Removal of NGINX breaks Matrix User Verfication Service functionality

[crapo9000]

Hello everyone,

the latest changes to the reverse proxy setup of the playbook (removal of NGINX) breaks the functionality of the Matrix User Verification Service in Jitsi calls. From what I've checked so far the issue could be related to the docker network changes. Maybe someone else has already solved the problem and could share their solution.

[gnouts]

I'm also experiencing issue with all 3rdparty services, namely :

• matrix-media-repo, because I had devture_traefik_config_entrypoint_web_secure_enabled: false as I'm using my own Caddy as a proxy. I switched to true and told caddy to ignore tls errors while proxying. It's more a hack than a fix. And the default config of media-repo still point to http://matrix-synapse:8008 which works (but breaks media for bridges) but I thought it was supposed to steal path on Traefik.
• hookshot, uses http://matrix-traefik:8008 for hs and media

Jan 24 10:42:01 element matrix-hookshot[4375]: WARN 09:42:01:948 [Bridge] Failed to connect to homeserver, retrying in 5s Error: connect ECONNREFUSED 172.2>
Jan 24 10:42:01 element matrix-hookshot[4375]:     at TCPConnectWrap.afterConnect [as oncomplete] (node:net:1595:16) {
Jan 24 10:42:01 element matrix-hookshot[4375]:   errno: -111,
Jan 24 10:42:01 element matrix-hookshot[4375]:   code: 'ECONNREFUSED',
Jan 24 10:42:01 element matrix-hookshot[4375]:   syscall: 'connect',
Jan 24 10:42:01 element matrix-hookshot[4375]:   address: '172.25.0.7',
Jan 24 10:42:01 element matrix-hookshot[4375]:   port: 8008
Jan 24 10:42:01 element matrix-hookshot[4375]: }

• all mautrix bridges, also uses http://matrix-traefik:8008 everywhere
  Jan 24 10:42:16 element matrix-mautrix-facebook[5866]: mautrix.errors.base.MatrixConnectionError: Cannot connect to host matrix-traefik:8008 ssl:default

I haven't investigate the last two. Let me know if more logs are needed and/or if I should create dedicated issues for each.

[WowSuchRicky]

I am having the same issue as @gnouts. As you pointed out, almost certainly related to 8dadcee.

[venimus]

• matrix-media-repo, because I had devture_traefik_config_entrypoint_web_secure_enabled: false as I'm using my own Caddy as a proxy. I switched to true and told caddy to ignore tls errors while proxying. It's more a hack than a fix. And the default config of media-repo still point to http://matrix-synapse:8008 which works (but breaks media for bridges) but I thought it was supposed to steal path on Traefik.

I also have issues with Caddy as proxy + 'web_secure: false' (I want ssl from Caddy):

Fixed my issues (lots of "invalid entrypoints") with

matrix_media_repo_container_labels_traefik_media_entrypoints: "web"
matrix_media_repo_container_labels_traefik_logout_entrypoints: "web"
matrix_media_repo_container_labels_traefik_admin_entrypoints: "web"
matrix_media_repo_container_labels_traefik_t2bot_entrypoints: "web"

However registration stopped working

# identity server / email login and other
matrix_ma1sd_enabled: true
matrix_ma1sd_verbose_logging: true
#this actually have to be set in the jinja template homeserver.yaml.j2 because there is no var exposed for it
disable_msisdn_registration: true
matrix_synapse_registrations_require_3pid: ['email']

I get:

matrix-ma1sd[844078]: [XNIO-1 task-1] INFO io.kamax.mxisd.http.undertow.handler.BasicHttpHandler - Request POST http://<myserverfqdn>/_matrix/client/r0/register/email/requestToken - Error M_FORBIDDEN: Your email address cannot be used for registration

I have the same configuration on other domain and with a bit older deployment (before nginx deprecation) where it's fine

[crapo9000]

I've played around a bit and found out, that the federation api returns a "404 page not found" error on accessing this URL: https://matrix.domain:8448/_matrix/federation/v1/openid/userinfo?access_token=redacted. (This is what UVS is doing, to check the validity of an access token on joining a jitsi call)

In a working environment (before NGINX removal) there should be a response like "{"errcode":"M_UNKNOWN_TOKEN","error":"Access Token unknown or expired"}"

@spantaleev Have there been any changes regarding the federation API since the switch to the traefik only setup?

[spantaleev]

Is your server federating? If you're getting "not found", it may be that it's not and that /_matrix/federation is not being handled.

For my server, I can see the {"errcode":"M_UNKNOWN_TOKEN","error":"Access Token unknown or expired"} response when calling this URL from outside.

If UVS is doing it from a container, there may be some routing issue, so testing it from the outside is a good first step.

If your server is not federating, then that API may still be made available. We supposedly have this variable override which takes care of it (and even takes UVS into account):

matrix-docker-ansible-deploy/group_vars/matrix_servers

Line 3948 in 8a9a700

matrix_synapse_federation_port_openid_resource_required: "{{ not matrix_synapse_federation_enabled and (matrix_dimension_enabled or matrix_ma1sd_enabled or matrix_user_verification_service_enabled) }}"

[crapo9000]

Is your server federating? If you're getting "not found", it may be that it's not and that /_matrix/federation is not being handled.

No, I have explicitly deactivated federation in both instances. (dev -> traefik only + prod-> with NGINX)

The variable

matrix_synapse_federation_port_openid_resource_required: "{{ not matrix_synapse_federation_enabled and (matrix_dimension_enabled or matrix_ma1sd_enabled or matrix_user_verification_service_enabled) }}"

is doing what it should and makes the openid available as far as i can tell. But the path /_matrix/federation/openid seems not to be handled in the traefik only environment.(at least in my setup) From my understanding matrix-synapse-reverse-proxy-companion was handling these requests before. So is it possible that there are missing configs at the traefik side?