From 712590af692315ffb87a3043451827195c9b99fe Mon Sep 17 00:00:00 2001 From: Hans van Zijst Date: Mon, 30 Dec 2024 15:31:49 +0100 Subject: [PATCH] Added maps.conf and a bit of proxy information. --- matrix/nginx/workers/README.md | 39 ++++++++++++++++++------- matrix/nginx/workers/maps.conf | 52 ++++++++++++++++++++++++++++++++++ 2 files changed, 81 insertions(+), 10 deletions(-) create mode 100644 matrix/nginx/workers/maps.conf diff --git a/matrix/nginx/workers/README.md b/matrix/nginx/workers/README.md index eae73d1..68975d7 100644 --- a/matrix/nginx/workers/README.md +++ b/matrix/nginx/workers/README.md @@ -71,9 +71,18 @@ tcp_nodelay on; server_tokens off; ``` -For every `proxy_forward` we want to configure several settings, and because -we don't want to include the same list of settings every time, we put all of -them in one snippet of code, that we can include every time we need it. +We set a few proxy settings that we use in proxy_forwards other than to our +workers, save this to `conf.d/proxy_optimize.conf`: + +``` +proxy_buffer_size 128k; +proxy_buffers 4 256k; +proxy_busy_buffers_size 256k; +``` + +For every `proxy_forward` to our workers, we want to configure several settings, +and because we don't want to include the same list of settings every time, we put +all of them in one snippet of code, that we can include every time we need it. Create `/etc/nginx/snippets/proxy.conf` and put this in it: @@ -100,7 +109,7 @@ client_max_body_size 50M; Every time we use a `proxy_forward`, we include this snippet. -# Maps +# Maps {#maps} A map sets a variable based on, usually, another variable. One case we use this is in determining the type of sync a client is doing. A normal sync, simply @@ -142,6 +151,8 @@ After this mapping, we forward the request to the correct worker like this: proxy_pass http://$sync; ``` +See a complete example of maps in the file [maps.conf](maps.conf). + # Upstreams 
@@ -151,15 +162,22 @@ Such a server is the inbound UNIX socket of a worker, and there can be several of them in one group. Let's start with a simple one, the `login` worker, that handles the login -process for clients. +process for clients. There's only one worker, so only one socket: ``` -login worker komt hier... +upstream login { + server unix:/run/matrix-synapse/inbound_login.sock max_fails=0; + keepalive 10; +} ``` +Ater this definition, we can forward traffic to `login`. What traffic to +forward is decided in the `location` statements, see further. -Two of these upstreams are the sync workers: `normal_sync` and `initial_sync`, -both consisting of several "servers": +A more complex example are the sync workers. Under [#Maps] we split sync +requests into two different types; those different types are handled by +different worker pools. In our case we have 2 workers for the initial_sync +requests, and 3 for the normal ones: ``` upstream initial_sync { @@ -178,8 +196,9 @@ upstream normal_sync { } ``` -The `hash` bit is to make sure requests are always forwarded to the same -worker. +The `hash` bit is to make sure that request from one user are consistently +forwarded to the same worker. We filled the variable `$mxid_localpart` in the +maps. # Locations diff --git a/matrix/nginx/workers/maps.conf b/matrix/nginx/workers/maps.conf new file mode 100644 index 0000000..350fb1f --- /dev/null +++ b/matrix/nginx/workers/maps.conf 
@@ -0,0 +1,52 @@
+# List of allowed origins, can only send one.
+map $http_origin $allow_origin {
+ ~^https?://element.example.com$ $http_origin;
+ ~^https?://call.example.com$ $http_origin;
+ ~^https?://someserver.example.com$ $http_origin;
+ # NGINX won't set empty string headers, so if no match, header is unset.
+ default "";
+}
+
+# Client username from MXID
+map $http_authorization $mxid_localpart {
+ default $http_authorization;
+ "~Bearer syt_(?.*?)_.*" $username;
+ "" $accesstoken_from_urlparam;
+}
+
+# Whether to upgrade HTTP connection
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+#Extract room name from URI
+map $request_uri $room_name {
+ default "not_room";
+ "~^/_matrix/(client|federation)/.*?(?:%21|!)(?[\s\S]+)(?::|%3A)(?[A-Za-z0-9.\-]+)" "!$room:$domain";
+}
+
+# Choose sync worker based on the existence of "since" query parameter
+map $arg_since $sync {
+ default normal_sync;
+ '' initial_sync;
+}
+
+# Extract username from access token passed as URL parameter
+map $arg_access_token $accesstoken_from_urlparam {
+ # Defaults to just passing back the whole accesstoken
+ default $arg_access_token;
+ # Try to extract username part from accesstoken URL parameter
+ "~syt_(?.*?)_.*" $username;
+}
+
+# Extract username from access token passed as authorization header
+map $http_authorization $mxid_localpart {
+ # Defaults to just passing back the whole accesstoken
+ default $http_authorization;
+ # Try to extract username part from accesstoken header
+ "~Bearer syt_(?.*?)_.*" $username;
+ # if no authorization-header exist, try mapper for URL parameter "access_token"
+ "" $accesstoken_from_urlparam;
+}
+
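Review bot: The `$allow_origin` allowlist at the top of the hunk is looser than it looks: the dots in `~^https?://element.example.com$` are unescaped, so an Origin such as `https://elementXexample.com` (a domain anyone can register) also matches and, per the comment on that map, gets reflected into the CORS response header, while `https?` additionally lets a plain-HTTP origin through. Escape the dots and pin the scheme, e.g. `~^https://element\.example\.com$ $http_origin;`, and do the same for the `call` and `someserver` entries. Separately, `map $http_authorization $mxid_localpart` is defined twice in this file (under "Client username from MXID" and again at the end); nginx treats map variables as changeable so the last definition silently wins, and the two copies will drift, so drop the first one. Finally, the named captures appear here as `(?.*?)` and `(?[\s\S]+)`, which PCRE would reject as written; this is presumably the group names (`<username>`, `<room>`, `<domain>`) lost in rendering, but it is worth confirming the committed file reads `(?<username>.*?)` and that the `$username`, `$room` and `$domain` references resolve.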