404 when accessing example.com/.well-known/matrix/*

[Elyviere]

Playbook Configuration:

My vars.yml file looks like this:

---
matrix_domain: <mydomain>.com

matrix_homeserver_implementation: synapse

matrix_homeserver_generic_secret_key: '<redacted>'

matrix_playbook_reverse_proxy_type: playbook-managed-traefik

traefik_config_certificatesResolvers_acme_email: '<myemail>@gmail.com'

postgres_connection_password: '<redacted>'

matrix_coturn_turn_external_ip_address: ''

matrix_synapse_admin_enabled: true

Matrix Server:

• OS: Debian 12 (LXC)
• Architecture amd64

Ansible:
N/A

Problem description:
It appears that nginx is removing the /client from the end of the query, and I'm not really sure why. Details:

---

Update: I added a custom location in nginx specifically for /.well-known/matrix/client and I'm still getting the same error. Traefik outputs the following:

https://<mydomain>.com/.well-known/matrix/client

Jan 19 00:15:05 matrix matrix-traefik[291803]: 10.17.17.100 - - [18/Jan/2025:23:15:05 +0000] "GET /.well-known/matrix/client HTTP/1.1" 404 19 "-" "-" 11374 "-" "-" 0ms

https://matrix.<mydomain>.com/.well-known/matrix/client

Jan 19 00:15:22 matrix matrix-traefik[291803]: 10.17.17.17 - - [18/Jan/2025:23:15:22 +0000] "GET /.well-known/matrix/client HTTP/3.0" 200 158 "-" "-" 11375 "matrix-static-files-well-known@docker" "http://172.22.0.5:8080" 22ms
Jan 19 00:15:22 matrix matrix-traefik[291803]: 10.17.17.17 - - [18/Jan/2025:23:15:22 +0000] "GET /favicon.ico HTTP/3.0" 404 19 "-" "-" 11376 "-" "-" 0ms

---

As I use nginx on my primary domain already (example.com), I followed this guide to set up my reverse proxy: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md#option-2-setting-up-reverse-proxying-of-the-well-known-files-from-the-base-domains-server-to-the-matrix-server

However, when accessing https://.com/.well-known/matrix/client I'm getting a 404 instead of a json. Accessing https://matrix..com/.well-known/matrix/client does provide the expected JSON.

Using journalctl -fu matrix-traefik.service I can see that the request reaches traefik in both cases, but it doesn't seem to behave quite the same. This is the output when I access .com/.../client

Jan 18 23:59:56 matrix matrix-traefik[291803]: 10.17.17.100 - - [18/Jan/2025:22:59:56 +0000] "GET /.well-known/matrix/ HTTP/1.1" 404 19 "-" "-" 11367 "-" "-" 0ms

And similarly, this is the output when I access matrix..com/.../client

Jan 19 00:00:55 matrix matrix-traefik[291803]: 10.17.17.17 - - [18/Jan/2025:23:00:55 +0000] "GET /.well-known/matrix/client HTTP/3.0" 200 158 "-" "-" 11368 "matrix-static-files-well-known@docker" "http://172.22.0.5:8080" 2ms
Jan 19 00:00:55 matrix matrix-traefik[291803]: 10.17.17.17 - - [18/Jan/2025:23:00:55 +0000] "GET /favicon.ico HTTP/3.0" 404 19 "-" "-" 11369 "-" "-" 0ms

Additional context
Here's my nginx config (some boilerplate due to using Nginx Proxy Manager), but mostly I've just tried to match it to the example in the docs from the link above:

server {
  ...
  server_name <mydomain>.com;
  include /etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf;
  include /etc/nginx/conf.id/include/ssl-ciphers.conf;

  location /.well-known/matrix {
    proxy_ssl_server_name on;

    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Scheme $scheme;
    proxy_set_header X-Forwarded-Proto  $scheme;
    proxy_set_header X-Forwarded-For    $remote_addr;
    proxy_set_header X-Real-IP          $remote_addr;

    set $proxy_forward_scheme https;
    set $proxy_server         "matrix.<mydomain>.com";
    set $proxy_port           443;

    proxy_pass       $proxy_forward_scheme://$proxy_server:$proxy_port/.well-known/matrix/;

    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_http_version 1.1;
  }
  ...
}

[spantaleev]

Traefik does not serve the base domain for you by default. There's a separate docs/ page we have that tells you how to enable base domain serving.

[Elyviere]

That was it. Took some searching, but if anyone else finds their way here it's here: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-base-domain-serving.md#serving-a-more-complicated-website-at-the-base-domain

Needed to add these two lines to my vars.yml:

matrix_static_files_container_labels_base_domain_enabled: true
matrix_static_files_container_labels_base_domain_traefik_path_prefix: /.well-known/matrix

@spantaleev I would suggest adding a section to https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md#option-2-setting-up-reverse-proxying-of-the-well-known-files-from-the-base-domains-server-to-the-matrix-server about this. Following the logical flow of this page, nothing suggested to me that I needed to look at the documentation for serving the base domain. The only reference to that page is this:

"If you decide to go this route, you don't need to read ahead in this document. Instead, go to Serving the base domain...",

which seems to say that these two pages are mutually exclusive. But actually, for (all?) redirection to work per the suggested option 2, you need to setup the base domain serving as well.

[spantaleev]

What should have told you about the base domain is the Finalize the installation section on docs/installing.md.

The base domain is only involved in getting your server to federate successfully. You can use your server even without doing this extra setup. Of course, most people would like to do it, but it's just.. the next step after the initial setup.

---

Actually, there are 2 ways to handle the base domain for people like you who are fronting Traefik with their own reverse-proxy:

1. Making Traefik handle the base domain (matrix_static_files_container_labels_base_domain_enabled: true).. And then also handling the base domain at your other reverse-proxy and making it forward /.well-known/matrix/* requests to Traefik as example.com (base domain) requests

2. Handling the base domain only at your other reverse-proxy and making it forward /.well-known/matrix/* requests to Traefik as matrix.example.com (matrix. domain!) requests.

The docs that you're linking to ((Option 2): Setting up reverse-proxying of the well-known files from the base domain's server to the Matrix server) tell you how to do the latter. Doing that, you don't need to make Traefik handle the base domain. It's only your external/other reverse-proxy that handles the base domain, and forwards /.well-known/matrix/* requests to Traefik as matrix.example.com (matrix. domain!) requests

Serving the base domain from the Matrix server is mostly useful for people who don't front Traefik with another reverse-proxy and who mostly don't need to host a website at the base domain. If that's not you, perhaps it's not the best option for you.

---

You may be right that we need to update some docs to make this more clear (though yours is quite a special case), but I'm not sure which and how.

[Elyviere]

What should have told you about the base domain is the Finalize the installation section on docs/installing.md.

I must've missed that part in the "Finalize the installation"-step, since it's after the link. In my mind that puts that as something I should do after completing everything in the link. But, clearly it was in the docs so perhaps it's not such a big issue, I just missed it when I was searching for it.

I didn't think my case was quite so special, but perhaps it's more rare than I thought. If so, perhaps this is fine. I would suggest just changing the order such that this line:
matrix_static_files_container_labels_base_domain_enabled: true comes before the link to a different page, since that page includes testing that the /.well-known url works.