Dorimu

Matrix Synapse Decentralized Encrypted Chat Server Deployment Tutorial (Open Source no IM)

Before You Start

This article on my blog

If you are not familiar with the related concepts, you can jump to the Introduction at the bottom of the page.

Deployment

1. Deploy PostgreSQL

The installation process can be referenced through search engines, so I won't elaborate too much here.

Create Database

If your database superuser is named user:

psql -U user # Enter the database

Create a new user (assuming the username is synapse_user):

CREATE USER synapse_user WITH PASSWORD 'password';

Replace password with the password you want to set.

Create the database synapse:

CREATE DATABASE synapse
    WITH ENCODING 'UTF8'
    LC_COLLATE 'C'
    LC_CTYPE 'C'
    TEMPLATE template0;
GRANT ALL PRIVILEGES ON DATABASE synapse TO synapse_user;

The C collation and template0 are what Synapse requires. Note that on PostgreSQL 15 and later a GRANT on the database alone no longer lets the role create tables in the public schema, so make synapse_user the owner of the database (OWNER synapse_user in CREATE DATABASE, or ALTER DATABASE synapse OWNER TO synapse_user) before starting Synapse for the first time.

2. Install Synapse

Because I want the server_name of the Synapse server (the suffix of user IDs, such as @user:my-example.com) to be the root domain while the server is actually reached at another name (such as chat.my-example.com, the domain assigned to your server), the two are linked through delegation.

Under the root domain of server_name (my-example.com), serve a file at .well-known/matrix/server with the following content:

{
  "m.server": "chat.my-example.com:443"
}

This file tells other Matrix servers that the Synapse server for my-example.com is actually reached at chat.my-example.com:443. It must be served over HTTPS with a certificate valid for my-example.com, otherwise other homeservers ignore it.

Docker Deployment

How to install Docker can be found through search engines.

docker run -it --rm -v /data/matrix-synapse-data/:/data/ -e SYNAPSE_SERVER_NAME=your_server_domain -e SYNAPSE_REPORT_STATS=no matrixdotorg/synapse:latest generate

Explanation of each parameter:

-e SYNAPSE_REPORT_STATS: whether to send anonymous usage statistics

-v /data/matrix-synapse-data/:/data/: the host path mapped to the container's data directory; it can be left unchanged

-e SYNAPSE_SERVER_NAME: your server's domain name, not server_name

The generate command writes an initial homeserver.yaml, a log configuration and the server's signing key into the mapped directory; the next section edits that homeserver.yaml.

Synapse Configuration

We have reached the trickiest part of this tutorial, so be careful: YAML is strict about indentation and punctuation, and if Synapse refuses to start, check both first.

Configuring Synapse mainly means editing homeserver.yaml in /data/matrix-synapse-data/.

Here is my example; pay close attention to it. For all other options, refer to the official documentation (Configuration - Synapse).

server_name: "my-example.com"                  # suffix of user IDs (@user:my-example.com)
public_baseurl: https://chat.my-example.com/   # enter your domain: the address clients actually connect to
pid_file: /data/homeserver.pid
listeners:
  - port: 8008
    tls: false            # TLS is terminated by the Nginx reverse proxy
    type: http
    x_forwarded: true     # take client IPs from X-Forwarded-For set by the proxy
    resources:
      - names: [client, federation, openid]
        compress: false
database:  # adjust to match your database configuration
  name: psycopg2
  args:
    user: synapse_user
    password: password    # the password chosen in the CREATE USER step
    database: synapse
    host: 192.168.1.1
    cp_min: 5
    cp_max: 10
    keepalives_idle: 30
    keepalives_interval: 10
    keepalives_count: 3
log_config: "/data/dorimu.cn.log.config"
media_store_path: /data/media_store

# These lines are written by the generate step; keep the values it produced (omitted here), do not modify them
registration_shared_secret: ""
report_stats: false
macaroon_secret_key: ""
form_secret: ""
signing_key_path: ""

trusted_key_servers:
  - server_name: "matrix.org"
suppress_key_server_warning: true
# Enable registration for new users
enable_registration: true
# Register without email or recaptcha verification (not recommended)
enable_registration_without_verification: false
email: # Email configuration, used for registration verification and notifications
  smtp_host: smtp-mail.outlook.com
  smtp_port: 587
  smtp_user: "11" # Username
  smtp_pass: "11"
  force_tls: false
  require_transport_security: false  # false lets Synapse fall back to an unencrypted SMTP session if STARTTLS is unavailable; set true once TLS is confirmed working
  enable_tls: true
  notif_from: "user" # From address of notification mails (usually the mailbox you log in with)
  enable_notifs: true
  notif_for_new_users: false
  client_base_url: "https://my-example.com"
  validation_token_lifetime: 15m
  invite_client_location: https://my-example.com
registrations_require_3pid:
  - email
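The settings above combine several choices that interact: registration policy, a plain-HTTP listener behind a proxy, SMTP credentials and the database password. The audit below is an added example, not part of the original post or of Synapse itself; it takes the parsed YAML mapping (what yaml.safe_load returns for homeserver.yaml) and here runs on a constructed dict that mirrors the example configuration.

```python
import copy


def audit_homeserver(cfg: dict) -> list[str]:
    """Return findings for the registration, proxy, email and database settings
    in a parsed homeserver.yaml mapping (cfg is what yaml.safe_load returns)."""
    findings = []
    if cfg.get("enable_registration"):
        if cfg.get("enable_registration_without_verification"):
            findings.append("open registration: anyone can create accounts with no verification")
        elif not cfg.get("registrations_require_3pid") and not cfg.get("enable_registration_captcha"):
            findings.append("enable_registration is on but no 3PID or captcha is required")
    base = cfg.get("public_baseurl", "")
    if not base.startswith("https://"):
        findings.append(f"public_baseurl should use https, got {base!r}")
    for listener in cfg.get("listeners", []):
        if listener.get("type") == "http" and not listener.get("tls") and not listener.get("x_forwarded"):
            findings.append(f"plain-http listener on port {listener.get('port')} without x_forwarded: "
                            "client IPs would be logged as the proxy's address")
    email = cfg.get("email") or {}
    if email and not email.get("require_transport_security") and not email.get("force_tls"):
        findings.append("email: require_transport_security and force_tls are both off, so SMTP "
                        "credentials may be sent in cleartext if STARTTLS is unavailable")
    password = (cfg.get("database") or {}).get("args", {}).get("password")
    if not password or password == "password":
        findings.append("database password is empty or the literal placeholder 'password'")
    return findings


# Constructed dict mirroring the homeserver.yaml above (yaml.safe_load gives the same shape).
TUTORIAL_CONFIG = {
    "server_name": "my-example.com",
    "public_baseurl": "https://chat.my-example.com/",
    "listeners": [{"port": 8008, "tls": False, "type": "http", "x_forwarded": True}],
    "database": {"name": "psycopg2", "args": {"user": "synapse_user", "password": "password",
                                              "database": "synapse", "host": "192.168.1.1"}},
    "enable_registration": True,
    "enable_registration_without_verification": False,
    "email": {"smtp_host": "smtp-mail.outlook.com", "smtp_port": 587, "force_tls": False,
              "require_transport_security": False, "enable_tls": True},
    "registrations_require_3pid": ["email"],
}


def hardened(cfg: dict) -> dict:
    """Copy of cfg with the two weak settings the example ships corrected."""
    fixed = copy.deepcopy(cfg)
    fixed["database"]["args"]["password"] = "a-long-random-secret-from-your-password-manager"
    fixed["email"]["require_transport_security"] = True
    return fixed
```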

Run

docker run -d --name synapse -v /data/matrix-synapse-data/:/data/ -p 8008:8008 -p 8009:8009 -p 8448:8448 matrixdotorg/synapse:latest

Only the 8008 listener exists in the configuration above; 8009 and 8448 are published here but stay unused unless you add listeners for them. Since Nginx connects from the same host, binding the published port to loopback (-p 127.0.0.1:8008:8008) keeps the plaintext listener off the public interface.

Create Admin User

docker exec -it synapse register_new_matrix_user http://localhost:8008 -c /data/homeserver.yaml -a -u username -p password

-c points at the config so that the registration_shared_secret it contains authorizes the request; -a makes the new user a server admin.

3. Nginx Reverse Proxy

# Place these inside the server block for chat.my-example.com (the one listening on 443 with TLS).
# Synapse only speaks plain HTTP on 8008; the proxy terminates TLS and forwards the original
# scheme and client address, which the listener's x_forwarded: true relies on.
client_max_body_size 50M;  # at least Synapse's max_upload_size (default 50M), or uploads fail with 413
location ^~ /_matrix/ {
    proxy_pass http://127.0.0.1:8008;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header REMOTE-HOST $remote_addr;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_http_version 1.1;  # HTTP/1.0 cannot carry the Upgrade header set above
    add_header X-Cache $upstream_cache_status;
    add_header Cache-Control no-cache;
}
# The admin API (/_synapse/admin) and /_synapse/client are served by the same 8008 listener.
# If the admin API is not needed from the public internet, restrict this location with allow/deny.
location ^~ /_synapse/ {
    proxy_pass http://127.0.0.1:8008;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header REMOTE-HOST $remote_addr;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_http_version 1.1;
    add_header X-Cache $upstream_cache_status;
    add_header Cache-Control no-cache;
}

4. Web Client and Admin Panel (Optional)

Web Client

element-hq/element-web: A glossy Matrix collaboration client for the web.

Go to the release page, download the latest version and unzip it into the server's web directory (static deployment).

Remember to edit config.sample.json, setting the homeserver address to your server, and rename the file to config.json.

Admin Panel

Awesome-Technologies/synapse-admin: Admin console for synapse Matrix homeserver

Go to the release page, download the latest version and unzip it into the server's web directory (static deployment). It talks to the /_synapse/admin API, so the /_synapse/ proxy location from step 3 must be in place.

5. Testing

Test with the Matrix Federation Tester: enter your server_name and check the output.
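The federation tester walks the delegation chain set up in step 2: first the .well-known file on my-example.com, then the key response of the delegated host. The following is an added example, not the tester's own code and not part of the original post: an offline parser for the .well-known body plus a sanity check of a constructed /_matrix/key/v2/server response (a real check fetches both over HTTPS, which this omits).

```python
import json
import re

# m.server is "<host>" or "<host>:<port>"; host is a DNS name or a bracketed IPv6 literal.
_MSERVER_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+|\[[0-9A-Fa-f:.]+\])(?::(?P<port>\d{1,5}))?$")


def parse_well_known(body: bytes) -> tuple[str, int]:
    """Parse /.well-known/matrix/server into (host, port); with no explicit port the
    spec falls through SRV to 8448, which this helper returns without doing SRV."""
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise ValueError(f"well-known is not valid JSON: {exc}") from exc
    value = data.get("m.server") if isinstance(data, dict) else None
    if not isinstance(value, str):
        raise ValueError('well-known must be an object with a string "m.server"')
    match = _MSERVER_RE.match(value)
    if match is None:
        raise ValueError(f"malformed m.server: {value!r}")
    port = int(match.group("port")) if match.group("port") else 8448
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in m.server: {port}")
    return match.group("host"), port


def check_key_response(server_name: str, body: bytes, now_ms: int) -> list[str]:
    """Return problems in the delegated host's GET /_matrix/key/v2/server: peers refuse
    to federate unless it claims the publisher's server_name with a live ed25519 key."""
    keys = json.loads(body)
    problems = []
    if keys.get("server_name") != server_name:
        problems.append(f"server_name mismatch: {keys.get('server_name')!r} != {server_name!r}")
    if not any(k.startswith("ed25519:") for k in keys.get("verify_keys", {})):
        problems.append("no ed25519 verify key published")
    if keys.get("valid_until_ts", 0) <= now_ms:
        problems.append("published keys are expired (valid_until_ts in the past)")
    return problems


# Constructed sample data mirroring the tutorial's delegation setup.
WELL_KNOWN = b'{"m.server": "chat.my-example.com:443"}'
KEY_RESPONSE = json.dumps({
    "server_name": "my-example.com",
    "verify_keys": {"ed25519:a_key_id": {"key": "constructed-base64-placeholder"}},
    "old_verify_keys": {},
    "valid_until_ts": 2_000_000_000_000,
}).encode()
```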

Introduction

What is Matrix?

The flexibility and security of the Matrix protocol make it a powerful communication solution, especially for users who care about privacy and freedom of communication. Its openness and interoperability make Matrix a very promising communication standard.

Matrix has the following features:

  1. Decentralized Architecture: Matrix adopts a decentralized architecture, with no single central server, but rather a network composed of multiple independent servers. This means users can choose their own server or self-host a server without relying on a single service provider.
  2. End-to-End Encryption: Matrix provides support for end-to-end encryption, ensuring that messages are encrypted between the sender and receiver, and intermediate servers cannot access the message content. This provides advanced communication privacy and security.
  3. Interoperability: One of the main goals of Matrix is to achieve interoperability between different communication applications. This means users can use different client applications and still communicate with other users, regardless of which application or server they are using.
  4. Open Source and Open Standards: The Matrix protocol is an open standard that anyone can view and implement. This openness helps ensure security and scalability and reduces the risk of hidden backdoors.
  5. Multiple Authentication Mechanisms: Matrix supports various authentication methods, including username and password, single sign-on, OpenID Connect, etc., allowing users to choose the authentication method that suits their needs.
  6. Active Community Support: The Matrix community is very active, with many developers and users participating in continuously improving and expanding the protocol to meet the evolving communication needs.

Because Matrix is a decentralized protocol, you can use any client that supports it to connect to any Matrix server.

The Matrix protocol supports many features:

  • Decentralized communication (create an account on any Matrix server and communicate with users on other servers through "federation")
  • End-to-end encryption
  • WebRTC voice/video calls (yes! The Matrix protocol actually supports video calls)
  • Message read receipts
  • Typing indicators
  • Group chats

What is End-to-End Encryption?

End-to-end encryption can be understood as direct, private communication between two endpoints. An example makes it easier to follow:

Suppose Xiao Ming sends a message from Device A to Xiao Hong's Device B. Xiao Hei wants to see what they are chatting about, so he steals Xiao Hong's account password and successfully logs into her account on Device C.

Can Xiao Hei see their chat history? No. In an end-to-end encrypted conversation, every outgoing message is encrypted automatically.

When Xiao Ming sends a message to Xiao Hong, the string needed to decrypt it, called the decryption key, is delivered along with it. Xiao Hong's Device B receives that key together with the message, so she can read it normally. Device C, which Xiao Hei logged into later, never received the key, so he cannot decrypt the earlier messages.

End-to-end encryption is currently one of the safest privacy protections available and meets the security needs of most people.

What is Synapse?

Matrix is a protocol, while Synapse is a specific implementation (a homeserver) of the Matrix protocol.

Besides Synapse, there are other Matrix server implementations, such as Dendrite.

Moreover, Synapse itself is just a server without a graphical interface; to chat, you also need a client that supports the Matrix protocol. The best-known and most commonly used such client is Element.
