add synapse client reader worker

.github/workflows/nginx.yml

@@ -13,4 +13,4 @@ jobs:
         python-version: '3.13'
         cache: pip
     - run: 'pip install --require-hashes --only-binary :all: -r requirements.txt'
-    - run: gixy --add-header-redefinition-headers x-frame-options,x-content-type-options,x-xss-protection,content-security-policy,cache-control nginx/nginx.conf
+    - run: gixy --add-header-redefinition-headers x-frame-options,x-content-type-options,x-xss-protection,content-security-policy,cache-control --skips regex_redos nginx/nginx.conf

logrotate.d/synapse

@@ -1,4 +1,4 @@
-/var/log/synapse/main.log /var/log/synapse/background.log /var/log/synapse/federation_reader.log /var/log/synapse/federation_sender1.log /var/log/synapse/federation_sender2.log /var/log/synapse/federation_sender3.log /var/log/synapse/federation_sender4.log /var/log/synapse/media_repository.log {
+/var/log/synapse/main.log /var/log/synapse/background.log /var/log/synapse/client_reader.log /var/log/synapse/federation_reader.log /var/log/synapse/federation_sender1.log /var/log/synapse/federation_sender2.log /var/log/synapse/federation_sender3.log /var/log/synapse/federation_sender4.log /var/log/synapse/media_repository.log {
     missingok
     maxsize 1G
     nodelaycompress

nginx/nginx.conf

@@ -88,6 +88,11 @@ http {
         server unix:/run/synapse/main_public.sock max_conns=4096 max_fails=0;
     }
 
+    upstream synapse-client_reader {
+        zone synapse-client_reader 32k;
+        server unix:/run/synapse/client_reader_public.sock max_conns=4096 max_fails=0;
+    }
+
     upstream synapse-federation_reader {
         zone synapse-federation_reader 32k;
         server unix:/run/synapse/federation_reader_public.sock max_conns=4096 max_fails=0;
@@ -175,6 +180,10 @@ http {
 
             proxy_pass http://synapse-main;
 
+            location ~ ^/_matrix/client/(?:r0|v3)/sync$|^/_matrix/client/(?:api/v1|r0|v3)/events$|^/_matrix/client/(?:api/v1|r0|v3)/initialSync$|^/_matrix/client/(?:api/v1|r0|v3)/rooms/[^/]+/initialSync$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/createRoom$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/publicRooms$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/joined_members$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/context/.*$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/members$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/state$|^/_matrix/client/v1/rooms/.*/hierarchy$|^/_matrix/client/(?:v1|unstable)/rooms/.*/relations/|^/_matrix/client/v1/rooms/.*/threads$|^/_matrix/client/unstable/im.nheko.summary/summary/.*$|^/_matrix/client/(?:r0|v3|unstable)/account/3pid$|^/_matrix/client/(?:r0|v3|unstable)/account/whoami$|^/_matrix/client/(?:r0|v3|unstable)/account/deactivate$|^/_matrix/client/(?:r0|v3)/delete_devices$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/devices(?:/|$)|^/_matrix/client/versions$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/voip/turnServer$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/event/|^/_matrix/client/(?:api/v1|r0|v3|unstable)/joined_rooms$|^/_matrix/client/v1/rooms/.*/timestamp_to_event$|^/_matrix/client/(?:api/v1|r0|v3|unstable/.*)/rooms/.*/aliases|^/_matrix/client/(?:api/v1|r0|v3|unstable)/search$|^/_matrix/client/(?:r0|v3|unstable)/user/.*/filter(?:/|$)|^/_matrix/client/(?:api/v1|r0|v3|unstable)/directory/room/.*$|^/_matrix/client/(?:r0|v3|unstable)/capabilities$|^/_matrix/client/(?:r0|v3|unstable)/notifications$|^/_synapse/admin/v1/rooms/[^/]+$|^/_matrix/client/(?:r0|v3|unstable)/keys/query$|^/_matrix/client/(?:r0|v3|unstable)/keys/changes$|^/_matrix/client/(?:r0|v3|unstable)/keys/claim$|^/_matrix/client/(?:r0|v3|unstable)/room_keys/|^/_matrix/client/(?:r0|v3|unstable)/keys/upload|^/_matrix/client/(?:api/v1|r0|v3|unstable)/keys/device_signing/upload$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/keys/signatures/upload$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/login$|^/_matrix/client/(?:r0|v3|unstable)/register$|^/_matrix/client/(?:r0|v3|unstable)/register/available$|^/_matrix/client/v1/register/m.login.registration_token/validity$|^/_matrix/client/(?:r0|v3|unstable)/password_policy$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/redact|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/send|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/state/|^/_matrix/client/(?:api/v1|r0|v3|unstable)/rooms/.*/(?:join|invite|leave|ban|unban|kick)$|^/_matrix/client/(?:api/v1|r0|v3|unstable)/join/|^/_matrix/client/(?:api/v1|r0|v3|unstable)/knock/|^/_matrix/client/(?:api/v1|r0|v3|unstable)/profile/|^/_matrix/client/(?:r0|v3|unstable)/user_directory/search$|^/_matrix/client/unstable/org.matrix.msc4140/delayed_events(?:/.*/restart)?$ {
+                proxy_pass http://synapse-client_reader;
+            }
+
             location ~ ^/_matrix/federation/v1/version$|^/_matrix/federation/v1/event/|^/_matrix/federation/v1/state/|^/_matrix/federation/v1/state_ids/|^/_matrix/federation/v1/backfill/|^/_matrix/federation/v1/get_missing_events/|^/_matrix/federation/v1/publicRooms|^/_matrix/federation/v1/query/|^/_matrix/federation/v1/make_join/|^/_matrix/federation/v1/make_leave/|^/_matrix/federation/(:?v1|v2)/send_join/|^/_matrix/federation/(:?v1|v2)/send_leave/|^/_matrix/federation/v1/make_knock/|^/_matrix/federation/v1/send_knock/|^/_matrix/federation/(:?v1|v2)/invite/|^/_matrix/federation/v1/event_auth/|^/_matrix/federation/v1/timestamp_to_event/|^/_matrix/federation/v1/exchange_third_party_invite/|^/_matrix/federation/v1/user/devices/|^/_matrix/key/v2/query|^/_matrix/federation/v1/hierarchy/|^/_matrix/federation/v1/send/ {
                 proxy_pass http://synapse-federation_reader;
             }

process-static

@@ -20,7 +20,7 @@ fi
 rm -rf nginx-tmp
 cp -a nginx nginx-tmp
 
-gixy --add-header-redefinition-headers x-frame-options,x-content-type-options,x-xss-protection,content-security-policy,cache-control nginx-tmp/nginx.conf
+gixy --add-header-redefinition-headers x-frame-options,x-content-type-options,x-xss-protection,content-security-policy,cache-control --skips regex_redos nginx-tmp/nginx.conf
 
 rm -rf static-tmp
 cp -a /usr/share/webapps/element static-tmp

synapse/workers/client_reader.yaml

@@ -0,0 +1,11 @@
+worker_app: synapse.app.generic_worker
+worker_name: client_reader
+
+worker_listeners:
+  - path: /run/synapse/client_reader_public.sock
+    mode: 432
+    type: http
+    resources:
+      - names: [client]
+
+worker_log_config: /etc/synapse/workers/client_reader_log_config.yaml

synapse/workers/client_reader_log_config.yaml

@@ -0,0 +1,23 @@
+version: 1
+
+formatters:
+    syslog_fmt:
+        format: '%(name)s: [%(request)s] %(message)s'
+
+filters:
+    context:
+        (): synapse.logging.context.LoggingContextFilter
+        request: ""
+
+handlers:
+    syslog:
+        class: logging.handlers.SysLogHandler
+        formatter: syslog_fmt
+        filters: [context]
+        address: /run/synapse-client_reader-log
+
+root:
+    level: INFO
+    handlers: [syslog]
+
+disable_existing_loggers: False

syslog-ng/conf.d/synapse.conf

@@ -4,6 +4,9 @@ source s_synapse_main {
 source s_synapse_background {
     unix-dgram("/run/synapse-background-log" group("synapse") perm(0660));
 };
+source s_synapse_client_reader {
+    unix-dgram("/run/synapse-client_reader-log" group("synapse") perm(0660));
+};
 source s_synapse_federation_reader {
     unix-dgram("/run/synapse-federation_reader-log" group("synapse") perm(0660));
 };
@@ -29,6 +32,9 @@ destination d_synapse_main {
 destination d_synapse_background {
     file("/var/log/synapse/background.log" template("${ISODATE} ${LEVEL} ${MESSAGE}\n"));
 };
+destination d_synapse_client_reader {
+    file("/var/log/synapse/client_reader.log" template("${ISODATE} ${LEVEL} ${MESSAGE}\n"));
+};
 destination d_synapse_federation_reader {
     file("/var/log/synapse/federation_reader.log" template("${ISODATE} ${LEVEL} ${MESSAGE}\n"));
 };
@@ -56,6 +62,10 @@ log {
     source(s_synapse_background);
     destination(d_synapse_background);
 };
+log {
+    source(s_synapse_client_reader);
+    destination(d_synapse_client_reader);
+};
 log {
     source(s_synapse_federation_reader);
     destination(d_synapse_federation_reader);