Outgoing federation to servers using SRV record redirect does not seem to work over SOCKS5 proxy #246
Labels
No labels
Android
CS::needs customer feedback
CS::needs follow up
CS::needs on prem installation
CS::waiting
Chrome
Design:: Ready
Design:: in progress
Design::UX
E2EE
Edge
Firefox
GDPR
Iteration 13 IM
Linux
MacOS
Need::Discussion
Need::Steps to reproduce
Need::Upstream fix
Needs:: Planning
Needs::Dev-Team
Needs::More information
Needs::Priority
Needs::Product
Needs::Refinement
Needs::Severity
Priority::1-Critical
Priority::2-Max
Priority::3-Impending
Priority::4-High
Priority::5-Medium
Priority::6-Low
Priority::7-None
Progress::Backlog
Progress::Review
Progress::Started
Progress::Testing
Progress::Triage
Progress::Waiting
Reporter::Sentry
Safari
Target::Community
Target::Customer
Target::Internal
Target::PoC
Target::Security
Team:Customer-Success
Team:Design
Team:Infrastructure
Team:Instant-Messaging
Team:Product
Team:Workflows
Type::Bug
Type::Design
Type::Documentation
Type::Feature
Type::Improvement
Type::Support
Type::Tests
Windows
blocked
blocked-by-spec
cla-signed
conduit
contribution::advanced
contribution::easy
contribution::help needed
from::review
iOS
p::ti-tenant
performance
product::triage
proposal
refactor
release-blocker
s: dart_openapi_codegen
s::Famedly-Patient
s::Org-Directory
s::Passport-Generator
s::Requeuest
s:CRM
s:Famedly-App
s:Famedly-Web
s:Fhiroxide
s:Fhiroxide-cli
s:Fhiroxide-client
s:Fhirs
s:Hedwig
s:LISA
s:Matrix-Dart-SDK
s:Role-Manager
s:Synapse
s:User-Directory
s:WFS-Matrix
s:Workflow Engine
s:dtls
s:famedly-error
s:fcm-shared-isolate
s:matrix-api-lite
s:multiple-tab-detector
s:native-imaging
severity::1
severity::2
severity::3
severity::4
technical-debt
voip
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference: Matthias/conduit#246
Loading…
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Description
Conduit, when configured to proxy traffic over SOCKS5, seems to fail when talking to a remote server that redirects to a different subdomain via a SRV record.
I was trying to communicate to a remote homeserver with a setup like the following:
https://example.com/.well-known/matrix/server
returns{"m.server": "example.com"}
SRV
for_matrix._tcp.example.com
is10 0 8448 matrix.example.com
example.com
does not respond on 8448 (Connection Refused), butmatrix.example.com
does respond on 8448As far as I understand, this is an acceptable setup per spec.
I have a proxy configured as in the following example:
The proxy is Dante running on a different machine. The relevant DNS records are resolvable via
dig
on this machine. Conduit has been successfully talking to a number of remote servers over this proxy for a couple of days.When trying to accept an invite from someone on the
example.com
server, Element would fail and report Connection Refused to ahttps://example.com:8448/…
URL. Conduit also logged "error trying to connect: socks connect error: Connection refused" when trying to fetch ahttps://example.com:8448/_matrix/media/r0/…
URL, which I assume is the user's icon, since the icon did not show up in Element. This happened using both asocks5h
and asocks5
proxy URL.Removing the proxy configuration line from config made it possible to both accept the invite, and also made Conduit succeed at fetching the remote user's icon (it showed up in Element).
System Configuration
Conduit Version: 0.3.0
Database backend (default is sqlite): rocksdb
.well-known/matrix/server
takes precedence over the DNS SRV record (https://spec.matrix.org/v1.2/server-server-api/#resolving-server-names), so the described setup of the remote homeserver (well-known pointing toexample.com
, butexample.com
not listening on 8448) seems incorrect to me.The third bullet point of section 3 in that section says:
By that reading, if you receive
{"m.server": "example.com"}
, thendelegated_hostname
becomesexample.com
, you have no<delegated_port>
, and you should do a SRV lookup. This is actually what Conduit does as of now, but I suspect the overrides it adds are not applied when using a proxy.changed the description
I just tried setting up a homeserver instance with the delegation setup as closely similar as what you described, but I cannot reproduce the issue. For reference, my instance is at
tst.cyberdi.sk
. The differences are that I use port 443 instead of 8448, and my delegated_hostname has the port open, but returns 401 for everything. (I am not in a position to get another server with a different IP address just for this.)Note, though, that this seems to be an invalid configuration at least according to https://federationtester.matrix.org/api/report?server_name=tst.cyberdi.sk, which wants to talk to the
delegated_hostname
(tst.cyberdi.sk
). My other synapse server also refuses to federate with this server unless I make the homeserver available also on thetst.cyberdi.sk
hostname.Maybe I'm doing something wrong, feel free to check my setup and suggest improvements.
maunium.net is available for testing the full .well-known + SRV resolution spec and will return fancy error responses if you do anything wrong.
Note that per the spec, "Requests should be made to the resolved IP address and port with
a
Host
header containing the<delegated_hostname>
", so that's why the tester is going to send aHost
header oftst.cyberdi.sk
instead ofmatrix.tst.cyberdi.sk
(and also expect a cert that's valid fortst.cyberdi.sk
), and for maunium.net it accepts a cert forfederation.mau.chat
.Thanks, apparently I need to learn better how nginx routes traffic based on the TLS hostname and the Host header.
Anyway, it seems that this bug is reproducible directly on maunium.net - trying to fetch media via conduit with proxy disabled works (
M_NOT_FOUND
of course), but with proxy enabled, the response is:Thanks @tulir 😄, now to find out what is going wrong...
Best I can tell, with proxy enabled, reqwest does not go through the resolve function of
federation_client
(https://gitlab.com/famedly/conduit/-/blob/next/src/database/globals.rs#L140), so it ends up trying to connect to the wrong hostname.With proxy enabled, it is equivalent to simple
curl https://delegated_hostname/...
while with proxy disabled, it does something like
curl --connect-to delegated_hostname:443:actual_destination:443 https://delegated_hostname/...
(yes, that is a horrible way to send custom SNI with curl, but I don't think a better one exists)
Conduit uses reqwest's ClientBuilder::proxy to configure the proxy and a custom DNS resolver to make SRV redirects work. Does the proxy have to use a custom resolver too?
Maybe this is relevant: https://github.com/matrix-org/matrix-spec/issues/561
Yes, the outgoing proxy would have to use the same custom resolver, because right now, the proxied requests can end up in wrong destination for anything besides the simplest delegation setups.
mentioned in issue #395