From 6ebbf415710196e38a69e5a27b7e4e8def6c5342 Mon Sep 17 00:00:00 2001 From: Olivier 'reivilibre Date: Mon, 27 Apr 2026 18:26:39 +0100 Subject: [PATCH] Route MAS traffic via nginx MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When MAS is enabled, inject nginx location blocks that route: - /_matrix/client/*/login|logout|refresh → MAS compat layer (port 8081) - /_matrix/client/*/register → registration shim (port 8082) - /_synapse/admin/v1/register → registration shim (port 8082) These regex blocks are prepended before the catch-all worker locations so they take priority. In workers-shared-extra.yaml.j2, disable Synapse's built-in registration and password auth when MAS is active, since MAS handles these concerns. --- .../conf/workers-shared-extra.yaml.j2 | 13 +++++-- docker/configure_workers_and_start.py | 35 +++++++++++++++++++ 2 files changed, 46 insertions(+), 2 deletions(-) diff --git a/docker/complement/conf/workers-shared-extra.yaml.j2 b/docker/complement/conf/workers-shared-extra.yaml.j2 index e829292aca..6c66e3471e 100644 --- a/docker/complement/conf/workers-shared-extra.yaml.j2 +++ b/docker/complement/conf/workers-shared-extra.yaml.j2 @@ -10,17 +10,26 @@ public_baseurl: http://127.0.0.1:8008/ report_stats: False trusted_key_servers: [] -enable_registration: true -enable_registration_without_verification: true bcrypt_rounds: 4 url_preview_enabled: true url_preview_ip_range_blacklist: [] ## Registration ## +{% if mas_enabled %} +# MAS handles registration; disable Synapse's built-in registration +enable_registration: false +enable_registration_without_verification: false +password_config: + enabled: false +{% else %} +enable_registration: true +enable_registration_without_verification: true + # Needed by Complement to register admin users # DO NOT USE in a production configuration! This should be a random secret. registration_shared_secret: complement +{% endif %} ## Federation ## 
diff --git a/docker/configure_workers_and_start.py b/docker/configure_workers_and_start.py
index 26c8556eff..802109370d 100755
--- a/docker/configure_workers_and_start.py
+++ b/docker/configure_workers_and_start.py
@@ -1061,6 +1061,40 @@ def generate_worker_files(
 
 # Build the nginx location config blocks
 nginx_location_config = ""
+
+ # When MAS is enabled, prepend location blocks that route login/register
+ # traffic to MAS and the registration shim respectively. These regex blocks
+ # must come before the catch-all worker locations.
+ mas_enabled = os.environ.get("SYNAPSE_COMPLEMENT_USE_MAS") == "true"
+ if mas_enabled:
+ mas_port = 8081
+ shim_port = 8082
+ nginx_location_config += f"""
+ # MAS compat layer: login, logout, refresh
+ location ~ ^/_matrix/client/(.*)/(login|logout|refresh) {{
+ proxy_pass http://localhost:{mas_port};
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host;
+ }}
+
+ # Registration shim: legacy register API
+ location ~ ^/_matrix/client/(.*)/register$ {{
+ proxy_pass http://localhost:{shim_port};
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host;
+ }}
+
+ # Registration shim: shared-secret admin registration
+ location ~ ^/_synapse/admin/v1/register {{
+ proxy_pass http://localhost:{shim_port};
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host;
+ }}
+"""
+
 for endpoint, upstream in nginx_locations.items():
 nginx_location_config += NGINX_LOCATION_REGEX_CONFIG_BLOCK.format(
 endpoint=endpoint,
@@ -1231,6 +1265,7 @@ def generate_worker_files(
 enable_redis=workers_in_use,
 workers_in_use=workers_in_use,
 using_unix_sockets=using_unix_sockets,
+ mas_enabled=mas_enabled,
 )
 
 # Nginx config
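Review bot: The three MAS location blocks added to `generate_worker_files` (whose body starts and ends outside this hunk) are copies of one another differing only in the regex and the port, while the worker locations a few lines below are generated from `NGINX_LOCATION_REGEX_CONFIG_BLOCK.format(...)`; expressing the MAS routes as a list of `(regex, port, purpose)` tuples and emitting them in one loop keeps the proxy header lines in a single place. The login regex `^/_matrix/client/(.*)/(login|logout|refresh)` is unanchored while the register regex ends in `$`, so the former also captures sub-paths such as `/login/sso/redirect` or `/logout/all`; if that is deliberate it deserves a comment, e.g. `# Unanchored on purpose: login/logout sub-paths (SSO redirect, logout/all) belong to MAS too`. `proxy_pass http://localhost:...` makes nginx resolve `localhost` at config load, which on dual-stack hosts can prefer `::1`; if MAS and the shim bind IPv4 only (not visible here), `127.0.0.1` is the safer upstream.
```python
    mas_enabled = os.environ.get("SYNAPSE_COMPLEMENT_USE_MAS") == "true"
    if mas_enabled:
        # (regex, upstream port, purpose) for each path taken over by MAS / the shim
        mas_locations = [
            ("^/_matrix/client/(.*)/(login|logout|refresh)", 8081, "MAS compat layer: login, logout, refresh"),
            ("^/_matrix/client/(.*)/register$", 8082, "Registration shim: legacy register API"),
            ("^/_synapse/admin/v1/register", 8082, "Registration shim: shared-secret admin registration"),
        ]
        for mas_endpoint, mas_upstream_port, purpose in mas_locations:
            nginx_location_config += f"""
    # {purpose}
    location ~ {mas_endpoint} {{
        proxy_pass http://localhost:{mas_upstream_port};
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
    }}
"""
    # … unchanged: worker location loop over nginx_locations …
```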