Infinite Redirect Loop For SSO Login When Behind A Reverse Proxy


Description

When SSO is enabled, the public_baseurl is set to an https scheme endpoint, and the site is running behind a reverse proxy that terminates SSL and forwards all traffic as http, the SSO login redirect will loop infinitely because the request is for an http endpoint but the public_baseurl is pointed at an https endpoint. The root of the issue is the simple startswith bytes check inside the SSO redirect that is meant to make sure that cookies are set on the right domain (#9436).

The public_baseurl documentation mentions that it should be set to the same scheme as what is behind the reverse proxy; however, that results in clients like Element Web being unable to resolve resources behind the reverse proxy, as they aren’t always obeying 301 and 302 redirects for resources, and exposing the http endpoint externally is undesirable.

Workaround

The current workaround used on my homeserver (matrix.nulloctet.com) is to point the reverse proxy at the https backend for Synapse and leave the public_baseurl as https://matrix.nulloctet.com/. This results in no loop because the web request is on the same scheme as the public_baseurl. However, I am not a fan of terminating a TLS connection only to reverse proxy another TLS connection behind the scenes. I also do not want to run Synapse completely public, as that would be a regression in functionality and would be a special snowflake among the other services I run.

Proposed Solution

The check of the request against the public_baseurl should completely ignore the scheme, as only the DNS name is required to match for cookies to be correctly set.

Steps to reproduce

  • Set public_baseurl to use the https scheme
  • Set up a reverse proxy that forwards all https traffic to the http endpoint of Synapse
  • Enable an SSO provider
  • Attempt to log in with that provider

Version information

  • Homeserver: matrix.nulloctet.com
  • Versions tested: 1.38.1, 1.37.1, 1.35.0
  • Install method: Docker-Compose
  • Platform: Ubuntu Linux 20.04 HWE with Docker CE

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 14 (14 by maintainers)

Top GitHub Comments

1 reaction
richvdh commented, Aug 6, 2021

great, glad you got it sorted.

I think it’s a shame that https://matrix-org.github.io/synapse/latest/reverse_proxy.html#homeserver-configuration is easy to overlook. It might be better to move that section above the “Reverse-proxy configuration examples”. If you’d like to make a PR to do so, that would be great!

1 reaction
warricksothr commented, Aug 6, 2021

Not a silly question at all. I don’t know how I missed this configuration parameter for the http port. With x_forwarded: true set, redirecting is working correctly. Thank you @richvdh and @clokep for your help!

This Synapse configuration file is a few years old; I’ll need to go through it again to make sure I haven’t missed other settings as I’ve upgraded and enabled additional functionality.
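To make the mechanics concrete, the following is an added illustration (not Synapse's own code) of the "request URL starts with public_baseurl" check from the description and why the `x_forwarded` listener setting from the comments breaks the loop: with it enabled, the proxy's `X-Forwarded-Proto` header supplies the scheme the client actually used, so the https request forwarded as plain http no longer looks mismatched. The host, path and header values are constructed samples, and the host-only comparison models the reporter's proposed fix.

```python
# Added illustration of the check described in the issue; not Synapse's code.
from typing import Mapping, Optional
from urllib.parse import urlsplit

PUBLIC_BASEURL = "https://matrix.nulloctet.com/"  # value from the issue

# Constructed headers as a TLS-terminating proxy would forward them.
PROXIED_HEADERS = {"Host": "matrix.nulloctet.com", "X-Forwarded-Proto": "https"}


def effective_scheme(hop_scheme: str, headers: Mapping[str, str], x_forwarded: bool) -> str:
    """Scheme the server believes the client used.

    The proxy terminates TLS and forwards plain http, so hop_scheme is "http".
    With x_forwarded enabled, the proxy's X-Forwarded-Proto (first value when
    proxies are chained) wins. Only trust it on a listener that is reachable
    solely from that proxy; from the open internet the header is attacker-set.
    """
    if x_forwarded:
        proto = headers.get("X-Forwarded-Proto", "")
        if proto:
            return proto.split(",")[0].strip().lower()
    return hop_scheme


def needs_redirect(hop_scheme: str, host: str, path: str, headers: Mapping[str, str],
                   x_forwarded: bool, public_baseurl: str = PUBLIC_BASEURL) -> bool:
    """Model of the startswith check: redirect to public_baseurl unless the
    reconstructed request URL already starts with it (cookie-origin safety)."""
    url = f"{effective_scheme(hop_scheme, headers, x_forwarded)}://{host}{path}"
    return not url.startswith(public_baseurl)


def simulate_sso_login(headers: Mapping[str, str], x_forwarded: bool,
                       host: str = "matrix.nulloctet.com", path: str = "/login",
                       max_hops: int = 5) -> Optional[int]:
    """Follow the redirect chain. Returns the hop at which the SSO page is
    served, or None after max_hops redirects (the loop from the issue)."""
    for hop in range(max_hops):
        if not needs_redirect("http", host, path, headers, x_forwarded):
            return hop
        # The client follows the https redirect, the proxy terminates TLS
        # again and forwards plain http: Synapse sees the identical request.
    return None


def host_only_match(host: str, public_baseurl: str = PUBLIC_BASEURL) -> bool:
    """Reporter's proposal: compare only the DNS name, ignoring the scheme."""
    return host.lower() == (urlsplit(public_baseurl).hostname or "")
```

Running `simulate_sso_login(PROXIED_HEADERS, x_forwarded=False)` returns None (the loop), while the same call with `x_forwarded=True` returns 0.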

