spantaleev / matrix-docker-ansible-deploy

🐳 Matrix (An open network for secure, decentralized communication) server setup using Ansible and Docker
GNU Affero General Public License v3.0

draupnir can't reach the synapse admin API #3308

Open HarHarLinks opened 5 months ago

HarHarLinks commented 5 months ago

Describe the bug

Per the docs, draupnir can poll abuse reports from the synapse admin API. This used to work back in matrix-nginx-proxy times :older_man:.

https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-bot-draupnir.md#abuse-reports

According to the docs, what is needed is to enable the admin API (e.g. by configuring directly, or indirectly by enabling synapse-admin), the draupnir user being an admin, and the draupnir config extension.

However it does not work: draupnir bot will spam the control room:

‼ | failed to poll events: Error: Error during MatrixClient request GET /_synapse/admin/v1/event_reports?dir=f&from=0: 404 Not Found -- "404 page not found\n"

So I dug around.

Finding the issue

With my config, which should be basically default in that regard...

draupnir config includes:

homeserverUrl: http://matrix-traefik:8008
rawHomeserverUrl: http://matrix-traefik:8008

which is just the main reverse proxy traefik container's name


draupnir service connects networks:

--network=matrix-addons
docker network connect traefik matrix-bot-draupnir

traefik service connects networks:

--network=traefik \

which connects it to draupnir such that it should be able to reach matrix-traefik, and

docker network connect matrix-container-socket-proxy matrix-traefik

which is just a firewall between traefik and the host docker socket


traefik.yml defines as only entryPoint on 8008:

  matrix-internal-matrix-client-api:
    address: :8008

synapse reverse proxy companion is the only router on that entrypoint I can find:

traefik.http.routers.matrix-synapse-reverse-proxy-companion-internal-client-api.entrypoints=matrix-internal-matrix-client-api
traefik.http.routers.matrix-synapse-reverse-proxy-companion-internal-client-api.rule=PathPrefix(`/_matrix`)

but it's on the wrong path

meanwhile, the _synapse/admin_ API is only on

traefik.http.routers.matrix-synapse-reverse-proxy-companion-public-client-synapse-admin-api.entrypoints=web-secure

buuuut you can really skip reading most of this if instead we read the draupnir docs at https://github.com/the-draupnir-project/Draupnir/blob/main/config/default.yaml

# Endpoint URL that Draupnir could use to fetch events related to reports (client-server API and /_synapse/),
# only set this to the public-internet homeserver client API URL, do NOT set this to the pantalaimon URL.
rawHomeserverUrl: "https://matrix.org"

which clearly has not been done if you scroll all the way up.

Proposed Solution

There are two options that I see:

  1. Make the admin API also accessible through internal routing, on the matrix-internal-matrix-client-api entrypoint. The rest should then fall into place. This seems to be the way the playbook prefers to do things, though strictly speaking it goes against draupnir's docs.
  2. Configure draupnir's rawHomeserverUrl to call the C2S and admin APIs through web-secure (public internet), as its docs say. This might have a slight performance impact and is not strictly necessary.

FSG-Cat commented 5 months ago

Ok so Draupnir docs are maybe a bit confusing, I will concede that. What we are actually asking for is a path to reach the admin API and not reach pantalaimon, the CS API proxy. So if solution 1 gives us an address to reach the Admin API, Draupnir will be happy, and if that causes a bug, well, I will have to go and bother Gnuxie to get that fixed because that is a bug at that point.

HarHarLinks commented 5 months ago

I added the following blocks to my synapse reverse proxy companion labels:

############################################################
#                                                          #
# Internal Synapse Admin API (/_synapse/client)            #
#                                                          #
############################################################

traefik.http.routers.matrix-synapse-reverse-proxy-companion-internal-client-synapse-client-api.rule=PathPrefix(`/_synapse/client`)

traefik.http.routers.matrix-synapse-reverse-proxy-companion-internal-client-synapse-client-api.service=matrix-synapse-reverse-proxy-companion-client-api
traefik.http.routers.matrix-synapse-reverse-proxy-companion-internal-client-synapse-client-api.entrypoints=matrix-internal-matrix-client-api

############################################################
#                                                          #
# /Internal Synapse Admin API (/_synapse/client)           #
#                                                          #
############################################################

############################################################
#                                                          #
# Internal Synapse Admin API (/_synapse/admin)             #
#                                                          #
############################################################

traefik.http.routers.matrix-synapse-reverse-proxy-companion-internal-client-synapse-admin-api.rule=PathPrefix(`/_synapse/admin`)

traefik.http.routers.matrix-synapse-reverse-proxy-companion-internal-client-synapse-admin-api.service=matrix-synapse-reverse-proxy-companion-client-api
traefik.http.routers.matrix-synapse-reverse-proxy-companion-internal-client-synapse-admin-api.entrypoints=matrix-internal-matrix-client-api

############################################################
#                                                          #
# /Internal Synapse Admin API (/_synapse/admin)            #
#                                                          #
############################################################

and so far that made it stop complaining.
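
Added example, not part of the original thread or of the playbook's code: a small Python check that replays the router labels quoted in this issue and shows why `GET /_synapse/admin/v1/event_reports` got a 404 on the internal entrypoint before the extra labels and is routed afterwards. It models only `PathPrefix` rules and picks the longest matching prefix, which is a simplification of Traefik's rule matching; the function names are hypothetical.

```python
import re

# Router labels quoted in this thread. BEFORE: what was found on the
# companion container. ADDED: the rule/entrypoints labels from the comment above.
P = "traefik.http.routers.matrix-synapse-reverse-proxy-companion-"
INTERNAL = "matrix-internal-matrix-client-api"
BEFORE = [
    P + "internal-client-api.entrypoints=" + INTERNAL,
    P + "internal-client-api.rule=PathPrefix(`/_matrix`)",
    P + "public-client-synapse-admin-api.entrypoints=web-secure",
]
ADDED = [
    P + "internal-client-synapse-client-api.rule=PathPrefix(`/_synapse/client`)",
    P + "internal-client-synapse-client-api.entrypoints=" + INTERNAL,
    P + "internal-client-synapse-admin-api.rule=PathPrefix(`/_synapse/admin`)",
    P + "internal-client-synapse-admin-api.entrypoints=" + INTERNAL,
]
LABEL = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(rule|entrypoints|service)=(.*)$")

def parse_routers(labels):
    """Group label lines into {router_name: {rule, entrypoints, service}}."""
    routers = {}
    for line in labels:
        m = LABEL.match(line.strip())
        if m:
            name, key, value = m.groups()
            routers.setdefault(name, {})[key] = value
    return routers

def prefixes_on(routers, entrypoint):
    """Yield (prefix, router_name) for every PathPrefix rule bound to entrypoint."""
    for name, r in routers.items():
        bound = [e.strip() for e in r.get("entrypoints", "").split(",")]
        if entrypoint in bound:
            for prefix in re.findall(r"PathPrefix\(`([^`]+)`\)", r.get("rule", "")):
                yield prefix, name

def match(routers, entrypoint, path):
    """Router serving path on entrypoint, or None (Traefik would answer 404)."""
    hits = [(p, n) for p, n in prefixes_on(routers, entrypoint) if path.startswith(p)]
    return max(hits, key=lambda h: len(h[0]))[1] if hits else None

def exposed_prefixes(routers, entrypoint):
    """Audit view: every path prefix reachable through entrypoint."""
    return sorted(p for p, _ in prefixes_on(routers, entrypoint))

if __name__ == "__main__":
    path = "/_synapse/admin/v1/event_reports"  # path from the error in this issue
    print("before:", match(parse_routers(BEFORE), INTERNAL, path))
    print("after: ", match(parse_routers(BEFORE + ADDED), INTERNAL, path))
    print("internal surface:", exposed_prefixes(parse_routers(BEFORE + ADDED), INTERNAL))
```

The `exposed_prefixes` result is the part to review after such a change: it lists every path, now including `/_synapse/admin`, that a client of the internal entrypoint can request, with Synapse's own admin access-token check as the remaining gate.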

HarHarLinks commented 5 months ago

according to https://matrix.to/#/!IaWNErZAgQUhGqJXjX:matrix.org/$n0CH1nAI791tE1AU6ofznnw_Njw4yGzg9qitcFhvXiI?via=matrix.org&via=envs.net&via=ubuntu.com polling is broken anyway, so until fixed something else entirely should be done