[GH-ISSUE #383] Getting Matrix gateway error on self-hosted instance, ntfy claims push key is not prefixed with base URL #295

New issue

Closed

opened 2026-05-07 00:22:43 +02:00 by BreizhHardware · 10 comments

BreizhHardware commented 2026-05-07 00:22:43 +02:00

Owner

Copy link

Originally created by @christophehenry on GitHub (Aug 18, 2022).
Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/383

I run a self hosted ntfy and have try to get Element Android to work with is for the last few days. Today, setting the log level to TRACE, I can see the following in ntfy logs:

Aug 18 13:36:59: {"notification":{"event_id":"$THIS_IS_A_FAKE_EVENT_ID","devices":[{"app_id":"im.vector.app.android","pushkey":"https://<ntfy.domain>/<notifcation_path>?up=1"}]}}
Aug 18 13:36:59: DEBUG HTTP POST /_matrix/push/v1/notify Matrix gateway error: message with push key "https://<ntfy.domain>/<notifcation_path>?up=1 rejected: invalid request: push key must be prefixed with base URL

I don't understand why I'm getting this error, the server is correctly configured as followed:

base-url: "https://<ntfy.domain>"
listen-http: ":8008"
# Runs behind an Apache proxy
behind-proxy: true

where <ntfy.domain> corresponds to my self-hosted ntfy domain.

Can you please tell me what's going on here?

Originally created by @christophehenry on GitHub (Aug 18, 2022). Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/383 I run a self hosted ntfy and have try to get Element Android to work with is for the last few days. Today, setting the log level to `TRACE`, I can see the following in ntfy logs: ``` Aug 18 13:36:59: {"notification":{"event_id":"$THIS_IS_A_FAKE_EVENT_ID","devices":[{"app_id":"im.vector.app.android","pushkey":"https://<ntfy.domain>/<notifcation_path>?up=1"}]}} Aug 18 13:36:59: DEBUG HTTP POST /_matrix/push/v1/notify Matrix gateway error: message with push key "https://<ntfy.domain>/<notifcation_path>?up=1 rejected: invalid request: push key must be prefixed with base URL ``` I don't understand why I'm getting this error, the server is correctly configured as followed: ``` base-url: "https://<ntfy.domain>" listen-http: ":8008" # Runs behind an Apache proxy behind-proxy: true ``` where `<ntfy.domain>` corresponds to my self-hosted ntfy domain. Can you please tell me what's going on here?

BreizhHardware 2026-05-07 00:22:43 +02:00

• closed this issue
• added the
  🪲 bug
  server
  labels

BreizhHardware commented 2026-05-07 00:22:44 +02:00

Author

Owner

Copy link

@binwiederhier commented on GitHub (Aug 18, 2022):

This is quite odd. This error message only happens in one case:

pushKey := m.Notification.Devices[0].PushKey // We ignore other devices for now, see discussion in #316
	if !strings.HasPrefix(pushKey, baseURL+"/") {
		return nil, &errMatrix{pushKey: pushKey, err: errHTTPBadRequestMatrixPushkeyBaseURLMismatch}
	}

So something's not right, either in your example or your config. Check "http" vs "https", and make sure you restarted the server.

<!-- gh-comment-id:1219659730 --> @binwiederhier commented on GitHub (Aug 18, 2022): This is quite odd. This error message only happens in one case: ``` go pushKey := m.Notification.Devices[0].PushKey // We ignore other devices for now, see discussion in #316 if !strings.HasPrefix(pushKey, baseURL+"/") { return nil, &errMatrix{pushKey: pushKey, err: errHTTPBadRequestMatrixPushkeyBaseURLMismatch} } ``` So something's not right, either in your example or your config. Check "http" vs "https", and make sure you restarted the server.

BreizhHardware commented 2026-05-07 00:22:44 +02:00

Author

Owner

Copy link

@christophehenry commented on GitHub (Aug 18, 2022):

Unfortunatly, setting base-url: "http://<ntfy.domain>" doesn't solve the problem. Here is the full log trace:

Aug 18 17:26:14 ntfy[768]: DEBUG [retracted IP] HTTP POST /_matrix/push/v1/notify Dispatching request
Aug 18 17:26:14 ntfy[768]: TRACE [retracted IP] HTTP POST /_matrix/push/v1/notify Entire request (headers and body):
Aug 18 17:26:14 ntfy[768]: POST /_matrix/push/v1/notify HTTP/1.1
Aug 18 17:26:14 ntfy[768]: Connection: close
Aug 18 17:26:14 ntfy[768]: X-Forwarded-Host: <ntfy.domain>
Aug 18 17:26:14 ntfy[768]: X-Forwarded-Server: <ntfy.domain>
Aug 18 17:26:14 ntfy[768]: Content-Type: application/json; charset=UTF-8
Aug 18 17:26:14 ntfy[768]: Accept-Encoding: gzip
Aug 18 17:26:14 ntfy[768]: X-Forwarded-For: [retracted IP]
Aug 18 17:26:14 ntfy[768]: Content-Length: 159
Aug 18 17:26:14 ntfy[768]: User-Agent: Element/1.4.32 
Aug 18 17:26:14 ntfy[768]: {"notification":{"event_id":"$THIS_IS_A_FAKE_EVENT_ID","devices":[{"app_id":"im.vector.app.android","pushkey":"https://<ntfy.domain>/<notifcation_path>?up=1"}]}}
Aug 18 17:26:14 ntfy[768]: DEBUG [retracted IP] HTTP POST /_matrix/push/v1/notify Matrix gateway error: message with push key https://<ntfy.domain>/<notifcation_path>?up=1 rejected: invalid request: push key must be prefixed with base URL

Here is the full updated configuration:

base-url: "http://<ntfy.domain>"
listen-http: ":8008"
cache-startup-queries: |
  pragma journal_mode = WAL;
  pragma synchronous = normal;
  pragma temp_store = memory;
cache-file: /var/cache/ntfy/cache.db
cache-duration: "12h"
behind-proxy: true
attachment-cache-dir: /var/cache/ntfy/attachments
attachment-total-size-limit: "5G"
attachment-file-size-limit: "15M"
attachment-expiry-duration: "24h"
log-level: TRACE

Note that despite running behind Apache, encryption stops at the reverse proxy.

<!-- gh-comment-id:1219762314 --> @christophehenry commented on GitHub (Aug 18, 2022): Unfortunatly, setting `base-url: "http://<ntfy.domain>"` doesn't solve the problem. Here is the full log trace: ``` Aug 18 17:26:14 ntfy[768]: DEBUG [retracted IP] HTTP POST /_matrix/push/v1/notify Dispatching request Aug 18 17:26:14 ntfy[768]: TRACE [retracted IP] HTTP POST /_matrix/push/v1/notify Entire request (headers and body): Aug 18 17:26:14 ntfy[768]: POST /_matrix/push/v1/notify HTTP/1.1 Aug 18 17:26:14 ntfy[768]: Connection: close Aug 18 17:26:14 ntfy[768]: X-Forwarded-Host: <ntfy.domain> Aug 18 17:26:14 ntfy[768]: X-Forwarded-Server: <ntfy.domain> Aug 18 17:26:14 ntfy[768]: Content-Type: application/json; charset=UTF-8 Aug 18 17:26:14 ntfy[768]: Accept-Encoding: gzip Aug 18 17:26:14 ntfy[768]: X-Forwarded-For: [retracted IP] Aug 18 17:26:14 ntfy[768]: Content-Length: 159 Aug 18 17:26:14 ntfy[768]: User-Agent: Element/1.4.32 Aug 18 17:26:14 ntfy[768]: {"notification":{"event_id":"$THIS_IS_A_FAKE_EVENT_ID","devices":[{"app_id":"im.vector.app.android","pushkey":"https://<ntfy.domain>/<notifcation_path>?up=1"}]}} Aug 18 17:26:14 ntfy[768]: DEBUG [retracted IP] HTTP POST /_matrix/push/v1/notify Matrix gateway error: message with push key https://<ntfy.domain>/<notifcation_path>?up=1 rejected: invalid request: push key must be prefixed with base URL ``` Here is the full *updated* configuration: ``` base-url: "http://<ntfy.domain>" listen-http: ":8008" cache-startup-queries: | pragma journal_mode = WAL; pragma synchronous = normal; pragma temp_store = memory; cache-file: /var/cache/ntfy/cache.db cache-duration: "12h" behind-proxy: true attachment-cache-dir: /var/cache/ntfy/attachments attachment-total-size-limit: "5G" attachment-file-size-limit: "15M" attachment-expiry-duration: "24h" log-level: TRACE ``` Note that despite running behind Apache, encryption stops at the reverse proxy.

BreizhHardware commented 2026-05-07 00:22:44 +02:00

Author

Owner

Copy link

@binwiederhier commented on GitHub (Aug 18, 2022):

base-url: "http://<ntfy.domain>"
error: message with push key https://<ntfy.domain>/<notifcation_path>?up=1 rejected
Check "http" vs "https"

Just like I said, HTTP/HTTPS mismatch :-)

<!-- gh-comment-id:1219794723 --> @binwiederhier commented on GitHub (Aug 18, 2022): > base-url: "**http**://<ntfy.domain>" > error: message with push key **https**://<ntfy.domain>/<notifcation_path>?up=1 rejected > Check "http" vs "https" Just like I said, HTTP/HTTPS mismatch :-)

BreizhHardware commented 2026-05-07 00:22:44 +02:00

Author

Owner

Copy link

@binwiederhier commented on GitHub (Aug 18, 2022):

base-url is the externally visible URL. It doesn't matter where SSL is terminated.

<!-- gh-comment-id:1219795231 --> @binwiederhier commented on GitHub (Aug 18, 2022): `base-url` is the externally visible URL. It doesn't matter where SSL is terminated.

BreizhHardware commented 2026-05-07 00:22:45 +02:00

Author

Owner

Copy link

@christophehenry commented on GitHub (Aug 18, 2022):

You told me to update my config to try http which is why I specifically mentioned "updated configuration". But neither http nor https. I get the same message either way.

<!-- gh-comment-id:1219852117 --> @christophehenry commented on GitHub (Aug 18, 2022): You told me to update my config to try `http` which is why I specifically mentioned "*updated* configuration". But neither `http` nor `https`. I get the same message either way.

BreizhHardware commented 2026-05-07 00:22:45 +02:00

Author

Owner

Copy link

@binwiederhier commented on GitHub (Aug 18, 2022):

Does your base URL contain a / at the end? If so, remove it.

Idk what to tell you. The snippet above shows the code it's executing. You can try to compile your own binary and see what ntfy thinks the push key is

<!-- gh-comment-id:1219861792 --> @binwiederhier commented on GitHub (Aug 18, 2022): Does your base URL contain a / at the end? If so, remove it. Idk what to tell you. The snippet above shows the code it's executing. You can try to compile your own binary and see what ntfy thinks the push key is

BreizhHardware commented 2026-05-07 00:22:45 +02:00

Author

Owner

Copy link

@christophehenry commented on GitHub (Aug 18, 2022):

No, no trainling slash. Alright, let's write some Go, then!

<!-- gh-comment-id:1219987117 --> @christophehenry commented on GitHub (Aug 18, 2022): No, no trainling slash. Alright, let's write some Go, then!

BreizhHardware commented 2026-05-07 00:22:45 +02:00

Author

Owner

Copy link

@christophehenry commented on GitHub (Aug 19, 2022):

Ok, I know what was going on. The problem was not the code but the configuration in /etc/ntfy/server.yml which, somehow, doesn't get reloaded when doing systemctl reload ntfy or systemctl restart ntfy. This morning, while testing #384, I did a full systemctl stop ntfy && systemctl start ntfy. Only after that did the configuration change worked. I repeated the operation multiple time and I can confirm that systemctl reload ntfy or systemctl restart ntfy do not force reload /etc/ntfy/server.yml. At least on Fedora.

Still I propose #384 because I think this is a valuable change.

<!-- gh-comment-id:1220493908 --> @christophehenry commented on GitHub (Aug 19, 2022): Ok, I know what was going on. The problem was not the code but the configuration in `/etc/ntfy/server.yml` which, somehow, doesn't get reloaded when doing `systemctl reload ntfy` or `systemctl restart ntfy`. This morning, while testing #384, I did a full `systemctl stop ntfy && systemctl start ntfy`. Only after that did the configuration change worked. I repeated the operation multiple time and I can confirm that `systemctl reload ntfy` or `systemctl restart ntfy` do not force reload `/etc/ntfy/server.yml`. At least on Fedora. Still I propose #384 because I think this is a valuable change.

BreizhHardware commented 2026-05-07 00:22:45 +02:00

Author

Owner

Copy link

@binwiederhier commented on GitHub (Aug 19, 2022):

systemctl reload ntfy only reloads the log level (it's in the docs, but buried). systemctl restart ntfy should absolutely and totally restart the binary. The service file doesn't do anything special, so systemd should just send a SIGKILL and restart the binary. Maybe look at journalctl to see if there are clues.

<!-- gh-comment-id:1220992821 --> @binwiederhier commented on GitHub (Aug 19, 2022): `systemctl reload ntfy` only reloads the log level (it's in the docs, but buried). `systemctl restart ntfy` should absolutely and totally restart the binary. The service file doesn't do anything special, so systemd should just send a SIGKILL and restart the binary. Maybe look at `journalctl` to see if there are clues.

BreizhHardware commented 2026-05-07 00:22:45 +02:00

Author

Owner

Copy link

@christophehenry commented on GitHub (Aug 21, 2022):

Never mind. systemctl restart ntfy works correctly. I really don't understand where I messed up, but at some point, I really believe I had the correct configuration but ntfy still wouldn't work event with a systemctl restart ntfy. Sorry for the noise.

<!-- gh-comment-id:1221564798 --> @christophehenry commented on GitHub (Aug 21, 2022): Never mind. `systemctl restart ntfy` works correctly. I really don't understand where I messed up, but at some point, I really believe I had the correct configuration but ntfy still wouldn't work event with a `systemctl restart ntfy`. Sorry for the noise.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

dependabot/npm_and_yarn/web/fast-uri-3.1.2

email-verification

attachment-no-http2

attachment-fixes

attachment-s3

config-generator

postgres-replica

dockers-v2

postgres-support

postgres-webpush+user+message

postgres-webpush+user

postgres-webpush

1364-copy-action

crashfix

user-header

scalar-api-docs

cancel-scheduled

update-available

windows-server

303-update-notifications

postgres

admin-ui

require-login

http-clipboard

message-cache-lock

debian-stripe

predefined-users

busy-timeout

template-dir

ipv6

client-ip-header

apns-fix

feat_optional_require_login

security-updates

pg-message-cache

templating-disallow

templating-3

templating-2

message-size-limit+delay-limit

remove-rate-topics

html-emails

cf-priority

acl-underscores

auth-user-header

markdown

img-attach

web-improvements

utf8-headers

matrix-507-reject

http-response-writer

new-homepage-design

e2e

canary

windows

electron

update-messages

webhook-templating

v2.22.0

v2.21.0

v2.20.1

v2.20.0

v2.19.2

v2.19.1

v2.19.0

v2.18.0

v2.17.0

v2.16.0

v2.15.0

v2.14.0

v2.13.0

v2.12.0

v2.11.0

v2.10.0

v2.9.0

v2.8.0

v2.7.0

v2.6.2

v2.6.1

v2.6.0

v2.5.0

v2.4.0

v2.3.1

v2.3.0

v2.2.0

v2.1.2

v2.1.1

v2.1.0

v2.0.1

v2.0.0

v1.31.0

v1.30.1

v1.29.1

v1.29.0

v1.28.0

v1.27.2

v1.27.1

v1.26.0

v1.25.2

v1.25.1

v1.25.0

v1.24.0

v1.23.0

v1.22.0

v1.21.2

v1.21.1

v1.21.0

v1.20.0

v1.19.0

v1.18.1

v1.18.0

v1.17.1

v1.17.0

v1.16.0

v1.15.0

v1.14.1

v1.14.0

v1.13.0

v1.12.1

v1.12.0

v1.11.1

v1.11.2

v1.11.0

v1.10.0

v1.9.0

v1.8.0

v1.7.0

v1.6.1

v1.6.0

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.8

v1.4.7

v1.4.6

v1.4.5

v1.4.4

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.3.2

v1.3.3

v1.3.1

v1.3.0

v1.2.5

v1.2.4

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.0

v0.0.5

v0.0.4

v0.0.3

v0.0.2

v0.0.1

Labels

Clear labels   

ai-generated

  

android-app

  

android-app

  

android-app

  

🪲 bug

  

build

  

build

  

dependencies

  

docs

  

enhancement

  

enhancement

  

🔥 HOT

  

in-progress 🏃

  

ios

  

prio:low

  

prio:low

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

🔒 security

  

server

  

server

  

unified-push

  

web-app

  

website

No labels

ai-generated

android-app

android-app

android-app

🪲 bug

build

build

dependencies

docs

enhancement

enhancement

🔥 HOT

in-progress 🏃

ios

prio:low

prio:low

pull-request

question

🔒 security

server

server

unified-push

web-app

website

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/ntfy#295

No description provided.