spantaleev / matrix-docker-ansible-deploy

🐳 Matrix (An open network for secure, decentralized communication) server setup using Ansible and Docker
GNU Affero General Public License v3.0

Fronting the integrated reverse-proxy with another reverse-proxy results in a 502 error #2651

Open NablaMetal opened 1 year ago

NablaMetal commented 1 year ago

Describe the bug:

I'm trying to deploy a matrix (synapse/element) server on an existing server. I have already an nginx (SWAG instance) installed on the server, so I'm trying to go for a solution where I keep the default traefik playbook-managed reverse proxy behind my host existing reverse proxy as described here. Unfortunately I get 502 Bad Gateway Errors, when I try to connect to matrix.mydomain.com.

The (anonymized) nginx error log:

[error] 621#621: 2 connect() failed (111: Connection refused) while connecting to upstream, client: XX.XXX.XXX.XX, server: matrix., request: "GET / HTTP/2.0", upstream: "http://172.25.0.10:81/502.html", host: "matrix.mydomain.com"

The 172.25.0.10 IP address is the matrix-traefik container IP address (which the nginx of the host is able to resolve).

The (anonymized) vars.yml:

matrix_domain: mydomain.com 
matrix_homeserver_implementation: synapse 
matrix_homeserver_generic_secret_key: 'xxx'
devture_postgres_connection_password: 'yyy'
devture_playbook_state_preserver_commit_hash_preservation_enabled: false
matrix_playbook_docker_installation_enabled: false
matrix_playbook_reverse_proxy_type: playbook-managed-traefik
devture_traefik_config_entrypoint_web_secure_enabled: false
devture_traefik_container_web_host_bind_port: '127.0.0.1:81'
devture_traefik_additional_entrypoints_auto:
  - name: matrix-federation 
    port: "{{ matrix_federation_public_port }}"
    host_bind_port: "127.0.0.1:{{ matrix_federation_public_port }}"
    config: {}

My matrix.subdomain.conf in my host nginx conf folder:

I use a domain wildcard cert.

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name matrix.* element.*;
    include /config/nginx/ssl.conf; 

    location / {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;

        proxy_pass http://matrix-traefik:81;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        client_max_body_size 50M;
    }
}

# settings for matrix federation
server {
    listen 8448 ssl http2 default_server;
    listen [::]:8448 ssl http2 default_server;

    server_name matrix.*;
    include /config/nginx/ssl.conf; 

    location / {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;

        proxy_pass http://matrix-traefik:8449;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        client_max_body_size 50M;
    }
}

Matrix Server:

OS: Ubuntu 22.04 Architecture: x86_64

Ansible:

I'm using Ansible:2.13.6-r0-3 on docker from within the host according to the documentation.

I don't know if it matters, but the bare domain itself (mydomain.com) hosts a WordPress website, also behind the host nginx reverse proxy, which is accessible. All matrix containers are up and running.

I would highly appreciate any help, I spent two days trying various things but I can't get it working. Thank you!

watzfatz commented 1 year ago

edit: ok, I don't know how tf you're supposed to format your post here.. I'll try to mark it in text

i have it working like this:

vars.yaml:

############# START ###########
matrix_domain: yourdomain.tld
matrix_homeserver_implementation: synapse
matrix_homeserver_generic_secret_key: 'xxx'
matrix_playbook_reverse_proxy_type: playbook-managed-traefik
devture_postgres_connection_password: 'yyy'
matrix_playbook_ssl_enabled: true
devture_traefik_config_entrypoint_web_secure_enabled: false
devture_traefik_container_web_host_bind_port: '0.0.0.0:81'
devture_traefik_config_entrypoint_web_forwardedHeaders_trustedIPs: ['IP_OF_REVERSE_PROXY']
devture_traefik_additional_entrypoints_auto:

matrix.domain.conf:

############# START ###########
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name yourdomain.tld matrix.yourdomain.tld element.yourdomain.tld;

    location / {
        proxy_pass http://INTERNAL_MATRIX_IP:81;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;

        access_log /var/log/nginx/matrix.access.log;
        error_log /var/log/nginx/matrix.error.log;

        client_max_body_size 50M;
    }

    # paths to well-knowns for server and client

    location /.well-known/matrix/server {
        return 200 '{"m.server": "matrix.yourdomain.tld:8448"}';
        default_type application/json;
        add_header Access-Control-Allow-Origin *;
    }

    location /.well-known/matrix/client {
        return 200 '{"m.homeserver": {"base_url": "https://matrix.yourdomain.tld"}}';
        default_type application/json;
        add_header Access-Control-Allow-Origin *;
    }
}

server {
    listen 8448 ssl http2 default_server;
    listen [::]:8448 ssl http2 default_server;

    server_name matrix.yourdomain.tld;

    location / {
        proxy_pass http://INTERNAL_MATRIX_IP:8449;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;

        access_log /var/log/nginx/matrix.access.log;
        error_log /var/log/nginx/matrix.error.log;

        client_max_body_size 50M;
    }
}

# redirects

server {
    if ($host = yourdomain.tld) {
        return 301 https://$host$request_uri;
    }

    server_name yourdomain.tld;
    listen 80;
    return 404; # managed by Certbot
}

server {
    if ($host = matrix.yourdomain.tld) {
        return 301 https://$host$request_uri;
    }

    server_name matrix.yourdomain.tld;
    listen 80;
    return 404; # managed by Certbot
}

server {
    if ($host = element.yourdomain.tld) {
        return 301 https://$host$request_uri;
    }

    server_name element.yourdomain.tld;
    listen 80;
    return 404; # managed by Certbot
}
############# END ###########

I think you don't have your ports configured correctly. The ports in my example should fit together; you should only need to insert the LAN IPs of your servers and your domain name.

hope this helps
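The "ports should fit together" advice is easy to get wrong by hand, so here is an added example (not code from this thread or from matrix-docker-ansible-deploy) that checks it mechanically: it pulls the Traefik host bind ports out of the playbook vars, the proxy_pass and listen ports out of the nginx config, and the .well-known bodies nginx returns inline, and reports where they disagree. It assumes nginx runs on the host (or can reach the host address), so the ports it must target are the host bind ports; the two configs embedded below are constructed from the thread and cut down to the directives the check needs, with the federation entrypoint assumed to be published on 8449 as in the posted nginx upstreams.

```python
"""Added example: do the playbook's Traefik bind ports, the nginx
proxy_pass/listen ports and the inline .well-known bodies agree?

Assumption: nginx talks to the host, so the relevant Traefik ports are the
host bind ports (devture_traefik_container_web_host_bind_port and each
additional entrypoint's host_bind_port). Sample configs are constructed.
"""
import json
import re
from urllib.parse import urlparse

VARS_YML = """\
devture_traefik_container_web_host_bind_port: '0.0.0.0:81'
devture_traefik_additional_entrypoints_auto:
  - name: matrix-federation
    port: 8449
    host_bind_port: "0.0.0.0:8449"
    config: {}
"""

NGINX_CONF = """\
server {
    listen 443 ssl http2;
    server_name yourdomain.tld matrix.yourdomain.tld element.yourdomain.tld;
    location / { proxy_pass http://10.0.0.5:81; }
    location /.well-known/matrix/server {
        return 200 '{"m.server": "matrix.yourdomain.tld:8448"}';
        default_type application/json;
    }
    location /.well-known/matrix/client {
        return 200 '{"m.homeserver": {"base_url": "https://matrix.yourdomain.tld"}}';
        default_type application/json;
    }
}
server {
    listen 8448 ssl http2 default_server;
    server_name matrix.yourdomain.tld;
    location / { proxy_pass http://10.0.0.5:8449; }
}
"""


def traefik_host_binds(vars_text):
    """(address, port) pairs Traefik publishes on the host. A bare port means
    Docker binds all interfaces. Regex is enough for flat vars like these;
    load a real vars.yml with a YAML parser."""
    pat = r"host_bind_port:\s*['\"]?(?:([\d.]+):)?(\d+)['\"]?"
    return {(m.group(1) or "0.0.0.0", int(m.group(2))) for m in re.finditer(pat, vars_text)}


def nginx_upstream_ports(conf):
    return {int(m.group(1)) for m in re.finditer(r"proxy_pass\s+https?://[^/\s;]+:(\d+)", conf)}


def nginx_listen_ports(conf):
    return {int(m.group(1)) for m in re.finditer(r"listen\s+(?:\[::\]:)?(\d+)", conf)}


def well_known_bodies(conf):
    """/.well-known/matrix/<name> -> parsed JSON from the inline `return 200 '...'`."""
    pat = r"location\s+/\.well-known/matrix/(\w+)[^']*'([^']*)'"
    return {m.group(1): json.loads(m.group(2)) for m in re.finditer(pat, conf)}


def check(vars_text, conf):
    """Return (level, message) findings; no 'error' entries means the ports fit."""
    findings = []
    binds = traefik_host_binds(vars_text)
    traefik_ports = {port for _, port in binds}
    for port in sorted(nginx_upstream_ports(conf) - traefik_ports):
        findings.append(("error", f"nginx proxies to port {port} but Traefik publishes only {sorted(traefik_ports)}"))
    for addr, port in sorted(binds):
        if addr == "0.0.0.0":
            findings.append(("warn", f"Traefik port {port} is bound on all interfaces; anything that reaches it "
                                     "bypasses nginx, so keep forwardedHeaders restricted to trustedIPs"))
    wk = well_known_bodies(conf)
    server = wk.get("server", {}).get("m.server", "")
    host, _, port = server.rpartition(":")
    if not host:                       # no explicit port: the federation default is 8448
        host, port = server, "8448"
    if not host:
        findings.append(("error", "/.well-known/matrix/server has no m.server"))
    elif not port.isdigit() or int(port) not in nginx_listen_ports(conf):
        findings.append(("error", f"m.server points at port {port}, but nginx does not listen on it"))
    base_url = wk.get("client", {}).get("m.homeserver", {}).get("base_url", "")
    parsed = urlparse(base_url)
    if parsed.scheme != "https" or not parsed.netloc:
        findings.append(("error", f"m.homeserver.base_url must be an https URL, got {base_url!r}"))
    return findings


if __name__ == "__main__":
    for level, message in check(VARS_YML, NGINX_CONF):
        print(f"[{level}] {message}")
```

Run it against your own vars.yml and nginx site file by swapping the two constructed strings; an 'error' line is a port that nginx and Traefik disagree on, and the 'warn' line flags a bind on all interfaces, which is exactly the case where the forwarded-headers trust setting matters.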

rltas commented 1 year ago

I'm trying to go for a solution where I keep the default traefik playbook-managed reverse proxy behind my host existing reverse proxy as described here. Unfortunately I get 502 Bad Gateway Errors, when I try to connect to matrix.mydomain.com.

As a start I believe you didn't strictly follow the docs, because for example I don't see a directive that allows Traefik to digest the headers sent by nginx. In the docs that's devture_traefik_config_entrypoint_web_forwardedHeaders_insecure: true; in @watzfatz's config it's the more specific devture_traefik_config_entrypoint_web_forwardedHeaders_trustedIPs: ['IP_OF_REVERSE_PROXY']. Without the contents of those headers Traefik won't know how to route the incoming traffic.
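The difference between the two directives named above is who gets to set X-Forwarded-For and X-Forwarded-Proto. Here is an added example (not code from this thread, the playbook or Traefik) that models the two settings side by side: forwardedHeaders.insecure trusts the headers from any peer, forwardedHeaders.trustedIPs only from the listed addresses or CIDRs. The pass-through/discard behaviour is my reading of Traefik's forwarded-headers options and is stated as an assumption; the IP addresses are constructed for the demo. With the web entrypoint bound on 0.0.0.0:81 as in the config earlier in the thread, any host that can reach that port can skip nginx entirely, which is the case the second scenario shows.

```python
"""Added example: a model of Traefik's forwarded-headers trust decision.

Assumed behaviour (my reading of the Traefik options, not verified code):
when the TCP peer is trusted, X-Forwarded-For / X-Forwarded-Proto are
passed through unchanged; otherwise they are discarded and the peer's own
address and plain scheme are used. Addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ForwardedHeadersPolicy:
    """Mirror of the two playbook knobs:
    insecure    -> devture_traefik_config_entrypoint_web_forwardedHeaders_insecure
    trusted_ips -> devture_traefik_config_entrypoint_web_forwardedHeaders_trustedIPs
    """
    insecure: bool = False
    trusted_ips: list = field(default_factory=list)  # IPs or CIDRs as strings

    def trusts(self, peer_ip: str) -> bool:
        if self.insecure:
            return True
        peer = ipaddress.ip_address(peer_ip)
        return any(peer in ipaddress.ip_network(n, strict=False) for n in self.trusted_ips)

    def client_view(self, peer_ip: str, headers: dict, peer_scheme: str = "http"):
        """Return (client_ip, scheme) that components behind Traefik (Synapse's
        x_forwarded handling, rate limits, audit logs) will attribute the
        request to."""
        h = {k.lower(): v for k, v in headers.items()}
        if not self.trusts(peer_ip):
            return peer_ip, peer_scheme
        xff = h.get("x-forwarded-for", "")
        client = xff.split(",")[0].strip() or peer_ip
        return client, h.get("x-forwarded-proto", peer_scheme)


# Constructed addresses: the fronting nginx, and an unrelated host that can
# also reach Traefik's web entrypoint because it is bound on 0.0.0.0.
NGINX_IP = "10.0.0.5"
STRANGER_IP = "198.51.100.9"

# What nginx legitimately forwards, and what a direct connection could claim.
LEGIT_HEADERS = {"X-Forwarded-For": "203.0.113.7", "X-Forwarded-Proto": "https"}
SPOOFED_HEADERS = {"X-Forwarded-For": "127.0.0.1", "X-Forwarded-Proto": "https"}


def compare_policies():
    """Run the same two connections through both policies."""
    insecure = ForwardedHeadersPolicy(insecure=True)
    trusted = ForwardedHeadersPolicy(trusted_ips=[NGINX_IP])
    return {
        "insecure/nginx": insecure.client_view(NGINX_IP, LEGIT_HEADERS),
        "insecure/stranger": insecure.client_view(STRANGER_IP, SPOOFED_HEADERS),
        "trusted/nginx": trusted.client_view(NGINX_IP, LEGIT_HEADERS),
        "trusted/stranger": trusted.client_view(STRANGER_IP, SPOOFED_HEADERS),
    }


if __name__ == "__main__":
    for case, (client, scheme) in compare_policies().items():
        print(f"{case:18} -> client={client} scheme={scheme}")
```

Both policies handle the nginx path identically; they differ only when something other than nginx connects. Under insecure mode the stranger's request is recorded as coming from 127.0.0.1 over https, under trustedIPs it is recorded as the stranger's real address over plain http, which is why the trustedIPs form is the one to use when the Traefik port is reachable from anywhere but the proxy.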

NablaMetal commented 1 year ago

Thank you both of you for your feedback. Unfortunately I don't have enough time currently to get back on this. I will post my insights here as soon as I get my life back :)

TheShadowBanned commented 1 year ago

Hi!

Posting this here first, because when reading up on my problem this thread seemed related.

I set up a synapse server with several bridges on a vserver, trying to front the matrix traefik proxy with nginx proxy manager, where the nginx serves as gateway and holds the certificates. After the usual hassle I have it working quite nicely except for federation.

The relevant playbook settings I changed from default are the following:

matrix_playbook_reverse_proxy_type: playbook-managed-traefik
devture_traefik_config_entrypoint_web_secure_enabled: false
devture_traefik_config_entrypoint_web_port: 8181
matrix_playbook_ssl_enabled: false
devture_traefik_container_web_host_bind_port: '8181'
devture_traefik_config_entrypoint_web_forwardedHeaders_insecure: true
devture_traefik_additional_entrypoints_auto:

Now, as you may have noticed I set matrix_playbook_ssl_enabled: false . Whenever I set it to true I can't reach the synapse server anymore.

I have my nginx proxy manager pointed to the docker network endpoints and set up .well-known according to this tutorial:

https://www.gravee.dev/en/matrix-ansible-with-nginx-proxy-manager/

To my understanding this should work? It does return proper responses in the browser.

When I try to access the federation ports, I only get a 404 response at best.

Any ideas what I am doing wrong?

Greetz