Do not handle /_matrix/federation on client-server port, nor /_matrix/client stuff on federation port
I guess it didn't hurt to do it until now, but it's not great serving federation APIs on the client-server API port, etc. matrix-corporal doesn't work yet (still something to be solved in the future), but its firewalling operations will also be sabotaged by Client-Server APIs being served on the federation port (it's a way to get around its firewalling).
This commit is contained in:
parent
cc5cf0d725
commit
5ca68210cd
@ -975,8 +975,9 @@ matrix_nginx_proxy_synapse_presence_disabled: "{{ not matrix_synapse_use_presenc
|
|||||||
|
|
||||||
matrix_nginx_proxy_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}"
|
matrix_nginx_proxy_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}"
|
||||||
matrix_nginx_proxy_synapse_workers_list: "{{ matrix_synapse_workers_enabled_list }}"
|
matrix_nginx_proxy_synapse_workers_list: "{{ matrix_synapse_workers_enabled_list }}"
|
||||||
matrix_nginx_proxy_synapse_generic_worker_locations: "{{ matrix_synapse_workers_generic_worker_endpoints|default([]) }}"
|
matrix_nginx_proxy_synapse_generic_worker_client_server_locations: "{{ matrix_synapse_workers_generic_worker_client_server_endpoints }}"
|
||||||
matrix_nginx_proxy_synapse_media_repository_locations: "{{ matrix_synapse_workers_media_repository_endpoints|default([]) }}"
|
matrix_nginx_proxy_synapse_generic_worker_federation_locations: "{{ matrix_synapse_workers_generic_worker_federation_endpoints }}"
|
||||||
|
matrix_nginx_proxy_synapse_media_repository_locations: "{{matrix_synapse_workers_media_repository_endpoints|default([]) }}"
|
||||||
matrix_nginx_proxy_synapse_user_dir_locations: "{{ matrix_synapse_workers_user_dir_endpoints|default([]) }}"
|
matrix_nginx_proxy_synapse_user_dir_locations: "{{ matrix_synapse_workers_user_dir_endpoints|default([]) }}"
|
||||||
matrix_nginx_proxy_synapse_frontend_proxy_locations: "{{ matrix_synapse_workers_frontend_proxy_endpoints|default([]) }}"
|
matrix_nginx_proxy_synapse_frontend_proxy_locations: "{{ matrix_synapse_workers_frontend_proxy_endpoints|default([]) }}"
|
||||||
|
|
||||||
|
@ -324,7 +324,8 @@ matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: ['{{ ansible_def
|
|||||||
# synapse worker activation and endpoint mappings
|
# synapse worker activation and endpoint mappings
|
||||||
matrix_nginx_proxy_synapse_workers_enabled: false
|
matrix_nginx_proxy_synapse_workers_enabled: false
|
||||||
matrix_nginx_proxy_synapse_workers_list: []
|
matrix_nginx_proxy_synapse_workers_list: []
|
||||||
matrix_nginx_proxy_synapse_generic_worker_locations: []
|
matrix_nginx_proxy_synapse_generic_worker_client_server_locations: []
|
||||||
|
matrix_nginx_proxy_synapse_generic_worker_federation_locations: []
|
||||||
matrix_nginx_proxy_synapse_media_repository_locations: []
|
matrix_nginx_proxy_synapse_media_repository_locations: []
|
||||||
matrix_nginx_proxy_synapse_user_dir_locations: []
|
matrix_nginx_proxy_synapse_user_dir_locations: []
|
||||||
matrix_nginx_proxy_synapse_frontend_proxy_locations: []
|
matrix_nginx_proxy_synapse_frontend_proxy_locations: []
|
||||||
|
@ -109,14 +109,13 @@
|
|||||||
|
|
||||||
{% if generic_workers %}
|
{% if generic_workers %}
|
||||||
# https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappgeneric_worker
|
# https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappgeneric_worker
|
||||||
{% for location in matrix_nginx_proxy_synapse_generic_worker_locations %}
|
{% for location in matrix_nginx_proxy_synapse_generic_worker_client_server_locations %}
|
||||||
location ~ {{ location }} {
|
location ~ {{ location }} {
|
||||||
proxy_pass http://generic_worker_upstream$request_uri;
|
proxy_pass http://generic_worker_upstream$request_uri;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Forwarded-For $remote_addr;
|
proxy_set_header X-Forwarded-For $remote_addr;
|
||||||
}
|
}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
# FIXME: add GET ^/_matrix/federation/v1/groups/
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
{% if media_repository_workers %}
|
{% if media_repository_workers %}
|
||||||
@ -361,7 +360,7 @@ server {
|
|||||||
{% if matrix_nginx_proxy_synapse_workers_enabled %}
|
{% if matrix_nginx_proxy_synapse_workers_enabled %}
|
||||||
{% if generic_workers %}
|
{% if generic_workers %}
|
||||||
# https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappgeneric_worker
|
# https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappgeneric_worker
|
||||||
{% for location in matrix_nginx_proxy_synapse_generic_worker_locations %}
|
{% for location in matrix_nginx_proxy_synapse_generic_worker_federation_locations %}
|
||||||
location ~ {{ location }} {
|
location ~ {{ location }} {
|
||||||
proxy_pass http://generic_worker_upstream$request_uri;
|
proxy_pass http://generic_worker_upstream$request_uri;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
|
@ -8,3 +8,28 @@ matrix_synapse_role_executed: false
|
|||||||
|
|
||||||
matrix_synapse_media_store_parent_path: "{{ matrix_synapse_media_store_path|dirname }}"
|
matrix_synapse_media_store_parent_path: "{{ matrix_synapse_media_store_path|dirname }}"
|
||||||
matrix_synapse_media_store_directory_name: "{{ matrix_synapse_media_store_path|basename }}"
|
matrix_synapse_media_store_directory_name: "{{ matrix_synapse_media_store_path|basename }}"
|
||||||
|
|
||||||
|
# A Synapse generic worker can handle both federation and client-server API endpoints.
|
||||||
|
# We wish to split these, as we normally serve federation separately and don't want them mixed up.
|
||||||
|
#
|
||||||
|
# This is some ugly Ansible/Jinja2 hack (seen here: https://stackoverflow.com/a/47831492),
|
||||||
|
# which takes a list of various strings and removes the ones NOT containing `/_matrix/client` anywhere in them.
|
||||||
|
#
|
||||||
|
# We intentionally don't do a diff between everything possible (`matrix_synapse_workers_generic_worker_endpoints`) and `matrix_synapse_workers_generic_worker_federation_endpoints`,
|
||||||
|
# because `matrix_synapse_workers_generic_worker_endpoints` also contains things like `/_synapse/client/`, etc.
|
||||||
|
# While /_synapse/client/ endpoints are somewhat client-server API-related, they're:
|
||||||
|
# - neither part of the client-server API spec (and are thus, different)
|
||||||
|
# - nor always OK to forward to a worker (we're supposed to obey `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled`)
|
||||||
|
#
|
||||||
|
# It's also not too many of these APIs (only `^/_synapse/client/password_reset/email/submit_token$` at the time of this writing / 2021-01-24),
|
||||||
|
# so it's not that important whether we forward them or not.
|
||||||
|
#
|
||||||
|
# Basically, we aim to cover most things. Skipping `/_synapse/client` or a few other minor things doesn't matter too much.
|
||||||
|
matrix_synapse_workers_generic_worker_client_server_endpoints: "{{ matrix_synapse_workers_generic_worker_endpoints|default([]) | map('regex_search', '.*/_matrix/client.*')| list | difference([none]) }}"
|
||||||
|
|
||||||
|
# A Synapse generic worker can handle both federation and client-server API endpoints.
|
||||||
|
# We wish to split these, as we normally serve federation separately and don't want them mixed up.
|
||||||
|
#
|
||||||
|
# This is some ugly Ansible/Jinja2 hack (seen here: https://stackoverflow.com/a/47831492),
|
||||||
|
# which takes a list of various strings and removes the ones NOT containing `/_matrix/federation` anywhere in them.
|
||||||
|
matrix_synapse_workers_generic_worker_federation_endpoints: "{{ matrix_synapse_workers_generic_worker_endpoints|default([]) | map('regex_search', '.*/_matrix/federation.*')| list | difference([none]) }}"
|
||||||
|
Loading…
Reference in New Issue
Block a user