From e7cb9eee79a63b7c7e50480f5e3571671f80b7a7 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Mon, 15 Dec 2025 13:00:53 +0200
Subject: [PATCH] Configure `encodedCharacters` for various Traefik entrypoints to fix Traefik 3.6.3+ regression
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4798
Ref: https://doc.traefik.io/traefik/migrate/v3/#v364
---
 group_vars/matrix_servers | 9 +++++
 roles/custom/matrix-base/defaults/main.yml | 46 +++++++++++++++++++++-
 2 files changed, 54 insertions(+), 1 deletion(-)
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 919b77019..45810a2e1 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -5836,6 +5836,15 @@ traefik_gid: "{{ matrix_user_gid }}"
 # This override (for the `web` entrypoint) also cascades to overriding the `web-secure` entrypoint and the `matrix-federation` entrypoint.
 traefik_config_entrypoint_web_transport_respondingTimeouts_readTimeout: 300s
+# Traefik v3.6.3+ blocks encoded characters in request paths by default for security.
+# Matrix API endpoints require encoded slashes (e.g., in room keys URLs) and encoded hashes (e.g., in room directory URLs).
+# Ref:
+# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4798
+# - https://doc.traefik.io/traefik/migrate/v3/#v364
+traefik_config_entrypoint_web_secure_http_encodedCharacters_enabled: true
+traefik_config_entrypoint_web_secure_http_encodedCharacters_allowEncodedSlash: true
+traefik_config_entrypoint_web_secure_http_encodedCharacters_allowEncodedHash: true
+
 traefik_additional_entrypoints_auto: |
 {{
 ([matrix_playbook_public_matrix_federation_api_traefik_entrypoint_definition] if matrix_playbook_public_matrix_federation_api_traefik_entrypoint_enabled else [])
diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml
index 8112c89ee..e9bee12b8 100644
--- a/roles/custom/matrix-base/defaults/main.yml
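Review bot: In `group_vars/matrix_servers`, the comment added above the `traefik_config_entrypoint_web_secure_http_encodedCharacters_*` variables gives the reason for the relaxation but not its scope. These are entrypoint-level settings, so encoded slashes and hashes are presumably accepted for every service routed through `web-secure`, not only for Matrix API paths. A `%2F` that the proxy and a backend interpret differently is a common reason for path-based routing or access rules not matching what the backend finally serves, so the trade-off deserves a line in the comment, for example `# NOTE: entrypoint-wide; every backend behind web-secure must handle %2F and %23 in paths safely.` The same caveat fits the comments added for the federation and internal client-API entrypoints in `roles/custom/matrix-base/defaults/main.yml`. The comment also says v3.6.3+ while the linked migration anchor is `#v364`, so it is worth confirming which release the text should name.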
+++ b/roles/custom/matrix-base/defaults/main.yml
@@ -321,6 +321,13 @@ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_port: "{{ matrix
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port: "{{ matrix_federation_public_port }}"
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port_udp: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_advertisedPort if matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled else '' }}"
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config: "{{ (matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_default | combine(matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_auto)) | combine(matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom, recursive=True) }}"
+# Traefik v3.6.3+ blocks encoded characters in request paths by default for security.
+# Matrix API endpoints require encoded slashes and hashes in endpoints containing room IDs, room aliases, etc.
+# Ref:
+# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4798
+# - https://doc.traefik.io/traefik/migrate/v3/#v364
+matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash: true
+matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash: true
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled: true
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_advertisedPort: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_port }}" # noqa var-naming
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_transport_respondingTimeouts_readTimeout: "{{ traefik_config_entrypoint_web_secure_transport_respondingTimeouts_readTimeout }}" # noqa var-naming
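Review bot: The two new `..._config_http_encodedCharacters_allowEncodedSlash` and `..._allowEncodedHash` variables are mixed-case but carry no `# noqa var-naming`. The `http3_advertisedPort` and `respondingTimeouts_readTimeout` lines directly below them in this hunk do carry it. If the var-naming lint rule is enforced for this file, append `# noqa var-naming` to both lines. The same applies to the two `matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_*` variables added in the last hunk of this file.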
@@ -330,6 +337,19 @@ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_default:
 {{
 {}
+ | combine(
+ (
+ {
+ 'http': {
+ 'encodedCharacters': {
+ 'allowEncodedSlash': matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash,
+ 'allowEncodedHash': matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash,
+ }
+ }
+ }
+ )
+ )
+
 | combine(
 (
 (
@@ -391,7 +411,31 @@ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled: "{{ matri
 matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name: matrix-internal-matrix-client-api
 matrix_playbook_internal_matrix_client_api_traefik_entrypoint_port: 8008
 matrix_playbook_internal_matrix_client_api_traefik_entrypoint_host_bind_port: ''
-matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_auto | combine(matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_custom, recursive=True) }}"
+matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config: "{{ (matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_default | combine(matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_auto)) | combine(matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_custom, recursive=True) }}"
+# Traefik v3.6.3+ blocks encoded characters in request paths by default for security.
+# Matrix API endpoints require encoded slashes and hashes in endpoints containing room IDs, room aliases, etc.
+# Ref:
+# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4798
+# - https://doc.traefik.io/traefik/migrate/v3/#v364
+matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash: true
+matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash: true
+matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_default: |
+ {{
+ {}
+
+ | combine(
+ (
+ {
+ 'http': {
+ 'encodedCharacters': {
+ 'allowEncodedSlash': matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash,
+ 'allowEncodedHash': matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash,
+ }
+ }
+ }
+ )
+ )
+ }}
 matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_auto: {}
 matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_custom: {}
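Review bot: In the rewritten `matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config` line, the first merge of `_config_default` with `_config_auto` is shallow; only the `_config_custom` merge passes `recursive=True`. `_config_auto` is `{}` today, but once it carries any `http` key the whole `http` mapping from `_config_default` is replaced. The `encodedCharacters` settings would then silently drop out of the rendered entrypoint. Making the first merge recursive as well avoids that: `combine(matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_auto, recursive=True)`. The federation entrypoint's `_config` line, visible as context in the first hunk of this file, has the same shape.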