Security hardening: Caddy admin API, Synapse admin endpoint, public room settings

- Caddy admin API: bind to localhost:2019 instead of 0.0.0.0:2019 (local + production)
- Production Caddyfile: block /_synapse/admin* with 403 (not needed publicly)
- homeserver.yaml: explicitly set allow_public_rooms_without_auth/over_federation to false

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
wmair
2026-03-24 09:10:36 +01:00
parent 74b0a3ecb9
commit 88806d12fb
2 changed files with 20 additions and 4 deletions
+16 -4
@@ -980,6 +980,10 @@ sed -i '/^# Experimental features$/d' synapse/data/homeserver.yaml
sed -i '/^# Enable registration/d' synapse/data/homeserver.yaml
sed -i '/^enable_registration:/d' synapse/data/homeserver.yaml
# Remove old public room settings if present (re-added explicitly below)
sed -i '/^allow_public_rooms_without_auth:/d' synapse/data/homeserver.yaml
sed -i '/^allow_public_rooms_over_federation:/d' synapse/data/homeserver.yaml
# Remove old double-puppeting appservice registration if present (prevents duplication on re-run)
sed -i '/^# Double-puppeting appservice/d' synapse/data/homeserver.yaml
sed -i '/^app_service_config_files:/,/^[^ ]/{ /^app_service_config_files:/d; /^[^ ]/!d }' synapse/data/homeserver.yaml
@@ -1006,6 +1010,9 @@ database:
# Enable registration (disabled when using MAS/OAuth delegation)
enable_registration: false
allow_guest_access: false
allow_public_rooms_without_auth: false
allow_public_rooms_over_federation: false
# MAS Integration (Synapse 1.136+ stable config — replaces deprecated experimental_features.msc3861)
matrix_authentication_service:
@@ -1081,8 +1088,8 @@ if [[ "$DEPLOYMENT_MODE" == "local" ]]; then
{
# Use local CA for self-signed certificates
local_certs
# Enable admin API
admin 0.0.0.0:2019
# Enable admin API (localhost only)
admin localhost:2019
}
CADDYEOF
@@ -1560,8 +1567,8 @@ if [[ "$DEPLOYMENT_MODE" == "production" ]]; then
{
email ${LETSENCRYPT_EMAIL}
# Enable admin API (restrict access in firewall)
admin 0.0.0.0:2019
# Enable admin API (localhost only)
admin localhost:2019
}
# =========================
@@ -1634,6 +1641,11 @@ ${MATRIX_DOMAIN} {
}
}
# Block public access to Synapse admin API
handle /_synapse/admin* {
respond "Forbidden" 403
}
handle {
reverse_proxy ${MATRIX_SERVER_IP}:8008
}
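Review bot: The new `handle /_synapse/admin*` block in the production Caddyfile only covers the `/_synapse/admin` prefix, but Synapse still serves at least one admin endpoint under the legacy client path (`/_matrix/client/{r0,v3}/admin/whois/...` in current releases — verify against the deployed version), so an admin-token holder can still reach admin functionality through the public vhost. Consider a named matcher covering both prefixes, `@synapse_admin path /_synapse/admin* /_matrix/client/*/admin/*` followed by `handle @synapse_admin {`, with the same `respond "Forbidden" 403`. The 403 is only defense in depth while `${MATRIX_SERVER_IP}:8008` itself is unreachable from outside; if that port is exposed on the network the block is bypassed entirely, and it is also absent from the local-mode Caddyfile generated earlier in this script (hunk at line 1088 changes only the admin bind there). Note too that the 403 now also stops shared-secret registration via `/_synapse/admin/v1/register` through the public hostname, so any `register_new_matrix_user`-style tooling has to target Synapse directly; a one-line comment saying so above the `handle` block would save the next operator a debugging session. The enclosing `${MATRIX_DOMAIN} {` site block starts and ends outside this hunk.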
+4
@@ -45,6 +45,10 @@ registration_shared_secret: "{{SYNAPSE_REGISTRATION_SHARED_SECRET}}"
# Allow guest access
allow_guest_access: false
# Public room directory visibility
allow_public_rooms_without_auth: false
allow_public_rooms_over_federation: false
# Matrix Authentication Service (MAS) integration (Synapse 1.136+)
# Replaces deprecated experimental_features.msc3861
matrix_authentication_service:
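Review bot: The comment `# Public room directory visibility` above the two new keys is imprecise — these settings do not affect room visibility, they control whether the room directory (`/publicRooms`) can be fetched without an access token and whether it is served over federation, and both `false` values are already Synapse's defaults. A comment that states that makes the intent clear to the next reader: `# Room directory (/publicRooms): require an access token and do not serve it over federation.` followed by `# Both are Synapse defaults; set explicitly so a future default change cannot reopen the directory.`. The templated `registration_shared_secret` on the hunk's header line is correctly quoted, so an empty expansion still yields a string rather than null; keep it that way if the template is edited.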