search

matrix-org / synapse

Synapse: Matrix homeserver written in Python/Twisted.
https://matrix-org.github.io/synapse
Apache License 2.0
11.79k stars 2.13k forks source link

Apache reverse proxy location syntax maybe leads to errors #4841

Closed dev4223 closed 5 years ago

dev4223 commented 5 years ago

Description

I have a matrix synapse and mxisd installation on debian stretch working. Only thing is, that I can't validate any email address. Email is sent but after clicking on the link i get the backend page with this message:

´´´ {"errcode":"M_NO_VALID_SESSION","error":"No valid session was found matching that sid and client secret","success":false} ´´´

Please read here https://github.com/kamax-matrix/mxisd/issues/141

Version information

Debian Stretch

I've installed the lates matrix synapse package for debian stretch: Package: matrix-synapse-py3 Version: 0.99.2+stretch1

and installed the latest stable mxisd package for stretch: mxisd_1.3.1_all.deb

Solution

@pexus in https://github.com/kamax-matrix/mxisd/issues/142 brought me to the Idea: My apache config was 

ProxyPreserveHost On
ProxyPass /_matrix/identity http://127.0.0.1:8090/_matrix/identity
ProxyPassReverse /_matrix/identity http://127.0.0.1:8090/_matrix/identity
<Location /_matrix>
  ProxyPass http://127.0.0.1:8008/_matrix nocanon
  ProxyPassReverse http://127.0.0.1:8008/_matrix
</Location>

Now I have changed it to

ProxyPreserveHost On
ProxyPass /_matrix/identity http://127.0.0.1:8090/_matrix/identity
ProxyPassReverse /_matrix/identity http://127.0.0.1:8090/_matrix/identity
ProxyPass /_matrix http://127.0.0.1:8008/_matrix nocanon
ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix

This solved the problem. This Location-syntax for synapse comes frome here https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.rst And after the description here https://httpd.apache.org/docs/2.4/mod/core.html#location it seems not a good idea to do so.

richvdh commented 5 years ago

Your problem was the mix of ProxyPass directives inside and outside Location directives.

The example came from https://github.com/matrix-org/synapse/pull/3783. @cwmke : was there a reason to prefer Location directives here?

dev4223 commented 5 years ago

I came from the issue kamax-matrix/mxisd#141 and kamax-matrix/mxisd#142. First try was to put the ProxyPass Directives both into different Location-Tags, one for /_matrix and one for /_matrix/identity. Then matrix identity didn't work so i tried it without Location syntax. In matrix identity INSTALL readme it is put this way, in your readme for reverse_proxy it is with Location syntax. So I mixed it. Last try was both without Location and it worked.

cwmke commented 5 years ago

@richvdh no reason in particular. I was attempting to figure out how to get things working with apache and must have found an example that worked. From the linked documentation it sounds like location tags are an issue if the below is true.

This has several consequences. Most importantly, directives should not be used to control access to filesystem locations. Since several different URLs may map to the same filesystem location, such access controls may by circumvented.

@dev4223: your solution works well (just confirmed on my server.) I'll just submit a pull request to update the documentation using that syntax if that's agreeable?

dev4223 commented 5 years ago

Oh yes, I'm glad I could help.

richvdh commented 5 years ago

fixed by #4870