From 12dc6b102f071eb2eb84f2cff4cf92903276ffbb Mon Sep 17 00:00:00 2001
From: Eric Eastwood <erice@element.io>
Date: Mon, 17 Feb 2025 10:23:04 -0600
Subject: [PATCH] Add support to proxy outbound requests from Synapse in tests
 (#18158)

Adds new environment variables that can be used with the Docker image
(`SYNAPSE_HTTP_PROXY`/`SYNAPSE_HTTPS_PROXY`/`SYNAPSE_NO_PROXY`)

Useful for things like the [Secure Border
Gateway](https://element.io/server-suite/secure-border-gateways)


### Why is this necessary?

You can already configure the `HTTP_PROXY`/`HTTPS_PROXY` environment
variables to proxy outbound requests but setting this globally in the
Docker image affects all processes which isn't always desirable or
workable in the case where the proxy is running in the Docker image
itself (because the Debian packages will fail to download because the
proxy isn't up and running yet) . Adding Synapse specific environment
variables
(`SYNAPSE_HTTP_PROXY`/`SYNAPSE_HTTPS_PROXY`/`SYNAPSE_NO_PROXY`) makes
things much more targetable.
---
 changelog.d/18158.docker                        | 1 +
 docker/README.md                                | 3 +++
 docker/conf-workers/synapse.supervisord.conf.j2 | 3 +++
 docker/configure_workers_and_start.py           | 7 +++++++
 synapse/http/proxyagent.py                      | 6 ++++++
 5 files changed, 20 insertions(+)
 create mode 100644 changelog.d/18158.docker

diff --git a/changelog.d/18158.docker b/changelog.d/18158.docker
new file mode 100644
index 00000000000..60469690ffb
--- /dev/null
+++ b/changelog.d/18158.docker
@@ -0,0 +1 @@
+Add `SYNAPSE_HTTP_PROXY`/`SYNAPSE_HTTPS_PROXY`/`SYNAPSE_NO_PROXY` environment variables to pass through specifically to the Synapse process (instead of needing to apply [`http_proxy`/`https_proxy`/`no_proxy`](https://element-hq.github.io/synapse/latest/setup/forward_proxy.html) globally).
diff --git a/docker/README.md b/docker/README.md
index 8dba6fdb051..3438e9c441c 100644
--- a/docker/README.md
+++ b/docker/README.md
@@ -114,6 +114,9 @@ The following environment variables are supported in `run` mode:
   is set via `docker run --user`, defaults to `991`, `991`. Note that this user
   must have permission to read the config files, and write to the data directories.
 * `TZ`: the [timezone](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) the container will run with. Defaults to `UTC`.
+* `SYNAPSE_HTTP_PROXY`: Passed through to the Synapse process as the `http_proxy` environment variable.
+* `SYNAPSE_HTTPS_PROXY`: Passed through to the Synapse process as the `https_proxy` environment variable.
+* `SYNAPSE_NO_PROXY`: Passed through to the Synapse process as `no_proxy` environment variable.
 
 For more complex setups (e.g. for workers) you can also pass your args directly to synapse using `run` mode. For example like this:
 
diff --git a/docker/conf-workers/synapse.supervisord.conf.j2 b/docker/conf-workers/synapse.supervisord.conf.j2
index 481eb4fc92f..4fb11b259e5 100644
--- a/docker/conf-workers/synapse.supervisord.conf.j2
+++ b/docker/conf-workers/synapse.supervisord.conf.j2
@@ -1,5 +1,6 @@
 {% if use_forking_launcher %}
 [program:synapse_fork]
+environment=http_proxy="%(ENV_SYNAPSE_HTTP_PROXY)s",https_proxy="%(ENV_SYNAPSE_HTTPS_PROXY)s",no_proxy="%(ENV_SYNAPSE_NO_PROXY)s"
 command=/usr/local/bin/python -m synapse.app.complement_fork_starter
   {{ main_config_path }}
   synapse.app.homeserver
@@ -20,6 +21,7 @@ exitcodes=0
 
 {% else %}
 [program:synapse_main]
+environment=http_proxy="%(ENV_SYNAPSE_HTTP_PROXY)s",https_proxy="%(ENV_SYNAPSE_HTTPS_PROXY)s",no_proxy="%(ENV_SYNAPSE_NO_PROXY)s"
 command=/usr/local/bin/prefix-log /usr/local/bin/python -m synapse.app.homeserver
   --config-path="{{ main_config_path }}"
   --config-path=/conf/workers/shared.yaml
@@ -36,6 +38,7 @@ exitcodes=0
 
   {% for worker in workers %}
 [program:synapse_{{ worker.name }}]
+environment=http_proxy="%(ENV_SYNAPSE_HTTP_PROXY)s",https_proxy="%(ENV_SYNAPSE_HTTPS_PROXY)s",no_proxy="%(ENV_SYNAPSE_NO_PROXY)s"
 command=/usr/local/bin/prefix-log /usr/local/bin/python -m {{ worker.app }}
   --config-path="{{ main_config_path }}"
   --config-path=/conf/workers/shared.yaml
diff --git a/docker/configure_workers_and_start.py b/docker/configure_workers_and_start.py
index 15d8d7b5586..6d73e8feaa7 100755
--- a/docker/configure_workers_and_start.py
+++ b/docker/configure_workers_and_start.py
@@ -1099,6 +1099,13 @@ def main(args: List[str], environ: MutableMapping[str, str]) -> None:
     else:
         log("Could not find %s, will not use" % (jemallocpath,))
 
+    # Empty strings are falsy in Python so this default is fine. We just can't have these
+    # be undefined because supervisord will complain about our
+    # `%(ENV_SYNAPSE_HTTP_PROXY)s` usage.
+    environ.setdefault("SYNAPSE_HTTP_PROXY", "")
+    environ.setdefault("SYNAPSE_HTTPS_PROXY", "")
+    environ.setdefault("SYNAPSE_NO_PROXY", "")
+
     # Start supervisord, which will start Synapse, all of the configured worker
     # processes, redis, nginx etc. according to the config we created above.
     log("Starting supervisord")
diff --git a/synapse/http/proxyagent.py b/synapse/http/proxyagent.py
index c91cf30fd1b..fd16ee42dd1 100644
--- a/synapse/http/proxyagent.py
+++ b/synapse/http/proxyagent.py
@@ -150,6 +150,12 @@ def __init__(
             http_proxy = proxies["http"].encode() if "http" in proxies else None
             https_proxy = proxies["https"].encode() if "https" in proxies else None
             no_proxy = proxies["no"] if "no" in proxies else None
+            logger.debug(
+                "Using proxy settings: http_proxy=%s, https_proxy=%s, no_proxy=%s",
+                http_proxy,
+                https_proxy,
+                no_proxy,
+            )
 
         self.http_proxy_endpoint, self.http_proxy_creds = http_proxy_endpoint(
             http_proxy, self.proxy_reactor, contextFactory, **self._endpoint_kwargs