diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml
index 0e33721ba..02251478c 100644
--- a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml
@@ -323,10 +323,6 @@ matrix_synapse_reverse_proxy_companion_njs_enabled: "{{ matrix_synapse_reverse_p
 # This works with any authentication system (native Synapse auth, MAS, etc.) because Synapse
 # handles the token validation internally.
 #
-# Without this, sticky routing falls back to parsing the username from the access token (only works
-# with native Synapse tokens of the form syt__...), which only provides
-# device-level stickiness (same token -> same worker) rather than user-level stickiness.
-#
 # Enabled by default when there are sync workers, because sync workers benefit from user-level
 # stickiness due to their per-user in-memory caches.
 matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_enabled: "{{ matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'sync_worker') | list | length > 0 }}"
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2
index 6c72ca2ad..20af557ca 100644
--- a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2
@@ -64,25 +64,6 @@ {% if matrix_synapse_reverse_proxy_companion_synapse_workers_enabled %} -# Access token to user identifier mapping logic. -# This is used for sticky routing to ensure requests from the same user are routed to the same worker. -{% if not matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_enabled %} -# Extracts the base64-encoded localpart from native Synapse access tokens. -# Native Synapse tokens have the format: syt___ -# See: https://github.com/element-hq/synapse/blob/1bddd25a85d82b2ef4a2a42f6ecd476108d7dd96/synapse/handlers/auth.py#L1448-L1459 -# Maps from https://tcpipuk.github.io/synapse/deployment/nginx.html#mapsconf -# Note: This only works with native Synapse tokens, not with MAS or other auth systems. -map $arg_access_token $accesstoken_from_urlparam { - default $arg_access_token; - "~syt_(?.*?)_.*" $b64localpart; -} -map $http_authorization $user_identifier { - default $http_authorization; - "~Bearer syt_(?.*?)_.*" $b64localpart; - "" $accesstoken_from_urlparam; -} -{% endif %} - # Whether to upgrade HTTP connection map $http_upgrade $connection_upgrade { default upgrade; @@ -246,11 +227,7 @@ server { # sync workers # https://tcpipuk.github.io/synapse/deployment/workers.html # https://tcpipuk.github.io/synapse/deployment/nginx.html#locationsconf - {% if matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_enabled %} {{ render_locations_to_upstream_with_whoami_sync_worker_router(matrix_synapse_reverse_proxy_companion_synapse_sync_worker_client_server_locations, 'sync_workers_upstream') }} - {% else %} - {{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_sync_worker_client_server_locations, 'sync_workers_upstream') }} - {% endif %} {% endif %} {% if client_reader_workers | length > 0 %}
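Review bot: In the last hunk (`@@ -246,11 +227,7 @@`) the sync-worker locations are now always rendered with `render_locations_to_upstream_with_whoami_sync_worker_router`, yet `matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_enabled` remains an overridable default in defaults/main.yml. The truncated `..._njs_enabled` default in the first hunk's header appears to derive from that variable, so an inventory that sets it to false while sync workers exist may get whoami-router locations without the njs support they presumably need; the macro body and any validation tasks are outside these hunks, so this needs confirming. The defaults comment "Enabled by default when there are sync workers" also still reads as if the switch selects the routing mode, which the template no longer honours. I would either fail early when the variable is false and sync workers are present, or document the new contract next to the call, e.g. `{# whoami-based routing is unconditional for sync workers; matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_enabled must stay true when sync workers exist #}`.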