From 69dea5827bec884c0ca8c79b49f68e2b554c2ec2 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Sat, 22 May 2021 20:45:43 -0500 Subject: [PATCH 1/5] Update CAPTCHA documentation to mention turning off verify origin Signed-off-by: Aaron Raimist --- docs/CAPTCHA_SETUP.md | 48 +++++++++++++++++++++++-------------------- 1 file changed, 26 insertions(+), 22 deletions(-) diff --git a/docs/CAPTCHA_SETUP.md b/docs/CAPTCHA_SETUP.md index 331e5d059a0e..e9424040fc6f 100644 --- a/docs/CAPTCHA_SETUP.md +++ b/docs/CAPTCHA_SETUP.md 
@@ -1,31 +1,35 @@ # Overview -Captcha can be enabled for this home server. This file explains how to do that. -The captcha mechanism used is Google's ReCaptcha. This requires API keys from Google. - -## Getting keys - -Requires a site/secret key pair from: - - - -Must be a reCAPTCHA v2 key using the "I'm not a robot" Checkbox option - -## Setting ReCaptcha Keys - -The keys are a config option on the home server config. If they are not -visible, you can generate them via `--generate-config`. Set the following value: - +A captcha can be enabled on your homeserver to help prevent bots from registering +accounts. Synapse currently uses Google's reCAPTCHA service which requires API keys +from Google. + +## Getting API keys + +1. Create a new site at +1. Set the label to anything you want +1. Set the type to reCAPTCHA v2 using the "I'm not a robot" Checkbox option. +This is the only type of captcha that works with Synapse. +1. Add your server name to the list of authorized domains. +1. Agree to the terms of service and submit +1. Copy your site key and secret key and add them to your `homeserver.yaml` +configuration file + ``` recaptcha_public_key: YOUR_SITE_KEY recaptcha_private_key: YOUR_SECRET_KEY - -In addition, you MUST enable captchas via: - + ``` +1. Enable the CAPTCHA for new registrations + ``` enable_registration_captcha: true + ``` +1. Go to the settings page for the CAPTCHA you just created +1. Uncheck the "Verify the origin of reCAPTCHA solutions" checkbox so that the +captcha can be displayed in any client. If you do not disable this option then you +must specify the domains of every client that is allowed to display the CAPTCHA. ## Configuring IP used for auth -The ReCaptcha API requires that the IP address of the user who solved the -captcha is sent. If the client is connecting through a proxy or load balancer, +The reCAPTCHA API requires that the IP address of the user who solved the +CAPTCHA is sent. 
If the client is connecting through a proxy or load balancer, it may be required to use the `X-Forwarded-For` (XFF) header instead of the origin IP address. This can be configured using the `x_forwarded` directive in the -listeners section of the homeserver.yaml configuration file. +listeners section of the `homeserver.yaml` configuration file. From 7d529a4dac16f49b9a798c5cec20975eae469724 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Sat, 22 May 2021 20:49:09 -0500 Subject: [PATCH 2/5] Add changelog Signed-off-by: Aaron Raimist --- changelog.d/10046.doc | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog.d/10046.doc diff --git a/changelog.d/10046.doc b/changelog.d/10046.doc new file mode 100644 index 000000000000..c10b964ca088 --- /dev/null +++ b/changelog.d/10046.doc @@ -0,0 +1 @@ +Update CAPTCHA documentation to mention turning off the verify origin feature. \ No newline at end of file From 7055660054fe5e2794ab67d4d630431dec01f788 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Tue, 25 May 2021 13:25:24 -0500 Subject: [PATCH 3/5] Update docs/CAPTCHA_SETUP.md Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> --- docs/CAPTCHA_SETUP.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/CAPTCHA_SETUP.md b/docs/CAPTCHA_SETUP.md index e9424040fc6f..07b8d5179afe 100644 --- a/docs/CAPTCHA_SETUP.md +++ b/docs/CAPTCHA_SETUP.md @@ -10,7 +10,7 @@ from Google. 1. Set the type to reCAPTCHA v2 using the "I'm not a robot" Checkbox option. This is the only type of captcha that works with Synapse. 1. Add your server name to the list of authorized domains. -1. Agree to the terms of service and submit +1. Agree to the terms of service and submit. 1. Copy your site key and secret key and add them to your `homeserver.yaml` configuration file ``` From 42126759b97150d79b701d912235c73675acab9b Mon Sep 17 00:00:00 2001 
From: Aaron Raimist Date: Tue, 25 May 2021 13:25:43 -0500 Subject: [PATCH 4/5] Update changelog.d/10046.doc Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> --- changelog.d/10046.doc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/changelog.d/10046.doc b/changelog.d/10046.doc index c10b964ca088..995960163b0c 100644 --- a/changelog.d/10046.doc +++ b/changelog.d/10046.doc @@ -1 +1 @@ -Update CAPTCHA documentation to mention turning off the verify origin feature. \ No newline at end of file +Update CAPTCHA documentation to mention turning off the verify origin feature. Contributed by @aaronraimist. From a5d27b7af64912059616ad0ee0b5d9e43e40879f Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Tue, 25 May 2021 13:34:59 -0500 Subject: [PATCH 5/5] Change to public_baseurl Signed-off-by: Aaron Raimist --- docs/CAPTCHA_SETUP.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/CAPTCHA_SETUP.md b/docs/CAPTCHA_SETUP.md index 07b8d5179afe..fabdd7b7265e 100644 --- a/docs/CAPTCHA_SETUP.md +++ b/docs/CAPTCHA_SETUP.md @@ -9,7 +9,9 @@ from Google. 1. Set the label to anything you want 1. Set the type to reCAPTCHA v2 using the "I'm not a robot" Checkbox option. This is the only type of captcha that works with Synapse. -1. Add your server name to the list of authorized domains. +1. Add the public hostname for your server, as set in `public_baseurl` +in `homeserver.yaml`, to the list of authorized domains. If you have not set +`public_baseurl`, use `server_name`. 1. Agree to the terms of service and submit. 1. Copy your site key and secret key and add them to your `homeserver.yaml` configuration file
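Review bot: In PATCH 1/5 (docs/CAPTCHA_SETUP.md, hunk `@@ -1,31 +1,35 @@`), the last step of the new list tells the operator to uncheck "Verify the origin of reCAPTCHA solutions" but does not say what is given up by doing so. The same list earlier asks for the server to be added to the authorized domains, and the new text itself says the domain list is what governs when the option stays enabled, so a reader cannot tell which of the two settings is actually in effect afterwards. Suggest one extra sentence stating that with the box unchecked the CAPTCHA can be shown from any domain, and presenting "leave it checked and list every client domain" as the stricter choice for deployments where the set of clients is known. The new text also mixes "captcha" and "CAPTCHA" ("This is the only type of captcha", "Enable the CAPTCHA"); pick one spelling.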
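Review bot: In PATCH 3/5 (docs/CAPTCHA_SETUP.md, hunk `@@ -10,7 +10,7 @@`), the full stop is added only to "Agree to the terms of service and submit." while the neighbouring items still end without one, for example "Set the label to anything you want" and "...add them to your `homeserver.yaml` configuration file". Suggest punctuating every list item the same way in this commit so the list is consistent.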
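Review bot: In PATCH 5/5 (docs/CAPTCHA_SETUP.md, hunk `@@ -9,7 +9,9 @@`), the reworded step says to add "the public hostname for your server, as set in `public_baseurl`", but `public_baseurl` holds a URL, not a bare hostname, and the step does not say which part of it goes into the authorized domains list. Suggest stating explicitly that only the hostname portion is entered (no scheme, port or path) and giving a short placeholder example, so operators do not paste the whole URL. The `server_name` fallback would benefit from the same clarification, since it is offered here as a stand-in for that hostname.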