
updated nginx configuration information required for recent versions of synapse #64

Open
tgurr opened this issue Oct 19, 2020 · 4 comments

Comments

@tgurr

tgurr commented Oct 19, 2020

matrix-org/synapse#8227 replaced the previous

location /_matrix {

with

location ~* ^(\/_matrix|\/_synapse\/client) {

which now seems to interfere with the configuration required for ma1sd. When making the change above, riot/element complains about not being able to reach the identity server; if I revert it back to just /_matrix it works again, but I wonder what problems I'll run into by not following the recent upstream change.

I'm not an nginx and/or regex expert, so any advice here is greatly appreciated. Here's the relevant part of my configuration:

        # ma1sd
        location /_matrix/client/r0/user_directory/ {
            proxy_pass http://localhost:8090/_matrix/client/r0/user_directory/;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }

        # ma1sd
        location /_matrix/identity {
            proxy_pass http://localhost:8090/_matrix/identity;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }

        # synapse
        location /_matrix {
#        location ~* ^(\/_matrix|\/_synapse\/client) {
            proxy_pass http://localhost:8008;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }

        location /.well-known/matrix/server {
            access_log off;
            add_header Access-Control-Allow-Origin *;
            add_header Content-Type application/json;
            return 200 '{"m.server": "matrix.domain.local:443"}';
        }

        location /.well-known/matrix/client {
            access_log off;
            add_header Access-Control-Allow-Origin *;
            add_header Content-Type application/json;
            return 200 '{"m.homeserver": {"base_url": "https://matrix.domain.local/"}, "m.identity_server": {"base_url": "https://matrix.domain.local"}, "im.vector.riot.e2ee": {"default": false}}';
        }
@lbeltrame

matrix-ansible-deploy uses a different, non-regex based solution which uses separate /_matrix and /_synapse locations. I wonder if that might work. See https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 (note: this is a template for ansible to use, so it can't be used verbatim).

@q-wertz

q-wertz commented Nov 6, 2020

For me the

# ma1sd
location /_matrix/client/r0/user_directory/ {
    proxy_pass http://localhost:8090/_matrix/client/r0/user_directory/;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $remote_addr;
}

# ma1sd
location /_matrix/identity {
    proxy_pass http://localhost:8090/_matrix/identity;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $remote_addr;
}

part did not work. I have to use

# ma1sd
location ^~ /_matrix/client/r0/user_directory/ {
    proxy_pass http://localhost:8090/_matrix/client/r0/user_directory/;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $remote_addr;
}

# ma1sd
location ^~ /_matrix/identity {
    proxy_pass http://localhost:8090/_matrix/identity;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $remote_addr;
}

Is this a bug in the description, or predictable behavior due to the new location ~* ^(\/_matrix|\/_synapse\/client) { line, or am I missing something here?
Also see https://docs.nginx.com/nginx/admin-guide/web-server/web-server/#configuring-locations
I think

Higher priority is given to regular expressions, unless the ^~ modifier is used. Among the prefix strings NGINX Plus selects the most specific one (that is, the longest and most complete string).

is the problem here, as with the new version a regular expression was introduced, and that's why the old config does not work anymore (match by order).

One more thought:
I think they use the new regex to match /_matrix/ AND /_synapse/client as at some point they want to change to /_synapse/client as the endpoint (I think I read that somewhere, and also some things are already at this endpoint, see matrix-org/synapse#8154). In particular, /_synapse/admin is excluded in that case (for security reasons).
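As an added illustration of the precedence rule quoted above, here is a small Python simulation of nginx's location selection run over the three configurations this thread discusses (the old /_matrix prefix, the new regex with plain ma1sd prefixes, and the regex with ^~ on the ma1sd prefixes). This is example code written for this page, not code from the issue, ma1sd, synapse or nginx; the upstream labels ma1sd:8090 and synapse:8008 and the sample request paths are assumed for illustration. It also goes a little beyond the thread by handling = exact matches and by showing that a /_synapse/admin request matches no location at all under the regex configuration.

```python
"""Simulate nginx 'location' selection for the ma1sd + synapse configs.

Added example for this thread; not code from the issue, ma1sd, synapse or
nginx. Upstream labels and sample request paths are assumed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Location:
    modifier: str   # "" prefix, "=" exact, "^~" prefix (final), "~" regex, "~*" regex ignoring case
    pattern: str
    upstream: str   # label standing in for the proxy_pass target (assumed names)


def select_location(locations: List[Location], uri: str) -> Optional[Location]:
    """Return the location nginx would pick for an already-normalized URI.

    Order of evaluation (nginx 'location' directive documentation):
      1. an '=' location whose string equals the URI wins at once;
      2. the longest matching prefix ('' or '^~') is remembered; if it is a
         '^~' location, regexes are skipped and it wins;
      3. regex locations are tested in configuration order; first match wins;
      4. otherwise the remembered longest prefix is used (None if none matched).
    """
    for loc in locations:
        if loc.modifier == "=" and loc.pattern == uri:
            return loc

    longest: Optional[Location] = None
    for loc in locations:
        if loc.modifier in ("", "^~") and uri.startswith(loc.pattern):
            if longest is None or len(loc.pattern) > len(longest.pattern):
                longest = loc
    if longest is not None and longest.modifier == "^~":
        return longest

    for loc in locations:
        if loc.modifier in ("~", "~*"):
            flags = re.IGNORECASE if loc.modifier == "~*" else 0
            if re.search(loc.pattern, uri, flags):
                return loc

    return longest


def route(locations: List[Location], uri: str) -> Optional[str]:
    """Upstream label for uri, or None when no location matches (nginx then
    falls back to the server block's default handling, usually a 404)."""
    loc = select_location(locations, uri)
    return loc.upstream if loc is not None else None


MA1SD = "ma1sd:8090"      # assumed label for proxy_pass http://localhost:8090
SYNAPSE = "synapse:8008"  # assumed label for proxy_pass http://localhost:8008
SYNAPSE_REGEX = r"^(\/_matrix|\/_synapse\/client)"   # regex from matrix-org/synapse#8227

# Old synapse docs: plain /_matrix prefix. The longer ma1sd prefixes win on length.
OLD = [
    Location("", "/_matrix/client/r0/user_directory/", MA1SD),
    Location("", "/_matrix/identity", MA1SD),
    Location("", "/_matrix", SYNAPSE),
]

# New synapse docs with the ma1sd blocks left as plain prefixes: the regex
# outranks every plain prefix, so identity traffic is sent to synapse.
BROKEN = [
    Location("", "/_matrix/client/r0/user_directory/", MA1SD),
    Location("", "/_matrix/identity", MA1SD),
    Location("~*", SYNAPSE_REGEX, SYNAPSE),
]

# The fix from this thread: '^~' makes the ma1sd prefix matches final.
FIXED = [
    Location("^~", "/_matrix/client/r0/user_directory/", MA1SD),
    Location("^~", "/_matrix/identity", MA1SD),
    Location("~*", SYNAPSE_REGEX, SYNAPSE),
]

SAMPLE_URIS = [  # constructed request paths, not captured traffic
    "/_matrix/identity/v2/lookup",
    "/_matrix/client/r0/user_directory/search",
    "/_matrix/client/r0/sync",
    "/_synapse/client/saml2/authn_response",
    "/_synapse/admin/v1/users",
]

if __name__ == "__main__":
    for name, cfg in (("OLD", OLD), ("BROKEN", BROKEN), ("FIXED", FIXED)):
        for uri in SAMPLE_URIS:
            print(f"{name:6} {uri:42} -> {route(cfg, uri)}")
```

Two caveats when comparing this with a real nginx: the simulation works on already-normalized paths (nginx decodes percent-escapes, resolves . and .. segments and merges slashes before matching, so do not probe it with raw encoded URIs), and prefix matches are case-sensitive while the ~* regex is not, so a request for /_MATRIX/identity/... skips the ma1sd ^~ prefixes and lands on the synapse regex. A path such as /_synapse/admin/v1/users matches none of the locations under the regex configuration, which is exactly the point of leaving the admin API out of the public regex.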

@tgurr

tgurr commented Mar 1, 2021

@q-wertz huge thanks for your suggestion, I also had to add ^~ to the ma1sd locations for things to work.
As you've already predicted, this issue is becoming more and more important, and now was a real problem for me because of matrix-org/synapse@8f75bf1, which changes the saml2 endpoint from _matrix to _synapse/client, for which the new location ~* ^(\/_matrix|\/_synapse\/client) { is strictly required, which in turn broke the ma1sd lookups for me without the change you posted above. With ^~ added to the ma1sd locations things appear to work, meaning SAML login, ma1sd lookups and the regular chat. I didn't test much or in more depth, as I've just upgraded and made the SAML endpoint and the changes to the nginx configuration, but things look good. Again thanks for posting the solution above!

@q-wertz

q-wertz commented Mar 1, 2021

You're welcome 🎉
