spantaleev
draupnir can't reach the synapse admin API
Describe the bug
Per the docs, draupnir can poll abuse reports from the synapse admin API. This used to work back in matrix-nginx-proxy times :older_man:.
https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-bot-draupnir.md#abuse-reports
According to the docs, what is needed, is to enable the admin API (e.g. by configuring directly, or indirectly be enabling synapse-admin), the darupnir user being an admin, and the draupnir config extension.
However it does not work: draupnir bot will spam the control room:
‼ | failed to poll events: Error: Error during MatrixClient request GET /_synapse/admin/v1/event_reports?dir=f&from=0: 404 Not Found -- "404 page not found\n"
So I dug around.
Finding the issue With my config, which should be basically default in that regard...
draupnir config includes:
homeserverUrl: http://matrix-traefik:8008
rawHomeserverUrl: http://matrix-traefik:8008
which is just the main reverse proxy traefik container's name
draupnir service connects networks:
--network=matrix-addons
docker network connect traefik matrix-bot-draupnir
traefik service connects networks:
--network=traefik \
which connects it to draupnir such that it should be able to reach matrix-traefik, and
docker network connect matrix-container-socket-proxy matrix-traefik
which is just a firewall between traefik and the host docker socket
traefik.yml defines as only entryPoint on 8008:
matrix-internal-matrix-client-api:
address: :8008
synapse reverse proxy companion is the only router on that entrypoint i can find:
traefik.http.routers.matrix-synapse-reverse-proxy-companion-internal-client-api.entrypoints=matrix-internal-matrix-client-api
traefik.http.routers.matrix-synapse-reverse-proxy-companion-internal-client-api.rule=PathPrefix(`/_matrix`)
but it's on the wrong path
meanwhile, the _synapse/admin_ API is only on
traefik.http.routers.matrix-synapse-reverse-proxy-companion-public-client-synapse-admin-api.entrypoints=web-secure
buuuut you can really skip reading most of this if instead we read the draupnir docs at https://github.com/the-draupnir-project/Draupnir/blob/main/config/default.yaml
# Endpoint URL that Draupnir could use to fetch events related to reports (client-server API and /_synapse/),
# only set this to the public-internet homeserver client API URL, do NOT set this to the pantalaimon URL.
rawHomeserverUrl: "https://matrix.org"
which clearly has not been done if you scroll all the way up.
Proposed Solution There are two options that I see:
- Make the admin API also accessibly through internal routing, on the
matrix-internal-matrix-client-apientrypoint. The rest should then fall into place. This seems to be the way the playbook prefers to do things, though strictly speaking it goes against draupnir's docs. - Configure draupnir's
rawHomeserverUrlto call the C2S and admin APIs through web-secure (public internet), as its docs say. This might have a slight performance impact and is not strictly necessary.
Ok so Draupnir docs are maby a bit confusing i will concede that. What we are actually asking for a path to reach the admin API and not reach pantalaimon the CS API proxy. So if solution 1 gives us an address to reach the Admin API Draupnir will be happy and if that causes a bug well i will have to go and bother Gnuxie to get that fixed because that is a bug at that point.
I added the following blocks to my synapse reverse proxy companion labels:
############################################################
# #
# Internal Synapse Admin API (/_synapse/client) #
# #
############################################################
traefik.http.routers.matrix-synapse-reverse-proxy-companion-internal-client-synapse-client-api.rule=PathPrefix(`/_synapse/client`)
traefik.http.routers.matrix-synapse-reverse-proxy-companion-internal-client-synapse-client-api.service=matrix-synapse-reverse-proxy-companion-client-api
traefik.http.routers.matrix-synapse-reverse-proxy-companion-internal-client-synapse-client-api.entrypoints=matrix-internal-matrix-client-api
############################################################
# #
# /Internal Synapse Admin API (/_synapse/client) #
# #
############################################################
############################################################
# #
# Internal Synapse Admin API (/_synapse/admin) #
# #
############################################################
traefik.http.routers.matrix-synapse-reverse-proxy-companion-internal-client-synapse-admin-api.rule=PathPrefix(`/_synapse/admin`)
traefik.http.routers.matrix-synapse-reverse-proxy-companion-internal-client-synapse-admin-api.service=matrix-synapse-reverse-proxy-companion-client-api
traefik.http.routers.matrix-synapse-reverse-proxy-companion-internal-client-synapse-admin-api.entrypoints=matrix-internal-matrix-client-api
############################################################
# #
# /Internal Synapse Admin API (/_synapse/admin) #
# #
############################################################
and so far that made it stop complaining.
according to https://matrix.to/#/!IaWNErZAgQUhGqJXjX:matrix.org/$n0CH1nAI791tE1AU6ofznnw_Njw4yGzg9qitcFhvXiI?via=matrix.org&via=envs.net&via=ubuntu.com polling is broken anyway, so until fixed something else entirely should be done