diff --git a/CHANGELOG.md b/CHANGELOG.md index 19df1b28..e6dedf38 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,15 @@ +# 2019-11-10 + +## Tightened security around room directory publishing + +As per this [advisory blog post](https://matrix.org/blog/2019/11/09/avoiding-unwelcome-visitors-on-private-matrix-servers), we've decided to change the default publishing rules for the Matrix room directory. + +Our general goal is to favor privacy and security when running personal (family & friends) and corporate homeservers. +Both of these likely benefit from having a more secure default of **not showing the room directory without authentication** and **not publishing the room directory over federation**. + +As with anything else, these new defaults can be overriden by changing the `matrix_synapse_allow_public_rooms_without_auth` and `matrix_synapse_allow_public_rooms_over_federation` variables, respectively. + + # 2019-10-05 ## Improved Postgres upgrading/importing diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index f1b453f3..7651bf64 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -136,6 +136,15 @@ matrix_synapse_report_stats: false # disabling this will decrease server load significantly. matrix_synapse_use_presence: true +# Controls whether accessing the server's public rooms directory can be done without authentication. +# For private servers, you most likely wish to require authentication, +# unless you know what list of rooms you're publishing to the world and explicitly want to do it. +matrix_synapse_allow_public_rooms_without_auth: false + +# Controls whether remote servers can fetch this server's public rooms directory via federation. +# For private servers, you most likely wish to forbid it. +matrix_synapse_allow_public_rooms_over_federation: false + # Controls whether people with access to the homeserver can register by themselves. matrix_synapse_enable_registration: false diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 9d8da346..d7adb26a 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -48,12 +48,12 @@ use_presence: {{ matrix_synapse_use_presence|to_json }} # If set to 'false', requires authentication to access the server's public rooms # directory through the client API. Defaults to 'true'. # -#allow_public_rooms_without_auth: false +allow_public_rooms_without_auth: {{ matrix_synapse_allow_public_rooms_without_auth|to_json }} # If set to 'false', forbids any other homeserver to fetch the server's public # rooms directory via federation. Defaults to 'true'. # -#allow_public_rooms_over_federation: false +allow_public_rooms_over_federation: {{ matrix_synapse_allow_public_rooms_over_federation|to_json }} # The default room version for newly created rooms. #