From c059413001cd2ff7c6104cfcd323ed115245ae90 Mon Sep 17 00:00:00 2001 From: Marcus Schopen Date: Fri, 6 Nov 2020 15:33:07 +0100 Subject: [PATCH] Notes on SSO logins and media_repository worker (#8701) If SSO login is used (e.g. SAML) in a multi worker setup, it should be mentioned that currently all SAML logins must run on the same worker, see https://github.com/matrix-org/synapse/issues/7530 Also, if you are using different ports (for example 443 and 8448) in a reverse proxy for client and federation, the path `/_matrix/media` on the client and federation port must point to the listener of the `media_repository` worker, otherwise you'll get a 404 on the federation port for the path `/_matrix/media`, if a remote server is trying to get the media object on federation port, see https://github.com/matrix-org/synapse/issues/8695 --- changelog.d/8701.doc | 1 + docs/workers.md | 5 +++++ 2 files changed, 6 insertions(+) create mode 100644 changelog.d/8701.doc diff --git a/changelog.d/8701.doc b/changelog.d/8701.doc new file mode 100644 index 000000000000..e2e8b2f79acb --- /dev/null +++ b/changelog.d/8701.doc @@ -0,0 +1 @@ +Notes on SSO logins and media_repository worker. \ No newline at end of file diff --git a/docs/workers.md b/docs/workers.md index 4e046bdb318a..c53d1bd2ff4b 100644 --- a/docs/workers.md +++ b/docs/workers.md @@ -262,6 +262,9 @@ using): Note that a HTTP listener with `client` and `federation` resources must be configured in the `worker_listeners` option in the worker config. +Ensure that all SSO logins go to a single process (usually the main process). +For multiple workers not handling the SSO endpoints properly, see +[#7530](https://github.com/matrix-org/synapse/issues/7530). #### Load balancing 
@@ -420,6 +423,8 @@ and you must configure a single instance to run the background tasks, e.g.: media_instance_running_background_jobs: "media-repository-1" ``` +Note that if a reverse proxy is used , then `/_matrix/media/` must be routed for both inbound client and federation requests (if they are handled separately). + ### `synapse.app.user_dir` Handles searches in the user directory. It can handle REST endpoints matching
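Review bot: changelog.d/8701.doc is created without a trailing newline (the hunk ends with "\ No newline at end of file"). End the file with a newline. The entry text "Notes on SSO logins and media_repository worker." could also say what the notes cover, for example that they concern routing in a multi-worker setup.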
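Review bot: in the docs/workers.md hunk at line 262, "Ensure that all SSO logins go to a single process" does not say which request paths count as SSO endpoints, so a reader writing reverse proxy rules cannot tell what has to be pinned to one process. List the affected paths, or point to where they are listed. The follow-up sentence "For multiple workers not handling the SSO endpoints properly, see" reads as troubleshooting advice; the commit message is clearer that all such logins currently must run on the same worker, and the doc should say that directly before linking #7530. The three added lines also follow "configured in the `worker_listeners` option in the worker config." with no blank line added, so they will render as part of the listener note rather than as a separate paragraph.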
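Review bot: in the docs/workers.md hunk at line 420, the added note says `/_matrix/media/` "must be routed" but never says where to. The commit message is explicit that the path on both the client and the federation port must point to the listener of the `media_repository` worker, and that the symptom otherwise is a 404 on the federation port when a remote server fetches media (#8695). Put the destination and that symptom in the note and link the issue, as the SSO hunk does for #7530. Also remove the stray space in "is used , then" and wrap the line to match the surrounding text.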