This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Password Reset results in nginx 404 not found #15803

Closed
warioishere opened this issue Jun 19, 2023 · 1 comment
warioishere commented Jun 19, 2023

Description

Hello people, I got the latest Matrix-Synapse 1.85 running (manual deployment) and I have no issues so far except my users get a 404 not found if they request a password change after losing their password.
Everything works fine so far; also the server seems to handle the request properly according to the homeserver.log.
But the link in the email is not resolvable. People get a 404 not found error when clicking on the mail's link to reset the password.

The mail's registration links start with matrix.mydomain.com/_matrix
The mail's password reset links start with matrix.mydomain.com/_synapse

Shouldn't they both start with /_matrix?

I'm a beginner at server configurations, so I am very sorry if I missed something or did something wrong and this is not an actual bug. I also tried using ChatGPT and it tells me everything is good. So now I wanted to ask the real experts here :)

I'm running nginx, which should send all requests to /_matrix to port 8008.

configuration:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name matrix.mydomain.ch;
    ssl_certificate /etc/letsencrypt/rsa-certs/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/rsa-certs/privkey.pem;
    ssl_certificate /etc/letsencrypt/ecc-certs/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/ecc-certs/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/ecc-certs/chain.pem;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384';
    ssl_ecdh_curve X448:secp521r1:secp384r1;
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Robots-Tag none always;
    add_header X-Download-Options noopen always;
    add_header X-Permitted-Cross-Domain-Policies none always;
    add_header Referrer-Policy no-referrer always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    fastcgi_hide_header X-Powered-By;
    access_log off;
    error_log off;
    proxy_connect_timeout 300s;
    proxy_send_timeout 300s;
    proxy_read_timeout 300s;
    location /_matrix {
        proxy_pass http://127.0.0.1:8008;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        client_max_body_size 50M;
    }
    location /.well-known/matrix/server {
        return 200 '{"m.server": "matrix.mydomain.ch:443"}';
        add_header Content-Type application/json;
    }
    location /.well-known/matrix/client {
        return 200 '{"m.homeserver": {"base_url": "https://matrix.mydomain.ch"}}';
        add_header Content-Type application/json;
        add_header "Access-Control-Allow-Origin" *;
    }
}

My homeserver.yaml config:

server_name: matrix.mydomain.ch
pid_file: "/var/run/matrix-synapse.pid"
listeners:
  - port: 8008
    tls: false
    type: http
    x_forwarded: true
    bind_addresses: ['::1', '127.0.0.1']
    resources:
      - names: [client, federation]
        compress: false

database:
  name: psycopg2
#  txn_limit: 10000
  args:
    user: matrixadmin
    password: xxxx
    database: xxxx
    host: localhost
    port: 5432
    cp_min: 5
    cp_max: 10

log_config: "/etc/matrix-synapse/log.yaml"
media_store_path: /var/lib/matrix-synapse/media
signing_key_path: "/etc/matrix-synapse/homeserver.signing.key"
trusted_key_servers:
  - server_name: "matrix.org"
trusted_third_party_id_servers:
  - matrix.org

presence:
  enabled: true

suppress_key_server_warning: true
default_identity_server: https://matrix.org
public_baseurl: https://matrix.mydomain.ch
max_upload_size: 50M
url_preview_enabled: true
url_preview_ip_range_blacklist:
 - '127.0.0.0/8'
 - '10.0.0.0/8'
 - '172.16.0.0/12'
 - '192.168.0.0/16'
 - '100.64.0.0/10'
 - '192.0.0.0/24'
 - '169.254.0.0/16'
 - '::1/128'
 - 'fe80::/64'
 - 'fc00::/7'

allow_public_rooms_over_federation: true
enable_metrics: false
report_stats: false
include_content: false

registration_shared_secret: xxxx
enable_registration_without_verification: false
enable_registration: true
registration:
  require_email_validation: true
registrations_require_3pid:
  - email
  - msisdn
disable_msisdn_registration: true
enable_3pid_lookup: false
enable_3pid_changes: true
enable_set_displayname: true
enable_set_avatar_url: true
auto_join_rooms:
  - "#generaltalk:matrix.mydomain.ch"

email:
  smtp_host: mail.mydomain.ch
  smtp_port: 587
  smtp_user: "[email protected]"
  smtp_pass: "xxxx!"
  require_transport_security: true
  enable_tls: true
  enable_notifs: true
  notif_from: "chatserver <[email protected]>"
  app_name: "Matrix Synapse"

## TURN ##
turn_uris: ["turns:coturn.mydomain.ch:443?transport=udp", "turns:coturn.mydomain.ch:443?transport=tcp"]
turn_shared_secret: "xxxx!xxxx!!!"
turn_user_lifetime: 86400000
turn_allow_guests: true

If you need more details, please ask me anytime.

greetings

mario

Steps to reproduce

Reset password after password loss. Click the link "Forgot Password?" on the login screen, in either the Android app or a web browser
Enter email address
Received reset email correctly
Click on the reset link
Expected to be able to reset password

Actually happening --> click on link in mail --> 404 not found

Homeserver

matrix.yourdevice.ch (own homeserver)

Synapse Version

1.85 on own Server with NAT

Installation Method

pip (from PyPI)

Database

PostgreSQL - no portings

Workers

Single process

Platform

Proxmox Virtual Environment latest version. Connected via NAT

Configuration

No response

Relevant log output

from Homeserver.log

I guess this is the request from the client to the server requesting a new password

2023-06-18 20:16:54,925 - synapse.access.http.8008 - 461 - INFO - POST-50417 - 37.46.145.192 - 8008 - {None} Processed request: 1.505sec/0.000sec (0.001sec, 0.001sec) (0.001sec/0.005sec/3) 26B 200 "POST /_matrix/client/r0/account/password/email/requestToken HTTP/1.0" "Element/1.5.32 (Google Pixel 5; Android 13; TQ2A.230505.002.23410000; Flavour FDroid; MatrixAndroidSdk2 1.5.32)" [0 dbevts]

Anything else that would be useful to know?

No response

@warioishere
Author

After using my brain a bit, I added an entry with:

location /_synapse {
    proxy_pass http://127.0.0.1:8008;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    client_max_body_size 50M;
}

to my nginx config. It works now, can be closed, sorry guys
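
Added example, not part of the original issue or the Synapse project: a simplified model of nginx location matching (flat blocks only, an assumption) that reports which Synapse paths each configuration forwards. The `/_synapse` block from the comment above fixes the reset link but also forwards `/_synapse/admin`, which Synapse's reverse-proxy documentation advises keeping off the public internet; the `NARROW` form from that documentation forwards only `/_matrix` and `/_synapse/client`. The probe paths and reduced configs are constructed for this example.

```python
import re

# Paths served by Synapse's client listener (known Synapse endpoints, not quoted on the page).
PROBES = {
    "client API": "/_matrix/client/versions",
    "password reset link": "/_synapse/client/password_reset/email/submit_token",
    "admin API": "/_synapse/admin/v1/server_version",
}
PROXY = "{ proxy_pass http://127.0.0.1:8008; }"
# Constructed, reduced configs: only the location blocks that matter here.
ISSUE_CONF = f"location /_matrix {PROXY}"
COMMENT_FIX = ISSUE_CONF + f"\nlocation /_synapse {PROXY}"
NARROW = f"location ~ ^(/_matrix|/_synapse/client) {PROXY}"

# Matches flat location blocks; blocks whose body contains braces are skipped.
LOCATION_RE = re.compile(r"location\s+(?:(=|\^~|~\*?)\s+)?(\S+)\s*\{([^{}]*)\}")

def parse_locations(conf):
    """Return (modifier, pattern, has_proxy_pass) for each location block."""
    return [(m.group(1) or "", m.group(2), "proxy_pass" in m.group(3))
            for m in LOCATION_RE.finditer(conf)]

def select_location(locations, path):
    """Simplified nginx choice: exact, longest prefix (final if ^~), first regex."""
    best = None
    for loc in locations:
        mod, pat, _ = loc
        if mod == "=" and path == pat:
            return loc
        if mod in ("", "^~") and path.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = loc
    if best and best[0] == "^~":
        return best
    for loc in locations:
        mod, pat, _ = loc
        if mod.startswith("~") and re.search(pat, path, re.I if mod == "~*" else 0):
            return loc
    return best

def exposure(conf):
    """Map each probe to True when nginx would forward it to Synapse."""
    locs = parse_locations(conf)
    chosen = {name: select_location(locs, path) for name, path in PROBES.items()}
    return {name: bool(loc and loc[2]) for name, loc in chosen.items()}

if __name__ == "__main__":
    for label, conf in [("issue", ISSUE_CONF), ("comment fix", COMMENT_FIX), ("narrow", NARROW)]:
        print(f"{label:12} {exposure(conf)}")
```

A path that no location forwards falls through to nginx itself, which is the 404 reported in the issue.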

clokep closed this as not planned on Jun 19, 2023