From 58ca2e7dfddbebbbcde32fdb49de181768033623 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Mon, 4 Feb 2019 09:03:43 -0600 Subject: [PATCH 1/2] Turn off IPv6 when using your own Nginx server Docker apparently doesn't like IPv6. --- .../templates/nginx/conf.d/matrix-synapse.conf.j2 | 1 + roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 6 ++---- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 734ddb5b2..6417b77ce 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -110,6 +110,7 @@ server { {% else %} {# Generic configuration for use outside of our container setup #} proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container }}; + resolver 127.0.0.1 ipv6=off; {% endif %} proxy_set_header Host $host; diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index e6537ef09..2cca864ee 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -144,9 +144,7 @@ listeners: # On Linux and Mac OS, `::` will listen on all IPv4 and IPv6 # addresses by default. For most other OSes, this will only listen # on IPv6. - bind_addresses: - - '::' - - '0.0.0.0' + bind_addresses: ['::'] # This is a 'http' listener, allows us to specify 'resources'. type: http @@ -174,7 +172,7 @@ listeners: # For when matrix traffic passes through loadbalancer that unwraps TLS. - port: 8008 tls: false - bind_addresses: ['::', '0.0.0.0'] + bind_addresses: ['::'] type: http x_forwarded: true From 1f0cc92b330b425ce8da1e9958ea39e797bf5ace Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Mon, 4 Feb 2019 09:49:45 -0600 Subject: [PATCH 2/2] Use IPv4 localhost everywhere (or almost everywhere) --- group_vars/matrix-servers | 8 ++++---- roles/matrix-nginx-proxy/defaults/main.yml | 8 ++++---- .../templates/nginx/conf.d/matrix-riot-web.conf.j2 | 4 ++-- .../templates/nginx/conf.d/matrix-synapse.conf.j2 | 3 +-- roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml | 2 +- 5 files changed, 12 insertions(+), 13 deletions(-) diff --git a/group_vars/matrix-servers b/group_vars/matrix-servers index 9f1d37de2..7b14b4e1b 100644 --- a/group_vars/matrix-servers +++ b/group_vars/matrix-servers @@ -167,7 +167,7 @@ matrix_mxisd_systemd_wanted_services_list: | matrix_nginx_proxy_enabled: true matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-synapse:8008' }}" -matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "{{ 'localhost:41080' if matrix_corporal_enabled else 'localhost:8008' }}" +matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "{{ '127.0.0.1:41080' if matrix_corporal_enabled else '127.0.0.1:8008' }}" matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: "{{ matrix_synapse_max_upload_size_mb }}" matrix_nginx_proxy_proxy_matrix_enabled: true @@ -175,15 +175,15 @@ matrix_nginx_proxy_proxy_riot_enabled: "{{ matrix_riot_web_enabled }}" matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled }}" matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" -matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "localhost:41081" +matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081" matrix_nginx_proxy_proxy_matrix_identity_api_enabled: "{{ matrix_mxisd_enabled }}" matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-mxisd:8090" -matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "localhost:8090" +matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:8090" matrix_nginx_proxy_proxy_synapse_metrics: "{{ matrix_synapse_metrics_enabled }}" matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container: "matrix-synapse:{{ matrix_synapse_metrics_port }}" -matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container: "localhost:{{ matrix_synapse_metrics_port }}" +matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container: "127.0.0.1:{{ matrix_synapse_metrics_port }}" matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_mxisd_enabled }}" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}" diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 7ae4bd001..93e9ffee7 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -25,19 +25,19 @@ matrix_nginx_proxy_proxy_matrix_hostname: "{{ hostname_matrix }}" # Controls whether proxying for the matrix-corporal API (`/_matrix/corporal`) should be done (on the matrix domain) matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" -matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "localhost:41081" +matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081" # Controls whether proxying for the User Directory Search API (`/_matrix/client/r0/user_directory/search`) should be done (on the matrix domain). # This can be used to forward the API endpoint to another service, augmenting the functionality of Synapse's own User Directory Search. # To learn more, see: https://github.com/kamax-matrix/mxisd/blob/master/docs/features/directory.md matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-mxisd:8090" -matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "localhost:8090" +matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "127.0.0.1:8090" # Controls whether proxying for the Identity API (`/_matrix/identity`) should be done (on the matrix domain) matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-mxisd:8090" -matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "localhost:8090" +matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:8090" # Controls whether proxying for metrics (`/_synapse/metrics`) should be done (on the matrix domain) matrix_nginx_proxy_proxy_synapse_metrics: false @@ -47,7 +47,7 @@ matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: "" # The addresses where the Matrix Client API is. # Certain extensions (like matrix-corporal) may override this in order to capture all traffic. matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-synapse:8008" -matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "localhost:8008" +matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:8008" # This needs to be equal or higher than the maximum upload size accepted by Synapse. matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 25 diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index 578a7e0c3..661a5f31b 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -12,7 +12,7 @@ server { proxy_pass http://$backend; {% else %} {# Generic configuration for use outside of our container setup #} - proxy_pass http://localhost:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; + proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; {% endif %} } @@ -47,7 +47,7 @@ server { proxy_pass http://$backend; {% else %} {# Generic configuration for use outside of our container setup #} - proxy_pass http://localhost:8765; + proxy_pass http://127.0.0.1:8765; {% endif %} proxy_set_header Host $host; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 6417b77ce..a357e862c 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -12,7 +12,7 @@ server { proxy_pass http://$backend; {% else %} {# Generic configuration for use outside of our container setup #} - proxy_pass http://localhost:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; + proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; {% endif %} } @@ -110,7 +110,6 @@ server { {% else %} {# Generic configuration for use outside of our container setup #} proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container }}; - resolver 127.0.0.1 ipv6=off; {% endif %} proxy_set_header Host $host; diff --git a/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml b/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml index 189c9356a..51a68336e 100644 --- a/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml +++ b/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml @@ -102,7 +102,7 @@ proxy_pass http://$backend; {% else %} {# Generic configuration for use outside of our container setup #} - proxy_pass http://localhost:8080; + proxy_pass http://127.0.0.1:8080; {% endif %} }