Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Is installing riot in subdomain of the domain used by synapse a problem? #10799

Closed
eauchat opened this issue Sep 9, 2019 · 9 comments
Closed

Is installing riot in subdomain of the domain used by synapse a problem? #10799

eauchat opened this issue Sep 9, 2019 · 9 comments

Comments

@eauchat
Copy link

eauchat commented Sep 9, 2019

In this issue it's explained that you shouldn't run riot with the same domain where synapse is running. I posted this question to get details about it but never got any comment on that, so I thought maybe I can create a proper issue for this question.

The thread mentions (from what I understand) that having Riot and Synapse served in matrix.domain.tld and riot.domain.tld doesn't bring security issues.
I was wondering if the same apply to Synapse serving in domain.tld and riot in riot.domain.tld, since Synapse is then in a parent domain.

Also, it's mentioned that it's better to run Synapse and Riot in different machines (whether physical or virtual).
What are the security implications of running Synapse and Riot on the same machine?

Thanks a lot for the attention :)
@t3chguy
Copy link
Member

t3chguy commented Sep 9, 2019

This is more a support question for #riot:matrix.org which is why it never got attention on an already closed issue.

@eauchat
Copy link
Author

eauchat commented Sep 9, 2019

I could ask it on #riot:matrix.org yep. I asked here because seeing the reactions on my previous comment, it seemed that other people were interested as well.
So I thought it'd be useful to have the answer more widely accessible.

@turt2live
Copy link
Member

Subdomains are different domains as far as CORS is concerned, however do be cautious about running your homeserver on example.org and riot on riot.example.org

@eauchat
Copy link
Author

eauchat commented Oct 16, 2019

Thank you for the precision @turt2live.
Any further precision on what means "being cautious" and what are the risks is still very welcome :)

@turt2live
Copy link
Member

You theoretically can open yourself up to XSS and similar attacks if using the same domain. It's generally considered a very bad practice.

@Josue-T
Copy link

Josue-T commented Nov 7, 2019

Hello,

And how about this follow configurations:

  • Riot installed on riot.domain_1.tld.
  • Synapse installed on synapse.domain_1.tld.
  • And the username for this synapse instance is user#domain_1.tld. With this following dns registry:
_matrix._tcp.domain_1.tld     3600    IN SRV   10   0   8448   synapse.domain.tld

@turt2live
Copy link
Member

@Josue-T this is not the place to verify your configuration. Please visit #riot-web:matrix.org or #synapse:matrix.org instead.

@eauchat
Copy link
Author

eauchat commented Nov 12, 2019

I find @Josue-T's question useful and still feel not so clear about this issue.

@eauchat eauchat mentioned this issue May 7, 2020
Open
@brendan-mccoy
Copy link

I don't understand the insistence on keeping an issue extant on the repo just says "hey ask here on this other place that isn't going to be indexed by google"

@element-hq element-hq locked as resolved and limited conversation to collaborators Apr 9, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@turt2live @t3chguy @Josue-T @brendan-mccoy @eauchat