config_documentation.html 184 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287228822892290229122922293229422952296229722982299230023012302230323042305230623072308230923102311231223132314231523162317231823192320232123222323232423252326232723282329233023312332233323342335233623372338233923402341234223432344234523462347234823492350235123522353235423552356235723582359236023612362236323642365236623672368236923702371237223732374237523762377237823792380238123822383238423852386238723882389239023912392239323942395239623972398239924002401240224032404240524062407240824092410241124122413241424152416241724182419242024212422242324242425242624272428242924302431243224332434243524362437243824392440244124422443244424452446244724482449245024512452245324542455245624572458245924602461246224632464246524662467246824692470247124722473247424752476247724782479248024812482248324842485248624872488248924902491249224932494249524962497249824992500250125022503250425052506250725082509251025112512251325142515251625172518251925202521252225232524252525262527252825292530253125322533253425352536253725382539254025412542254325442545254625472548254925502551255225532554255525562557255825592560256125622563256425652566256725682569257025712572257325742575257625772578257925802581258225832584258525862587258825892590259125922593259425952596259725982599260026012602260326042605260626072608260926102611261226132614261526162617261826192620262126222623262426252626262726282629263026312632263326342635263626372638263926402641264226432644264526462647264826492650265126522653265426552656265726582659266026612662266326642665266626672668266926702671267226732674267526762677267826792680268126822683268426852686268726882689269026912692269326942695269626972698269927002701270227032704270527062707270827092710271127122713271427152716271727182719272027212722272327242725272627272728272927302731273227332734273527362737273827392740274127422743274427452746274727482749275027512752275327542755275627572758275927602761276227632764276527662767276827692770277127722773277427752776277727782779278027812782278327842785278627872788278927902791279227932794279527962797279827992800280128022803280428052806280728082809281028112812281328142815281628172818281928202821282228232824282528262827282828292830283128322833283428352836283728382839284028412842284328442845284628472848284928502851285228532854285528562857285828592860286128622863286428652866286728682869287028712872287328742875287628772878287928802881288228832884288528862887288828892890289128922893289428952896289728982899290029012902290329042905290629072908290929102911291229132914291529162917291829192920292129222923292429252926292729282929293029312932293329342935293629372938293929402941294229432944294529462947294829492950295129522953295429552956295729582959296029612962296329642965296629672968296929702971297229732974297529762977297829792980298129822983298429852986298729882989299029912992299329942995299629972998299930003001300230033004300530063007300830093010301130123013301430153016301730183019302030213022302330243025302630273028302930303031303230333034303530363037303830393040304130423043304430453046304730483049305030513052305330543055305630573058305930603061306230633064306530663067306830693070307130723073307430753076307730783079308030813082308330843085308630873088308930903091309230933094309530963097309830993100310131023103310431053106310731083109311031113112311331143115311631173118311931203121312231233124312531263127312831293130313131323133313431353136313731383139314031413142314331443145314631473148314931503151315231533154315531563157315831593160316131623163316431653166316731683169317031713172317331743175317631773178317931803181318231833184318531863187318831893190319131923193319431953196319731983199320032013202320332043205320632073208320932103211321232133214321532163217321832193220322132223223322432253226322732283229323032313232323332343235323632373238323932403241324232433244324532463247324832493250325132523253325432553256325732583259326032613262326332643265326632673268326932703271327232733274327532763277327832793280328132823283328432853286328732883289329032913292329332943295329632973298329933003301330233033304330533063307330833093310331133123313331433153316331733183319332033213322332333243325332633273328332933303331333233333334333533363337333833393340334133423343334433453346334733483349335033513352335333543355335633573358335933603361336233633364336533663367336833693370337133723373337433753376337733783379338033813382
  1. <!DOCTYPE HTML>
  2. <html lang="en" class="sidebar-visible no-js light">
  3. <head>
  4. <!-- Book generated using mdBook -->
  5. <meta charset="UTF-8">
  6. <title>Configuration Manual - Synapse</title>
  7. <!-- Custom HTML head -->
  8. <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  9. <meta name="description" content="">
  10. <meta name="viewport" content="width=device-width, initial-scale=1">
  11. <meta name="theme-color" content="#ffffff" />
  12. <link rel="icon" href="../../favicon.svg">
  13. <link rel="shortcut icon" href="../../favicon.png">
  14. <link rel="stylesheet" href="../../css/variables.css">
  15. <link rel="stylesheet" href="../../css/general.css">
  16. <link rel="stylesheet" href="../../css/chrome.css">
  17. <link rel="stylesheet" href="../../css/print.css" media="print">
  18. <!-- Fonts -->
  19. <link rel="stylesheet" href="../../FontAwesome/css/font-awesome.css">
  20. <link rel="stylesheet" href="../../fonts/fonts.css">
  21. <!-- Highlight.js Stylesheets -->
  22. <link rel="stylesheet" href="../../highlight.css">
  23. <link rel="stylesheet" href="../../tomorrow-night.css">
  24. <link rel="stylesheet" href="../../ayu-highlight.css">
  25. <!-- Custom theme stylesheets -->
  26. <link rel="stylesheet" href="../../docs/website_files/table-of-contents.css">
  27. <link rel="stylesheet" href="../../docs/website_files/remove-nav-buttons.css">
  28. <link rel="stylesheet" href="../../docs/website_files/indent-section-headers.css">
  29. <link rel="stylesheet" href="../../docs/website_files/version-picker.css">
  30. </head>
  31. <body>
  32. <!-- Provide site root to javascript -->
  33. <script type="text/javascript">
  34. var path_to_root = "../../";
  35. var default_theme = window.matchMedia("(prefers-color-scheme: dark)").matches ? "navy" : "light";
  36. </script>
  37. <!-- Work around some values being stored in localStorage wrapped in quotes -->
  38. <script type="text/javascript">
  39. try {
  40. var theme = localStorage.getItem('mdbook-theme');
  41. var sidebar = localStorage.getItem('mdbook-sidebar');
  42. if (theme.startsWith('"') && theme.endsWith('"')) {
  43. localStorage.setItem('mdbook-theme', theme.slice(1, theme.length - 1));
  44. }
  45. if (sidebar.startsWith('"') && sidebar.endsWith('"')) {
  46. localStorage.setItem('mdbook-sidebar', sidebar.slice(1, sidebar.length - 1));
  47. }
  48. } catch (e) { }
  49. </script>
  50. <!-- Set the theme before any content is loaded, prevents flash -->
  51. <script type="text/javascript">
  52. var theme;
  53. try { theme = localStorage.getItem('mdbook-theme'); } catch(e) { }
  54. if (theme === null || theme === undefined) { theme = default_theme; }
  55. var html = document.querySelector('html');
  56. html.classList.remove('no-js')
  57. html.classList.remove('light')
  58. html.classList.add(theme);
  59. html.classList.add('js');
  60. </script>
  61. <!-- Hide / unhide sidebar before it is displayed -->
  62. <script type="text/javascript">
  63. var html = document.querySelector('html');
  64. var sidebar = 'hidden';
  65. if (document.body.clientWidth >= 1080) {
  66. try { sidebar = localStorage.getItem('mdbook-sidebar'); } catch(e) { }
  67. sidebar = sidebar || 'visible';
  68. }
  69. html.classList.remove('sidebar-visible');
  70. html.classList.add("sidebar-" + sidebar);
  71. </script>
  72. <nav id="sidebar" class="sidebar" aria-label="Table of contents">
  73. <div class="sidebar-scrollbox">
  74. <ol class="chapter"><li class="chapter-item expanded affix "><li class="part-title">Introduction</li><li class="chapter-item expanded "><a href="../../welcome_and_overview.html">Welcome and Overview</a></li><li class="chapter-item expanded affix "><li class="part-title">Setup</li><li class="chapter-item expanded "><a href="../../setup/installation.html">Installation</a></li><li class="chapter-item expanded "><a href="../../postgres.html">Using Postgres</a></li><li class="chapter-item expanded "><a href="../../reverse_proxy.html">Configuring a Reverse Proxy</a></li><li class="chapter-item expanded "><a href="../../setup/forward_proxy.html">Configuring a Forward/Outbound Proxy</a></li><li class="chapter-item expanded "><a href="../../turn-howto.html">Configuring a Turn Server</a></li><li class="chapter-item expanded "><a href="../../delegate.html">Delegation</a></li><li class="chapter-item expanded affix "><li class="part-title">Upgrading</li><li class="chapter-item expanded "><a href="../../upgrade.html">Upgrading between Synapse Versions</a></li><li class="chapter-item expanded affix "><li class="part-title">Usage</li><li class="chapter-item expanded "><a href="../../federate.html">Federation</a></li><li class="chapter-item expanded "><a href="../../usage/configuration/index.html">Configuration</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="../../usage/configuration/config_documentation.html" class="active">Configuration Manual</a></li><li class="chapter-item expanded "><a href="../../usage/configuration/homeserver_sample_config.html">Homeserver Sample Config File</a></li><li class="chapter-item expanded "><a href="../../usage/configuration/logging_sample_config.html">Logging Sample Config File</a></li><li class="chapter-item expanded "><a href="../../structured_logging.html">Structured Logging</a></li><li class="chapter-item expanded "><a href="../../templates.html">Templates</a></li><li class="chapter-item expanded "><a href="../../usage/configuration/user_authentication/index.html">User Authentication</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="../../usage/configuration/user_authentication/single_sign_on/index.html">Single-Sign On</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="../../openid.html">OpenID Connect</a></li><li class="chapter-item expanded "><a href="../../usage/configuration/user_authentication/single_sign_on/saml.html">SAML</a></li><li class="chapter-item expanded "><a href="../../usage/configuration/user_authentication/single_sign_on/cas.html">CAS</a></li><li class="chapter-item expanded "><a href="../../sso_mapping_providers.html">SSO Mapping Providers</a></li></ol></li><li class="chapter-item expanded "><a href="../../password_auth_providers.html">Password Auth Providers</a></li><li class="chapter-item expanded "><a href="../../jwt.html">JSON Web Tokens</a></li><li class="chapter-item expanded "><a href="../../usage/configuration/user_authentication/refresh_tokens.html">Refresh Tokens</a></li></ol></li><li class="chapter-item expanded "><a href="../../CAPTCHA_SETUP.html">Registration Captcha</a></li><li class="chapter-item expanded "><a href="../../application_services.html">Application Services</a></li><li class="chapter-item expanded "><a href="../../server_notices.html">Server Notices</a></li><li class="chapter-item expanded "><a href="../../consent_tracking.html">Consent Tracking</a></li><li class="chapter-item expanded "><a href="../../user_directory.html">User Directory</a></li><li class="chapter-item expanded "><a href="../../message_retention_policies.html">Message Retention Policies</a></li><li class="chapter-item expanded "><a href="../../modules/index.html">Pluggable Modules</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="../../modules/writing_a_module.html">Writing a module</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="../../modules/spam_checker_callbacks.html">Spam checker callbacks</a></li><li class="chapter-item expanded "><a href="../../modules/third_party_rules_callbacks.html">Third-party rules callbacks</a></li><li class="chapter-item expanded "><a href="../../modules/presence_router_callbacks.html">Presence router callbacks</a></li><li class="chapter-item expanded "><a href="../../modules/account_validity_callbacks.html">Account validity callbacks</a></li><li class="chapter-item expanded "><a href="../../modules/password_auth_provider_callbacks.html">Password auth provider callbacks</a></li><li class="chapter-item expanded "><a href="../../modules/background_update_controller_callbacks.html">Background update controller callbacks</a></li><li class="chapter-item expanded "><a href="../../modules/account_data_callbacks.html">Account data callbacks</a></li><li class="chapter-item expanded "><a href="../../modules/porting_legacy_module.html">Porting a legacy module to the new interface</a></li></ol></li></ol></li><li class="chapter-item expanded "><a href="../../workers.html">Workers</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="../../synctl_workers.html">Using synctl with Workers</a></li><li class="chapter-item expanded "><a href="../../systemd-with-workers/index.html">Systemd</a></li></ol></li></ol></li><li class="chapter-item expanded "><a href="../../usage/administration/index.html">Administration</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="../../usage/administration/admin_api/index.html">Admin API</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="../../admin_api/account_validity.html">Account Validity</a></li><li class="chapter-item expanded "><a href="../../usage/administration/admin_api/background_updates.html">Background Updates</a></li><li class="chapter-item expanded "><a href="../../admin_api/event_reports.html">Event Reports</a></li><li class="chapter-item expanded "><a href="../../admin_api/media_admin_api.html">Media</a></li><li class="chapter-item expanded "><a href="../../admin_api/purge_history_api.html">Purge History</a></li><li class="chapter-item expanded "><a href="../../admin_api/register_api.html">Register Users</a></li><li class="chapter-item expanded "><a href="../../usage/administration/admin_api/registration_tokens.html">Registration Tokens</a></li><li class="chapter-item expanded "><a href="../../admin_api/room_membership.html">Manipulate Room Membership</a></li><li class="chapter-item expanded "><a href="../../admin_api/rooms.html">Rooms</a></li><li class="chapter-item expanded "><a href="../../admin_api/server_notices.html">Server Notices</a></li><li class="chapter-item expanded "><a href="../../admin_api/statistics.html">Statistics</a></li><li class="chapter-item expanded "><a href="../../admin_api/user_admin_api.html">Users</a></li><li class="chapter-item expanded "><a href="../../admin_api/version_api.html">Server Version</a></li><li class="chapter-item expanded "><a href="../../usage/administration/admin_api/federation.html">Federation</a></li></ol></li><li class="chapter-item expanded "><a href="../../manhole.html">Manhole</a></li><li class="chapter-item expanded "><a href="../../metrics-howto.html">Monitoring</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="../../usage/administration/monitoring/reporting_homeserver_usage_statistics.html">Reporting Homeserver Usage Statistics</a></li></ol></li><li class="chapter-item expanded "><a href="../../usage/administration/understanding_synapse_through_grafana_graphs.html">Understanding Synapse Through Grafana Graphs</a></li><li class="chapter-item expanded "><a href="../../usage/administration/useful_sql_for_admins.html">Useful SQL for Admins</a></li><li class="chapter-item expanded "><a href="../../usage/administration/database_maintenance_tools.html">Database Maintenance Tools</a></li><li class="chapter-item expanded "><a href="../../usage/administration/state_groups.html">State Groups</a></li><li class="chapter-item expanded "><a href="../../usage/administration/request_log.html">Request log format</a></li><li class="chapter-item expanded "><a href="../../usage/administration/admin_faq.html">Admin FAQ</a></li><li class="chapter-item expanded "><div>Scripts</div></li></ol></li><li class="chapter-item expanded "><li class="part-title">Development</li><li class="chapter-item expanded "><a href="../../development/contributing_guide.html">Contributing Guide</a></li><li class="chapter-item expanded "><a href="../../code_style.html">Code Style</a></li><li class="chapter-item expanded "><a href="../../development/reviews.html">Reviewing Code</a></li><li class="chapter-item expanded "><a href="../../development/releases.html">Release Cycle</a></li><li class="chapter-item expanded "><a href="../../development/git.html">Git Usage</a></li><li class="chapter-item expanded "><div>Testing</div></li><li><ol class="section"><li class="chapter-item expanded "><a href="../../development/demo.html">Demo scripts</a></li></ol></li><li class="chapter-item expanded "><a href="../../opentracing.html">OpenTracing</a></li><li class="chapter-item expanded "><a href="../../development/database_schema.html">Database Schemas</a></li><li class="chapter-item expanded "><a href="../../development/experimental_features.html">Experimental features</a></li><li class="chapter-item expanded "><a href="../../development/dependencies.html">Dependency management</a></li><li class="chapter-item expanded "><div>Synapse Architecture</div></li><li><ol class="section"><li class="chapter-item expanded "><a href="../../development/synapse_architecture/cancellation.html">Cancellation</a></li><li class="chapter-item expanded "><a href="../../log_contexts.html">Log Contexts</a></li><li class="chapter-item expanded "><a href="../../replication.html">Replication</a></li><li class="chapter-item expanded "><a href="../../tcp_replication.html">TCP Replication</a></li></ol></li><li class="chapter-item expanded "><a href="../../development/internal_documentation/index.html">Internal Documentation</a></li><li><ol class="section"><li class="chapter-item expanded "><div>Single Sign-On</div></li><li><ol class="section"><li class="chapter-item expanded "><a href="../../development/saml.html">SAML</a></li><li class="chapter-item expanded "><a href="../../development/cas.html">CAS</a></li></ol></li><li class="chapter-item expanded "><a href="../../development/room-dag-concepts.html">Room DAG concepts</a></li><li class="chapter-item expanded "><div>State Resolution</div></li><li><ol class="section"><li class="chapter-item expanded "><a href="../../auth_chain_difference_algorithm.html">The Auth Chain Difference Algorithm</a></li></ol></li><li class="chapter-item expanded "><a href="../../media_repository.html">Media Repository</a></li><li class="chapter-item expanded "><a href="../../room_and_user_statistics.html">Room and User Statistics</a></li></ol></li><li class="chapter-item expanded "><div>Scripts</div></li><li class="chapter-item expanded affix "><li class="part-title">Other</li><li class="chapter-item expanded "><a href="../../deprecation_policy.html">Dependency Deprecation Policy</a></li><li class="chapter-item expanded "><a href="../../other/running_synapse_on_single_board_computers.html">Running Synapse on a Single-Board Computer</a></li></ol>
  75. </div>
  76. <div id="sidebar-resize-handle" class="sidebar-resize-handle"></div>
  77. </nav>
  78. <div id="page-wrapper" class="page-wrapper">
  79. <div class="page">
  80. <div id="menu-bar-hover-placeholder"></div>
  81. <div id="menu-bar" class="menu-bar sticky bordered">
  82. <div class="left-buttons">
  83. <button id="sidebar-toggle" class="icon-button" type="button" title="Toggle Table of Contents" aria-label="Toggle Table of Contents" aria-controls="sidebar">
  84. <i class="fa fa-bars"></i>
  85. </button>
  86. <button id="theme-toggle" class="icon-button" type="button" title="Change theme" aria-label="Change theme" aria-haspopup="true" aria-expanded="false" aria-controls="theme-list">
  87. <i class="fa fa-paint-brush"></i>
  88. </button>
  89. <ul id="theme-list" class="theme-popup" aria-label="Themes" role="menu">
  90. <li role="none"><button role="menuitem" class="theme" id="light">Light (default)</button></li>
  91. <li role="none"><button role="menuitem" class="theme" id="rust">Rust</button></li>
  92. <li role="none"><button role="menuitem" class="theme" id="coal">Coal</button></li>
  93. <li role="none"><button role="menuitem" class="theme" id="navy">Navy</button></li>
  94. <li role="none"><button role="menuitem" class="theme" id="ayu">Ayu</button></li>
  95. </ul>
  96. <button id="search-toggle" class="icon-button" type="button" title="Search. (Shortkey: s)" aria-label="Toggle Searchbar" aria-expanded="false" aria-keyshortcuts="S" aria-controls="searchbar">
  97. <i class="fa fa-search"></i>
  98. </button>
  99. <div class="version-picker">
  100. <div class="dropdown">
  101. <div class="select">
  102. <span></span>
  103. <i class="fa fa-chevron-down"></i>
  104. </div>
  105. <input type="hidden" name="version">
  106. <ul class="dropdown-menu">
  107. <!-- Versions will be added dynamically in version-picker.js -->
  108. </ul>
  109. </div>
  110. </div>
  111. </div>
  112. <h1 class="menu-title">Synapse</h1>
  113. <div class="right-buttons">
  114. <a href="../../print.html" title="Print this book" aria-label="Print this book">
  115. <i id="print-button" class="fa fa-print"></i>
  116. </a>
  117. <a href="https://github.com/matrix-org/synapse" title="Git repository" aria-label="Git repository">
  118. <i id="git-repository-button" class="fa fa-github"></i>
  119. </a>
  120. <a href="https://github.com/matrix-org/synapse/edit/develop/docs/usage/configuration/config_documentation.md" title="Suggest an edit" aria-label="Suggest an edit">
  121. <i id="git-edit-button" class="fa fa-edit"></i>
  122. </a>
  123. </div>
  124. </div>
  125. <div id="search-wrapper" class="hidden">
  126. <form id="searchbar-outer" class="searchbar-outer">
  127. <input type="search" id="searchbar" name="searchbar" placeholder="Search this book ..." aria-controls="searchresults-outer" aria-describedby="searchresults-header">
  128. </form>
  129. <div id="searchresults-outer" class="searchresults-outer hidden">
  130. <div id="searchresults-header" class="searchresults-header"></div>
  131. <ul id="searchresults">
  132. </ul>
  133. </div>
  134. </div>
  135. <!-- Apply ARIA attributes after the sidebar and the sidebar toggle button are added to the DOM -->
  136. <script type="text/javascript">
  137. document.getElementById('sidebar-toggle').setAttribute('aria-expanded', sidebar === 'visible');
  138. document.getElementById('sidebar').setAttribute('aria-hidden', sidebar !== 'visible');
  139. Array.from(document.querySelectorAll('#sidebar a')).forEach(function(link) {
  140. link.setAttribute('tabIndex', sidebar === 'visible' ? 0 : -1);
  141. });
  142. </script>
  143. <div id="content" class="content">
  144. <main>
  145. <!-- Page table of contents -->
  146. <div class="sidetoc">
  147. <nav class="pagetoc"></nav>
  148. </div>
  149. <h1 id="configuring-synapse"><a class="header" href="#configuring-synapse">Configuring Synapse</a></h1>
  150. <p>This is intended as a guide to the Synapse configuration. The behavior of a Synapse instance can be modified
  151. through the many configuration settings documented here — each config option is explained,
  152. including what the default is, how to change the default and what sort of behaviour the setting governs.
  153. Also included is an example configuration for each setting. If you don't want to spend a lot of time
  154. thinking about options, the config as generated sets sensible defaults for all values. Do note however that the
  155. database defaults to SQLite, which is not recommended for production usage. You can read more on this subject
  156. <a href="../../setup/installation.html#using-postgresql">here</a>.</p>
  157. <h2 id="config-conventions"><a class="header" href="#config-conventions">Config Conventions</a></h2>
  158. <p>Configuration options that take a time period can be set using a number
  159. followed by a letter. Letters have the following meanings:</p>
  160. <ul>
  161. <li><code>s</code> = second</li>
  162. <li><code>m</code> = minute</li>
  163. <li><code>h</code> = hour</li>
  164. <li><code>d</code> = day</li>
  165. <li><code>w</code> = week</li>
  166. <li><code>y</code> = year</li>
  167. </ul>
  168. <p>For example, setting <code>redaction_retention_period: 5m</code> would remove redacted
  169. messages from the database after 5 minutes, rather than 5 months.</p>
  170. <p>In addition, configuration options referring to size use the following suffixes:</p>
  171. <ul>
  172. <li><code>M</code> = MiB, or 1,048,576 bytes</li>
  173. <li><code>K</code> = KiB, or 1024 bytes</li>
  174. </ul>
  175. <p>For example, setting <code>max_avatar_size: 10M</code> means that Synapse will not accept files larger than 10,485,760 bytes
  176. for a user avatar.</p>
  177. <h3 id="yaml"><a class="header" href="#yaml">YAML</a></h3>
  178. <p>The configuration file is a <a href="https://yaml.org/">YAML</a> file, which means that certain syntax rules
  179. apply if you want your config file to be read properly. A few helpful things to know:</p>
  180. <ul>
  181. <li>
  182. <p><code>#</code> before any option in the config will comment out that setting and either a default (if available) will
  183. be applied or Synapse will ignore the setting. Thus, in example #1 below, the setting will be read and
  184. applied, but in example #2 the setting will not be read and a default will be applied.</p>
  185. <p>Example #1:</p>
  186. <pre><code class="language-yaml">pid_file: DATADIR/homeserver.pid
  187. </code></pre>
  188. <p>Example #2:</p>
  189. <pre><code class="language-yaml">#pid_file: DATADIR/homeserver.pid
  190. </code></pre>
  191. </li>
  192. <li>
  193. <p>Indentation matters! The indentation before a setting
  194. will determine whether a given setting is read as part of another
  195. setting, or considered on its own. Thus, in example #1, the <code>enabled</code> setting
  196. is read as a sub-option of the <code>presence</code> setting, and will be properly applied.</p>
  197. <p>However, the lack of indentation before the <code>enabled</code> setting in example #2 means
  198. that when reading the config, Synapse will consider both <code>presence</code> and <code>enabled</code> as
  199. different settings. In this case, <code>presence</code> has no value, and thus a default applied, and <code>enabled</code>
  200. is an option that Synapse doesn't recognize and thus ignores.</p>
  201. <p>Example #1:</p>
  202. <pre><code class="language-yaml">presence:
  203. enabled: false
  204. </code></pre>
  205. <p>Example #2:</p>
  206. <pre><code class="language-yaml">presence:
  207. enabled: false
  208. </code></pre>
  209. <p>In this manual, all top-level settings (ones with no indentation) are identified
  210. at the beginning of their section (i.e. &quot;### <code>example_setting</code>&quot;) and
  211. the sub-options, if any, are identified and listed in the body of the section.
  212. In addition, each setting has an example of its usage, with the proper indentation
  213. shown.</p>
  214. </li>
  215. </ul>
  216. <h2 id="modules"><a class="header" href="#modules">Modules</a></h2>
  217. <p>Server admins can expand Synapse's functionality with external modules.</p>
  218. <p>See <a href="../../modules/index.html">here</a> for more
  219. documentation on how to configure or create custom modules for Synapse.</p>
  220. <hr />
  221. <h3 id="modules-1"><a class="header" href="#modules-1"><code>modules</code></a></h3>
  222. <p>Use the <code>module</code> sub-option to add modules under this option to extend functionality.
  223. The <code>module</code> setting then has a sub-option, <code>config</code>, which can be used to define some configuration
  224. for the <code>module</code>.</p>
  225. <p>Defaults to none.</p>
  226. <p>Example configuration:</p>
  227. <pre><code class="language-yaml">modules:
  228. - module: my_super_module.MySuperClass
  229. config:
  230. do_thing: true
  231. - module: my_other_super_module.SomeClass
  232. config: {}
  233. </code></pre>
  234. <hr />
  235. <h2 id="server"><a class="header" href="#server">Server</a></h2>
  236. <p>Define your homeserver name and other base options.</p>
  237. <hr />
  238. <h3 id="server_name"><a class="header" href="#server_name"><code>server_name</code></a></h3>
  239. <p>This sets the public-facing domain of the server.</p>
  240. <p>The <code>server_name</code> name will appear at the end of usernames and room addresses
  241. created on your server. For example if the <code>server_name</code> was example.com,
  242. usernames on your server would be in the format <code>@user:example.com</code></p>
  243. <p>In most cases you should avoid using a matrix specific subdomain such as
  244. matrix.example.com or synapse.example.com as the <code>server_name</code> for the same
  245. reasons you wouldn't use user@email.example.com as your email address.
  246. See <a href="../../delegate.html">here</a>
  247. for information on how to host Synapse on a subdomain while preserving
  248. a clean <code>server_name</code>.</p>
  249. <p>The <code>server_name</code> cannot be changed later so it is important to
  250. configure this correctly before you start Synapse. It should be all
  251. lowercase and may contain an explicit port.</p>
  252. <p>There is no default for this option.</p>
  253. <p>Example configuration #1:</p>
  254. <pre><code class="language-yaml">server_name: matrix.org
  255. </code></pre>
  256. <p>Example configuration #2:</p>
  257. <pre><code class="language-yaml">server_name: localhost:8080
  258. </code></pre>
  259. <hr />
  260. <h3 id="pid_file"><a class="header" href="#pid_file"><code>pid_file</code></a></h3>
  261. <p>When running Synapse as a daemon, the file to store the pid in. Defaults to none.</p>
  262. <p>Example configuration:</p>
  263. <pre><code class="language-yaml">pid_file: DATADIR/homeserver.pid
  264. </code></pre>
  265. <hr />
  266. <h3 id="web_client_location"><a class="header" href="#web_client_location"><code>web_client_location</code></a></h3>
  267. <p>The absolute URL to the web client which <code>/</code> will redirect to. Defaults to none.</p>
  268. <p>Example configuration:</p>
  269. <pre><code class="language-yaml">web_client_location: https://riot.example.com/
  270. </code></pre>
  271. <hr />
  272. <h3 id="public_baseurl"><a class="header" href="#public_baseurl"><code>public_baseurl</code></a></h3>
  273. <p>The public-facing base URL that clients use to access this Homeserver (not
  274. including _matrix/...). This is the same URL a user might enter into the
  275. 'Custom Homeserver URL' field on their client. If you use Synapse with a
  276. reverse proxy, this should be the URL to reach Synapse via the proxy.
  277. Otherwise, it should be the URL to reach Synapse's client HTTP listener (see
  278. 'listeners' below).</p>
  279. <p>Defaults to <code>https://&lt;server_name&gt;/</code>.</p>
  280. <p>Example configuration:</p>
  281. <pre><code class="language-yaml">public_baseurl: https://example.com/
  282. </code></pre>
  283. <hr />
  284. <h3 id="serve_server_wellknown"><a class="header" href="#serve_server_wellknown"><code>serve_server_wellknown</code></a></h3>
  285. <p>By default, other servers will try to reach our server on port 8448, which can
  286. be inconvenient in some environments.</p>
  287. <p>Provided <code>https://&lt;server_name&gt;/</code> on port 443 is routed to Synapse, this
  288. option configures Synapse to serve a file at <code>https://&lt;server_name&gt;/.well-known/matrix/server</code>.
  289. This will tell other servers to send traffic to port 443 instead.</p>
  290. <p>This option currently defaults to false.</p>
  291. <p>See https://matrix-org.github.io/synapse/latest/delegate.html for more
  292. information.</p>
  293. <p>Example configuration:</p>
  294. <pre><code class="language-yaml">serve_server_wellknown: true
  295. </code></pre>
  296. <hr />
  297. <h3 id="extra_well_known_client_content"><a class="header" href="#extra_well_known_client_content"><code>extra_well_known_client_content </code></a></h3>
  298. <p>This option allows server runners to add arbitrary key-value pairs to the <a href="https://spec.matrix.org/latest/client-server-api/#well-known-uri">client-facing <code>.well-known</code> response</a>.
  299. Note that the <code>public_baseurl</code> config option must be provided for Synapse to serve a response to <code>/.well-known/matrix/client</code> at all.</p>
  300. <p>If this option is provided, it parses the given yaml to json and
  301. serves it on <code>/.well-known/matrix/client</code> endpoint
  302. alongside the standard properties.</p>
  303. <p><em>Added in Synapse 1.62.0.</em></p>
  304. <p>Example configuration:</p>
  305. <pre><code class="language-yaml">extra_well_known_client_content :
  306. option1: value1
  307. option2: value2
  308. </code></pre>
  309. <hr />
  310. <h3 id="soft_file_limit"><a class="header" href="#soft_file_limit"><code>soft_file_limit</code></a></h3>
  311. <p>Set the soft limit on the number of file descriptors synapse can use.
  312. Zero is used to indicate synapse should set the soft limit to the hard limit.
  313. Defaults to 0.</p>
  314. <p>Example configuration:</p>
  315. <pre><code class="language-yaml">soft_file_limit: 3
  316. </code></pre>
  317. <hr />
  318. <h3 id="presence"><a class="header" href="#presence"><code>presence</code></a></h3>
  319. <p>Presence tracking allows users to see the state (e.g online/offline)
  320. of other local and remote users. Set the <code>enabled</code> sub-option to false to
  321. disable presence tracking on this homeserver. Defaults to true.
  322. This option replaces the previous top-level 'use_presence' option.</p>
  323. <p>Example configuration:</p>
  324. <pre><code class="language-yaml">presence:
  325. enabled: false
  326. </code></pre>
  327. <hr />
  328. <h3 id="require_auth_for_profile_requests"><a class="header" href="#require_auth_for_profile_requests"><code>require_auth_for_profile_requests</code></a></h3>
  329. <p>Whether to require authentication to retrieve profile data (avatars, display names) of other
  330. users through the client API. Defaults to false. Note that profile data is also available
  331. via the federation API, unless <code>allow_profile_lookup_over_federation</code> is set to false.</p>
  332. <p>Example configuration:</p>
  333. <pre><code class="language-yaml">require_auth_for_profile_requests: true
  334. </code></pre>
  335. <hr />
  336. <h3 id="limit_profile_requests_to_users_who_share_rooms"><a class="header" href="#limit_profile_requests_to_users_who_share_rooms"><code>limit_profile_requests_to_users_who_share_rooms</code></a></h3>
  337. <p>Use this option to require a user to share a room with another user in order
  338. to retrieve their profile information. Only checked on Client-Server
  339. requests. Profile requests from other servers should be checked by the
  340. requesting server. Defaults to false.</p>
  341. <p>Example configuration:</p>
  342. <pre><code class="language-yaml">limit_profile_requests_to_users_who_share_rooms: true
  343. </code></pre>
  344. <hr />
  345. <h3 id="include_profile_data_on_invite"><a class="header" href="#include_profile_data_on_invite"><code>include_profile_data_on_invite</code></a></h3>
  346. <p>Use this option to prevent a user's profile data from being retrieved and
  347. displayed in a room until they have joined it. By default, a user's
  348. profile data is included in an invite event, regardless of the values
  349. of the above two settings, and whether or not the users share a server.
  350. Defaults to true.</p>
  351. <p>Example configuration:</p>
  352. <pre><code class="language-yaml">include_profile_data_on_invite: false
  353. </code></pre>
  354. <hr />
  355. <h3 id="allow_public_rooms_without_auth"><a class="header" href="#allow_public_rooms_without_auth"><code>allow_public_rooms_without_auth</code></a></h3>
  356. <p>If set to true, removes the need for authentication to access the server's
  357. public rooms directory through the client API, meaning that anyone can
  358. query the room directory. Defaults to false.</p>
  359. <p>Example configuration:</p>
  360. <pre><code class="language-yaml">allow_public_rooms_without_auth: true
  361. </code></pre>
  362. <hr />
  363. <h3 id="allow_public_rooms_over_federation"><a class="header" href="#allow_public_rooms_over_federation"><code>allow_public_rooms_over_federation</code></a></h3>
  364. <p>If set to true, allows any other homeserver to fetch the server's public
  365. rooms directory via federation. Defaults to false.</p>
  366. <p>Example configuration:</p>
  367. <pre><code class="language-yaml">allow_public_rooms_over_federation: true
  368. </code></pre>
  369. <hr />
  370. <h3 id="default_room_version"><a class="header" href="#default_room_version"><code>default_room_version</code></a></h3>
  371. <p>The default room version for newly created rooms on this server.</p>
  372. <p>Known room versions are listed <a href="https://spec.matrix.org/latest/rooms/#complete-list-of-room-versions">here</a></p>
  373. <p>For example, for room version 1, <code>default_room_version</code> should be set
  374. to &quot;1&quot;.</p>
  375. <p>Currently defaults to &quot;9&quot;.</p>
  376. <p>Example configuration:</p>
  377. <pre><code class="language-yaml">default_room_version: &quot;8&quot;
  378. </code></pre>
  379. <hr />
  380. <h3 id="gc_thresholds"><a class="header" href="#gc_thresholds"><code>gc_thresholds</code></a></h3>
  381. <p>The garbage collection threshold parameters to pass to <code>gc.set_threshold</code>, if defined.
  382. Defaults to none.</p>
  383. <p>Example configuration:</p>
  384. <pre><code class="language-yaml">gc_thresholds: [700, 10, 10]
  385. </code></pre>
  386. <hr />
  387. <h3 id="gc_min_interval"><a class="header" href="#gc_min_interval"><code>gc_min_interval</code></a></h3>
  388. <p>The minimum time in seconds between each GC for a generation, regardless of
  389. the GC thresholds. This ensures that we don't do GC too frequently. A value of <code>[1s, 10s, 30s]</code>
  390. indicates that a second must pass between consecutive generation 0 GCs, etc.</p>
  391. <p>Defaults to <code>[1s, 10s, 30s]</code>.</p>
  392. <p>Example configuration:</p>
  393. <pre><code class="language-yaml">gc_min_interval: [0.5s, 30s, 1m]
  394. </code></pre>
  395. <hr />
  396. <h3 id="filter_timeline_limit"><a class="header" href="#filter_timeline_limit"><code>filter_timeline_limit</code></a></h3>
  397. <p>Set the limit on the returned events in the timeline in the get
  398. and sync operations. Defaults to 100. A value of -1 means no upper limit.</p>
  399. <p>Example configuration:</p>
  400. <pre><code class="language-yaml">filter_timeline_limit: 5000
  401. </code></pre>
  402. <hr />
  403. <h3 id="block_non_admin_invites"><a class="header" href="#block_non_admin_invites"><code>block_non_admin_invites</code></a></h3>
  404. <p>Whether room invites to users on this server should be blocked
  405. (except those sent by local server admins). Defaults to false.</p>
  406. <p>Example configuration:</p>
  407. <pre><code class="language-yaml">block_non_admin_invites: true
  408. </code></pre>
  409. <hr />
  410. <h3 id="enable_search"><a class="header" href="#enable_search"><code>enable_search</code></a></h3>
  411. <p>If set to false, new messages will not be indexed for searching and users
  412. will receive errors when searching for messages. Defaults to true.</p>
  413. <p>Example configuration:</p>
  414. <pre><code class="language-yaml">enable_search: false
  415. </code></pre>
  416. <hr />
  417. <h3 id="ip_range_blacklist"><a class="header" href="#ip_range_blacklist"><code>ip_range_blacklist</code></a></h3>
  418. <p>This option prevents outgoing requests from being sent to the specified blacklisted IP address
  419. CIDR ranges. If this option is not specified then it defaults to private IP
  420. address ranges (see the example below).</p>
  421. <p>The blacklist applies to the outbound requests for federation, identity servers,
  422. push servers, and for checking key validity for third-party invite events.</p>
  423. <p>(0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
  424. listed here, since they correspond to unroutable addresses.)</p>
  425. <p>This option replaces <code>federation_ip_range_blacklist</code> in Synapse v1.25.0.</p>
  426. <p>Note: The value is ignored when an HTTP proxy is in use.</p>
  427. <p>Example configuration:</p>
  428. <pre><code class="language-yaml">ip_range_blacklist:
  429. - '127.0.0.0/8'
  430. - '10.0.0.0/8'
  431. - '172.16.0.0/12'
  432. - '192.168.0.0/16'
  433. - '100.64.0.0/10'
  434. - '192.0.0.0/24'
  435. - '169.254.0.0/16'
  436. - '192.88.99.0/24'
  437. - '198.18.0.0/15'
  438. - '192.0.2.0/24'
  439. - '198.51.100.0/24'
  440. - '203.0.113.0/24'
  441. - '224.0.0.0/4'
  442. - '::1/128'
  443. - 'fe80::/10'
  444. - 'fc00::/7'
  445. - '2001:db8::/32'
  446. - 'ff00::/8'
  447. - 'fec0::/10'
  448. </code></pre>
  449. <hr />
  450. <h3 id="ip_range_whitelist"><a class="header" href="#ip_range_whitelist"><code>ip_range_whitelist</code></a></h3>
  451. <p>List of IP address CIDR ranges that should be allowed for federation,
  452. identity servers, push servers, and for checking key validity for
  453. third-party invite events. This is useful for specifying exceptions to
  454. wide-ranging blacklisted target IP ranges - e.g. for communication with
  455. a push server only visible in your network.</p>
  456. <p>This whitelist overrides <code>ip_range_blacklist</code> and defaults to an empty
  457. list.</p>
  458. <p>Example configuration:</p>
  459. <pre><code class="language-yaml">ip_range_whitelist:
  460. - '192.168.1.1'
  461. </code></pre>
  462. <hr />
  463. <h3 id="listeners"><a class="header" href="#listeners"><code>listeners</code></a></h3>
  464. <p>List of ports that Synapse should listen on, their purpose and their
  465. configuration.</p>
  466. <p>Sub-options for each listener include:</p>
  467. <ul>
  468. <li>
  469. <p><code>port</code>: the TCP port to bind to.</p>
  470. </li>
  471. <li>
  472. <p><code>bind_addresses</code>: a list of local addresses to listen on. The default is
  473. 'all local interfaces'.</p>
  474. </li>
  475. <li>
  476. <p><code>type</code>: the type of listener. Normally <code>http</code>, but other valid options are:</p>
  477. <ul>
  478. <li>
  479. <p><code>manhole</code>: (see the docs <a href="../../manhole.html">here</a>),</p>
  480. </li>
  481. <li>
  482. <p><code>metrics</code>: (see the docs <a href="../../metrics-howto.html">here</a>),</p>
  483. </li>
  484. <li>
  485. <p><code>replication</code>: (deprecated as of Synapse 1.18, see the docs <a href="../../workers.html">here</a>).</p>
  486. </li>
  487. </ul>
  488. </li>
  489. <li>
  490. <p><code>tls</code>: set to true to enable TLS for this listener. Will use the TLS key/cert specified in tls_private_key_path / tls_certificate_path.</p>
  491. </li>
  492. <li>
  493. <p><code>x_forwarded</code>: Only valid for an 'http' listener. Set to true to use the X-Forwarded-For header as the client IP. Useful when Synapse is
  494. behind a reverse-proxy.</p>
  495. </li>
  496. <li>
  497. <p><code>resources</code>: Only valid for an 'http' listener. A list of resources to host
  498. on this port. Sub-options for each resource are:</p>
  499. <ul>
  500. <li>
  501. <p><code>names</code>: a list of names of HTTP resources. See below for a list of valid resource names.</p>
  502. </li>
  503. <li>
  504. <p><code>compress</code>: set to true to enable gzip compression on HTTP bodies for this resource. This is currently only supported with the
  505. <code>client</code>, <code>consent</code>, <code>metrics</code> and <code>federation</code> resources.</p>
  506. </li>
  507. </ul>
  508. </li>
  509. <li>
  510. <p><code>additional_resources</code>: Only valid for an 'http' listener. A map of
  511. additional endpoints which should be loaded via dynamic modules.</p>
  512. </li>
  513. </ul>
  514. <p>Valid resource names are:</p>
  515. <ul>
  516. <li>
  517. <p><code>client</code>: the client-server API (/_matrix/client), and the synapse admin API (/_synapse/admin). Also implies <code>media</code> and <code>static</code>.</p>
  518. </li>
  519. <li>
  520. <p><code>consent</code>: user consent forms (/_matrix/consent). See <a href="../../consent_tracking.html">here</a> for more.</p>
  521. </li>
  522. <li>
  523. <p><code>federation</code>: the server-server API (/_matrix/federation). Also implies <code>media</code>, <code>keys</code>, <code>openid</code></p>
  524. </li>
  525. <li>
  526. <p><code>keys</code>: the key discovery API (/_matrix/key).</p>
  527. </li>
  528. <li>
  529. <p><code>media</code>: the media API (/_matrix/media).</p>
  530. </li>
  531. <li>
  532. <p><code>metrics</code>: the metrics interface. See <a href="../../metrics-howto.html">here</a>.</p>
  533. </li>
  534. <li>
  535. <p><code>openid</code>: OpenID authentication. See <a href="../../openid.html">here</a>.</p>
  536. </li>
  537. <li>
  538. <p><code>replication</code>: the HTTP replication API (/_synapse/replication). See <a href="../../workers.html">here</a>.</p>
  539. </li>
  540. <li>
  541. <p><code>static</code>: static resources under synapse/static (/_matrix/static). (Mostly useful for 'fallback authentication'.)</p>
  542. </li>
  543. </ul>
  544. <p>Example configuration #1:</p>
  545. <pre><code class="language-yaml">listeners:
  546. # TLS-enabled listener: for when matrix traffic is sent directly to synapse.
  547. #
  548. # (Note that you will also need to give Synapse a TLS key and certificate: see the TLS section
  549. # below.)
  550. #
  551. - port: 8448
  552. type: http
  553. tls: true
  554. resources:
  555. - names: [client, federation]
  556. </code></pre>
  557. <p>Example configuration #2:</p>
  558. <pre><code class="language-yaml">listeners:
  559. # Unsecure HTTP listener: for when matrix traffic passes through a reverse proxy
  560. # that unwraps TLS.
  561. #
  562. # If you plan to use a reverse proxy, please see
  563. # https://matrix-org.github.io/synapse/latest/reverse_proxy.html.
  564. #
  565. - port: 8008
  566. tls: false
  567. type: http
  568. x_forwarded: true
  569. bind_addresses: ['::1', '127.0.0.1']
  570. resources:
  571. - names: [client, federation]
  572. compress: false
  573. # example additional_resources:
  574. additional_resources:
  575. &quot;/_matrix/my/custom/endpoint&quot;:
  576. module: my_module.CustomRequestHandler
  577. config: {}
  578. # Turn on the twisted ssh manhole service on localhost on the given
  579. # port.
  580. - port: 9000
  581. bind_addresses: ['::1', '127.0.0.1']
  582. type: manhole
  583. </code></pre>
  584. <hr />
  585. <h3 id="manhole_settings"><a class="header" href="#manhole_settings"><code>manhole_settings</code></a></h3>
  586. <p>Connection settings for the manhole. You can find more information
  587. on the manhole <a href="../../manhole.html">here</a>. Manhole sub-options include:</p>
  588. <ul>
  589. <li><code>username</code> : the username for the manhole. This defaults to 'matrix'.</li>
  590. <li><code>password</code>: The password for the manhole. This defaults to 'rabbithole'.</li>
  591. <li><code>ssh_priv_key_path</code> and <code>ssh_pub_key_path</code>: The private and public SSH key pair used to encrypt the manhole traffic.
  592. If these are left unset, then hardcoded and non-secret keys are used,
  593. which could allow traffic to be intercepted if sent over a public network.</li>
  594. </ul>
  595. <p>Example configuration:</p>
  596. <pre><code class="language-yaml">manhole_settings:
  597. username: manhole
  598. password: mypassword
  599. ssh_priv_key_path: CONFDIR/id_rsa
  600. ssh_pub_key_path: CONFDIR/id_rsa.pub
  601. </code></pre>
  602. <hr />
  603. <h3 id="dummy_events_threshold"><a class="header" href="#dummy_events_threshold"><code>dummy_events_threshold</code></a></h3>
  604. <p>Forward extremities can build up in a room due to networking delays between
  605. homeservers. Once this happens in a large room, calculation of the state of
  606. that room can become quite expensive. To mitigate this, once the number of
  607. forward extremities reaches a given threshold, Synapse will send an
  608. <code>org.matrix.dummy_event</code> event, which will reduce the forward extremities
  609. in the room.</p>
  610. <p>This setting defines the threshold (i.e. number of forward extremities in the room) at which dummy events are sent.
  611. The default value is 10.</p>
  612. <p>Example configuration:</p>
  613. <pre><code class="language-yaml">dummy_events_threshold: 5
  614. </code></pre>
  615. <hr />
  616. <h3 id="delete_stale_devices_after"><a class="header" href="#delete_stale_devices_after"><code>delete_stale_devices_after</code></a></h3>
  617. <p>An optional duration. If set, Synapse will run a daily background task to log out and
  618. delete any device that hasn't been accessed for more than the specified amount of time.</p>
  619. <p>Defaults to no duration, which means devices are never pruned.</p>
  620. <p>Example configuration:</p>
  621. <pre><code class="language-yaml">delete_stale_devices_after: 1y
  622. </code></pre>
  623. <h2 id="homeserver-blocking"><a class="header" href="#homeserver-blocking">Homeserver blocking</a></h2>
  624. <p>Useful options for Synapse admins.</p>
  625. <hr />
  626. <h3 id="admin_contact"><a class="header" href="#admin_contact"><code>admin_contact</code></a></h3>
  627. <p>How to reach the server admin, used in <code>ResourceLimitError</code>. Defaults to none.</p>
  628. <p>Example configuration:</p>
  629. <pre><code class="language-yaml">admin_contact: 'mailto:admin@server.com'
  630. </code></pre>
  631. <hr />
  632. <h3 id="hs_disabled-and-hs_disabled_message"><a class="header" href="#hs_disabled-and-hs_disabled_message"><code>hs_disabled</code> and <code>hs_disabled_message</code></a></h3>
  633. <p>Blocks users from connecting to the homeserver and provides a human-readable reason
  634. why the connection was blocked. Defaults to false.</p>
  635. <p>Example configuration:</p>
  636. <pre><code class="language-yaml">hs_disabled: true
  637. hs_disabled_message: 'Reason for why the HS is blocked'
  638. </code></pre>
  639. <hr />
  640. <h3 id="limit_usage_by_mau"><a class="header" href="#limit_usage_by_mau"><code>limit_usage_by_mau</code></a></h3>
  641. <p>This option disables/enables monthly active user blocking. Used in cases where the admin or
  642. server owner wants to limit to the number of monthly active users. When enabled and a limit is
  643. reached the server returns a <code>ResourceLimitError</code> with error type <code>Codes.RESOURCE_LIMIT_EXCEEDED</code>.
  644. Defaults to false. If this is enabled, a value for <code>max_mau_value</code> must also be set.</p>
  645. <p>Example configuration:</p>
  646. <pre><code class="language-yaml">limit_usage_by_mau: true
  647. </code></pre>
  648. <hr />
  649. <h3 id="max_mau_value"><a class="header" href="#max_mau_value"><code>max_mau_value</code></a></h3>
  650. <p>This option sets the hard limit of monthly active users above which the server will start
  651. blocking user actions if <code>limit_usage_by_mau</code> is enabled. Defaults to 0.</p>
  652. <p>Example configuration:</p>
  653. <pre><code class="language-yaml">max_mau_value: 50
  654. </code></pre>
  655. <hr />
  656. <h3 id="mau_trial_days"><a class="header" href="#mau_trial_days"><code>mau_trial_days</code></a></h3>
  657. <p>The option <code>mau_trial_days</code> is a means to add a grace period for active users. It
  658. means that users must be active for the specified number of days before they
  659. can be considered active and guards against the case where lots of users
  660. sign up in a short space of time never to return after their initial
  661. session. Defaults to 0.</p>
  662. <p>Example configuration:</p>
  663. <pre><code class="language-yaml">mau_trial_days: 5
  664. </code></pre>
  665. <hr />
  666. <h3 id="mau_appservice_trial_days"><a class="header" href="#mau_appservice_trial_days"><code>mau_appservice_trial_days</code></a></h3>
  667. <p>The option <code>mau_appservice_trial_days</code> is similar to <code>mau_trial_days</code>, but applies a different
  668. trial number if the user was registered by an appservice. A value
  669. of 0 means no trial days are applied. Appservices not listed in this dictionary
  670. use the value of <code>mau_trial_days</code> instead.</p>
  671. <p>Example configuration:</p>
  672. <pre><code class="language-yaml">mau_appservice_trial_days:
  673. my_appservice_id: 3
  674. another_appservice_id: 6
  675. </code></pre>
  676. <hr />
  677. <h3 id="mau_limit_alerting"><a class="header" href="#mau_limit_alerting"><code>mau_limit_alerting</code></a></h3>
  678. <p>The option <code>mau_limit_alerting</code> is a means of limiting client-side alerting
  679. should the mau limit be reached. This is useful for small instances
  680. where the admin has 5 mau seats (say) for 5 specific people and no
  681. interest increasing the mau limit further. Defaults to true, which
  682. means that alerting is enabled.</p>
  683. <p>Example configuration:</p>
  684. <pre><code class="language-yaml">mau_limit_alerting: false
  685. </code></pre>
  686. <hr />
  687. <h3 id="mau_stats_only"><a class="header" href="#mau_stats_only"><code>mau_stats_only</code></a></h3>
  688. <p>If enabled, the metrics for the number of monthly active users will
  689. be populated, however no one will be limited based on these numbers. If <code>limit_usage_by_mau</code>
  690. is true, this is implied to be true. Defaults to false.</p>
  691. <p>Example configuration:</p>
  692. <pre><code class="language-yaml">mau_stats_only: true
  693. </code></pre>
  694. <hr />
  695. <h3 id="mau_limit_reserved_threepids"><a class="header" href="#mau_limit_reserved_threepids"><code>mau_limit_reserved_threepids</code></a></h3>
  696. <p>Sometimes the server admin will want to ensure certain accounts are
  697. never blocked by mau checking. These accounts are specified by this option.
  698. Defaults to none. Add accounts by specifying the <code>medium</code> and <code>address</code> of the
  699. reserved threepid (3rd party identifier).</p>
  700. <p>Example configuration:</p>
  701. <pre><code class="language-yaml">mau_limit_reserved_threepids:
  702. - medium: 'email'
  703. address: 'reserved_user@example.com'
  704. </code></pre>
  705. <hr />
  706. <h3 id="server_context"><a class="header" href="#server_context"><code>server_context</code></a></h3>
  707. <p>This option is used by phonehome stats to group together related servers.
  708. Defaults to none.</p>
  709. <p>Example configuration:</p>
  710. <pre><code class="language-yaml">server_context: context
  711. </code></pre>
  712. <hr />
  713. <h3 id="limit_remote_rooms"><a class="header" href="#limit_remote_rooms"><code>limit_remote_rooms</code></a></h3>
  714. <p>When this option is enabled, the room &quot;complexity&quot; will be checked before a user
  715. joins a new remote room. If it is above the complexity limit, the server will
  716. disallow joining, or will instantly leave. This is useful for homeservers that are
  717. resource-constrained. Options for this setting include:</p>
  718. <ul>
  719. <li><code>enabled</code>: whether this check is enabled. Defaults to false.</li>
  720. <li><code>complexity</code>: the limit above which rooms cannot be joined. The default is 1.0.</li>
  721. <li><code>complexity_error</code>: override the error which is returned when the room is too complex with a
  722. custom message.</li>
  723. <li><code>admins_can_join</code>: allow server admins to join complex rooms. Default is false.</li>
  724. </ul>
  725. <p>Room complexity is an arbitrary measure based on factors such as the number of
  726. users in the room.</p>
  727. <p>Example configuration:</p>
  728. <pre><code class="language-yaml">limit_remote_rooms:
  729. enabled: true
  730. complexity: 0.5
  731. complexity_error: &quot;I can't let you do that, Dave.&quot;
  732. admins_can_join: true
  733. </code></pre>
  734. <hr />
  735. <h3 id="require_membership_for_aliases"><a class="header" href="#require_membership_for_aliases"><code>require_membership_for_aliases</code></a></h3>
  736. <p>Whether to require a user to be in the room to add an alias to it.
  737. Defaults to true.</p>
  738. <p>Example configuration:</p>
  739. <pre><code class="language-yaml">require_membership_for_aliases: false
  740. </code></pre>
  741. <hr />
  742. <h3 id="allow_per_room_profiles"><a class="header" href="#allow_per_room_profiles"><code>allow_per_room_profiles</code></a></h3>
  743. <p>Whether to allow per-room membership profiles through the sending of membership
  744. events with profile information that differs from the target's global profile.
  745. Defaults to true.</p>
  746. <p>Example configuration:</p>
  747. <pre><code class="language-yaml">allow_per_room_profiles: false
  748. </code></pre>
  749. <hr />
  750. <h3 id="max_avatar_size"><a class="header" href="#max_avatar_size"><code>max_avatar_size</code></a></h3>
  751. <p>The largest permissible file size in bytes for a user avatar. Defaults to no restriction.
  752. Use M for MB and K for KB.</p>
  753. <p>Note that user avatar changes will not work if this is set without using Synapse's media repository.</p>
  754. <p>Example configuration:</p>
  755. <pre><code class="language-yaml">max_avatar_size: 10M
  756. </code></pre>
  757. <hr />
  758. <h3 id="allowed_avatar_mimetypes"><a class="header" href="#allowed_avatar_mimetypes"><code>allowed_avatar_mimetypes</code></a></h3>
  759. <p>The MIME types allowed for user avatars. Defaults to no restriction.</p>
  760. <p>Note that user avatar changes will not work if this is set without
  761. using Synapse's media repository.</p>
  762. <p>Example configuration:</p>
  763. <pre><code class="language-yaml">allowed_avatar_mimetypes: [&quot;image/png&quot;, &quot;image/jpeg&quot;, &quot;image/gif&quot;]
  764. </code></pre>
  765. <hr />
  766. <h3 id="redaction_retention_period"><a class="header" href="#redaction_retention_period"><code>redaction_retention_period</code></a></h3>
  767. <p>How long to keep redacted events in unredacted form in the database. After
  768. this period redacted events get replaced with their redacted form in the DB.</p>
  769. <p>Synapse will check whether the rentention period has concluded for redacted
  770. events every 5 minutes. Thus, even if this option is set to <code>0</code>, Synapse may
  771. still take up to 5 minutes to purge redacted events from the database.</p>
  772. <p>Defaults to <code>7d</code>. Set to <code>null</code> to disable.</p>
  773. <p>Example configuration:</p>
  774. <pre><code class="language-yaml">redaction_retention_period: 28d
  775. </code></pre>
  776. <hr />
  777. <h3 id="user_ips_max_age"><a class="header" href="#user_ips_max_age"><code>user_ips_max_age</code></a></h3>
  778. <p>How long to track users' last seen time and IPs in the database.</p>
  779. <p>Defaults to <code>28d</code>. Set to <code>null</code> to disable clearing out of old rows.</p>
  780. <p>Example configuration:</p>
  781. <pre><code class="language-yaml">user_ips_max_age: 14d
  782. </code></pre>
  783. <hr />
  784. <h3 id="request_token_inhibit_3pid_errors"><a class="header" href="#request_token_inhibit_3pid_errors"><code>request_token_inhibit_3pid_errors</code></a></h3>
  785. <p>Inhibits the <code>/requestToken</code> endpoints from returning an error that might leak
  786. information about whether an e-mail address is in use or not on this
  787. homeserver. Defaults to false.
  788. Note that for some endpoints the error situation is the e-mail already being
  789. used, and for others the error is entering the e-mail being unused.
  790. If this option is enabled, instead of returning an error, these endpoints will
  791. act as if no error happened and return a fake session ID ('sid') to clients.</p>
  792. <p>Example configuration:</p>
  793. <pre><code class="language-yaml">request_token_inhibit_3pid_errors: true
  794. </code></pre>
  795. <hr />
  796. <h3 id="next_link_domain_whitelist"><a class="header" href="#next_link_domain_whitelist"><code>next_link_domain_whitelist</code></a></h3>
  797. <p>A list of domains that the domain portion of <code>next_link</code> parameters
  798. must match.</p>
  799. <p>This parameter is optionally provided by clients while requesting
  800. validation of an email or phone number, and maps to a link that
  801. users will be automatically redirected to after validation
  802. succeeds. Clients can make use this parameter to aid the validation
  803. process.</p>
  804. <p>The whitelist is applied whether the homeserver or an identity server is handling validation.</p>
  805. <p>The default value is no whitelist functionality; all domains are
  806. allowed. Setting this value to an empty list will instead disallow
  807. all domains.</p>
  808. <p>Example configuration:</p>
  809. <pre><code class="language-yaml">next_link_domain_whitelist: [&quot;matrix.org&quot;]
  810. </code></pre>
  811. <hr />
  812. <h3 id="templates-and-custom_template_directory"><a class="header" href="#templates-and-custom_template_directory"><code>templates</code> and <code>custom_template_directory</code></a></h3>
  813. <p>These options define templates to use when generating email or HTML page contents.
  814. The <code>custom_template_directory</code> determines which directory Synapse will try to
  815. find template files in to use to generate email or HTML page contents.
  816. If not set, or a file is not found within the template directory, a default
  817. template from within the Synapse package will be used.</p>
  818. <p>See <a href="../../templates.html">here</a> for more
  819. information about using custom templates.</p>
  820. <p>Example configuration:</p>
  821. <pre><code class="language-yaml">templates:
  822. custom_template_directory: /path/to/custom/templates/
  823. </code></pre>
  824. <hr />
  825. <h3 id="retention"><a class="header" href="#retention"><code>retention</code></a></h3>
  826. <p>This option and the associated options determine message retention policy at the
  827. server level.</p>
  828. <p>Room admins and mods can define a retention period for their rooms using the
  829. <code>m.room.retention</code> state event, and server admins can cap this period by setting
  830. the <code>allowed_lifetime_min</code> and <code>allowed_lifetime_max</code> config options.</p>
  831. <p>If this feature is enabled, Synapse will regularly look for and purge events
  832. which are older than the room's maximum retention period. Synapse will also
  833. filter events received over federation so that events that should have been
  834. purged are ignored and not stored again.</p>
  835. <p>The message retention policies feature is disabled by default. Please be advised
  836. that enabling this feature carries some risk. There are known bugs with the implementation
  837. which can cause database corruption. Setting retention to delete older history
  838. is less risky than deleting newer history but in general caution is advised when enabling this
  839. experimental feature. You can read more about this feature <a href="../../message_retention_policies.html">here</a>.</p>
  840. <p>This setting has the following sub-options:</p>
  841. <ul>
  842. <li>
  843. <p><code>default_policy</code>: Default retention policy. If set, Synapse will apply it to rooms that lack the
  844. 'm.room.retention' state event. This option is further specified by the
  845. <code>min_lifetime</code> and <code>max_lifetime</code> sub-options associated with it. Note that the
  846. value of <code>min_lifetime</code> doesn't matter much because Synapse doesn't take it into account yet.</p>
  847. </li>
  848. <li>
  849. <p><code>allowed_lifetime_min</code> and <code>allowed_lifetime_max</code>: Retention policy limits. If
  850. set, and the state of a room contains a <code>m.room.retention</code> event in its state
  851. which contains a <code>min_lifetime</code> or a <code>max_lifetime</code> that's out of these bounds,
  852. Synapse will cap the room's policy to these limits when running purge jobs.</p>
  853. </li>
  854. <li>
  855. <p><code>purge_jobs</code> and the associated <code>shortest_max_lifetime</code> and <code>longest_max_lifetime</code> sub-options:
  856. Server admins can define the settings of the background jobs purging the
  857. events whose lifetime has expired under the <code>purge_jobs</code> section.</p>
  858. <p>If no configuration is provided for this option, a single job will be set up to delete
  859. expired events in every room daily.</p>
  860. <p>Each job's configuration defines which range of message lifetimes the job
  861. takes care of. For example, if <code>shortest_max_lifetime</code> is '2d' and
  862. <code>longest_max_lifetime</code> is '3d', the job will handle purging expired events in
  863. rooms whose state defines a <code>max_lifetime</code> that's both higher than 2 days, and
  864. lower than or equal to 3 days. Both the minimum and the maximum value of a
  865. range are optional, e.g. a job with no <code>shortest_max_lifetime</code> and a
  866. <code>longest_max_lifetime</code> of '3d' will handle every room with a retention policy
  867. whose <code>max_lifetime</code> is lower than or equal to three days.</p>
  868. <p>The rationale for this per-job configuration is that some rooms might have a
  869. retention policy with a low <code>max_lifetime</code>, where history needs to be purged
  870. of outdated messages on a more frequent basis than for the rest of the rooms
  871. (e.g. every 12h), but not want that purge to be performed by a job that's
  872. iterating over every room it knows, which could be heavy on the server.</p>
  873. <p>If any purge job is configured, it is strongly recommended to have at least
  874. a single job with neither <code>shortest_max_lifetime</code> nor <code>longest_max_lifetime</code>
  875. set, or one job without <code>shortest_max_lifetime</code> and one job without
  876. <code>longest_max_lifetime</code> set. Otherwise some rooms might be ignored, even if
  877. <code>allowed_lifetime_min</code> and <code>allowed_lifetime_max</code> are set, because capping a
  878. room's policy to these values is done after the policies are retrieved from
  879. Synapse's database (which is done using the range specified in a purge job's
  880. configuration).</p>
  881. </li>
  882. </ul>
  883. <p>Example configuration:</p>
  884. <pre><code class="language-yaml">retention:
  885. enabled: true
  886. default_policy:
  887. min_lifetime: 1d
  888. max_lifetime: 1y
  889. allowed_lifetime_min: 1d
  890. allowed_lifetime_max: 1y
  891. purge_jobs:
  892. - longest_max_lifetime: 3d
  893. interval: 12h
  894. - shortest_max_lifetime: 3d
  895. interval: 1d
  896. </code></pre>
  897. <hr />
  898. <h2 id="tls"><a class="header" href="#tls">TLS</a></h2>
  899. <p>Options related to TLS.</p>
  900. <hr />
  901. <h3 id="tls_certificate_path"><a class="header" href="#tls_certificate_path"><code>tls_certificate_path</code></a></h3>
  902. <p>This option specifies a PEM-encoded X509 certificate for TLS.
  903. This certificate, as of Synapse 1.0, will need to be a valid and verifiable
  904. certificate, signed by a recognised Certificate Authority. Defaults to none.</p>
  905. <p>Be sure to use a <code>.pem</code> file that includes the full certificate chain including
  906. any intermediate certificates (for instance, if using certbot, use
  907. <code>fullchain.pem</code> as your certificate, not <code>cert.pem</code>).</p>
  908. <p>Example configuration:</p>
  909. <pre><code class="language-yaml">tls_certificate_path: &quot;CONFDIR/SERVERNAME.tls.crt&quot;
  910. </code></pre>
  911. <hr />
  912. <h3 id="tls_private_key_path"><a class="header" href="#tls_private_key_path"><code>tls_private_key_path</code></a></h3>
  913. <p>PEM-encoded private key for TLS. Defaults to none.</p>
  914. <p>Example configuration:</p>
  915. <pre><code class="language-yaml">tls_private_key_path: &quot;CONFDIR/SERVERNAME.tls.key&quot;
  916. </code></pre>
  917. <hr />
  918. <h3 id="federation_verify_certificates"><a class="header" href="#federation_verify_certificates"><code>federation_verify_certificates</code></a></h3>
  919. <p>Whether to verify TLS server certificates for outbound federation requests.</p>
  920. <p>Defaults to true. To disable certificate verification, set the option to false.</p>
  921. <p>Example configuration:</p>
  922. <pre><code class="language-yaml">federation_verify_certificates: false
  923. </code></pre>
  924. <hr />
  925. <h3 id="federation_client_minimum_tls_version"><a class="header" href="#federation_client_minimum_tls_version"><code>federation_client_minimum_tls_version</code></a></h3>
  926. <p>The minimum TLS version that will be used for outbound federation requests.</p>
  927. <p>Defaults to <code>1</code>. Configurable to <code>1</code>, <code>1.1</code>, <code>1.2</code>, or <code>1.3</code>. Note
  928. that setting this value higher than <code>1.2</code> will prevent federation to most
  929. of the public Matrix network: only configure it to <code>1.3</code> if you have an
  930. entirely private federation setup and you can ensure TLS 1.3 support.</p>
  931. <p>Example configuration:</p>
  932. <pre><code class="language-yaml">federation_client_minimum_tls_version: 1.2
  933. </code></pre>
  934. <hr />
  935. <h3 id="federation_certificate_verification_whitelist"><a class="header" href="#federation_certificate_verification_whitelist"><code>federation_certificate_verification_whitelist</code></a></h3>
  936. <p>Skip federation certificate verification on a given whitelist
  937. of domains.</p>
  938. <p>This setting should only be used in very specific cases, such as
  939. federation over Tor hidden services and similar. For private networks
  940. of homeservers, you likely want to use a private CA instead.</p>
  941. <p>Only effective if <code>federation_verify_certicates</code> is <code>true</code>.</p>
  942. <p>Example configuration:</p>
  943. <pre><code class="language-yaml">federation_certificate_verification_whitelist:
  944. - lon.example.com
  945. - &quot;*.domain.com&quot;
  946. - &quot;*.onion&quot;
  947. </code></pre>
  948. <hr />
  949. <h3 id="federation_custom_ca_list"><a class="header" href="#federation_custom_ca_list"><code>federation_custom_ca_list</code></a></h3>
  950. <p>List of custom certificate authorities for federation traffic.</p>
  951. <p>This setting should only normally be used within a private network of
  952. homeservers.</p>
  953. <p>Note that this list will replace those that are provided by your
  954. operating environment. Certificates must be in PEM format.</p>
  955. <p>Example configuration:</p>
  956. <pre><code class="language-yaml">federation_custom_ca_list:
  957. - myCA1.pem
  958. - myCA2.pem
  959. - myCA3.pem
  960. </code></pre>
  961. <hr />
  962. <h2 id="federation"><a class="header" href="#federation">Federation</a></h2>
  963. <p>Options related to federation.</p>
  964. <hr />
  965. <h3 id="federation_domain_whitelist"><a class="header" href="#federation_domain_whitelist"><code>federation_domain_whitelist</code></a></h3>
  966. <p>Restrict federation to the given whitelist of domains.
  967. N.B. we recommend also firewalling your federation listener to limit
  968. inbound federation traffic as early as possible, rather than relying
  969. purely on this application-layer restriction. If not specified, the
  970. default is to whitelist everything.</p>
  971. <p>Example configuration:</p>
  972. <pre><code class="language-yaml">federation_domain_whitelist:
  973. - lon.example.com
  974. - nyc.example.com
  975. - syd.example.com
  976. </code></pre>
  977. <hr />
  978. <h3 id="federation_metrics_domains"><a class="header" href="#federation_metrics_domains"><code>federation_metrics_domains</code></a></h3>
  979. <p>Report prometheus metrics on the age of PDUs being sent to and received from
  980. the given domains. This can be used to give an idea of &quot;delay&quot; on inbound
  981. and outbound federation, though be aware that any delay can be due to problems
  982. at either end or with the intermediate network.</p>
  983. <p>By default, no domains are monitored in this way.</p>
  984. <p>Example configuration:</p>
  985. <pre><code class="language-yaml">federation_metrics_domains:
  986. - matrix.org
  987. - example.com
  988. </code></pre>
  989. <hr />
  990. <h3 id="allow_profile_lookup_over_federation"><a class="header" href="#allow_profile_lookup_over_federation"><code>allow_profile_lookup_over_federation</code></a></h3>
  991. <p>Set to false to disable profile lookup over federation. By default, the
  992. Federation API allows other homeservers to obtain profile data of any user
  993. on this homeserver.</p>
  994. <p>Example configuration:</p>
  995. <pre><code class="language-yaml">allow_profile_lookup_over_federation: false
  996. </code></pre>
  997. <hr />
  998. <h3 id="allow_device_name_lookup_over_federation"><a class="header" href="#allow_device_name_lookup_over_federation"><code>allow_device_name_lookup_over_federation</code></a></h3>
  999. <p>Set this option to true to allow device display name lookup over federation. By default, the
  1000. Federation API prevents other homeservers from obtaining the display names of any user devices
  1001. on this homeserver.</p>
  1002. <p>Example configuration:</p>
  1003. <pre><code class="language-yaml">allow_device_name_lookup_over_federation: true
  1004. </code></pre>
  1005. <hr />
  1006. <h2 id="caching"><a class="header" href="#caching">Caching</a></h2>
  1007. <p>Options related to caching.</p>
  1008. <hr />
  1009. <h3 id="event_cache_size"><a class="header" href="#event_cache_size"><code>event_cache_size</code></a></h3>
  1010. <p>The number of events to cache in memory. Not affected by
  1011. <code>caches.global_factor</code> and is not part of the <code>caches</code> section. Defaults to 10K.</p>
  1012. <p>Example configuration:</p>
  1013. <pre><code class="language-yaml">event_cache_size: 15K
  1014. </code></pre>
  1015. <hr />
  1016. <h3 id="caches-and-associated-values"><a class="header" href="#caches-and-associated-values"><code>caches</code> and associated values</a></h3>
  1017. <p>A cache 'factor' is a multiplier that can be applied to each of
  1018. Synapse's caches in order to increase or decrease the maximum
  1019. number of entries that can be stored.</p>
  1020. <p><code>caches</code> can be configured through the following sub-options:</p>
  1021. <ul>
  1022. <li>
  1023. <p><code>global_factor</code>: Controls the global cache factor, which is the default cache factor
  1024. for all caches if a specific factor for that cache is not otherwise
  1025. set.</p>
  1026. <p>This can also be set by the <code>SYNAPSE_CACHE_FACTOR</code> environment
  1027. variable. Setting by environment variable takes priority over
  1028. setting through the config file.</p>
  1029. <p>Defaults to 0.5, which will halve the size of all caches.</p>
  1030. </li>
  1031. <li>
  1032. <p><code>per_cache_factors</code>: A dictionary of cache name to cache factor for that individual
  1033. cache. Overrides the global cache factor for a given cache.</p>
  1034. <p>These can also be set through environment variables comprised
  1035. of <code>SYNAPSE_CACHE_FACTOR_</code> + the name of the cache in capital
  1036. letters and underscores. Setting by environment variable
  1037. takes priority over setting through the config file.
  1038. Ex. <code>SYNAPSE_CACHE_FACTOR_GET_USERS_WHO_SHARE_ROOM_WITH_USER=2.0</code></p>
  1039. <p>Some caches have '*' and other characters that are not
  1040. alphanumeric or underscores. These caches can be named with or
  1041. without the special characters stripped. For example, to specify
  1042. the cache factor for <code>*stateGroupCache*</code> via an environment
  1043. variable would be <code>SYNAPSE_CACHE_FACTOR_STATEGROUPCACHE=2.0</code>.</p>
  1044. </li>
  1045. <li>
  1046. <p><code>expire_caches</code>: Controls whether cache entries are evicted after a specified time
  1047. period. Defaults to true. Set to false to disable this feature. Note that never expiring
  1048. caches may result in excessive memory usage.</p>
  1049. </li>
  1050. <li>
  1051. <p><code>cache_entry_ttl</code>: If <code>expire_caches</code> is enabled, this flag controls how long an entry can
  1052. be in a cache without having been accessed before being evicted.
  1053. Defaults to 30m.</p>
  1054. </li>
  1055. <li>
  1056. <p><code>sync_response_cache_duration</code>: Controls how long the results of a /sync request are
  1057. cached for after a successful response is returned. A higher duration can help clients
  1058. with intermittent connections, at the cost of higher memory usage.
  1059. A value of zero means that sync responses are not cached.
  1060. Defaults to 2m.</p>
  1061. <p><em>Changed in Synapse 1.62.0</em>: The default was changed from 0 to 2m.</p>
  1062. </li>
  1063. <li>
  1064. <p><code>cache_autotuning</code> and its sub-options <code>max_cache_memory_usage</code>, <code>target_cache_memory_usage</code>, and
  1065. <code>min_cache_ttl</code> work in conjunction with each other to maintain a balance between cache memory
  1066. usage and cache entry availability. You must be using <a href="https://github.com/matrix-org/synapse#help-synapse-is-slow-and-eats-all-my-ramcpu">jemalloc</a>
  1067. to utilize this option, and all three of the options must be specified for this feature to work. This option
  1068. defaults to off, enable it by providing values for the sub-options listed below. Please note that the feature will not work
  1069. and may cause unstable behavior (such as excessive emptying of caches or exceptions) if all of the values are not provided.
  1070. Please see the <a href="#config-conventions">Config Conventions</a> for information on how to specify memory size and cache expiry
  1071. durations.</p>
  1072. <ul>
  1073. <li><code>max_cache_memory_usage</code> sets a ceiling on how much memory the cache can use before caches begin to be continuously evicted.
  1074. They will continue to be evicted until the memory usage drops below the <code>target_memory_usage</code>, set in
  1075. the setting below, or until the <code>min_cache_ttl</code> is hit. There is no default value for this option.</li>
  1076. <li><code>target_memory_usage</code> sets a rough target for the desired memory usage of the caches. There is no default value
  1077. for this option.</li>
  1078. <li><code>min_cache_ttl</code> sets a limit under which newer cache entries are not evicted and is only applied when
  1079. caches are actively being evicted/<code>max_cache_memory_usage</code> has been exceeded. This is to protect hot caches
  1080. from being emptied while Synapse is evicting due to memory. There is no default value for this option.</li>
  1081. </ul>
  1082. </li>
  1083. </ul>
  1084. <p>Example configuration:</p>
  1085. <pre><code class="language-yaml">event_cache_size: 15K
  1086. caches:
  1087. global_factor: 1.0
  1088. per_cache_factors:
  1089. get_users_who_share_room_with_user: 2.0
  1090. sync_response_cache_duration: 2m
  1091. cache_autotuning:
  1092. max_cache_memory_usage: 1024M
  1093. target_cache_memory_usage: 758M
  1094. min_cache_ttl: 5m
  1095. </code></pre>
  1096. <h3 id="reloading-cache-factors"><a class="header" href="#reloading-cache-factors">Reloading cache factors</a></h3>
  1097. <p>The cache factors (i.e. <code>caches.global_factor</code> and <code>caches.per_cache_factors</code>) may be reloaded at any time by sending a
  1098. <a href="https://en.wikipedia.org/wiki/SIGHUP"><code>SIGHUP</code></a> signal to Synapse using e.g.</p>
  1099. <pre><code class="language-commandline">kill -HUP [PID_OF_SYNAPSE_PROCESS]
  1100. </code></pre>
  1101. <p>If you are running multiple workers, you must individually update the worker
  1102. config file and send this signal to each worker process.</p>
  1103. <p>If you're using the <a href="https://github.com/matrix-org/synapse/blob/develop/contrib/systemd/matrix-synapse.service">example systemd service</a>
  1104. file in Synapse's <code>contrib</code> directory, you can send a <code>SIGHUP</code> signal by using
  1105. <code>systemctl reload matrix-synapse</code>.</p>
  1106. <hr />
  1107. <h2 id="database"><a class="header" href="#database">Database</a></h2>
  1108. <p>Config options related to database settings.</p>
  1109. <hr />
  1110. <h3 id="database-1"><a class="header" href="#database-1"><code>database</code></a></h3>
  1111. <p>The <code>database</code> setting defines the database that synapse uses to store all of
  1112. its data.</p>
  1113. <p>Associated sub-options:</p>
  1114. <ul>
  1115. <li>
  1116. <p><code>name</code>: this option specifies the database engine to use: either <code>sqlite3</code> (for SQLite)
  1117. or <code>psycopg2</code> (for PostgreSQL). If no name is specified Synapse will default to SQLite.</p>
  1118. </li>
  1119. <li>
  1120. <p><code>txn_limit</code> gives the maximum number of transactions to run per connection
  1121. before reconnecting. Defaults to 0, which means no limit.</p>
  1122. </li>
  1123. <li>
  1124. <p><code>allow_unsafe_locale</code> is an option specific to Postgres. Under the default behavior, Synapse will refuse to
  1125. start if the postgres db is set to a non-C locale. You can override this behavior (which is <em>not</em> recommended)
  1126. by setting <code>allow_unsafe_locale</code> to true. Note that doing so may corrupt your database. You can find more information
  1127. <a href="../../postgres.html#fixing-incorrect-collate-or-ctype">here</a> and <a href="https://wiki.postgresql.org/wiki/Locale_data_changes">here</a>.</p>
  1128. </li>
  1129. <li>
  1130. <p><code>args</code> gives options which are passed through to the database engine,
  1131. except for options starting with <code>cp_</code>, which are used to configure the Twisted
  1132. connection pool. For a reference to valid arguments, see:</p>
  1133. <ul>
  1134. <li>for <a href="https://docs.python.org/3/library/sqlite3.html#sqlite3.connect">sqlite</a></li>
  1135. <li>for <a href="https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS">postgres</a></li>
  1136. <li>for <a href="https://twistedmatrix.com/documents/current/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__">the connection pool</a></li>
  1137. </ul>
  1138. </li>
  1139. </ul>
  1140. <p>For more information on using Synapse with Postgres,
  1141. see <a href="../../postgres.html">here</a>.</p>
  1142. <p>Example SQLite configuration:</p>
  1143. <pre><code class="language-yaml">database:
  1144. name: sqlite3
  1145. args:
  1146. database: /path/to/homeserver.db
  1147. </code></pre>
  1148. <p>Example Postgres configuration:</p>
  1149. <pre><code class="language-yaml">database:
  1150. name: psycopg2
  1151. txn_limit: 10000
  1152. args:
  1153. user: synapse_user
  1154. password: secretpassword
  1155. database: synapse
  1156. host: localhost
  1157. port: 5432
  1158. cp_min: 5
  1159. cp_max: 10
  1160. </code></pre>
  1161. <hr />
  1162. <h3 id="databases"><a class="header" href="#databases"><code>databases</code></a></h3>
  1163. <p>The <code>databases</code> option allows specifying a mapping between certain database tables and
  1164. database host details, spreading the load of a single Synapse instance across multiple
  1165. database backends. This is often referred to as &quot;database sharding&quot;. This option is only
  1166. supported for PostgreSQL database backends.</p>
  1167. <p><strong>Important note:</strong> This is a supported option, but is not currently used in production by the
  1168. Matrix.org Foundation. Proceed with caution and always make backups.</p>
  1169. <p><code>databases</code> is a dictionary of arbitrarily-named database entries. Each entry is equivalent
  1170. to the value of the <code>database</code> homeserver config option (see above), with the addition of
  1171. a <code>data_stores</code> key. <code>data_stores</code> is an array of strings that specifies the data store(s)
  1172. (a defined label for a set of tables) that should be stored on the associated database
  1173. backend entry.</p>
  1174. <p>The currently defined values for <code>data_stores</code> are:</p>
  1175. <ul>
  1176. <li>
  1177. <p><code>&quot;state&quot;</code>: Database that relates to state groups will be stored in this database.</p>
  1178. <p>Specifically, that means the following tables:</p>
  1179. <ul>
  1180. <li><code>state_groups</code></li>
  1181. <li><code>state_group_edges</code></li>
  1182. <li><code>state_groups_state</code></li>
  1183. </ul>
  1184. <p>And the following sequences:</p>
  1185. <ul>
  1186. <li><code>state_groups_seq_id</code></li>
  1187. </ul>
  1188. </li>
  1189. <li>
  1190. <p><code>&quot;main&quot;</code>: All other database tables and sequences.</p>
  1191. </li>
  1192. </ul>
  1193. <p>All databases will end up with additional tables used for tracking database schema migrations
  1194. and any pending background updates. Synapse will create these automatically on startup when checking for
  1195. and/or performing database schema migrations.</p>
  1196. <p>To migrate an existing database configuration (e.g. all tables on a single database) to a different
  1197. configuration (e.g. the &quot;main&quot; data store on one database, and &quot;state&quot; on another), do the following:</p>
  1198. <ol>
  1199. <li>
  1200. <p>Take a backup of your existing database. Things can and do go wrong and database corruption is no joke!</p>
  1201. </li>
  1202. <li>
  1203. <p>Ensure all pending database migrations have been applied and background updates have run. The simplest
  1204. way to do this is to use the <code>update_synapse_database</code> script supplied with your Synapse installation.</p>
  1205. <pre><code class="language-sh">update_synapse_database --database-config homeserver.yaml --run-background-updates
  1206. </code></pre>
  1207. </li>
  1208. <li>
  1209. <p>Copy over the necessary tables and sequences from one database to the other. Tables relating to database
  1210. migrations, schemas, schema versions and background updates should <strong>not</strong> be copied.</p>
  1211. <p>As an example, say that you'd like to split out the &quot;state&quot; data store from an existing database which
  1212. currently contains all data stores.</p>
  1213. <p>Simply copy the tables and sequences defined above for the &quot;state&quot; datastore from the existing database
  1214. to the secondary database. As noted above, additional tables will be created in the secondary database
  1215. when Synapse is started.</p>
  1216. </li>
  1217. <li>
  1218. <p>Modify/create the <code>databases</code> option in your <code>homeserver.yaml</code> to match the desired database configuration.</p>
  1219. </li>
  1220. <li>
  1221. <p>Start Synapse. Check that it starts up successfully and that things generally seem to be working.</p>
  1222. </li>
  1223. <li>
  1224. <p>Drop the old tables that were copied in step 3.</p>
  1225. </li>
  1226. </ol>
  1227. <p>Only one of the options <code>database</code> or <code>databases</code> may be specified in your config, but not both.</p>
  1228. <p>Example configuration:</p>
  1229. <pre><code class="language-yaml">databases:
  1230. basement_box:
  1231. name: psycopg2
  1232. txn_limit: 10000
  1233. data_stores: [&quot;main&quot;]
  1234. args:
  1235. user: synapse_user
  1236. password: secretpassword
  1237. database: synapse_main
  1238. host: localhost
  1239. port: 5432
  1240. cp_min: 5
  1241. cp_max: 10
  1242. my_other_database:
  1243. name: psycopg2
  1244. txn_limit: 10000
  1245. data_stores: [&quot;state&quot;]
  1246. args:
  1247. user: synapse_user
  1248. password: secretpassword
  1249. database: synapse_state
  1250. host: localhost
  1251. port: 5432
  1252. cp_min: 5
  1253. cp_max: 10
  1254. </code></pre>
  1255. <hr />
  1256. <h2 id="logging"><a class="header" href="#logging">Logging</a></h2>
  1257. <p>Config options related to logging.</p>
  1258. <hr />
  1259. <h3 id="log_config"><a class="header" href="#log_config"><code>log_config</code></a></h3>
  1260. <p>This option specifies a yaml python logging config file as described <a href="https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema">here</a>.</p>
  1261. <p>Example configuration:</p>
  1262. <pre><code class="language-yaml">log_config: &quot;CONFDIR/SERVERNAME.log.config&quot;
  1263. </code></pre>
  1264. <hr />
  1265. <h2 id="ratelimiting"><a class="header" href="#ratelimiting">Ratelimiting</a></h2>
  1266. <p>Options related to ratelimiting in Synapse.</p>
  1267. <p>Each ratelimiting configuration is made of two parameters:</p>
  1268. <ul>
  1269. <li><code>per_second</code>: number of requests a client can send per second.</li>
  1270. <li><code>burst_count</code>: number of requests a client can send before being throttled.</li>
  1271. </ul>
  1272. <hr />
  1273. <h3 id="rc_message"><a class="header" href="#rc_message"><code>rc_message</code></a></h3>
  1274. <p>Ratelimiting settings for client messaging.</p>
  1275. <p>This is a ratelimiting option for messages that ratelimits sending based on the account the client
  1276. is using. It defaults to: <code>per_second: 0.2</code>, <code>burst_count: 10</code>.</p>
  1277. <p>Example configuration:</p>
  1278. <pre><code class="language-yaml">rc_message:
  1279. per_second: 0.5
  1280. burst_count: 15
  1281. </code></pre>
  1282. <hr />
  1283. <h3 id="rc_registration"><a class="header" href="#rc_registration"><code>rc_registration</code></a></h3>
  1284. <p>This option ratelimits registration requests based on the client's IP address.
  1285. It defaults to <code>per_second: 0.17</code>, <code>burst_count: 3</code>.</p>
  1286. <p>Example configuration:</p>
  1287. <pre><code class="language-yaml">rc_registration:
  1288. per_second: 0.15
  1289. burst_count: 2
  1290. </code></pre>
  1291. <hr />
  1292. <h3 id="rc_registration_token_validity"><a class="header" href="#rc_registration_token_validity"><code>rc_registration_token_validity</code></a></h3>
  1293. <p>This option checks the validity of registration tokens that ratelimits requests based on
  1294. the client's IP address.
  1295. Defaults to <code>per_second: 0.1</code>, <code>burst_count: 5</code>.</p>
  1296. <p>Example configuration:</p>
  1297. <pre><code class="language-yaml">rc_registration_token_validity:
  1298. per_second: 0.3
  1299. burst_count: 6
  1300. </code></pre>
  1301. <hr />
  1302. <h3 id="rc_login"><a class="header" href="#rc_login"><code>rc_login</code></a></h3>
  1303. <p>This option specifies several limits for login:</p>
  1304. <ul>
  1305. <li>
  1306. <p><code>address</code> ratelimits login requests based on the client's IP
  1307. address. Defaults to <code>per_second: 0.17</code>, <code>burst_count: 3</code>.</p>
  1308. </li>
  1309. <li>
  1310. <p><code>account</code> ratelimits login requests based on the account the
  1311. client is attempting to log into. Defaults to <code>per_second: 0.17</code>,
  1312. <code>burst_count: 3</code>.</p>
  1313. </li>
  1314. <li>
  1315. <p><code>failted_attempts</code> ratelimits login requests based on the account the
  1316. client is attempting to log into, based on the amount of failed login
  1317. attempts for this account. Defaults to <code>per_second: 0.17</code>, <code>burst_count: 3</code>.</p>
  1318. </li>
  1319. </ul>
  1320. <p>Example configuration:</p>
  1321. <pre><code class="language-yaml">rc_login:
  1322. address:
  1323. per_second: 0.15
  1324. burst_count: 5
  1325. account:
  1326. per_second: 0.18
  1327. burst_count: 4
  1328. failed_attempts:
  1329. per_second: 0.19
  1330. burst_count: 7
  1331. </code></pre>
  1332. <hr />
  1333. <h3 id="rc_admin_redaction"><a class="header" href="#rc_admin_redaction"><code>rc_admin_redaction</code></a></h3>
  1334. <p>This option sets ratelimiting redactions by room admins. If this is not explicitly
  1335. set then it uses the same ratelimiting as per <code>rc_message</code>. This is useful
  1336. to allow room admins to deal with abuse quickly.</p>
  1337. <p>Example configuration:</p>
  1338. <pre><code class="language-yaml">rc_admin_redaction:
  1339. per_second: 1
  1340. burst_count: 50
  1341. </code></pre>
  1342. <hr />
  1343. <h3 id="rc_joins"><a class="header" href="#rc_joins"><code>rc_joins</code></a></h3>
  1344. <p>This option allows for ratelimiting number of rooms a user can join. This setting has the following sub-options:</p>
  1345. <ul>
  1346. <li>
  1347. <p><code>local</code>: ratelimits when users are joining rooms the server is already in.
  1348. Defaults to <code>per_second: 0.1</code>, <code>burst_count: 10</code>.</p>
  1349. </li>
  1350. <li>
  1351. <p><code>remote</code>: ratelimits when users are trying to join rooms not on the server (which
  1352. can be more computationally expensive than restricting locally). Defaults to
  1353. <code>per_second: 0.01</code>, <code>burst_count: 10</code></p>
  1354. </li>
  1355. </ul>
  1356. <p>Example configuration:</p>
  1357. <pre><code class="language-yaml">rc_joins:
  1358. local:
  1359. per_second: 0.2
  1360. burst_count: 15
  1361. remote:
  1362. per_second: 0.03
  1363. burst_count: 12
  1364. </code></pre>
  1365. <hr />
  1366. <h3 id="rc_joins_per_room"><a class="header" href="#rc_joins_per_room"><code>rc_joins_per_room</code></a></h3>
  1367. <p>This option allows admins to ratelimit joins to a room based on the number of recent
  1368. joins (local or remote) to that room. It is intended to mitigate mass-join spam
  1369. waves which target multiple homeservers.</p>
  1370. <p>By default, one join is permitted to a room every second, with an accumulating
  1371. buffer of up to ten instantaneous joins.</p>
  1372. <p>Example configuration (default values):</p>
  1373. <pre><code class="language-yaml">rc_joins_per_room:
  1374. per_second: 1
  1375. burst_count: 10
  1376. </code></pre>
  1377. <p><em>Added in Synapse 1.64.0.</em></p>
  1378. <hr />
  1379. <h3 id="rc_3pid_validation"><a class="header" href="#rc_3pid_validation"><code>rc_3pid_validation</code></a></h3>
  1380. <p>This option ratelimits how often a user or IP can attempt to validate a 3PID.
  1381. Defaults to <code>per_second: 0.003</code>, <code>burst_count: 5</code>.</p>
  1382. <p>Example configuration:</p>
  1383. <pre><code class="language-yaml">rc_3pid_validation:
  1384. per_second: 0.003
  1385. burst_count: 5
  1386. </code></pre>
  1387. <hr />
  1388. <h3 id="rc_invites"><a class="header" href="#rc_invites"><code>rc_invites</code></a></h3>
  1389. <p>This option sets ratelimiting how often invites can be sent in a room or to a
  1390. specific user. <code>per_room</code> defaults to <code>per_second: 0.3</code>, <code>burst_count: 10</code> and
  1391. <code>per_user</code> defaults to <code>per_second: 0.003</code>, <code>burst_count: 5</code>.</p>
  1392. <p>Client requests that invite user(s) when <a href="https://spec.matrix.org/v1.2/client-server-api/#post_matrixclientv3createroom">creating a
  1393. room</a>
  1394. will count against the <code>rc_invites.per_room</code> limit, whereas
  1395. client requests to <a href="https://spec.matrix.org/v1.2/client-server-api/#post_matrixclientv3roomsroomidinvite">invite a single user to a
  1396. room</a>
  1397. will count against both the <code>rc_invites.per_user</code> and <code>rc_invites.per_room</code> limits.</p>
  1398. <p>Federation requests to invite a user will count against the <code>rc_invites.per_user</code>
  1399. limit only, as Synapse presumes ratelimiting by room will be done by the sending server.</p>
  1400. <p>The <code>rc_invites.per_user</code> limit applies to the <em>receiver</em> of the invite, rather than the
  1401. sender, meaning that a <code>rc_invite.per_user.burst_count</code> of 5 mandates that a single user
  1402. cannot <em>receive</em> more than a burst of 5 invites at a time.</p>
  1403. <p>In contrast, the <code>rc_invites.per_issuer</code> limit applies to the <em>issuer</em> of the invite, meaning that a <code>rc_invite.per_issuer.burst_count</code> of 5 mandates that single user cannot <em>send</em> more than a burst of 5 invites at a time.</p>
  1404. <p><em>Changed in version 1.63:</em> added the <code>per_issuer</code> limit.</p>
  1405. <p>Example configuration:</p>
  1406. <pre><code class="language-yaml">rc_invites:
  1407. per_room:
  1408. per_second: 0.5
  1409. burst_count: 5
  1410. per_user:
  1411. per_second: 0.004
  1412. burst_count: 3
  1413. per_issuer:
  1414. per_second: 0.5
  1415. burst_count: 5
  1416. </code></pre>
  1417. <hr />
  1418. <h3 id="rc_third_party_invite"><a class="header" href="#rc_third_party_invite"><code>rc_third_party_invite</code></a></h3>
  1419. <p>This option ratelimits 3PID invites (i.e. invites sent to a third-party ID
  1420. such as an email address or a phone number) based on the account that's
  1421. sending the invite. Defaults to <code>per_second: 0.2</code>, <code>burst_count: 10</code>.</p>
  1422. <p>Example configuration:</p>
  1423. <pre><code class="language-yaml">rc_third_party_invite:
  1424. per_second: 0.2
  1425. burst_count: 10
  1426. </code></pre>
  1427. <hr />
  1428. <h3 id="rc_federation"><a class="header" href="#rc_federation"><code>rc_federation</code></a></h3>
  1429. <p>Defines limits on federation requests.</p>
  1430. <p>The <code>rc_federation</code> configuration has the following sub-options:</p>
  1431. <ul>
  1432. <li><code>window_size</code>: window size in milliseconds. Defaults to 1000.</li>
  1433. <li><code>sleep_limit</code>: number of federation requests from a single server in
  1434. a window before the server will delay processing the request. Defaults to 10.</li>
  1435. <li><code>sleep_delay</code>: duration in milliseconds to delay processing events
  1436. from remote servers by if they go over the sleep limit. Defaults to 500.</li>
  1437. <li><code>reject_limit</code>: maximum number of concurrent federation requests
  1438. allowed from a single server. Defaults to 50.</li>
  1439. <li><code>concurrent</code>: number of federation requests to concurrently process
  1440. from a single server. Defaults to 3.</li>
  1441. </ul>
  1442. <p>Example configuration:</p>
  1443. <pre><code class="language-yaml">rc_federation:
  1444. window_size: 750
  1445. sleep_limit: 15
  1446. sleep_delay: 400
  1447. reject_limit: 40
  1448. concurrent: 5
  1449. </code></pre>
  1450. <hr />
  1451. <h3 id="federation_rr_transactions_per_room_per_second"><a class="header" href="#federation_rr_transactions_per_room_per_second"><code>federation_rr_transactions_per_room_per_second</code></a></h3>
  1452. <p>Sets outgoing federation transaction frequency for sending read-receipts,
  1453. per-room.</p>
  1454. <p>If we end up trying to send out more read-receipts, they will get buffered up
  1455. into fewer transactions. Defaults to 50.</p>
  1456. <p>Example configuration:</p>
  1457. <pre><code class="language-yaml">federation_rr_transactions_per_room_per_second: 40
  1458. </code></pre>
  1459. <hr />
  1460. <h2 id="media-store"><a class="header" href="#media-store">Media Store</a></h2>
  1461. <p>Config options related to Synapse's media store.</p>
  1462. <hr />
  1463. <h3 id="enable_media_repo"><a class="header" href="#enable_media_repo"><code>enable_media_repo</code></a></h3>
  1464. <p>Enable the media store service in the Synapse master. Defaults to true.
  1465. Set to false if you are using a separate media store worker.</p>
  1466. <p>Example configuration:</p>
  1467. <pre><code class="language-yaml">enable_media_repo: false
  1468. </code></pre>
  1469. <hr />
  1470. <h3 id="media_store_path"><a class="header" href="#media_store_path"><code>media_store_path</code></a></h3>
  1471. <p>Directory where uploaded images and attachments are stored.</p>
  1472. <p>Example configuration:</p>
  1473. <pre><code class="language-yaml">media_store_path: &quot;DATADIR/media_store&quot;
  1474. </code></pre>
  1475. <hr />
  1476. <h3 id="media_storage_providers"><a class="header" href="#media_storage_providers"><code>media_storage_providers</code></a></h3>
  1477. <p>Media storage providers allow media to be stored in different
  1478. locations. Defaults to none. Associated sub-options are:</p>
  1479. <ul>
  1480. <li><code>module</code>: type of resource, e.g. <code>file_system</code>.</li>
  1481. <li><code>store_local</code>: whether to store newly uploaded local files</li>
  1482. <li><code>store_remote</code>: whether to store newly downloaded local files</li>
  1483. <li><code>store_synchronous</code>: whether to wait for successful storage for local uploads</li>
  1484. <li><code>config</code>: sets a path to the resource through the <code>directory</code> option</li>
  1485. </ul>
  1486. <p>Example configuration:</p>
  1487. <pre><code class="language-yaml">media_storage_providers:
  1488. - module: file_system
  1489. store_local: false
  1490. store_remote: false
  1491. store_synchronous: false
  1492. config:
  1493. directory: /mnt/some/other/directory
  1494. </code></pre>
  1495. <hr />
  1496. <h3 id="max_upload_size"><a class="header" href="#max_upload_size"><code>max_upload_size</code></a></h3>
  1497. <p>The largest allowed upload size in bytes.</p>
  1498. <p>If you are using a reverse proxy you may also need to set this value in
  1499. your reverse proxy's config. Defaults to 50M. Notably Nginx has a small max body size by default.
  1500. See <a href="../../reverse_proxy.html">here</a> for more on using a reverse proxy with Synapse.</p>
  1501. <p>Example configuration:</p>
  1502. <pre><code class="language-yaml">max_upload_size: 60M
  1503. </code></pre>
  1504. <hr />
  1505. <h3 id="max_image_pixels"><a class="header" href="#max_image_pixels"><code>max_image_pixels</code></a></h3>
  1506. <p>Maximum number of pixels that will be thumbnailed. Defaults to 32M.</p>
  1507. <p>Example configuration:</p>
  1508. <pre><code class="language-yaml">max_image_pixels: 35M
  1509. </code></pre>
  1510. <hr />
  1511. <h3 id="dynamic_thumbnails"><a class="header" href="#dynamic_thumbnails"><code>dynamic_thumbnails</code></a></h3>
  1512. <p>Whether to generate new thumbnails on the fly to precisely match
  1513. the resolution requested by the client. If true then whenever
  1514. a new resolution is requested by the client the server will
  1515. generate a new thumbnail. If false the server will pick a thumbnail
  1516. from a precalculated list. Defaults to false.</p>
  1517. <p>Example configuration:</p>
  1518. <pre><code class="language-yaml">dynamic_thumbnails: true
  1519. </code></pre>
  1520. <hr />
  1521. <h3 id="thumbnail_sizes"><a class="header" href="#thumbnail_sizes"><code>thumbnail_sizes</code></a></h3>
  1522. <p>List of thumbnails to precalculate when an image is uploaded. Associated sub-options are:</p>
  1523. <ul>
  1524. <li><code>width</code></li>
  1525. <li><code>height</code></li>
  1526. <li><code>method</code>: i.e. <code>crop</code>, <code>scale</code>, etc.</li>
  1527. </ul>
  1528. <p>Example configuration:</p>
  1529. <pre><code class="language-yaml">thumbnail_sizes:
  1530. - width: 32
  1531. height: 32
  1532. method: crop
  1533. - width: 96
  1534. height: 96
  1535. method: crop
  1536. - width: 320
  1537. height: 240
  1538. method: scale
  1539. - width: 640
  1540. height: 480
  1541. method: scale
  1542. - width: 800
  1543. height: 600
  1544. method: scale
  1545. </code></pre>
  1546. <hr />
  1547. <h3 id="media_retention"><a class="header" href="#media_retention"><code>media_retention</code></a></h3>
  1548. <p>Controls whether local media and entries in the remote media cache
  1549. (media that is downloaded from other homeservers) should be removed
  1550. under certain conditions, typically for the purpose of saving space.</p>
  1551. <p>Purging media files will be the carried out by the media worker
  1552. (that is, the worker that has the <code>enable_media_repo</code> homeserver config
  1553. option set to 'true'). This may be the main process.</p>
  1554. <p>The <code>media_retention.local_media_lifetime</code> and
  1555. <code>media_retention.remote_media_lifetime</code> config options control whether
  1556. media will be purged if it has not been accessed in a given amount of
  1557. time. Note that media is 'accessed' when loaded in a room in a client, or
  1558. otherwise downloaded by a local or remote user. If the media has never
  1559. been accessed, the media's creation time is used instead. Both thumbnails
  1560. and the original media will be removed. If either of these options are unset,
  1561. then media of that type will not be purged.</p>
  1562. <p>Local or cached remote media that has been
  1563. <a href="../../admin_api/media_admin_api.html#quarantining-media-in-a-room">quarantined</a>
  1564. will not be deleted. Similarly, local media that has been marked as
  1565. <a href="../../admin_api/media_admin_api.html#protecting-media-from-being-quarantined">protected from quarantine</a>
  1566. will not be deleted.</p>
  1567. <p>Example configuration:</p>
  1568. <pre><code class="language-yaml">media_retention:
  1569. local_media_lifetime: 90d
  1570. remote_media_lifetime: 14d
  1571. </code></pre>
  1572. <hr />
  1573. <h3 id="url_preview_enabled"><a class="header" href="#url_preview_enabled"><code>url_preview_enabled</code></a></h3>
  1574. <p>This setting determines whether the preview URL API is enabled.
  1575. It is disabled by default. Set to true to enable. If enabled you must specify a
  1576. <code>url_preview_ip_range_blacklist</code> blacklist.</p>
  1577. <p>Example configuration:</p>
  1578. <pre><code class="language-yaml">url_preview_enabled: true
  1579. </code></pre>
  1580. <hr />
  1581. <h3 id="url_preview_ip_range_blacklist"><a class="header" href="#url_preview_ip_range_blacklist"><code>url_preview_ip_range_blacklist</code></a></h3>
  1582. <p>List of IP address CIDR ranges that the URL preview spider is denied
  1583. from accessing. There are no defaults: you must explicitly
  1584. specify a list for URL previewing to work. You should specify any
  1585. internal services in your network that you do not want synapse to try
  1586. to connect to, otherwise anyone in any Matrix room could cause your
  1587. synapse to issue arbitrary GET requests to your internal services,
  1588. causing serious security issues.</p>
  1589. <p>(0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
  1590. listed here, since they correspond to unroutable addresses.)</p>
  1591. <p>This must be specified if <code>url_preview_enabled</code> is set. It is recommended that
  1592. you use the following example list as a starting point.</p>
  1593. <p>Note: The value is ignored when an HTTP proxy is in use.</p>
  1594. <p>Example configuration:</p>
  1595. <pre><code class="language-yaml">url_preview_ip_range_blacklist:
  1596. - '127.0.0.0/8'
  1597. - '10.0.0.0/8'
  1598. - '172.16.0.0/12'
  1599. - '192.168.0.0/16'
  1600. - '100.64.0.0/10'
  1601. - '192.0.0.0/24'
  1602. - '169.254.0.0/16'
  1603. - '192.88.99.0/24'
  1604. - '198.18.0.0/15'
  1605. - '192.0.2.0/24'
  1606. - '198.51.100.0/24'
  1607. - '203.0.113.0/24'
  1608. - '224.0.0.0/4'
  1609. - '::1/128'
  1610. - 'fe80::/10'
  1611. - 'fc00::/7'
  1612. - '2001:db8::/32'
  1613. - 'ff00::/8'
  1614. - 'fec0::/10'
  1615. </code></pre>
  1616. <hr />
  1617. <h3 id="url_preview_ip_range_whitelist"><a class="header" href="#url_preview_ip_range_whitelist"><code>url_preview_ip_range_whitelist</code></a></h3>
  1618. <p>This option sets a list of IP address CIDR ranges that the URL preview spider is allowed
  1619. to access even if they are specified in <code>url_preview_ip_range_blacklist</code>.
  1620. This is useful for specifying exceptions to wide-ranging blacklisted
  1621. target IP ranges - e.g. for enabling URL previews for a specific private
  1622. website only visible in your network. Defaults to none.</p>
  1623. <p>Example configuration:</p>
  1624. <pre><code class="language-yaml">url_preview_ip_range_whitelist:
  1625. - '192.168.1.1'
  1626. </code></pre>
  1627. <hr />
  1628. <h3 id="url_preview_url_blacklist"><a class="header" href="#url_preview_url_blacklist"><code>url_preview_url_blacklist</code></a></h3>
  1629. <p>Optional list of URL matches that the URL preview spider is
  1630. denied from accessing. You should use <code>url_preview_ip_range_blacklist</code>
  1631. in preference to this, otherwise someone could define a public DNS
  1632. entry that points to a private IP address and circumvent the blacklist.
  1633. This is more useful if you know there is an entire shape of URL that
  1634. you know that will never want synapse to try to spider.</p>
  1635. <p>Each list entry is a dictionary of url component attributes as returned
  1636. by urlparse.urlsplit as applied to the absolute form of the URL. See
  1637. <a href="https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit">here</a> for more
  1638. information. Some examples are:</p>
  1639. <ul>
  1640. <li><code>username</code></li>
  1641. <li><code>netloc</code></li>
  1642. <li><code>scheme</code></li>
  1643. <li><code>path</code></li>
  1644. </ul>
  1645. <p>The values of the dictionary are treated as a filename match pattern
  1646. applied to that component of URLs, unless they start with a ^ in which
  1647. case they are treated as a regular expression match. If all the
  1648. specified component matches for a given list item succeed, the URL is
  1649. blacklisted.</p>
  1650. <p>Example configuration:</p>
  1651. <pre><code class="language-yaml">url_preview_url_blacklist:
  1652. # blacklist any URL with a username in its URI
  1653. - username: '*'
  1654. # blacklist all *.google.com URLs
  1655. - netloc: 'google.com'
  1656. - netloc: '*.google.com'
  1657. # blacklist all plain HTTP URLs
  1658. - scheme: 'http'
  1659. # blacklist http(s)://www.acme.com/foo
  1660. - netloc: 'www.acme.com'
  1661. path: '/foo'
  1662. # blacklist any URL with a literal IPv4 address
  1663. - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
  1664. </code></pre>
  1665. <hr />
  1666. <h3 id="max_spider_size"><a class="header" href="#max_spider_size"><code>max_spider_size</code></a></h3>
  1667. <p>The largest allowed URL preview spidering size in bytes. Defaults to 10M.</p>
  1668. <p>Example configuration:</p>
  1669. <pre><code class="language-yaml">max_spider_size: 8M
  1670. </code></pre>
  1671. <hr />
  1672. <h3 id="url_preview_accept_language"><a class="header" href="#url_preview_accept_language"><code>url_preview_accept_language</code></a></h3>
  1673. <p>A list of values for the Accept-Language HTTP header used when
  1674. downloading webpages during URL preview generation. This allows
  1675. Synapse to specify the preferred languages that URL previews should
  1676. be in when communicating with remote servers.</p>
  1677. <p>Each value is a IETF language tag; a 2-3 letter identifier for a
  1678. language, optionally followed by subtags separated by '-', specifying
  1679. a country or region variant.</p>
  1680. <p>Multiple values can be provided, and a weight can be added to each by
  1681. using quality value syntax (;q=). '*' translates to any language.</p>
  1682. <p>Defaults to &quot;en&quot;.</p>
  1683. <p>Example configuration:</p>
  1684. <pre><code class="language-yaml"> url_preview_accept_language:
  1685. - 'en-UK'
  1686. - 'en-US;q=0.9'
  1687. - 'fr;q=0.8'
  1688. - '*;q=0.7'
  1689. </code></pre>
  1690. <hr />
  1691. <h3 id="oembed"><a class="header" href="#oembed"><code>oembed</code></a></h3>
  1692. <p>oEmbed allows for easier embedding content from a website. It can be
  1693. used for generating URLs previews of services which support it. A default list of oEmbed providers
  1694. is included with Synapse. Set <code>disable_default_providers</code> to true to disable using
  1695. these default oEmbed URLs. Use <code>additional_providers</code> to specify additional files with oEmbed configuration (each
  1696. should be in the form of providers.json). By default this list is empty.</p>
  1697. <p>Example configuration:</p>
  1698. <pre><code class="language-yaml">oembed:
  1699. disable_default_providers: true
  1700. additional_providers:
  1701. - oembed/my_providers.json
  1702. </code></pre>
  1703. <hr />
  1704. <h2 id="captcha"><a class="header" href="#captcha">Captcha</a></h2>
  1705. <p>See <a href="../../CAPTCHA_SETUP.html">here</a> for full details on setting up captcha.</p>
  1706. <hr />
  1707. <h3 id="recaptcha_public_key"><a class="header" href="#recaptcha_public_key"><code>recaptcha_public_key</code></a></h3>
  1708. <p>This homeserver's ReCAPTCHA public key. Must be specified if <code>enable_registration_captcha</code> is
  1709. enabled.</p>
  1710. <p>Example configuration:</p>
  1711. <pre><code class="language-yaml">recaptcha_public_key: &quot;YOUR_PUBLIC_KEY&quot;
  1712. </code></pre>
  1713. <hr />
  1714. <h3 id="recaptcha_private_key"><a class="header" href="#recaptcha_private_key"><code>recaptcha_private_key</code></a></h3>
  1715. <p>This homeserver's ReCAPTCHA private key. Must be specified if <code>enable_registration_captcha</code> is
  1716. enabled.</p>
  1717. <p>Example configuration:</p>
  1718. <pre><code class="language-yaml">recaptcha_private_key: &quot;YOUR_PRIVATE_KEY&quot;
  1719. </code></pre>
  1720. <hr />
  1721. <h3 id="enable_registration_captcha"><a class="header" href="#enable_registration_captcha"><code>enable_registration_captcha</code></a></h3>
  1722. <p>Set to true to enable ReCaptcha checks when registering, preventing signup
  1723. unless a captcha is answered. Requires a valid ReCaptcha public/private key.
  1724. Defaults to false.</p>
  1725. <p>Example configuration:</p>
  1726. <pre><code class="language-yaml">enable_registration_captcha: true
  1727. </code></pre>
  1728. <hr />
  1729. <h3 id="recaptcha_siteverify_api"><a class="header" href="#recaptcha_siteverify_api"><code>recaptcha_siteverify_api</code></a></h3>
  1730. <p>The API endpoint to use for verifying <code>m.login.recaptcha</code> responses.
  1731. Defaults to <code>https://www.recaptcha.net/recaptcha/api/siteverify</code>.</p>
  1732. <p>Example configuration:</p>
  1733. <pre><code class="language-yaml">recaptcha_siteverify_api: &quot;https://my.recaptcha.site&quot;
  1734. </code></pre>
  1735. <hr />
  1736. <h2 id="turn"><a class="header" href="#turn">TURN</a></h2>
  1737. <p>Options related to adding a TURN server to Synapse.</p>
  1738. <hr />
  1739. <h3 id="turn_uris"><a class="header" href="#turn_uris"><code>turn_uris</code></a></h3>
  1740. <p>The public URIs of the TURN server to give to clients.</p>
  1741. <p>Example configuration:</p>
  1742. <pre><code class="language-yaml">turn_uris: [turn:example.org]
  1743. </code></pre>
  1744. <hr />
  1745. <h3 id="turn_shared_secret"><a class="header" href="#turn_shared_secret"><code>turn_shared_secret</code></a></h3>
  1746. <p>The shared secret used to compute passwords for the TURN server.</p>
  1747. <p>Example configuration:</p>
  1748. <pre><code class="language-yaml">turn_shared_secret: &quot;YOUR_SHARED_SECRET&quot;
  1749. </code></pre>
  1750. <hr />
  1751. <h3 id="turn_username-and-turn_password"><a class="header" href="#turn_username-and-turn_password"><code>turn_username</code> and <code>turn_password</code></a></h3>
  1752. <p>The Username and password if the TURN server needs them and does not use a token.</p>
  1753. <p>Example configuration:</p>
  1754. <pre><code class="language-yaml">turn_username: &quot;TURNSERVER_USERNAME&quot;
  1755. turn_password: &quot;TURNSERVER_PASSWORD&quot;
  1756. </code></pre>
  1757. <hr />
  1758. <h3 id="turn_user_lifetime"><a class="header" href="#turn_user_lifetime"><code>turn_user_lifetime</code></a></h3>
  1759. <p>How long generated TURN credentials last. Defaults to 1h.</p>
  1760. <p>Example configuration:</p>
  1761. <pre><code class="language-yaml">turn_user_lifetime: 2h
  1762. </code></pre>
  1763. <hr />
  1764. <h3 id="turn_allow_guests"><a class="header" href="#turn_allow_guests"><code>turn_allow_guests</code></a></h3>
  1765. <p>Whether guests should be allowed to use the TURN server. This defaults to true, otherwise
  1766. VoIP will be unreliable for guests. However, it does introduce a slight security risk as
  1767. it allows users to connect to arbitrary endpoints without having first signed up for a valid account (e.g. by passing a CAPTCHA).</p>
  1768. <p>Example configuration:</p>
  1769. <pre><code class="language-yaml">turn_allow_guests: false
  1770. </code></pre>
  1771. <hr />
  1772. <h2 id="registration"><a class="header" href="#registration">Registration</a></h2>
  1773. <p>Registration can be rate-limited using the parameters in the <a href="#ratelimiting">Ratelimiting</a> section of this manual.</p>
  1774. <hr />
  1775. <h3 id="enable_registration"><a class="header" href="#enable_registration"><code>enable_registration</code></a></h3>
  1776. <p>Enable registration for new users. Defaults to false. It is highly recommended that if you enable registration,
  1777. you use either captcha, email, or token-based verification to verify that new users are not bots. In order to enable registration
  1778. without any verification, you must also set <code>enable_registration_without_verification</code> to true.</p>
  1779. <p>Example configuration:</p>
  1780. <pre><code class="language-yaml">enable_registration: true
  1781. </code></pre>
  1782. <hr />
  1783. <h3 id="enable_registration_without_verification"><a class="header" href="#enable_registration_without_verification"><code>enable_registration_without_verification</code></a></h3>
  1784. <p>Enable registration without email or captcha verification. Note: this option is <em>not</em> recommended,
  1785. as registration without verification is a known vector for spam and abuse. Defaults to false. Has no effect
  1786. unless <code>enable_registration</code> is also enabled.</p>
  1787. <p>Example configuration:</p>
  1788. <pre><code class="language-yaml">enable_registration_without_verification: true
  1789. </code></pre>
  1790. <hr />
  1791. <h3 id="session_lifetime"><a class="header" href="#session_lifetime"><code>session_lifetime</code></a></h3>
  1792. <p>Time that a user's session remains valid for, after they log in.</p>
  1793. <p>Note that this is not currently compatible with guest logins.</p>
  1794. <p>Note also that this is calculated at login time: changes are not applied retrospectively to users who have already
  1795. logged in.</p>
  1796. <p>By default, this is infinite.</p>
  1797. <p>Example configuration:</p>
  1798. <pre><code class="language-yaml">session_lifetime: 24h
  1799. </code></pre>
  1800. <hr />
  1801. <h3 id="refresh_access_token_lifetime"><a class="header" href="#refresh_access_token_lifetime"><code>refresh_access_token_lifetime</code></a></h3>
  1802. <p>Time that an access token remains valid for, if the session is using refresh tokens.</p>
  1803. <p>For more information about refresh tokens, please see the <a href="user_authentication/refresh_tokens.html">manual</a>.</p>
  1804. <p>Note that this only applies to clients which advertise support for refresh tokens.</p>
  1805. <p>Note also that this is calculated at login time and refresh time: changes are not applied to
  1806. existing sessions until they are refreshed.</p>
  1807. <p>By default, this is 5 minutes.</p>
  1808. <p>Example configuration:</p>
  1809. <pre><code class="language-yaml">refreshable_access_token_lifetime: 10m
  1810. </code></pre>
  1811. <hr />
  1812. <h3 id="refresh_token_lifetime-24h"><a class="header" href="#refresh_token_lifetime-24h"><code>refresh_token_lifetime: 24h</code></a></h3>
  1813. <p>Time that a refresh token remains valid for (provided that it is not
  1814. exchanged for another one first).
  1815. This option can be used to automatically log-out inactive sessions.
  1816. Please see the manual for more information.</p>
  1817. <p>Note also that this is calculated at login time and refresh time:
  1818. changes are not applied to existing sessions until they are refreshed.</p>
  1819. <p>By default, this is infinite.</p>
  1820. <p>Example configuration:</p>
  1821. <pre><code class="language-yaml">refresh_token_lifetime: 24h
  1822. </code></pre>
  1823. <hr />
  1824. <h3 id="nonrefreshable_access_token_lifetime"><a class="header" href="#nonrefreshable_access_token_lifetime"><code>nonrefreshable_access_token_lifetime</code></a></h3>
  1825. <p>Time that an access token remains valid for, if the session is NOT
  1826. using refresh tokens.</p>
  1827. <p>Please note that not all clients support refresh tokens, so setting
  1828. this to a short value may be inconvenient for some users who will
  1829. then be logged out frequently.</p>
  1830. <p>Note also that this is calculated at login time: changes are not applied
  1831. retrospectively to existing sessions for users that have already logged in.</p>
  1832. <p>By default, this is infinite.</p>
  1833. <p>Example configuration:</p>
  1834. <pre><code class="language-yaml">nonrefreshable_access_token_lifetime: 24h
  1835. </code></pre>
  1836. <hr />
  1837. <h3 id="registrations_require_3pid"><a class="header" href="#registrations_require_3pid"><code>registrations_require_3pid</code></a></h3>
  1838. <p>If this is set, the user must provide all of the specified types of 3PID when registering.</p>
  1839. <p>Example configuration:</p>
  1840. <pre><code class="language-yaml">registrations_require_3pid:
  1841. - email
  1842. - msisdn
  1843. </code></pre>
  1844. <hr />
  1845. <h3 id="disable_msisdn_registration"><a class="header" href="#disable_msisdn_registration"><code>disable_msisdn_registration</code></a></h3>
  1846. <p>Explicitly disable asking for MSISDNs from the registration
  1847. flow (overrides <code>registrations_require_3pid</code> if MSISDNs are set as required).</p>
  1848. <p>Example configuration:</p>
  1849. <pre><code class="language-yaml">disable_msisdn_registration: true
  1850. </code></pre>
  1851. <hr />
  1852. <h3 id="allowed_local_3pids"><a class="header" href="#allowed_local_3pids"><code>allowed_local_3pids</code></a></h3>
  1853. <p>Mandate that users are only allowed to associate certain formats of
  1854. 3PIDs with accounts on this server, as specified by the <code>medium</code> and <code>pattern</code> sub-options.</p>
  1855. <p>Example configuration:</p>
  1856. <pre><code class="language-yaml">allowed_local_3pids:
  1857. - medium: email
  1858. pattern: '^[^@]+@matrix\.org$'
  1859. - medium: email
  1860. pattern: '^[^@]+@vector\.im$'
  1861. - medium: msisdn
  1862. pattern: '\+44'
  1863. </code></pre>
  1864. <hr />
  1865. <h3 id="enable_3pid_lookup"><a class="header" href="#enable_3pid_lookup"><code>enable_3pid_lookup</code></a></h3>
  1866. <p>Enable 3PIDs lookup requests to identity servers from this server. Defaults to true.</p>
  1867. <p>Example configuration:</p>
  1868. <pre><code class="language-yaml">enable_3pid_lookup: false
  1869. </code></pre>
  1870. <hr />
  1871. <h3 id="registration_requires_token"><a class="header" href="#registration_requires_token"><code>registration_requires_token</code></a></h3>
  1872. <p>Require users to submit a token during registration.
  1873. Tokens can be managed using the admin <a href="../administration/admin_api/registration_tokens.html">API</a>.
  1874. Note that <code>enable_registration</code> must be set to true.
  1875. Disabling this option will not delete any tokens previously generated.
  1876. Defaults to false. Set to true to enable.</p>
  1877. <p>Example configuration:</p>
  1878. <pre><code class="language-yaml">registration_requires_token: true
  1879. </code></pre>
  1880. <hr />
  1881. <h3 id="registration_shared_secret"><a class="header" href="#registration_shared_secret"><code>registration_shared_secret</code></a></h3>
  1882. <p>If set, allows registration of standard or admin accounts by anyone who
  1883. has the shared secret, even if registration is otherwise disabled.</p>
  1884. <p>Example configuration:</p>
  1885. <pre><code class="language-yaml">registration_shared_secret: &lt;PRIVATE STRING&gt;
  1886. </code></pre>
  1887. <hr />
  1888. <h3 id="bcrypt_rounds"><a class="header" href="#bcrypt_rounds"><code>bcrypt_rounds</code></a></h3>
  1889. <p>Set the number of bcrypt rounds used to generate password hash.
  1890. Larger numbers increase the work factor needed to generate the hash.
  1891. The default number is 12 (which equates to 2^12 rounds).
  1892. N.B. that increasing this will exponentially increase the time required
  1893. to register or login - e.g. 24 =&gt; 2^24 rounds which will take &gt;20 mins.
  1894. Example configuration:</p>
  1895. <pre><code class="language-yaml">bcrypt_rounds: 14
  1896. </code></pre>
  1897. <hr />
  1898. <h3 id="allow_guest_access"><a class="header" href="#allow_guest_access"><code>allow_guest_access</code></a></h3>
  1899. <p>Allows users to register as guests without a password/email/etc, and
  1900. participate in rooms hosted on this server which have been made
  1901. accessible to anonymous users. Defaults to false.</p>
  1902. <p>Example configuration:</p>
  1903. <pre><code class="language-yaml">allow_guest_access: true
  1904. </code></pre>
  1905. <hr />
  1906. <h3 id="default_identity_server"><a class="header" href="#default_identity_server"><code>default_identity_server</code></a></h3>
  1907. <p>The identity server which we suggest that clients should use when users log
  1908. in on this server.</p>
  1909. <p>(By default, no suggestion is made, so it is left up to the client.
  1910. This setting is ignored unless <code>public_baseurl</code> is also explicitly set.)</p>
  1911. <p>Example configuration:</p>
  1912. <pre><code class="language-yaml">default_identity_server: https://matrix.org
  1913. </code></pre>
  1914. <hr />
  1915. <h3 id="account_threepid_delegates"><a class="header" href="#account_threepid_delegates"><code>account_threepid_delegates</code></a></h3>
  1916. <p>Delegate verification of phone numbers to an identity server.</p>
  1917. <p>When a user wishes to add a phone number to their account, we need to verify that they
  1918. actually own that phone number, which requires sending them a text message (SMS).
  1919. Currently Synapse does not support sending those texts itself and instead delegates the
  1920. task to an identity server. The base URI for the identity server to be used is
  1921. specified by the <code>account_threepid_delegates.msisdn</code> option.</p>
  1922. <p>If this is left unspecified, Synapse will not allow users to add phone numbers to
  1923. their account.</p>
  1924. <p>(Servers handling the these requests must answer the <code>/requestToken</code> endpoints defined
  1925. by the Matrix Identity Service API
  1926. <a href="https://matrix.org/docs/spec/identity_service/latest">specification</a>.)</p>
  1927. <p><em>Deprecated in Synapse 1.64.0</em>: The <code>email</code> option is deprecated.</p>
  1928. <p><em>Removed in Synapse 1.66.0</em>: The <code>email</code> option has been removed.
  1929. If present, Synapse will report a configuration error on startup.</p>
  1930. <p>Example configuration:</p>
  1931. <pre><code class="language-yaml">account_threepid_delegates:
  1932. msisdn: http://localhost:8090 # Delegate SMS sending to this local process
  1933. </code></pre>
  1934. <hr />
  1935. <h3 id="enable_set_displayname"><a class="header" href="#enable_set_displayname"><code>enable_set_displayname</code></a></h3>
  1936. <p>Whether users are allowed to change their displayname after it has
  1937. been initially set. Useful when provisioning users based on the
  1938. contents of a third-party directory.</p>
  1939. <p>Does not apply to server administrators. Defaults to true.</p>
  1940. <p>Example configuration:</p>
  1941. <pre><code class="language-yaml">enable_set_displayname: false
  1942. </code></pre>
  1943. <hr />
  1944. <h3 id="enable_set_avatar_url"><a class="header" href="#enable_set_avatar_url"><code>enable_set_avatar_url</code></a></h3>
  1945. <p>Whether users are allowed to change their avatar after it has been
  1946. initially set. Useful when provisioning users based on the contents
  1947. of a third-party directory.</p>
  1948. <p>Does not apply to server administrators. Defaults to true.</p>
  1949. <p>Example configuration:</p>
  1950. <pre><code class="language-yaml">enable_set_avatar_url: false
  1951. </code></pre>
  1952. <hr />
  1953. <h3 id="enable_3pid_changes"><a class="header" href="#enable_3pid_changes"><code>enable_3pid_changes</code></a></h3>
  1954. <p>Whether users can change the third-party IDs associated with their accounts
  1955. (email address and msisdn).</p>
  1956. <p>Defaults to true.</p>
  1957. <p>Example configuration:</p>
  1958. <pre><code class="language-yaml">enable_3pid_changes: false
  1959. </code></pre>
  1960. <hr />
  1961. <h3 id="auto_join_rooms"><a class="header" href="#auto_join_rooms"><code>auto_join_rooms</code></a></h3>
  1962. <p>Users who register on this homeserver will automatically be joined
  1963. to the rooms listed under this option.</p>
  1964. <p>By default, any room aliases included in this list will be created
  1965. as a publicly joinable room when the first user registers for the
  1966. homeserver. If the room already exists, make certain it is a publicly joinable
  1967. room, i.e. the join rule of the room must be set to 'public'. You can find more options
  1968. relating to auto-joining rooms below.</p>
  1969. <p>Example configuration:</p>
  1970. <pre><code class="language-yaml">auto_join_rooms:
  1971. - &quot;#exampleroom:example.com&quot;
  1972. - &quot;#anotherexampleroom:example.com&quot;
  1973. </code></pre>
  1974. <hr />
  1975. <h3 id="autocreate_auto_join_rooms"><a class="header" href="#autocreate_auto_join_rooms"><code>autocreate_auto_join_rooms</code></a></h3>
  1976. <p>Where <code>auto_join_rooms</code> are specified, setting this flag ensures that
  1977. the rooms exist by creating them when the first user on the
  1978. homeserver registers.</p>
  1979. <p>By default the auto-created rooms are publicly joinable from any federated
  1980. server. Use the <code>autocreate_auto_join_rooms_federated</code> and
  1981. <code>autocreate_auto_join_room_preset</code> settings to customise this behaviour.</p>
  1982. <p>Setting to false means that if the rooms are not manually created,
  1983. users cannot be auto-joined since they do not exist.</p>
  1984. <p>Defaults to true.</p>
  1985. <p>Example configuration:</p>
  1986. <pre><code class="language-yaml">autocreate_auto_join_rooms: false
  1987. </code></pre>
  1988. <hr />
  1989. <h3 id="autocreate_auto_join_rooms_federated"><a class="header" href="#autocreate_auto_join_rooms_federated"><code>autocreate_auto_join_rooms_federated</code></a></h3>
  1990. <p>Whether the rooms listen in <code>auto_join_rooms</code> that are auto-created are available
  1991. via federation. Only has an effect if <code>autocreate_auto_join_rooms</code> is true.</p>
  1992. <p>Note that whether a room is federated cannot be modified after
  1993. creation.</p>
  1994. <p>Defaults to true: the room will be joinable from other servers.
  1995. Set to false to prevent users from other homeservers from
  1996. joining these rooms.</p>
  1997. <p>Example configuration:</p>
  1998. <pre><code class="language-yaml">autocreate_auto_join_rooms_federated: false
  1999. </code></pre>
  2000. <hr />
  2001. <h3 id="autocreate_auto_join_room_preset"><a class="header" href="#autocreate_auto_join_room_preset"><code>autocreate_auto_join_room_preset</code></a></h3>
  2002. <p>The room preset to use when auto-creating one of <code>auto_join_rooms</code>. Only has an
  2003. effect if <code>autocreate_auto_join_rooms</code> is true.</p>
  2004. <p>Possible values for this option are:</p>
  2005. <ul>
  2006. <li>&quot;public_chat&quot;: the room is joinable by anyone, including
  2007. federated servers if <code>autocreate_auto_join_rooms_federated</code> is true (the default).</li>
  2008. <li>&quot;private_chat&quot;: an invitation is required to join these rooms.</li>
  2009. <li>&quot;trusted_private_chat&quot;: an invitation is required to join this room and the invitee is
  2010. assigned a power level of 100 upon joining the room.</li>
  2011. </ul>
  2012. <p>If a value of &quot;private_chat&quot; or &quot;trusted_private_chat&quot; is used then
  2013. <code>auto_join_mxid_localpart</code> must also be configured.</p>
  2014. <p>Defaults to &quot;public_chat&quot;.</p>
  2015. <p>Example configuration:</p>
  2016. <pre><code class="language-yaml">autocreate_auto_join_room_preset: private_chat
  2017. </code></pre>
  2018. <hr />
  2019. <h3 id="auto_join_mxid_localpart"><a class="header" href="#auto_join_mxid_localpart"><code>auto_join_mxid_localpart</code></a></h3>
  2020. <p>The local part of the user id which is used to create <code>auto_join_rooms</code> if
  2021. <code>autocreate_auto_join_rooms</code> is true. If this is not provided then the
  2022. initial user account that registers will be used to create the rooms.</p>
  2023. <p>The user id is also used to invite new users to any auto-join rooms which
  2024. are set to invite-only.</p>
  2025. <p>It <em>must</em> be configured if <code>autocreate_auto_join_room_preset</code> is set to
  2026. &quot;private_chat&quot; or &quot;trusted_private_chat&quot;.</p>
  2027. <p>Note that this must be specified in order for new users to be correctly
  2028. invited to any auto-join rooms which have been set to invite-only (either
  2029. at the time of creation or subsequently).</p>
  2030. <p>Note that, if the room already exists, this user must be joined and
  2031. have the appropriate permissions to invite new members.</p>
  2032. <p>Example configuration:</p>
  2033. <pre><code class="language-yaml">auto_join_mxid_localpart: system
  2034. </code></pre>
  2035. <hr />
  2036. <h3 id="auto_join_rooms_for_guests"><a class="header" href="#auto_join_rooms_for_guests"><code>auto_join_rooms_for_guests</code></a></h3>
  2037. <p>When <code>auto_join_rooms</code> is specified, setting this flag to false prevents
  2038. guest accounts from being automatically joined to the rooms.</p>
  2039. <p>Defaults to true.</p>
  2040. <p>Example configuration:</p>
  2041. <pre><code class="language-yaml">auto_join_rooms_for_guests: false
  2042. </code></pre>
  2043. <hr />
  2044. <h3 id="inhibit_user_in_use_error"><a class="header" href="#inhibit_user_in_use_error"><code>inhibit_user_in_use_error</code></a></h3>
  2045. <p>Whether to inhibit errors raised when registering a new account if the user ID
  2046. already exists. If turned on, requests to <code>/register/available</code> will always
  2047. show a user ID as available, and Synapse won't raise an error when starting
  2048. a registration with a user ID that already exists. However, Synapse will still
  2049. raise an error if the registration completes and the username conflicts.</p>
  2050. <p>Defaults to false.</p>
  2051. <p>Example configuration:</p>
  2052. <pre><code class="language-yaml">inhibit_user_in_use_error: true
  2053. </code></pre>
  2054. <hr />
  2055. <h2 id="metrics"><a class="header" href="#metrics">Metrics</a></h2>
  2056. <p>Config options related to metrics.</p>
  2057. <hr />
  2058. <h3 id="enable_metrics"><a class="header" href="#enable_metrics"><code>enable_metrics</code></a></h3>
  2059. <p>Set to true to enable collection and rendering of performance metrics.
  2060. Defaults to false.</p>
  2061. <p>Example configuration:</p>
  2062. <pre><code class="language-yaml">enable_metrics: true
  2063. </code></pre>
  2064. <hr />
  2065. <h3 id="sentry"><a class="header" href="#sentry"><code>sentry</code></a></h3>
  2066. <p>Use this option to enable sentry integration. Provide the DSN assigned to you by sentry
  2067. with the <code>dsn</code> setting.</p>
  2068. <p>NOTE: While attempts are made to ensure that the logs don't contain
  2069. any sensitive information, this cannot be guaranteed. By enabling
  2070. this option the sentry server may therefore receive sensitive
  2071. information, and it in turn may then disseminate sensitive information
  2072. through insecure notification channels if so configured.</p>
  2073. <p>Example configuration:</p>
  2074. <pre><code class="language-yaml">sentry:
  2075. dsn: &quot;...&quot;
  2076. </code></pre>
  2077. <hr />
  2078. <h3 id="metrics_flags"><a class="header" href="#metrics_flags"><code>metrics_flags</code></a></h3>
  2079. <p>Flags to enable Prometheus metrics which are not suitable to be
  2080. enabled by default, either for performance reasons or limited use.
  2081. Currently the only option is <code>known_servers</code>, which publishes
  2082. <code>synapse_federation_known_servers</code>, a gauge of the number of
  2083. servers this homeserver knows about, including itself. May cause
  2084. performance problems on large homeservers.</p>
  2085. <p>Example configuration:</p>
  2086. <pre><code class="language-yaml">metrics_flags:
  2087. known_servers: true
  2088. </code></pre>
  2089. <hr />
  2090. <h3 id="report_stats"><a class="header" href="#report_stats"><code>report_stats</code></a></h3>
  2091. <p>Whether or not to report homeserver usage statistics. This is originally
  2092. set when generating the config. Set this option to true or false to change the current
  2093. behavior. See
  2094. <a href="../administration/monitoring/reporting_homeserver_usage_statistics.html">Reporting Homeserver Usage Statistics</a>
  2095. for information on what data is reported.</p>
  2096. <p>Statistics will be reported 5 minutes after Synapse starts, and then every 3 hours
  2097. after that.</p>
  2098. <p>Example configuration:</p>
  2099. <pre><code class="language-yaml">report_stats: true
  2100. </code></pre>
  2101. <hr />
  2102. <h3 id="report_stats_endpoint"><a class="header" href="#report_stats_endpoint"><code>report_stats_endpoint</code></a></h3>
  2103. <p>The endpoint to report homeserver usage statistics to.
  2104. Defaults to https://matrix.org/report-usage-stats/push</p>
  2105. <p>Example configuration:</p>
  2106. <pre><code class="language-yaml">report_stats_endpoint: https://example.com/report-usage-stats/push
  2107. </code></pre>
  2108. <hr />
  2109. <h2 id="api-configuration"><a class="header" href="#api-configuration">API Configuration</a></h2>
  2110. <p>Config settings related to the client/server API</p>
  2111. <hr />
  2112. <h3 id="room_prejoin_state"><a class="header" href="#room_prejoin_state"><code>room_prejoin_state:</code></a></h3>
  2113. <p>Controls for the state that is shared with users who receive an invite
  2114. to a room. By default, the following state event types are shared with users who
  2115. receive invites to the room:</p>
  2116. <ul>
  2117. <li>m.room.join_rules</li>
  2118. <li>m.room.canonical_alias</li>
  2119. <li>m.room.avatar</li>
  2120. <li>m.room.encryption</li>
  2121. <li>m.room.name</li>
  2122. <li>m.room.create</li>
  2123. <li>m.room.topic</li>
  2124. </ul>
  2125. <p>To change the default behavior, use the following sub-options:</p>
  2126. <ul>
  2127. <li><code>disable_default_event_types</code>: set to true to disable the above defaults. If this
  2128. is enabled, only the event types listed in <code>additional_event_types</code> are shared.
  2129. Defaults to false.</li>
  2130. <li><code>additional_event_types</code>: Additional state event types to share with users when they are invited
  2131. to a room. By default, this list is empty (so only the default event types are shared).</li>
  2132. </ul>
  2133. <p>Example configuration:</p>
  2134. <pre><code class="language-yaml">room_prejoin_state:
  2135. disable_default_event_types: true
  2136. additional_event_types:
  2137. - org.example.custom.event.type
  2138. - m.room.join_rules
  2139. </code></pre>
  2140. <hr />
  2141. <h3 id="track_puppeted_user_ips"><a class="header" href="#track_puppeted_user_ips"><code>track_puppeted_user_ips</code></a></h3>
  2142. <p>We record the IP address of clients used to access the API for various
  2143. reasons, including displaying it to the user in the &quot;Where you're signed in&quot;
  2144. dialog.</p>
  2145. <p>By default, when puppeting another user via the admin API, the client IP
  2146. address is recorded against the user who created the access token (ie, the
  2147. admin user), and <em>not</em> the puppeted user.</p>
  2148. <p>Set this option to true to also record the IP address against the puppeted
  2149. user. (This also means that the puppeted user will count as an &quot;active&quot; user
  2150. for the purpose of monthly active user tracking - see <code>limit_usage_by_mau</code> etc
  2151. above.)</p>
  2152. <p>Example configuration:</p>
  2153. <pre><code class="language-yaml">track_puppeted_user_ips: true
  2154. </code></pre>
  2155. <hr />
  2156. <h3 id="app_service_config_files"><a class="header" href="#app_service_config_files"><code>app_service_config_files</code></a></h3>
  2157. <p>A list of application service config files to use.</p>
  2158. <p>Example configuration:</p>
  2159. <pre><code class="language-yaml">app_service_config_files:
  2160. - app_service_1.yaml
  2161. - app_service_2.yaml
  2162. </code></pre>
  2163. <hr />
  2164. <h3 id="track_appservice_user_ips"><a class="header" href="#track_appservice_user_ips"><code>track_appservice_user_ips</code></a></h3>
  2165. <p>Defaults to false. Set to true to enable tracking of application service IP addresses.
  2166. Implicitly enables MAU tracking for application service users.</p>
  2167. <p>Example configuration:</p>
  2168. <pre><code class="language-yaml">track_appservice_user_ips: true
  2169. </code></pre>
  2170. <hr />
  2171. <h3 id="macaroon_secret_key"><a class="header" href="#macaroon_secret_key"><code>macaroon_secret_key</code></a></h3>
  2172. <p>A secret which is used to sign</p>
  2173. <ul>
  2174. <li>access token for guest users,</li>
  2175. <li>short-term login token used during SSO logins (OIDC or SAML2) and</li>
  2176. <li>token used for unsubscribing from email notifications.</li>
  2177. </ul>
  2178. <p>If none is specified, the <code>registration_shared_secret</code> is used, if one is given;
  2179. otherwise, a secret key is derived from the signing key.</p>
  2180. <p>Example configuration:</p>
  2181. <pre><code class="language-yaml">macaroon_secret_key: &lt;PRIVATE STRING&gt;
  2182. </code></pre>
  2183. <hr />
  2184. <h3 id="form_secret"><a class="header" href="#form_secret"><code>form_secret</code></a></h3>
  2185. <p>A secret which is used to calculate HMACs for form values, to stop
  2186. falsification of values. Must be specified for the User Consent
  2187. forms to work.</p>
  2188. <p>Example configuration:</p>
  2189. <pre><code class="language-yaml">form_secret: &lt;PRIVATE STRING&gt;
  2190. </code></pre>
  2191. <hr />
  2192. <h2 id="signing-keys"><a class="header" href="#signing-keys">Signing Keys</a></h2>
  2193. <p>Config options relating to signing keys</p>
  2194. <hr />
  2195. <h3 id="signing_key_path"><a class="header" href="#signing_key_path"><code>signing_key_path</code></a></h3>
  2196. <p>Path to the signing key to sign messages with.</p>
  2197. <p>Example configuration:</p>
  2198. <pre><code class="language-yaml">signing_key_path: &quot;CONFDIR/SERVERNAME.signing.key&quot;
  2199. </code></pre>
  2200. <hr />
  2201. <h3 id="old_signing_keys"><a class="header" href="#old_signing_keys"><code>old_signing_keys</code></a></h3>
  2202. <p>The keys that the server used to sign messages with but won't use
  2203. to sign new messages. For each key, <code>key</code> should be the base64-encoded public key, and
  2204. <code>expired_ts</code>should be the time (in milliseconds since the unix epoch) that
  2205. it was last used.</p>
  2206. <p>It is possible to build an entry from an old <code>signing.key</code> file using the
  2207. <code>export_signing_key</code> script which is provided with synapse.</p>
  2208. <p>Example configuration:</p>
  2209. <pre><code class="language-yaml">old_signing_keys:
  2210. &quot;ed25519:id&quot;: { key: &quot;base64string&quot;, expired_ts: 123456789123 }
  2211. </code></pre>
  2212. <hr />
  2213. <h3 id="key_refresh_interval"><a class="header" href="#key_refresh_interval"><code>key_refresh_interval</code></a></h3>
  2214. <p>How long key response published by this server is valid for.
  2215. Used to set the <code>valid_until_ts</code> in <code>/key/v2</code> APIs.
  2216. Determines how quickly servers will query to check which keys
  2217. are still valid. Defaults to 1d.</p>
  2218. <p>Example configuration:</p>
  2219. <pre><code class="language-yaml">key_refresh_interval: 2d
  2220. </code></pre>
  2221. <hr />
  2222. <h3 id="trusted_key_servers"><a class="header" href="#trusted_key_servers"><code>trusted_key_servers:</code></a></h3>
  2223. <p>The trusted servers to download signing keys from.</p>
  2224. <p>When we need to fetch a signing key, each server is tried in parallel.</p>
  2225. <p>Normally, the connection to the key server is validated via TLS certificates.
  2226. Additional security can be provided by configuring a <code>verify key</code>, which
  2227. will make synapse check that the response is signed by that key.</p>
  2228. <p>This setting supercedes an older setting named <code>perspectives</code>. The old format
  2229. is still supported for backwards-compatibility, but it is deprecated.</p>
  2230. <p><code>trusted_key_servers</code> defaults to matrix.org, but using it will generate a
  2231. warning on start-up. To suppress this warning, set
  2232. <code>suppress_key_server_warning</code> to true.</p>
  2233. <p>Options for each entry in the list include:</p>
  2234. <ul>
  2235. <li><code>server_name</code>: the name of the server. Required.</li>
  2236. <li><code>verify_keys</code>: an optional map from key id to base64-encoded public key.
  2237. If specified, we will check that the response is signed by at least
  2238. one of the given keys.</li>
  2239. <li><code>accept_keys_insecurely</code>: a boolean. Normally, if <code>verify_keys</code> is unset,
  2240. and <code>federation_verify_certificates</code> is not <code>true</code>, synapse will refuse
  2241. to start, because this would allow anyone who can spoof DNS responses
  2242. to masquerade as the trusted key server. If you know what you are doing
  2243. and are sure that your network environment provides a secure connection
  2244. to the key server, you can set this to <code>true</code> to override this behaviour.</li>
  2245. </ul>
  2246. <p>Example configuration #1:</p>
  2247. <pre><code class="language-yaml">trusted_key_servers:
  2248. - server_name: &quot;my_trusted_server.example.com&quot;
  2249. verify_keys:
  2250. &quot;ed25519:auto&quot;: &quot;abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr&quot;
  2251. - server_name: &quot;my_other_trusted_server.example.com&quot;
  2252. </code></pre>
  2253. <p>Example configuration #2:</p>
  2254. <pre><code class="language-yaml">trusted_key_servers:
  2255. - server_name: &quot;matrix.org&quot;
  2256. </code></pre>
  2257. <hr />
  2258. <h3 id="suppress_key_server_warning"><a class="header" href="#suppress_key_server_warning"><code>suppress_key_server_warning</code></a></h3>
  2259. <p>Set the following to true to disable the warning that is emitted when the
  2260. <code>trusted_key_servers</code> include 'matrix.org'. See above.</p>
  2261. <p>Example configuration:</p>
  2262. <pre><code class="language-yaml">suppress_key_server_warning: true
  2263. </code></pre>
  2264. <hr />
  2265. <h3 id="key_server_signing_keys_path"><a class="header" href="#key_server_signing_keys_path"><code>key_server_signing_keys_path</code></a></h3>
  2266. <p>The signing keys to use when acting as a trusted key server. If not specified
  2267. defaults to the server signing key.</p>
  2268. <p>Can contain multiple keys, one per line.</p>
  2269. <p>Example configuration:</p>
  2270. <pre><code class="language-yaml">key_server_signing_keys_path: &quot;key_server_signing_keys.key&quot;
  2271. </code></pre>
  2272. <hr />
  2273. <h2 id="single-sign-on-integration"><a class="header" href="#single-sign-on-integration">Single sign-on integration</a></h2>
  2274. <p>The following settings can be used to make Synapse use a single sign-on
  2275. provider for authentication, instead of its internal password database.</p>
  2276. <p>You will probably also want to set the following options to false to
  2277. disable the regular login/registration flows:</p>
  2278. <ul>
  2279. <li><code>enable_registration</code></li>
  2280. <li><code>password_config.enabled</code></li>
  2281. </ul>
  2282. <p>You will also want to investigate the settings under the &quot;sso&quot; configuration
  2283. section below.</p>
  2284. <hr />
  2285. <h3 id="saml2_config"><a class="header" href="#saml2_config"><code>saml2_config</code></a></h3>
  2286. <p>Enable SAML2 for registration and login. Uses pysaml2. To learn more about pysaml and
  2287. to find a full list options for configuring pysaml, read the docs <a href="https://pysaml2.readthedocs.io/en/latest/">here</a>.</p>
  2288. <p>At least one of <code>sp_config</code> or <code>config_path</code> must be set in this section to
  2289. enable SAML login. You can either put your entire pysaml config inline using the <code>sp_config</code>
  2290. option, or you can specify a path to a psyaml config file with the sub-option <code>config_path</code>.
  2291. This setting has the following sub-options:</p>
  2292. <ul>
  2293. <li><code>sp_config</code>: the configuration for the pysaml2 Service Provider. See pysaml2 docs for format of config.
  2294. Default values will be used for the <code>entityid</code> and <code>service</code> settings,
  2295. so it is not normally necessary to specify them unless you need to
  2296. override them. Here are a few useful sub-options for configuring pysaml:
  2297. <ul>
  2298. <li><code>metadata</code>: Point this to the IdP's metadata. You must provide either a local
  2299. file via the <code>local</code> attribute or (preferably) a URL via the
  2300. <code>remote</code> attribute.</li>
  2301. <li><code>accepted_time_diff: 3</code>: Allowed clock difference in seconds between the homeserver and IdP.
  2302. Defaults to 0.</li>
  2303. <li><code>service</code>: By default, the user has to go to our login page first. If you'd like
  2304. to allow IdP-initiated login, set <code>allow_unsolicited</code> to true under <code>sp</code> in the <code>service</code>
  2305. section.</li>
  2306. </ul>
  2307. </li>
  2308. <li><code>config_path</code>: specify a separate pysaml2 configuration file thusly:
  2309. <code>config_path: &quot;CONFDIR/sp_conf.py&quot;</code></li>
  2310. <li><code>saml_session_lifetime</code>: The lifetime of a SAML session. This defines how long a user has to
  2311. complete the authentication process, if <code>allow_unsolicited</code> is unset. The default is 15 minutes.</li>
  2312. <li><code>user_mapping_provider</code>: Using this option, an external module can be provided as a
  2313. custom solution to mapping attributes returned from a saml provider onto a matrix user. The
  2314. <code>user_mapping_provider</code> has the following attributes:
  2315. <ul>
  2316. <li><code>module</code>: The custom module's class.</li>
  2317. <li><code>config</code>: Custom configuration values for the module. Use the values provided in the
  2318. example if you are using the built-in user_mapping_provider, or provide your own
  2319. config values for a custom class if you are using one. This section will be passed as a Python
  2320. dictionary to the module's <code>parse_config</code> method. The built-in provider takes the following two
  2321. options:
  2322. <ul>
  2323. <li><code>mxid_source_attribute</code>: The SAML attribute (after mapping via the attribute maps) to use
  2324. to derive the Matrix ID from. It is 'uid' by default. Note: This used to be configured by the
  2325. <code>saml2_config.mxid_source_attribute option</code>. If that is still defined, its value will be used instead.</li>
  2326. <li><code>mxid_mapping</code>: The mapping system to use for mapping the saml attribute onto a
  2327. matrix ID. Options include: <code>hexencode</code> (which maps unpermitted characters to '=xx')
  2328. and <code>dotreplace</code> (which replaces unpermitted characters with '.').
  2329. The default is <code>hexencode</code>. Note: This used to be configured by the
  2330. <code>saml2_config.mxid_mapping option</code>. If that is still defined, its value will be used instead.</li>
  2331. </ul>
  2332. </li>
  2333. </ul>
  2334. </li>
  2335. <li><code>grandfathered_mxid_source_attribute</code>: In previous versions of synapse, the mapping from SAML attribute to
  2336. MXID was always calculated dynamically rather than stored in a table. For backwards- compatibility, we will look for <code>user_ids</code>
  2337. matching such a pattern before creating a new account. This setting controls the SAML attribute which will be used for this
  2338. backwards-compatibility lookup. Typically it should be 'uid', but if the attribute maps are changed, it may be necessary to change it.
  2339. The default is 'uid'.</li>
  2340. <li><code>attribute_requirements</code>: It is possible to configure Synapse to only allow logins if SAML attributes
  2341. match particular values. The requirements can be listed under
  2342. <code>attribute_requirements</code> as shown in the example. All of the listed attributes must
  2343. match for the login to be permitted.</li>
  2344. <li><code>idp_entityid</code>: If the metadata XML contains multiple IdP entities then the <code>idp_entityid</code>
  2345. option must be set to the entity to redirect users to.
  2346. Most deployments only have a single IdP entity and so should omit this option.</li>
  2347. </ul>
  2348. <p>Once SAML support is enabled, a metadata file will be exposed at
  2349. <code>https://&lt;server&gt;:&lt;port&gt;/_synapse/client/saml2/metadata.xml</code>, which you may be able to
  2350. use to configure your SAML IdP with. Alternatively, you can manually configure
  2351. the IdP to use an ACS location of
  2352. <code>https://&lt;server&gt;:&lt;port&gt;/_synapse/client/saml2/authn_response</code>.</p>
  2353. <p>Example configuration:</p>
  2354. <pre><code class="language-yaml">saml2_config:
  2355. sp_config:
  2356. metadata:
  2357. local: [&quot;saml2/idp.xml&quot;]
  2358. remote:
  2359. - url: https://our_idp/metadata.xml
  2360. accepted_time_diff: 3
  2361. service:
  2362. sp:
  2363. allow_unsolicited: true
  2364. # The examples below are just used to generate our metadata xml, and you
  2365. # may well not need them, depending on your setup. Alternatively you
  2366. # may need a whole lot more detail - see the pysaml2 docs!
  2367. description: [&quot;My awesome SP&quot;, &quot;en&quot;]
  2368. name: [&quot;Test SP&quot;, &quot;en&quot;]
  2369. ui_info:
  2370. display_name:
  2371. - lang: en
  2372. text: &quot;Display Name is the descriptive name of your service.&quot;
  2373. description:
  2374. - lang: en
  2375. text: &quot;Description should be a short paragraph explaining the purpose of the service.&quot;
  2376. information_url:
  2377. - lang: en
  2378. text: &quot;https://example.com/terms-of-service&quot;
  2379. privacy_statement_url:
  2380. - lang: en
  2381. text: &quot;https://example.com/privacy-policy&quot;
  2382. keywords:
  2383. - lang: en
  2384. text: [&quot;Matrix&quot;, &quot;Element&quot;]
  2385. logo:
  2386. - lang: en
  2387. text: &quot;https://example.com/logo.svg&quot;
  2388. width: &quot;200&quot;
  2389. height: &quot;80&quot;
  2390. organization:
  2391. name: Example com
  2392. display_name:
  2393. - [&quot;Example co&quot;, &quot;en&quot;]
  2394. url: &quot;http://example.com&quot;
  2395. contact_person:
  2396. - given_name: Bob
  2397. sur_name: &quot;the Sysadmin&quot;
  2398. email_address&quot;: [&quot;admin@example.com&quot;]
  2399. contact_type&quot;: technical
  2400. saml_session_lifetime: 5m
  2401. user_mapping_provider:
  2402. # Below options are intended for the built-in provider, they should be
  2403. # changed if using a custom module.
  2404. config:
  2405. mxid_source_attribute: displayName
  2406. mxid_mapping: dotreplace
  2407. grandfathered_mxid_source_attribute: upn
  2408. attribute_requirements:
  2409. - attribute: userGroup
  2410. value: &quot;staff&quot;
  2411. - attribute: department
  2412. value: &quot;sales&quot;
  2413. idp_entityid: 'https://our_idp/entityid'
  2414. </code></pre>
  2415. <hr />
  2416. <h3 id="oidc_providers"><a class="header" href="#oidc_providers"><code>oidc_providers</code></a></h3>
  2417. <p>List of OpenID Connect (OIDC) / OAuth 2.0 identity providers, for registration
  2418. and login. See <a href="../../openid.html">here</a>
  2419. for information on how to configure these options.</p>
  2420. <p>For backwards compatibility, it is also possible to configure a single OIDC
  2421. provider via an <code>oidc_config</code> setting. This is now deprecated and admins are
  2422. advised to migrate to the <code>oidc_providers</code> format. (When doing that migration,
  2423. use <code>oidc</code> for the <code>idp_id</code> to ensure that existing users continue to be
  2424. recognised.)</p>
  2425. <p>Options for each entry include:</p>
  2426. <ul>
  2427. <li>
  2428. <p><code>idp_id</code>: a unique identifier for this identity provider. Used internally
  2429. by Synapse; should be a single word such as 'github'.
  2430. Note that, if this is changed, users authenticating via that provider
  2431. will no longer be recognised as the same user!
  2432. (Use &quot;oidc&quot; here if you are migrating from an old <code>oidc_config</code> configuration.)</p>
  2433. </li>
  2434. <li>
  2435. <p><code>idp_name</code>: A user-facing name for this identity provider, which is used to
  2436. offer the user a choice of login mechanisms.</p>
  2437. </li>
  2438. <li>
  2439. <p><code>idp_icon</code>: An optional icon for this identity provider, which is presented
  2440. by clients and Synapse's own IdP picker page. If given, must be an
  2441. MXC URI of the format mxc://<server-name>/<media-id>. (An easy way to
  2442. obtain such an MXC URI is to upload an image to an (unencrypted) room
  2443. and then copy the &quot;url&quot; from the source of the event.)</p>
  2444. </li>
  2445. <li>
  2446. <p><code>idp_brand</code>: An optional brand for this identity provider, allowing clients
  2447. to style the login flow according to the identity provider in question.
  2448. See the <a href="https://spec.matrix.org/latest/">spec</a> for possible options here.</p>
  2449. </li>
  2450. <li>
  2451. <p><code>discover</code>: set to false to disable the use of the OIDC discovery mechanism
  2452. to discover endpoints. Defaults to true.</p>
  2453. </li>
  2454. <li>
  2455. <p><code>issuer</code>: Required. The OIDC issuer. Used to validate tokens and (if discovery
  2456. is enabled) to discover the provider's endpoints.</p>
  2457. </li>
  2458. <li>
  2459. <p><code>client_id</code>: Required. oauth2 client id to use.</p>
  2460. </li>
  2461. <li>
  2462. <p><code>client_secret</code>: oauth2 client secret to use. May be omitted if
  2463. <code>client_secret_jwt_key</code> is given, or if <code>client_auth_method</code> is 'none'.</p>
  2464. </li>
  2465. <li>
  2466. <p><code>client_secret_jwt_key</code>: Alternative to client_secret: details of a key used
  2467. to create a JSON Web Token to be used as an OAuth2 client secret. If
  2468. given, must be a dictionary with the following properties:</p>
  2469. <ul>
  2470. <li>
  2471. <p><code>key</code>: a pem-encoded signing key. Must be a suitable key for the
  2472. algorithm specified. Required unless <code>key_file</code> is given.</p>
  2473. </li>
  2474. <li>
  2475. <p><code>key_file</code>: the path to file containing a pem-encoded signing key file.
  2476. Required unless <code>key</code> is given.</p>
  2477. </li>
  2478. <li>
  2479. <p><code>jwt_header</code>: a dictionary giving properties to include in the JWT
  2480. header. Must include the key <code>alg</code>, giving the algorithm used to
  2481. sign the JWT, such as &quot;ES256&quot;, using the JWA identifiers in
  2482. RFC7518.</p>
  2483. </li>
  2484. <li>
  2485. <p><code>jwt_payload</code>: an optional dictionary giving properties to include in
  2486. the JWT payload. Normally this should include an <code>iss</code> key.</p>
  2487. </li>
  2488. </ul>
  2489. </li>
  2490. <li>
  2491. <p><code>client_auth_method</code>: auth method to use when exchanging the token. Valid
  2492. values are <code>client_secret_basic</code> (default), <code>client_secret_post</code> and
  2493. <code>none</code>.</p>
  2494. </li>
  2495. <li>
  2496. <p><code>scopes</code>: list of scopes to request. This should normally include the &quot;openid&quot;
  2497. scope. Defaults to [&quot;openid&quot;].</p>
  2498. </li>
  2499. <li>
  2500. <p><code>authorization_endpoint</code>: the oauth2 authorization endpoint. Required if
  2501. provider discovery is disabled.</p>
  2502. </li>
  2503. <li>
  2504. <p><code>token_endpoint</code>: the oauth2 token endpoint. Required if provider discovery is
  2505. disabled.</p>
  2506. </li>
  2507. <li>
  2508. <p><code>userinfo_endpoint</code>: the OIDC userinfo endpoint. Required if discovery is
  2509. disabled and the 'openid' scope is not requested.</p>
  2510. </li>
  2511. <li>
  2512. <p><code>jwks_uri</code>: URI where to fetch the JWKS. Required if discovery is disabled and
  2513. the 'openid' scope is used.</p>
  2514. </li>
  2515. <li>
  2516. <p><code>skip_verification</code>: set to 'true' to skip metadata verification. Use this if
  2517. you are connecting to a provider that is not OpenID Connect compliant.
  2518. Defaults to false. Avoid this in production.</p>
  2519. </li>
  2520. <li>
  2521. <p><code>user_profile_method</code>: Whether to fetch the user profile from the userinfo
  2522. endpoint, or to rely on the data returned in the id_token from the <code>token_endpoint</code>.
  2523. Valid values are: <code>auto</code> or <code>userinfo_endpoint</code>.
  2524. Defaults to <code>auto</code>, which uses the userinfo endpoint if <code>openid</code> is
  2525. not included in <code>scopes</code>. Set to <code>userinfo_endpoint</code> to always use the
  2526. userinfo endpoint.</p>
  2527. </li>
  2528. <li>
  2529. <p><code>allow_existing_users</code>: set to true to allow a user logging in via OIDC to
  2530. match a pre-existing account instead of failing. This could be used if
  2531. switching from password logins to OIDC. Defaults to false.</p>
  2532. </li>
  2533. <li>
  2534. <p><code>user_mapping_provider</code>: Configuration for how attributes returned from a OIDC
  2535. provider are mapped onto a matrix user. This setting has the following
  2536. sub-properties:</p>
  2537. <ul>
  2538. <li>
  2539. <p><code>module</code>: The class name of a custom mapping module. Default is
  2540. <code>synapse.handlers.oidc.JinjaOidcMappingProvider</code>.
  2541. See https://matrix-org.github.io/synapse/latest/sso_mapping_providers.html#openid-mapping-providers
  2542. for information on implementing a custom mapping provider.</p>
  2543. </li>
  2544. <li>
  2545. <p><code>config</code>: Configuration for the mapping provider module. This section will
  2546. be passed as a Python dictionary to the user mapping provider
  2547. module's <code>parse_config</code> method.</p>
  2548. <p>For the default provider, the following settings are available:</p>
  2549. <ul>
  2550. <li>
  2551. <p>subject_claim: name of the claim containing a unique identifier
  2552. for the user. Defaults to 'sub', which OpenID Connect
  2553. compliant providers should provide.</p>
  2554. </li>
  2555. <li>
  2556. <p><code>localpart_template</code>: Jinja2 template for the localpart of the MXID.
  2557. If this is not set, the user will be prompted to choose their
  2558. own username (see the documentation for the <code>sso_auth_account_details.html</code>
  2559. template). This template can use the <code>localpart_from_email</code> filter.</p>
  2560. </li>
  2561. <li>
  2562. <p><code>confirm_localpart</code>: Whether to prompt the user to validate (or
  2563. change) the generated localpart (see the documentation for the
  2564. 'sso_auth_account_details.html' template), instead of
  2565. registering the account right away.</p>
  2566. </li>
  2567. <li>
  2568. <p><code>display_name_template</code>: Jinja2 template for the display name to set
  2569. on first login. If unset, no displayname will be set.</p>
  2570. </li>
  2571. <li>
  2572. <p><code>email_template</code>: Jinja2 template for the email address of the user.
  2573. If unset, no email address will be added to the account.</p>
  2574. </li>
  2575. <li>
  2576. <p><code>extra_attributes</code>: a map of Jinja2 templates for extra attributes
  2577. to send back to the client during login. Note that these are non-standard and clients will ignore them
  2578. without modifications.</p>
  2579. </li>
  2580. </ul>
  2581. </li>
  2582. </ul>
  2583. <p>When rendering, the Jinja2 templates are given a 'user' variable,
  2584. which is set to the claims returned by the UserInfo Endpoint and/or
  2585. in the ID Token.</p>
  2586. </li>
  2587. </ul>
  2588. <p>It is possible to configure Synapse to only allow logins if certain attributes
  2589. match particular values in the OIDC userinfo. The requirements can be listed under
  2590. <code>attribute_requirements</code> as shown here:</p>
  2591. <pre><code class="language-yaml">attribute_requirements:
  2592. - attribute: family_name
  2593. value: &quot;Stephensson&quot;
  2594. - attribute: groups
  2595. value: &quot;admin&quot;
  2596. </code></pre>
  2597. <p>All of the listed attributes must match for the login to be permitted. Additional attributes can be added to
  2598. userinfo by expanding the <code>scopes</code> section of the OIDC config to retrieve
  2599. additional information from the OIDC provider.</p>
  2600. <p>If the OIDC claim is a list, then the attribute must match any value in the list.
  2601. Otherwise, it must exactly match the value of the claim. Using the example
  2602. above, the <code>family_name</code> claim MUST be &quot;Stephensson&quot;, but the <code>groups</code>
  2603. claim MUST contain &quot;admin&quot;.</p>
  2604. <p>Example configuration:</p>
  2605. <pre><code class="language-yaml">oidc_providers:
  2606. # Generic example
  2607. #
  2608. - idp_id: my_idp
  2609. idp_name: &quot;My OpenID provider&quot;
  2610. idp_icon: &quot;mxc://example.com/mediaid&quot;
  2611. discover: false
  2612. issuer: &quot;https://accounts.example.com/&quot;
  2613. client_id: &quot;provided-by-your-issuer&quot;
  2614. client_secret: &quot;provided-by-your-issuer&quot;
  2615. client_auth_method: client_secret_post
  2616. scopes: [&quot;openid&quot;, &quot;profile&quot;]
  2617. authorization_endpoint: &quot;https://accounts.example.com/oauth2/auth&quot;
  2618. token_endpoint: &quot;https://accounts.example.com/oauth2/token&quot;
  2619. userinfo_endpoint: &quot;https://accounts.example.com/userinfo&quot;
  2620. jwks_uri: &quot;https://accounts.example.com/.well-known/jwks.json&quot;
  2621. skip_verification: true
  2622. user_mapping_provider:
  2623. config:
  2624. subject_claim: &quot;id&quot;
  2625. localpart_template: &quot;{{ user.login }}&quot;
  2626. display_name_template: &quot;{{ user.name }}&quot;
  2627. email_template: &quot;{{ user.email }}&quot;
  2628. attribute_requirements:
  2629. - attribute: userGroup
  2630. value: &quot;synapseUsers&quot;
  2631. </code></pre>
  2632. <hr />
  2633. <h3 id="cas_config"><a class="header" href="#cas_config"><code>cas_config</code></a></h3>
  2634. <p>Enable Central Authentication Service (CAS) for registration and login.
  2635. Has the following sub-options:</p>
  2636. <ul>
  2637. <li><code>enabled</code>: Set this to true to enable authorization against a CAS server.
  2638. Defaults to false.</li>
  2639. <li><code>server_url</code>: The URL of the CAS authorization endpoint.</li>
  2640. <li><code>displayname_attribute</code>: The attribute of the CAS response to use as the display name.
  2641. If no name is given here, no displayname will be set.</li>
  2642. <li><code>required_attributes</code>: It is possible to configure Synapse to only allow logins if CAS attributes
  2643. match particular values. All of the keys given below must exist
  2644. and the values must match the given value. Alternately if the given value
  2645. is <code>None</code> then any value is allowed (the attribute just must exist).
  2646. All of the listed attributes must match for the login to be permitted.</li>
  2647. </ul>
  2648. <p>Example configuration:</p>
  2649. <pre><code class="language-yaml">cas_config:
  2650. enabled: true
  2651. server_url: &quot;https://cas-server.com&quot;
  2652. displayname_attribute: name
  2653. required_attributes:
  2654. userGroup: &quot;staff&quot;
  2655. department: None
  2656. </code></pre>
  2657. <hr />
  2658. <h3 id="sso"><a class="header" href="#sso"><code>sso</code></a></h3>
  2659. <p>Additional settings to use with single-sign on systems such as OpenID Connect,
  2660. SAML2 and CAS.</p>
  2661. <p>Server admins can configure custom templates for pages related to SSO. See
  2662. <a href="../../templates.html">here</a> for more information.</p>
  2663. <p>Options include:</p>
  2664. <ul>
  2665. <li><code>client_whitelist</code>: A list of client URLs which are whitelisted so that the user does not
  2666. have to confirm giving access to their account to the URL. Any client
  2667. whose URL starts with an entry in the following list will not be subject
  2668. to an additional confirmation step after the SSO login is completed.
  2669. WARNING: An entry such as &quot;https://my.client&quot; is insecure, because it
  2670. will also match &quot;https://my.client.evil.site&quot;, exposing your users to
  2671. phishing attacks from evil.site. To avoid this, include a slash after the
  2672. hostname: &quot;https://my.client/&quot;.
  2673. The login fallback page (used by clients that don't natively support the
  2674. required login flows) is whitelisted in addition to any URLs in this list.
  2675. By default, this list contains only the login fallback page.</li>
  2676. <li><code>update_profile_information</code>: Use this setting to keep a user's profile fields in sync with information from
  2677. the identity provider. Currently only syncing the displayname is supported. Fields
  2678. are checked on every SSO login, and are updated if necessary.
  2679. Note that enabling this option will override user profile information,
  2680. regardless of whether users have opted-out of syncing that
  2681. information when first signing in. Defaults to false.</li>
  2682. </ul>
  2683. <p>Example configuration:</p>
  2684. <pre><code class="language-yaml">sso:
  2685. client_whitelist:
  2686. - https://riot.im/develop
  2687. - https://my.custom.client/
  2688. update_profile_information: true
  2689. </code></pre>
  2690. <hr />
  2691. <h3 id="jwt_config"><a class="header" href="#jwt_config"><code>jwt_config</code></a></h3>
  2692. <p>JSON web token integration. The following settings can be used to make
  2693. Synapse JSON web tokens for authentication, instead of its internal
  2694. password database.</p>
  2695. <p>Each JSON Web Token needs to contain a &quot;sub&quot; (subject) claim, which is
  2696. used as the localpart of the mxid.</p>
  2697. <p>Additionally, the expiration time (&quot;exp&quot;), not before time (&quot;nbf&quot;),
  2698. and issued at (&quot;iat&quot;) claims are validated if present.</p>
  2699. <p>Note that this is a non-standard login type and client support is
  2700. expected to be non-existent.</p>
  2701. <p>See <a href="../../jwt.html">here</a> for more.</p>
  2702. <p>Additional sub-options for this setting include:</p>
  2703. <ul>
  2704. <li><code>enabled</code>: Set to true to enable authorization using JSON web
  2705. tokens. Defaults to false.</li>
  2706. <li><code>secret</code>: This is either the private shared secret or the public key used to
  2707. decode the contents of the JSON web token. Required if <code>enabled</code> is set to true.</li>
  2708. <li><code>algorithm</code>: The algorithm used to sign (or HMAC) the JSON web token.
  2709. Supported algorithms are listed
  2710. <a href="https://docs.authlib.org/en/latest/specs/rfc7518.html">here (section JWS)</a>.
  2711. Required if <code>enabled</code> is set to true.</li>
  2712. <li><code>subject_claim</code>: Name of the claim containing a unique identifier for the user.
  2713. Optional, defaults to <code>sub</code>.</li>
  2714. <li><code>issuer</code>: The issuer to validate the &quot;iss&quot; claim against. Optional. If provided the
  2715. &quot;iss&quot; claim will be required and validated for all JSON web tokens.</li>
  2716. <li><code>audiences</code>: A list of audiences to validate the &quot;aud&quot; claim against. Optional.
  2717. If provided the &quot;aud&quot; claim will be required and validated for all JSON web tokens.
  2718. Note that if the &quot;aud&quot; claim is included in a JSON web token then
  2719. validation will fail without configuring audiences.</li>
  2720. </ul>
  2721. <p>Example configuration:</p>
  2722. <pre><code class="language-yaml">jwt_config:
  2723. enabled: true
  2724. secret: &quot;provided-by-your-issuer&quot;
  2725. algorithm: &quot;provided-by-your-issuer&quot;
  2726. subject_claim: &quot;name_of_claim&quot;
  2727. issuer: &quot;provided-by-your-issuer&quot;
  2728. audiences:
  2729. - &quot;provided-by-your-issuer&quot;
  2730. </code></pre>
  2731. <hr />
  2732. <h3 id="password_config"><a class="header" href="#password_config"><code>password_config</code></a></h3>
  2733. <p>Use this setting to enable password-based logins.</p>
  2734. <p>This setting has the following sub-options:</p>
  2735. <ul>
  2736. <li><code>enabled</code>: Defaults to true.
  2737. Set to false to disable password authentication.
  2738. Set to <code>only_for_reauth</code> to allow users with existing passwords to use them
  2739. to log in and reauthenticate, whilst preventing new users from setting passwords.</li>
  2740. <li><code>localdb_enabled</code>: Set to false to disable authentication against the local password
  2741. database. This is ignored if <code>enabled</code> is false, and is only useful
  2742. if you have other <code>password_providers</code>. Defaults to true.</li>
  2743. <li><code>pepper</code>: Set the value here to a secret random string for extra security.
  2744. DO NOT CHANGE THIS AFTER INITIAL SETUP!</li>
  2745. <li><code>policy</code>: Define and enforce a password policy, such as minimum lengths for passwords, etc.
  2746. Each parameter is optional. This is an implementation of MSC2000. Parameters are as follows:
  2747. <ul>
  2748. <li><code>enabled</code>: Defaults to false. Set to true to enable.</li>
  2749. <li><code>minimum_length</code>: Minimum accepted length for a password. Defaults to 0.</li>
  2750. <li><code>require_digit</code>: Whether a password must contain at least one digit.
  2751. Defaults to false.</li>
  2752. <li><code>require_symbol</code>: Whether a password must contain at least one symbol.
  2753. A symbol is any character that's not a number or a letter. Defaults to false.</li>
  2754. <li><code>require_lowercase</code>: Whether a password must contain at least one lowercase letter.
  2755. Defaults to false.</li>
  2756. <li><code>require_uppercase</code>: Whether a password must contain at least one uppercase letter.
  2757. Defaults to false.</li>
  2758. </ul>
  2759. </li>
  2760. </ul>
  2761. <p>Example configuration:</p>
  2762. <pre><code class="language-yaml">password_config:
  2763. enabled: false
  2764. localdb_enabled: false
  2765. pepper: &quot;EVEN_MORE_SECRET&quot;
  2766. policy:
  2767. enabled: true
  2768. minimum_length: 15
  2769. require_digit: true
  2770. require_symbol: true
  2771. require_lowercase: true
  2772. require_uppercase: true
  2773. </code></pre>
  2774. <hr />
  2775. <h3 id="ui_auth"><a class="header" href="#ui_auth"><code>ui_auth</code></a></h3>
  2776. <p>The amount of time to allow a user-interactive authentication session to be active.</p>
  2777. <p>This defaults to 0, meaning the user is queried for their credentials
  2778. before every action, but this can be overridden to allow a single
  2779. validation to be re-used. This weakens the protections afforded by
  2780. the user-interactive authentication process, by allowing for multiple
  2781. (and potentially different) operations to use the same validation session.</p>
  2782. <p>This is ignored for potentially &quot;dangerous&quot; operations (including
  2783. deactivating an account, modifying an account password, and
  2784. adding a 3PID).</p>
  2785. <p>Use the <code>session_timeout</code> sub-option here to change the time allowed for credential validation.</p>
  2786. <p>Example configuration:</p>
  2787. <pre><code class="language-yaml">ui_auth:
  2788. session_timeout: &quot;15s&quot;
  2789. </code></pre>
  2790. <hr />
  2791. <h3 id="email"><a class="header" href="#email"><code>email</code></a></h3>
  2792. <p>Configuration for sending emails from Synapse.</p>
  2793. <p>Server admins can configure custom templates for email content. See
  2794. <a href="../../templates.html">here</a> for more information.</p>
  2795. <p>This setting has the following sub-options:</p>
  2796. <ul>
  2797. <li>
  2798. <p><code>smtp_host</code>: The hostname of the outgoing SMTP server to use. Defaults to 'localhost'.</p>
  2799. </li>
  2800. <li>
  2801. <p><code>smtp_port</code>: The port on the mail server for outgoing SMTP. Defaults to 465 if <code>force_tls</code> is true, else 25.</p>
  2802. <p><em>Changed in Synapse 1.64.0:</em> the default port is now aware of <code>force_tls</code>.</p>
  2803. </li>
  2804. <li>
  2805. <p><code>smtp_user</code> and <code>smtp_pass</code>: Username/password for authentication to the SMTP server. By default, no
  2806. authentication is attempted.</p>
  2807. </li>
  2808. <li>
  2809. <p><code>force_tls</code>: By default, Synapse connects over plain text and then optionally upgrades
  2810. to TLS via STARTTLS. If this option is set to true, TLS is used from the start (Implicit TLS),
  2811. and the option <code>require_transport_security</code> is ignored.
  2812. It is recommended to enable this if supported by your mail server.</p>
  2813. <p><em>New in Synapse 1.64.0.</em></p>
  2814. </li>
  2815. <li>
  2816. <p><code>require_transport_security</code>: Set to true to require TLS transport security for SMTP.
  2817. By default, Synapse will connect over plain text, and will then switch to
  2818. TLS via STARTTLS <em>if the SMTP server supports it</em>. If this option is set,
  2819. Synapse will refuse to connect unless the server supports STARTTLS.</p>
  2820. </li>
  2821. <li>
  2822. <p><code>enable_tls</code>: By default, if the server supports TLS, it will be used, and the server
  2823. must present a certificate that is valid for 'smtp_host'. If this option
  2824. is set to false, TLS will not be used.</p>
  2825. </li>
  2826. <li>
  2827. <p><code>notif_from</code>: defines the &quot;From&quot; address to use when sending emails.
  2828. It must be set if email sending is enabled. The placeholder '%(app)s' will be replaced by the application name,
  2829. which is normally set in <code>app_name</code>, but may be overridden by the
  2830. Matrix client application. Note that the placeholder must be written '%(app)s', including the
  2831. trailing 's'.</p>
  2832. </li>
  2833. <li>
  2834. <p><code>app_name</code>: <code>app_name</code> defines the default value for '%(app)s' in <code>notif_from</code> and email
  2835. subjects. It defaults to 'Matrix'.</p>
  2836. </li>
  2837. <li>
  2838. <p><code>enable_notifs</code>: Set to true to enable sending emails for messages that the user
  2839. has missed. Disabled by default.</p>
  2840. </li>
  2841. <li>
  2842. <p><code>notif_for_new_users</code>: Set to false to disable automatic subscription to email
  2843. notifications for new users. Enabled by default.</p>
  2844. </li>
  2845. <li>
  2846. <p><code>client_base_url</code>: Custom URL for client links within the email notifications. By default
  2847. links will be based on &quot;https://matrix.to&quot;. (This setting used to be called <code>riot_base_url</code>;
  2848. the old name is still supported for backwards-compatibility but is now deprecated.)</p>
  2849. </li>
  2850. <li>
  2851. <p><code>validation_token_lifetime</code>: Configures the time that a validation email will expire after sending.
  2852. Defaults to 1h.</p>
  2853. </li>
  2854. <li>
  2855. <p><code>invite_client_location</code>: The web client location to direct users to during an invite. This is passed
  2856. to the identity server as the <code>org.matrix.web_client_location</code> key. Defaults
  2857. to unset, giving no guidance to the identity server.</p>
  2858. </li>
  2859. <li>
  2860. <p><code>subjects</code>: Subjects to use when sending emails from Synapse. The placeholder '%(app)s' will
  2861. be replaced with the value of the <code>app_name</code> setting, or by a value dictated by the Matrix client application.
  2862. In addition, each subject can use the following placeholders: '%(person)s', which will be replaced by the displayname
  2863. of the user(s) that sent the message(s), e.g. &quot;Alice and Bob&quot;, and '%(room)s', which will be replaced by the name of the room the
  2864. message(s) have been sent to, e.g. &quot;My super room&quot;. In addition, emails related to account administration will
  2865. can use the '%(server_name)s' placeholder, which will be replaced by the value of the
  2866. <code>server_name</code> setting in your Synapse configuration.</p>
  2867. <p>Here is a list of subjects for notification emails that can be set:</p>
  2868. <ul>
  2869. <li><code>message_from_person_in_room</code>: Subject to use to notify about one message from one or more user(s) in a
  2870. room which has a name. Defaults to &quot;[%(app)s] You have a message on %(app)s from %(person)s in the %(room)s room...&quot;</li>
  2871. <li><code>message_from_person</code>: Subject to use to notify about one message from one or more user(s) in a
  2872. room which doesn't have a name. Defaults to &quot;[%(app)s] You have a message on %(app)s from %(person)s...&quot;</li>
  2873. <li><code>messages_from_person</code>: Subject to use to notify about multiple messages from one or more users in
  2874. a room which doesn't have a name. Defaults to &quot;[%(app)s] You have messages on %(app)s from %(person)s...&quot;</li>
  2875. <li><code>messages_in_room</code>: Subject to use to notify about multiple messages in a room which has a
  2876. name. Defaults to &quot;[%(app)s] You have messages on %(app)s in the %(room)s room...&quot;</li>
  2877. <li><code>messages_in_room_and_others</code>: Subject to use to notify about multiple messages in multiple rooms.
  2878. Defaults to &quot;[%(app)s] You have messages on %(app)s in the %(room)s room and others...&quot;</li>
  2879. <li><code>messages_from_person_and_others</code>: Subject to use to notify about multiple messages from multiple persons in
  2880. multiple rooms. This is similar to the setting above except it's used when
  2881. the room in which the notification was triggered has no name. Defaults to
  2882. &quot;[%(app)s] You have messages on %(app)s from %(person)s and others...&quot;</li>
  2883. <li><code>invite_from_person_to_room</code>: Subject to use to notify about an invite to a room which has a name.
  2884. Defaults to &quot;[%(app)s] %(person)s has invited you to join the %(room)s room on %(app)s...&quot;</li>
  2885. <li><code>invite_from_person</code>: Subject to use to notify about an invite to a room which doesn't have a
  2886. name. Defaults to &quot;[%(app)s] %(person)s has invited you to chat on %(app)s...&quot;</li>
  2887. <li><code>password_reset</code>: Subject to use when sending a password reset email. Defaults to &quot;[%(server_name)s] Password reset&quot;</li>
  2888. <li><code>email_validation</code>: Subject to use when sending a verification email to assert an address's
  2889. ownership. Defaults to &quot;[%(server_name)s] Validate your email&quot;</li>
  2890. </ul>
  2891. </li>
  2892. </ul>
  2893. <p>Example configuration:</p>
  2894. <pre><code class="language-yaml">email:
  2895. smtp_host: mail.server
  2896. smtp_port: 587
  2897. smtp_user: &quot;exampleusername&quot;
  2898. smtp_pass: &quot;examplepassword&quot;
  2899. force_tls: true
  2900. require_transport_security: true
  2901. enable_tls: false
  2902. notif_from: &quot;Your Friendly %(app)s homeserver &lt;noreply@example.com&gt;&quot;
  2903. app_name: my_branded_matrix_server
  2904. enable_notifs: true
  2905. notif_for_new_users: false
  2906. client_base_url: &quot;http://localhost/riot&quot;
  2907. validation_token_lifetime: 15m
  2908. invite_client_location: https://app.element.io
  2909. subjects:
  2910. message_from_person_in_room: &quot;[%(app)s] You have a message on %(app)s from %(person)s in the %(room)s room...&quot;
  2911. message_from_person: &quot;[%(app)s] You have a message on %(app)s from %(person)s...&quot;
  2912. messages_from_person: &quot;[%(app)s] You have messages on %(app)s from %(person)s...&quot;
  2913. messages_in_room: &quot;[%(app)s] You have messages on %(app)s in the %(room)s room...&quot;
  2914. messages_in_room_and_others: &quot;[%(app)s] You have messages on %(app)s in the %(room)s room and others...&quot;
  2915. messages_from_person_and_others: &quot;[%(app)s] You have messages on %(app)s from %(person)s and others...&quot;
  2916. invite_from_person_to_room: &quot;[%(app)s] %(person)s has invited you to join the %(room)s room on %(app)s...&quot;
  2917. invite_from_person: &quot;[%(app)s] %(person)s has invited you to chat on %(app)s...&quot;
  2918. password_reset: &quot;[%(server_name)s] Password reset&quot;
  2919. email_validation: &quot;[%(server_name)s] Validate your email&quot;
  2920. </code></pre>
  2921. <hr />
  2922. <h2 id="push"><a class="header" href="#push">Push</a></h2>
  2923. <p>Configuration settings related to push notifications</p>
  2924. <hr />
  2925. <h3 id="push-1"><a class="header" href="#push-1"><code>push</code></a></h3>
  2926. <p>This setting defines options for push notifications.</p>
  2927. <p>This option has a number of sub-options. They are as follows:</p>
  2928. <ul>
  2929. <li><code>include_content</code>: Clients requesting push notifications can either have the body of
  2930. the message sent in the notification poke along with other details
  2931. like the sender, or just the event ID and room ID (<code>event_id_only</code>).
  2932. If clients choose the to have the body sent, this option controls whether the
  2933. notification request includes the content of the event (other details
  2934. like the sender are still included). If <code>event_id_only</code> is enabled, it
  2935. has no effect.
  2936. For modern android devices the notification content will still appear
  2937. because it is loaded by the app. iPhone, however will send a
  2938. notification saying only that a message arrived and who it came from.
  2939. Defaults to true. Set to false to only include the event ID and room ID in push notification payloads.</li>
  2940. <li><code>group_unread_count_by_room: false</code>: When a push notification is received, an unread count is also sent.
  2941. This number can either be calculated as the number of unread messages for the user, or the number of <em>rooms</em> the
  2942. user has unread messages in. Defaults to true, meaning push clients will see the number of
  2943. rooms with unread messages in them. Set to false to instead send the number
  2944. of unread messages.</li>
  2945. </ul>
  2946. <p>Example configuration:</p>
  2947. <pre><code class="language-yaml">push:
  2948. include_content: false
  2949. group_unread_count_by_room: false
  2950. </code></pre>
  2951. <hr />
  2952. <h2 id="rooms"><a class="header" href="#rooms">Rooms</a></h2>
  2953. <p>Config options relating to rooms.</p>
  2954. <hr />
  2955. <h3 id="encryption_enabled_by_default"><a class="header" href="#encryption_enabled_by_default"><code>encryption_enabled_by_default</code></a></h3>
  2956. <p>Controls whether locally-created rooms should be end-to-end encrypted by
  2957. default.</p>
  2958. <p>Possible options are &quot;all&quot;, &quot;invite&quot;, and &quot;off&quot;. They are defined as:</p>
  2959. <ul>
  2960. <li>&quot;all&quot;: any locally-created room</li>
  2961. <li>&quot;invite&quot;: any room created with the <code>private_chat</code> or <code>trusted_private_chat</code>
  2962. room creation presets</li>
  2963. <li>&quot;off&quot;: this option will take no effect</li>
  2964. </ul>
  2965. <p>The default value is &quot;off&quot;.</p>
  2966. <p>Note that this option will only affect rooms created after it is set. It
  2967. will also not affect rooms created by other servers.</p>
  2968. <p>Example configuration:</p>
  2969. <pre><code class="language-yaml">encryption_enabled_by_default_for_room_type: invite
  2970. </code></pre>
  2971. <hr />
  2972. <h3 id="user_directory"><a class="header" href="#user_directory"><code>user_directory</code></a></h3>
  2973. <p>This setting defines options related to the user directory.</p>
  2974. <p>This option has the following sub-options:</p>
  2975. <ul>
  2976. <li><code>enabled</code>: Defines whether users can search the user directory. If false then
  2977. empty responses are returned to all queries. Defaults to true.</li>
  2978. <li><code>search_all_users</code>: Defines whether to search all users visible to your HS when searching
  2979. the user directory. If false, search results will only contain users
  2980. visible in public rooms and users sharing a room with the requester.
  2981. Defaults to false.
  2982. NB. If you set this to true, and the last time the user_directory search
  2983. indexes were (re)built was before Synapse 1.44, you'll have to
  2984. rebuild the indexes in order to search through all known users.
  2985. These indexes are built the first time Synapse starts; admins can
  2986. manually trigger a rebuild via API following the instructions at
  2987. https://matrix-org.github.io/synapse/latest/usage/administration/admin_api/background_updates.html#run
  2988. Set to true to return search results containing all known users, even if that
  2989. user does not share a room with the requester.</li>
  2990. <li><code>prefer_local_users</code>: Defines whether to prefer local users in search query results.
  2991. If set to true, local users are more likely to appear above remote users when searching the
  2992. user directory. Defaults to false.</li>
  2993. </ul>
  2994. <p>Example configuration:</p>
  2995. <pre><code class="language-yaml">user_directory:
  2996. enabled: false
  2997. search_all_users: true
  2998. prefer_local_users: true
  2999. </code></pre>
  3000. <hr />
  3001. <h3 id="user_consent"><a class="header" href="#user_consent"><code>user_consent</code></a></h3>
  3002. <p>For detailed instructions on user consent configuration, see <a href="../../consent_tracking.html">here</a>.</p>
  3003. <p>Parts of this section are required if enabling the <code>consent</code> resource under
  3004. <a href="#listeners"><code>listeners</code></a>, in particular <code>template_dir</code> and <code>version</code>.</p>
  3005. <ul>
  3006. <li>
  3007. <p><code>template_dir</code>: gives the location of the templates for the HTML forms.
  3008. This directory should contain one subdirectory per language (eg, <code>en</code>, <code>fr</code>),
  3009. and each language directory should contain the policy document (named as
  3010. <version>.html) and a success page (success.html).</p>
  3011. </li>
  3012. <li>
  3013. <p><code>version</code>: specifies the 'current' version of the policy document. It defines
  3014. the version to be served by the consent resource if there is no 'v'
  3015. parameter.</p>
  3016. </li>
  3017. <li>
  3018. <p><code>server_notice_content</code>: if enabled, will send a user a &quot;Server Notice&quot;
  3019. asking them to consent to the privacy policy. The <a href="#server_notices"><code>server_notices</code> section</a>
  3020. must also be configured for this to work. Notices will <em>not</em> be sent to
  3021. guest users unless <code>send_server_notice_to_guests</code> is set to true.</p>
  3022. </li>
  3023. <li>
  3024. <p><code>block_events_error</code>, if set, will block any attempts to send events
  3025. until the user consents to the privacy policy. The value of the setting is
  3026. used as the text of the error.</p>
  3027. </li>
  3028. <li>
  3029. <p><code>require_at_registration</code>, if enabled, will add a step to the registration
  3030. process, similar to how captcha works. Users will be required to accept the
  3031. policy before their account is created.</p>
  3032. </li>
  3033. <li>
  3034. <p><code>policy_name</code> is the display name of the policy users will see when registering
  3035. for an account. Has no effect unless <code>require_at_registration</code> is enabled.
  3036. Defaults to &quot;Privacy Policy&quot;.</p>
  3037. </li>
  3038. </ul>
  3039. <p>Example configuration:</p>
  3040. <pre><code class="language-yaml">user_consent:
  3041. template_dir: res/templates/privacy
  3042. version: 1.0
  3043. server_notice_content:
  3044. msgtype: m.text
  3045. body: &gt;-
  3046. To continue using this homeserver you must review and agree to the
  3047. terms and conditions at %(consent_uri)s
  3048. send_server_notice_to_guests: true
  3049. block_events_error: &gt;-
  3050. To continue using this homeserver you must review and agree to the
  3051. terms and conditions at %(consent_uri)s
  3052. require_at_registration: false
  3053. policy_name: Privacy Policy
  3054. </code></pre>
  3055. <hr />
  3056. <h3 id="stats"><a class="header" href="#stats"><code>stats</code></a></h3>
  3057. <p>Settings for local room and user statistics collection. See <a href="../../room_and_user_statistics.html">here</a>
  3058. for more.</p>
  3059. <ul>
  3060. <li><code>enabled</code>: Set to false to disable room and user statistics. Note that doing
  3061. so may cause certain features (such as the room directory) not to work
  3062. correctly. Defaults to true.</li>
  3063. </ul>
  3064. <p>Example configuration:</p>
  3065. <pre><code class="language-yaml">stats:
  3066. enabled: false
  3067. </code></pre>
  3068. <hr />
  3069. <h3 id="server_notices"><a class="header" href="#server_notices"><code>server_notices</code></a></h3>
  3070. <p>Use this setting to enable a room which can be used to send notices
  3071. from the server to users. It is a special room which users cannot leave; notices
  3072. in the room come from a special &quot;notices&quot; user id.</p>
  3073. <p>If you use this setting, you <em>must</em> define the <code>system_mxid_localpart</code>
  3074. sub-setting, which defines the id of the user which will be used to send the
  3075. notices.</p>
  3076. <p>Sub-options for this setting include:</p>
  3077. <ul>
  3078. <li><code>system_mxid_display_name</code>: set the display name of the &quot;notices&quot; user</li>
  3079. <li><code>system_mxid_avatar_url</code>: set the avatar for the &quot;notices&quot; user</li>
  3080. <li><code>room_name</code>: set the room name of the server notices room</li>
  3081. </ul>
  3082. <p>Example configuration:</p>
  3083. <pre><code class="language-yaml">server_notices:
  3084. system_mxid_localpart: notices
  3085. system_mxid_display_name: &quot;Server Notices&quot;
  3086. system_mxid_avatar_url: &quot;mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ&quot;
  3087. room_name: &quot;Server Notices&quot;
  3088. </code></pre>
  3089. <hr />
  3090. <h3 id="enable_room_list_search"><a class="header" href="#enable_room_list_search"><code>enable_room_list_search</code></a></h3>
  3091. <p>Set to false to disable searching the public room list. When disabled
  3092. blocks searching local and remote room lists for local and remote
  3093. users by always returning an empty list for all queries. Defaults to true.</p>
  3094. <p>Example configuration:</p>
  3095. <pre><code class="language-yaml">enable_room_list_search: false
  3096. </code></pre>
  3097. <hr />
  3098. <h3 id="alias_creation"><a class="header" href="#alias_creation"><code>alias_creation</code></a></h3>
  3099. <p>The <code>alias_creation</code> option controls who is allowed to create aliases
  3100. on this server.</p>
  3101. <p>The format of this option is a list of rules that contain globs that
  3102. match against user_id, room_id and the new alias (fully qualified with
  3103. server name). The action in the first rule that matches is taken,
  3104. which can currently either be &quot;allow&quot; or &quot;deny&quot;.</p>
  3105. <p>Missing user_id/room_id/alias fields default to &quot;*&quot;.</p>
  3106. <p>If no rules match the request is denied. An empty list means no one
  3107. can create aliases.</p>
  3108. <p>Options for the rules include:</p>
  3109. <ul>
  3110. <li><code>user_id</code>: Matches against the creator of the alias. Defaults to &quot;*&quot;.</li>
  3111. <li><code>alias</code>: Matches against the alias being created. Defaults to &quot;*&quot;.</li>
  3112. <li><code>room_id</code>: Matches against the room ID the alias is being pointed at. Defaults to &quot;*&quot;</li>
  3113. <li><code>action</code>: Whether to &quot;allow&quot; or &quot;deny&quot; the request if the rule matches. Defaults to allow.</li>
  3114. </ul>
  3115. <p>Example configuration:</p>
  3116. <pre><code class="language-yaml">alias_creation_rules:
  3117. - user_id: &quot;bad_user&quot;
  3118. alias: &quot;spammy_alias&quot;
  3119. room_id: &quot;*&quot;
  3120. action: deny
  3121. </code></pre>
  3122. <hr />
  3123. <h3 id="room_list_publication_rules"><a class="header" href="#room_list_publication_rules"><code>room_list_publication_rules</code></a></h3>
  3124. <p>The <code>room_list_publication_rules</code> option controls who can publish and
  3125. which rooms can be published in the public room list.</p>
  3126. <p>The format of this option is the same as that for
  3127. <code>alias_creation_rules</code>.</p>
  3128. <p>If the room has one or more aliases associated with it, only one of
  3129. the aliases needs to match the alias rule. If there are no aliases
  3130. then only rules with <code>alias: *</code> match.</p>
  3131. <p>If no rules match the request is denied. An empty list means no one
  3132. can publish rooms.</p>
  3133. <p>Options for the rules include:</p>
  3134. <ul>
  3135. <li><code>user_id</code>: Matches against the creator of the alias. Defaults to &quot;*&quot;.</li>
  3136. <li><code>alias</code>: Matches against any current local or canonical aliases associated with the room. Defaults to &quot;*&quot;.</li>
  3137. <li><code>room_id</code>: Matches against the room ID being published. Defaults to &quot;*&quot;.</li>
  3138. <li><code>action</code>: Whether to &quot;allow&quot; or &quot;deny&quot; the request if the rule matches. Defaults to allow.</li>
  3139. </ul>
  3140. <p>Example configuration:</p>
  3141. <pre><code class="language-yaml">room_list_publication_rules:
  3142. - user_id: &quot;*&quot;
  3143. alias: &quot;*&quot;
  3144. room_id: &quot;*&quot;
  3145. action: allow
  3146. </code></pre>
  3147. <hr />
  3148. <h3 id="default_power_level_content_override"><a class="header" href="#default_power_level_content_override"><code>default_power_level_content_override</code></a></h3>
  3149. <p>The <code>default_power_level_content_override</code> option controls the default power
  3150. levels for rooms.</p>
  3151. <p>Useful if you know that your users need special permissions in rooms
  3152. that they create (e.g. to send particular types of state events without
  3153. needing an elevated power level). This takes the same shape as the
  3154. <code>power_level_content_override</code> parameter in the /createRoom API, but
  3155. is applied before that parameter.</p>
  3156. <p>Note that each key provided inside a preset (for example <code>events</code> in the example
  3157. below) will overwrite all existing defaults inside that key. So in the example
  3158. below, newly-created private_chat rooms will have no rules for any event types
  3159. except <code>com.example.foo</code>.</p>
  3160. <p>Example configuration:</p>
  3161. <pre><code class="language-yaml">default_power_level_content_override:
  3162. private_chat: { &quot;events&quot;: { &quot;com.example.foo&quot; : 0 } }
  3163. trusted_private_chat: null
  3164. public_chat: null
  3165. </code></pre>
  3166. <hr />
  3167. <h2 id="opentracing"><a class="header" href="#opentracing">Opentracing</a></h2>
  3168. <p>Configuration options related to Opentracing support.</p>
  3169. <hr />
  3170. <h3 id="opentracing-1"><a class="header" href="#opentracing-1"><code>opentracing</code></a></h3>
  3171. <p>These settings enable and configure opentracing, which implements distributed tracing.
  3172. This allows you to observe the causal chains of events across servers
  3173. including requests, key lookups etc., across any server running
  3174. synapse or any other services which support opentracing
  3175. (specifically those implemented with Jaeger).</p>
  3176. <p>Sub-options include:</p>
  3177. <ul>
  3178. <li><code>enabled</code>: whether tracing is enabled. Set to true to enable. Disabled by default.</li>
  3179. <li><code>homeserver_whitelist</code>: The list of homeservers we wish to send and receive span contexts and span baggage.
  3180. See <a href="../../opentracing.html">here</a> for more.
  3181. This is a list of regexes which are matched against the <code>server_name</code> of the homeserver.
  3182. By default, it is empty, so no servers are matched.</li>
  3183. <li><code>force_tracing_for_users</code>: # A list of the matrix IDs of users whose requests will always be traced,
  3184. even if the tracing system would otherwise drop the traces due to probabilistic sampling.
  3185. By default, the list is empty.</li>
  3186. <li><code>jaeger_config</code>: Jaeger can be configured to sample traces at different rates.
  3187. All configuration options provided by Jaeger can be set here. Jaeger's configuration is
  3188. mostly related to trace sampling which is documented <a href="https://www.jaegertracing.io/docs/latest/sampling/">here</a>.</li>
  3189. </ul>
  3190. <p>Example configuration:</p>
  3191. <pre><code class="language-yaml">opentracing:
  3192. enabled: true
  3193. homeserver_whitelist:
  3194. - &quot;.*&quot;
  3195. force_tracing_for_users:
  3196. - &quot;@user1:server_name&quot;
  3197. - &quot;@user2:server_name&quot;
  3198. jaeger_config:
  3199. sampler:
  3200. type: const
  3201. param: 1
  3202. logging:
  3203. false
  3204. </code></pre>
  3205. <hr />
  3206. <h2 id="workers"><a class="header" href="#workers">Workers</a></h2>
  3207. <p>Configuration options related to workers.</p>
  3208. <hr />
  3209. <h3 id="send_federation"><a class="header" href="#send_federation"><code>send_federation</code></a></h3>
  3210. <p>Controls sending of outbound federation transactions on the main process.
  3211. Set to false if using a federation sender worker. Defaults to true.</p>
  3212. <p>Example configuration:</p>
  3213. <pre><code class="language-yaml">send_federation: false
  3214. </code></pre>
  3215. <hr />
  3216. <h3 id="federation_sender_instances"><a class="header" href="#federation_sender_instances"><code>federation_sender_instances</code></a></h3>
  3217. <p>It is possible to run multiple federation sender workers, in which case the
  3218. work is balanced across them. Use this setting to list the senders.</p>
  3219. <p>This configuration setting must be shared between all federation sender workers, and if
  3220. changed all federation sender workers must be stopped at the same time and then
  3221. started, to ensure that all instances are running with the same config (otherwise
  3222. events may be dropped).</p>
  3223. <p>Example configuration:</p>
  3224. <pre><code class="language-yaml">federation_sender_instances:
  3225. - federation_sender1
  3226. </code></pre>
  3227. <hr />
  3228. <h3 id="instance_map"><a class="header" href="#instance_map"><code>instance_map</code></a></h3>
  3229. <p>When using workers this should be a map from worker name to the
  3230. HTTP replication listener of the worker, if configured.</p>
  3231. <p>Example configuration:</p>
  3232. <pre><code class="language-yaml">instance_map:
  3233. worker1:
  3234. host: localhost
  3235. port: 8034
  3236. </code></pre>
  3237. <hr />
  3238. <h3 id="stream_writers"><a class="header" href="#stream_writers"><code>stream_writers</code></a></h3>
  3239. <p>Experimental: When using workers you can define which workers should
  3240. handle event persistence and typing notifications. Any worker
  3241. specified here must also be in the <code>instance_map</code>.</p>
  3242. <p>Example configuration:</p>
  3243. <pre><code class="language-yaml">stream_writers:
  3244. events: worker1
  3245. typing: worker1
  3246. </code></pre>
  3247. <hr />
  3248. <h3 id="run_background_tasks_on"><a class="header" href="#run_background_tasks_on"><code>run_background_tasks_on</code></a></h3>
  3249. <p>The worker that is used to run background tasks (e.g. cleaning up expired
  3250. data). If not provided this defaults to the main process.</p>
  3251. <p>Example configuration:</p>
  3252. <pre><code class="language-yaml">run_background_tasks_on: worker1
  3253. </code></pre>
  3254. <hr />
  3255. <h3 id="worker_replication_secret"><a class="header" href="#worker_replication_secret"><code>worker_replication_secret</code></a></h3>
  3256. <p>A shared secret used by the replication APIs to authenticate HTTP requests
  3257. from workers.</p>
  3258. <p>By default this is unused and traffic is not authenticated.</p>
  3259. <p>Example configuration:</p>
  3260. <pre><code class="language-yaml">worker_replication_secret: &quot;secret_secret&quot;
  3261. </code></pre>
  3262. <h3 id="redis"><a class="header" href="#redis"><code>redis</code></a></h3>
  3263. <p>Configuration for Redis when using workers. This <em>must</em> be enabled when
  3264. using workers (unless using old style direct TCP configuration).
  3265. This setting has the following sub-options:</p>
  3266. <ul>
  3267. <li><code>enabled</code>: whether to use Redis support. Defaults to false.</li>
  3268. <li><code>host</code> and <code>port</code>: Optional host and port to use to connect to redis. Defaults to
  3269. localhost and 6379</li>
  3270. <li><code>password</code>: Optional password if configured on the Redis instance.</li>
  3271. </ul>
  3272. <p>Example configuration:</p>
  3273. <pre><code class="language-yaml">redis:
  3274. enabled: true
  3275. host: localhost
  3276. port: 6379
  3277. password: &lt;secret_password&gt;
  3278. </code></pre>
  3279. <h2 id="background-updates"><a class="header" href="#background-updates">Background Updates</a></h2>
  3280. <p>Configuration settings related to background updates.</p>
  3281. <hr />
  3282. <h3 id="background_updates"><a class="header" href="#background_updates"><code>background_updates</code></a></h3>
  3283. <p>Background updates are database updates that are run in the background in batches.
  3284. The duration, minimum batch size, default batch size, whether to sleep between batches and if so, how long to
  3285. sleep can all be configured. This is helpful to speed up or slow down the updates.
  3286. This setting has the following sub-options:</p>
  3287. <ul>
  3288. <li><code>background_update_duration_ms</code>: How long in milliseconds to run a batch of background updates for. Defaults to 100.
  3289. Set a different time to change the default.</li>
  3290. <li><code>sleep_enabled</code>: Whether to sleep between updates. Defaults to true. Set to false to change the default.</li>
  3291. <li><code>sleep_duration_ms</code>: If sleeping between updates, how long in milliseconds to sleep for. Defaults to 1000.
  3292. Set a duration to change the default.</li>
  3293. <li><code>min_batch_size</code>: Minimum size a batch of background updates can be. Must be greater than 0. Defaults to 1.
  3294. Set a size to change the default.</li>
  3295. <li><code>default_batch_size</code>: The batch size to use for the first iteration of a new background update. The default is 100.
  3296. Set a size to change the default.</li>
  3297. </ul>
  3298. <p>Example configuration:</p>
  3299. <pre><code class="language-yaml">background_updates:
  3300. background_update_duration_ms: 500
  3301. sleep_enabled: false
  3302. sleep_duration_ms: 300
  3303. min_batch_size: 10
  3304. default_batch_size: 50
  3305. </code></pre>
  3306. </main>
  3307. <nav class="nav-wrapper" aria-label="Page navigation">
  3308. <!-- Mobile navigation buttons -->
  3309. <a rel="prev" href="../../usage/configuration/index.html" class="mobile-nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
  3310. <i class="fa fa-angle-left"></i>
  3311. </a>
  3312. <a rel="next" href="../../usage/configuration/homeserver_sample_config.html" class="mobile-nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
  3313. <i class="fa fa-angle-right"></i>
  3314. </a>
  3315. <div style="clear: both"></div>
  3316. </nav>
  3317. </div>
  3318. </div>
  3319. <nav class="nav-wide-wrapper" aria-label="Page navigation">
  3320. <a rel="prev" href="../../usage/configuration/index.html" class="nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
  3321. <i class="fa fa-angle-left"></i>
  3322. </a>
  3323. <a rel="next" href="../../usage/configuration/homeserver_sample_config.html" class="nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
  3324. <i class="fa fa-angle-right"></i>
  3325. </a>
  3326. </nav>
  3327. </div>
  3328. <script type="text/javascript">
  3329. window.playground_copyable = true;
  3330. </script>
  3331. <script src="../../elasticlunr.min.js" type="text/javascript" charset="utf-8"></script>
  3332. <script src="../../mark.min.js" type="text/javascript" charset="utf-8"></script>
  3333. <script src="../../searcher.js" type="text/javascript" charset="utf-8"></script>
  3334. <script src="../../clipboard.min.js" type="text/javascript" charset="utf-8"></script>
  3335. <script src="../../highlight.js" type="text/javascript" charset="utf-8"></script>
  3336. <script src="../../book.js" type="text/javascript" charset="utf-8"></script>
  3337. <!-- Custom JS scripts -->
  3338. <script type="text/javascript" src="../../docs/website_files/table-of-contents.js"></script>
  3339. <script type="text/javascript" src="../../docs/website_files/version-picker.js"></script>
  3340. <script type="text/javascript" src="../../docs/website_files/version.js"></script>
  3341. </body>
  3342. </html>