Closed BettyNutz closed 2 years ago
Using localhost to talk to Synapse may only work if matrix_nginx_proxy_enabled: false. In that case, we automatically expose the ports of some containers (like Synapse) on 127.0.0.1.
http://mydominname.com:8448 would be the federation API. It needs https too, not http. The Synapse Admin API is not available on this federation port.
You can access the Synapse Admin API on the Client-Server API port, at https://matrix.DOMAIN.
Alternatively, you can access it on the container network (named matrix by default) using http://matrix-synapse:8008 (http here, not https).
So accessing the api via this method:
You can access the Synapse Admin API on the Client-Server API port, at https://matrix.DOMAIN.
I have to expose the api with:
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true in the vars.yml file before running the playbook?
Hi @spantaleev sorry for hijacking this issue. I am here to improve synadm's documentation regarding the usage with matrix-docker-ansible-deploy installed Synapse instances. I tried to summarize in the README what's required: https://github.com/JOJ0/synadm#matrix-docker-ansible-deploy
I'd kindly ask if you could take a minute and confirm that this information is entirely correct :-) Thanks a ton in advance!
One question beforehand: In that sentence, do I understand correctly that the hostname matrix-synapse is put into the docker host's /etc/hosts file automatically and thus the Synapse container is accessible via the name matrix-synapse. Furthermore with the name matrix you are referring to the name of the container network and not to the hostname?
Alternatively, you can access it on the container network (named matrix by default) using http://matrix-synapse:8008 (http here, not https).
There is no special configuration required in vars.yaml. The default settings will do.
I think we need matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true for accessing the Synapse's Admin APIs via the public endpoint (https://matrix.DOMAIN)
If you access them from within the container network (using http://matrix-synapse:8008), you can avoid exposing the Synapse Admin APIs publicly on https://matrix.DOMAIN using matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true. For that, you need to start a container on that network (e.g. docker run -it --rm --network=matrix docker.io/alpine:3.15.2), install synadm there and use http://matrix-synapse:8008 to talk to Synapse. Alternatively, you can start a synadm container image directly, if one is available (e.g. docker run -it --rm --network=matrix docker.io/JOJ0/synadm:v0.34) and run your synadm commands there.
From what I see, there are 2 options for using synadm against a Synapse homeserver. Either in a container, on the same container network as matrix-synapse (--network=matrix), or anywhere (on the Matrix server or on some other server) with access happening via the public endpoint (https://matrix.DOMAIN). For the latter, one needs to expose Synapse's Admin APIs publicly by toggling matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled to true.
One question beforehand: In that sentence, do I understand correctly that the hostname matrix-synapse is put into the docker host's /etc/hosts file automatically and thus the Synapse container is accessible via the name matrix-synapse
Actually, containers started on the same network (--network=matrix in this case - the playbook starts all its containers there), all use the same DNS server (Docker's internal DNS server). When they say matrix-synapse or some-other-hostname, Docker's internal DNS server resolves that to the internal IP of the container (e.g. 172.18.0.4). This way, containers on the same network can reference each other by name. It's not a static reference hardcoded in /etc/hosts. It's a dynamic answer coming from Docker's internal DNS server. Containers can be restarted and change IPs, and even still Docker's internal DNS server will return the correct address each time you ask it.
Furthermore with the name matrix you are referring to the name of the container network and not to the hostname?
Yes. We create a custom Docker bridge network (docker network create --driver=bridge matrix) and we put all containers that we start in that network (docker run --network=matrix ...). That way, they're isolated from any other containers that may run on the host, and they can all easily talk to one another by name (thanks to Docker's internal DNS, described above).
As with all other things, the network name is configurable via the matrix_docker_network playbook variable (initially defined in roles/matrix-base/defaults/main.yml).
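The container-network route described in the reply above, as an added example that is not part of the thread or of the playbook: a throwaway container on the matrix network calls the room media endpoint from the original question. The SYNAPSE_TOKEN and MATRIX_NETWORK variable names and the script name are assumptions, and the container needs outbound access to install curl.

```shell
#!/bin/sh
# Added example, not from the thread. Queries the Synapse Admin API over the
# playbook's container network, so it does not have to be exposed publicly.

NETWORK="${MATRIX_NETWORK:-matrix}"        # default value of matrix_docker_network
SYNAPSE_URL="http://matrix-synapse:8008"   # internal name and port from the thread (http, not https)
IMAGE="docker.io/alpine:3.15.2"            # throwaway image named in the thread

# Percent-encode one path segment, so a room ID's '!' and ':' need no shell escaping.
urlencode() {
  s=$1 out=
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}   # first character
    s=${s#?}          # remainder
    case $c in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# URL of the room media listing endpoint used in the issue.
room_media_url() {
  printf '%s/_synapse/admin/v1/room/%s/media' "$SYNAPSE_URL" "$(urlencode "$1")"
}

# Run curl in a short-lived container on the matrix network. The token comes
# from the SYNAPSE_TOKEN environment variable (assumed name) and reaches curl
# as a config file on stdin, so it never appears on a command line.
admin_get() {
  : "${SYNAPSE_TOKEN:?export SYNAPSE_TOKEN first}"
  docker run --rm --network="$NETWORK" -e SYNAPSE_TOKEN "$IMAGE" sh -c '
    apk add --no-cache curl >/dev/null &&
    printf "header = \"Authorization: Bearer %s\"\n" "$SYNAPSE_TOKEN" |
      curl -sS -K - "$1"' sh "$(room_media_url "$1")"
}

# Usage (assumed script name): SYNAPSE_TOKEN=... ./admin-media.sh '!roomid:example.com'
if [ "$#" -gt 0 ]; then admin_get "$1"; fi
```

With this route, matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled can stay at its default, so the Admin API is not reachable on https://matrix.DOMAIN.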
Thanks for this superdetailed answer @spantaleev. All clear to me now! Will adapt the readme and probably even additionally point here directly. Why not.
And thanks for the heads up. It is about time to provide synadm as a container ;-)
The synadm README is fixed and improved: https://github.com/JOJ0/synadm#matrix-docker-ansible-deploy
Thanks again @spantaleev for your help! Appreciated! And BTW thanks for maintaining matrix-docker-ansible-deploy! Great project helping admins to spread Matrix :-)
Playbook Configuration:
My vars.yml file looks like this:
Matrix Server:
Ansible: Working fine
Problem description:
Installed the server via the playbook. All good. I need to get the admin api working but it's not. Tried the following commands with ' & " in various locations:
sudo curl -H "Authorization: Bearer syt_***" http://localhost:8008/_synapse/admin/v1/room/\!LXxm**********sHphYK:**************.com/media
sudo curl -H "Authorization: Bearer syt_***" http://localhost:8448/_synapse/admin/v1/room/\!LXxm**********sHphYK:**************.com/media
sudo docker exec matrix-synapse curl -H "Authorization: Bearer syt_***" http://localhost:8008/_synapse/admin/v1/room/\!LXxm**********sHphYK:**************.com/media
sudo docker exec matrix-synapse curl -H "Authorization: Bearer syt_***" http://localhost:8448/_synapse/admin/v1/room/\!LXxm**********sHphYK:**************.com/media
sudo docker exec matrix-synapse curl -H "Authorization: Bearer syt_***" http://mydominname.com:8448/_synapse/admin/v1/room/\!LXxm**********sHphYK:**************.com/media
Do I need to call api from inside the container?
Do I need to use iptables to route from 127.0.0.11 to the backend DNS resolver in the Docker Engine?
I even tried installing synadm. Same issue
Can someone give me an example of an api command.. I'm not sure if I'm using the correct commands and there are no real world examples in the doc.
Client (please complete the following information):
Additional context
Getting the following errors (out of synadm) and nothing out of the server with the api:
reply: 'HTTP/1.1 400 Bad Request\r\n'
header: Server: nginx
header: Date: Sat, 21 May 2022 03:14:40 GMT
header: Content-Type: text/html
header: Content-Length: 248
header: Connection: close
WARNING Synapse returned status code 400
ERROR JSONDecodeError while querying Synapse: Expecting value: line 1 column 1 (char 0)
Media list could not be fetched.
These are the ports I have open:
netstat -tnlp
(Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:3478            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:8448            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:5349            0.0.0.0:*               LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -
tcp6       0      0 :::3478                 :::*                    LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
tcp6       0      0 :::443                  :::*                    LISTEN      -
tcp6       0      0 :::8448                 :::*                    LISTEN      -
tcp6       0      0 :::5349                 :::*                    LISTEN      -