Fix matrix federation

Apparently this has been broken since like March... It seems communication over port 8448 is required for server-to-server comms, even if the client doesn't use it.
2021-06-12 16:47:51 +01:00 · 2021-06-12 16:47:51 +01:00 · 33fcf1a9e5
commit 33fcf1a9e5
parent 94e4592db6
5 changed files with 5 additions and 24 deletions
--- a/ansible/roles/gateway/files/haproxy-fail2ban-jail.conf
+++ b/ansible/roles/gateway/files/haproxy-fail2ban-jail.conf
@ -6,11 +6,11 @@ maxretry = 100
 filter   = haproxy-basic
 backend  = systemd
 journalmatch = _COMM=haproxy
-port     = http,https,{{ haproxy.exposed_ports | join(",") }}
+port     = http,https,8448
 ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }}

 [traefik]
 enabled = true
 filter = haproxy-basic  # Not actually used
-port     = http,https,{{ haproxy.exposed_ports | join(",") }}
+port     = http,https,8448
 ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }}
--- a/ansible/roles/gateway/files/haproxy.cfg
+++ b/ansible/roles/gateway/files/haproxy.cfg
@ -35,11 +35,7 @@ listen http
  timeout server  10m
  server default {{ wireguard.clients.ingress.ip }}:880 check

-{% for port in haproxy.exposed_ports %}
-
-listen expose_{{ port }}
-  bind *:{{ port }}
+listen matrix
+  bind *:8448
  mode tcp
-  server default {{ wireguard.clients.ingress.ip }}:{{ port }}
-
-{% endfor %}
+  server default {{ wireguard.clients.ingress.ip }}:8443 send-proxy
--- a/ansible/roles/pve_docker/files/synapse/docker-compose.yml
+++ b/ansible/roles/pve_docker/files/synapse/docker-compose.yml
@ -21,7 +21,6 @@ services:
      - traefik.enable=true
      - traefik.http.routers.synapse.rule=Host(`matrix.jakehoward.tech`)
      - traefik.http.routers.synapse.tls.certresolver=le
-      - traefik.http.routers.synapse.entrypoints=web-secure,matrix

  db:
    image: postgres:12-alpine
--- a/ansible/roles/traefik/files/file-provider-main.yml
+++ b/ansible/roles/traefik/files/file-provider-main.yml
@ -1,8 +1,5 @@
 http:
  middlewares:
-    tls-redirect:
-      redirectScheme:
-        scheme: https
    compress:
      compress: {}

--- a/ansible/roles/traefik/files/traefik.yml
+++ b/ansible/roles/traefik/files/traefik.yml
@ -15,23 +15,12 @@ entryPoints:
    address: :443
    http:
      middlewares:
-        - tls-redirect@file
        - floc-block@file
    proxyProtocol:
      trustedIPs:
        - "{{ wireguard.cidr }}"
        - "{{ pve_hosts.internal_cidr }}"
        - "{{ nebula.cidr }}"
-  matrix:
-    address: :8448
-    http:
-      middlewares:
-        - tls-redirect@file
-    proxyProtocol:
-      trustedIPs:
-        - "{{ wireguard.cidr }}"
-        - "{{ pve_hosts.internal_cidr }}"
-        - "{{ nebula.cidr }}"
  traefik:
    address: "{{ private_ip }}:8080"