spantaleev / matrix-docker-ansible-deploy

🐳 Matrix (An open network for secure, decentralized communication) server setup using Ansible and Docker
GNU Affero General Public License v3.0
4.74k stars 1.02k forks

Synapse refuses to find ntfy service - needs to be whitelisted #2587

Open ToeiRei opened 1 year ago

ToeiRei commented 1 year ago

Describe the bug

ntfy does not receive notifications

Mar 18 23:30:14 matrix matrix-synapse[2213]: 2023-03-18 22:30:14,267 - synapse.push.httppusher - 432 - WARNING - httppush.process-17 - Failed to push event $bLGuzRj3t4p6Z6h16aTmfw9YA5gEhZZ0fZOebFToL04 to @user:domain/im.vector.app.android/https://ntfy.domain/upv5aFQWe5uAHe?up=1: <class 'twisted.internet.error.DNSLookupError'> DNS lookup failed: no results for hostname lookup: ntfy.domain.

To Reproduce

My vars.yml file looks like this:

```yaml
...
# Push Gateway
ntfy_enabled: true
ntfy_container_http_host_bind_port: '0.0.0.0:2586'
ntfy_web_root: app
...
```

Expected behavior

I would expect the synapse process to find the ntfy container

Matrix Server:

Additional context

Diagnosis so far:

  1. DNS is configured correctly; the host can resolve ntfy.domain and push using curl

  2. journald spits out the error message about DNS, so I went into the synapse container and tried pushing via curl - it works

  3. Problem with twisted? Alright - got https://docs.twistedmatrix.com/en/twisted-16.1.1/_downloads/testdns.py into the container (curl > file) - works.

ToeiRei commented 1 year ago

Digging through the code I found "ip_range_blacklist" in the homeserver templates which denies communication with an internal DNS server or anything on a private IP according to the docs:

```yaml
# Prevent outgoing requests from being sent to the following blacklisted IP address
# CIDR ranges. If this option is not specified then it defaults to private IP
# address ranges (see the example below).
#
# The blacklist applies to the outbound requests for federation, identity servers,
# push servers, and for checking key validity for third-party invite events.
#
# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
# listed here, since they correspond to unroutable addresses.)
#
# This option replaces federation_ip_range_blacklist in Synapse v1.25.0.
#
# Note: The value is ignored when an HTTP proxy is in use
#
#ip_range_blacklist:
#  - '127.0.0.0/8'
#  - '10.0.0.0/8'
#  - '172.16.0.0/12'
#  - '192.168.0.0/16'
#  - '100.64.0.0/10'
#  - '192.0.0.0/24'
#  - '169.254.0.0/16'
#  - '192.88.99.0/24'
#  - '198.18.0.0/15'
#  - '192.0.2.0/24'
#  - '198.51.100.0/24'
#  - '203.0.113.0/24'
#  - '224.0.0.0/4'
#  - '::1/128'
#  - 'fe80::/10'
#  - 'fc00::/7'
#  - '2001:db8::/32'
#  - 'ff00::/8'
#  - 'fec0::/10'

# List of IP address CIDR ranges that should be allowed for federation,
# identity servers, push servers, and for checking key validity for
# third-party invite events. This is useful for specifying exceptions to
# wide-ranging blacklisted target IP ranges - e.g. for communication with
# a push server only visible in your network.
#
# This whitelist overrides ip_range_blacklist and defaults to an empty
# list.
#
#ip_range_whitelist:
#   - '192.168.1.1'
```

As my DNS and NTFY services were sitting in those networks and DNS resolving goes into that direction....

The solution for my specific case was adding my push gateway to the whitelist

```yaml
matrix_synapse_configuration_extension_yaml: |
  ip_range_whitelist:
    - 'ip.of.ntfy.server'
```

Wouldn't it make sense to add this whitelist globally to deal with issues like push gateways in general?
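The decision the comment above describes (blacklist of private ranges, whitelist that overrides it, 0.0.0.0 and :: always refused, and a pusher target that resolves only to refused addresses ending up with no usable answer, which is consistent with the `DNSLookupError` in the report) can be modelled in a few lines. The block below is an added illustration written for this page, not Synapse's or the playbook's own code; the hostnames, addresses and DNS answers in it are constructed sample data, and the unwrapping of IPv4-mapped IPv6 addresses is a defensive choice of this example, not something taken from the quoted config comment.

```python
"""Model of Synapse's ip_range_blacklist / ip_range_whitelist semantics.

Added example, not Synapse code. Sample hostnames and addresses are constructed.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Default ranges, copied from the Synapse config comment quoted in the issue.
DEFAULT_IP_RANGE_BLACKLIST = [
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "192.0.0.0/24", "169.254.0.0/16", "192.88.99.0/24",
    "198.18.0.0/15", "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "::1/128", "fe80::/10", "fc00::/7", "2001:db8::/32",
    "ff00::/8", "fec0::/10",
]

# Refused whatever the configuration says: unroutable "any" addresses.
ALWAYS_BLOCKED = ["0.0.0.0/32", "::/128"]


def parse_ranges(entries: Iterable[str]) -> List[IPNetwork]:
    """Parse CIDR strings, or bare IPs as in the issue's whitelist, into networks."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def in_ranges(addr: IPAddress, ranges: Iterable[IPNetwork]) -> bool:
    """Membership test. IPv4-mapped IPv6 (::ffff:a.b.c.d) is compared as IPv4;
    that unwrapping is an assumption of this example, not from the quoted docs."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in ranges)


def is_outbound_allowed(
    resolved_ip: str,
    ip_range_blacklist: Optional[Iterable[str]] = None,
    ip_range_whitelist: Iterable[str] = (),
) -> bool:
    """Return True if a push/federation request may be sent to resolved_ip.

    ip_range_blacklist=None means "option not specified", so the default
    private ranges apply; an explicit empty list blocks nothing beyond
    ALWAYS_BLOCKED. The whitelist overrides the blacklist but not ALWAYS_BLOCKED.
    """
    addr = ipaddress.ip_address(resolved_ip)
    if in_ranges(addr, parse_ranges(ALWAYS_BLOCKED)):
        return False
    if in_ranges(addr, parse_ranges(ip_range_whitelist)):
        return True
    blacklist = DEFAULT_IP_RANGE_BLACKLIST if ip_range_blacklist is None else list(ip_range_blacklist)
    return not in_ranges(addr, parse_ranges(blacklist))


def resolve_for_pusher(
    hostname: str,
    dns_answers: Dict[str, List[str]],
    ip_range_blacklist: Optional[Iterable[str]] = None,
    ip_range_whitelist: Iterable[str] = (),
) -> List[str]:
    """Filter a hostname's DNS answers through the policy.

    Returns the addresses a pusher may connect to. If every answer is refused
    the caller sees a lookup failure, which is how a blocked private-range
    push gateway surfaces as "no results for hostname lookup" in the log.
    """
    allowed = [
        ip for ip in dns_answers.get(hostname, [])
        if is_outbound_allowed(ip, ip_range_blacklist, ip_range_whitelist)
    ]
    if not allowed:
        raise LookupError(f"no results for hostname lookup: {hostname}")
    return allowed


# Constructed DNS table standing in for the reporter's internal resolver.
SAMPLE_DNS = {
    "ntfy.example.test": ["10.0.0.40"],
    "push.example.test": ["100.128.0.1", "10.0.0.41"],
}

if __name__ == "__main__":
    try:
        resolve_for_pusher("ntfy.example.test", SAMPLE_DNS)
    except LookupError as e:
        print("default policy:", e)
    print("with whitelist:", resolve_for_pusher(
        "ntfy.example.test", SAMPLE_DNS, ip_range_whitelist=["10.0.0.40"]))
```

The whitelist is the right knob: it admits exactly the gateway's address while the rest of the blacklist keeps doing its job of stopping federation and pusher requests from reaching other internal hosts. Emptying `ip_range_blacklist` instead would open every private range.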

akdk7 commented 7 months ago

That helped me solve a long-standing NTFY issue on my server. Thank you very much!