updated nginx configuration information required for recent versions of synapse

[tgurr]

matrix-org/synapse#8227 replaced the previous

location /_matrix {

with

location ~* ^(\/_matrix|\/_synapse\/client) {

which now seems to interfer with the configuration required for ma1sd. When doing the change above riot/element complains about not being able to reach the identity server, if I revert it back to just /_matrix it works again but I wonder what problems I'll run into with not following the recent upstream change.

I'm not an nginx and/or regex expert so any advice here is greatly appreciated, here's the relevant part of my configuration:

        # ma1sd
        location /_matrix/client/r0/user_directory/ {
            proxy_pass http://localhost:8090/_matrix/client/r0/user_directory/;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }

        # ma1sd
        location /_matrix/identity {
            proxy_pass http://localhost:8090/_matrix/identity;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }

        # synapse
        location /_matrix {
#        location ~* ^(\/_matrix|\/_synapse\/client) {
            proxy_pass http://localhost:8008;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }

        location /.well-known/matrix/server {
            access_log off;
            add_header Access-Control-Allow-Origin *;
            add_header Content-Type application/json;
            return 200 '{"m.server": "matrix.domain.local:443"}';
        }

        location /.well-known/matrix/client {
            access_log off;
            add_header Access-Control-Allow-Origin *;
            add_header Content-Type application/json;
            return 200 '{"m.homeserver": {"base_url": "https://matrix.domain.local/"}, "m.identity_server": {"base_url": "https://matrix.domain.local"}, "im.vector.riot.e2ee": {"default": false}}';
        }

[lbeltrame]

matrix-ansible-deploy uses a different, non-regex based solution which uses separate /_matrix and /_synapse locations. I wonder if that might work. See https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 (note: this is a template for ansible to use, so it can' be used verbatim).

[q-wertz]

For me the

# ma1sd
location /_matrix/client/r0/user_directory/ {
    proxy_pass http://localhost:8090/_matrix/client/r0/user_directory/;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $remote_addr;
}

# ma1sd
location /_matrix/identity {
    proxy_pass http://localhost:8090/_matrix/identity;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $remote_addr;
}

part did not work. I have to use

# ma1sd
location ^~ /_matrix/client/r0/user_directory/ {
    proxy_pass http://localhost:8090/_matrix/client/r0/user_directory/;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $remote_addr;
}

# ma1sd
location ^~ /_matrix/identity {
    proxy_pass http://localhost:8090/_matrix/identity;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $remote_addr;
}

Is this a bug in the description, or predictable behavior due to the new location ~* ^(\/_matrix|\/_synapse\/client) { line or am I missing something here?
also see https://docs.nginx.com/nginx/admin-guide/web-server/web-server/#configuring-locations
I think

Higher priority is given to regular expressions, unless the ^~ modifier is used. Among the prefix strings NGINX Plus selects the most specific one (that is, the longest and most complete string).

is the problem here as with the new version a regular expression was introduced and that's why the old config does not work anymore (match by order)

One more thought:
I think they use the new regex to match /_matrix/ AND /_synapse/client as at some point they want to change to /_synapse/client as endpoint (I think i read that somewhere and also some things are at this endpoint see matrix-org/synapse#8154). Especially the /_synapse/admin is excluded in that case (security reasons)

[tgurr]

@q-wertz huge thanks for your suggestion, I also had to add ^~ to the ma1sd locations for things to work.
As you've already predicted, this issue is becomming more and more important and now was a real problem for me because of matrix-org/synapse@8f75bf1 which changes the saml2 endpoint from _matrix to _synapse/client for which the new location ~* ^(\/_matrix|\/_synapse\/client) { is strictly required which in turn broke the ma1sd lookups for me without the change you posted above. With adding ^~ to the ma1sd locations things appear to work, meaning both saml login, ma1sd lookups and the regular chat. I didn't test much or in more depth as I've just upgraded and made the saml endpoint and the changes to the nginx configuration, but things look good. Again thanks for posting the solution above!

[q-wertz]

You're welcome 🎉