From 33fcf1a9e5732859f82e30e196428d0cdc0aa03d Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Sat, 12 Jun 2021 16:47:51 +0100
Subject: [PATCH] Fix matrix federation

Apparently this has been broken since like March... It seems communication over port 8448 is required for server-to-server comms, even if the client doesn't use it.
---
 .../roles/gateway/files/haproxy-fail2ban-jail.conf | 4 ++--
 ansible/roles/gateway/files/haproxy.cfg | 10 +++-------
 .../roles/pve_docker/files/synapse/docker-compose.yml | 1 -
 ansible/roles/traefik/files/file-provider-main.yml | 3 ---
 ansible/roles/traefik/files/traefik.yml | 11 -----------
 5 files changed, 5 insertions(+), 24 deletions(-)

diff --git a/ansible/roles/gateway/files/haproxy-fail2ban-jail.conf b/ansible/roles/gateway/files/haproxy-fail2ban-jail.conf
index 2fe3fcb..aece157 100644
--- a/ansible/roles/gateway/files/haproxy-fail2ban-jail.conf
+++ b/ansible/roles/gateway/files/haproxy-fail2ban-jail.conf
@@ -6,11 +6,11 @@ maxretry = 100 filter = haproxy-basic backend = systemd journalmatch = _COMM=haproxy -port = http,https,{{ haproxy.exposed_ports | join(",") }} +port = http,https,8448 ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }} [traefik] enabled = true filter = haproxy-basic # Not actually used -port = http,https,{{ haproxy.exposed_ports | join(",") }} +port = http,https,8448 ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }}
diff --git a/ansible/roles/gateway/files/haproxy.cfg b/ansible/roles/gateway/files/haproxy.cfg
index 128a6f7..3daae8f 100644
--- a/ansible/roles/gateway/files/haproxy.cfg
+++ b/ansible/roles/gateway/files/haproxy.cfg
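Review bot: Both `port = http,https,8448` lines now carry the federation port as a literal, and so does `bind *:8448` in the haproxy.cfg hunk, whereas the replaced `{{ haproxy.exposed_ports | join(",") }}` derived the ban-action port list from the same variable that generated the listeners; if the listener port is ever changed in one file and not the other, the fail2ban ban silently stops covering the port that is actually exposed. Consider templating the port in both files from one Ansible variable, and removing `haproxy.exposed_ports` from the role's vars if nothing else still reads it (its definition is not visible here). The second `port =` line belongs to the `[traefik]` jail, whose `filter` line is annotated `# Not actually used`; since the ban action only covers what `port` lists, it is worth confirming that jail still bans on the intended ports after this change.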
@@ -35,11 +35,7 @@ listen http
 timeout server 10m
 server default {{ wireguard.clients.ingress.ip }}:880 check
 
-{% for port in haproxy.exposed_ports %}
-
-listen expose_{{ port }}
- bind *:{{ port }}
+listen matrix
+ bind *:8448
 mode tcp
- server default {{ wireguard.clients.ingress.ip }}:{{ port }}
-
-{% endfor %}
+ server default {{ wireguard.clients.ingress.ip }}:8443 send-proxy
diff --git a/ansible/roles/pve_docker/files/synapse/docker-compose.yml b/ansible/roles/pve_docker/files/synapse/docker-compose.yml
index c6bc605..c362c66 100644
--- a/ansible/roles/pve_docker/files/synapse/docker-compose.yml
+++ b/ansible/roles/pve_docker/files/synapse/docker-compose.yml
@@ -21,7 +21,6 @@ services:
 - traefik.enable=true
 - traefik.http.routers.synapse.rule=Host(`matrix.jakehoward.tech`)
 - traefik.http.routers.synapse.tls.certresolver=le
- - traefik.http.routers.synapse.entrypoints=web-secure,matrix
 
 db:
 image: postgres:12-alpine
diff --git a/ansible/roles/traefik/files/file-provider-main.yml b/ansible/roles/traefik/files/file-provider-main.yml
index 929795b..013625a 100644
--- a/ansible/roles/traefik/files/file-provider-main.yml
+++ b/ansible/roles/traefik/files/file-provider-main.yml
@@ -1,8 +1,5 @@
 http:
 middlewares:
- tls-redirect:
- redirectScheme:
- scheme: https
 compress:
 compress: {}
 
diff --git a/ansible/roles/traefik/files/traefik.yml b/ansible/roles/traefik/files/traefik.yml
index b9c4d03..0dc0910 100644
--- a/ansible/roles/traefik/files/traefik.yml
+++ b/ansible/roles/traefik/files/traefik.yml
@@ -15,23 +15,12 @@ entryPoints: address: :443 http: middlewares: - - tls-redirect@file - floc-block@file proxyProtocol: trustedIPs: - "{{ wireguard.cidr }}" - "{{ pve_hosts.internal_cidr }}" - "{{ nebula.cidr }}" - matrix: - address: :8448 - http: - middlewares: - - tls-redirect@file - proxyProtocol: - trustedIPs: - - "{{ wireguard.cidr }}" - - "{{ pve_hosts.internal_cidr }}" - - "{{ nebula.cidr }}" traefik: address: "{{ private_ip }}:8080"
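Review bot: The new `server default {{ wireguard.clients.ingress.ip }}:8443 send-proxy` line has no `check`, unlike `server default {{ wireguard.clients.ingress.ip }}:880 check` in the `listen http` context just above, so the only backend of `listen matrix` is never health-checked and HAProxy keeps accepting 8448 connections it cannot complete when the ingress is down; because the server uses `send-proxy`, the health check needs the PROXY header too, i.e. `server default {{ wireguard.clients.ingress.ip }}:8443 send-proxy check check-send-proxy`. With `send-proxy` the client address Traefik sees is only trustworthy if the address this HAProxy connects from falls inside the `proxyProtocol.trustedIPs` kept on the :443 entrypoint in the traefik.yml hunk (`{{ wireguard.cidr }}` and the two internal CIDRs); that appears to hold for a WireGuard-sourced connection but should be confirmed, since a PROXY header from an untrusted source is not honoured. Separately, this commit deletes the `tls-redirect` middleware from the file provider while `listen http` still forwards cleartext to :880, so check that something outside this diff still redirects plain HTTP to HTTPS. The `listen http` section the context lines belong to starts before the hunk.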