Example of mxid sticky nginx loadbalancing for sync / initialsync

Add example configuration for nginx that handles stickying sync and initialsync with mxid part of token found in the request
tswfi · Nov 5, 2022 · b3704b9 · b3704b9
1 parent 8bcdd71
commit b3704b9
Showing 1 changed file with 77 additions and 8 deletions.
diff --git a/docs/workers.md b/docs/workers.md
@@ -305,14 +305,83 @@ may wish to run multiple groups of workers handling different endpoints so that
 load balancing can be done in different ways.
 
 For `/sync` and `/initialSync` requests it will be more efficient if all
-requests from a particular user are routed to a single instance. Extracting a
-user ID from the access token or `Authorization` header is currently left as an
-exercise for the reader. Admins may additionally wish to separate out `/sync`
-requests that have a `since` query parameter from those that don't (and
-`/initialSync`), as requests that don't are known as "initial sync" that happens
-when a user logs in on a new device and can be *very* resource intensive, so
-isolating these requests will stop them from interfering with other users ongoing
-syncs.
+requests from a particular user are routed to a single instance. 
+
+Admins may additionally wish to separate out `/sync` requests that have a 
+`since` query parameter from those that don't (and `/initialSync`), as requests 
+that don't are known as "initial sync" that happens when a user logs in on a new 
+device and can be *very* resource intensive, so isolating these requests will stop 
+them from interfering with other users ongoing syncs.
+
+Example `nginx` configuration snippet that handles the cases above. This is just and
+example and requires some changes according to your configuration:
+
+```js
+# Choose sync worker based on the existence of "since" query parameter
+map $arg_since $sync {
+    default synapse_sync;
+    '' synapse_initial_sync;
+}
+
+# Extract username from access token passed as URL parameter
+map $arg_access_token $accesstoken_from_urlparam {
+    # Defaults to just passing back the whole accesstoken
+    default   $arg_access_token;
+    # Try to extract username part from accesstoken URL parameter
+    "~syt_(?<username>.*?)_.*"           $username;
+}
+
+# Extract username from access token passed as authorization header
+map $http_authorization $mxid_localpart {
+    # Defaults to just passing back the whole accesstoken
+    default                              $http_authorization;
+    # Try to extract username part from accesstoken header
+    "~Bearer syt_(?<username>.*?)_.*"    $username;
+    # if no authorization-header exist, try mapper for URL parameter "access_token"
+    ""                                   $accesstoken_from_urlparam;
+}
+
+upstream synapse_initial_sync {
+    # Use the username mapper result for hash key
+    hash $mxid_localpart consistent;
+    server 127.0.0.1:8016;
+    server 127.0.0.1:8036;
+}
+
+upstream synapse_sync {
+    # Use the username mapper result for hash key
+    hash $mxid_localpart consistent;
+    server 127.0.0.1:8013;
+    server 127.0.0.1:8037;
+    server 127.0.0.1:8038;
+    server 127.0.0.1:8039;
+}
+
+# Sync initial/normal
+location ~ ^/_matrix/client/(r0|v3)/sync$ {
+	include snippets/matrix-proxy-headers.conf;
+	proxy_pass http://$sync;
+	proxy_read_timeout 1h;
+}
+
+# Normal sync
+location ~ ^/_matrix/client/(api/v1|r0|v3)/events$ {
+	include snippets/matrix-proxy-headers.conf;
+	proxy_pass http://synapse_sync;
+}
+
+# Initial_sync
+location ~ ^/_matrix/client/(api/v1|r0|v3)/initialSync$ {
+	include snippets/matrix-proxy-headers.conf;
+	proxy_pass http://synapse_initial_sync;
+	proxy_read_timeout 1h;
+}
+location ~ ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$ {
+	include snippets/matrix-proxy-headers.conf;
+	proxy_pass http://synapse_initial_sync;
+	proxy_read_timeout 1h;
+}
+```
 
 Federation and client requests can be balanced via simple round robin.