Route MAS traffic via nginx

When MAS is enabled, inject nginx location blocks that route:

- /_matrix/client/*/login|logout|refresh → MAS compat layer (port 8081)
- /_matrix/client/*/register → registration shim (port 8082)
- /_synapse/admin/v1/register → registration shim (port 8082)

These regex blocks are prepended before the catch-all worker locations so
they take priority.

In workers-shared-extra.yaml.j2, disable Synapse's built-in registration and
password auth when MAS is active, since MAS handles these concerns.

docker/complement/conf/workers-shared-extra.yaml.j2

@@ -10,17 +10,26 @@
 public_baseurl: http://127.0.0.1:8008/
 report_stats: False
 trusted_key_servers: []
-enable_registration: true
-enable_registration_without_verification: true
 bcrypt_rounds: 4
 url_preview_enabled: true
 url_preview_ip_range_blacklist: []
 
 ## Registration ##
 
+{% if mas_enabled %}
+# MAS handles registration; disable Synapse's built-in registration
+enable_registration: false
+enable_registration_without_verification: false
+password_config:
+  enabled: false
+{% else %}
+enable_registration: true
+enable_registration_without_verification: true
+
 # Needed by Complement to register admin users
 # DO NOT USE in a production configuration! This should be a random secret.
 registration_shared_secret: complement
+{% endif %}
 
 ## Federation ##
 

docker/configure_workers_and_start.py

@@ -1061,6 +1061,40 @@ def generate_worker_files(
 
     # Build the nginx location config blocks
     nginx_location_config = ""
+
+    # When MAS is enabled, prepend location blocks that route login/register
+    # traffic to MAS and the registration shim respectively. These regex blocks
+    # must come before the catch-all worker locations.
+    mas_enabled = os.environ.get("SYNAPSE_COMPLEMENT_USE_MAS") == "true"
+    if mas_enabled:
+        mas_port = 8081
+        shim_port = 8082
+        nginx_location_config += f"""
+    # MAS compat layer: login, logout, refresh
+    location ~ ^/_matrix/client/(.*)/(login|logout|refresh) {{
+        proxy_pass http://localhost:{mas_port};
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $host;
+    }}
+
+    # Registration shim: legacy register API
+    location ~ ^/_matrix/client/(.*)/register$ {{
+        proxy_pass http://localhost:{shim_port};
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $host;
+    }}
+
+    # Registration shim: shared-secret admin registration
+    location ~ ^/_synapse/admin/v1/register {{
+        proxy_pass http://localhost:{shim_port};
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $host;
+    }}
+"""
+
     for endpoint, upstream in nginx_locations.items():
         nginx_location_config += NGINX_LOCATION_REGEX_CONFIG_BLOCK.format(
             endpoint=endpoint,
@@ -1231,6 +1265,7 @@ def generate_worker_files(
         enable_redis=workers_in_use,
         workers_in_use=workers_in_use,
         using_unix_sockets=using_unix_sockets,
+        mas_enabled=mas_enabled,
     )
 
     # Nginx config