spantaleev / matrix-docker-ansible-deploy

🐳 Matrix (An open network for secure, decentralized communication) server setup using Ansible and Docker
GNU Affero General Public License v3.0

Question for running the playbook in homelab with no SSL requirement #2682

Closed mikedolx closed 1 year ago

mikedolx commented 1 year ago

Playbook Configuration:

My vars.yml file looks like this:

matrix_domain: matrix.mydomain.com
matrix_homeserver_implementation: synapse
matrix_homeserver_generic_secret_key: ***
devture_traefik_config_entrypoint_web_secure_enabled: false
matrix_playbook_reverse_proxy_type: playbook-managed-traefik
devture_traefik_config_certificatesResolvers_acme_email: ***@***
matrix_client_element_enabled: false
matrix_ssl_lets_encrypt_support_email: ***@***
devture_postgres_connection_password: ***
matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true
matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: ***
matrix_mautrix_discord_enabled: true
matrix_mautrix_telegram_enabled: true
matrix_mautrix_telegram_api_id: ***
matrix_mautrix_telegram_api_hash: ***
matrix_mautrix_whatsapp_enabled: true
matrix_synapse_configuration_extension_yaml: |
  experimental_features:
    msc2716_enabled: true
matrix_mautrix_whatsapp_configuration_extension_yaml: |
  bridge:
    history_sync:
      backfill: true
matrix_mautrix_facebook_enabled: false
matrix_mautrix_googlechat_enabled: null
matrix_mautrix_instagram_enabled: true
matrix_mautrix_twitter_enabled: false
matrix_mautrix_signal_enabled: true
matrix_beeper_linkedin_enabled: true
matrix_heisenbridge_enabled: false

Matrix Server:

Ansible: not really Ansible related

Problem description: I have run the Ansible playbook on my Proxmox Ubuntu VM with the vars.yml above. The playbook seems to run successfully, no errors whatsoever. Only, when I verify everything with ansible-playbook -i inventory/hosts setup.yml --tags=self-check, I get some errors.

TASK [custom/matrix-synapse : Check Matrix Client API] **************************************************************************************************************************************
fatal: [matrix.mydomain.com -> 127.0.0.1]: FAILED! => changed=false 
  elapsed: 0
  msg: 'Status code was -1 and not [200]: Request failed: <urlopen error [Errno -2] Name does not resolve>'
  redirected: false
  status: -1
  url: https://matrix.matrix.mydomain.com/_matrix/client/versions
...ignoring

TASK [custom/matrix-synapse : Fail if Matrix Client API not working] ************************************************************************************************************************
fatal: [matrix.mydomain.com]: FAILED! => changed=false 
  msg: 'Failed checking Matrix Client API is up at `matrix.matrix.mydomain.com` (checked endpoint: `https://matrix.matrix.mydomain.com/_matrix/client/versions`). Is Synapse running? Is port 443 open in your firewall? Full error: {''redirected'': False, ''url'': ''https://matrix.matrix.mydomain.com/_matrix/client/versions'', ''status'': -1, ''elapsed'': 0, ''changed'': False, ''failed'': True, ''msg'': ''Status code was -1 and not [200]: Request failed: <urlopen error [Errno -2] Name does not resolve>''}'

PLAY RECAP **********************************************************************************************************************************************************************************
matrix.mydomain.com       : ok=7    changed=0    unreachable=0    failed=1    skipped=1    rescued=0    ignored=1   

I guess that's some issue with setting up the reverse proxy.

But the point is: I already have a ready reverse proxy with SSL termination set up. All I need is the unencrypted endpoint to which I can redirect my reverse proxy.

I have ssh'ed into the VM after I ran the playbook. I can see that there are a lot of containers set up, and some of them have a port mapping, which are:

container   port mapping(s)
coturn      0.0.0.0:3478->3478/tcp
traefik     0.0.0.0:8448->8448, 0.0.0.0:80->8080/tcp

That basically means that if I browse within my home network to the IP of the VM using either port 8448 or 80, I would expect the Matrix Synapse frontend to show up ("your matrix server is running ..."). But I'm getting the message:

404 page not found

Presented as a simple HTML page. I guess that this is Traefik that I'm hitting here. But why isn't it forwarding to the Synapse container?

Am I missing a vars setting?

Client (please complete the following information):

Additional context None

spantaleev commented 1 year ago

Self-check doesn't seem to detect your non-HTTPS setup to check it properly. You can ignore it.

Accessing by IP doesn't work in Traefik - it only handles access by hostname.

mikedolx commented 1 year ago

> Self-check doesn't seem to detect your non-HTTPS setup to check it properly. You can ignore it.
>
> Accessing by IP doesn't work in Traefik - it only handles access by hostname.

Would it be possible to disable Traefik completely and just rely on the bare Docker ports? As already stated, I don't need a reverse proxy, as I have my own running with SSL etc.

spantaleev commented 1 year ago

The bare ports are too many ports on too many services that you need to expose manually and hook into your existing reverse proxy.

It's possible by setting matrix_playbook_reverse_proxy_type: other-on-same-host (or other-on-another-host).

See https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/8fbe99ac2a1939c9018209c27e39632d10bd7c69/roles/custom/matrix-base/defaults/main.yml#L282-L325

Our documentation talks about this possibility as well: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-own-webserver.md#using-no-reverse-proxy-on-the-matrix-side-at-all


It's better if you make Traefik front the whole mess and expose it as something like 127.0.0.1:81, so that your other reverse-proxy can just reverse-proxy everything to 127.0.0.1:81 and be done with it.

Note: you'd still probably need to handle federation traffic (8448) and things like Coturn separately, but for most other services, you can just send traffic to that single
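A vars.yml fragment for the setup described above (the playbook's Traefik kept as the internal proxy, TLS terminated by your own reverse proxy on the same host), written here as an added example rather than taken from the thread or the project's documentation. The variable `devture_traefik_container_web_host_bind_port` and the value `127.0.0.1:81` are assumptions following the variable naming used in this thread; check them against the linked docs for your playbook version.

```yaml
# Added example, not from the thread or the project's documentation.
# Scenario: the playbook's Traefik fronts all Matrix services on a plain-HTTP
# loopback port; a separate reverse proxy on the same host terminates TLS.

# Base domain only: the playbook derives the server hostname as
# matrix.<matrix_domain> (the self-check output above shows this), so setting
# matrix_domain to "matrix.mydomain.com" yields "matrix.matrix.mydomain.com".
matrix_domain: mydomain.com          # constructed sample value
matrix_homeserver_implementation: synapse

# Keep Traefik, but turn off its HTTPS entrypoint: TLS is handled upstream,
# so Traefik needs neither certificates nor ACME.
matrix_playbook_reverse_proxy_type: playbook-managed-traefik
devture_traefik_config_entrypoint_web_secure_enabled: false

# Assumed variable name: bind Traefik's plain-HTTP entrypoint to loopback only.
# Binding to 127.0.0.1 instead of 0.0.0.0 keeps the unencrypted endpoint off
# the LAN; if the TLS-terminating proxy runs on another host, bind to that
# host-facing address instead and restrict it with a firewall rule.
devture_traefik_container_web_host_bind_port: '127.0.0.1:81'

# What the external proxy must do (a reminder, not expressible in vars.yml):
#   - forward requests for matrix.mydomain.com to http://127.0.0.1:81 with the
#     original Host header preserved; Traefik routes by hostname, which is why
#     reaching it by IP address answers "404 page not found"
#   - federation (8448) and Coturn (3478) are not carried by this port and
#     still need their own handling, as noted above.
```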

mikedolx commented 1 year ago

So I was able to run the playbook by disabling the Traefik reverse proxy with the option

matrix_playbook_reverse_proxy_type: other-on-another-host

Now I have some other issues, but that's another ticket then 😁