Homeserver administration
Draupnir offers capabilities for homeserver admins that are particularly relevant when registration on a homeserver is open or public:
- Room management: Draupnir can provide insight into the Matrix rooms your server is participating in and allow them to be blocked and taken down.
  - See the Room takedown protection.
- Invitation management: Draupnir can block invitations from users, servers, or rooms, and reject invitations sent on behalf of your users that were sent from taken-down rooms.
- Report forwarding and review: Draupnir can be used to view reports submitted by users on your homeserver.
- User management: Accounts can be deactivated using the `!draupnir deactivate` command.

These features may require either a Synapse admin account or synapse-http-antispam to be available to Draupnir.
Enabling readable abuse reports
Draupnir can replace the Matrix endpoint used to report abuse and display the reports in a room, instead of requiring you to request this data from an admin API.
This requires two configuration steps:
- In your Draupnir configuration file, typically `/etc/draupnir/config/production.yaml`, copy and paste the `web` section from `default.yaml`, if you don't have it yet (it appears with version 1.20), and set `enabled: true` for both `web` and `abuseReporting`.
- Set up a reverse proxy that will redirect requests from `^/_matrix/client/(r0|v3)/rooms/([^/]*)/report/(.*)$` to `http://host:port/api/1/report/$2/$3`, where `host` is the host where you run Draupnir, and `port` is the port you configured in `production.yaml`. For an example nginx configuration, see `test/nginx.conf`. It's the configuration we use during runtime testing.
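A minimal nginx `location` block for the redirect described in the second step, added here as an example; it is not the project's `test/nginx.conf`. The upstream address `127.0.0.1:8082` is a placeholder for the host and port of Draupnir's web listener.

```nginx
# Added example: place inside the server block that already fronts the
# homeserver's client API. 127.0.0.1:8082 is a placeholder; use the host
# and port of Draupnir's web listener as configured in production.yaml.
#
# nginx prefers a matching regex location over a plain prefix location such
# as "location /_matrix", but NOT over one declared with the "^~" modifier.
# If the homeserver's location uses "^~", this block is never consulted and
# reports keep going to the homeserver.
location ~ ^/_matrix/client/(r0|v3)/rooms/([^/]*)/report/(.*)$ {
    # Copy the captures into named variables before use, so that a later
    # regex evaluation cannot overwrite $2 and $3.
    set $room_id  $2;   # room the report was filed from
    set $event_id $3;   # event being reported

    # With variables in proxy_pass, nginx sends exactly this URI upstream.
    # Client request headers are forwarded unchanged by default.
    proxy_pass http://127.0.0.1:8082/api/1/report/$room_id/$event_id;
}
```

Proxying to a loopback address fits the advice in the security note below that the web server should only receive requests from the reverse proxy.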
Security note
This mechanism can extract some information from unencrypted rooms. We have taken precautions to ensure that this cannot be abused: the only case in which this feature will publish information from room foo is:
- If it is used by a member of room foo; AND
- If said member did witness the event; AND
- If the event was unencrypted; AND
- If the event was not redacted/removed/...
Essentially, this is a more restricted variant of the Admin APIs available on homeservers.
However, if you are uncomfortable with this, please do not activate this feature. Also, you should probably set up your `production.yaml` to ensure that the web server can only receive requests from your reverse proxy (e.g. `localhost`).