draupnir can't reach the synapse admin API #3308

Open
HarHarLinks opened this issue May 6, 2024 · 3 comments · May be fixed by #3389
HarHarLinks commented May 6, 2024

Describe the bug

Per the docs, draupnir can poll abuse reports from the synapse admin API. This used to work back in matrix-nginx-proxy times 👴.

https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-bot-draupnir.md#abuse-reports

According to the docs, what is needed is to enable the admin API (e.g. by configuring directly, or indirectly by enabling synapse-admin), the draupnir user being an admin, and the draupnir config extension.

However it does not work: draupnir bot will spam the control room:

‼ | failed to poll events: Error: Error during MatrixClient request GET /_synapse/admin/v1/event_reports?dir=f&from=0: 404 Not Found -- "404 page not found\n"

So I dug around.

Finding the issue
With my config, which should be basically default in that regard...

draupnir config includes:

homeserverUrl: http://matrix-traefik:8008
rawHomeserverUrl: http://matrix-traefik:8008

which is just the main reverse proxy traefik container's name


draupnir service connects networks:

--network=matrix-addons
docker network connect traefik matrix-bot-draupnir

traefik service connects networks:

--network=traefik \

which connects it to draupnir such that it should be able to reach matrix-traefik, and

docker network connect matrix-container-socket-proxy matrix-traefik

which is just a firewall between traefik and the host docker socket


traefik.yml defines as only entryPoint on 8008:

  matrix-internal-matrix-client-api:
    address: :8008

synapse reverse proxy companion is the only router on that entrypoint I can find:

traefik.http.routers.matrix-synapse-reverse-proxy-companion-internal-client-api.entrypoints=matrix-internal-matrix-client-api
traefik.http.routers.matrix-synapse-reverse-proxy-companion-internal-client-api.rule=PathPrefix(`/_matrix`)

but it's on the wrong path

meanwhile, the _synapse/admin_ API is only on

traefik.http.routers.matrix-synapse-reverse-proxy-companion-public-client-synapse-admin-api.entrypoints=web-secure

buuuut you can really skip reading most of this if instead we read the draupnir docs at https://github.com/the-draupnir-project/Draupnir/blob/main/config/default.yaml

# Endpoint URL that Draupnir could use to fetch events related to reports (client-server API and /_synapse/),
# only set this to the public-internet homeserver client API URL, do NOT set this to the pantalaimon URL.
rawHomeserverUrl: "https://matrix.org"

which clearly has not been done if you scroll all the way up.

Proposed Solution
There are two options that I see:

  1. Make the admin API also accessible through internal routing, on the matrix-internal-matrix-client-api entrypoint. The rest should then fall into place. This seems to be the way the playbook prefers to do things, though strictly speaking it goes against draupnir's docs.
  2. Configure draupnir's rawHomeserverUrl to call the C2S and admin APIs through web-secure (public internet), as its docs say. This might have a slight performance impact and is not strictly necessary.

FSG-Cat commented May 6, 2024

Ok, so Draupnir docs are maybe a bit confusing, I will concede that. What we are actually asking for is a path to reach the admin API and not reach pantalaimon, the CS API proxy. So if solution 1 gives us an address to reach the Admin API, Draupnir will be happy, and if that causes a bug, well, I will have to go and bother Gnuxie to get that fixed, because that is a bug at that point.

@HarHarLinks

I added the following blocks to my synapse reverse proxy companion labels:

############################################################
#                                                          #
# Internal Synapse Admin API (/_synapse/client)            #
#                                                          #
############################################################

traefik.http.routers.matrix-synapse-reverse-proxy-companion-internal-client-synapse-client-api.rule=PathPrefix(`/_synapse/client`)


traefik.http.routers.matrix-synapse-reverse-proxy-companion-internal-client-synapse-client-api.service=matrix-synapse-reverse-proxy-companion-client-api
traefik.http.routers.matrix-synapse-reverse-proxy-companion-internal-client-synapse-client-api.entrypoints=matrix-internal-matrix-client-api

############################################################
#                                                          #
# /Internal Synapse Admin API (/_synapse/client)           #
#                                                          #
############################################################


############################################################
#                                                          #
# Internal Synapse Admin API (/_synapse/admin)             #
#                                                          #
############################################################

traefik.http.routers.matrix-synapse-reverse-proxy-companion-internal-client-synapse-admin-api.rule=PathPrefix(`/_synapse/admin`)


traefik.http.routers.matrix-synapse-reverse-proxy-companion-internal-client-synapse-admin-api.service=matrix-synapse-reverse-proxy-companion-client-api
traefik.http.routers.matrix-synapse-reverse-proxy-companion-internal-client-synapse-admin-api.entrypoints=matrix-internal-matrix-client-api

############################################################
#                                                          #
# /Internal Synapse Admin API (/_synapse/admin)            #
#                                                          #
############################################################

and so far that made it stop complaining.
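
The routing gap traced in this thread, as an added example (not code from the issue or the playbook): a Python check that reads Traefik router labels and reports which router on an entrypoint would serve a given path. The label lines are copied from the comments above; the function names are hypothetical, and only `PathPrefix` rules are modelled, as plain string prefixes, which is an assumption of this example.

```python
import re

# Constructed sample built from label lines quoted in the issue. BEFORE is the
# state in the first post; AFTER adds the /_synapse/admin labels from the comment.
P = "traefik.http.routers.matrix-synapse-reverse-proxy-companion-"
INTERNAL = "matrix-internal-matrix-client-api"
BEFORE = [
    P + "internal-client-api.entrypoints=" + INTERNAL,
    P + "internal-client-api.rule=PathPrefix(`/_matrix`)",
    # The issue shows no rule for this router, so it is left without one here.
    P + "public-client-synapse-admin-api.entrypoints=web-secure",
]
AFTER = BEFORE + [
    P + "internal-client-synapse-admin-api.rule=PathPrefix(`/_synapse/admin`)",
    P + "internal-client-synapse-admin-api.service=matrix-synapse-reverse-proxy-companion-client-api",
    P + "internal-client-synapse-admin-api.entrypoints=" + INTERNAL,
]

LABEL = re.compile(r"^traefik\.http\.routers\.([^.=]+)\.([a-z]+)=(.*)$", re.I)
PREFIX = re.compile(r"PathPrefix\(`([^`]+)`\)")

def parse_routers(labels):
    """Group router labels into {router_name: {option: value}}."""
    routers = {}
    for line in labels:
        m = LABEL.match(line.strip())
        if m:
            name, option, value = m.groups()
            routers.setdefault(name, {})[option.lower()] = value
    return routers

def routers_for(labels, entrypoint, path):
    """Names of routers on `entrypoint` whose PathPrefix rule covers `path`.

    Assumption: host matchers and boolean operators in rules are ignored;
    a router with no rule label never matches.
    """
    hits = []
    for name, opts in parse_routers(labels).items():
        entrypoints = [e.strip() for e in opts.get("entrypoints", "").split(",")]
        prefixes = PREFIX.findall(opts.get("rule", ""))
        if entrypoint in entrypoints and any(path.startswith(p) for p in prefixes):
            hits.append(name)
    return sorted(hits)

if __name__ == "__main__":
    path = "/_synapse/admin/v1/event_reports"  # request from the bot's error message
    for state, labels in (("before", BEFORE), ("after", AFTER)):
        print(state, routers_for(labels, INTERNAL, path) or "no router -> 404")
```

Running the same check against every entrypoint in a deployment also shows where `/_synapse/admin` is reachable at all, which is worth reviewing whenever a new router for it is added.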

@HarHarLinks

according to https://matrix.to/#/!IaWNErZAgQUhGqJXjX:matrix.org/$n0CH1nAI791tE1AU6ofznnw_Njw4yGzg9qitcFhvXiI?via=matrix.org&via=envs.net&via=ubuntu.com polling is broken anyway, so until fixed something else entirely should be done
