Closed hmanzer closed 1 year ago
I am trying to use a Let's Encrypt certificate (Caddy reverse proxy), with the same Caddyfile as my Matrix server but with additional lines:
xx.xx.com{
reverse_proxy /_matrix/v1/notify localhost:5000/
}
So our push gateway URL in the client is https://xx.xx.com/_matrix/v1/notify
However, the Let's Encrypt certificate doesn't work with the push gateway, but it works fine with the Matrix server.
If we remove the push gateway from the reverse proxy and hit the push gateway directly with its static IP, http://staticip:5000/_matrix/v1/notfiy, the push notification reaches Sygnal.
I don't know why Let's Encrypt/the reverse proxy isn't working for our push gateway configuration.
The error we get if we use https with the push gateway is a JSONDecode error.
> However, the Let's Encrypt certificate doesn't work with the push gateway, but it works fine with the Matrix server.
Can you expand more about what "doesn't work"? Are you getting an error somewhere? From the homeserver logs perhaps?
There should not be anything special about the reverse proxy for Sygnal. Note that the URL is /_matrix/push/v1/notify, not /_matrix//v1/notify.
Sorry, it was manually typed and not copy-pasted. We are using the URL /_matrix/push/v1/notify
The error when used with https is JSONDecode Error. Shown below, we get a 200 code and then JSONDecode error if we use reverse proxy. The 200 code confirms that it is working fine but when matrix server tries to send the message it can't. This error is not there if we bypass the reverse proxy and use http only.
2023-09-04 11:52:54,842 - synapse.http.client - 414 - INFO - http_pusher.on_new_receipts-55 - Received response to POST https://xx.xx.com/_matrix/push/v1/notify: 200
2023-09-04 11:52:54,842 - synapse.push.httppusher - 527 - WARNING - http_pusher.on_new_receipts-55 - Failed to send badge count to @myname:xx.xx.com.my/im.zz.app/onb+OSOY7qAcGWm5H7DxscYw2pClY5PvQBvK5wb5r5M=: <class 'json.decoder.JSONDecodeError'> Expecting value: line 1 column 1 (char 0)
What are the sygnal logs? Do they show that a request comes in?
From the response I would guess that caddy is either responding directly or that it is sending it to the wrong process. Without showing more of your caddy file it is hard to know which it is.
There is nothing in sygnal logs when caddy/https is used. I saw that there is 200 code in matrix logs for pusher log which tells us that matrix is able to reach sygnal but the actual POST fails from matrix, sygnal logs nothing (while using https).
Caddyfile
zz.xx.com {
reverse_proxy /_matrix/* localhost:8008
reverse_proxy /_synapse/client/* localhost:8008
reverse_proxy localhost:8008
}
xx.xx.com {
reverse_proxy /_matrix/v1/notify localhost:5000/
}
server.xx.com:8448 {
reverse_proxy localhost:8008
}
Where zz.xx.com is our main matrix URL and zz.xx.com is the pusher URL (sharing subdomain xx.com). I have a thought that caddy is generating a Let's Encrypt certificate for zz.xx.com fine (I checked in the browser); is there a conflict for xx.xx.com? Can pusher and matrix share same reverse proxy?
> Can pusher and matrix share same reverse proxy?
They should be able to. Are zz and xx different subdomains? (I'm wondering if there's any chance that the /_matrix/* is matching first as it encompasses /_matrix/v1... . I'm not sure how caddy resolves that.)
Note that again you've typed /_matrix/v1/notify instead of /_matrix/push/v1/notify -- this makes me very uncertain your config is correct.
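The symptom in the logs above (a 200 followed by a JSONDecodeError, with nothing in the Sygnal logs) is what a path-matcher mismatch produces. The sketch below is an added example, not part of the original thread and not code from Synapse, Sygnal or Caddy. It assumes a simplified model of Caddy's path matching (exact match, or prefix match with a trailing `*`) and Caddy's behaviour of answering unmatched requests with an empty 200; the `{"rejected": []}` body and the function names are constructed for illustration.

```python
import json

# Path matcher from the xx.xx.com site block of the Caddyfile posted in this thread.
POSTED_MATCHER = "/_matrix/v1/notify"
# Path the push gateway is actually called on, as stated in the thread.
SYGNAL_PATH = "/_matrix/push/v1/notify"


def caddy_path_matches(matcher, path):
    """Simplified model of a Caddy path matcher (assumption): exact match,
    or prefix match when the matcher ends in '*'. Case-insensitive."""
    matcher, path = matcher.lower(), path.lower()
    if matcher.endswith("*"):
        return path.startswith(matcher[:-1])
    return matcher == path


def proxy_response(matchers, path):
    """Model one site block: if a reverse_proxy matcher matches, the upstream
    answers with JSON; otherwise the proxy itself answers with an empty 200."""
    if any(caddy_path_matches(m, path) for m in matchers):
        return 200, json.dumps({"rejected": []})  # constructed gateway-style reply
    return 200, ""  # no route matched: status 200, empty body


def diagnose(matchers, path):
    """Parse the body the way a JSON client would and report who answered."""
    status, body = proxy_response(matchers, path)
    try:
        json.loads(body)
    except json.JSONDecodeError as exc:
        return f"{status} but not JSON ({exc}): request never reached the push gateway"
    return f"{status} with JSON body: request reached the push gateway"


if __name__ == "__main__":
    print("posted matcher:   ", diagnose([POSTED_MATCHER], SYGNAL_PATH))
    print("corrected matcher:", diagnose([SYGNAL_PATH], SYGNAL_PATH))
```

With the posted matcher the parse error is the same "Expecting value: line 1 column 1 (char 0)" seen in the homeserver log, which is the text an empty body yields.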
zz and xx are subdomains and share the same domain name of xx.com. Yes, it does seem there is a mistake in the Caddyfile, as I copied it as it is and find-and-replaced keywords. Let me make the changes and get back here if all is working.
@hmanzer did you manage to get this working?
Yes. Thanks
Humayun Manzer email: @.***
On Fri, Nov 24, 2023 at 12:02 AM, David Robertson wrote:
> @hmanzer did you manage to get this working?
I am looking at some guidance for running the sygnal server with https using caddy or any other reverse_proxy server