From 3b9d5b13e96dd94ee014d0a58bbeeef0b6deb952 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Sat, 18 Dec 2021 13:26:31 +0200
Subject: [PATCH] Add support for not serving Dendrite federation APIs on the client port

Seems like Dendrite encourages serving both the Client and Federation API at the same port. Coming from Synapse and how things are done there, we have separate ports. Using separate ports probably makes matrix-corporal (etc.) integration easier, so separating the APIs by default probably makes sense.
---
 roles/matrix-nginx-proxy/defaults/main.yml | 3 +++
 .../templates/nginx/conf.d/matrix-dendrite.conf.j2 | 10 ++++++++++
 2 files changed, 13 insertions(+)

diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml
index 749d9391d..1feea6b71 100644
--- a/roles/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/matrix-nginx-proxy/defaults/main.yml
@@ -128,6 +128,9 @@ matrix_nginx_proxy_proxy_synapse_additional_server_configuration_blocks: []
 matrix_nginx_proxy_proxy_dendrite_enabled: false
 matrix_nginx_proxy_proxy_dendrite_hostname: "matrix-nginx-proxy"
 matrix_nginx_proxy_proxy_dendrite_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}"
+# Controls whether the Client API server (usually at matrix.DOMAIN:443) should explicitly reject `/_matrix/federation` endpoints.
+# Normally, Dendrite Monolith serves both APIs (Client & Federation) at the same port, so we can serve federation at `matrix.DOMAIN:443` too.
+matrix_nginx_proxy_proxy_dendrite_block_federation_api_on_client_port: true
 # The addresses where the Matrix Client API is, when using Dendrite.
 matrix_nginx_proxy_proxy_dendrite_client_api_addr_with_container: ""
 matrix_nginx_proxy_proxy_dendrite_client_api_addr_sans_container: ""
diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dendrite.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dendrite.conf.j2
index 9776085e1..939156a31 100644
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dendrite.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dendrite.conf.j2 @@ -14,6 +14,16 @@ server { {{- configuration_block }} {% endfor %} + {% if matrix_nginx_proxy_proxy_dendrite_block_federation_api_on_client_port %} + location /_matrix/federation { + {% if matrix_nginx_proxy_proxy_dendrite_federation_api_enabled %} + return 404 'The Federation API is served at https://{{ matrix_server_fqn_matrix }}:{{ matrix_federation_public_port }}'; + {% else %} + return 404 'This Matrix server is running with federation disabled'; + {% endif %} + } + {% endif %} + {# Everything else just goes to the API server ##} location / { {% if matrix_nginx_proxy_enabled %}
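Review bot: `location /_matrix/federation` is a plain prefix location, so a regex location coming from the additional configuration blocks rendered just above it would take precedence and the 404 would never fire; writing it as `location ^~ /_matrix/federation {` keeps the block authoritative. The block also covers only this one prefix: the server-server key endpoints under `/_matrix/key/` still fall through to `location /` and reach the client upstream, which may or may not be intended given the variable's name, so it deserves either a second location or a comment saying it is deliberate. In `defaults/main.yml` the comment on `matrix_nginx_proxy_proxy_dendrite_block_federation_api_on_client_port` explains why the ports can be shared but not what `true` does; something like `# When true (default), /_matrix/federation on the client port answers 404; set to false to let Dendrite serve both APIs there.` would be clearer. The enclosing `server` block and the body of `location /` start and end outside the hunk.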