Use federation blacklist for requests to identity servers

[anoadragon453]

Now that we're getting rid of the concept of trusted identity servers, we need to make sure that people can't try and poke at internal addresses when sending identity server-related requests.

The plan is to reuse the federation blacklist for these requests which by default blocks internal CIDR ranges.

[anoadragon453]

@richvdh @erikjohnston Should matrixfederationclient be used for these requests so we get blacklisting for free? Or does that muddy the definition of the client?

[richvdh]

Previously, using the MatrixFederationClient would have meant that you'd get .well-known and SRV routing, which you don't want for an IS. But now I'm not so sure. @erikjohnston do your recent changes to the agent mean that https urls skip the federation routing?

[erikjohnston]

do your recent changes to the agent mean that https urls skip the federation routing?

That should be the case, though I haven't tested it.

[richvdh]

I guess another question: do we want the options relating to TLS certs to also apply to connections to the IS? (I think we probably do?)

[anoadragon453]

Would the federation_domain_whitelist config option affect this?

[richvdh]

fixed by #6000

[richvdh]

(which did nothing to address the tls certs stuff: you'll have to use a real cert on your ID server)