# Self-host Matrix to bypass EU Chat Control scanning

> Walkthrough for self-hosting a Matrix homeserver behind Caddy on a non-EU VPS to defeat mass Chat Control scanning while keeping encryption keys on-device.

Published: 2026-07-02
URL: https://daniliants.com/insights/self-host-matrix-to-bypass-eu-chat-control-scanning/
Tags: self-hosting, privacy, encryption, docker

---

## Summary

A short walkthrough for self-hosting a private, end-to-end-encrypted chat server as a hedge against the EU's proposed Chat Control message-scanning legislation. The stack: a cheap VPS abroad, a reverse proxy with logging disabled, a lightweight Matrix homeserver, and the Element client, so encryption keys never leave the user's device and there's no central provider to compel into scanning.

## Key Insight

- The core argument: mass client-side or server-side scanning only works against centralized platforms (WhatsApp, Signal's infrastructure, etc.) where a single company can be legally compelled to comply. Self-hosting removes that single point of leverage.
- Suggested stack, two Docker containers behind one VPS:
  - **Reverse proxy** (transcript says "Keddy", almost certainly a mis-transcription of Caddy, the popular auto-HTTPS reverse proxy) configured to discard visitor IP logs immediately, so the host operator has nothing to hand over even if compelled.
  - **Conduit**, a lightweight Matrix homeserver written in Rust, handles routing of encrypted messages but never holds the encryption keys.
  - **Element** is the client app users install; it just points at the custom domain.
- VPS jurisdiction matters: the suggestion is a KVM VPS with a dedicated public IP hosted in Switzerland or Iceland, both outside EU jurisdiction and with stronger privacy law traditions than most EU states.
- Honest limitation acknowledged: this defeats *mass, passive* scanning, not *targeted* surveillance. A state actor with tools like Pegasus can still compromise an individual's physical device, self-hosting raises the cost of surveillance from "scan everyone automatically" to "actively target one person," it doesn't make anyone unhackable.
- Underlying point about trust: relying on any single corporation (WhatsApp, Signal Foundation, etc.) to protect user privacy is fragile by design, that trust can be legislated away in a way self-owned infrastructure resists.