matrix.org (communication)

yusf

On the topic of App Store inclusion: how relevant is the attack vector of running Matrix and Riot on the same (sub)domain nowadays? I know that the Matrix folks used to recommended against that setup and perhaps they still do.

Is that threat still as relevant with the Cloudron/Docker setup? After all, Cloudron apps are supposed to work out of the box.

msbt

@kasini during the little time I had to try things out I didn't really get anywhere. I was having a talk with @girish a while ago and they're planning to add matrix to the app store at some point. Maybe they can have another look at it since they actually know what they're doing

And yes, it requires a lot of RAM if you want to join bigger channels, but if you keep to yourself, you should be good to go with less.

@yusf good question, if noone else does it, I'll jump on the matrix network and ask if that's still a thing to worry about

yusf

In addition to looking up security concerns of bundling Riot with Matrix, putting it in the app store also calls for a solution to a reverse proxy solution often used in federated software.

What I mean is a way of forwarding certain ports from domain.tld to matrixserver.domain.tld so that user handles follows convention by ommitting the technical placement of the server itself. (Hosting the server on domain.tld sucks for obvious reasons )

This solution would also enable more federated software with similar needs to come aboard the Cloudron ecosystem.

october

Is this app officially provided by Cloudron yet? What's the status? I see the gitlab repo but I don't know what that means.

Btw I would also love to see some bridges included as options. Bridging FB Messenger, whatsapp, telegram etc is essential if one is to use it for personal communication purposes.

murgero

@october As of now you have to build and install using the Cloudron CLI:

1. install Cloudron CLI
2. Install docker (or use cloudron build service)
3. git clone repo
4. cd repo
5. docker build -t dockerhubusername/projectname . (Period is important at the end!)
6. docker push dockerhubusername/projectname
7. cloudron login
8. cloudron install --image dockerhubusername/projectname

That's the general way to install apps not in the cloudron app store. - If using the build service provided by cloudron, replace 5 & 6 with cloudron build

yusf

maubot would be a nice inclusion in the package as well. It's a bot framework, with a GUI.

Not necessary to have inside this package at all. Only Application Services are!

yusf

Hey @msbt, the Synapse package is falling behind on releases. (1.6.0 and 1.6.1)

msbt

my bad, I did update my local repos but forgot to push, here you go

I skipped the 1.6.0 commit since it was a bit weird, wasn't showing the latest version after updating, maybe that's why I didn't push

riot is also at the latest version here

yusf

I looked into the possibility of a new try to host Riot and Synapse on the same (sub)domain. Here’s the reply:

yusf:
Or is there, if it’s decided to host both on same (sub)domain, any method to reduce XSS attack probability?

Riot dude:
Basically the attack surface is such that any code which gets executed with access to that subdomain in a browser will have access to that user's matrix access token. So if you run things like synapse or other things on same subdomain and they end up serving malicious code then bad things can happen.

It's a very narrow surface, csp can make it even more narrow.

How then to use the CSP setting??

yusf

Another useful tool to possibly embed in this app package is matrix-corporal, though as an opt-in by default (enabled but void of policy) https://github.com/devture/matrix-corporal

msbt

just pushed an update for v1.8.0, apparently there were some changes in the config at some point, so when you're using log_file, you might need to remove that in order to be able to start the latest version.

In case it doesn't, jump on a terminal, check if it's actually running (ps -ax) and if not, manually launch with gosu www-data python3 -m synapse.app.homeserver --config-path homeserver.yaml from /app/data/synapse and check the errormessage.

yusf

@msbt said in matrix.org (communication):

when you're using log_file

What do you mean by this?

girish

@msbt Can you put in a LICENSE file into the repo (preferably MIT like the other app packages), so I can get this pushed to unstable?

murgero

@girish Having it in unstable would be awesome.

msbt

@yusf in earlier versions the homeserver.yaml contained a config item

# File to write logging to. Ignored if log_config is specified.
log_file: "/run/synapse/homeserver.log"

This got removed by moving it into the log_config itself which is set in log_config: "/app/data/synapse/..." - apparently the config for my main matrix server had that still in there because it's rather old and always migrated including this setting. Matrix wouldn't start after the latest update if you had this still enabled so I had to #comment it out be able to start afterwards.

@girish sure thing, I'll look into it later today

msbt

@girish there you go: riot and matrix, I hope this is alright

will

I'm pinging for this one as well! NextGen tech on Cloudron would be great!

why42

Hi there,
thanks for all your work to build an app for cloudron.
I am interested in Matrix/Synapse , too. I would like to as to put in the unstable apps section.

girish

@msbt Thanks for updating the license.

OK, this was stupid. I didn't see that you had a riot app, so I ended up making the front end of my own https://git.cloudron.io/cloudron/riot-web-app . It's pretty much the same as yours except I don't use nginx (I will probably put your nginx code into mine).

I have pushed Riot Web to unstable now.

I will push out your matrix in the next few days. Thanks!

will

@girish What are the setup instructions?