Allow different URL for Admin API for security reasons

[erebion]

The Synapse docs state:

For security reasons, we recommend that the Admin API (/_synapse/admin/...) should be hidden from public view using a reverse proxy. This means you should typically query the Admin API from a terminal on the machine which runs Synapse.

( https://matrix-org.github.io/synapse/latest/usage/administration/admin_api/ )

Following that recommendation, the Admin API should only be available locally or used with SSH port forwarding.

While this works with Synapse Admin and without SSO, it becomes more difficult with SSO.

If I enter http://localhost:8008, which is a port forwarded via SSH, I cannot login via SSO.

I just don't get offered SSO login as an option.

Here, my current workaround is:

1. Logging in using the domain
2. Changing the value of the cookie base_url from the domain to http://localhost:8008
3. Reloading the page

I think it would be useful if there was a way to be able to enter a seperate URL for the Admin API.

Or maybe there is a better way?

[dklimpel]

IMO you need this patch:

• Fix SSO-login for base urls with explicit port #337

[dklimpel]

This issue is certainly already fixed.

[awesome-manuel]

@erebion please re-open if the issue still exists.