Describe the bug

ntfy does not receive notifications

Mar 18 23:30:14 matrix matrix-synapse[2213]: 2023-03-18 22:30:14,267 - synapse.push.httppusher - 432 - WARNING - httppush.process-17 - Failed to push event $bLGuzRj3t4p6Z6h16aTmfw9YA5gEhZZ0fZOebFToL04 to @user:domain/im.vector.app.android/https://ntfy.domain/upv5aFQWe5uAHe?up=1: <class 'twisted.internet.error.DNSLookupError'> DNS lookup failed: no results for hostname lookup: ntfy.domain.

To Reproduce

My vars.yml file looks like this:

...
# Push Gateway
ntfy_enabled: true
ntfy_container_http_host_bind_port: '0.0.0.0:2586'
ntfy_web_root: app
...

Expected behavior

I would expect the synapse process to find the ntfy container.

Matrix Server:

  • OS: Debian Bullseye
  • Architecture: amd64

Additional context

Diagnosis so far:

  1. DNS is configured correctly; the host can resolve ntfy.domain and push using curl.

  2. journald spits out the error message about DNS, so I went into the synapse container and tried pushing via curl - it works.

  3. Problem with twisted? Alright - I got https://docs.twistedmatrix.com/en/twisted-16.1.1/_downloads/testdns.py into the container (curl > file) - works.


Digging through the code I found "ip_range_blacklist" in the homeserver templates which denies communication with an internal DNS server or anything on a private IP according to the docs:

# Prevent outgoing requests from being sent to the following blacklisted IP address
# CIDR ranges. If this option is not specified then it defaults to private IP
# address ranges (see the example below).
#
# The blacklist applies to the outbound requests for federation, identity servers,
# push servers, and for checking key validity for third-party invite events.
#
# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
# listed here, since they correspond to unroutable addresses.)
#
# This option replaces federation_ip_range_blacklist in Synapse v1.25.0.
#
# Note: The value is ignored when an HTTP proxy is in use
#
#ip_range_blacklist:
#  - '127.0.0.0/8'
#  - '10.0.0.0/8'
#  - '172.16.0.0/12'
#  - '192.168.0.0/16'
#  - '100.64.0.0/10'
#  - '192.0.0.0/24'
#  - '169.254.0.0/16'
#  - '192.88.99.0/24'
#  - '198.18.0.0/15'
#  - '192.0.2.0/24'
#  - '198.51.100.0/24'
#  - '203.0.113.0/24'
#  - '224.0.0.0/4'
#  - '::1/128'
#  - 'fe80::/10'
#  - 'fc00::/7'
#  - '2001:db8::/32'
#  - 'ff00::/8'
#  - 'fec0::/10'

# List of IP address CIDR ranges that should be allowed for federation,
# identity servers, push servers, and for checking key validity for
# third-party invite events. This is useful for specifying exceptions to
# wide-ranging blacklisted target IP ranges - e.g. for communication with
# a push server only visible in your network.
#
# This whitelist overrides ip_range_blacklist and defaults to an empty
# list.
#
#ip_range_whitelist:
#   - '192.168.1.1'

As my DNS and NTFY services were sitting in those networks and DNS resolving goes into that direction....

The solution for my specific case was adding my push gateway to the whitelist:

matrix_synapse_configuration_extension_yaml: |
  ip_range_whitelist:
    - 'ip.of.ntfy.server'

Wouldn't it make sense to add this whitelist globally to deal with issues like push gateways in general?

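The behaviour described in the thread (a push gateway on a LAN address, the default ip_range_blacklist, and a DNS failure that is really a policy decision) can be checked before touching the homeserver config. The following is an added example, not Synapse's own code and not part of the original issue: it models the semantics the commented config above describes (private ranges blocked by default, ip_range_whitelist overriding the blacklist, 0.0.0.0 and :: always blocked) and the resolver behaviour of reporting "no results" when a resolved address is blocked. The hostname, the constructed resolved addresses, and the handling of IPv4-mapped IPv6 addresses are assumptions of this example, not facts from the page.

```python
"""Model of Synapse's outbound IP blacklist/whitelist check (added example).

Not Synapse's code: it reproduces the rules stated in the commented
homeserver config (default private ranges, whitelist wins over blacklist,
0.0.0.0 and :: always blocked) so an operator can predict whether a push
gateway address will be reachable, and why the failure shows up as a DNS
error rather than a policy error.
"""
import ipaddress
from typing import Iterable, List, Sequence

# Default ip_range_blacklist, copied from the commented config in the issue.
DEFAULT_BLACKLIST: Sequence[str] = (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "192.0.0.0/24", "169.254.0.0/16", "192.88.99.0/24",
    "198.18.0.0/15", "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "::1/128", "fe80::/10", "fc00::/7", "2001:db8::/32",
    "ff00::/8", "fec0::/10",
)

# Unroutable addresses the config text says are blocked no matter what.
ALWAYS_BLOCKED: Sequence[str] = ("0.0.0.0/32", "::/128")


def _in_any(addr: ipaddress._BaseAddress, ranges: Iterable[str]) -> bool:
    """True if addr falls inside any of the CIDR ranges (same IP version only)."""
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def is_ip_blocked(ip: str,
                  blacklist: Iterable[str] = DEFAULT_BLACKLIST,
                  whitelist: Iterable[str] = ()) -> bool:
    """True if an outbound connection to this address would be refused."""
    addr = ipaddress.ip_address(ip)
    candidates = [addr]
    # Assumption of this example: an IPv4-mapped IPv6 address such as
    # ::ffff:10.0.0.5 is also judged by its IPv4 form, so the mapping cannot
    # be used to slip past the IPv4 ranges.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        candidates.append(addr.ipv4_mapped)
    # Always-blocked addresses cannot be rescued by the whitelist.
    if any(_in_any(c, ALWAYS_BLOCKED) for c in candidates):
        return True
    # The whitelist overrides the blacklist.
    if any(_in_any(c, whitelist) for c in candidates):
        return False
    return any(_in_any(c, blacklist) for c in candidates)


def filter_resolution(addresses: Sequence[str],
                      blacklist: Iterable[str] = DEFAULT_BLACKLIST,
                      whitelist: Iterable[str] = ()) -> List[str]:
    """Model of the blacklist-aware resolver.

    If any resolved address is blocked, the whole lookup is reported as
    having no results, which is why the failure surfaces as
    "DNS lookup failed: no results for hostname lookup" in the Synapse log.
    """
    if any(is_ip_blocked(a, blacklist, whitelist) for a in addresses):
        return []
    return list(addresses)


def diagnose(hostname: str, addresses: Sequence[str],
             whitelist: Iterable[str] = ()) -> str:
    """Explain, for a hostname and its (pre-resolved) addresses, what would happen."""
    usable = filter_resolution(addresses, whitelist=whitelist)
    if usable:
        return f"{hostname}: reachable via {', '.join(usable)}"
    blocked = [a for a in addresses if is_ip_blocked(a, whitelist=whitelist)]
    return (f"{hostname}: lookup would be reported as 'no results'; "
            f"blocked address(es): {', '.join(blocked)}")


if __name__ == "__main__":
    # Constructed sample: ntfy.domain resolves to a LAN address (hypothetical).
    print(diagnose("ntfy.domain", ["192.168.1.20"]))
    # Same host after whitelisting only that address, as in the reporter's fix.
    print(diagnose("ntfy.domain", ["192.168.1.20"], whitelist=["192.168.1.20"]))
```

Whitelisting the single push gateway address (or the narrowest range that contains it), as the reporter did, is preferable to clearing ip_range_blacklist: the blacklist is what keeps a homeserver from being pointed at internal services through federation, identity-server or push URLs, and a one-host exception keeps that protection for everything else.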