diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index af77d73a3..3b88d902f 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -5855,20 +5855,6 @@ traefik_gid: "{{ matrix_user_gid }}"
 # This override (for the `web` entrypoint) also cascades to overriding the `web-secure` entrypoint and the `matrix-federation` entrypoint.
 traefik_config_entrypoint_web_transport_respondingTimeouts_readTimeout: 300s
-# Traefik v3.6.3+ blocks encoded characters in request paths by default for security.
-# Matrix API endpoints require encoded slashes (e.g., in room keys URLs) and encoded hashes (e.g., in room directory URLs).
-# Ref:
-# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4798
-# - https://doc.traefik.io/traefik/migrate/v3/#v364
-traefik_config_entrypoint_web_secure_http_encodedCharacters_enabled: true
-traefik_config_entrypoint_web_secure_http_encodedCharacters_allowEncodedSlash: true
-traefik_config_entrypoint_web_secure_http_encodedCharacters_allowEncodedHash: true
-# Doing the same for the `web` entrypoint, for people who disable SSL for the playbook
-# and actually go through this entrypoint.
-traefik_config_entrypoint_web_http_encodedCharacters_enabled: "{{ not matrix_playbook_ssl_enabled }}"
-traefik_config_entrypoint_web_http_encodedCharacters_allowEncodedSlash: "{{ not matrix_playbook_ssl_enabled }}"
-traefik_config_entrypoint_web_http_encodedCharacters_allowEncodedHash: "{{ not matrix_playbook_ssl_enabled }}"
-
 traefik_additional_entrypoints_auto: |
 {{
 ([matrix_playbook_public_matrix_federation_api_traefik_entrypoint_definition] if matrix_playbook_public_matrix_federation_api_traefik_entrypoint_enabled else [])
diff --git a/requirements.yml b/requirements.yml
index 2b54552fb..00d579e08 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -67,7 +67,7 @@
 version: v1.1.0-1
 name: timesync
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik.git
- version: v3.6.6-0
+ version: v3.6.7-1
 name: traefik
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git
 version: v2.10.0-4
diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml
index 647fa55cb..0fefb7300 100644
--- a/roles/custom/matrix-base/defaults/main.yml
+++ b/roles/custom/matrix-base/defaults/main.yml
@@ -321,13 +321,6 @@ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_port: "{{ matrix
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port: "{{ matrix_federation_public_port }}"
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port_udp: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_advertisedPort if matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled else '' }}"
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config: "{{ (matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_default | combine(matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_auto)) | combine(matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom, recursive=True) }}"
-# Traefik v3.6.3+ blocks encoded characters in request paths by default for security.
-# Matrix API endpoints require encoded slashes and hashes in endpoints containing room IDs, room aliases, etc.
-# Ref:
-# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4798
-# - https://doc.traefik.io/traefik/migrate/v3/#v364
-matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash: true # noqa: var-naming[pattern]
-matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash: true # noqa: var-naming[pattern]
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled: true
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_advertisedPort: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_port }}" # noqa var-naming
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_transport_respondingTimeouts_readTimeout: "{{ traefik_config_entrypoint_web_secure_transport_respondingTimeouts_readTimeout }}" # noqa var-naming
@@ -337,19 +330,6 @@ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_default:
 {{
 {}
- | combine(
- (
- {
- 'http': {
- 'encodedCharacters': {
- 'allowEncodedSlash': matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash,
- 'allowEncodedHash': matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash,
- }
- }
- }
- )
- )
-
 | combine(
 (
 (
@@ -412,30 +392,7 @@ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name: matrix-inter
 matrix_playbook_internal_matrix_client_api_traefik_entrypoint_port: 8008
 matrix_playbook_internal_matrix_client_api_traefik_entrypoint_host_bind_port: ''
 matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config: "{{ (matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_default | combine(matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_auto)) | combine(matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_custom, recursive=True) }}"
-# Traefik v3.6.3+ blocks encoded characters in request paths by default for security.
-# Matrix API endpoints require encoded slashes and hashes in endpoints containing room IDs, room aliases, etc.
-# Ref:
-# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4798
-# - https://doc.traefik.io/traefik/migrate/v3/#v364
-matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash: true # noqa: var-naming[pattern]
-matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash: true # noqa: var-naming[pattern]
-matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_default: |
- {{
- {}
-
- | combine(
- (
- {
- 'http': {
- 'encodedCharacters': {
- 'allowEncodedSlash': matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash,
- 'allowEncodedHash': matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash,
- }
- }
- }
- )
- )
- }}
+matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_default: {}
 matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_auto: {}
 matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_custom: {}
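Review bot: The new `matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_default: {}` drops the `allowEncodedSlash`/`allowEncodedHash` allowance for the internal client API entrypoint, and nothing left in this file tells a reader where Matrix's need for percent-encoded slashes and hashes in room-ID paths is now satisfied. Presumably the traefik role bumped to v3.6.7-1 in requirements.yml (or Traefik itself) now permits them without this override, but that is an inference the hunk does not state, and the deleted comment block was the only place the Traefik 3.6.3+ blocking behaviour and issue #4798 were documented. I would keep a short comment above the new line, e.g. `# Encoded-character handling (allowEncodedSlash/allowEncodedHash) is no longer configured here; it relies on the traefik role's defaults.` followed by `# Re-add it via matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_custom if your Traefik build still blocks encoded paths.`. The `_config_custom` hook is still present in the context lines below, so that escape hatch remains available to users.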
diff --git a/roles/custom/matrix-base/tasks/validate_config.yml b/roles/custom/matrix-base/tasks/validate_config.yml
index 360c995b5..4f8f1db70 100644
--- a/roles/custom/matrix-base/tasks/validate_config.yml
+++ b/roles/custom/matrix-base/tasks/validate_config.yml
@@ -36,6 +36,11 @@
 - {'old': 'matrix_container_global_registry_prefix', 'new': ''}
 - {'old': 'matrix_user_username', 'new': 'matrix_user_name'}
 - {'old': 'matrix_user_groupname', 'new': 'matrix_group_name'}
+ - {'old': 'matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash', 'new': ''}
+ - {'old': 'matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash', 'new': ''}
+ - {'old': 'matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash', 'new': ''}
+ - {'old': 'matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash', 'new': ''}
+
 # We have a dedicated check for this variable, because we'd like to have a custom (friendlier) message.
 - name: Fail if matrix_homeserver_generic_secret_key is undefined
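Review bot: The four added entries map the removed `..._http_encodedCharacters_allowEncodedSlash`/`allowEncodedHash` variables to `'new': ''`, so a user who set them as the workaround for Traefik's encoded-character block (issue #4798, cited in the comments this commit deletes in matrix-base defaults) is told only that the variable is gone, not where the setting lives now. The task that consumes this list starts outside the hunk, so I cannot tell whether a per-entry hint is supported; at minimum a comment above the four lines would help, e.g. `# encodedCharacters allowances are no longer playbook-managed; merge them into the entrypoint's *_traefik_entrypoint_config_custom variable if still needed.`. If the failure message cannot carry that hint, pointing users to `matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom` / `matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_custom` in the accompanying changelog entry would give them a migration path rather than a bare hard failure.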