From 149c3db6cd127dc672e2508691e31b420846ca10 Mon Sep 17 00:00:00 2001 From: Brett Bethke <10068296+bb4242@users.noreply.github.com> Date: Tue, 19 Oct 2021 15:41:57 -0500 Subject: [PATCH 1/3] Add domain specific matching for haproxy config I ran into trouble getting federation working properly with the haproxy config specified here. After some debugging, I discovered that many federation HTTP requests, including the ones sent by the [federation tester](https://federationtester.matrix.org/), include the port number in the HTTP Host header field. For example, instead of `Host: matrix.example.com`, these federation requests look like `Host: matrix.example.com:443`. At least on haproxy 2.3, the extra port information causes the `acl matrix-host hdr(host) -i matrix.example.com` match to fail, since this is looking for an exact string match by default according to the [haproxy docs](http://cbonte.github.io/haproxy-dconv/2.3/configuration.html#7.1). This failure, in turn, causes haproxy to return error codes and causes federation to fail. Using `hdr_dom(host)`, which ignores the port information, fixes the issue in my setup. Signed-off-by: Brett Bethke <10068296+bb4242@users.noreply.github.com> --- changelog.d/11128.doc | 1 + docs/reverse_proxy.md | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 changelog.d/11128.doc diff --git a/changelog.d/11128.doc b/changelog.d/11128.doc new file mode 100644 index 000000000000..d377c191abf9 --- /dev/null +++ b/changelog.d/11128.doc @@ -0,0 +1 @@ +Improve example HAProxy config in the docs to properly handle host headers with port information. This is required for federation to work correctly. diff --git a/docs/reverse_proxy.md b/docs/reverse_proxy.md index bc351d604e40..9517123da449 100644 --- a/docs/reverse_proxy.md +++ b/docs/reverse_proxy.md 
@@ -188,7 +188,7 @@ frontend https http-request set-header X-Forwarded-For %[src] # Matrix client traffic - acl matrix-host hdr(host) -i matrix.example.com + acl matrix-host hdr_dom(host) -i matrix.example.com acl matrix-path path_beg /_matrix acl matrix-path path_beg /_synapse/client From 445055388b21b4f022346b268352aa327c426b2c Mon Sep 17 00:00:00 2001 From: Brett Bethke <10068296+bb4242@users.noreply.github.com> Date: Thu, 21 Oct 2021 11:51:57 -0500 Subject: [PATCH 2/3] Switch to a different matching syntax `hdr_dom(host) -i matrix.example.com` also allows matching on subdomains like `anything.matrix.example.com`, which we don't want to allow. --- docs/reverse_proxy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/reverse_proxy.md b/docs/reverse_proxy.md index 9517123da449..15d46a4adbce 100644 --- a/docs/reverse_proxy.md +++ b/docs/reverse_proxy.md @@ -188,7 +188,7 @@ frontend https http-request set-header X-Forwarded-For %[src] # Matrix client traffic - acl matrix-host hdr_dom(host) -i matrix.example.com + acl matrix-host hdr(host) -i matrix.example.com matrix.example.com:443 acl matrix-path path_beg /_matrix acl matrix-path path_beg /_synapse/client From cabc3897fc2e16e5c00d4fc2ee771d336ec9f1b0 Mon Sep 17 00:00:00 2001 From: reivilibre Date: Mon, 1 Nov 2021 13:48:20 +0000 Subject: [PATCH 3/3] Update changelog.d/11128.doc --- changelog.d/11128.doc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/changelog.d/11128.doc b/changelog.d/11128.doc index d377c191abf9..c0246792187c 100644 --- a/changelog.d/11128.doc +++ b/changelog.d/11128.doc @@ -1 +1 @@ -Improve example HAProxy config in the docs to properly handle host headers with port information. This is required for federation to work correctly. +Improve example HAProxy config in the docs to properly handle host headers with port information. This is required for federation over port 443 to work correctly.
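Review bot: the first `docs/reverse_proxy.md` hunk (patch 1/3, `hdr(host)` to `hdr_dom(host)`) widens the ACL beyond the intended host: `hdr_dom` is a domain-component match, so `-i matrix.example.com` also accepts `Host: anything.matrix.example.com`, meaning any name that resolves to this proxy and ends in the Synapse domain gets routed to the `matrix` backend. Keep the exact-string semantics of `hdr(host)` and handle the trailing `:443` explicitly instead (the follow-up patch in this series does exactly that); this hunk should not be merged on its own.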
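Review bot: the second `docs/reverse_proxy.md` hunk (patch 2/3, `acl matrix-host hdr(host) -i matrix.example.com matrix.example.com:443`) enumerates one port, so a `Host` header carrying any other port (for example a federation listener on 8448 bound to the same `frontend https`) still falls through the ACL and fails the way the commit message describes. A port-agnostic but still exact match is to strip everything after the first colon with the `field` converter, e.g. `acl matrix-host hdr(host),field(1,:) -i matrix.example.com`; unlike `hdr_dom` this does not admit subdomains. Whichever form is kept, please add a one-line comment above the `acl` in the example explaining that federation clients send `Host: matrix.example.com:443`, otherwise the second pattern looks redundant and is likely to be "cleaned up" by a later edit.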
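Review bot: the `changelog.d/11128.doc` hunk in patch 3/3 correctly narrows the claim to "federation over port 443", which matches what the final ACL (`matrix.example.com matrix.example.com:443`) actually covers; if the doc example is later changed to strip the port rather than list it, this newsfragment should be widened again in the same change so the two stay consistent.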