    Matrix Synapse behind HAProxy on pfSense

    • frostys

      Hello,
      I am currently trying to deploy a Synapse instance behind pfSense with HAProxy.
      Synapse itself works fine, but the federation part of Synapse is not working at all.
      Response from federationtester.matrix.org:

      {
        "WellKnownResult": {
          "m.server": "",
          "result": "Get \"https://matrix.domain.tld/.well-known/matrix/server\": dial tcp MYIP:443: i/o timeout",
          "CacheExpiresAt": 0
        },
        "DNSResult": {
          "SRVSkipped": false,
          "SRVCName": "",
          "SRVRecords": null,
          "SRVError": {
            "Message": "lookup _matrix._tcp.matrix.domain.tld on 8.8.8.8:53: no such host"
          },
          "Hosts": {
            "matrix.domain.tld": {
              "CName": "mycname.",
              "Addrs": [
                "MYIP"
              ],
              "Error": null
            }
          },
          "Addrs": [
            "MYIP:8448"
          ]
        },
        "ConnectionReports": {},
        "ConnectionErrors": {
          "MYIP8448": {
            "Message": "Get \"https://MYIP:8448/_matrix/key/v2/server\": context deadline exceeded (Client.Timeout exceeded while awaiting headers)"
          }
        },
        "Version": {
          "error": "Get \"matrix://matrix.domain.tld/_matrix/federation/v1/version\": context deadline exceeded (Client.Timeout exceeded while awaiting headers)"
        },
        "FederationOK": false
      }
      

      For setting up I used this Ansible playbook.

      I also tried multiple different configurations for the federation HAProxy part, but to no avail.

      I am hoping someone here did set up Synapse behind HAProxy on pfSense and can help me out here.

      • Baker0052

        Got mine working here with pfSense, HAProxy and the same Ansible script.
        Matrix Federation Tester Output

        {
          "WellKnownResult": {
            "m.server": "",
            "result": "Get \"https://MYDOMAIN/.well-known/matrix/server\": x509: certificate has expired or is not yet valid: current time 2021-12-30T22:11:39Z is after 2019-07-20T00:20:42Z",
            "CacheExpiresAt": 0
          },
          "DNSResult": {
            "SRVSkipped": false,
            "SRVCName": "_matrix._tcp.MYDOMAIN.",
            "SRVRecords": [
              {
                "Target": "matrix.MYDOMAIN.",
                "Port": 8448,
                "Priority": 10,
                "Weight": 0
              }
            ],
            "SRVError": null,
            "Hosts": {
              "matrix.MYDOMAIN.": {
                "CName": "matrix.MYDOMAIN.",
                "Addrs": [
                  "MY.IP.Addr.Rss"
                ],
                "Error": null
              }
            },
            "Addrs": [
              "MY.IP.Addr.Rss:8448"
            ]
          },
          "ConnectionReports": {
            "MY.IP.Addr.Rss:8448": {
              "Certificates": [
                {
                  "SubjectCommonName": "MYDOMAIN",
                  "IssuerCommonName": "R3",
                  "SHA256Fingerprint": "mNxQhNc5kh0y/m0M/lNmUT6tH/ZagjQ+yd/fHuKqwRA",
                  "DNSNames": [
                    "MYDOMAIN"
                  ]
                },
                {
                  "SubjectCommonName": "R3",
                  "IssuerCommonName": "ISRG Root X1",
                  "SHA256Fingerprint": "Z63RFmsCCuYbj1/JaBPATCqliZYHloZVcqPH5zdhPf0",
                  "DNSNames": null
                },
                {
                  "SubjectCommonName": "ISRG Root X1",
                  "IssuerCommonName": "DST Root CA X3",
                  "SHA256Fingerprint": "bZn7Jl6xxbN0R2X8vGSPPNjhv/r9xML5m51Hz3/xwk8",
                  "DNSNames": null
                }
              ],
              "Cipher": {
                "Version": "TLS 1.3",
                "CipherSuite": "TLS_AES_256_GCM_SHA384"
              },
              "Checks": {
                "AllChecksOK": true,
                "MatchingServerName": true,
                "FutureValidUntilTS": true,
                "HasEd25519Key": true,
                "AllEd25519ChecksOK": true,
                "Ed25519Checks": {
                  "ed25519:a_uphM": {
                    "ValidEd25519": true,
                    "MatchingSignature": true
                  }
                },
                "ValidCertificates": true
              },
              "Errors": [],
              "Ed25519VerifyKeys": {
                "ed25519:a_uphM": "X9d+yyyMpzQ/KmWXvTScn13Iiki/k8H5tyxii9y64rw"
              },
              "Info": {},
              "Keys": {
                "old_verify_keys": {},
                "server_name": "MYDOMAIN",
                "signatures": {
                  "MYDOMAIN": {
                    "ed25519:a_uphM": "huZnEh+oLK2aKPspuQx5iq12e0QO3I1igbx2vZ513awgDHPieRuw1JUitm1z+kvWWFu6ZCT7W1dBFHyIann3Cg"
                  }
                },
                "valid_until_ts": 1640988673800,
                "verify_keys": {
                  "ed25519:a_uphM": {
                    "key": "X9d+yyyMpzQ/KmWXvTScn13Iiki/k8H5tyxii9y64rw"
                  }
                }
              }
            }
          },
          "ConnectionErrors": {},
          "Version": {
            "name": "Synapse",
            "version": "1.49.2"
          },
          "FederationOK": true
        }
        

        Your HAProxy config would be helpful.

        • tiran

          Hi @Baker0052, keen to share your HAProxy conf? I have the same problem and cannot figure it out.

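Added example, not part of any post in this thread: a small triage of the two federation tester reports quoted above, showing which discovery path (.well-known, SRV, port 8448) failed and how. The field names are the ones in the posted output; the function names and failure class labels are assumptions made for this example, and both sample reports are trimmed copies of the posted JSON.

```python
# Added example: triage of federationtester.matrix.org JSON reports.
# Field names come from the output quoted in the thread; the class labels
# and function names are hypothetical, chosen for this example.

def classify(msg):
    """Map a tester error string to a coarse failure class."""
    m = msg.lower()
    if "dial tcp" in m and "i/o timeout" in m:
        return "tcp-connect-timeout"   # TCP handshake never completed
    if "deadline exceeded" in m:
        return "request-timeout"       # no response headers before the deadline
    if "x509" in m:
        return "tls-certificate"       # certificate validation failed
    return "other" if m else "none"

def triage(report):
    """Summarise which discovery paths worked and which targets answered."""
    wk = report.get("WellKnownResult", {})
    dns = report.get("DNSResult", {})
    return {
        "federation_ok": bool(report.get("FederationOK")),
        # a non-empty m.server means the .well-known delegation was fetched
        "well_known": "ok" if wk.get("m.server") else classify(wk.get("result", "")),
        "srv": "present" if dns.get("SRVRecords") else "absent",
        "targets": dns.get("Addrs") or [],
        "reachable": sorted(report.get("ConnectionReports", {})),
        "unreachable": {addr: classify(err.get("Message", ""))
                        for addr, err in report.get("ConnectionErrors", {}).items()},
    }

# Constructed sample input: trimmed copies of the two reports in the thread.
FAILING = {
    "WellKnownResult": {"m.server": "", "result": 'Get "https://matrix.domain.tld/.well-known/matrix/server": dial tcp MYIP:443: i/o timeout'},
    "DNSResult": {"SRVRecords": None, "Addrs": ["MYIP:8448"]},
    "ConnectionReports": {},
    "ConnectionErrors": {"MYIP8448": {"Message": 'Get "https://MYIP:8448/_matrix/key/v2/server": context deadline exceeded (Client.Timeout exceeded while awaiting headers)'}},
    "FederationOK": False,
}
WORKING = {
    "WellKnownResult": {"m.server": "", "result": 'Get "https://MYDOMAIN/.well-known/matrix/server": x509: certificate has expired or is not yet valid'},
    "DNSResult": {"SRVRecords": [{"Target": "matrix.MYDOMAIN.", "Port": 8448}], "Addrs": ["MY.IP.Addr.Rss:8448"]},
    "ConnectionReports": {"MY.IP.Addr.Rss:8448": {"Checks": {"AllChecksOK": True}}},
    "ConnectionErrors": {},
    "FederationOK": True,
}

if __name__ == "__main__":
    for name, rep in (("frostys", FAILING), ("Baker0052", WORKING)):
        print(name, triage(rep))
```

In the first report neither port 443 nor port 8448 answered the tester in time and no SRV record exists, which is a reachability question (firewall rule, frontend listening on that port) to settle before Synapse's own federation settings. The second report federates through its SRV record on 8448 even though the .well-known fetch fails on an expired certificate.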