content

Apparently, the Tuwunel documentation for the NGINX reverse proxy configuration is wrong. It sets up the routes /sfu/get and /healthz to forward to the JWT service:

    location ~ ^(/sfu/get|/healthz) {
        proxy_pass http://localhost:8081;

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

But looking at the lk-jwt-service repository, you can see that /get_token is another endpoint that needs to be served:

    func (h *Handler) prepareMux() *http.ServeMux {

        mux := http.NewServeMux()
        mux.HandleFunc("/sfu/get", h.handle_legacy) // TODO: This is deprecated and will be removed in future versions
        mux.HandleFunc("/get_token", h.handle)
        mux.HandleFunc("/healthz", h.healthcheck)

        return mux
    }

So, the NGINX config for the JWT service should actually be:

    location ~ ^(/sfu/get|/get_token|/healthz) {
        proxy_pass http://localhost:8081;

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
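
As an added example (not code from the Tuwunel docs or lk-jwt-service), this Go program checks a location regex against the routes registered in prepareMux and lists any route the proxy would not forward. The handlers are stubs, the probe path list is constructed, and it assumes Go's regexp treats these simple patterns the same way NGINX's regex engine does.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// Location regexes copied from the two NGINX configs on this page.
const docLocation = `^(/sfu/get|/healthz)`
const fixedLocation = `^(/sfu/get|/get_token|/healthz)`

// stubMux registers the same patterns as prepareMux, with placeholder handlers.
func stubMux() *http.ServeMux {
	ok := func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) }
	mux := http.NewServeMux()
	for _, p := range []string{"/sfu/get", "/get_token", "/healthz"} {
		mux.HandleFunc(p, ok)
	}
	return mux
}

// servedByMux reports whether the mux has a handler for path (anything but 404).
func servedByMux(mux *http.ServeMux, path string) bool {
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code != http.StatusNotFound
}

// Unproxied returns the paths that the service handles but that the
// location regex does not match, so NGINX would never forward them.
func Unproxied(location string, paths []string) []string {
	re := regexp.MustCompile(location)
	mux := stubMux()
	var missing []string
	for _, p := range paths {
		if servedByMux(mux, p) && !re.MatchString(p) {
			missing = append(missing, p)
		}
	}
	return missing
}

func main() {
	paths := []string{"/sfu/get", "/get_token", "/healthz", "/"} // constructed probe list
	fmt.Println("documented config misses:", Unproxied(docLocation, paths))
	fmt.Println("fixed config misses:     ", Unproxied(fixedLocation, paths))
}
```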

After fixing this, testmatrix.py reports the expected result for /get_token:

    exodrifter@rain ~/w/e/testmatrix (main)> python3 test_matrix.py tsuki.games
    Testing server tsuki.games
      Federation url: https://matrix.tsuki.games:443
    ✔ Server well-known exists
    ✔ Client well-known redirect #1 has proper CORS header
    ✔ Client well-known has proper CORS header
      Client url: https://matrix.tsuki.games/
      Adding livekit service URL: https://matrix-rtc.tsuki.games
    ✔ Server version: Tuwunel (1.5.0)
    ✔ Federation API endpoints seem to work fine
    ✔ Client API endpoints seem to work fine
      QR code login is disabled (MSC 4108)
      Public room directory is disabled
    ✔ MatrixRTC SFU configured
      JWTauth healtz url: https://matrix-rtc.tsuki.games
      jwt has no CORS header (that is OK)
    ✔ JWTauth responds
    ✔ jwt /get_token without auth returns (405). This is good!
      jwt: no credentials passed, not trying authed requests
    𐄂 MatrixRTC configured but delayed events turned off (MSC4140). BAD!
    ✔ Room summaries (MSC3266) support in matrix compat v1.15
    ✔ Room summaries stable support works
    ✔ Direct registration and guest access forbidden per se 👍

meta

created:

backlinks: 20260221104212 t/suki logs

commit: c7b114df