[GH-ISSUE #982] Matrix push gateway doesn't send/receive notification from the clients in SchildiChat: Self-hosting, reverse proxy, unix-socket #688

Closed
opened 2026-05-07 00:26:36 +02:00 by BreizhHardware · 3 comments

Originally created by @michalszmidt on GitHub (Dec 18, 2023).
Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/982

🐞 Describe the bug

Matrix push gateway doesn't send/receive notification from the clients in SchildiChat

💻 Components impacted

  • SchildiChat Matrix Client
  • ntfy server
  • nginx reverse proxy

💡 Screenshots and/or logs

  • ntfy log: error=ParseAddr(""): unable to parse IP, http_method=GET
  • ntfy log 2: same as ^ but with 0.0.0.0 in ParseAddr
  • SchildiChat Android: java.lang.RuntimeException: HTTP 403:

```json
{
  "code": 40301,
  "http": 403,
  "error": "forbidden",
  "link": "https://ntfy.sh/docs/publish/#authentication"
}
```

🔮 Additional context

  • FreeBSD 14.0
  • ntfy 2.7.0
  • nginx 1.25.3
  • dendrite 0.13.4
  • acl was configured to allow up* for user my_user_formatted (also tested with * all topics)
  • ntfy android app succeeds with some manually subscribed topic like up-test, test notification works (method: websocket)

ntfy config:

```yaml
base-url: "https://my-domain-formatted"
attachment-cache-dir: "/usr/local/etc/ntfy/cache"
attachment-total-size-limit: "4G"
attachment-file-size-limit: "40M"
attachment-expiry-duration: "6h"
visitor-attachment-total-size-limit: "500M"
visitor-attachment-daily-bandwidth-limit: "1G"
auth-file: "/usr/local/etc/ntfy/user.db"
auth-default-access: "deny-all"
listen-http: "-"
listen-unix: "/var/sockets/ntfy/ntfy.sock"
behind-proxy: true
listen-unix-mode: 0777
log-level: info
log-format: text
log-file: /var/log/ntfy/ntfy.log
```

nginx config of :

```nginx
upstream ntfysock {
	server unix:/var/sockets/ntfy/ntfy.sock;
}

server {
  listen 443 ssl;
  http2 on;

  server_name mydomain
  ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
  ssl_certificate /usr/local/etc/letsencrypt/live/mydomain/fullchain.pem;
  ssl_certificate_key /usr/local/etc/letsencrypt/live/mydomain/privkey.pem;
  include /usr/local/etc/letsencryptoptions-ssl-nginx.conf;
  ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem;

  location / {
    proxy_pass http://ntfysock;
    proxy_http_version 1.1;

#    proxy_buffering off;
#    proxy_request_buffering off;
#    proxy_redirect off;

    proxy_set_header Host $http_host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    proxy_connect_timeout 3m;
    proxy_send_timeout 3m;
    proxy_read_timeout 3m;

    client_max_body_size 0; # Stream request body to backend
  }
}

server {
    if ($host = mydomain) {
        return 301 https://$host$request_uri;
    }

        listen 80;
        server_name
    return 404;
}
```

other variation of http server was tested, just copy-paste from documentation config

The only thing different I need from the common use scenario is:

  • https only communication client-server

Guess what might be the problem:

  1. nginx config for http and redirect to https
  2. http request made by schildichat with http not https
  3. ntfy server with unix socket listening
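
Added example (not part of the original issue and not ntfy's own code): the logged `ParseAddr(""): unable to parse IP` is the error Go's `netip.ParseAddr` returns for an empty string. The Go code below reproduces it for an empty peer address and falls back to the last `X-Forwarded-For` entry, the one nginx's `$proxy_add_x_forwarded_for` appends itself. The helpers `peerIP` and `clientIP` are hypothetical, the inputs are constructed, and it is an assumption that a Unix-socket connection presents an empty peer address.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// peerIP parses the transport-level peer address of a request.
// Assumption: on a Unix-socket listener there is no IP peer, so the
// address string is empty and parsing fails.
func peerIP(remoteAddr string) (netip.Addr, error) {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // not "host:port", e.g. "" from a Unix socket
	}
	return netip.ParseAddr(host)
}

// clientIP (hypothetical helper) chooses the address used for rate limiting
// and logging. X-Forwarded-For is consulted only when behindProxy is set,
// and only its last entry is used: earlier entries are client-supplied,
// the last one is appended by the trusted proxy.
func clientIP(remoteAddr, xff string, behindProxy bool) (netip.Addr, error) {
	if behindProxy && xff != "" {
		parts := strings.Split(xff, ",")
		last := strings.TrimSpace(parts[len(parts)-1])
		if ip, err := netip.ParseAddr(last); err == nil {
			return ip, nil
		}
	}
	return peerIP(remoteAddr)
}

func main() {
	// Constructed inputs: {remoteAddr, X-Forwarded-For}.
	cases := [][2]string{
		{"", ""},                          // Unix socket, header missing
		{"", "198.51.100.7, 203.0.113.9"}, // Unix socket, proxy appended peer
		{"192.0.2.10:41234", ""},          // plain TCP listener
	}
	for _, c := range cases {
		ip, err := clientIP(c[0], c[1], true)
		fmt.Printf("remote=%q xff=%q -> ip=%v err=%v\n", c[0], c[1], ip, err)
	}
}
```

With `listen-unix-mode: 0777` any local account can connect to the socket directly and supply its own `X-Forwarded-For`, so the header is only as trustworthy as the socket's permissions.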
BreizhHardware 2026-05-07 00:26:36 +02:00: closed this issue; added the 🪲 bug label

@escix commented on GitHub (Nov 22, 2024):

Notification works when the up* is given read-write access


@michalszmidt commented on GitHub (Dec 31, 2024):

had up* rw

I have no idea then ;) I applied some workaround.


@escix commented on GitHub (Jan 1, 2025):

--
