lar.ven – this.ven's wiki

Authority through knowledge (of FLOSS and GNU/Linux)


Synapse

The server reference implementation of the Matrix protocol is Synapse. It's a federated homeserver developed by the Matrix Foundation, a non-profit organisation, and it is mature, stable and full-featured. That maturity also makes it quite resource-intensive: if you plan to run Matrix on a Raspberry Pi, for example, consider a more lightweight homeserver like Dendrite. Synapse is written in Python 3 on Twisted, and its source code can be found on GitHub.

Basic setup

For instructions on how to install and set up Synapse, consult the Installing Synapse article and the Synapse — UberLab 7 documentation. Use the federation tester to check your Synapse instance.

Remark: When you want Synapse to run on a subdomain like matrix.example.org, it's convenient to use delegation so that Matrix IDs (MXIDs) carry no subdomain part. A MXID then reads @user:example.org instead of @user:matrix.example.org.

Delegation

Specify example.org as server_name at the beginning of the configuration file, but set public_baseurl to https://matrix.example.org/:

server_name: "example.org"
...
public_baseurl: https://matrix.example.org/

For the .well-known announcement you need to create the file .well-known/matrix/server in the DOCUMENT_ROOT of example.org with the following content:

{
    "m.server": "matrix.example.org:<port>"
}

Replace <port> with the port your federation endpoint is reachable on, typically 443.
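A small consistency check for the three values above (server_name, public_baseurl and the .well-known document), added here as an example and not part of the wiki page or of Synapse itself. The sample values are constructed to mirror the configuration shown; the port default of 8448 when m.server carries no port follows the Matrix specification. Feeding it the template file with <port> still in place is reported as an error rather than silently accepted.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample values mirroring the configuration above (not from a live server).
SAMPLE_SERVER_NAME = "example.org"
SAMPLE_PUBLIC_BASEURL = "https://matrix.example.org/"
SAMPLE_WELL_KNOWN = '{"m.server": "matrix.example.org:443"}'

# m.server is "<hostname>[:<port>]"; the Matrix spec defaults the port to 8448.
_HOSTPORT = re.compile(r"^(?P<host>[A-Za-z0-9.-]+|\[[0-9A-Fa-f:.]+\])(?::(?P<port>\d{1,5}))?$")
DEFAULT_FEDERATION_PORT = 8448


def parse_well_known_server(body: str) -> tuple[str, int]:
    """Parse the body of .well-known/matrix/server and return (host, port)."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc}") from None
    if not isinstance(doc, dict) or not isinstance(doc.get("m.server"), str):
        raise ValueError('missing string "m.server" key')
    value = doc["m.server"]
    if "<" in value or ">" in value:
        # The template placeholder from the page was never replaced.
        raise ValueError(f"placeholder left in m.server: {value!r}")
    match = _HOSTPORT.match(value)
    if not match:
        raise ValueError(f"malformed m.server value: {value!r}")
    port = int(match.group("port")) if match.group("port") else DEFAULT_FEDERATION_PORT
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return match.group("host"), port


def check_delegation(server_name: str, public_baseurl: str, well_known_body: str) -> list[str]:
    """Cross-check homeserver.yaml values against the .well-known document.

    Returns a list of findings; an empty list means the values are consistent.
    """
    findings = []
    host, _port = parse_well_known_server(well_known_body)
    base = urlsplit(public_baseurl)
    if base.scheme != "https":
        findings.append(f"public_baseurl should use https, got {base.scheme!r}")
    if base.hostname != host:
        findings.append(f"public_baseurl host {base.hostname!r} differs from m.server host {host!r}")
    if host == server_name:
        findings.append("m.server points at server_name itself, so nothing is delegated")
    return findings


if __name__ == "__main__":
    print(parse_well_known_server(SAMPLE_WELL_KNOWN))
    for finding in check_delegation(SAMPLE_SERVER_NAME, SAMPLE_PUBLIC_BASEURL, SAMPLE_WELL_KNOWN):
        print("finding:", finding)
```

Run it against the file you actually deployed (for example the output of a curl against https://example.org/.well-known/matrix/server) before consulting the federation tester; it catches the two mistakes that account for most failed delegations, a leftover placeholder and a public_baseurl that does not point at the delegated host.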

Note: If you're running Nextcloud in the DOCUMENT_ROOT, its .htaccess file needs to be edited, otherwise Nextcloud's rewrite rules capture the request (see Nextcloud redirects under Known issues).

Privacy

The default configuration of Synapse isn't particularly privacy-respecting, as researched by Libre Monde ASBL, but there are means to change that behaviour, for example by opting out of statistics and metrics.

Metrics and stats

Opt out of metrics and statistics data collection with the following configuration settings:

enable_metrics: false
report_stats: false

Push

When using push notifications, message content isn't encrypted on its way to the push gateway. For this reason edit the main configuration file again, find the push section and disable content inclusion as follows:

push:
  include_content: false

Profile data

If you don't want profile information to be visible to the public, or shared in rooms you have been invited to before you join them, use these settings:

require_auth_for_profile_requests: true
limit_profile_requests_to_users_who_share_rooms: true
include_profile_data_on_invite: false

Encryption by default

By default, encryption in rooms is optional. To enable encryption by default for all newly created rooms, set:

encryption_enabled_by_default_for_room_type: all

Note: If you consider bridging or building a community, this setting might be sub-optimal: bridges may not support encryption, and new users joining a room won't have access to the earlier message history.
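The Metrics and stats, Push, Profile data and Encryption by default sections each name one or two homeserver.yaml keys. The following audit script, added as an example and not part of the wiki page or of Synapse, reads a homeserver.yaml and reports every one of those keys that is missing or set to a value other than the one recommended above. It uses a deliberately minimal YAML-subset reader so it runs without PyYAML; the sample configuration is constructed and leaves two settings at their unsafe values and one unset.

```python
import re

# Settings recommended in the Privacy sections above and the value each should have.
PRIVACY_EXPECTATIONS = {
    "enable_metrics": False,
    "report_stats": False,
    "push.include_content": False,
    "require_auth_for_profile_requests": True,
    "limit_profile_requests_to_users_who_share_rooms": True,
    "include_profile_data_on_invite": False,
    "encryption_enabled_by_default_for_room_type": "all",
}

# Constructed homeserver.yaml excerpt: two settings left at unsafe values,
# include_profile_data_on_invite not set at all.
SAMPLE_HOMESERVER_YAML = """\
server_name: "example.org"
public_baseurl: https://matrix.example.org/
enable_metrics: true          # exposes a metrics endpoint
report_stats: false
push:
  include_content: true       # message bodies go to the push gateway
require_auth_for_profile_requests: true
limit_profile_requests_to_users_who_share_rooms: true
encryption_enabled_by_default_for_room_type: all
"""

_COMMENT = re.compile(r"(^|\s)#.*$")


def _scalar(text: str):
    """Convert a YAML scalar of the kinds used in these settings."""
    if text.lower() in ("true", "false"):
        return text.lower() == "true"
    if len(text) >= 2 and text[0] == text[-1] and text[0] in "\"'":
        return text[1:-1]
    if re.fullmatch(r"-?\d+", text):
        return int(text)
    return text


def parse_simple_yaml(text: str) -> dict:
    """Flatten nested mappings of scalars into dotted keys, e.g. push.include_content.

    Deliberately minimal: lists, multi-line scalars and anchors are not handled,
    which is enough for the flat settings audited here but not for arbitrary YAML.
    """
    result = {}
    stack = []  # (indent, key) pairs forming the mapping path to the current line
    for raw in text.splitlines():
        line = _COMMENT.sub("", raw).rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue  # not a "key: value" line; ignored in this subset
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leaving a nested mapping (or moving to the next sibling key)
        stack.append((indent, key.strip()))
        value = value.strip()
        if value:  # an empty value means this key opens a nested mapping
            result[".".join(k for _, k in stack)] = _scalar(value)
    return result


def audit_privacy(config_text: str) -> dict:
    """Return {setting: current_value} for every setting that deviates from
    PRIVACY_EXPECTATIONS; a value of None means the setting is not present."""
    config = parse_simple_yaml(config_text)
    return {
        key: config.get(key)
        for key, expected in PRIVACY_EXPECTATIONS.items()
        if config.get(key) != expected
    }


if __name__ == "__main__":
    for key, actual in audit_privacy(SAMPLE_HOMESERVER_YAML).items():
        print(f"{key}: {actual!r} (expected {PRIVACY_EXPECTATIONS[key]!r})")
```

Missing keys are reported alongside wrong ones on purpose: a key that is absent takes whatever default the installed Synapse version ships with, and the point of the sections above is to pin each of these explicitly.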

Minimize logging

The Synapse log configuration file is typically named after the server name with the suffix .log.config. To minimize logging, change both level parameters, the one in the synapse.storage.SQL subsection below loggers as well as the one in the root section, so that only critical errors are logged:

loggers:
    synapse.storage.SQL:
        level: CRITICAL
    ...
root:
    level: CRITICAL

Known issues

FIXME This section is about issues related to interaction with other services and offers some quick and dirty workarounds to keep things running rather than secure and clean solutions.

Nextcloud redirects

When using delegation and running Nextcloud at the top-level domain, Nextcloud's URL rewriting redirects all requests for documents under /.well-known to Nextcloud. A solution is to add the following rewrite condition to the .htaccess file, in both sections, before the rewrite rules:

RewriteCond %{REQUEST_URI} !^/\.well-known/matrix/server
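To see which requests the condition above actually exempts, here is a small model of Apache's negated RewriteCond applied to a handful of constructed request URIs. It is an added example, not part of the wiki page, Nextcloud or Apache; it only mirrors the regex semantics of `RewriteCond %{REQUEST_URI} !<pattern>` (the following RewriteRule fires when the pattern does not match) and does not evaluate a real .htaccess.

```python
import re

# The condition from the .htaccess snippet above. Apache's leading "!" negates the
# match, so the RewriteRule that follows fires only for URIs that do NOT match.
REWRITE_COND_PATTERN = r"^/\.well-known/matrix/server"

# Constructed request URIs as they might arrive at example.org.
SAMPLE_URIS = [
    "/.well-known/matrix/server",
    "/.well-known/matrix/client",
    "/.well-known/carddav",
    "/xwell-known/matrix/server",
    "/index.php/apps/files",
]


def nextcloud_rewrite_applies(request_uri: str, pattern: str = REWRITE_COND_PATTERN) -> bool:
    """Model `RewriteCond %{REQUEST_URI} !<pattern>`: True when the request would
    still be rewritten to Nextcloud's front controller, False when the condition
    blocks the rewrite and Apache serves the file from DOCUMENT_ROOT instead."""
    return re.search(pattern, request_uri) is None


def route_requests(uris, pattern: str = REWRITE_COND_PATTERN) -> dict:
    """Map each URI to where it ends up under the given condition."""
    return {
        uri: ("nextcloud" if nextcloud_rewrite_applies(uri, pattern) else "static file")
        for uri in uris
    }


if __name__ == "__main__":
    for uri, target in route_requests(SAMPLE_URIS).items():
        print(f"{uri:32} -> {target}")
```

Two things the model makes visible: the escaped dot matters, since `/xwell-known/...` must not be exempted, and the condition as written exempts only the server file. If you also publish /.well-known/matrix/client for client-side discovery (not covered on this page), that file would still be captured by Nextcloud unless the pattern is widened to `^/\.well-known/matrix/`.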

Category: Matrix

services/matrix/synapse.txt · Last modified: 2023/07/30 17:11 by this.ven