From 44b7d4c6d6d5e8d78bd0154b407defea4a35aebd Mon Sep 17 00:00:00 2001
From: Patrick Cloke <clokep@users.noreply.github.com>
Date: Wed, 16 Dec 2020 14:40:47 -0500
Subject: [PATCH] Fix the sample config location for the ip_range_whitelist
 setting. (#8954)

Move it from the federation section to the server section to match
ip_range_blacklist.
---
 changelog.d/8954.feature     |  1 +
 docs/sample_config.yaml      | 24 ++++++++++++------------
 synapse/config/federation.py | 12 ------------
 synapse/config/server.py     | 12 ++++++++++++
 4 files changed, 25 insertions(+), 24 deletions(-)
 create mode 100644 changelog.d/8954.feature

diff --git a/changelog.d/8954.feature b/changelog.d/8954.feature
new file mode 100644
index 0000000000..39f53174ad
--- /dev/null
+++ b/changelog.d/8954.feature
@@ -0,0 +1 @@
+Apply an IP range blacklist to push and key revocation requests.
diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
index f196781c1c..75a01094d5 100644
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@@ -173,6 +173,18 @@ pid_file: DATADIR/homeserver.pid
 #  - 'fe80::/10'
 #  - 'fc00::/7'
 
+# List of IP address CIDR ranges that should be allowed for federation,
+# identity servers, push servers, and for checking key validity for
+# third-party invite events. This is useful for specifying exceptions to
+# wide-ranging blacklisted target IP ranges - e.g. for communication with
+# a push server only visible in your network.
+#
+# This whitelist overrides ip_range_blacklist and defaults to an empty
+# list.
+#
+#ip_range_whitelist:
+#   - '192.168.1.1'
+
 # List of ports that Synapse should listen on, their purpose and their
 # configuration.
 #
@@ -671,18 +683,6 @@ acme:
 #  - nyc.example.com
 #  - syd.example.com
 
-# List of IP address CIDR ranges that should be allowed for federation,
-# identity servers, push servers, and for checking key validity for
-# third-party invite events. This is useful for specifying exceptions to
-# wide-ranging blacklisted target IP ranges - e.g. for communication with
-# a push server only visible in your network.
-#
-# This whitelist overrides ip_range_blacklist and defaults to an empty
-# list.
-#
-#ip_range_whitelist:
-#   - '192.168.1.1'
-
 # Report prometheus metrics on the age of PDUs being sent to and received from
 # the following domains. This can be used to give an idea of "delay" on inbound
 # and outbound federation, though be aware that any delay can be due to problems
diff --git a/synapse/config/federation.py b/synapse/config/federation.py
index a03a419e23..9f3c57e6a1 100644
--- a/synapse/config/federation.py
+++ b/synapse/config/federation.py
@@ -56,18 +56,6 @@ class FederationConfig(Config):
         #  - nyc.example.com
         #  - syd.example.com
 
-        # List of IP address CIDR ranges that should be allowed for federation,
-        # identity servers, push servers, and for checking key validity for
-        # third-party invite events. This is useful for specifying exceptions to
-        # wide-ranging blacklisted target IP ranges - e.g. for communication with
-        # a push server only visible in your network.
-        #
-        # This whitelist overrides ip_range_blacklist and defaults to an empty
-        # list.
-        #
-        #ip_range_whitelist:
-        #   - '192.168.1.1'
-
         # Report prometheus metrics on the age of PDUs being sent to and received from
         # the following domains. This can be used to give an idea of "delay" on inbound
         # and outbound federation, though be aware that any delay can be due to problems
diff --git a/synapse/config/server.py b/synapse/config/server.py
index f3815e5add..7242a4aa8e 100644
--- a/synapse/config/server.py
+++ b/synapse/config/server.py
@@ -832,6 +832,18 @@ class ServerConfig(Config):
         #ip_range_blacklist:
 %(ip_range_blacklist)s
 
+        # List of IP address CIDR ranges that should be allowed for federation,
+        # identity servers, push servers, and for checking key validity for
+        # third-party invite events. This is useful for specifying exceptions to
+        # wide-ranging blacklisted target IP ranges - e.g. for communication with
+        # a push server only visible in your network.
+        #
+        # This whitelist overrides ip_range_blacklist and defaults to an empty
+        # list.
+        #
+        #ip_range_whitelist:
+        #   - '192.168.1.1'
+
         # List of ports that Synapse should listen on, their purpose and their
         # configuration.
         #
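Review bot: The example under `ip_range_whitelist` in the added comment block is a bare address, `'192.168.1.1'`, while the text above it describes the entries as CIDR ranges and the blacklist examples visible in docs/sample_config.yaml use prefix notation (`'fe80::/10'`). Whether a bare address is accepted is not visible from this hunk, so `#   - '192.168.1.1/32'` would be the unambiguous example. Because the comment says this list overrides ip_range_blacklist for federation, identity-server, push-server and key-validity requests, it would help to add a line such as `# Entries listed here are exempt from ip_range_blacklist; keep each range as narrow as possible.` so an operator does not whitelist a whole private network to reach one host. The same text is added in the first hunk of docs/sample_config.yaml and should stay in sync; the enclosing ServerConfig method and its template string start and end outside this hunk.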
-- 
GitLab