Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Matrix Synapse behind HAProxy on pfSense

    Cache/Proxy
    haproxy matrix synapse firewall rules
    3
    3
    826
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      frostys last edited by

      Hello,
      I am currently trying to deploy a Synapse instance behind pfSense with HAProxy.
      Synapse itself works fine, but the federation part of Synapse is not working at all.
      Response from federationtester.matrix.org:

      {
  "WellKnownResult": {
    "m.server": "",
    "result": "Get \"https://matrix.domain.tld/.well-known/matrix/server\": dial tcp MYIP:443: i/o timeout",
    "CacheExpiresAt": 0
  },
  "DNSResult": {
    "SRVSkipped": false,
    "SRVCName": "",
    "SRVRecords": null,
    "SRVError": {
      "Message": "lookup _matrix._tcp.matrix.domain.tld on 8.8.8.8:53: no such host"
    },
    "Hosts": {
      "matrix.domain.tld": {
        "CName": "mycname.",
        "Addrs": [
          "MYIP"
        ],
        "Error": null
      }
    },
    "Addrs": [
      "MYIP:8448"
    ]
  },
  "ConnectionReports": {},
  "ConnectionErrors": {
    "MYIP8448": {
      "Message": "Get \"https://MYIP:8448/_matrix/key/v2/server\": context deadline exceeded (Client.Timeout exceeded while awaiting headers)"
    }
  },
  "Version": {
    "error": "Get \"matrix://matrix.domain.tld/_matrix/federation/v1/version\": context deadline exceeded (Client.Timeout exceeded while awaiting headers)"
  },
  "FederationOK": false
}

      For setting up I used this Ansible playbook.

      I also tried multiple different configurations for the federation HAProxy part, but to no avail.

      I am hoping someone here did setup Synapse behind HAProxy on pfSense and can help me out here.

      1 Reply Last reply Reply Quote 0
      • B
        Baker0052 last edited by Baker0052

        Got mine working here with Pfsense, HAProxy and the same Ansible script.
        Matrix Federation Tester Output

        {
  "WellKnownResult": {
    "m.server": "",
    "result": "Get \"https://MYDOMAIN/.well-known/matrix/server\": x509: certificate has expired or is not yet valid: current time 2021-12-30T22:11:39Z is after 2019-07-20T00:20:42Z",
    "CacheExpiresAt": 0
  },
  "DNSResult": {
    "SRVSkipped": false,
    "SRVCName": "_matrix._tcp.MYDOMAIN.",
    "SRVRecords": [
      {
        "Target": "matrix.MYDOMAIN.",
        "Port": 8448,
        "Priority": 10,
        "Weight": 0
      }
    ],
    "SRVError": null,
    "Hosts": {
      "matrix.MYDOMAIN.": {
        "CName": "matrix.MYDOMAIN.",
        "Addrs": [
          "MY.IP.Addr.Rss"
        ],
        "Error": null
      }
    },
    "Addrs": [
      "MY.IP.Addr.Rss:8448"
    ]
  },
  "ConnectionReports": {
    "MY.IP.Addr.Rss:8448": {
      "Certificates": [
        {
          "SubjectCommonName": "MYDOMAIN",
          "IssuerCommonName": "R3",
          "SHA256Fingerprint": "mNxQhNc5kh0y/m0M/lNmUT6tH/ZagjQ+yd/fHuKqwRA",
          "DNSNames": [
            "MYDOMAIN"
          ]
        },
        {
          "SubjectCommonName": "R3",
          "IssuerCommonName": "ISRG Root X1",
          "SHA256Fingerprint": "Z63RFmsCCuYbj1/JaBPATCqliZYHloZVcqPH5zdhPf0",
          "DNSNames": null
        },
        {
          "SubjectCommonName": "ISRG Root X1",
          "IssuerCommonName": "DST Root CA X3",
          "SHA256Fingerprint": "bZn7Jl6xxbN0R2X8vGSPPNjhv/r9xML5m51Hz3/xwk8",
          "DNSNames": null
        }
      ],
      "Cipher": {
        "Version": "TLS 1.3",
        "CipherSuite": "TLS_AES_256_GCM_SHA384"
      },
      "Checks": {
        "AllChecksOK": true,
        "MatchingServerName": true,
        "FutureValidUntilTS": true,
        "HasEd25519Key": true,
        "AllEd25519ChecksOK": true,
        "Ed25519Checks": {
          "ed25519:a_uphM": {
            "ValidEd25519": true,
            "MatchingSignature": true
          }
        },
        "ValidCertificates": true
      },
      "Errors": [],
      "Ed25519VerifyKeys": {
        "ed25519:a_uphM": "X9d+yyyMpzQ/KmWXvTScn13Iiki/k8H5tyxii9y64rw"
      },
      "Info": {},
      "Keys": {
        "old_verify_keys": {},
        "server_name": "MYDOMAIN",
        "signatures": {
          "MYDOMAIN": {
            "ed25519:a_uphM": "huZnEh+oLK2aKPspuQx5iq12e0QO3I1igbx2vZ513awgDHPieRuw1JUitm1z+kvWWFu6ZCT7W1dBFHyIann3Cg"
          }
        },
        "valid_until_ts": 1640988673800,
        "verify_keys": {
          "ed25519:a_uphM": {
            "key": "X9d+yyyMpzQ/KmWXvTScn13Iiki/k8H5tyxii9y64rw"
          }
        }
      }
    }
  },
  "ConnectionErrors": {},
  "Version": {
    "name": "Synapse",
    "version": "1.49.2"
  },
  "FederationOK": true
}

        Your HAProxy Config would be helpfull

        1 Reply Last reply Reply Quote 0
        • T
          tiran last edited by

          Hi @Baker0052 keen to share your haproxy conf. I have the same problem and cannot figure it out.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post