Add domain specific matching for haproxy config

bb4242 · bb4242 · commit 149c3db6cd12 · 2021-10-20T09:31:39.000-05:00
I ran into trouble getting federation working properly with the haproxy config specified here. After some debugging, I discovered that many federation HTTP requests, including the ones sent by the [federation tester](https://federationtester.matrix.org/), include the port number in the HTTP Host header field. For example, instead of `Host: matrix.example.com`, these federation requests look like `Host: matrix.example.com:443`. At least on haproxy 2.3, the extra port information causes the `acl matrix-host hdr(host) -i matrix.example.com` match to fail, since this is looking for an exact string match by default according to the [haproxy docs](http://cbonte.github.io/haproxy-dconv/2.3/configuration.html#7.1). This failure, in turn, causes haproxy to return error codes and causes federation to fail. Using `hdr_dom(host)`, which ignores the port information, fixes the issue in my setup. Signed-off-by: Brett Bethke <10068296+bb4242@users.noreply.github.com>
diff --git a/changelog.d/11128.doc b/changelog.d/11128.doc
@@ -0,0 +1 @@
+Improve example HAProxy config in the docs to properly handle host headers with port information. This is required for federation to work correctly.
diff --git a/docs/reverse_proxy.md b/docs/reverse_proxy.md
@@ -188,7 +188,7 @@ frontend https
   http-request set-header X-Forwarded-For %[src]
 
   # Matrix client traffic
-  acl matrix-host hdr(host) -i matrix.example.com
+  acl matrix-host hdr_dom(host) -i matrix.example.com
   acl matrix-path path_beg /_matrix
   acl matrix-path path_beg /_synapse/client
 

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Improve example HAProxy config in the docs to properly handle host headers with port information. This is required for federation to work correctly.`