Added maps.conf and a bit of proxy information.

2024-12-30 15:31:49 +01:00 · 2024-12-30 15:31:49 +01:00 · 712590af69
commit 712590af69
parent 32989bb166
2 changed files with 81 additions and 10 deletions
--- a/matrix/nginx/workers/README.md
+++ b/matrix/nginx/workers/README.md
@ -71,9 +71,18 @@ tcp_nodelay on;
 server_tokens off;
 ```

-For every `proxy_forward` we want to configure several settings, and because
-we don't want to include the same list of settings every time, we put all of
-them in one snippet of code, that we can include every time we need it.
+We set a few proxy settings that we use in proxy_forwards other than to our
+workers, save this to `conf.d/proxy_optimize.conf`:
+
+```
+proxy_buffer_size 128k;
+proxy_buffers 4 256k;
+proxy_busy_buffers_size 256k;
+```
+
+For every `proxy_forward` to our workers, we want to configure several settings,
+and because we don't want to include the same list of settings every time, we put
+all of them in one snippet of code, that we can include every time we need it.

 Create `/etc/nginx/snippets/proxy.conf` and put this in it:

@ -100,7 +109,7 @@ client_max_body_size 50M;
 Every time we use a `proxy_forward`, we include this snippet.


-# Maps
+# Maps {#maps}

 A map sets a variable based on, usually, another variable. One case we use this
 is in determining the type of sync a client is doing. A normal sync, simply
@ -142,6 +151,8 @@ After this mapping, we forward the request to the correct worker like this:
 proxy_pass http://$sync;
 ```

+See a complete example of maps in the file [maps.conf](maps.conf).
+

 # Upstreams

@ -151,15 +162,22 @@ Such a server is the inbound UNIX socket of a worker, and there can be several
 of them in one group.

 Let's start with a simple one, the `login` worker, that handles the login
-process for clients.
+process for clients. There's only one worker, so only one socket:

 ```
-login worker komt hier...
+upstream login {
+    server unix:/run/matrix-synapse/inbound_login.sock max_fails=0;
+    keepalive 10;
+}
 ```

+Ater this definition, we can forward traffic to `login`. What traffic to
+forward is decided in the `location` statements, see further.

-Two of these upstreams are the sync workers: `normal_sync` and `initial_sync`,
-both consisting of several "servers":
+A more complex example are the sync workers. Under [#Maps] we split sync
+requests into two different types; those different types are handled by
+different worker pools. In our case we have 2 workers for the initial_sync
+requests, and 3 for the normal ones:

 ```
 upstream initial_sync {
@ -178,8 +196,9 @@ upstream normal_sync {
 }
 ```

-The `hash` bit is to make sure requests are always forwarded to the same
-worker.
+The `hash` bit is to make sure that request from one user are consistently
+forwarded to the same worker. We filled the variable `$mxid_localpart` in the
+maps.


 # Locations
--- a/matrix/nginx/workers/maps.conf
+++ b/matrix/nginx/workers/maps.conf
@ -0,0 +1,52 @@
+# List of allowed origins, can only send one.
+map $http_origin $allow_origin { 
+        ~^https?://element.example.com$ $http_origin;
+        ~^https?://call.example.com$ $http_origin;
+        ~^https?://someserver.example.com$ $http_origin;
+        # NGINX won't set empty string headers, so if no match, header is unset.
+        default "";
+}
+
+# Client username from MXID
+map $http_authorization $mxid_localpart {
+  default                           $http_authorization;
+  "~Bearer syt_(?<username>.*?)_.*" $username;
+  ""                                $accesstoken_from_urlparam;
+}
+
+# Whether to upgrade HTTP connection
+map $http_upgrade $connection_upgrade {
+  default upgrade;
+  '' close;
+}
+
+#Extract room name from URI
+map $request_uri $room_name {
+  default "not_room";
+  "~^/_matrix/(client|federation)/.*?(?:%21|!)(?<room>[\s\S]+)(?::|%3A)(?<domain>[A-Za-z0-9.\-]+)" "!$room:$domain";
+}
+
+# Choose sync worker based on the existence of "since" query parameter
+map $arg_since $sync {
+    default normal_sync;
+    '' initial_sync;
+}
+
+# Extract username from access token passed as URL parameter
+map $arg_access_token $accesstoken_from_urlparam {
+    # Defaults to just passing back the whole accesstoken
+    default   $arg_access_token;
+    # Try to extract username part from accesstoken URL parameter
+    "~syt_(?<username>.*?)_.*"           $username;
+}
+
+# Extract username from access token passed as authorization header
+map $http_authorization $mxid_localpart {
+    # Defaults to just passing back the whole accesstoken
+    default                              $http_authorization;
+    # Try to extract username part from accesstoken header
+    "~Bearer syt_(?<username>.*?)_.*"    $username;
+    # if no authorization-header exist, try mapper for URL parameter "access_token"
+    ""                                   $accesstoken_from_urlparam;
+}
+