matrix-org / synapse

Synapse: Matrix homeserver written in Python/Twisted.
https://matrix-org.github.io/synapse
Apache License 2.0

federation seems to work, server available but clients unable to connect. #7093

Closed poetaster closed 4 years ago

poetaster commented 4 years ago

Description

Clients cannot connect although the server is available via proxy and dns srv records are in place.

https://federationtester.matrix.org/ also shows all green???

Steps to reproduce

try to connect with riot.im to https://matrix.netzpolitik.org (https proxy)

The old (sqlite, direct port 8448) method worked. After moving to postgres (all fine) and putting a proxy in front, no go.

The proxy is running on one private jail (443 traffic forwarded to it) and the synapse server is running on its own jail with 8008 and 8448 forwarded to it. Both proxy and synapse share the same certs.

Version information

matrix.netzpolitik.org { "python_version": "3.7.6", "server_version": "1.7.2" }

-debug

```json
{
    "WellKnownResult": {
        "m.server": "",
        "result": "No .well-known found"
    },
    "DNSResult": {
        "SRVCName": "_matrix._tcp.matrix.netzpolitik.org.",
        "SRVRecords": [
            {
                "Target": "matrix.netzpolitik.org.",
                "Port": 443,
                "Priority": 10,
                "Weight": 5
            }
        ],
        "SRVError": null,
        "Hosts": {
            "matrix.netzpolitik.org.": {
                "CName": "matrix.netzpolitik.org.",
                "Addrs": [
                    "91.102.13.7"
                ],
                "Error": null
            }
        },
        "Addrs": [
            "91.102.13.7:443"
        ]
    },
    "ConnectionReports": {
        "91.102.13.7:443": {
            "Certificates": [
                {
                    "SubjectCommonName": "matrix.netzpolitik.org",
                    "IssuerCommonName": "Let's Encrypt Authority X3",
                    "SHA256Fingerprint": "n4LGqQYS42eD2KZgaCNrYJSdKWoRDeapH3QttSX5Noo",
                    "DNSNames": [
                        "matrix.netzpolitik.org"
                    ]
                },
                {
                    "SubjectCommonName": "Let's Encrypt Authority X3",
                    "IssuerCommonName": "DST Root CA X3",
                    "SHA256Fingerprint": "JYR9Zo608E/dQLErawdAxWfafQJDCOtsLJb+QdneIY0",
                    "DNSNames": null
                }
            ],
            "Cipher": {
                "Version": "TLS 1.2",
                "CipherSuite": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
            },
            "Checks": {
                "AllChecksOK": true,
                "MatchingServerName": true,
                "FutureValidUntilTS": true,
                "HasEd25519Key": true,
                "AllEd25519ChecksOK": true,
                "Ed25519Checks": {
                    "ed25519:a_sANA": {
                        "ValidEd25519": true,
                        "MatchingSignature": true
                    }
                },
                "ValidCertificates": true
            },
            "Errors": [],
            "Ed25519VerifyKeys": {
                "ed25519:a_sANA": "js9k95dU/5VAELzJkjH0Lgqu14F5NOzy0yFmTG4lDTc"
            },
            "Info": {},
            "Keys": {
                "old_verify_keys": {},
                "server_name": "matrix.netzpolitik.org",
                "signatures": {
                    "matrix.netzpolitik.org": {
                        "ed25519:a_sANA": "ZSYUmSeqyptfbdlURDFyrSks5F4nswCzqlcBMn5tUQktyYj/kObn+LK8hR7rTswppiXWS0u5inUHggJ3QxuqAQ"
                    }
                },
                "tls_fingerprints": [
                    {
                        "sha256": "n4LGqQYS42eD2KZgaCNrYJSdKWoRDeapH3QttSX5Noo"
                    }
                ],
                "valid_until_ts": 1584543210770,
                "verify_keys": {
                    "ed25519:a_sANA": {
                        "key": "js9k95dU/5VAELzJkjH0Lgqu14F5NOzy0yFmTG4lDTc"
                    }
                }
            }
        }
    },
    "ConnectionErrors": {},
    "Version": {
        "name": "Synapse",
        "version": "1.7.2"
    },
    "FederationOK": true
}
```

poetaster commented 4 years ago

Log output; logins work:

```
(2): 0.001%, users_set_deactivated_flag(0): 0.000%}
2020-03-17 15:32:51,992 - synapse.access.http.8008 - 233 - INFO - GET-47- 10.0.0.8 - 8008 - Received request: GET /_matrix/client/versions
2020-03-17 15:32:51,993 - synapse.access.http.8008 - 302 - INFO - GET-47- 10.0.0.8 - 8008 - {None} Processed request: 0.001sec/0.000sec (0.000sec, 0.000sec) (0.000sec/0.000sec/0) 187B 200 "GET /_matrix/client/versions HTTP/1.1" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0" [0 dbevts]
2020-03-17 15:32:52,052 - synapse.access.http.8008 - 233 - INFO - GET-48- 10.0.0.8 - 8008 - Received request: GET /_matrix/client/versions
2020-03-17 15:32:52,053 - synapse.access.http.8008 - 302 - INFO - GET-48- 10.0.0.8 - 8008 - {None} Processed request: 0.001sec/0.000sec (0.001sec, 0.000sec) (0.000sec/0.000sec/0) 187B 200 "GET /_matrix/client/versions HTTP/1.1" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0" [0 dbevts]
2020-03-17 15:32:52,095 - synapse.access.http.8008 - 233 - INFO - GET-49- 10.0.0.8 - 8008 - Received request: GET /_matrix/client/versions
2020-03-17 15:32:52,096 - synapse.access.http.8008 - 302 - INFO - GET-49- 10.0.0.8 - 8008 - {None} Processed request: 0.001sec/0.000sec (0.001sec, 0.000sec) (0.000sec/0.000sec/0) 187B 200 "GET /_matrix/client/versions HTTP/1.1" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0" [0 dbevts]
2020-03-17 15:32:52,147 - synapse.access.http.8008 - 233 - INFO - GET-50- 10.0.0.8 - 8008 - Received request: GET /_matrix/client/r0/login
2020-03-17 15:32:52,148 - synapse.access.http.8008 - 302 - INFO - GET-50- 10.0.0.8 - 8008 - {None} Processed request: 0.001sec/0.000sec (0.001sec, 0.000sec) (0.000sec/0.000sec/0) 59B 200 "GET /_matrix/client/r0/login HTTP/1.1" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0" [0 dbevts]
2020-03-17 15:32:55,583 - synapse.access.http.8008 - 233 - INFO - OPTIONS-51- 10.0.0.8 - 8008 - Received request: OPTIONS /_matrix/client/r0/login
2020-03-17 15:32:55,585 - synapse.access.http.8008 - 302 - INFO - OPTIONS-51- 10.0.0.8 - 8008 - {None} Processed request: 0.001sec/0.000sec (0.001sec, 0.000sec) (0.000sec/0.000sec/0) 22B 200 "OPTIONS /_matrix/client/r0/login HTTP/1.1" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0" [0 dbevts]
2020-03-17 15:32:55,637 - synapse.access.http.8008 - 233 - INFO - POST-52- 10.0.0.8 - 8008 - Received request: POST /_matrix/client/r0/login
2020-03-17 15:32:55,638 - synapse.rest.client.v1.login - 176 - INFO - POST-52- Got login request with identifier: {'type': 'm.id.user', 'user': 'mwa'}, medium: None, address: None, user: None
2020-03-17 15:32:56,257 - synapse.handlers.auth - 495 - INFO - POST-52- Logging in user @mwa:matrix.netzpolitik.org on device AAEJBQGVEO
2020-03-17 15:32:56,358 - synapse.access.http.8008 - 302 - INFO - POST-52- 10.0.0.8 - 8008 - {None} Processed request: 0.721sec/0.000sec (0.418sec, 0.000sec) (0.001sec/0.303sec/5) 362B 200 "POST /_matrix/client/r0/login HTTP/1.1" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0" [0 dbevts]
```

richvdh commented 4 years ago

the federation tester is unrelated to client connections. Likewise SRV records are not used by clients.

From your log sample, it looks like at least one client has successfully connected and logged in.

What exactly are the symptoms you are seeing?

poetaster commented 4 years ago

It looks like I had overlooked the `x_forwarded: true` setting, but having corrected that I still get network errors:

```
2020-03-18 07:58:05,653 - synapse.handlers.auth - 495 - INFO - POST-5- Logging in user @mwa:matrix.netzpolitik.org on device OBIGJQAUUK
2020-03-18 07:58:05,667 - synapse.access.http.8008 - 302 - INFO - POST-5- 95.90.235.89 - 8008 - {None} Processed request: 0.413sec/0.000sec (0.345sec, 0.002sec) (0.002sec/0.064sec/8) 365B 200 "POST /_matrix/client/r0/login HTTP/1.1" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0" [0 dbevts]
```

Visible here is that the IP of my home connection is making it through the reverse proxy.

If I simply use a browser to feed commands to matrix, I get results: for instance: https://matrix.netzpolitik.org/_matrix/client/r0/login

results in:

```json
{ "flows": [ { "type": "m.login.password" } ] }
```

poetaster commented 4 years ago

I got it. Clients are stuck because of CORS headers. The debug console using the Riot web client shows: Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://matrix.netzpoilitik.org/_matrix/client/versions. (Reason: CORS request did not succeed).
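As an added illustration (not code from this thread or from Synapse), here are the two checks that correspond to the thread's two findings, in Python: whether a response from the proxied client API still carries the CORS headers the Matrix client-server spec lists, and whether Synapse's access log records the real client address or the proxy's private one. The HTTP responses and the trimmed log lines are constructed samples; the access-log layout is the one quoted above.

```python
import ipaddress
import re

# CORS headers the Matrix client-server spec expects on every CS API response. Synapse
# emits them itself, so their absence at the browser means the reverse proxy dropped them.
REQUIRED_CORS = {
    "access-control-allow-origin": {"*"},
    "access-control-allow-methods": {"get", "post", "put", "delete", "options"},
    "access-control-allow-headers": {"origin", "x-requested-with", "content-type", "accept", "authorization"},
}

def parse_headers(raw):
    """Split a raw HTTP/1.1 response head into (status line, lower-cased header dict)."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def cors_problems(raw):
    """Return the CORS headers/values a browser-based client (e.g. Riot web) would miss."""
    _, headers = parse_headers(raw)
    problems = []
    for name, required in REQUIRED_CORS.items():
        present = {v.strip().lower() for v in headers.get(name, "").split(",") if v.strip()}
        missing = required - present
        if missing:
            problems.append(f"{name}: missing {sorted(missing)}")
    return problems

# Synapse access-log lines carry "<VERB>-<n>- <client ip> - <port> -"; a private address
# there means the proxy's X-Forwarded-For header is being ignored (x_forwarded: false).
LOG_RE = re.compile(r"\b[A-Z]+-\d+- (?P<ip>[0-9a-fA-F.:]+) - \d+ - ")

def proxied_client_ips(log_text):
    """Return [(ip, is_private)] for every access-log line that names a client address."""
    return [(m.group("ip"), ipaddress.ip_address(m.group("ip")).is_private)
            for m in LOG_RE.finditer(log_text)]

# Constructed samples: a proxy that strips Synapse's CORS headers vs. one passing them through, plus two log lines trimmed from the thread.
STRIPPED = "HTTP/1.1 200 OK\nServer: reverse-proxy\nContent-Type: application/json\n\n{}\n"
PASSTHROUGH = ("HTTP/1.1 200 OK\nServer: Synapse/1.7.2\nContent-Type: application/json\n"
               "Access-Control-Allow-Origin: *\n"
               "Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS\n"
               "Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization\n\n{}\n")
SAMPLE_LOG = ("2020-03-17 15:32:56,358 - synapse.access.http.8008 - 302 - INFO - POST-52- 10.0.0.8 - 8008 - {None} Processed request\n"
              "2020-03-18 07:58:05,667 - synapse.access.http.8008 - 302 - INFO - POST-5- 95.90.235.89 - 8008 - {None} Processed request\n")
```

Running `cors_problems` against a live `GET /_matrix/client/versions` through the proxy reproduces the Riot console error from the server side, without needing a browser.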