Closed bessw closed 1 week ago
Server works after rollback to 4bb16fe (did not test anything in between due to lack of time)
We recently had someone report and solve the same issue to our Matrix room.
The problem is that the Traefik role now defines a `compression` middleware in the `provider.yml` file. This file is loaded from the main configuration (`traefik.yml`) using the file configuration provider.
The introduction and usage of this `compression` middleware is related to a new feature we've added: HTTP-compression support for Traefik-based setups.
Your configuration:

```yaml
traefik_configuration_extension_yaml: |
  providers:
    file:
      filename: /config/certificates.yml
      watch: true
```
.. points Traefik's file provider to the `certificates.yml` file. The default configuration (in `traefik.yml`) normally points it to the `provider.yml` file (managed by the playbook), which defines the `compression` middleware (among other things).
Your having overridden where the file provider loads its configuration means you don't get the `compression` middleware in your setup, and other services which try to use it will fail.
You can generally make Traefik load multiple file provider files by pointing it to a directory, instead of a single file.
However, it's better to relocate your custom config (which you put in `certificates.yml`) to the default `provider.yml` file.
To do this, you can use the `traefik_provider_configuration_extension_yaml` variable, which directly extends the default `provider.yml` file (not to be confused with the other `traefik_configuration_extension_yaml` variable, which extends the main Traefik configuration file, `traefik.yml`).
The person in our Matrix room who suffered from this problem ended up with a configuration like this:
```yaml
traefik_provider_configuration_extension_yaml: |
  tls:
    certificates:
      - certFile: /ssl/cert.pem
        keyFile: /ssl/privkey.pem
    stores:
      default:
        defaultCertificate:
          certFile: /ssl/cert.pem
          keyFile: /ssl/privkey.pem

aux_file_definitions:
  # Create the privkey.pem file on the server by
  # uploading a file from the computer where Ansible is running.
  - dest: "{{ traefik_ssl_dir_path }}/privkey.pem"
    src: /path/to/privkey.pem
  # Create the cert.pem file on the server by
  # uploading a file from the computer where Ansible is running.
  - dest: "{{ traefik_ssl_dir_path }}/cert.pem"
    src: /path/to/cert.pem
  # Create the custom Traefik configuration.
  # The `/ssl/..` paths below are in-container paths, not paths on the host (/`matrix/traefik/ssl/..`). Do not change them!
```
This matches the configuration recommended in the Using your own SSL certificates section of our documentation (`docs/configuring-playbook-ssl-certificates.md`). This section is already up-to-date with these instructions and has been for a while.
It seems like you're not installing the SSL certificate files via Ansible (with the help of the AUX role, via `aux_file_definitions`), so you may need to adjust this.
Perhaps you can replace your usage of the `traefik_configuration_extension_yaml` and `aux_file_definitions` variables with this:

```yaml
traefik_provider_configuration_extension_yaml: |
  tls:
    certificates:
      - certFile: /ssl/example.com/fullchain.pem
        keyFile: /ssl/example.com/privkey.pem
    stores:
      default:
        defaultCertificate:
          certFile: /ssl/example.com/fullchain.pem
          keyFile: /ssl/example.com/privkey.pem
```
I guess that your setup predates these new configuration recommendations (seen in the Using your own SSL certificates section of our documentation). You've been doing things another way which used to work until now, but now breaks because of the new HTTP-compression feature.
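The following is an added example, not code from the playbook or from anyone in this thread. It models the two extension variables discussed above (`traefik_configuration_extension_yaml` extending `traefik.yml`, `traefik_provider_configuration_extension_yaml` extending `provider.yml`) and the directory alternative, and runs a check for `name@file` middleware references that the loaded file-provider configuration does not define, which is the failure the issue describes. Assumptions, stated in the code as well: the playbook merges each extension into its base file with a recursive dictionary merge (imitated by `deep_merge`), the default `traefik.yml` points the file provider at `/config/provider.yml`, the default `provider.yml` defines `http.middlewares.compression.compress`, and routers reference it as `compression@file`. The YAML files are represented as plain Python dictionaries so the script runs offline.

```python
from copy import deepcopy

# Constructed stand-ins for the playbook's defaults (assumed shape, not the real files).
BASE_TRAEFIK_YML = {
    "providers": {"file": {"filename": "/config/provider.yml", "watch": True}},
}
BASE_PROVIDER_YML = {
    "http": {"middlewares": {"compression": {"compress": {}}}},
}

# The issue author's traefik_configuration_extension_yaml: repoints the file provider.
BROKEN_MAIN_EXTENSION = {
    "providers": {"file": {"filename": "/config/certificates.yml", "watch": True}},
}
# The maintainer's suggestion as traefik_provider_configuration_extension_yaml.
TLS_PROVIDER_EXTENSION = {
    "tls": {
        "certificates": [
            {"certFile": "/ssl/example.com/fullchain.pem",
             "keyFile": "/ssl/example.com/privkey.pem"},
        ],
        "stores": {"default": {"defaultCertificate": {
            "certFile": "/ssl/example.com/fullchain.pem",
            "keyFile": "/ssl/example.com/privkey.pem"}}},
    },
}
# Stand-in for the certificates.yml the author shipped via aux_file_definitions.
CERTIFICATES_YML = deepcopy(TLS_PROVIDER_EXTENSION)

# What the playbook's routers reference (assumed from the error in the issue).
ROUTER_MIDDLEWARES = ["compression@file"]


def deep_merge(base, extension):
    """Recursive merge: nested dicts merge key by key, anything else is replaced.
    Assumed to mirror how the *_extension_yaml variables are combined."""
    result = deepcopy(base)
    for key, value in extension.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = deep_merge(result[key], value)
        else:
            result[key] = deepcopy(value)
    return result


def file_provider_dynamic_config(main_config, files_on_disk):
    """Dynamic config Traefik's file provider would load from `main_config`.
    `files_on_disk` maps in-container paths to parsed content. Traefik takes
    either `filename` or `directory`; both at once is a configuration error."""
    fp = main_config["providers"]["file"]
    if "filename" in fp and "directory" in fp:
        raise ValueError("file provider: filename and directory are mutually exclusive")
    if "filename" in fp:
        paths = [fp["filename"]]
    else:
        prefix = fp["directory"].rstrip("/") + "/"
        paths = sorted(p for p in files_on_disk if p.startswith(prefix))
    merged = {}
    for path in paths:
        if path not in files_on_disk:
            raise FileNotFoundError(path)
        merged = deep_merge(merged, files_on_disk[path])
    return merged


def missing_file_middlewares(dynamic_config, referenced):
    """Return `name@file` references that the loaded dynamic config does not
    define; a non-empty result is the 'middleware X@file does not exist' case."""
    defined = set(dynamic_config.get("http", {}).get("middlewares", {}))
    return [ref for ref in referenced
            if ref.endswith("@file") and ref[:-len("@file")] not in defined]


def scenario_broken():
    """traefik.yml repointed to certificates.yml: provider.yml is never read."""
    main = deep_merge(BASE_TRAEFIK_YML, BROKEN_MAIN_EXTENSION)
    disk = {"/config/provider.yml": BASE_PROVIDER_YML,
            "/config/certificates.yml": CERTIFICATES_YML}
    dynamic = file_provider_dynamic_config(main, disk)
    return missing_file_middlewares(dynamic, ROUTER_MIDDLEWARES), dynamic


def scenario_fixed():
    """TLS config merged into provider.yml; traefik.yml left at its default."""
    provider = deep_merge(BASE_PROVIDER_YML, TLS_PROVIDER_EXTENSION)
    disk = {"/config/provider.yml": provider}
    dynamic = file_provider_dynamic_config(BASE_TRAEFIK_YML, disk)
    return missing_file_middlewares(dynamic, ROUTER_MIDDLEWARES), dynamic


def scenario_directory():
    """The directory alternative: every file under /config is loaded."""
    main = {"providers": {"file": {"directory": "/config", "watch": True}}}
    disk = {"/config/provider.yml": BASE_PROVIDER_YML,
            "/config/certificates.yml": CERTIFICATES_YML}
    dynamic = file_provider_dynamic_config(main, disk)
    return missing_file_middlewares(dynamic, ROUTER_MIDDLEWARES), dynamic


if __name__ == "__main__":
    for name, fn in (("broken", scenario_broken), ("fixed", scenario_fixed),
                     ("directory", scenario_directory)):
        missing, dynamic = fn()
        print(f"{name}: missing={missing} tls={'tls' in dynamic}")
```

The broken scenario reports `compression@file` as missing even though the TLS settings did load, which is exactly the silent trade the single-`filename` override makes; the other two keep the playbook's middleware while adding the certificates.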
Describe the bug
After the update synapse, element-web, etc. aren't reachable any more (Error 404). Server logs error `middleware compression@file does not exist`.
To Reproduce
My `vars.yml` file looks like this
```yaml
# data path
matrix_base_data_path: '/opt/matrix'
#matrix_playbook_docker_installation_enabled: false
matrix_domain: example.com

##############################
# reverse proxy config

## enable traefik
matrix_playbook_reverse_proxy_type: playbook-managed-traefik

# Disable automatic ACME / Let's Encrypt cert renewal.
#traefik_config_certificatesResolvers_acme_enabled: false
traefik_config_certificatesResolvers_acme_enabled: true
traefik_config_certificatesResolvers_acme_use_staging: false
traefik_config_certificatesResolvers_acme_email: max@example.com

##############################
# DNS SRV record based server discovery
# docs/howto-srv-server-delegation.md

# Tell Traefik to load our custom configuration file (certificates.yml).
# The file is created below, in `aux_file_definitions`.
# The `/config/..` path is an in-container path, not a path on the host (like `/traefik/config`). Do not change it!
traefik_configuration_extension_yaml: |
  providers:
    file:
      filename: /config/certificates.yml
      watch: true

# Use the Auxiliary file role to create our custom files on the server.
aux_file_definitions:
  # Create the custom Traefik configuration.
  # The `/ssl/..` paths below are in-container paths, not paths on the host (/`traefik/ssl/..`). Do not change them!
  - dest: "{{ traefik_config_dir_path }}/certificates.yml"
    content: |
      tls:
        certificates:
          - certFile: /ssl/example.com/fullchain.pem
            keyFile: /ssl/example.com/privkey.pem
        stores:
          default:
            defaultCertificate:
              certFile: /ssl/example.com/fullchain.pem
              keyFile: /ssl/example.com/privkey.pem

matrix_synapse_container_labels_public_federation_api_traefik_hostname: "{{ matrix_domain }}"
# DNS SRV record based server discovery
##############################

# end reverse proxy config
#############################

# A list of 3PID types which users must supply when registering (possible values: email, msisdn).
matrix_synapse_registrations_require_3pid: [ 'email' ]

# Whether clients can request to include message content in push notifications
# sent through third party servers. Setting this to false requires mobile clients
# to load message content directly from the homeserver.
matrix_synapse_push_include_content: false

## public room directory to allow users to view spaces
matrix_synapse_allow_public_rooms_without_auth: true
matrix_synapse_allow_public_rooms_over_federation: true

######################
## my optional configs
######################

# decrease disk usage by system journal
traefik_config_accessLog_enabled: false
#traefik_config_log_level: DEBUG
matrix_synapse_reverse_proxy_companion_access_log_enabled: false
#matrix_synapse_log_level: ERROR
#matrix_synapse_max_upload_size_mb: 512
#matrix_synapse_presence_enabled: false

#admin webinterface (exposes the admin api)
matrix_synapse_admin_enabled: true

matrix_bot_maubot_enabled: true
matrix_bot_maubot_login: rss.bot
matrix_bot_maubot_admins:
  - someone: abc

# if not own identity server
#matrix_identity_server_url:

# Your identity server is private by default.
# To ensure maximum discovery, you can make your identity server
# also forward lookups to the central matrix.org Identity server
# (at the cost of potentially leaking all your contacts information).
# Enabling this is discouraged. Learn more here: https://github.com/ma1uta/ma1sd/blob/master/docs/features/identity.md#lookups
#matrix_ma1sd_matrixorg_forwarding_enabled: false
```

Update from a version before compression was enabled to the latest version.
Expected behavior
The server is reachable after the update and the changelog tells me in case I have to do something manually.
Matrix Server: