
Configure wikimedia.org to enable *:wikimedia.org Matrix user IDs
Closed, ResolvedPublic

Description

To use Matrix IDs from a given domain, that domain needs to be authorized. There are two alternative ways to do this:

  • adding a /.well-known/matrix/server URL served on https://wikimedia.org.
  • adding a DNS SRV record in the DNS zone of wikimedia.org.

The SRV alternative turned out to be incorrect for this setup: only the .well-known method works with Modular, and the SRV record is not needed; see T223835#5230126.

We'll need one of them for T215042: Set up a hosted Matrix.org / Riot instance on modular.im.
Live test: federation tester

.well-known URL

Make the https://wikimedia.org/.well-known/matrix/server URL return

{
    "m.server": "wikimedia.modular.im:443"
}

DNS SRV record

Add an SRV record to the wikimedia.org domain with the content

_matrix._tcp.wikimedia.org 3600 IN SRV 10 5 443 wikimedia.modular.im

Event Timeline

Tgr created this task. May 19 2019, 4:11 PM
Restricted Application added a subscriber: Aklapper. May 19 2019, 4:11 PM
Tgr updated the task description. May 21 2019, 10:15 PM
Tgr updated the task description.
Restricted Application added projects: Operations, Traffic. May 21 2019, 10:16 PM

Dzahn added a subscriber: Dzahn. May 21 2019, 10:31 PM

Does the Foundation have an NDA with modular.im?

The comments on T215042#4977385 sounded like this wasn't going to be done, for the temporary evaluation that it is. ?

Tgr added a comment. May 21 2019, 11:44 PM

Does the Foundation have an NDA with modular.im?

NDA for what? This doesn't involve any non-public information.
In general, there's a ToS clause about confidentiality/privacy.

The comments on T215042#4977385 sounded like this wasn't going to be done, for the temporary evaluation that it is. ?

That refers to hosting Matrix (ie. the Synapse server's REST API and the page the Riot web app is served from) under wikimedia.org, which is unrelated to using wikimedia.org as a namespace within the Matrix protocol. (Or only related to the extent that this task is only necessary because the hosting domain and the Matrix ID namespace differ so Synapse wants us to prove ownership).

Volans triaged this task as Normal priority. May 22 2019, 9:27 AM

Change 511842 had a related patch set uploaded (by Volans; owner: Volans):
[operations/dns@master] Matrix wikimedia.org IDs domain authorization

https://gerrit.wikimedia.org/r/511842

jbond added a subscriber: jbond. May 22 2019, 12:48 PM

@Tgr while reviewing the change created by volans I noticed that currently wikimedia.modular.im. does not exist. We should ensure this exists and belongs to the Wikimedia Foundation before adding the authorization. Further, having followed the links, it looks like the hosted service from modular.im would actually be a riot.im box and would have the name wikimedia.riot.im

"""You'll get a customized instance of Riot.im and your own dedicated Matrix homeserver: all you need to get chatting!"""
https://www.modular.im/services/matrix-hosting#get-started

Tgr added a comment. May 22 2019, 9:45 PM

Yeah, it shouldn't be merged before the server is up (which is in a few days if all goes well). The Matrix server (Synapse) will be at wikimedia.modular.im, the client (Riot) will be at wikimedia.riot.im, but the latter is not relevant here. (The setup is not unlike how the main public Matrix server is at matrix.org but the web client is at riot.im).

ack, thanks for the clarification

Volans added a subscriber: Volans. Jun 3 2019, 11:07 AM

Both records are actually up now:

$ dig +trace wikimedia.modular.im
[...SNIP...]
wikimedia.modular.im.	300	IN	A	52.56.197.133
;; Received 65 bytes from 173.245.58.183#53(laura.ns.cloudflare.com) in 9 ms

$ dig +trace wikimedia.riot.im
[...SNIP...]
wikimedia.riot.im.	300	IN	A	52.56.197.133
;; Received 62 bytes from 173.245.59.154#53(derek.ns.cloudflare.com) in 11 ms

Change 511842 merged by Volans:
[operations/dns@master] Matrix wikimedia.org IDs domain authorization

https://gerrit.wikimedia.org/r/511842

Volans closed this task as Resolved. Jun 3 2019, 11:22 AM
Volans claimed this task.
Volans removed a project: Patch-For-Review.

Change is live:

L| 0 ~$ dig @ns0.wikimedia.org SRV _matrix._tcp.wikimedia.org

; <<>> DiG 9.10.6 <<>> @ns0.wikimedia.org SRV _matrix._tcp.wikimedia.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62524
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1024
;; QUESTION SECTION:
;_matrix._tcp.wikimedia.org.	IN	SRV

;; ANSWER SECTION:
_matrix._tcp.wikimedia.org. 3600 IN	SRV	0 1 443 wikimedia.modular.im.

;; Query time: 107 msec
;; SERVER: 208.80.154.238#53(208.80.154.238)
;; WHEN: Mon Jun 03 13:21:23 CEST 2019
;; MSG SIZE  rcvd: 95

L| 0 ~$ dig @ns1.wikimedia.org SRV _matrix._tcp.wikimedia.org

; <<>> DiG 9.10.6 <<>> @ns1.wikimedia.org SRV _matrix._tcp.wikimedia.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23941
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1024
;; QUESTION SECTION:
;_matrix._tcp.wikimedia.org.	IN	SRV

;; ANSWER SECTION:
_matrix._tcp.wikimedia.org. 3600 IN	SRV	0 1 443 wikimedia.modular.im.

;; Query time: 139 msec
;; SERVER: 208.80.153.231#53(208.80.153.231)
;; WHEN: Mon Jun 03 13:21:26 CEST 2019
;; MSG SIZE  rcvd: 95

L| 0 ~$ dig @ns2.wikimedia.org SRV _matrix._tcp.wikimedia.org

; <<>> DiG 9.10.6 <<>> @ns2.wikimedia.org SRV _matrix._tcp.wikimedia.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22752
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1024
;; QUESTION SECTION:
;_matrix._tcp.wikimedia.org.	IN	SRV

;; ANSWER SECTION:
_matrix._tcp.wikimedia.org. 3600 IN	SRV	0 1 443 wikimedia.modular.im.

;; Query time: 34 msec
;; SERVER: 91.198.174.239#53(91.198.174.239)
;; WHEN: Mon Jun 03 13:21:28 CEST 2019
;; MSG SIZE  rcvd: 95

Tgr reopened this task as Open. Jun 3 2019, 1:23 PM

It seems the documentation is outdated and only the .well-known method works with Modular, and there need to be two URLs: https://wikimedia.org/.well-known/matrix/server with

{
    "m.server": "wikimedia.modular.im:443"
}

and https://wikimedia.org/.well-known/matrix/client with

{
    "m.homeserver": {
        "base_url": "https://wikimedia.modular.im"
    },
    "m.identity_server": {
        "base_url": "https://vector.im"
    }
}

and the SRV record is not needed. Sorry for the confusion.

ema moved this task from Triage to DNS Names on the Traffic board. Jun 3 2019, 3:11 PM
Volans removed Volans as the assignee of this task. Jun 4 2019, 10:12 AM
Volans added a subscriber: fsero.

I'm leaving it back to the current clinic duty (@fsero) at this point given that it needs to be re-worked, it's not just a follow-up.

fsero added a comment. Jun 4 2019, 6:48 PM

Hi @Tgr :)

I'm following this up. According to https://github.com/matrix-org/synapse/blob/master/docs/federate.md DNS SRV should work, and hence the DNS change merged by @Volans is useful. Is this a Modular limitation instead of Matrix? If I understand this correctly this is a paid service that we are trying out; could we contact them to fix that maybe?

If this is just for a test I guess we could scap sync-file the .well-known files, and it should work but when new mw servers are coming up or reimaged this would be lost and hence I'm inclined to avoid it.

Let me know what you think
Thanks

Tgr added a comment. Jun 6 2019, 2:37 PM

@fsero this was feedback from modular.im support (and the modular.im config panel indeed checks for the .well-known files, I didn't find the right place initially) - they said Matrix is moving away from the SRV method. (Also the spec says .well-known is tried first and SRV only in case of failure, so it's probably slightly better for performance as well.)

Tgr updated the task description. Jun 6 2019, 2:38 PM
Tgr updated the task description. Jun 9 2019, 2:40 PM

Change 516055 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[operations/mediawiki-config@master] Add .well-known/matrix for wikimedia.org

https://gerrit.wikimedia.org/r/516055

Change 516056 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[operations/dns@master] Revert "Matrix wikimedia.org IDs domain authorization"

https://gerrit.wikimedia.org/r/516056

Joe added a subscriber: Joe. Jun 20 2019, 2:21 PM

@Tgr just to be sure, you just want the url https://wikimedia.org/.well_known to be served from a static file?

Tgr added a comment. Jun 20 2019, 2:41 PM

@Tgr just to be sure, you just want the url https://wikimedia.org/.well_known to be served from a static file?

A static directory, and it's well-known with a dash, but basically yes.

Change 516056 merged by Alexandros Kosiaris:
[operations/dns@master] Revert "Matrix wikimedia.org IDs domain authorization"

https://gerrit.wikimedia.org/r/516056

Change 516055 merged by jenkins-bot:
[operations/mediawiki-config@master] Add .well-known/matrix for wikimedia.org

https://gerrit.wikimedia.org/r/516055

Mentioned in SAL (#wikimedia-operations) [2019-06-20T18:29:30Z] <tgr@deploy1001> Synchronized docroot/wwwportal/.well-known/: SWAT: [[gerrit:516055|Add .well-known/matrix for wikimedia.org (Bug: T223835)]] (duration: 00m 57s)

Tgr added a comment. Jun 21 2019, 6:32 AM

https://wikimedia.org/.well-known/matrix/server works correctly. https://wikimedia.org/.well-known/matrix/client is loaded via AJAX and complains about the lack of CORS headers though.
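The three checks that this task ends up needing (the server-name resolution order from the description, the two .well-known files from Tgr's Jun 3 comment, and the CORS header from the comment above) as one added Python example. This is not code from the task, from Synapse or from Modular; it implements the resolution rules of the Matrix server-server spec as they stood in 2019 (.well-known first, then the _matrix._tcp SRV record, then port 8448) with the network I/O injected as callables so it runs offline, and the sample JSON bodies and SRV rdata are constructed from what the task shows. The security-relevant point is that whatever host `m.server` or the SRV target names is thereby authorised to serve and sign for every @*:wikimedia.org ID, which is why jbond's check that wikimedia.modular.im exists and belongs to the Foundation before the record goes live matters.

```python
"""Matrix server-name delegation checks: .well-known first, SRV fallback, plus
the CORS header the client file needs. Sample inputs are constructed; nothing
here touches the network."""
import ipaddress
import json
import re
from typing import Callable, Dict, Optional, Tuple

DEFAULT_FEDERATION_PORT = 8448
# host[:port]; IPv6 bracket literals are deliberately out of scope here
_HOSTPORT_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+)(?::(?P<port>\d{1,5}))?$")


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def split_host_port(name: str) -> Tuple[str, Optional[int]]:
    """Split 'host' or 'host:port'. A URL such as "https://host" (a common
    mistake in m.server) does not match the pattern and is rejected."""
    m = _HOSTPORT_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a host[:port] value: {name!r}")
    host = m.group("host").rstrip(".").lower()  # dig prints a trailing dot
    return host, (int(m.group("port")) if m.group("port") else None)


def parse_server_wellknown(body: str) -> Tuple[str, Optional[int]]:
    """Validate /.well-known/matrix/server: {"m.server": "host[:port]"}."""
    doc = json.loads(body)
    if not isinstance(doc, dict) or not isinstance(doc.get("m.server"), str):
        raise ValueError("m.server missing or not a string")
    return split_host_port(doc["m.server"])


def parse_client_wellknown(body: str) -> Dict[str, str]:
    """Validate /.well-known/matrix/client: m.homeserver.base_url is required,
    m.identity_server.base_url optional; both must be https URLs."""
    doc = json.loads(body)
    out: Dict[str, str] = {}
    for key in ("m.homeserver", "m.identity_server"):
        entry = doc.get(key)
        if entry is None and key == "m.identity_server":
            continue
        url = entry.get("base_url") if isinstance(entry, dict) else None
        if not isinstance(url, str) or not url.startswith("https://"):
            raise ValueError(f"{key}.base_url must be an https URL")
        out[key] = url.rstrip("/")
    return out


def parse_srv_rdata(rdata: str) -> Tuple[int, int, int, str]:
    """Parse SRV rdata 'priority weight port target' as dig prints it."""
    prio, weight, port, target = rdata.split()
    return int(prio), int(weight), int(port), target.rstrip(".").lower()


def check_cors(headers: Dict[str, str]) -> bool:
    """The client file is fetched cross-origin by the web client, so the
    response needs a permissive Access-Control-Allow-Origin header."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    return lowered.get("access-control-allow-origin") == "*"


# I/O is injected so the resolver runs offline: each callable returns the
# .well-known body / SRV rdata for the given URL / name, or None if absent.
def resolve_server_name(server_name: str,
                        fetch_wellknown: Callable[[str], Optional[str]],
                        lookup_srv: Callable[[str], Optional[str]]) -> Tuple[str, int]:
    """Order from the Matrix server-server spec: IP literal or explicit port
    wins; otherwise .well-known, then _matrix._tcp SRV, then <host>:8448."""
    host, port = split_host_port(server_name)
    if _is_ip(host):
        return host, port or DEFAULT_FEDERATION_PORT
    if port is not None:
        return host, port

    def srv_or_default(h: str) -> Tuple[str, int]:
        rdata = None if _is_ip(h) else lookup_srv(f"_matrix._tcp.{h}")
        if rdata:
            _, _, srv_port, target = parse_srv_rdata(rdata)
            return target, srv_port
        return h, DEFAULT_FEDERATION_PORT

    body = fetch_wellknown(f"https://{host}/.well-known/matrix/server")
    if body:
        try:
            d_host, d_port = parse_server_wellknown(body)
        except ValueError:
            pass  # an invalid .well-known counts as absent: fall through to SRV
        else:
            return (d_host, d_port) if d_port else srv_or_default(d_host)
    return srv_or_default(host)
```

Feeding it the task's own fixtures, `resolve_server_name("wikimedia.org", ...)` returns `("wikimedia.modular.im", 443)` whether the delegation comes from the .well-known body or from the SRV rdata dig printed, and falls back to `("wikimedia.org", 8448)` when both are absent. Because peers cache the .well-known result per the spec's caching rules, a wrong or hijackable target is not quickly corrected once published, so validate the delegated host before the record goes live, and serve the client file with a wildcard CORS header or web clients will reject it as Tgr observed.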

Change 518209 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[operations/puppet@production] Add permissive CORS headers for wikimedia.org/.well-known/matrix

https://gerrit.wikimedia.org/r/518209

Change 518209 merged by Giuseppe Lavagetto:
[operations/puppet@production] Add permissive CORS headers for wikimedia.org/.well-known/matrix

https://gerrit.wikimedia.org/r/518209

Change 519188 had a related patch set uploaded (by Giuseppe Lavagetto; owner: Giuseppe Lavagetto):
[operations/puppet@production] www.wikimedia.org: fix Location directives

https://gerrit.wikimedia.org/r/519188

Change 519188 merged by Giuseppe Lavagetto:
[operations/puppet@production] www.wikimedia.org: fix Location directives

https://gerrit.wikimedia.org/r/519188

Joe claimed this task. Jun 26 2019, 10:12 AM
Joe added a project: serviceops.
Joe moved this task from Backlog to Doing on the serviceops board.
Joe closed this task as Resolved. Jun 26 2019, 10:18 AM

Using curl I can confirm the header is now added. I fear you might need to force-reload in your browser as I see apache sees the date of modification of the file as last Thursday, so you might get a 304 if your browser has the url cached.

Tentatively resolving now.