docker-matrix

Setup examples

These are example setups that can be used as a guide if you happen to use the same setup, or as a reference if your situation differs a bit.
It is still highly recommended to read the synapse readme which goes in to much more detail.

Server at home behind NAT

The first thing we need is a DNS A record to your home IP (perferably a static IP, if you don’t have that a dynamic dns service could work as well). If you host more services at home a subdomain can work, such as matrix.example.com.
In this example we’re going to host the matrix server on the matrix.example.com subdomain and we’re going to assume this runs on the same host as where the main domain is pointing to.
We’re going to use version v0.26.0, be sure to use the docker image tag for the version you want to use. Add the matrix.example.com DNS A record pointing to the same IP as the example.com domain.
When using a subdomain it is recommended to make an SRV record pointing to matrix subdomain:       _matrix._tcp.example.com 3600 IN SRV 10 0 8448 matrix.example.com  

The DNS record should then look something like:

    $ dig -t srv _matrix._tcp.example.com
    _matrix._tcp.example.com. 3600    IN      SRV     10 0 8448 matrix.example.com.

Once that’s done we can generate the config files and self signed certificate:

   ` docker run -v /opt/synapse:/data –rm -e SERVER_NAME=example.com -e REPORT_STATS=no avhost/docker-matrix:v0.26.0 generate`

At this point it’s possible to edit the configuration file homeserver.yaml and turnserver.conf, located in this example in /opt/synapse
In homeserver.yaml we may want to enable registration and recaptcha
In turnserver.conf we have to set the external ip and we can change the TURN portrange. The default TURN port range is 49152-65535 but because docker doesn’t like publishing large port ranges we’ll decrease the portrange here. If you want to keep using the default port range more information can be found here.

    external-ip=203.0.113.0
    min-port=49152
    max-port=49300

The next step is to forward the relevant ports in the router to the server (note that docker by default writes iptables rules to open the ports needed):

443, 8448 TCP for the matrix server (443 for clients 8448 for federation)
3478, 5349 TCP/UDP for STUN
49152-49300 TCP/UDP for TURN

We now need to configure the webserver reverse proxy. This is done to allow clients to connect on the default 443 port and to use a valid certificate (for instance letsencrypt).
For more details on reverse proxy look at the documentation for the webserver of choice. Here we give an example config for apache2:
First we need to enable mod_proxy and mod_proxy_http and mod_ssl, if you haven’t already:
# a2enmod proxy proxy_http ssl
Then we can create the apache config for the subdomain using a reverse proxy by making /etc/apache2/sites-available/matrix.example.com-ssl.conf.
This is an example of a resulting config. Note that letsencrypt should write part of the config using certbot.

<IfModule mod_ssl.c>
<VirtualHost *:443>
   ServerName matrix.example.com
   ServerAdmin webmaster@localhost
   DocumentRoot /var/www/html

   ErrorLog ${APACHE_LOG_DIR}/error.log
   CustomLog ${APACHE_LOG_DIR}/access.log combined

   RewriteEngine on
   SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
   SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
   Include /etc/letsencrypt/options-ssl-apache.conf
   <Location />
      ProxyPass  http://127.0.0.1:8008/
      ProxyPassReverse  /
   </Location>
   ProxyVia On
   ProxyPreserveHost On
   RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
   </VirtualHost>
   # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
</IfModule>

Once the config is created we’ll need to enable the site:
a2ensite matrix.example.com

At this point we’re ready to start the server:
docker run --name=matrix -d --restart=always -p 8448:8448 -p 8008:8008 -p 3478:3478 -p 3478:3478/udp -p 5349:5349/udp -p 5349:5349 -p 49152-49300:49152-49300/udp -p 49152-49300:49152-49300 -v /opt/synapse:/data avhost/docker-matrix:v0.26.0 start

After the container successfully started and the reverse proxy is configured we should be able to connect to the server using a matrix client and register a user (if that was enabled in the config).

If the client connected successfully we should check whether the federation works properly by going to:

https://matrix.org/federationtester/api/report?server_name=example.com

If everything checks out this means the synapse server is up and running.