binwiederhier / ntfy

Send push notifications to your phone or desktop using PUT/POST
https://ntfy.sh
Apache License 2.0

Matrix push gateway doesn't send/receive notification from the clients in SchildiChat: Self-hosting, reverse proxy, unix-socket #982

Open michalszmidt opened 11 months ago

michalszmidt commented 11 months ago

:lady_beetle: Describe the bug

Matrix push gateway doesn't send/receive notification from the clients in SchildiChat

:computer: Components impacted

:bulb: Screenshots and/or logs

:crystal_ball: Additional context

ntfy config:

base-url: "https://my-domain-formatted"
attachment-cache-dir: "/usr/local/etc/ntfy/cache"
attachment-total-size-limit: "4G"
attachment-file-size-limit: "40M"
attachment-expiry-duration: "6h"
visitor-attachment-total-size-limit: "500M"
visitor-attachment-daily-bandwidth-limit: "1G"
auth-file: "/usr/local/etc/ntfy/user.db"
auth-default-access: "deny-all"
listen-http: "-"
listen-unix: "/var/sockets/ntfy/ntfy.sock"
behind-proxy: true
listen-unix-mode: 0777
log-level: info
log-format: text
log-file: /var/log/ntfy/ntfy.log

nginx config of :

upstream ntfysock {
    server unix:/var/sockets/ntfy/ntfy.sock;
}

server {
  listen 443 ssl;
  http2 on;

  server_name mydomain
  ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
  ssl_certificate /usr/local/etc/letsencrypt/live/mydomain/fullchain.pem;
  ssl_certificate_key /usr/local/etc/letsencrypt/live/mydomain/privkey.pem;
  include /usr/local/etc/letsencryptoptions-ssl-nginx.conf;
  ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem;

  location / {
    proxy_pass http://ntfysock;
    proxy_http_version 1.1;

#    proxy_buffering off;
#    proxy_request_buffering off;
#    proxy_redirect off;

    proxy_set_header Host $http_host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    proxy_connect_timeout 3m;
    proxy_send_timeout 3m;
    proxy_read_timeout 3m;

    client_max_body_size 0; # Stream request body to backend
  }
}

server {
    if ($host = mydomain) {
        return 301 https://$host$request_uri;
    }

        listen 80;
        server_name
    return 404;
}

Another variation of the HTTP server was tested, just a copy-paste from the documentation config.

The only thing different I need from the common use scenario is:

Guess what might be the problem:

  1. nginx config for HTTP and redirect to HTTPS
  2. HTTP request made by SchildiChat with HTTP, not HTTPS
  3. ntfy server with unix socket listening

escix commented 1 week ago

Notification works when the up* is given read-write access
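
Added example, not part of the thread and not ntfy's own code: a small probe that separates the guesses listed in the issue (proxy or socket path) from the access-control cause named in the last comment, for a server running `auth-default-access: "deny-all"`. Assumptions: the gateway answers `GET /_matrix/push/v1/notify` with `{"unifiedpush":{"gateway":"matrix"}}`, a refused publish returns 401 or 403, and the topic name passed in is a placeholder you choose.

```python
import json
import sys
import urllib.error
import urllib.request


def _request(url, data=None, timeout=10):
    """Anonymous GET (or POST when data is given); returns (status, body)."""
    req = urllib.request.Request(url, data=data)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a verdict
        return err.code, err.read().decode("utf-8", "replace")


def check_unifiedpush(base_url, topic):
    """Probe the two things a Matrix push needs from a deny-all ntfy server."""
    base = base_url.rstrip("/")
    # 1. Gateway discovery through the reverse proxy (assumed response shape:
    #    {"unifiedpush": {"gateway": "matrix"}}).
    status, body = _request(f"{base}/_matrix/push/v1/notify")
    try:
        gateway = json.loads(body)["unifiedpush"]["gateway"]
    except (ValueError, KeyError, TypeError):
        gateway = None
    # 2. Publish without credentials to an up* topic (assumption: this is
    #    how a homeserver's push reaches the topic).
    pub_status, _ = _request(f"{base}/{topic}", data=b"acl probe")
    if pub_status == 200:
        verdict = "allowed"
    elif pub_status in (401, 403):
        verdict = "denied"  # default access applies, no ACL entry for up*
    else:
        verdict = "unexpected"
    return {
        "gateway_ok": status == 200 and gateway == "matrix",
        "publish_status": pub_status,
        "anonymous_publish": verdict,
    }


if __name__ == "__main__":
    # Usage: python3 check_up.py <base-url> <up-topic>  (both supplied by you)
    print(check_unifiedpush(sys.argv[1], sys.argv[2]))
```

If `gateway_ok` is true and `anonymous_publish` is "denied", nginx and the unix socket are working and the missing piece is access to the `up*` topics.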