Solved matrix.org (communication)

msbt

This message is on app-level but valid nonetheless. In a week (10th of June) there should be the release of v1.0 and I'll do a rebuild of the container with python 3 and hopefully audio/video support. I'll keep you posted.

yusf

That is great, thank you!

msbt

fyi, v1.0.0 got released earlier and I'm working on it. Everything is looking good so far, the only things that aren't working at the moment are videocalls (audio is working) and the integration server, not sure why. Will keep you posted and eventually push the "final" version so people can test it.

yusf

That’s exciting. Your work is much appreciated, @msbt .

msbt

alright alright alright, v1.0.0 is (mostly) working, as far as I can see only the videochat feature is missing, I'll further investigate when I have the time. Other than that it seems to be looking good, changed to python3, registration including email & activation is working, url preview (which wasn't always before), introduced a new healthcheck page.

Grab it from here and let me know if you encounter any other issues. Not sure if upgrading from older versions work flawlessly, since quite a few config items got introduced and some are required. So if it doesn't work from scratch, install a fresh one on another domain and compare with your current one before upgrading.

Possible things that might need changing if you want the features (depending on the the version you first installed it) in homeserver.yaml:

enable_notifs: true
comment #template_dir
require_transport_security: false
comment #riot_base_url
add public_base_url: https://yourmatrixserver.com
change case url_preview_enabled: true
comment '172.18.0.0/12' in url_preview_ip_range_blacklist

The Riot app also got pushed to 1.2.2, available here as usual.

msbt

ok this is embarrassing, videochat was working all along, only my strict windows settings prohibited me from using it

yusf

Nice work! From a glance I can't see anything breaking when upgrading the Matrix package.

Is federation working for you though?

Log.

technotame

Thanks for working on this! I've tested it out and it works great so far, both Matrix and Riot.

One issue I see, and this may just be me not being very familiar with Matrix, is that when I go to search the room directory for Matrix.org, I get Riot failed to get the public room list. Internal server error. I don't know if I am supposed to be able to search and connect to Matrix.org rooms, but I thought I should be able to. Is this a bug or just me?

Thanks again!

msbt

Ah nice catch, I haven't tested federation because it used to work. This could be for a number of reasons, either new regular homeserver settings, nginx config or cors related issues. I'll try to narrow it down, thanks for reporting!

murgero

@msbt I can test if there is a need for that.

murgero

@msbt I noticed this app does not actually have Riot front end? Also is the identity server implemented?

Edit: for the federation errors, here is my relevant log line(s):

2019-06-21 19:25:33,552 - synapse.http.matrixfederationclient - 433 - INFO - POST-317 - {GET-O-4} [matrix.org] Got response headers: 401 Unauthorized
2019-06-21 19:25:33,553 - synapse.http.matrixfederationclient - 517 - WARNING - POST-317 - {GET-O-4} [matrix.org] Request failed: GET matrix://matrix.org/_matrix/federation/v1/publicRooms?include_all_networks=true&limit=20: HttpResponseException("401: b'Unauthorized'",)
2019-06-21 19:25:33,554 - synapse.http.server - 112 - ERROR - POST-317 - Failed handle request via 'PublicRoomListRestServlet': <XForwardedForRequest at 0x7f13e8464ba8 method='POST' uri='/_matrix/client/r0/publicRooms?server=matrix.org' clientproto='HTTP/1.0' site=8008>
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/synapse/http/server.py", line 81, in wrapped_request_handler
    yield h(self, request)
  File "/usr/local/lib/python3.6/dist-packages/twisted/internet/defer.py", line 1416, in _inlineCallbacks
    result = result.throwExceptionIntoGenerator(g)
  File "/usr/local/lib/python3.6/dist-packages/twisted/python/failure.py", line 512, in throwExceptionIntoGenerator
    return g.throw(self.type, self.value, self.tb)
  File "/usr/local/lib/python3.6/dist-packages/synapse/http/server.py", line 316, in _async_render
    callback_return = yield callback(request, **kwargs)
  File "/usr/local/lib/python3.6/dist-packages/twisted/internet/defer.py", line 1416, in _inlineCallbacks
    result = result.throwExceptionIntoGenerator(g)
  File "/usr/local/lib/python3.6/dist-packages/twisted/python/failure.py", line 512, in throwExceptionIntoGenerator
    return g.throw(self.type, self.value, self.tb)
  File "/usr/local/lib/python3.6/dist-packages/synapse/rest/client/v1/room.py", line 387, in on_POST
    third_party_instance_id=third_party_instance_id,
  File "/usr/local/lib/python3.6/dist-packages/twisted/internet/defer.py", line 1416, in _inlineCallbacks
    result = result.throwExceptionIntoGenerator(g)
  File "/usr/local/lib/python3.6/dist-packages/twisted/python/failure.py", line 512, in throwExceptionIntoGenerator
    return g.throw(self.type, self.value, self.tb)
  File "/usr/local/lib/python3.6/dist-packages/synapse/handlers/room_list.py", line 467, in get_remote_public_room_list
    third_party_instance_id=third_party_instance_id,
  File "/usr/local/lib/python3.6/dist-packages/twisted/internet/defer.py", line 1416, in _inlineCallbacks
    result = result.throwExceptionIntoGenerator(g)
  File "/usr/local/lib/python3.6/dist-packages/twisted/python/failure.py", line 512, in throwExceptionIntoGenerator
    return g.throw(self.type, self.value, self.tb)
  File "/usr/local/lib/python3.6/dist-packages/synapse/federation/transport/client.py", line 348, in get_public_rooms
    ignore_backoff=True,
  File "/usr/local/lib/python3.6/dist-packages/twisted/internet/defer.py", line 1416, in _inlineCallbacks
    result = result.throwExceptionIntoGenerator(g)
  File "/usr/local/lib/python3.6/dist-packages/twisted/python/failure.py", line 512, in throwExceptionIntoGenerator
    return g.throw(self.type, self.value, self.tb)
  File "/usr/local/lib/python3.6/dist-packages/synapse/http/matrixfederationclient.py", line 760, in get_json
    timeout=timeout,
  File "/usr/local/lib/python3.6/dist-packages/twisted/internet/defer.py", line 1416, in _inlineCallbacks
    result = result.throwExceptionIntoGenerator(g)
  File "/usr/local/lib/python3.6/dist-packages/twisted/python/failure.py", line 512, in throwExceptionIntoGenerator
    return g.throw(self.type, self.value, self.tb)
  File "/usr/local/lib/python3.6/dist-packages/synapse/http/matrixfederationclient.py", line 248, in _send_request_with_optional_trailing_slash
    request, **send_request_args
  File "/usr/local/lib/python3.6/dist-packages/twisted/internet/defer.py", line 1418, in _inlineCallbacks
    result = g.send(result)
  File "/usr/local/lib/python3.6/dist-packages/synapse/http/matrixfederationclient.py", line 472, in _send_request
    raise e
synapse.api.errors.HttpResponseException: 401: b'Unauthorized'

msbt

@murgero yes, the riot frontend is here: https://git.cloudron.io/msbt/riot-app - the devs suggested not to run both on the same machine, splitting the apps was the way to go. The identity server is also not implemented (yet), so the registration uses vector.im at the moment.

Thanks for your input, I'll review the changes and try to figure out the point where the federation stopped working.

yusf

Also check my log records in https://forum.cloudron.io/post/3817

murgero

Any news on federation?

Edit: I know the devs for Cloudron recommended that these apps be separated, however I believe they would be better together (maybe a 3rd app that includes both?) because:

• Users can get confused on the domains (logging into riot.example.com, but user is matrix.example.com)
• Having them in the same place can allow for better troubleshooting, and in some cases, is just more convenient.
• Easier to update both at the same time, then to have to rebuild the app twice.

msbt

This is no recommendation from cloudron, but from the riot-devs themselves: https://github.com/vector-im/riot-web#important-security-note

I didn't have time to look further into the federation issue, maybe I'll find some time this weekend, sorry for the delay.

murgero

@msbt Ah my bad on misinterpreting that. and No worries. This is awesome work and worth the wait!

yusf

Recently learned that federation is needed for integrations to work so it's important for any integrations as well.

msbt

Weirdly enough, integrations are working, but federation is not... Is it possible, that the requests are being denied by cloudron and not the app @nebulon @girish? I remember we had the embedding feature which got removed and will eventually be replaced with CSP. I've tried several things, but I don't really know how to fix it... I'll jump on the matrix network and ask there if they have a clue.

girish

@msbt Is there anything in the browser console? CSP/X-Frame related issue will be printed in browser console.

msbt

federation is working, thanks to the help of the synapse admins and community! Please grab the latest version from here and let me know if it also works for you. You might need to adjust the homeserver.yaml again, probably best if you install a fresh one and compare the config. There might be some finetuning required for preview and such, but since I'm on vacation, that's a topic for another day

murgero

@msbt That's weird, I installed a fresh Matrix server, still getting error 500 XHR requests when trying to federate to another room off-server. (though I can list rooms now???)

murgero

Alright so federation is working but some rooms don't (maybe they time out because a bridge is down??)

yusf

@msbt Many thanks! Can’t wait to try it.

technotame

I have the same issue as @murgero, I can now see federated rooms, but I get an error when trying to join them.

murgero

@technotame what's weirder for me is that a few rooms work.

msbt

I've tried several channels in both directions and it was looking good. Make sure to clear your caches and maybe give the servers more ressources regarding ram, bigger channels are very hungry.

murgero

@msbt yea, my container has 4GB ram. Cache was cleared and new app installed (to avoid configuration issues)

msbt

@murgero what's the errormessage in that case? For me it said that it can't preview the room, but joining is no problem afterwards.

murgero

@msbt some are "This room cannot be previewed, you must join to continue" where others are "This room is unavailable at this time"blah blah with similar output in the error logs as I mentioned above.

msbt

That's odd, I'm able to join any (existing) channel on the matrix network and some others as well, but those are only official networks. Maybe you guys could pm me on the chat I can try by myself. Either way, 1.1.0 got released and is already updated, maybe you could try with the new image again.

murgero

@msbt What is your Matrix id?

msbt

you can find me at @matthias:matrix.bits.at - let me know if that doesn't work

murgero

Hmmm it didn't work for me. I'll update with logs later when I'm home.

murgero

@msbt try me: @murgero:matrix.urgero.org

msbt

@technotame do you still have problems? If so, please use the federation tester to see if the target server maybe has some issues.

Also, pushed another update for riot to v1.2.4.

technotame

I believe it is mostly working. The link you provided gave all green checks. I think the main issue was the small amount of RAM Matrix and/or Riot was given by default. I bumped them both up to 2 gigs or so and that seemed to be the main fix.

yusf

@msbt Performed the upgrade. Everything seem to work as good as the old version. Need to manually edit Synapse and TURN config files to be able to report back on things like group video chat but 1on1 voice and video calls works regardless for me (at least between users on the same server)

Many thanks for your effort. You’re effectively enabling Matrix adoption for several communities.

msbt

thanks @yusf, glad to hear that! maybe you can share the info if something is not working out of the box for group video chat so I can adjust the code

yes @technotame, bigger channels require a lot of ram, like the #matrix:matrix.org one with several 1000s of users, <2GB probably won't do it, maybe if you're very patient, but the more the better

yusf

I’ll be sure to do that. Thanks again.

yusf

Hi @msbt! Sadly I haven't had the time to configure and test the TURN-server.

The server has been online and stable for months btw. I'm looking to expand it with app services, webhooks for instance. However, I'm unsure on how to proceed since the Cloudron app is only configured for specific ports only and so on, limiting installing app services in Cloudron user space. Would you be interested in adding a bunch of useful default but opt-in app services?

msbt

hey @yusf, happy to see other people using the package

I would be happy to add more features/packages, in this case it really needs to be added in the app itself and can't be run as a regular integration. I've been thinking about including other addons as well (this seems to be an extensive setup where we could pick things that are nice2have). Let me know what might be interesting for you and I see what I can do about it.

Although it might be a good idea if either @girish or @nebulon also take a look at those and maybe give some pointers, I don't want to spend time on something which they can either do way more quickly and/or don't want in an app at all

yusf

I've been looking at matrix-appservice-webhooks a bit and the way it works makes it a good candidate for inclusion.

It works like so:

1. a webhooks bot is created
2. you invite this bot to a room
3. you create a new webhook with the !webbook command
4. the bot sends you a pm with the credentials for this specific new webhook
5. profit

This means that this integrations grants an unlimited amount of webhooks, so it's not a one-time thing.

Would you be willing to look into it?

msbt

sure thing, but I probably need you to do the testing and everything, since I don't have a use-case ready to play around with give me a few days to free up some space and I'll look into it!

yusf

Thank you! While at it, check out mautrix-facebook as well, as this seems to work in a similar, multi-user fashion.

murgero

@msbt I can test too!

kasini

@msbt I can help test if needed. I use webhooks to filter by keyword and aggregate news articles, forum threads, etc.

The matrix server and riot app work great so far! Just needed a bump in memory limit when exploring the channel list from matrix.org

Recently moved from mattermost -> rocketchat and now excitedly waiting for matrix to go live in the Cloudron app store. Please let me know if there's anything I can do to help!

yusf

On the topic of App Store inclusion: how relevant is the attack vector of running Matrix and Riot on the same (sub)domain nowadays? I know that the Matrix folks used to recommended against that setup and perhaps they still do.

Is that threat still as relevant with the Cloudron/Docker setup? After all, Cloudron apps are supposed to work out of the box.

msbt

@kasini during the little time I had to try things out I didn't really get anywhere. I was having a talk with @girish a while ago and they're planning to add matrix to the app store at some point. Maybe they can have another look at it since they actually know what they're doing

And yes, it requires a lot of RAM if you want to join bigger channels, but if you keep to yourself, you should be good to go with less.

@yusf good question, if noone else does it, I'll jump on the matrix network and ask if that's still a thing to worry about

yusf

In addition to looking up security concerns of bundling Riot with Matrix, putting it in the app store also calls for a solution to a reverse proxy solution often used in federated software.

What I mean is a way of forwarding certain ports from domain.tld to matrixserver.domain.tld so that user handles follows convention by ommitting the technical placement of the server itself. (Hosting the server on domain.tld sucks for obvious reasons )

This solution would also enable more federated software with similar needs to come aboard the Cloudron ecosystem.

october

Is this app officially provided by Cloudron yet? What's the status? I see the gitlab repo but I don't know what that means.

Btw I would also love to see some bridges included as options. Bridging FB Messenger, whatsapp, telegram etc is essential if one is to use it for personal communication purposes.

murgero

@october As of now you have to build and install using the Cloudron CLI:

1. install Cloudron CLI
2. Install docker (or use cloudron build service)
3. git clone repo
4. cd repo
5. docker build -t dockerhubusername/projectname . (Period is important at the end!)
6. docker push dockerhubusername/projectname
7. cloudron login
8. cloudron install --image dockerhubusername/projectname

That's the general way to install apps not in the cloudron app store. - If using the build service provided by cloudron, replace 5 & 6 with cloudron build

yusf

maubot would be a nice inclusion in the package as well. It's a bot framework, with a GUI.

Not necessary to have inside this package at all. Only Application Services are!

yusf

Hey @msbt, the Synapse package is falling behind on releases. (1.6.0 and 1.6.1)

msbt

my bad, I did update my local repos but forgot to push, here you go

I skipped the 1.6.0 commit since it was a bit weird, wasn't showing the latest version after updating, maybe that's why I didn't push

riot is also at the latest version here

yusf

I looked into the possibility of a new try to host Riot and Synapse on the same (sub)domain. Here’s the reply:

yusf:
Or is there, if it’s decided to host both on same (sub)domain, any method to reduce XSS attack probability?

Riot dude:
Basically the attack surface is such that any code which gets executed with access to that subdomain in a browser will have access to that user's matrix access token. So if you run things like synapse or other things on same subdomain and they end up serving malicious code then bad things can happen.

It's a very narrow surface, csp can make it even more narrow.

How then to use the CSP setting??

yusf

Another useful tool to possibly embed in this app package is matrix-corporal, though as an opt-in by default (enabled but void of policy) https://github.com/devture/matrix-corporal

msbt

just pushed an update for v1.8.0, apparently there were some changes in the config at some point, so when you're using log_file, you might need to remove that in order to be able to start the latest version.

In case it doesn't, jump on a terminal, check if it's actually running (ps -ax) and if not, manually launch with gosu www-data python3 -m synapse.app.homeserver --config-path homeserver.yaml from /app/data/synapse and check the errormessage.

yusf

@msbt said in matrix.org (communication):

when you're using log_file

What do you mean by this?

girish

@msbt Can you put in a LICENSE file into the repo (preferably MIT like the other app packages), so I can get this pushed to unstable?

murgero

@girish Having it in unstable would be awesome.