Website/content/docs/infrastructure/matrix/synapse.md

4.7 KiB

title date
Synapse 2024-02-25T11:55:11+01:00

The server reference implementation for the Matrix protocol is Synapse. It's a federated homeserver developed by the Matrix Foundation1 and has a stable and full-featured maturity, which can make it quite resource-intensive. For running a Matrix server on Raspberry Pi2, for example, consider a more lightweight solution such as Conduit or Dendrite3. The source code of Synapse is written in Python3/Twisted4 and can be found at GitHub.

Basic setup

The Synapse — UberLab 7 documentation describes the basic setup at my hosting provider. Other installation instructions are found in the project documentation.

Delegation

As I want a user ID without a subdomain part I need to use delegation via a .well-known URI5 to get a user ID such as user:example.org instead of user:matrix.example.org. Thus, I specify example.org as server_name at the beginning of the configuration file, but set public_baseurl to the subdomain matrix.example.org.

For the .well-known announcement I create .well-known/matrix/server in the Document_Root of my webserver containing:

{
    "m.server": "matrix.example.org:443"
}

{{< callout type="info" >}} If you're running Nextcloud in the Document_Root, its .htaccess file needs editing for proper redirection. {{< /callout >}}

Ultimately, I use the federation tester to check my instance.

Privacy

The default configuration of Synapse isn't aligned to be privacy respecting as researched by Libre Monde ASBL, but there are means to opt-out of statistics and metrics, for example. I refer to the config documentation and edit the main configuration file homeserver.yaml as follows.

Metrics and stats

I opt-out of metrics and statistics data collection by using the following configuration settings:

enable_metrics: false
report_stats: false

Push

When using Push notifications6, the message content isn't encrypted. For this reason, I create a push section and set include_content to false.

Profile data

As I don't want my profile information to be visible to the public and shared in rooms I am invited to before joining them, I change the following settings:

require_auth_for_profile_requests: true
limit_profile_requests_to_users_who_share_rooms: true
include_profile_data_on_invite: false

Logging

Synapse log configuration file is typically named after the server name with the suffix .log.config appended. If I need to investigate errors, I change both level parameters in the synapse.storage.SQL subsection below loggers and in the root section. Allowed values are CRITICAL, ERROR, WARNING, INFO, and DEBUG. The default value is INFO as shown in the sample config.

Known issues

This section is about issues I came accross in relation to the interaction with other services of my infrastructure and documents quick and dirty solutions rather than implementing secure and clean code.

Nextcloud redirects

When using delegation and running Nextcloud at the top-level domain, URL rewriting in .htaccess redirects all the traffic for documents in the .well-known directory to Nextcloud. A solution is to add the following rewrite condition inside the .htaccess file in both sections before the rewrite rules:

RewriteCond %{REQUEST_URI} !^/\.well-known/matrix/server

  1. About Matrix website ↩︎

  2. Raspberry Pi in the Wikipedia ↩︎

  3. Conduit and Dendrite projects ↩︎

  4. Twisted in the Wikipedia ↩︎

  5. Well-known URI in the Matrix specification ↩︎

  6. Push notifications in the Wikipedia ↩︎