Closed kbrantley closed 5 years ago
I think this is actually working correctly. From the spec:
If
<delegated_hostname>
is not an IP literal, and<delegated_port>
is present, an IP address is discovered by looking up an AAAA or A record for<delegated_hostname>
. The resulting IP address is used, alongside the<delegated_port>
. Requests must be made with a Host header of<delegated_hostname>:<delegated_port>
. The target server must present a valid certificate for<delegated_hostname>
.
https://matrix.org/docs/spec/server_server/r0.1.2#resolving-server-names
@turt2live If I understand the problem correctly, the issue is that the tester is not sending a Host header along with the request. To quote from your quote:
Requests must be made with a Host header of
: .
(emphasis mine)
So it sounds to me like when a request to a home server is made, a Host header must be present in the request. Else, how would a reverse proxy know where to forward requests to when it's proxying a bunch of domains on the same ports.
I'm running into a similar issue where evaluating whether federation is working over port 443 is proving difficult because the default site is swallowing the requests made by the federation tester.
the federation tester does send a Host header as per the spec. Your problems lie elsewhere.
I have a relatively simple config, where
example.com/.well-known/matrix/server
points tomatrix.example.com:443
, and the SRV record points tomatrix.example.com:443
as well. In short, matrix connectivity for example.com is handled bymatrix.example.com:443
.homeserver.yaml
hasserver_name
configured asexample.com
as well.This works! It works well. It works in the browser, it works in the desktop "app," and it works for the android app as well.
However, it doesn't work in the federation tester, likely because
matrix.example.com:443
is a haproxy instance, which only passes requests where both the SNI parameter and theHost:
header are set tomatrix.example.com
. Sample config:A way to summarize this config is "if the client is connecting to
matrix.example.com
, then use the matrix backend. There are some other services that should be used if they are requested. Lastly, require authentication for anything that isn't the matrix endpoint."Likewise, what I'm seeing, is that the federation tester fails to verify that the federation is capable of working, and instead presets
"msg=Failed to GET JSON to : <html><body><h1>503 Service Unavailable</h1>\nNo server is available to handle this request.[...]"
which is a scenario where it very plainly isn't passingHost: matrix.example.com
to the backend.A potential workaround is for me to add a
use_backend matrix
line, which changes the default handler to be matrix when no other matchingHost:
header is found. When I do this, the federation tester works great and says that everything is just fine. However, this proves to me that theHost:
header isn't being properly sent by the federation tester. It also means that any random time the IP address is accessed directly it'll be synapse responding, which is not what I want to have happen.I performed a packet capture and was able to confirm that SNI is being sent properly, but logging the
Host:
header is proving to be annoying, so I don't have a 100% guarantee that it isn't being sent properly, aside from the behavior that I've described here.It's possible that I'm misunderstanding the requirements for federation, but "clients trying to connect to
matrix.example.com:443
should negotiate SNI and send an appropriateHost:
header" seems like a rational thing to be doing.Because I don't want to be "that person" who only provides sanitized/redacted configs and examples, my actual haproxy-fronted synapse instance is here. It's currently throwing a "no backend available" error for... the reasons described above.
Lastly, here is the output of the federation tester with the default backend configured, showing a success state: successful-federation.json.txt