Docs: Federation troubleshooting re: Cloudflare

[caseyWebb]

Description:

I am using Cloudflare as my DNS provider. When attempting to federate (using port 8448), I was getting errors like

Get "https://104.21.90.241:8448/_matrix/key/v2/server": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

"https://[2606:4700:3036::ac43:a2cf]:8448/_matrix/key/v2/server": dial tcp [2606:4700:3036::ac43:a2cf]:8448: i/o timeout (Client.Timeout exceeded while awaiting headers)

I determined this to be caused by the fact that, when using Cloudflare's proxying only certain ports are allowed. The simple solution is to turn off proxying (set matrix DNS entry to "DNS-only").

---

To elaborate, what happens (in my case) is:

• https://example.com/.well-known/_matrix/server is fetched, it delegates to https://matrix.example.com
• https://matrix.example.com resolves to a Cloudflare proxy IP address
• Attempt to reach https://<cloudflare_ip>:8448
• Cloudflare unhappy :(

You could presumably also change your configuration to use one of the supported ports.

---

I think a note in the delegation and/or federation docs about usage with Cloudflare would go a long way here to save some headache.

[MomentQYC]

You might try setting up a SRV record, it worked for me.

[caseyWebb]

@MomentQYC I don't think that works for my specific use-case. I'm using DDNS, so I would need to set the SRV record to that. The server at that host has multiple services behind a reverse proxy, including an existing default server. I'm using the HOST header in that to send matrix federation traffic to synapse. My understanding is the SRV record would replace the original delegated_hostname with the DDNS hostname and I'd lose the ability to route based on the header. I could change the reverse proxy to use location/pathname based routing but I already had the rest done and it was easiest to turn off proxying 😅