Apache reverse proxy location syntax maybe leads to errors

[dev4223]

Description

I have a matrix synapse and mxisd installation on debian stretch working.
Only thing is, that I can't validate any email address. Email is sent but after clicking on the link i get the backend page with this message:

´´´
{"errcode":"M_NO_VALID_SESSION","error":"No valid session was found matching that sid and client secret","success":false}
´´´

Please read here kamax-matrix/mxisd#141

Version information

Debian Stretch

I've installed the lates matrix synapse package for debian stretch:
Package: matrix-synapse-py3
Version: 0.99.2+stretch1

and installed the latest stable mxisd package for stretch:
mxisd_1.3.1_all.deb

Solution

@pexus in kamax-matrix/mxisd#142 brought me to the Idea:
My apache config was

ProxyPreserveHost On
ProxyPass /_matrix/identity http://127.0.0.1:8090/_matrix/identity
ProxyPassReverse /_matrix/identity http://127.0.0.1:8090/_matrix/identity
<Location /_matrix>
  ProxyPass http://127.0.0.1:8008/_matrix nocanon
  ProxyPassReverse http://127.0.0.1:8008/_matrix
</Location>

Now I have changed it to

ProxyPreserveHost On
ProxyPass /_matrix/identity http://127.0.0.1:8090/_matrix/identity
ProxyPassReverse /_matrix/identity http://127.0.0.1:8090/_matrix/identity
ProxyPass /_matrix http://127.0.0.1:8008/_matrix nocanon
ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix

This solved the problem. This Location-syntax for synapse comes frome here https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.rst
And after the description here https://httpd.apache.org/docs/2.4/mod/core.html#location it seems not a good idea to do so.

[richvdh]

Your problem was the mix of ProxyPass directives inside and outside Location directives.

The example came from #3783. @cwmke : was there a reason to prefer Location directives here?

[dev4223]

I came from the issue kamax-matrix/mxisd#141 and kamax-matrix/mxisd#142.
First try was to put the ProxyPass Directives both into different Location-Tags, one for /_matrix and one for /_matrix/identity. Then matrix identity didn't work so i tried it without Location syntax.
In matrix identity INSTALL readme it is put this way, in your readme for reverse_proxy it is with Location syntax. So I mixed it.
Last try was both without Location and it worked.

[cwmke]

@richvdh no reason in particular. I was attempting to figure out how to get things working with apache and must have found an example that worked. From the linked documentation it sounds like location tags are an issue if the below is true.

This has several consequences. Most importantly, directives should not be used to control access to filesystem locations. Since several different URLs may map to the same filesystem location, such access controls may by circumvented.

@dev4223: your solution works well (just confirmed on my server.) I'll just submit a pull request to update the documentation using that syntax if that's agreeable?

[dev4223]

Oh yes, I'm glad I could help.

[richvdh]

fixed by #4870