Create a Chat Server Using Matrix Synapse and Riot on CentOS 7

Matrix is an open standard communication protocol for decentralized real time communication. Matrix is implemented as home servers which are distributed over the internet; hence there is no single point of control or failure. Matrix provides a RESTful HTTP API for creating and managing the distributed chat servers that includes sending and receiving messages, inviting and managing chat room members, maintaining user accounts, and providing advanced chat features such as VoIP and Video calls, etc. Matrix also establishes a secure synchronization between home servers which are distributed across the globe.

Synapse is the implementation of Matrix home server written by the Matrix team. The Matrix ecosystem consists of the network of many federated home servers distributed across the globe. A Matrix user uses a chat client to connect to the home server, which in turn connects to the Matrix network. Homeserver stores the chat history and the login information of that particular user.

Prerequisites

  • A Vultr CentOS 7 server instance.
  • A sudo user.

In this tutorial, we will use matrix.example.com as the domain name used for Matrix Synapse. Replace all occurrences of matrix.example.com with your actual domain name you want to use for your Synapse home server.

Update your base system using the guide How to Update CentOS 7. Once your system is updated, proceed to install Python.

Install Development Tools

Matrix Synapse needs Python 2.7 to work. Python 2.7 comes preinstalled in all CentOS server instances. You can check the installed version of Python.

python -V

You should get a similar output.

[user@vultr ~]$ python -V
Python 2.7.5

Changing the default version of Python may break YUM repository manager. However, if you want the most recent version of Python, you can make an alternative install, without replacing the default Python.

Install the packages in the Development tools group that are required for compiling the installer files.

sudo yum groupinstall -y "Development tools"

Install a few more required dependencies.

sudo yum -y install libtiff-devel libjpeg-devel libzip-devel freetype-devel lcms2-devel libwebp-devel tcl-devel tk-devel redhat-rpm-config python-virtualenv libffi-devel openssl-devel 

Install Python pip. Pip is the dependency manager for Python packages.

wget https://bootstrap.pypa.io/get-pip.py
sudo python get-pip.py

Install Synapse

Create a virtual environment for your Synapse application. Python virtual environment is used to create an isolated virtual environment for a Python project. A virtual environment contains its own installation directories and doesn’t share libraries with global and other virtual environments.

sudo virtualenv -p python2.7 /opt/synapse

Provide the ownership of the directory to the current user.

sudo chown -R $USER:$USER /opt/synapse/

Now activate the virtual environment.

source /opt/synapse/bin/activate

Ensure that you have the latest version of pip and setuptools.

pip install --upgrade pip 
pip install --upgrade setuptools

Install the latest version of Synapse using pip.

pip install https://github.com/matrix-org/synapse/tarball/master

The above command will take some time to execute as it pulls and installs the latest version of Synapse and all the dependencies from Github repository.

Installing and Configuring PostgreSQL

Synapse uses SQLite as the default database. SQLite stores the data in a database which is kept as a flat file on disk. Using SQLite is very simple, but not recommended for production as it is very slow compared to PostgreSQL.

PostgreSQL is an object relational database system. You will need to add the PostgreSQL repository in your system, as the application is not available in the default YUM repository.

sudo rpm -Uvh https://download.postgresql.org/pub/repos/yum/9.6/redhat/rhel-7-x86_64/pgdg-centos96-9.6-3.noarch.rpm

Install the PostgreSQL database server.

sudo yum -y install postgresql96-server postgresql96-contrib

Initialize the database.

sudo /usr/pgsql-9.6/bin/postgresql96-setup initdb

Edit the /var/lib/pgsql/9.6/data/pg_hba.conf to enable MD5 based authentication.

sudo nano /var/lib/pgsql/9.6/data/pg_hba.conf

Find the following lines and change peer to trust and idnet to md5.

# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
local   all             all                                     peer
# IPv4 local connections:
host    all             all             127.0.0.1/32            idnet
# IPv6 local connections:
host    all             all             ::1/128                 idnet

Once updated, the configuration should look like this.

# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
local   all             all                                     trust
# IPv4 local connections:
host    all             all             127.0.0.1/32            md5
# IPv6 local connections:
host    all             all             ::1/128                 md5

Start the PostgreSQL server and enable it to start automatically at boot.

sudo systemctl start postgresql-9.6
sudo systemctl enable postgresql-9.6

Change the password for the default PostgreSQL user.

sudo passwd postgres

Login.

sudo su - postgres

Create a new PostgreSQL user for Synapse.

createuser synapse

PostgreSQL provides the psql shell to run queries on the database. Switch to the PostgreSQL shell by running.

psql

Set a password for the newly created user for Synapse database.

ALTER USER synapse WITH ENCRYPTED password 'DBPassword';

Replace DBPassword with a strong password and make a note of it as we will use the password later. Create a new database for the PostgreSQL database.

CREATE DATABASE synapse ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER synapse;

Exit from the psql shell.

\q

Switch to the sudo user from current postgres user.

exit

You will also need to install the packages required for Synapse to communicate with the PostgreSQL database server.

sudo yum -y install postgresql-devel libpqxx-devel.x86_64
source /opt/synapse/bin/activate
pip install psycopg2

Configuring Synapse

Synapse requires a configuration file before it can be started. The configuration file stores the server settings. Switch to the virtual environment and generate the configuration for Synapse.

source /opt/synapse/bin/activate
cd /opt/synapse
python -m synapse.app.homeserver --server-name matrix.example.com --config-path homeserver.yaml --generate-config --report-stats=yes

Replace matrix.example.com with your actual domain name and make sure that the server name is resolvable to the IP address of your Vultr instance. Provide --report-stats=yes if you want the servers to generate the reports, provide --report-stats=no to disable the generation of reports and statistics.

You should see a similar output.

(synapse)[user@vultr synapse]$ python -m synapse.app.homeserver --server-name matrix.example.com --config-path homeserver.yaml --generate-config --report-stats=yes
A config file has been generated in 'homeserver.yaml' for server name 'matrix.example.com' with corresponding SSL keys and self-signed certificates. Please review this file and customise it to your needs.
If this server name is incorrect, you will need to regenerate the SSL certificates

By default, the homeserver.yaml is configured to use a SQLite database. We need to modify it to use the PostgreSQL database we have created earlier.

Edit the newly created homeserver.yaml.

nano homeserver.yaml

Find the existing database configuration which uses SQLite3. Comment out the lines as shown below. Also, add the new database configuration for PostgreSQL. Make sure that you use the correct database credentials.

# Database configuration
#database:
  # The database engine name
  #name: "sqlite3"
  # Arguments to pass to the engine
  #args:
    # Path to the database
    #database: "/opt/synapse/homeserver.db"


database:
    name: psycopg2
    args:
        user: synapse
        password: DBPassword
        database: synapse
        host: localhost
        cp_min: 5
        cp_max: 10

Registration of a new user from a web interface is disabled by default. To enable registration, you can set enable_registration to True. You can also set a secret registration key, which allows anyone to register who has the secret key, even if registration is disabled.

enable_registration: False

registration_shared_secret: "YPPqCPYqCQ-Rj,ws~FfeLS@maRV9vz5MnnV^r8~pP.Q6yNBDG;"

Save the file and exit from the editor. Now you will need to register your first user. Before you can register a new user, though, you will need to start the application first.

source /opt/synapse/bin/activate && cd /opt/synapse
synctl start

You should see the following lines.

2017-09-05 11:10:41,921 - twisted - 131 - INFO - - SynapseSite starting on 8008
2017-09-05 11:10:41,921 - twisted - 131 - INFO - - Starting factory <synapse.http.site.SynapseSite instance at 0x44bbc68>
2017-09-05 11:10:41,921 - synapse.app.homeserver - 201 - INFO - - Synapse now listening on port 8008
2017-09-05 11:10:41,922 - synapse.app.homeserver - 442 - INFO - - Scheduling stats reporting for 3 hour intervals
started synapse.app.homeserver('homeserver.yaml')

Register a new Matrix user.

register_new_matrix_user -c homeserver.yaml https://localhost:8448

You should see the following.

(synapse)[user@vultr synapse]$ register_new_matrix_user -c homeserver.yaml https://localhost:8448
New user localpart [user]: admin
Password:
Confirm password:
Make admin [no]: yes
Sending registration request...
Success.

Finally, before you can use the Homeserver, you will need to allow port 8448 through the Firewall. Port 8448 is used as the secured federation port. Homeservers use this port to communicate with each other securely. You can also use the built-in Matrix web chat client through this port.

sudo firewall-cmd --permanent --zone=public --add-port=8448/tcp
sudo firewall-cmd --reload

You can now log in to the Matrix web chat client by going to https://matrix.example.com:8448 through your favorite browser. You will see a warning about the SSL certificate as the certificates used are self-signed. We will not use this web chat client as it is outdated and not maintained anymore. Just try to check if you can log in using the user account you just created.

Setting up Let’s Encrypt Certificates

Instead of using a self-signed certificate for securing federation port, we can use Let’s Encrypt free SSL. Let’s Encrypt free SSL can be obtained through the official Let’s Encrypt client called Certbot.

Install Certbot.

sudo yum -y install certbot

Adjust your firewall setting to allow the standard HTTP and HTTPS ports through the firewall. Certbot needs to make an HTTP connection to verify the domain authority.

sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload

To obtain certificates from Let’s Encrypt CA, you must ensure that the domain for which you wish to generate the certificates is pointed towards the server. If it is not, then make the necessary changes to the DNS records of your domain and wait for the DNS to propagate before making the certificate request again. Certbot checks the domain authority before providing the certificates.

Now use the built-in web server in Certbot to generate the certificates for your domain.

sudo certbot certonly --standalone -d matrix.example.com

The generated certificates are likely to be stored in /etc/letsencrypt/live/matrix.example.com/. The SSL certificate will be stored as fullchain.pem and the private key will be stored as privkey.pem.

Copy the certificates.

sudo cp /etc/letsencrypt/live/matrix.example.com/fullchain.pem /opt/synapse/letsencrypt-fullchain.pem

sudo cp /etc/letsencrypt/live/matrix.example.com/privkey.pem /opt/synapse/letsencrypt-privkey.pem

You will need to change the path to the certificates and keys from the homeserver.yaml file. Edit the configuration.

nano /opt/synapse/homeserver.yaml

Find the following lines and modify the path.

tls_certificate_path: "/opt/synapse/letsencrypt-fullchain.pem"

# PEM encoded private key for TLS
tls_private_key_path: "/opt/synapse/letsencrypt-privkey.pem"

Save the file and exit from the editor. Restart the Synapse server so that the changes can take effect.

source /opt/synapse/bin/activate && cd /opt/synapse
synctl restart

Let’s Encrypt certificates are due to expire in 90 days, so it is recommended that you setup auto renewal for the certificates using cron jobs. Cron is a system service which is used to run periodic tasks.

Create a new script to renew certificates and copy the renewed certificates to the Synapse directory.

sudo nano /opt/renew-letsencypt.sh  

Populate the file.

#!/bin/sh

/usr/bin/certbot renew --quiet --nginx
cp /etc/letsencrypt/live/matrix.example.com/fullchain.pem /opt/synapse/letsencrypt-fullchain.pem
cp /etc/letsencrypt/live/matrix.example.com/privkey.pem /opt/synapse/letsencrypt-privkey.pem

Provide the execution permission.

sudo chmod +x /opt/renew-letsencypt.sh

Open the cron job file.

sudo crontab -e

Add the following line at the end of the file.

30 5 * * 1 /opt/renew-letsencypt.sh

The above cron job will run every Monday at 5:30 AM. If the certificate is due to expire, it will automatically renew them.

Now you can visit https://matrix.example.com:8448. You will see that there is no SSL warning before connection.

Setup Nginx With Let’s Encrypt

Apart from the secured federation port 8448, Synapse also listens to the unsecured client port 8008. We will now configure Nginx as a reverse proxy to the Synapse application.

sudo yum -y install nginx

Create a new configuration file.

sudo nano /etc/nginx/conf.d/synapse.conf

Populate the file with the following content.

server {
    listen 80;
    server_name matrix.example.com;
    return 301 https://$host$request_uri;
}
server {

    listen 443;
    server_name matrix.example.com;

    ssl_certificate           /etc/letsencrypt/live/matrix.example.com/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/matrix.example.com/privkey.pem;

    ssl on;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    access_log    /var/log/nginx/synapse.access.log;

    location /_matrix {

      proxy_pass          http://localhost:8008;
      proxy_set_header X-Forwarded-For $remote_addr;

    }
  }

Restart and enable Nginx to automatically start at boot time.

sudo systemctl restart nginx
sudo systemctl enable nginx

Finally, you can verify if Synapse can be accessed through the reverse proxy.

curl https://matrix.example.com/_matrix/key/v2/server/auto

You should get similar output.

[user@vultr ~]$ curl https://matrix.example.com/_matrix/key/v2/server/auto
{"old_verify_keys":{},"server_name":"matrix.example.com","signatures":{"matrix.example.com":{"ed25519:a_ffMf":"T/Uq/UN5vyc4w7v0azALjPIJeZx1vQ+HC6ohUGkTSqiFI4WI/ojGpb2763arwSSQLr/tP/2diCi1KLU2DEnOCQ"}},"tls_fingerprints":[{"sha256":"eorhQj/kubI2PEQZyBZvGV7K1x3EcQ7j/AO2MtZMplw"}],"valid_until_ts":1504876080512,"verify_keys":{"ed25519:a_ffMf":{"key":"Gc1hxkpPmQv71Cvjyk+uzR5UtrpmgV/UwlsLtosawEs"}}}

Setting up the Systemd Service

It is recommended to use the Systemd service to manage the Synapse server process. Using Systemd will ensure that the server is automatically started on system startup and failures.

Create a new Systemd service file.

sudo nano /etc/systemd/system/matrix-synapse.service

Populate the file.

[Unit]
Description=Matrix Synapse service
After=network.target

[Service]
Type=forking
WorkingDirectory=/opt/synapse/
ExecStart=/opt/synapse/bin/synctl start
ExecStop=/opt/synapse/bin/synctl stop
ExecReload=/opt/synapse/bin/synctl restart
Restart=always
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=synapse

[Install]
WantedBy=multi-user.target

Now you can quickly start the Synapse server.

sudo systemctl start matrix-synapse

To stop or restart the server using following commands.

sudo systemctl stop matrix-synapse
sudo systemctl restart matrix-synapse

You can check the status of service.

sudo systemctl status matrix-synapse

Using Riot

Matrix Synapse server is now installed and configured on your server. As the built-in web client for Matrix is outdated, you can choose from the variety of the client applications available for chat. Riot is the most popular chat client, which is available on almost all platforms. You can use the hosted version of Riot’s web chat client, or you can also host a copy of it on your own server. Apart from this, you can also use Riot’s desktop and mobile chat clients, which are available for Windows, Mac, Linux, IOS and Android.

If you wish to host your own copy of Riot web client, you can read further for the instructions to install Riot on your server. For hosted, desktop and mobile client, you can use your username and password to login directly to your homeserver. Just choose my Matrix ID from the dropdown menu of the Sign In option and provide the username and password you have created during the registration of a new user. Click on the Custom server and use the domain name of your Synapse instance. As we have already configured Nginx, we can just use https://matrix.example.com as the Home server and https://matrix.org as Identity server URL.

Riot Login Example

Setup Riot on Your Own Server.

Riot is also open source and free to host on your own server. It does not require any database or dependencies. As we already have an Nginx server running, we can host it on the same server.

The domain or subdomain you are using for Synapse and Riot must be different to avoid cross-site scripting. However, you can use two subdomains of the same domain. In this tutorial, we will be using riot.example.com as the domain for the Riot application. Replace all occurrence of riot.example.com with your actual domain or subdomain for the Riot application.

Download Riot on your server.

cd /opt/
sudo wget https://github.com/vector-im/riot-web/releases/download/v0.12.3/riot-v0.12.3.tar.gz

You can always find the link to the latest version on Riot’s Github.

Extract the archive.

sudo tar -xzf riot-v*.tar.gz

Rename the directory for handling convenience.

sudo mv riot-v*/ riot/

Because we have already installed Certbot, we can generate the certificates directly. Make sure that the domain or subdomain you are using is pointed towards the server.

sudo systemctl stop nginx
sudo certbot certonly --standalone -d riot.example.com

The generated certificates are likely to be stored in the /etc/letsencrypt/live/riot.example.com/ directory.

Create a virtual host for the Riot application.

sudo nano /etc/nginx/conf.d/riot.conf

Populate the file.

server {
    listen 80;
    server_name riot.example.com;
    return 301 https://$host$request_uri;
}
server {

    listen 443;
    server_name riot.example.com;

    ssl_certificate           /etc/letsencrypt/live/riot.example.com/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/riot.example.com/privkey.pem;

    ssl on;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    root /opt/riot;
    index index.html index.htm;

    location / {
            try_files $uri $uri/ =404;
    }

    access_log    /var/log/nginx/riot.access.log;

  }

Copy the sample configuration file.

sudo cp /opt/riot/config.sample.json /opt/riot/config.json

Now edit the configuration file to make few changes.

sudo nano /opt/riot/config.json

Find the following lines.

"default_hs_url": "https://matrix.org",
"default_is_url": "https://vector.im",

Replace the value of the default home server URL with the URL of your Matrix server. For the identity server URL, you can use the default option, or you can also provide its value to the Matrix identity server, which is https://matrix.org.

"default_hs_url": "https://matrix.example.com",
"default_is_url": "https://matrix.org",

Save the file and exit. Provide ownership of the files to the Nginx user.

sudo chown -R nginx:nginx /opt/riot/

Restart Nginx.

sudo systemctl restart nginx

You can access Riot on https://riot.example.com. You can now log in using the username and password which you have created earlier. You can connect using the default server as we have already changed the default Matrix server for our application.

You now have a Matrix Synapse home server up and running. You also have a hosted copy of Riot, which you can use to send a message to other people using their Matrix ID, email or mobile number. Start by creating a chat room on your server and invite your friends on Matrix to join the chat room you have created.

Have fun!