spantaleev / matrix-docker-ansible-deploy

🐳 Matrix (An open network for secure, decentralized communication) server setup using Ansible and Docker
GNU Affero General Public License v3.0

containers do not expose ports to host, with external nginx #2494

Closed Bergruebe closed 1 year ago

Bergruebe commented 1 year ago

Describe the bug

I already have nginx installed on the server, so I'm using matrix_nginx_proxy_enabled: false and included /matrix/nginx-proxy/conf.d in the nginx config. It worked fine until the last rerun of the playbook. Now I get 502 Bad Gateway errors when I try to connect to Matrix via the Element app or Synapse-Admin.

The nginx error log:

[error] 839#839: *19043 connect() failed (111: Connection refused) while connecting to upstream, client: 127.0.0.1, server: , request: "POST /_matrix/client/r0/keys/query HTTP/1.0", upstream: "http://127.0.0.1:8008/_matrix/client/r0/keys/query", host: "matrix.XXX.tld"

Port 8008 isn't in use (sudo netstat -tunlp | grep 8008 returns nothing).

To Reproduce

My vars.yml file looks like this:

```yaml
matrix_domain: XX.tld

# This is something which is provided to Let's Encrypt when retrieving SSL certificates for domains.
#
# In case SSL renewal fails at some point, you'll also get an email notification there.
#
# If you decide to use another method for managing SSL certificates (different than the default Let's Encrypt),
# you won't be required to define this variable (see `docs/configuring-playbook-ssl-certificates.md`).
#
# Example value: someone@example.com
matrix_ssl_lets_encrypt_support_email: 'XX@XXX.tld'

# A shared secret (between Coturn and Synapse) used for authentication.
# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
matrix_coturn_turn_static_auth_secret: 'XXX'

# A secret used to protect access keys issued by the server.
# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
matrix_synapse_macaroon_secret_key: 'XXX'

# A Postgres password to use for the superuser Postgres user (called `matrix` by default).
#
# The playbook creates additional Postgres users and databases (one for each enabled service)
# using this superuser account.
devture_postgres_connection_password: 'XXX'

# Enable Synapse-Admin
# https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-synapse-admin.md
matrix_synapse_admin_enabled: true

# Disable nginx
# https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-own-webserver.md#method-2-fronting-the-integrated-nginx-reverse-proxy-webserver-with-another-reverse-proxy
matrix_nginx_proxy_enabled: false

# Additional certificates
# https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-ssl-certificates.md#obtaining-ssl-certificates-for-additional-domains
matrix_ssl_additional_domains_to_obtain_certificates_for:
  - 'XXX'

# matrix-registration
# https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-matrix-registration.md
matrix_registration_enabled: true

# Generate a strong secret using: `pwgen -s 64 1`.
matrix_registration_admin_secret: "XXX"

# Discord Bot
matrix_appservice_discord_enabled: true
matrix_appservice_discord_client_id: "XXX"
matrix_appservice_discord_bot_token: "XXXX"

# Do not install Docker as part of the playbook
matrix_playbook_docker_installation_enabled: false

# Whatsapp Bot
matrix_mautrix_whatsapp_enabled: true

matrix_mautrix_whatsapp_configuration_extension_yaml: |
  permissions:
    "@XX:XX.tld": admin
matrix_mautrix_whatsapp_login_shared_secret: XXX

# https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-shared-secret-auth.md
# Shared Secret Auth password provider module
matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true
matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: XXX

# Mautrix Signal
# https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-bridge-mautrix-signal.md
matrix_mautrix_signal_enabled: true

matrix_mautrix_signal_login_shared_secret: 'XXX'

matrix_mautrix_signal_configuration_extension_yaml: |
  permissions:
    "@XX:XX.tld": "admin"

# Element Config
# https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/roles/matrix-client-element/defaults/main.yml
matrix_client_element_default_theme: 'theme-dark'

# Synapse server notices
# https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/roles/matrix-synapse/defaults/main.yml#L567-L582
matrix_synapse_configuration_extension_yaml: |
   server_notices:
     system_mxid_localpart: server
     system_mxid_display_name: "Server Mitteilungen"
     system_mxid_avatar_url: "XXX"
     room_name: "Server Mitteilungen"

# Mautrix Telegram
# https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-bridge-mautrix-telegram.md
matrix_mautrix_telegram_enabled: true
matrix_mautrix_telegram_api_id: XXX
matrix_mautrix_telegram_api_hash: XXX
matrix_mautrix_telegram_bot_token: XXX

matrix_homeserver_generic_secret_key: "{{ matrix_synapse_macaroon_secret_key }}"
```
My (not manually changed) /matrix/nginx-proxy/conf.d/matrix-domain.conf:

```nginx
server {
    listen 80;
    listen [::]:80;
    server_name matrix.XX;
    server_tokens off;
    root /dev/null;

    location /.well-known/acme-challenge {
        proxy_pass http://127.0.0.1:2402;
    }

    location / {
        return 301 https://$http_host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name matrix.XX.tld;
    server_tokens off;
    root /dev/null;

    ssl_certificate /matrix/ssl/config/live/matrix.XX/fullchain.pem;
    ssl_certificate_key /matrix/ssl/config/live/matrix.XX/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /matrix/ssl/config/live/matrix.XX.tld/chain.pem;
    ssl_session_tickets off;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_timeout 1d;

    gzip on;
    gzip_types text/plain application/json;

    add_header Permissions-Policy interest-cohort=() always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-XSS-Protection "1; mode=block";

    location /.well-known/matrix {
        root /matrix/static-files;
        expires 4h;
        default_type application/json;
        add_header Access-Control-Allow-Origin *;
    }

    location /eb6a210b-4480-5c37-821a-ffd62d3e3c0e {
        proxy_pass http://127.0.0.1:9006;
    }

    rewrite ^/synapse-admin$ $scheme://$server_name/synapse-admin/ permanent;

    location ~ ^/synapse-admin/(.*) {
        proxy_pass http://127.0.0.1:8766/$1;
    }

    rewrite ^/matrix-registration$ $scheme://$server_name/matrix-registration/ permanent;
    rewrite ^/matrix-registration/$ $scheme://$server_name/matrix-registration/register redirect;

    location ~ ^/matrix-registration/(.*) {
        proxy_pass http://127.0.0.1:8767/$1;
        sub_filter_once off;
        sub_filter_types text/css;
        sub_filter "/static/" "/matrix-registration/static/";
    }

    location ~* ^(/_matrix|/_synapse/client|/_synapse/admin) {
        proxy_pass http://127.0.0.1:12080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        client_body_buffer_size 25M;
        client_max_body_size 50M;
        proxy_max_temp_file_size 0;
    }

    location ~* ^/$ {
        return 302 $scheme://element.XX.tld$request_uri;
    }
}

server {
    listen 8448 ssl http2;
    listen [::]:8448 ssl http2;
    server_name matrix.XX;
    server_tokens off;
    root /dev/null;

    gzip on;
    gzip_types text/plain application/json;

    ssl_certificate /matrix/ssl/config/live/matrix.XX/fullchain.pem;
    ssl_certificate_key /matrix/ssl/config/live/matrix.XX/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /matrix/ssl/config/live/matrix.XX.tld/chain.pem;
    ssl_session_tickets off;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_timeout 1d;

    location / {
        proxy_pass http://127.0.0.1:12088;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        client_body_buffer_size 25M;
        client_max_body_size 150M;
        proxy_max_temp_file_size 0;
    }
}
```

My (not manually changed) /matrix/nginx-proxy/conf.d/matrix-synapse.conf:

```nginx
server {
    listen 12080;
    server_tokens off;
    root /dev/null;

    gzip on;
    gzip_types text/plain application/json;

    location / {
        proxy_pass http://127.0.0.1:8008;
        proxy_set_header Host $host;
        client_body_buffer_size 25M;
        client_max_body_size 50M;
        proxy_max_temp_file_size 0;
    }
}

server {
    listen 12088;
    server_tokens off;
    root /dev/null;

    gzip on;
    gzip_types text/plain application/json;

    location / {
        proxy_pass http://127.0.0.1:8048;
        proxy_set_header Host $host;
        client_body_buffer_size 25M;
        client_max_body_size 150M;
        proxy_max_temp_file_size 0;
    }
}
```

Matrix Server:

Ansible: I'm using Ansible 2.14.2 on macOS 13.2.1 (Ventura)

Additional context

I'm not sure if a container named matrix-synapse-reverse-proxy-companion should be running without any ports in my configuration.

It would be great if you could help me. Thank you!

spantaleev commented 1 year ago

This is related to our recent changelog entry, (Backward Compatibility) Reverse-proxy configuration changes and initial Traefik support.

See the updated documentation about Using your own nginx reverse-proxy running on the same machine.

In short, you should stop using `matrix_nginx_proxy_enabled: false` and go for `matrix_playbook_reverse_proxy_type: other-nginx-non-container`.
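A quick check for the failure mode in this thread, added here as an example and not part of the playbook: it reads the loopback `proxy_pass` targets out of a generated conf.d file (the `http://127.0.0.1:PORT` form seen above) and reports which of those ports have nothing bound on the host, which is what nginx's "connect() failed (111: Connection refused)" and the resulting 502 mean. Run it before and after switching to `matrix_playbook_reverse_proxy_type` to confirm the companion container's ports are actually exposed; the sample conf below is constructed to mirror matrix-synapse.conf from the report.

```python
"""Diagnose nginx 502s caused by an upstream that is not listening."""
import re
import socket

# Matches proxy_pass targets on the loopback interface, as the playbook's
# generated configs use (http://127.0.0.1:PORT, optionally followed by a path).
PROXY_PASS_RE = re.compile(r"proxy_pass\s+http://127\.0\.0\.1:(\d+)")


def extract_upstream_ports(conf_text: str) -> list:
    """Sorted, de-duplicated loopback ports that conf_text proxies to."""
    return sorted({int(p) for p in PROXY_PASS_RE.findall(conf_text)})


def port_is_listening(port: int, host: str = "127.0.0.1", timeout: float = 0.5) -> bool:
    """True when a TCP connect to host:port succeeds, i.e. something is bound there."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # ECONNREFUSED, timeout, ...
        return False


def missing_listeners(ports, listening) -> list:
    """Pure comparison: upstream ports that are not in the set of bound ports."""
    bound = set(listening)
    return [p for p in ports if p not in bound]


def diagnose(conf_text: str, probe=port_is_listening) -> list:
    """Probe every upstream port in conf_text; return those refusing connections.

    `probe` is injectable so the logic can be exercised without live sockets.
    """
    ports = extract_upstream_ports(conf_text)
    listening = {p for p in ports if probe(p)}
    return missing_listeners(ports, listening)


# Constructed sample (not the user's file) mirroring matrix-synapse.conf above.
SAMPLE_CONF = """
server { listen 12080; location / { proxy_pass http://127.0.0.1:8008; } }
server { listen 12088; location / { proxy_pass http://127.0.0.1:8048; } }
"""

if __name__ == "__main__":
    for port in diagnose(SAMPLE_CONF):
        print(f"upstream 127.0.0.1:{port} refuses connections -> nginx will answer 502")
```

Point it at the real files with `diagnose(open("/matrix/nginx-proxy/conf.d/matrix-synapse.conf").read())`; an empty result means every upstream nginx is configured to reach is accepting connections.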

Bergruebe commented 1 year ago

Thank you very much for your help! That was the problem; now everything works as expected again.

Now I will read every changelog entry twice. 😀