Synapse federation

Not a bug!! Just me being a bit thick

I’m attempting to federate a Synapse server. The software has been installed from the DietPi list. I use Nginx Proxy Manager to point to a sub.domain.com and it all works fine. If I check for federation I get various refusals, from timeouts to connection refused.

I’ve spent a good long time looking for an answer and there isn’t one, but several, all slightly different, from amending the YAML to include an 8448 port through to .well-known type responses.

Any clue on what might be the preferred method for this installation? I’m going round in circles a bit and not really getting anywhere.

Ta

When you want to federate, make sure the server is reachable via port 8448. You only need to use .well-known if you want to use another port, like 443 or so.
So you need .well-known for any port other than 8448.

Here is the part of the synapse docs which explain it:
https://element-hq.github.io/synapse/latest/delegate.html
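As an added illustration of the delegation rules above (not code from the thread, Synapse or Nginx Proxy Manager), this Python script shows which host, port and Host header a remote homeserver ends up using for a given server_name. The .well-known body is passed in rather than fetched so it runs offline, and SRV records are assumed to be absent.

```python
import ipaddress
import json

DEFAULT_FED_PORT = 8448  # federation port assumed when nothing delegates elsewhere


def _split_host_port(name):
    """Split 'host', 'host:port', '[v6]' or '[v6]:port'; port is None when absent."""
    if name.startswith("["):                       # bracketed IPv6 literal
        host, _, rest = name[1:].partition("]")
        return host, (int(rest[1:]) if rest.startswith(":") else None)
    if name.count(":") > 1:                        # bare IPv6, no port possible
        return name, None
    host, sep, port = name.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return name, None


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def resolve_federation(server_name, well_known_body=None):
    """Return (connect_host, connect_port, host_header) for a Matrix server_name.

    well_known_body is the text served at https://<host>/.well-known/matrix/server,
    or None when that request failed or was not a 200.
    """
    host, port = _split_host_port(server_name)
    # IP literal or explicit port: delegation is never consulted.
    if _is_ip_literal(host) or port is not None:
        return host, port or DEFAULT_FED_PORT, server_name
    # .well-known delegation; a malformed or empty body counts as no delegation.
    if well_known_body is not None:
        try:
            delegated = json.loads(well_known_body)["m.server"]
            d_host, d_port = _split_host_port(delegated)
        except (ValueError, KeyError, TypeError, AttributeError):
            delegated = None
        if delegated:
            # Peers send a Host header naming the delegated server, not the original.
            return d_host, d_port or DEFAULT_FED_PORT, delegated
    # SRV lookup omitted (assumption): fall through to port 8448 on the hostname.
    return host, DEFAULT_FED_PORT, server_name
```

Feed it the body returned by `curl https://matrix.example.com/.well-known/matrix/server` (or None if that returns an error) to see where peers will connect; if the answer is port 8448 on the hostname, that port must be open and terminating TLS for federation to work.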

Sorry for being a bit thick. I’m using NPM and read through what I thought I should be doing. Assuming it’s handled there..

homeserver.yaml has:

server_name: "matrix.example.com"
pid_file: /mnt/dietpi_userdata/synapse/homeserver.pid

listeners:
  - port: 8008
    type: http
    tls: false
    x_forwarded: true
    resources:
      - names: [client, federation]
        compress: false

database:
  name: sqlite3
  args:
    database: /mnt/dietpi_userdata/synapse/homeserver.db

NPM Advanced has the following:

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    # For the federation port
    listen 8448 ssl default_server;
    listen [::]:8448 ssl default_server;

    server_name matrix.example.com;

    location ~ ^(/_matrix|/_synapse/client) {
        # note: do not add a path (even a single /) after the port in `proxy_pass`,
        # otherwise nginx will canonicalise the URI and cause signature verification
        # errors.
        proxy_pass http://localhost:8008;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host:$server_port;

        # Nginx by default only allows file uploads up to 1M in size
        # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
        client_max_body_size 50M;

        # Synapse responses may be chunked, which is an HTTP/1.1 feature.
        proxy_http_version 1.1;
    }
}

This just gives me a red ‘Offline’ notification, so that is not the right config. I’ve added additional listeners to homeserver.yaml but am now out of ideas.

I think I’m just not getting the point of the documentation. Straight into detail, when I need a bit more…see that homeserver.yaml…leave it alone…type stuff, I’m afraid.

You cannot do that in the same server block; Synapse expects federation to appear on a dedicated HTTPS port.
And this proxy_set_header Host $host:$server_port; breaks federation signature verification.

You need to split the NPM config in two parts, one for client connections on port 443 and one for the federation on port 8448:

# CLIENT – port 443
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name matrix.example.com;

    location /_matrix/client {
        proxy_pass http://localhost:8008;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        client_max_body_size 50M;
        proxy_http_version 1.1;
    }
}

# FEDERATION – port 8448
server {
    listen 8448 ssl;
    listen [::]:8448 ssl;
    server_name matrix.example.com;

    location /_matrix/federation {
        proxy_pass http://localhost:8008;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
    }
}

EDIT:

OK I see they also have it like you in their docs :thinking:
https://element-hq.github.io/synapse/latest/reverse_proxy.html#nginx

So now I think I also missed something.
Maybe our network specialist @trendy has an idea? :smiley:

Glad it’s not just me that’s got all confused. There is a lot of documentation that is all slightly different. The OEM stuff is what I’m looking at now, as everything else seems to fall out of that with personal tweaks.

Unfortunately not, this seems to be a config-specific issue and not a pure networking issue.

However could you run a tcpdump on the server to verify what is coming from the client when you ask for federation services?
