Reverse proxy causes "Invalid signature for server ..." resulting in inability to accept invites

[fadenb]

Description

I am unable to invite people on some servers into a chat.
In Riot I see no difference (but no one ever accepts the invite ;) )

Synapse always logs something similiar to this:

May 25 11:37:58 m00 synapse[1030]: signedjson.sign: [GET-123405] Error verifying signature
                                   Traceback (most recent call last):
                                     File "/nix/store/0b3bjqyx1lgks8ja23g1whw9mwjfc5sn-python2.7-signedjson-1.0.0/lib/python2.7/site-packages/signedjson/sign.py", line 121, in verify_signed_json
                                       verify_key.verify(message, signature)
                                     File "/nix/store/fv5ps1k1gcak9abndxm5skdqgqrzk3bp-python2.7-pynacl-1.2.1/lib/python2.7/site-packages/nacl/signing.py", line 114, in verify
                                       return nacl.bindings.crypto_sign_open(smessage, self._key)
                                     File "/nix/store/fv5ps1k1gcak9abndxm5skdqgqrzk3bp-python2.7-pynacl-1.2.1/lib/python2.7/site-packages/nacl/bindings/crypto_sign.py", line 109, in crypto_sign_open
                                       raise exc.BadSignatureError("Signature was forged or corrupt")
                                   BadSignatureError: Signature was forged or corrupt
May 25 11:37:58 m00 synapse[1030]: synapse.federation.transport.server: [GET-123405] authenticate_request failed
                                   Traceback (most recent call last):
                                     File "/nix/store/z8772byjm0gqh05rrs2084zsnjj40fic-matrix-synapse-0.28.1/lib/python2.7/site-packages/synapse/federation/transport/server.py", line 182, in new_func
                                       origin = yield authenticator.authenticate_request(request, content)
                                   SynapseError: 401: Invalid signature for server asra.gr with key ed25519:a_uGgJ

The remote side receives the invite but is unable to accept it ("unauthorized").

Federation tester did not show any issues at the time of the error for both involved servers:
https://matrix.org/federationtester/api/report?server_name=utzutzutz.net
https://matrix.org/federationtester/api/report?server_name=asra.gr

Several synapse operators seem to have the same issue. It does not seem to be related to OS or installation method.
See https://matrix.to/#/!HsxjoYRFsDtWBgDQPh:matrix.org/$1527262498154duwWE:fws.fr for some more examples.

Steps to reproduce

• have account on affected homeserver
• Invite user from different homeserver

Version information

• Homeserver: utzutzutz.net (+ others, see link above)

If not matrix.org:

• Version: 0.30.0
• Install method: NixOS module
• Platform: NixOS 18.03, VM, nginx reverse proxy in front of synapse

[dani]

Removing the proxy on the federation port clears the issue, so it seems related to this

[OlegGirko]

I have the same issue.
My configuration:

• Synapse and all relevant packages built for Fedora and installed from a repo on my OBS server.
• Reverse proxy through Apache HTTPD, version 2.4.33, installed from Fedora repo.
• Reverse proxy configuration:

ProxyPass /_matrix http://127.0.0.1:8008/_matrix timeout=600
ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix

• Synapse running on port 8008 behind reverse proxy, with no_tls: True.

Synapse receives request from matrix.org.
Request headers:

Content-Length: 1455
X-Forwarded-Host: infoserver.lv
X-Forwarded-For: 83.136.249.97
Connection: Keep-Alive
User-Agent: Synapse/0.30.0-rc1 (b=matrix-org-hotfixes,4ae6080)
Host: 127.0.0.1:8008
X-Forwarded-Server: infoserver.lv
Content-Type: application/json
Authorization: X-Matrix origin=matrix.org,key="ed25519:auto",sig="ZPycrvgFKt5B9nUwDyxom4LSKivdgLxLaZM+Eo5t6yFBDQdD8wT9B+T7QD01tvhTd0fqGz787LvtZEFe9GsQCQ"

Request content (as Python string):

'{"auth_events":[["$152735895692674zWMqz:matrix.org",{"sha256":"8UObuZNGmyJ08TQ6aDiim0lAP/Xvcz3QJ4+I9cBlOc8"}],["$152735895892675Stnog:matrix.org",{"sha256":"WYqp/CKCoVHURPOosQAYaKWiQf8FIcR63SNA9zRRxZw"}],["$152735895692673mNESD:matrix.org",{"sha256":"gM4O3VPYPXIIk/W589DUu/FVY0qarC1/qIWcUr21weo"}],["$152735895992676SrVyB:matrix.org",{"sha256":"v53QKB592/sT5+vfHODuxp2H8CYzVx6EVnGuSXb3NfQ"}]],"content":{"avatar_url":"mxc://infoserver.lv/XbHFzOXJypHstVGnsFlRcSTC","displayname":"Oleg Girko","is_direct":true,"membership":"invite"},"depth":7,"event_id":"$152735895992679nRnho:matrix.org","hashes":{"sha256":"OHJZxQKKUz/GS+GoOixWUJJajvB/MxyQGFQgoayYrjE"},"membership":"invite","origin":"matrix.org","origin_server_ts":1527358959995,"prev_events":[["$152735895992678Hezxs:matrix.org",{"sha256":"27kUzkmXpFGXQub7vTwvdcP1U9PTjNzBZSoWBeYJpHM"}]],"prev_state":[],"room_id":"!TgLZRSYjbikNgCOWLA:matrix.org","sender":"@iav:matrix.org","signatures":{"matrix.org":{"ed25519:auto":"RbIga6iJjGBfC3A8Za4C6AZJ03ZHhGzXpAbO3VvOIbGOsQV+uDgGCxVZbBx7Cam9rk50nybdzcCgHxNb6XhNCA"}},"state_key":"@ol:infoserver.lv","type":"m.room.member","unsigned":{"age":549,"invite_room_state":[{"content":{"join_rule":"invite"},"sender":"@iav:matrix.org","state_key":"","type":"m.room.join_rules"},{"content":{"avatar_url":"mxc://matrix.org/kVrxVLSbutexWwcDZSXzwgZK","displayname":"iav","membership":"join"},"sender":"@iav:matrix.org","state_key":"@iav:matrix.org","type":"m.room.member"}]}}'

The same JSON object pretty printed with indentation:

{
  "origin": "matrix.org", 
  "signatures": {
    "matrix.org": {
      "ed25519:auto": "RbIga6iJjGBfC3A8Za4C6AZJ03ZHhGzXpAbO3VvOIbGOsQV+uDgGCxVZbBx7Cam9rk50nybdzcCgHxNb6XhNCA"
    }
  }, 
  "origin_server_ts": 1527358959995, 
  "sender": "@iav:matrix.org", 
  "event_id": "$152735895992679nRnho:matrix.org", 
  "prev_events": [
    [
      "$152735895992678Hezxs:matrix.org", 
      {
        "sha256": "27kUzkmXpFGXQub7vTwvdcP1U9PTjNzBZSoWBeYJpHM"
      }
    ]
  ], 
  "membership": "invite", 
  "state_key": "@ol:infoserver.lv", 
  "unsigned": {
    "age": 549, 
    "invite_room_state": [
      {
        "content": {
          "join_rule": "invite"
        }, 
        "type": "m.room.join_rules", 
        "sender": "@iav:matrix.org", 
        "state_key": ""
      }, 
      {
        "content": {
          "membership": "join", 
          "avatar_url": "mxc://matrix.org/kVrxVLSbutexWwcDZSXzwgZK", 
          "displayname": "iav"
        }, 
        "type": "m.room.member", 
        "sender": "@iav:matrix.org", 
        "state_key": "@iav:matrix.org"
      }
    ]
  }, 
  "content": {
    "membership": "invite", 
    "avatar_url": "mxc://infoserver.lv/XbHFzOXJypHstVGnsFlRcSTC", 
    "displayname": "Oleg Girko", 
    "is_direct": true
  }, 
  "depth": 7, 
  "prev_state": [], 
  "room_id": "!TgLZRSYjbikNgCOWLA:matrix.org", 
  "auth_events": [
    [
      "$152735895692674zWMqz:matrix.org", 
      {
        "sha256": "8UObuZNGmyJ08TQ6aDiim0lAP/Xvcz3QJ4+I9cBlOc8"
      }
    ], 
    [
      "$152735895892675Stnog:matrix.org", 
      {
        "sha256": "WYqp/CKCoVHURPOosQAYaKWiQf8FIcR63SNA9zRRxZw"
      }
    ], 
    [
      "$152735895692673mNESD:matrix.org", 
      {
        "sha256": "gM4O3VPYPXIIk/W589DUu/FVY0qarC1/qIWcUr21weo"
      }
    ], 
    [
      "$152735895992676SrVyB:matrix.org", 
      {
        "sha256": "v53QKB592/sT5+vfHODuxp2H8CYzVx6EVnGuSXb3NfQ"
      }
    ]
  ], 
  "hashes": {
    "sha256": "OHJZxQKKUz/GS+GoOixWUJJajvB/MxyQGFQgoayYrjE"
  }, 
  "type": "m.room.member"
}

JSON object passed to signedjson.sign.verify_signed_json function:

{'origin': 'matrix.org', 'signatures': {'matrix.org': {'ed25519:auto': 'ZPycrvgFKt5B9nUwDyxom4LSKivdgLxLaZM+Eo5t6yFBDQdD8wT9B+T7QD01tvhTd0fqGz787LvtZEFe9GsQCQ'}}, 'destination': 'infoserver.lv', 'uri': '/_matrix/federation/v1/invite/!TgLZRSYjbikNgCOWLA:matrix.org/$152735895992679nRnho:matrix.org', 'content': {'origin': 'matrix.org', 'signatures': {'matrix.org': {'ed25519:auto': 'RbIga6iJjGBfC3A8Za4C6AZJ03ZHhGzXpAbO3VvOIbGOsQV+uDgGCxVZbBx7Cam9rk50nybdzcCgHxNb6XhNCA'}}, 'origin_server_ts': 1527358959995, 'sender': '@iav:matrix.org', 'event_id': '$152735895992679nRnho:matrix.org', 'prev_events': [['$152735895992678Hezxs:matrix.org', {'sha256': '27kUzkmXpFGXQub7vTwvdcP1U9PTjNzBZSoWBeYJpHM'}]], 'membership': 'invite', 'state_key': '@ol:infoserver.lv', 'unsigned': {'age': 549, 'invite_room_state': [{'content': {'join_rule': 'invite'}, 'type': 'm.room.join_rules', 'sender': '@iav:matrix.org', 'state_key': u''}, {'content': {'membership': 'join', 'avatar_url': 'mxc://matrix.org/kVrxVLSbutexWwcDZSXzwgZK', 'displayname': 'iav'}, 'type': 'm.room.member', 'sender': '@iav:matrix.org', 'state_key': '@iav:matrix.org'}]}, 'content': {'membership': 'invite', 'avatar_url': 'mxc://infoserver.lv/XbHFzOXJypHstVGnsFlRcSTC', 'displayname': 'Oleg Girko', 'is_direct': True}, 'depth': 7, 'prev_state': [], 'room_id': '!TgLZRSYjbikNgCOWLA:matrix.org', 'auth_events': [['$152735895692674zWMqz:matrix.org', {'sha256': '8UObuZNGmyJ08TQ6aDiim0lAP/Xvcz3QJ4+I9cBlOc8'}], ['$152735895892675Stnog:matrix.org', {'sha256': 'WYqp/CKCoVHURPOosQAYaKWiQf8FIcR63SNA9zRRxZw'}], ['$152735895692673mNESD:matrix.org', {'sha256': 'gM4O3VPYPXIIk/W589DUu/FVY0qarC1/qIWcUr21weo'}], ['$152735895992676SrVyB:matrix.org', {'sha256': 'v53QKB592/sT5+vfHODuxp2H8CYzVx6EVnGuSXb3NfQ'}]], 'hashes': {'sha256': 'OHJZxQKKUz/GS+GoOixWUJJajvB/MxyQGFQgoayYrjE'}, 'type': 'm.room.member'}, 'method': 'PUT'}

The same JSON object pretty printed:

{
  "origin": "matrix.org", 
  "signatures": {
    "matrix.org": {
      "ed25519:auto": "ZPycrvgFKt5B9nUwDyxom4LSKivdgLxLaZM+Eo5t6yFBDQdD8wT9B+T7QD01tvhTd0fqGz787LvtZEFe9GsQCQ"
    }
  }, 
  "destination": "infoserver.lv", 
  "uri": "/_matrix/federation/v1/invite/!TgLZRSYjbikNgCOWLA:matrix.org/$152735895992679nRnho:matrix.org", 
  "content": {
    "origin": "matrix.org", 
    "depth": 7, 
    "signatures": {
      "matrix.org": {
        "ed25519:auto": "RbIga6iJjGBfC3A8Za4C6AZJ03ZHhGzXpAbO3VvOIbGOsQV+uDgGCxVZbBx7Cam9rk50nybdzcCgHxNb6XhNCA"
      }
    }, 
    "origin_server_ts": 1527358959995, 
    "sender": "@iav:matrix.org", 
    "event_id": "$152735895992679nRnho:matrix.org", 
    "prev_events": [
      [
        "$152735895992678Hezxs:matrix.org", 
        {
          "sha256": "27kUzkmXpFGXQub7vTwvdcP1U9PTjNzBZSoWBeYJpHM"
        }
      ]
    ], 
    "unsigned": {
      "age": 549, 
      "invite_room_state": [
        {
          "content": {
            "join_rule": "invite"
          }, 
          "type": "m.room.join_rules", 
          "sender": "@iav:matrix.org", 
          "state_key": ""
        }, 
        {
          "content": {
            "membership": "join", 
            "avatar_url": "mxc://matrix.org/kVrxVLSbutexWwcDZSXzwgZK", 
            "displayname": "iav"
          }, 
          "type": "m.room.member", 
          "sender": "@iav:matrix.org", 
          "state_key": "@iav:matrix.org"
        }
      ]
    }, 
    "state_key": "@ol:infoserver.lv", 
    "content": {
      "membership": "invite", 
      "avatar_url": "mxc://infoserver.lv/XbHFzOXJypHstVGnsFlRcSTC", 
      "displayname": "Oleg Girko", 
      "is_direct": true
    }, 
    "membership": "invite", 
    "prev_state": [], 
    "room_id": "!TgLZRSYjbikNgCOWLA:matrix.org", 
    "auth_events": [
      [
        "$152735895692674zWMqz:matrix.org", 
        {
          "sha256": "8UObuZNGmyJ08TQ6aDiim0lAP/Xvcz3QJ4+I9cBlOc8"
        }
      ], 
      [
        "$152735895892675Stnog:matrix.org", 
        {
          "sha256": "WYqp/CKCoVHURPOosQAYaKWiQf8FIcR63SNA9zRRxZw"
        }
      ], 
      [
        "$152735895692673mNESD:matrix.org", 
        {
          "sha256": "gM4O3VPYPXIIk/W589DUu/FVY0qarC1/qIWcUr21weo"
        }
      ], 
      [
        "$152735895992676SrVyB:matrix.org", 
        {
          "sha256": "v53QKB592/sT5+vfHODuxp2H8CYzVx6EVnGuSXb3NfQ"
        }
      ]
    ], 
    "hashes": {
      "sha256": "OHJZxQKKUz/GS+GoOixWUJJajvB/MxyQGFQgoayYrjE"
    }, 
    "type": "m.room.member"
  }, 
  "method": "PUT"
}

Arguments passed as a result to nacl.bindings.crypto_sign.crypto_sign_open() function:

• signed (concatenation of 64-octet signature and signed data), represented as Python string:

'd\xfc\x9c\xae\xf8\x05*\xdeA\xf6u0\x0f,h\x9b\x82\xd2*+\xdd\x80\xbcKi\x93>\x12\x8em\xeb!A\r\x07C\xf3\x04\xfd\x07\xe4\xfb@=5\xb6\xf8SwG\xea\x1b>\xfc\xec\xbb\xeddA^\xf4k\x10\t{"content":{"auth_events":[["$152735895692674zWMqz:matrix.org",{"sha256":"8UObuZNGmyJ08TQ6aDiim0lAP/Xvcz3QJ4+I9cBlOc8"}],["$152735895892675Stnog:matrix.org",{"sha256":"WYqp/CKCoVHURPOosQAYaKWiQf8FIcR63SNA9zRRxZw"}],["$152735895692673mNESD:matrix.org",{"sha256":"gM4O3VPYPXIIk/W589DUu/FVY0qarC1/qIWcUr21weo"}],["$152735895992676SrVyB:matrix.org",{"sha256":"v53QKB592/sT5+vfHODuxp2H8CYzVx6EVnGuSXb3NfQ"}]],"content":{"avatar_url":"mxc://infoserver.lv/XbHFzOXJypHstVGnsFlRcSTC","displayname":"Oleg Girko","is_direct":true,"membership":"invite"},"depth":7,"event_id":"$152735895992679nRnho:matrix.org","hashes":{"sha256":"OHJZxQKKUz/GS+GoOixWUJJajvB/MxyQGFQgoayYrjE"},"membership":"invite","origin":"matrix.org","origin_server_ts":1527358959995,"prev_events":[["$152735895992678Hezxs:matrix.org",{"sha256":"27kUzkmXpFGXQub7vTwvdcP1U9PTjNzBZSoWBeYJpHM"}]],"prev_state":[],"room_id":"!TgLZRSYjbikNgCOWLA:matrix.org","sender":"@iav:matrix.org","signatures":{"matrix.org":{"ed25519:auto":"RbIga6iJjGBfC3A8Za4C6AZJ03ZHhGzXpAbO3VvOIbGOsQV+uDgGCxVZbBx7Cam9rk50nybdzcCgHxNb6XhNCA"}},"state_key":"@ol:infoserver.lv","type":"m.room.member","unsigned":{"age":549,"invite_room_state":[{"content":{"join_rule":"invite"},"sender":"@iav:matrix.org","state_key":"","type":"m.room.join_rules"},{"content":{"avatar_url":"mxc://matrix.org/kVrxVLSbutexWwcDZSXzwgZK","displayname":"iav","membership":"join"},"sender":"@iav:matrix.org","state_key":"@iav:matrix.org","type":"m.room.member"}]}},"destination":"infoserver.lv","method":"PUT","origin":"matrix.org","uri":"/_matrix/federation/v1/invite/!TgLZRSYjbikNgCOWLA:matrix.org/$152735895992679nRnho:matrix.org"}`

pk (public key), represented as Python string:

'6\x88\xbaZ\xa7\x03\x8fD&?\x10\x8dB\xa8\x1e\xcf\x04\xe5\x04\xaa\xdf\xa9\xe8X\xd6\xed\x85\xc9c\xfd\xb9\x8c'

Result: BadSignatureError exception raised.

[OlegGirko]

Another interesting finding.
I've added additional logging to my Apache HTTPD and found that Authorization: header that Apache receives is exactly the same as Synapse receives.
This rules out possibility of mod_proxy or mod_cache messing with Authorization: header.

[OlegGirko]

Another update.
I've installed Synapse 0.26.0 from Fedora repo (not from my OBS that has 0.30.0).
Invitations from 0.26.0 work perfectly.

[OlegGirko]

After I've upgraded another server to 0.30.0 (from my OBS), invitations stopped working.

[ara4n]

There's also another report of signature check failures at https://riot.im/develop/#/room/#matrix-dev:matrix.org/$15273484311ZxXNG:theta.eu.org

[OlegGirko]

By adding debug print statements to another server, I've found what causes discrepancy between sent and received data. The difference is in URL. Another server (federation client) sends the following URL:

/_matrix/federation/v1/invite/%21TgLZRSYjbikNgCOWLA%3Amatrix.org/%24152735895992679nRnho%3Amatrix.org

But the server itself receives the following URL:

/_matrix/federation/v1/invite/!TgLZRSYjbikNgCOWLA:matrix.org/$152735895992679nRnho:matrix.org

Note that URL being sent has !, $ and : is urlquoted, whereas received URL has them not urlquoted.
Federation client signs JSON with urlquoted URL, but federation server somehow receives non-urlquoted URL and tries to verify JSON with it. If URL contains characters that were escaped originally, verification predictably fails.

Quoting URL for sending (and signing JSON with it) was introduced in dab87b8 of #3082 and this change was included in v0.27.3.

It's interesting to note that Apache HTTPD logs show quoted URL. So, it's still possible that it's mod_proxy that unquotes URLs.

Investigating further...

[OlegGirko]

Great success!

Yes, it was mod_proxy who was canonicalising URL before passing it to the backend server.
But there is a solution: nocanon option for ProxyPass directive.
Now my reverse proxy configuration looks like this:

ProxyPass /_matrix http://127.0.0.1:8008/_matrix timeout=600 nocanon
ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix

(please ignore timeout option, it's irrelevant for this discussion, I've added it when my server was overloaded).

Problem solved!

A note should be added to "Using a reverse proxy with Synapse" section of Synapse README that revese proxy should be configured without URL canonicalisation.

[remjey]

Thanks a lot @OlegGirko

I am using nginx and I had the same problem. Here is my previous configuration:

location /_matrix/ {
  proxy_pass http://localhost:8008/_matrix/
  [...]
}

I changed the proxy_pass line to proxy_pass http://localhost:8008 (I removed the whole path).

The nginx proxy_pass documentation states that without a path after the server in the proxy_pass line, the URL is not normalized if it is an original request.

[fadenb]

@remjey your mentioned fix is working fine for me. 👍

I believe this to be a bug, my understanding of the RFCs is that at least the : may or may not be encoded (not a reserved character for the path part of the URL). So one should expect it in both forms?

[richvdh]

Sigh. The right solution is probably to closely specify how URL should be encoded, and ensure that is done at both ends before signing/verifying.

For now, we should probably just add a warning to the list of things to be careful of when reverse-proxying federation: https://github.com/matrix-org/synapse/blob/master/README.rst#reverse-proxying-the-federation-port.

[slipeer]

May be inserting something like:

    json_object['uri'] = '/'.join(
        tuple(
            urllib.quote(urllib.unquote(arg), safe='') for arg in json_object.get('uri').split('/')
        )
    )

before line https://github.com/matrix-org/synapse/blob/develop/synapse/crypto/keyring.py#L784 completely solve the problem?