Ungleich Matrix-as-a-Service (MaaS) » History » Revision 27

Sanghee Kim, 08/24/2020 08:43 PM


Ungleich Matrix-as-a-Service (MaaS)

This document concerns end-users/customers. See the ungleich Matrix infrastructure page for server-side documentation.

Status

This document is in PRODUCTION

Overview

Matrix is an open and decentralized IM system supporting modern features such as end-to-end encryption, message history, bridging to other networks, VoIP and more. It is based on a federated structure, similar to how email works: users use a home server as a 'gateway' to the network. Our MaaS offer provides you with such a server as well as a hosted web client, Riot.

Riot's features page (https://about.riot.im/features) gives you a good overview of Matrix's possibilities.

Domain

Q: What server name will I get?

You can either use your own domain name (see below) or ask us for $ORGANIZATION.0co2.cloud.

Q: Can I use a custom domain name?

Yes! You will have to give us three domain names:

  • a) the homeserver: this is where the actual server is running. This can be on domain "A"; in the case of ungleich we use ungleich.matrix.ungleich.cloud, and we give away YOURNAME.matrix.ungleich.cloud for free.
  • b) the address of the web client: this is where people go with their web browser. This should be different from "A". Often this is something like chat.example.org or matrix.example.org. In the case of ungleich this domain is matrix.ungleich.ch.
  • c) the main matrix domain: the one you use for users and rooms. This is usually your main domain and is different from "A". For ungleich this is ungleich.ch. Most people will choose their "main domain", for instance example.org here.

You will also need to configure two files below the main matrix domain:

- /.well-known/matrix/server containing {"m.server": "homeserver:443"}. Example:

$ curl https://ungleich.ch/.well-known/matrix/server
{"m.server": "ungleich.matrix.ungleich.cloud:443"}

- /.well-known/matrix/client containing { "m.homeserver": { "base_url": "https://homeserver" } }. Example:

$ curl https://ungleich.ch/.well-known/matrix/client
{ "m.homeserver": { "base_url": "https://ungleich.matrix.ungleich.cloud" } }
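The following script is an added example, not part of this page or of ungleich's tooling. It parses the two delegation documents described above from JSON bodies supplied inline (the sample bodies are constructed from the ungleich.ch values shown) and checks the rules this page states: both files must point at the same homeserver, and the homeserver must not share a domain with the main matrix domain or the web client domain. The function names and the finding texts are this example's own; the 8448 default port is the Matrix federation default used when "m.server" carries no port.

```python
"""Offline validator for Matrix delegation files (added example, not ungleich's code)."""
import json
from typing import List, Tuple
from urllib.parse import urlsplit

# Matrix federation default used when "m.server" carries no explicit port.
DEFAULT_FEDERATION_PORT = 8448

# Constructed sample bodies, copied from the values the FAQ shows for ungleich.ch.
SERVER_WELLKNOWN = '{"m.server": "ungleich.matrix.ungleich.cloud:443"}'
CLIENT_WELLKNOWN = '{ "m.homeserver": { "base_url": "https://ungleich.matrix.ungleich.cloud" } }'


def parse_server_wellknown(body: str) -> Tuple[str, int]:
    """Return (host, port) from a /.well-known/matrix/server document."""
    value = json.loads(body).get("m.server")
    if not isinstance(value, str) or not value:
        raise ValueError('"m.server" must be a non-empty string')
    # Hostnames only; IPv6 literals are not handled by this simple split.
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return value, DEFAULT_FEDERATION_PORT


def parse_client_wellknown(body: str) -> str:
    """Return the homeserver base_url from a /.well-known/matrix/client document."""
    base_url = json.loads(body).get("m.homeserver", {}).get("base_url")
    if not isinstance(base_url, str):
        raise ValueError('"m.homeserver"."base_url" must be a string')
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("base_url must be an https URL with a hostname")
    return base_url


def check_delegation(main_domain: str, web_client_domain: str,
                     server_body: str, client_body: str) -> List[str]:
    """Return human-readable findings; an empty list means the setup follows the FAQ."""
    findings: List[str] = []
    federation_host, _port = parse_server_wellknown(server_body)
    client_host = urlsplit(parse_client_wellknown(client_body)).hostname or ""
    if federation_host.lower() != client_host.lower():
        findings.append(
            f"server file points at {federation_host} but client file points at {client_host}")
    # The FAQ's rule: the homeserver lives on its own domain so that content it serves
    # never runs in the origin of the web client or of the main domain (XSS).
    for label, domain in (("main Matrix domain", main_domain),
                          ("web client domain", web_client_domain)):
        if federation_host.lower() == domain.lower():
            findings.append(
                f"homeserver {federation_host} is the same as the {label}; use a separate domain")
    return findings


if __name__ == "__main__":
    print(parse_server_wellknown(SERVER_WELLKNOWN))
    print(check_delegation("ungleich.ch", "matrix.ungleich.ch",
                           SERVER_WELLKNOWN, CLIENT_WELLKNOWN))
```

To check a live setup, fetch the two files with curl as shown above and pass the response bodies to check_delegation together with your main and web client domains.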

Q: Can I change the subdomain after the Matrix setup?

No, since your homeserver will federate with the broader network.

Q: Why can't I use the same domain for everything?

The home server should be on a different domain to prevent possible XSS (cross site scripting) attacks.
You can find details about it on https://github.com/matrix-org/synapse#security-note.

For this reason we offer YOURNAME.matrix.ungleich.cloud for free for all homeservers.

Q: How many domains do I need for a standard matrix setup?

Typically 3 domain names are used:

  • The domain that defines your room and user names (for ungleich this is ungleich.ch)
  • The domain that your users type in the web browser to join the chat (for ungleich this is matrix.ungleich.ch)
  • The domain on which your homeserver (the server providing the matrix server) is reachable (for ungleich this is ungleich.matrix.ungleich.cloud)

The homeserver needs to be on a different domain than the other two to avoid possible XSS attacks.

Registration

Q: What kind of registration policy could be implemented for a matrix instance?

You can easily:

- Close registrations, create users by hand from the admin UI.
- Let anyone register.
- Filter registrations on email pattern (e.g. anyone with a @ungleich.ch email address can register).
- Use an external source for authentication (e.g. company directory / account system).
- Use a token based registration (https://matrix.org/docs/projects/other/matrix-registration)

If your use case is in the above list, you can get in touch with our team to find a fitting solution.

Q: We would like to be able to moderate registration requests. For example, we'll have a list of approved emails to reference against those submitted. Would this be possible?

There is no 'approval' system in matrix/synapse right now. Either:

- Everyone can register.
- You register new users via the admin interface.
- Approval is handled on a third-party service, which provides an authentication backend to matrix/synapse.
- We filter on registration details: if you have a list of emails, we should be able to allow only those emails to register (this is hardcoded configuration in the matrix homeserver, so editing the list will require an intervention on the ungleich side).
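The email filtering described in the two answers above (any address at a given domain, or a fixed list of approved addresses) boils down to one anchored regular expression. The script below is an added example, not ungleich's configuration: it builds that pattern from an allowed-domain list and an allowed-address list, evaluates candidate addresses against it, and shows the gap an unanchored pattern leaves. The last helper renders the pattern as a Synapse allowed_local_3pids entry; that this is the option behind the "hardcoded config" mentioned above is an assumption of this example.

```python
"""Email-pattern registration filter (added example, not ungleich's code)."""
import re
from typing import Iterable


def build_registration_pattern(allowed_domains: Iterable[str] = (),
                               allowed_addresses: Iterable[str] = ()) -> str:
    """Build one anchored regex accepting any address at the given domains or in the list."""
    alternatives = [rf"[^@\s]+@{re.escape(domain)}" for domain in allowed_domains]
    alternatives += [re.escape(address) for address in allowed_addresses]
    if not alternatives:
        raise ValueError("at least one allowed domain or address is required")
    # Anchored on both ends: a pattern anchored only at the start would still accept
    # "alice@ungleich.ch.example", because it begins with an allowed address.
    return r"^(?:" + "|".join(alternatives) + r")$"


def registration_allowed(email: str, pattern: str) -> bool:
    """Decide as a start-anchored matcher (re.match) would; the pattern's $ does the rest."""
    return re.match(pattern, email.strip(), re.IGNORECASE) is not None


def unanchored_pattern_accepts(email: str, domain: str) -> bool:
    """Show the gap of an unanchored domain pattern: trailing text after the domain passes."""
    return re.match(rf"[^@\s]+@{re.escape(domain)}", email) is not None


def allowed_local_3pids_yaml(pattern: str) -> str:
    """Render the pattern as a Synapse allowed_local_3pids entry (assumed option name)."""
    quoted = pattern.replace("'", "''")
    return f"allowed_local_3pids:\n  - medium: email\n    pattern: '{quoted}'\n"


if __name__ == "__main__":
    # Constructed sample policy: the whole ungleich.ch domain plus one partner address.
    policy = build_registration_pattern(["ungleich.ch"], ["partner@example.org"])
    for candidate in ("alice@ungleich.ch", "partner@example.org",
                      "alice@ungleich.ch.example", "bob@example.org"):
        print(candidate, registration_allowed(candidate, policy))
    print(allowed_local_3pids_yaml(policy))
```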

Encryption

Q: Are video/audio calls in Matrix End-to-end-encrypted(E2EE)?

Video and audio calls are handled by a Jitsi server by default: Matrix adds it as an integration but does not handle video/audio directly. So the answer is: audio/video is not E2EE.

Q: Does ungleich have access to my Matrix admin UI? How does my chat content stay secure?

Once you change the initial password we no longer have external access to the software, but we do have access to the underlying server since we manage it: we can read and change things in the database 'by hand' since we have physical access to it. End-to-end encrypted rooms nevertheless stay secure: the content is encrypted with the users' keys, and to us it is only visible as ciphertext.

FAQ

Q: How many users can I have? What are the resources allocated to my matrix server?

We do not enforce a limit on the number of users: you can do anything you want as long as you fit within the resources allocated to your homeserver. You are provided with 1GB of memory, 1vCPU and 20GB of storage with the base offer, which can be extended on demand (pricing is the same as for ipv6onlyhosting VMs, since that is what we use underneath).

Q: What server implementation and version do you use?

We use the synapse reference homeserver package provided by the buster-backports repository.

Q: What client can I use? Do you recommend one?

We recommend and provide you with a web version of the Riot client (desktop and mobile), but you can use any Matrix client.

Q: Can I set option X in synapse/riot?

Yes! Contact the ungleich support with the requested changes, which we will apply to the deployment configuration of your instance.

Q: Do you provide a TURN server for VoIP?

Yes.

Q: What application services can I use?

We support bridging to other services (IRC, Matrix, Telegram, Slack, ...) via matterbridge, deployed on demand.

Q: If I do not use an LDAP directory, can I still manage my users?

Yes! We provide you with a management UI on https://admin.matrix.ungleich.cloud. You will have to use the full address of your matrix homeserver (e.g. ungleich.matrix.ungleich.cloud).

Q: How can I delete rooms in Matrix?

To delete a room, everybody in the room needs to leave it. Then the room gets removed from the server. If you are an admin, you can kick everybody in the room to force its removal.

Updated by Sanghee Kim over 3 years ago · 27 revisions