The reference server implementation for the Matrix protocol is Synapse. It's a federated homeserver developed by the Matrix foundation, a non-profit organisation, and is stable and full-featured. Being full-featured also makes it quite resource-intensive. If you plan to use Matrix on a Raspberry Pi, for example, consider a more lightweight solution like Dendrite. The source code of Synapse is written in Python 3/Twisted and can be found on GitHub.
For instructions on how to install and set up Synapse, consult the Installing Synapse article and the Synapse — UberLab 7 documentation. Use the federation tester to check your Synapse instance.
Remark: When you want Synapse to run at a subdomain like matrix.example.org, it's convenient to use delegation so that Matrix IDs (MXIDs) don't contain the subdomain part. Thus an MXID is @user:example.org instead of @user:matrix.example.org.
Specify example.org as server_name at the beginning of the configuration file, but set public_baseurl to matrix.example.org:
    server_name: "example.org"
    ...
    public_baseurl: https://matrix.example.org/
For the .well-known announcement you need to create .well-known/matrix/server in the DOCUMENT_ROOT of example.org containing:
    { "m.server": "matrix.example.org:<port>" }
Change <port> to your needs, typically 443.
The default configuration of Synapse isn't particularly privacy-respecting, as researched by Libre Monde ASBL, but there are means to change that behavior, for example by opting out of statistics and metrics.
Opt-out of metrics and statistics data collection by using the following configuration settings:
    enable_metrics: false
    report_stats: false
When using push notifications, message content isn't encrypted. For this reason, edit the main configuration file again, find the push section and disable content inclusion as follows:
    include_content: false
If you don't want profile information to be visible to the public and shared in rooms you are invited to before you joined them, use these settings:
    require_auth_for_profile_requests: true
    limit_profile_requests_to_users_who_share_rooms: true
    include_profile_data_on_invite: false
By default, encryption in rooms is optional. To activate encryption for all rooms by default, set:
    encryption_enabled_by_default_for_room_type: all
Note: If you consider bridging or building a community, this setting might be sub-optimal, as bridges may not support encryption and new users joining a room won't have access to the message history.
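One way to check a configuration against the privacy settings listed above (an added example, not part of the original page or of Synapse). The function names, the minimal parser for a simple YAML subset and the sample configuration are assumptions made for illustration:

```python
import re

# Values recommended on this page; "push.include_content" = include_content in the push section.
RECOMMENDED = {
    "enable_metrics": "false",
    "report_stats": "false",
    "push.include_content": "false",
    "require_auth_for_profile_requests": "true",
    "limit_profile_requests_to_users_who_share_rooms": "true",
    "include_profile_data_on_invite": "false",
    "encryption_enabled_by_default_for_room_type": "all",
}
KEY_LINE = re.compile(r"^(\s*)([A-Za-z_][\w.]*):\s*(.*)$")

def flatten(text):
    """Flatten simple YAML (scalars and nested mappings only) to {'a.b': 'v'}."""
    stack, out = [], {}  # stack: (indent, key) of the sections currently open
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # drop comments
        m = KEY_LINE.match(line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip("\"' ")
        while stack and stack[-1][0] >= indent:  # leave finished sections
            stack.pop()
        if value == "":
            stack.append((indent, key))  # a key without a value opens a section
        else:
            out[".".join([k for _, k in stack] + [key])] = value
    return out

def audit(text):
    """Return {key: (found, recommended)} for each deviating or unset key."""
    found = flatten(text)
    return {k: (found.get(k), want) for k, want in RECOMMENDED.items()
            if (found.get(k) or "").lower() != want}

# Constructed sample configuration, not taken from a real server.
SAMPLE = """\
enable_metrics: false
report_stats: true
push:
  include_content: true
require_auth_for_profile_requests: true
limit_profile_requests_to_users_who_share_rooms: true
#include_profile_data_on_invite: false
encryption_enabled_by_default_for_room_type: all
"""
```

Calling audit() on the text of a configuration file returns only the keys that differ from the values above. A key that is commented out, or an include_content placed outside the push section, is reported with None as the found value.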
The Synapse log configuration file is typically named after the server name with the suffix .log.config appended. To minimize logging, change both level parameters, in the synapse.storage.SQL subsection below loggers as well as in the root section, to only log critical errors:
    loggers:
        synapse.storage.SQL:
            level: CRITICAL
    ...
    root:
        level: CRITICAL
This section is about issues related to interaction with other services and tries to offer some quick and dirty solutions to keep it running rather than implementing secure and clean code.
When using delegation and running Nextcloud at the top-level domain, URL rewriting redirects all traffic for documents in /.well-known to Nextcloud. A solution is to add the following rewrite condition to the .htaccess file in both sections before the rewrite rules:
    RewriteCond %{REQUEST_URI} !^/\.well-known/matrix/server