
Configure wikimedia.org to enable *:wikimedia.org Matrix user IDs
Closed, ResolvedPublic

Description

To use Matrix IDs from a given domain, that domain needs to be authorized. There are two alternative ways to do this:

  • adding a /.well-known/matrix/server URL served on https://wikimedia.org.
  • adding a DNS SRV record in the DNS zone of wikimedia.org.

The SRV record alternative turned out to be incorrect, see T223835#5230126.

We'll need one of them for T215042: Set up a hosted Matrix.org / Element instance on modular.im.
Live test: federation tester

.well-known URL

Make the https://wikimedia.org/.well-known/matrix/server URL return

{
    "m.server": "wikimedia.modular.im:443"
}

DNS SRV record

Add an SRV record to the wikimedia.org domain with the content

_matrix._tcp.wikimedia.org. 3600 IN SRV 10 5 443 wikimedia.modular.im.
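The following is an added example (not code from this task, from Synapse or from Modular) of what a federating homeserver does with the two mechanisms above when it resolves a server name such as wikimedia.org. The Matrix server-server spec fixes the order: an explicit IP literal or port is used as-is, otherwise https://<hostname>/.well-known/matrix/server is fetched first, the _matrix._tcp SRV record is consulted only if that yields nothing, and <hostname>:8448 is the last resort. The two mechanisms also differ in which name the peer's TLS certificate must match: after .well-known delegation the certificate must be valid for the delegated hostname (here wikimedia.modular.im), whereas with an SRV record alone it must still be valid for the original server name (wikimedia.org), something a third-party host could only present if it held a certificate for the Foundation's domain. The fetchers below are fakes backed by fixtures constructed from the task text; the *.example names are hypothetical and nothing touches the network.

```python
"""Matrix server-name resolution with .well-known and SRV delegation.

Added example; not code from this task, from Synapse or from Modular.
Resolution order of the Matrix server-server spec: explicit IP/port,
then /.well-known/matrix/server, then the _matrix._tcp SRV record,
then <hostname>:8448. Fetchers are fakes over constructed fixtures.
"""
import ipaddress
import json
import re
from typing import Callable, List, NamedTuple, Optional, Tuple

MATRIX_DEFAULT_PORT = 8448

class SrvRecord(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str

class Endpoint(NamedTuple):
    host: str       # host to open the TLS connection to
    port: int
    tls_name: str   # name the peer's certificate must be valid for

# hostname -> raw /.well-known/matrix/server body, or None on any failure
WellKnownFetcher = Callable[[str], Optional[str]]
# "_matrix._tcp.<host>" -> SRV records (empty list if none)
SrvResolver = Callable[[str], List[SrvRecord]]

def _split_host_port(name: str) -> Tuple[str, Optional[int]]:
    """Split "host[:port]" (IPv6 literals in brackets) into (host, port)."""
    m = re.fullmatch(r"\[([0-9a-fA-F:.]+)\](?::(\d{1,5}))?", name)
    if m is None:
        m = re.fullmatch(r"([^\[\]:]+)(?::(\d{1,5}))?", name)
    if m is None:
        raise ValueError(f"malformed server name: {name!r}")
    return m.group(1), (int(m.group(2)) if m.group(2) else None)

def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def _parse_well_known(body: Optional[str]) -> Optional[str]:
    """Return m.server from a well-known body, or None if unusable."""
    if body is None:
        return None
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    server = doc.get("m.server") if isinstance(doc, dict) else None
    return server if isinstance(server, str) and server else None

def _pick_srv(records: List[SrvRecord]) -> Optional[SrvRecord]:
    """Lowest priority wins; RFC 2782 picks among equal priorities at
    random by weight, simplified here to highest weight for determinism."""
    if not records:
        return None
    return sorted(records, key=lambda r: (r.priority, -r.weight))[0]

def _connect_to(host: str, port: Optional[int], srv: SrvResolver,
                tls_name: str) -> Endpoint:
    """Steps shared by the delegated and the non-delegated path."""
    if _is_ip_literal(host) or port is not None:
        return Endpoint(host, port or MATRIX_DEFAULT_PORT, tls_name)
    rec = _pick_srv(srv(f"_matrix._tcp.{host}"))
    if rec is not None:
        return Endpoint(rec.target.rstrip("."), rec.port, tls_name)
    return Endpoint(host, MATRIX_DEFAULT_PORT, tls_name)

def resolve_server_name(server_name: str, fetch_well_known: WellKnownFetcher,
                        srv: SrvResolver) -> Endpoint:
    host, port = _split_host_port(server_name)
    if _is_ip_literal(host) or port is not None:
        return Endpoint(host, port or MATRIX_DEFAULT_PORT, host)
    delegated = _parse_well_known(fetch_well_known(host))
    if delegated is not None:
        # .well-known delegation: certificate must match the delegated name
        d_host, d_port = _split_host_port(delegated)
        return _connect_to(d_host, d_port, srv, tls_name=d_host)
    # No usable .well-known: SRV may redirect the connection, but the
    # certificate must still be valid for the original server name.
    return _connect_to(host, None, srv, tls_name=host)

# Constructed fixtures (values taken from the task text; not live lookups).
WELL_KNOWN = {
    "wikimedia.org": '{"m.server": "wikimedia.modular.im:443"}',
    "broken.example": "<html>404 Not Found</html>",   # hypothetical non-JSON body
}
SRV = {
    "_matrix._tcp.wikimedia.org": [SrvRecord(10, 5, 443, "wikimedia.modular.im.")],
    "_matrix._tcp.srv-only.example": [            # hypothetical SRV-only domain
        SrvRecord(20, 1, 8448, "backup.srv-only.example."),
        SrvRecord(10, 1, 443, "primary.srv-only.example."),
    ],
}

def fake_well_known(host: str) -> Optional[str]:
    return WELL_KNOWN.get(host)

def fake_srv(name: str) -> List[SrvRecord]:
    return SRV.get(name, [])

if __name__ == "__main__":
    for name in ("wikimedia.org", "srv-only.example", "broken.example",
                 "[::1]", "matrix.example:8448"):
        print(f"{name:22} -> {resolve_server_name(name, fake_well_known, fake_srv)}")
```

Note that the SRV fixture for wikimedia.org is never consulted: the .well-known answer wins, which is the ordering Tgr later cites from the spec. Whoever can write that one static file (or the SRV record) redirects all federation traffic for @*:wikimedia.org, so the web root and the DNS zone deserve the same change control as the homeserver itself.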

Event Timeline

Tgr updated the task description. (Show Details)

Does the Foundation have an NDA with modular.im?

The comments on T215042#4977385 sounded like this wasn't going to be done, for the temporary evaluation that it is. ?

> Does the Foundation have an NDA with modular.im?

NDA for what? This doesn't involve any non-public information.
In general, there's a ToS clause about confidentiality/privacy.

> The comments on T215042#4977385 sounded like this wasn't going to be done, for the temporary evaluation that it is. ?

That refers to hosting Matrix (ie. the Synapse server's REST API and the page the Riot web app is served from) under wikimedia.org, which is unrelated to using wikimedia.org as a namespace within the Matrix protocol. (Or only related to the extent that this task is only necessary because the hosting domain and the Matrix ID namespace differ so Synapse wants us to prove ownership).

Volans triaged this task as Medium priority.May 22 2019, 9:27 AM

Change 511842 had a related patch set uploaded (by Volans; owner: Volans):
[operations/dns@master] Matrix wikimedia.org IDs domain authorization

https://gerrit.wikimedia.org/r/511842

@Tgr while reviewing the change created by volans I noticed that currently wikimedia.modular.im. does not exist. We should ensure this exists and belongs to the Wikimedia Foundation before adding the authorization. Further, having followed the links, it looks like the hosted service from modular.im would actually be a riot.im box and would have the name wikimedia.riot.im

"""You'll get a customized instance of Riot.im and your own dedicated Matrix homeserver: all you need to get chatting!"""
https://www.modular.im/services/matrix-hosting#get-started

Yeah, it shouldn't be merged before the server is up (which is in a few days if all goes well). The Matrix server (Synapse) will be at wikimedia.modular.im, the client (Riot) will be at wikimedia.riot.im, but the latter is not relevant here. (The setup is not unlike how the main public Matrix server is at matrix.org but the web client is at riot.im).

ack, thanks for the clarification

Both records are actually up now:

$ dig +trace wikimedia.modular.im
[...SNIP...]
wikimedia.modular.im.	300	IN	A	52.56.197.133
;; Received 65 bytes from 173.245.58.183#53(laura.ns.cloudflare.com) in 9 ms

$ dig +trace wikimedia.riot.im
[...SNIP...]
wikimedia.riot.im.	300	IN	A	52.56.197.133
;; Received 62 bytes from 173.245.59.154#53(derek.ns.cloudflare.com) in 11 ms

Change 511842 merged by Volans:
[operations/dns@master] Matrix wikimedia.org IDs domain authorization

https://gerrit.wikimedia.org/r/511842

Volans claimed this task.
Volans removed a project: Patch-For-Review.

Change is live:

$ dig @ns0.wikimedia.org SRV _matrix._tcp.wikimedia.org

; <<>> DiG 9.10.6 <<>> @ns0.wikimedia.org SRV _matrix._tcp.wikimedia.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62524
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1024
;; QUESTION SECTION:
;_matrix._tcp.wikimedia.org.	IN	SRV

;; ANSWER SECTION:
_matrix._tcp.wikimedia.org. 3600 IN	SRV	0 1 443 wikimedia.modular.im.

;; Query time: 107 msec
;; SERVER: 208.80.154.238#53(208.80.154.238)
;; WHEN: Mon Jun 03 13:21:23 CEST 2019
;; MSG SIZE  rcvd: 95

$ dig @ns1.wikimedia.org SRV _matrix._tcp.wikimedia.org

; <<>> DiG 9.10.6 <<>> @ns1.wikimedia.org SRV _matrix._tcp.wikimedia.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23941
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1024
;; QUESTION SECTION:
;_matrix._tcp.wikimedia.org.	IN	SRV

;; ANSWER SECTION:
_matrix._tcp.wikimedia.org. 3600 IN	SRV	0 1 443 wikimedia.modular.im.

;; Query time: 139 msec
;; SERVER: 208.80.153.231#53(208.80.153.231)
;; WHEN: Mon Jun 03 13:21:26 CEST 2019
;; MSG SIZE  rcvd: 95

$ dig @ns2.wikimedia.org SRV _matrix._tcp.wikimedia.org

; <<>> DiG 9.10.6 <<>> @ns2.wikimedia.org SRV _matrix._tcp.wikimedia.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22752
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1024
;; QUESTION SECTION:
;_matrix._tcp.wikimedia.org.	IN	SRV

;; ANSWER SECTION:
_matrix._tcp.wikimedia.org. 3600 IN	SRV	0 1 443 wikimedia.modular.im.

;; Query time: 34 msec
;; SERVER: 91.198.174.239#53(91.198.174.239)
;; WHEN: Mon Jun 03 13:21:28 CEST 2019
;; MSG SIZE  rcvd: 95

It seems the documentation is outdated and only the .well-known method works with Modular, and there need to be two URLs: https://wikimedia.org/.well-known/matrix/server with

{
    "m.server": "wikimedia.modular.im:443"
}

and https://wikimedia.org/.well-known/matrix/client with

{
    "m.homeserver": {
        "base_url": "https://wikimedia.modular.im"
    },
    "m.identity_server": {
        "base_url": "https://vector.im"
    }
}

and the SRV record is not needed. Sorry for the confusion.

Volans added a subscriber: fsero.

I'm leaving it back to the current clinic duty (@fsero) at this point given that it needs to be re-worked, it's not just a follow-up.

Hi @Tgr :)

I'm following this up; according to https://github.com/matrix-org/synapse/blob/master/docs/federate.md DNS SRV should work and hence the DNS change merged by @Volans is useful. Is this a modular limitation instead of matrix? If I understand this correctly this is a paid service that we are trying out, could we contact them to fix that maybe?

If this is just for a test I guess we could scap sync-file the .well-known files, and it should work but when new mw servers are coming up or reimaged this would be lost and hence I'm inclined to avoid it.

Let me know what you think
Thanks

@fsero this was feedback from modular.im support (and the modular.im config panel indeed checks for the .well-known files, I didn't find the right place initially) - they said Matrix is moving away from the SRV method. (Also the spec says .well-known is tried first and SRV only in case of failure, so it's probably slightly better for performance as well.)

Change 516055 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[operations/mediawiki-config@master] Add .well-known/matrix for wikimedia.org

https://gerrit.wikimedia.org/r/516055

Change 516056 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[operations/dns@master] Revert "Matrix wikimedia.org IDs domain authorization"

https://gerrit.wikimedia.org/r/516056

@Tgr just to be sure, you just want the url https://wikimedia.org/.well_known to be served from a static file?

> @Tgr just to be sure, you just want the url https://wikimedia.org/.well_known to be served from a static file?

A static directory, and it's well-known with a dash, but basically yes.

Change 516056 merged by Alexandros Kosiaris:
[operations/dns@master] Revert "Matrix wikimedia.org IDs domain authorization"

https://gerrit.wikimedia.org/r/516056

Change 516055 merged by jenkins-bot:
[operations/mediawiki-config@master] Add .well-known/matrix for wikimedia.org

https://gerrit.wikimedia.org/r/516055

Mentioned in SAL (#wikimedia-operations) [2019-06-20T18:29:30Z] <tgr@deploy1001> Synchronized docroot/wwwportal/.well-known/: SWAT: [[gerrit:516055|Add .well-known/matrix for wikimedia.org (Bug: T223835)]] (duration: 00m 57s)

https://wikimedia.org/.well-known/matrix/server works correctly. https://wikimedia.org/.well-known/matrix/client is loaded via AJAX and complains about the lack of CORS headers though.
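An added example (not code from this task or from Riot/Element) of the client side of the two-file setup Tgr described earlier, and of why the /client document fails where the /server one does not. A web client served from wikimedia.riot.im fetching https://wikimedia.org/.well-known/matrix/client is a cross-origin request, so the browser only hands the response to the page if it carries a permissive Access-Control-Allow-Origin header; the /server document is fetched by homeservers, not browsers, and needs no such header. The code walks the auto-discovery steps of the Matrix client-server spec (fetch the client document, validate m.homeserver.base_url against /_matrix/client/versions, optionally check the identity server) over an in-memory transport. Hostnames are the task's; the responses, the version string and the nowellknown.example name are constructed here, not captured from the live servers.

```python
"""Client-side Matrix auto-discovery, including the browser's CORS rule.

Added example; not code from this task or from Riot/Element. Walks the
/.well-known/matrix/client discovery steps of the Matrix client-server
spec over a constructed in-memory HTTP transport, applying the browser's
same-origin rule that makes a CORS header on wikimedia.org necessary.
"""
import json
from typing import Dict, NamedTuple, Optional, Tuple
from urllib.parse import urlparse

class Response(NamedTuple):
    status: int
    headers: Dict[str, str]   # header names lower-cased
    body: str

class DiscoveryError(Exception):
    """Message carries the spec's failure class (FAIL_PROMPT/FAIL_ERROR) or CORS."""

def make_transport(cors_on_well_known: bool) -> Dict[str, Response]:
    """URL -> canned response (constructed). The homeserver and identity server
    already send CORS headers, as Matrix requires of them; only the static
    .well-known file on wikimedia.org is toggled, to reproduce the failure."""
    wk_headers = {"content-type": "application/json"}
    if cors_on_well_known:
        wk_headers["access-control-allow-origin"] = "*"
    cors = {"access-control-allow-origin": "*"}
    client_doc = {
        "m.homeserver": {"base_url": "https://wikimedia.modular.im"},
        "m.identity_server": {"base_url": "https://vector.im"},
    }
    return {
        "https://wikimedia.org/.well-known/matrix/client":
            Response(200, wk_headers, json.dumps(client_doc)),
        "https://wikimedia.modular.im/_matrix/client/versions":
            Response(200, cors, json.dumps({"versions": ["r0.5.0"]})),
        "https://vector.im/_matrix/identity/api/v1":
            Response(200, cors, "{}"),
    }

def browser_get(transport: Dict[str, Response], url: str, origin: str) -> Response:
    """GET as a page served from `origin` would: a cross-origin response is
    withheld from the page unless ACAO is '*' or the requesting origin."""
    resp = transport.get(url)
    if resp is None:
        return Response(404, {}, "")
    u = urlparse(url)
    if f"{u.scheme}://{u.netloc}" != origin:
        if resp.headers.get("access-control-allow-origin") not in ("*", origin):
            raise DiscoveryError(f"CORS: {url} blocked for origin {origin}")
    return resp

def discover(transport: Dict[str, Response], server_name: str,
             origin: str) -> Tuple[str, Optional[dict]]:
    """Return (status, result); status is SUCCESS or IGNORE, failures raise."""
    wk = browser_get(transport, f"https://{server_name}/.well-known/matrix/client", origin)
    if wk.status == 404:
        return "IGNORE", None          # no .well-known: fall back to manual entry
    if wk.status != 200:
        raise DiscoveryError("FAIL_PROMPT: .well-known not retrievable")
    try:
        doc = json.loads(wk.body)
    except ValueError:
        raise DiscoveryError("FAIL_PROMPT: .well-known is not JSON")
    hs = doc.get("m.homeserver") if isinstance(doc, dict) else None
    if not isinstance(hs, dict):
        raise DiscoveryError("FAIL_PROMPT: m.homeserver missing")
    base_url = hs.get("base_url")
    if not isinstance(base_url, str) or urlparse(base_url).scheme != "https":
        raise DiscoveryError("FAIL_ERROR: m.homeserver.base_url invalid")
    base_url = base_url.rstrip("/")
    versions = browser_get(transport, base_url + "/_matrix/client/versions", origin)
    if versions.status != 200 or "versions" not in json.loads(versions.body):
        raise DiscoveryError("FAIL_ERROR: base_url is not a Matrix homeserver")
    identity = (doc.get("m.identity_server") or {}).get("base_url")
    if identity is not None:
        identity = identity.rstrip("/")
        ping = browser_get(transport, identity + "/_matrix/identity/api/v1", origin)
        if ping.status != 200:
            raise DiscoveryError("FAIL_ERROR: identity server not responding")
    return "SUCCESS", {"homeserver": base_url, "identity_server": identity}

if __name__ == "__main__":
    riot = "https://wikimedia.riot.im"
    print(discover(make_transport(True), "wikimedia.org", riot))
    try:
        discover(make_transport(False), "wikimedia.org", riot)
    except DiscoveryError as e:
        print("without CORS header:", e)
```

The same-origin branch shows why curl never sees the problem: curl enforces no origin policy, so the only way to verify the fix from the command line is to look for the Access-Control-Allow-Origin header in the response rather than for a successful body, as Joe did.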

Change 518209 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[operations/puppet@production] Add permissive CORS headers for wikimedia.org/.well-known/matrix

https://gerrit.wikimedia.org/r/518209

Change 518209 merged by Giuseppe Lavagetto:
[operations/puppet@production] Add permissive CORS headers for wikimedia.org/.well-known/matrix

https://gerrit.wikimedia.org/r/518209

Change 519188 had a related patch set uploaded (by Giuseppe Lavagetto; owner: Giuseppe Lavagetto):
[operations/puppet@production] www.wikimedia.org: fix Location directives

https://gerrit.wikimedia.org/r/519188

Change 519188 merged by Giuseppe Lavagetto:
[operations/puppet@production] www.wikimedia.org: fix Location directives

https://gerrit.wikimedia.org/r/519188

Joe added a project: serviceops.
Joe moved this task from Incoming 🐫 to Doing 😎 on the serviceops board.

Using curl I can confirm the header is now added. I fear you might need to force-reload in your browser as I see apache sees the date of modification of the file as last Thursday, so you might get a 304 if your browser has the url cached.

Tentatively resolving now.

Change 623147 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[operations/mediawiki-config@master] Revert "Add .well-known/matrix for wikimedia.org"

https://gerrit.wikimedia.org/r/623147