Spec Host and SNI headers for federated calls (including the media repo)

[turt2live]

It seems as though the Host should at least be set to the target server, with port(?). Eg: Host: matrix.org:8443 despite the SRV returning matrix.org.cdn.cloudflare.net:8443.

[ara4n]

So I think the way this works is that you put the hostname you were intending to talk to in the Host header of the request. So, if you had looked up the SRV of matrix.org, you'd put Host: matrix.org (with no port) in the HTTP request header. You do not put the hostname:port of the resolved SRV request (e.g. matrix.org.cdn.cloudflare.net:8443). I think this makes some level of sense, as the target server cares about how the general public thinks of it (i.e. its server_name aka domain of its matrix IDs), rather than the random internalish host:port that the SRV record happens to point to. And the client should reflect the intent of who it was trying to connect to.

The end result should look like this:

$ SRV_RESULT=`dig +short -t SRV _matrix._tcp.matrix.org | perl -ne '/.* (\d+) (.*)\.$/ && print "$2:$1"'`
$ echo $SRV_RESULT
matrix.org.cdn.cloudflare.net:8443
$ openssl s_client -connect $SRV_RESULT -quiet
GET /_matrix/federation/v1/version HTTP/1.1
Host: matrix.org

HTTP/1.1 200 OK
Date: Sun, 18 Mar 2018 14:26:32 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d401dd2ef877cb6aafb7c74a71be89ce71521383191; expires=Mon, 18-Mar-19 14:26:31 GMT; path=/; domain=.matrix.org; HttpOnly
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 3fd85fe1ffa906ee-LHR

34
{"server": {"version": "0.26.0", "name": "Synapse"}}
0

[ara4n]

Ah, the impl specific variant of this is matrix-org/synapse#2525