Hookshot fails to display configuration widget
Issue
- While trying to load the hookshot configuration widget, I get:
Error occured during widget load: Could not contact your homeserver. Your instance may be misconfigured.
Environment
- Element Enterprise Installer 2022-10.01
- Integrator Installed
- Hookshot Installed
Resolution
You will need to rewrite the Disallowed IP list into the hookshot config so as not to include your IP address's range. Assuming that your IP address was in the 192.168.122.0/24 range, you could add the following to CONFIG_DIR/hookshot/hookshot.yml:
disallowed_ip_ranges:
- 127.0.0.0/8
- 10.0.0.0/8
- 172.16.0.0/12
- 100.64.0.0/10
- 169.254.0.0/16
- 192.88.99.0/24
- 198.18.0.0/15
- 192.0.2.0/24
- 198.51.100.0/24
- 203.0.113.0/24
- 224.0.0.0/4
- ::1/128
- fe80::/10
- fc00::/7
- 2001:db8::/32
- ff00::/8
- fec0::/10
After this, you would re-run the installer. This removes all ranges that are closely related to the 192.168.122.0/24 subnet. You will need to adjust this for your particular use case. To build the above list, we took the list mentioned in the root cause and edited it down.
Root Cause
Looking at the logs for hookshot while attempting this configuration (kubectl logs -n element-onprem instance-hookshot-0
) shows:
INFO 18:04:13:625 [Appservice] 10.1.108.141 - - [11/Oct/2022:18:04:13 +0000] "PUT /transactions/133?access_token=%3Credacted%3E HTTP/1.1" 200 2 "-" "Synapse/1.65.0"
Oct-11 18:04:21.668 WARN ProvisioningApi Failed to fetch the server URL for element.demo ApiError: API error M_AS_BAD_OPENID: Server is disallowed
at ProvisioningApi.checkIpBlacklist (/bin/matrix-hookshot/node_modules/matrix-appservice-bridge/lib/provisioning/api.js:235:19)
at async ProvisioningApi.postExchangeOpenId (/bin/matrix-hookshot/node_modules/matrix-appservice-bridge/lib/provisioning/api.js:259:17) {
error: 'Server is disallowed',
errcode: 'M_AS_BAD_OPENID',
statusCode: 500,
additionalContent: {}
}
Oct-11 18:04:21.668 ERROR ProvisioningApi ApiError: API error M_AS_BAD_OPENID: Could not identify server url
at ProvisioningApi.postExchangeOpenId (/bin/matrix-hookshot/node_modules/matrix-appservice-bridge/lib/provisioning/api.js:264:19) {
error: 'Could not identify server url',
errcode: 'M_AS_BAD_OPENID',
statusCode: 500,
additionalContent: {}
}
The "Server is disallowed" message tells us that the IP address of synapse is disallowed by hookshot. Hookshot has a default list of disallowed IPs as documented here: https://github.com/matrix-org/matrix-hookshot/blob/b491ad1e076cf0922e041506f69623352dfa1463/docs/advanced/widgets.md#configuration to prevent Server Side Request Forgery. If your IP address is in that list, then you will need to redefine the disallow list to not include your IP range.