_callback

anoa/typehint_tests_utils

anoa/typehint_tests_utils_backup

anoa/unread_notif_count

anoa/unsecure_port

anoa/update_upsert_many_test_case

anoa/user_deactivated_code

anoa/user_param_ui_auth

anoa/v2_is

anoa/v2_lookup

anoa/widgets_room_upgrade

anoa/worker_types_phase_1

azren/compressor_integration

azren/port_saml2_mapping_providers

babolivier/avatar_restriction

babolivier/low-bandwidth

babolivier/mau_cache

babolivier/mau_sn_invite

babolivier/media_api_docstring

babolivier/msc3881_device_id_tmp

babolivier/rewrite_is_url

babolivier/sign_json_module

babolivier/sonar_coverage

babolivier/username_reg_v2

bbz/info-mainline-1.15

bbz/info-mainline-1.20.0

bbz/info-mainline-1.20.1

bbz/info-mainline-1.21.2

bbz/info-mainline-1.24.0

bbz/info-mainline-1.27.0

bbz/info-mainline2

bwindels-pep517-instructions

bwindels/adminapibeforepy277

bwindels/registerasregularuser

clokep/blacklisting-endpoint

clokep/bs4

clokep/datastore-rejigger

clokep/db-upgrades

clokep/erikj/rust_lru_cache

clokep/http-conn-pool

clokep/lm

clokep/morg-readme

clokep/no-tcp-repl

clokep/oembed-and-html

clokep/psycopg3

clokep/psycopg3-driver

clokep/push-parallel-2

clokep/push-rule-tags

clokep/ranged-read-receipts-poc

clokep/schema-validate

clokep/setuptools-rust-pyproject

clokep/stable-threads

clokep/statement-timeout

clokep/test-redis

clokep/thread-poc

dbkr/3pid_verification_logging

dbkr/media_erasure

dbkr/room_notifs_use_fakeurl

dbkr/saml_auth0_test

dbkr/saml_custom_attestations

dependabot/cargo/anyhow-1.0.82

dependabot/cargo/log-0.4.21

dependabot/cargo/pyo3-0.20.3

dependabot/cargo/serde-1.0.198

dependabot/cargo/serde_json-1.0.116

dependabot/github_actions/JasonEtco/create-an-issue-2.9.2

dependabot/github_actions/actions/cache-4

dependabot/github_actions/dawidd6/action-download-artifact-3.1.4

dependabot/github_actions/peaceiris/actions-gh-pages-4.0.0

dependabot/github_actions/peaceiris/actions-mdbook-2.0.0

dependabot/pip/black-24.3.0

dependabot/pip/gitpython-3.1.41

dependabot/pip/idna-3.7

dependabot/pip/immutabledict-4.2.0

dependabot/pip/jinja2-3.1.3

dependabot/pip/pillow-10.3.0

develop

dinsic

dinsic_2019-04-05_hotfix

dinsic_anoa/public_rooms

dmr/arm-wheels

dmr/complement-refreshing-tokens-lifetime

dmr/cut-schema

dmr/debug-check-deps

dmr/deflake/TestWriteMDirectAccountData

dmr/docs-tidy

dmr/faster-joins-leave-during-resync

dmr/fix-latest-deps-mypy

dmr/fix-mac-wheels

dmr/gotestfmt-tweak

dmr/help-erik-project-graphql

dmr/importlib-dep-2

dmr/key-requests-from-fed-senders

dmr/log-exceptions-in-tests

dmr/missing_to_device

dmr/oidc-config-pydantic

dmr/poetry-pieces

dmr/pyproject-poetry

dmr/pypy-wheels

dmr/rate-limit-remote-joins

dmr/reject-null-codepoints-user-dir

dmr/release-script-tweaks

dmr/restrict_outbound_federation

dmr/return-request-id

dmr/revert-fts-changes-on-hotfix

dmr/review-hotfixes

dmr/stateres/auth_difference_computation

dmr/stateres/debug

dmr/storage-inheritance-script

dmr/synapse.logging-typing

dmr/sync-tidy-3

dmr/test-mypy-zope-92

dmr/test-poetry-ci

dmr/trim-inheritance

dmr/try-black-cache

dmr/typing/run-interaction

dmr/typing/storage/cache

dmr/typing/tests-server

dmr/typing/tests.util.caches

dmr/typing/tests2

dmr/typing/wip

dmr/unblock-catchup

dmr/unblock-catchup-2

dmr/unhashable-eventbase

dmr/user-dir/dont-remove-local-users

dmr/validate-keys-upload

dmr/warn-missing-metadata

erik-hackery

erikj/acl_perf

erikj/appservice_state

erikj/arm_docker_cache

erikj/as_user_cache

erikj/backfill_fix

erikj/bloom_doorkeeper

erikj/cache_memory_usage

erikj/cache_overrides

erikj/cache_tracking

erikj/check_alias

erikj/chunk_pag_2

erikj/chunk_pag_3

erikj/chunk_pag_4

erikj/chunk_pagination

erikj/chunks_backwards

erikj/chunks_bg_update

erikj/chunks_pagination_token

erikj/chunks_stern

erikj/compact_event

erikj/context_cpu_timing

erikj/create_room_ratelimit

erikj/debug_direct_message_checks

erikj/debug_hs

erikj/device_list_changes_perf

erikj/device_list_sync_update

erikj/disable_catchup_to_hq

erikj/efficient_host_query

erikj/epa_delete

erikj/event_cleanup

erikj/event_rs

erikj/event_token_type

erikj/events_store

erikj/exemplars

erikj/extremeties_txn

erikj/faster_json_response

erikj/faster_purge

erikj/federation_proxy

erikj/file_api

erikj/filter_speed2

erikj/fix_port_script

erikj/fix_remote_join_predecessor

erikj/fix_things

erikj/fix_wait_for_stream

erikj/fixes_batch

erikj/fixup_autotuning_config

erikj/gc_freeze_on_start

erikj/get_domain_from_id

erikj/gha_auto_fixup

erikj/handle_invalid_images

erikj/hope_ratelimit

erikj/initial_sync_perf

erikj/jaeger_measure

erikj/join_logging

erikj/krkn

erikj/less_state_membership

erikj/less_state_on_missing

erikj/log_state_v2

erikj/login_token

erikj/many_edu_logging

erikj/mem_limit_caches

erikj/merge_cache_prs

erikj/minor_auth_chain_perf_improvements

erikj/modular_1.3.2_prerelease

erikj/move_base_store

erikj/move_events

erikj/mypy_ci_speed

erikj/new_profile

erikj/notifier_debug

erikj/only_send_latest_events

erikj/opentracing_db_measure

erikj/paginate_sync

erikj/paranoia_logging

erikj/perf_get_room_members

erikj/perf_room_members_fix

erikj/persist_event_perf

erikj/persisted_upto_command

erikj/profile_rununtilconcurrent

erikj/puppet_tokens

erikj/push_hack

erikj/push_rule_eval_speedup

erikj/py312_asyncio

erikj/pypy

erikj/release_script

erikj/remove_auth_difference_code

erikj/remove_event_auth

erikj/remove_send_queue

erikj/repl_http_timeout

erikj/repl_merge_client_server

erikj/restart_on_explode

erikj/room_chunks

erikj/room_member_worker

erikj/rust_http

erikj/rust_lru_cache

erikj/rust_push_evaluator

erikj/separate_event_creation

erikj/shard_persister

erikj/slow_sync_diag

erikj/smoother

erikj/split_out_fed_stream

erikj/sqlite_min_version

erikj/state_delta_writeup

erikj/state_fast_path

erikj/state_res_v2.1_clousre

erikj/stateless_contexts

erikj/stream_position

erikj/synapse_server_refactor

erikj/test_fixup

erikj/test_old_dep_postgres

erikj/test_send

erikj/tests_move_events

erikj/theseus

erikj/timings

erikj/track_cpu_usage_of_txns

erikj/tree_cache

erikj/tree_cache_typing

erikj/urlencode_paths

erikj/weakref_events

erikj/worker_can_read_streams

erikj/worker_proxy

erikj/workers

experimental2

fosdem-2021

function_tracer

get_state_groups-perf

gh-pages

hawkowl/fsb

hhs-9/hs/log-mods

hotfixes-v0.18.5

hs/allow-as-login

hs/as-server-banlist

hs/as-synthetic-events

hs/deactivate-leave-metadata

hs/default_emails_to_use

hs/hacked-together-event-cache

hs/limit-profile-len

hs/log-unknown-room

hs/many-joined-members

hs/presence-caps

hs/push-reports-to-as

hs/sssh-testing-redis-things

hs/super-wip-edus-down-sync

hs/synapse-as-v1-endpoints

hs/use-malloc-in-docker

hughns/http-listener-cors-response-headers

hughns/msc3882-unstable-r1

hughns/remove-unstable-msc3882

hughns/stable-msc3882-default

improve-sync-delete-device-msgs

initial_sync_perf

jaywink/build-test

jaywink/gitter

jaywink/rav/optimise_maybe_backfill

jaywink/release-v1.77-f09db5c9918b6aaeb1f53ab4fac3a7f05f512c5f

jaywink/v1.74.0-py311

jaywink/v1.91.0-patches

jcgruenhage/nuke-users_who_share_rooms

joriks/3pid_comment_discrepancy

joriks/3pid_config_args

joriks/clearer_logging_file_origin

joriks/config_util

joriks/exit_code_fix

joriks/opentracing_e2e

joriks/opentracing_missing_servlet_wrappers

joriks/opentracing_span_conscription

joriks/opentracing_to_device_messages

joriks/opentracing_trace_sendtime

joriks/opentracing_user

joriks/synctl_config_dir

joriks/uisi_fix_with_opentracing

jryans/3pid-unbind-unstable

jryans/email-sid

jryans/logcontext-spam

jryans/push-rule-reactions

kegan/enable-dirty-runs

luke/get-admins-in-group-first

maddlittlemods/msc2716-many-batches-optimization

madlitlemods/can-we-work-with-less-state

madlittlemods/11025-fix-user-directory-throwing-exception-when-interacting-with-appservice-sender

madlittlemods/11300-refactor-backfilled-pt1

madlittlemods/11850-migrate-to-opentelemetry

madlittlemods/13356-messages-investigation-scratch-v1

madlittlemods/13685-correlate-traces-when-cf-times-out

madlittlemods/13856-scratch-have-seen-event-monolith-invalidation

madlittlemods/14108-optimize-filter_events_for_client

madlittlemods/15603-fix-literal-type

madlittlemods/15657-export-synapse-version-as-metric

madlittlemods/FederationDeniedError-is-not-SynapseError

madlittlemods/add-stable-unstable-version-for-jump-to-date

madlittlemods/appservice-interested-in-local-and-remote

madlittlemods/deflake-msc3030-backfill-test-with-workers

madlittlemods/document-benefit-for-event_id-room_id-pair-for-purging

madlittlemods/event_id_always_failed_to_fetch

madlittlemods/fix-proxy-tls

madlittlemods/gitter-patch-ignore-our-own-events

madlittlemods/msc2716-resolve-state-for-all-historical-events

madlittlemods/msc2716-room-capabilities

madlittlemods/msc3030-backfill-at-remote-event-fetched

madlittlemods/no-more-floating-msc2716-batches

madlittlemods/optimize-have_seen_events

madlittlemods/optimize-msc2716-v1

madlittlemods/re-use-work-to-grab-state-from-previous-group

madlittlemods/register-lower-case-version-of-mxid

madlittlemods/remove-current-state-events-join-from-queries-to-grab-profile-info

madlittlemods/remove-sqlite-tech-debt-in_get_state_groups_from_groups_txn

madlittlemods/response-time-buckets

madlittlemods/simplify-_count_known_servers

madlittlemods/test-backfill-and-messages-still-works-with-many-batches

madlittlemods/use-rust-jaeger-python-client

markjh/event_auth

markjh/split_pusher

markjh/synchrotron

master

matrix-org-hotfixes

matrix-org-hotfixes-identity

matrix-org-hotfixes-refactor

matrix-org-hotfixes-tcp-repl

matrix-org/fix_event_sig_checks

matthew/as_ts

matthew/bodge_device_update_dos

matthew/configurable_default_pl

matthew/custom-edus

matthew/delegate_register

matthew/disable-ll-on-incr-syncs

matthew/e2e_backups

matthew/encrypt-for-invited-users

matthew/fix-4329

matthew/fix-log-redaction

matthew/fix-roomdir-pagination

matthew/fix_filtered_types_in_current_state

matthew/fix_overzealous_ll_state

matthew/free_mau

matthew/free_mau_alt

matthew/heroes-for-avatars

matthew/hide-public-rooms

matthew/ignore-rogue-events

matthew/improve_get_users_in_room_cache_for_as

matthew/lazy_load_yourself

matthew/logging-memleak

matthew/no-as-ratelimit-for-noop-joins

matthew/red_list

matthew/room-summary-on-invites

matthew/sample-config

matthew/shadow-server

matthew/speed-up-dedup

matthew/stats

michaelk/be_liberal_with_info_api

michaelk/remove_log_error_well-known_client

michaelkaye/add_to_dockerignore

michaelkaye/configure_structured_logging

michaelkaye/dinsic_rewrite_identity_server_urls

michaelkaye/docker_optionall_suexec

michaelkaye/link_to_federation_docs

michaelkaye/make_hash_password_clearer

michaelkaye/matrix_org_hotfixes_increase_replication_timeout

michaelkaye/merge_0-33_to_dinsic

michaelkaye/rearrange_docker

michaelkaye/remove_warning

michaelkaye/synapse.storage.TIME_log_level

michaelkaye/synapse_config_check

mv/add-mxid-validation-log

mv/batch-partial-states-lookups-more

mv/cago-test-skippable

mv/complement-pg-data

mv/increase-timeout-joins

mv/key_request_limit

mv/msc3944

mv/mypy-unused-awaitable

mv/non-ll-sync-fast-join

mv/parse-duration

mv/purge-room-when-forgotten-wip

mv/synapse_worker_docker

mv/sync-to-device-limit

mv/test-account-validity

mv/unbind-callback

neilj/1.0-upgrade-notes

neilj/1711faq

neilj/add-r0.5-to-versions

neilj/add_rel_attr_to_index

neilj/add_ua_to_udv_table

neilj/batch-unsert-mau-users

neilj/context_parameter

neilj/default-room-version-v4

neilj/disable-mau-alerting-for-small-instances

neilj/drop_tables_in_1830

neilj/fix_4229

neilj/fix_broken_registration_test

neilj/fix_check_threepid_for_msisdns

neilj/fix_double_counting_mau_reaping

neilj/fix_mau_initial_reserved_users

neilj/fix_trailing_slashes

neilj/improve-federation-docs

neilj/improve_logg_for_4239

neilj/mau-tracking-config-explainer

neilj/mau_phonehome

neilj/notary_server_warning

neilj/readme-wellknown

neilj/remove_logging_password

neilj/update_limits_error_codes

paul/SYN-560

paul/schema_breaking_changes

pr/9803

pull/3184/merge

quenting/fix-device-deletion

quenting/hotfix-delegated-auth-admin

rav/drop_event_edges_cols

rav/drop_state_events

rav/faster_joins/work

rav/log_invalid_bodies

rav/out_of_keys_claims

rav/sw1v-hotfixes

readme-client-link-fix

rei/1.50.1_viztracer

rei/12281_reproduce

rei/2528_catchup_fed_outage

rei/429s_in_msc3878_conflict

rei/DEMO-test-logging-noise

rei/TOOLS/workers_setup

rei/admin_setadmin

rei/ci_par_4

rei/complement_workers_knives_and_forks

rei/cwas_extension

rei/dev-lsp

rei/df_sync_sentinel

rei/docker_workers_for_testing

rei/efv_as_enum

rei/fetch_evt_report_slight_query_optimi

rei/fix_hotserve_breakage

rei/flake

rei/flake_gcc

rei/flake_gcc_etc

rei/forget_nobody_warn

rei/fork_comp-worker-shorthand

rei/frrj_safecomponent_prevevents

rei/grafana_fix_request_times

rei/gsgfg

rei/gsgfg2

rei/improve_debuggability_docker_ghost

rei/jumptodate_statement_limit

rei/librepush.net-stcache

rei/logging_1_64_0_ic1294

rei/lpnet

rei/lt_launch

rei/measure_servlet_time

rei/modapi_gg_stricter_types

rei/moh-commit_span

rei/moh-orjson-replication

rei/not_null_drop_indices_after

rei/p/2021-12-29_develop_PLUS_msc3202_otks_fbks

rei/p/stcache

rei/p/stcache-1.57

rei/phonehome_r30_tests

rei/psql_lint_ensure_pkey

rei/room_dir

rei/room_stats_dodgy_if

rei/room_stats_separated

rei/room_stats_total_events

rei/roomdir_alt

rei/rss_inc1

rei/rss_inc2

rei/rss_inc3

rei/rss_inc4

rei/rss_inc5

rei/rss_inc6

rei/rss_inc7

rei/rss_target

rei/selective_scalene

rei/strict_json_types

rei/synwork_TestMembersLocal

rei/synwork_TestSendPartialJoinState

rei/synwork_rr_join_flake

rei/testignore

rei/type_tlcfc

rei/update_client_ips_bgw_de1

rei/userdirpriv3_queue_to_refresh_initialpop

rei/uvloop

rei/worker_endpoint_factory

release-v0.12.0

release-v0.12.1

release-v0.14.0

release-v0.18.5

release-v0.19.0

release-v0.19.1

release-v0.19.2

release-v0.19.3

release-v0.20.0

release-v0.21.0

release-v0.22.0

release-v0.23.0

release-v0.24.0

release-v0.24.1

release-v0.25.0

release-v0.25.1

release-v0.26.0

release-v0.27.0

release-v0.28.0-rc1

release-v0.28.1

release-v0.29.0

release-v0.30.0

release-v0.31.0

release-v0.31.1

release-v0.31.2

release-v0.32.0

release-v0.32.1

release-v0.32.2

release-v0.33.0

release-v0.33.1

release-v0.33.2

release-v0.33.2.1

release-v0.33.3

release-v0.33.3.1

release-v0.33.4

release-v0.33.5

release-v0.33.5.1

release-v0.33.6

release-v0.33.7

release-v0.33.8

release-v0.33.9

release-v0.34.0

release-v0.34.0.1

release-v0.34.1

release-v0.34.1.1

release-v0.9.4

release-v0.99.0

release-v0.99.1

release-v0.99.2

release-v0.99.3

release-v0.99.3.1

release-v0.99.3.2

release-v0.99.4

release-v0.99.5

release-v1.0.0

release-v1.1.0

release-v1.10.0

release-v1.10.1

release-v1.11.0

release-v1.11.1

release-v1.12.0

release-v1.12.1

release-v1.12.2

release-v1.12.3

release-v1.12.4

release-v1.13.0

release-v1.14.0

release-v1.15.0

release-v1.15.1

release-v1.15.2

release-v1.16.0

release-v1.16.1

release-v1.17.0

release-v1.18.0

release-v1.19.0

release-v1.19.1

release-v1.19.2

release-v1.19.3

release-v1.2.0

release-v1.2.1

release-v1.20.0

release-v1.20.1

release-v1.21.0

release-v1.21.1

release-v1.21.2

release-v1.21.3

release-v1.22.0

release-v1.22.1

release-v1.23.0

release-v1.23.1

release-v1.24.0

release-v1.25.0

release-v1.26.0

release-v1.27.0

release-v1.28.0

release-v1.29.0

release-v1.3.0

release-v1.3.1

release-v1.30.0

release-v1.30.1

release-v1.31.0

release-v1.32.0

release-v1.32.1

release-v1.32.2

release-v1.33.0

release-v1.33.1

release-v1.33.2

release-v1.34.0

release-v1.35

release-v1.35.0

release-v1.36

release-v1.37

release-v1.38

release-v1.39

release-v1.4.0

release-v1.4.1

release-v1.40

release-v1.41

release-v1.42

release-v1.43

release-v1.44

release-v1.45

release-v1.46

release-v1.47

release-v1.48

release-v1.49

release-v1.5.0

release-v1.5.1

release-v1.50

release-v1.51

release-v1.52

release-v1.53

release-v1.54

release-v1.55

release-v1.56

release-v1.57

release-v1.58

release-v1.59

release-v1.6.0

release-v1.6.1

release-v1.60

release-v1.61

release-v1.62

release-v1.63

release-v1.64

release-v1.65

release-v1.66

release-v1.67

release-v1.68

release-v1.69

release-v1.7.0

release-v1.7.1

release-v1.7.1_modular_profile_hotfix

release-v1.7.2

release-v1.7.3

release-v1.70

release-v1.71

release-v1.72

release-v1.73

release-v1.74

release-v1.75

release-v1.76

release-v1.77

release-v1.78

release-v1.79

release-v1.8.0

release-v1.80

release-v1.81

release-v1.82

release-v1.83

release-v1.84

release-v1.85

release-v1.86

release-v1.87

release-v1.88

release-v1.89

release-v1.9.0

release-v1.9.1

release-v1.90

release-v1.91

release-v1.91.0

release-v1.92

release-v1.93

release-v1.94

release-v1.95

release-v1.96

release-v1.97

release-v1.98

revert-14404-partial-join-filter-non-local

revert-2037-fix_readme_centos_issues

room-publishing

shay/add_check_constraint

shay/add_types_opentracing.py

shay/batch_membership_event

shay/batch_state_groups

shay/dh-poetry

shay/experimental_flags_part_2

shay/fix_batch_history

shay/fix_dependency

shay/fix_git_hx_batch

shay/fix_sqlite

shay/more_batching

shay/more_no_read

shay/mx_map_to_module

shay/pyupgrade

shay/ratelimit

shay/remove_trust_id_server

shay/revoke_token

shay/rework_module

shay/stop_writing_user_id

shay/super_docs

shhs

squah/add_endpoint_cancellation_flag

squah/cancel_disconnected_requests

squah/expand_localpart_columns_1

squah/faster_room_joins_handle_second_join_while_resyncing

squah/faster_room_joins_unblock_lazy_loading_sync_1

squah/faster_room_joins_unblock_lazy_loading_sync_2

squah/leave_space_admin_api

squah/pyproject-poetry-contribs

squah/test_device_list_tracking

squah/trial_memory_leak_tracking

squah/unrevert-fts-changes-on-hotfix

t3chguy/do_not_create_room_invalid_power_level_content_override

t3chguy/fix_contains-url_filtering

t3chguy/hide-join-parts

tc-disrupt-london-midi

toml/keycloak_hints

travis/alt-todev-masq-otk-fbkey

travis/fake-soft-logout

travis/fix-stuck-invites

travis/fosdem/admin-api-groups

travis/fosdem/hotfixes

travis/group-admin

travis/hidden_rr

travis/intentional-timeout

travis/nullable-relation

travis/saml-dev-docs

ts/spam-errors

uhoreg/cross_signing_bulk

uhoreg/dehydration_release

uhoreg/e2e_backup_hash

uhoreg/e2e_cross-signing

uhoreg/e2e_cross-signing2

v1.23.1-multiarch

v1.24.0-multiarch

yoric/throttling-invites-doc

ACME

From version 1.0 (June 2019) onwards, Synapse requires valid TLS certificates for communication between servers (by default on port 8448) in addition to those that are client-facing (port 443). To help homeserver admins fulfil this new requirement, Synapse v0.99.0 introduced support for automatically provisioning certificates through Let's Encrypt using the ACME protocol.

Deprecation of ACME v1

In March 2019, Let's Encrypt announced that they were deprecating version 1 of the ACME protocol, with the plan to disable the use of it for new accounts in November 2019, and for existing accounts in June 2020.

Synapse doesn't currently support version 2 of the ACME protocol, which means that:

for existing installs, Synapse's built-in ACME support will continue to work until June 2020.
for new installs, this feature will not work at all.

Either way, it is recommended to move from Synapse's ACME support feature to an external automated tool such as certbot (or browse this list for an alternative ACME client).

It's also recommended to use a reverse proxy for the server-facing communications (more documentation about this can be found here) as well as the client-facing ones and have it serve the certificates.

In case you can't do that and need Synapse to serve them itself, make sure to set the tls_certificate_path configuration setting to the path of the certificate (make sure to use the certificate containing the full certification chain, e.g. fullchain.pem if using certbot) and tls_private_key_path to the path of the matching private key. Note that in this case you will need to restart Synapse after each certificate renewal so that Synapse stops using the old certificate.

If you still want to use Synapse's built-in ACME support, the rest of this document explains how to set it up.

Initial setup

In the case that your server_name config variable is the same as the hostname that the client connects to, then the same certificate can be used between client and federation ports without issue.

If your configuration file does not already have an acme section, you can generate an example config by running the generate_config executable. For example:

~/synapse/env3/bin/generate_config

You will need to provide Let's Encrypt (or another ACME provider) access to your Synapse ACME challenge responder on port 80, at the domain of your homeserver. This requires you to either change the port of the ACME listener provided by Synapse to a high port and reverse proxy to it, or use a tool like authbind to allow Synapse to listen on port 80 without root access. (Do not run Synapse with root permissions!) Detailed instructions are available under "ACME setup" below.

If you already have certificates, you will need to back up or delete them (files example.com.tls.crt and example.com.tls.key in Synapse's root directory), Synapse's ACME implementation will not overwrite them.

ACME setup

The main steps for enabling ACME support in short summary are:

Allow Synapse to listen for incoming ACME challenges.
Enable ACME support in homeserver.yaml.
Move your old certificates (files example.com.tls.crt and example.com.tls.key out of the way if they currently exist at the paths specified in homeserver.yaml.
Restart Synapse.

Detailed instructions for each step are provided below.

Listening on port 80

In order for Synapse to complete the ACME challenge to provision a certificate, it needs access to port 80. Typically listening on port 80 is only granted to applications running as root. There are thus two solutions to this problem.

Using a reverse proxy

A reverse proxy such as Apache or nginx allows a single process (the web server) to listen on port 80 and proxy traffic to the appropriate program running on your server. It is the recommended method for setting up ACME as it allows you to use your existing webserver while also allowing Synapse to provision certificates as needed.

For nginx users, add the following line to your existing server block:

location /.well-known/acme-challenge {
    proxy_pass http://localhost:8009;
}

For Apache, add the following to your existing webserver config:

ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge

Make sure to restart/reload your webserver after making changes.

Now make the relevant changes in homeserver.yaml to enable ACME support:

acme:
    enabled: true
    port: 8009

Authbind

authbind allows a program which does not run as root to bind to low-numbered ports in a controlled way. The setup is simpler, but requires a webserver not to already be running on port 80. This includes every time Synapse renews a certificate, which may be cumbersome if you usually run a web server on port 80. Nevertheless, if you're sure port 80 is not being used for any other purpose then all that is necessary is the following:

Install authbind. For example, on Debian/Ubuntu:

sudo apt-get install authbind

Allow authbind to bind port 80:

sudo touch /etc/authbind/byport/80
sudo chmod 777 /etc/authbind/byport/80

When Synapse is started, use the following syntax:

authbind --deep <synapse start command>

Make the relevant changes in homeserver.yaml to enable ACME support:

acme:
    enabled: true

(Re)starting synapse

Ensure that the certificate paths specified in homeserver.yaml (tls_certificate_path and tls_private_key_path) do not currently point to any files. Synapse will not provision certificates if files exist, as it does not want to overwrite existing certificates.

Finally, start/restart Synapse.

ACME.md 5.8 KB Permalink History Raw