Open brainscar opened 5 years ago
I can write a wiki article if everyone helps with ideas.
I'd like to know how to check which version of Synapse is already installed, and also how to manage versions.
I second this request; it will make version management a bit easier, since we won't have to guess how out-of-date our rooms are.
On Thu, May 23, 2019 at 9:15 PM yang202 notifications@github.com wrote:
I'd like to know how to check which version of Synapse is already installed, and also how to manage versions.
It's been a while but since I still can't find any good source on hardening a synapse server to this day, I want to share my personal thoughts on securing a matrix/synapse instance - Maybe it's of use to anyone...
DISCLAIMER: This is no guideline or professional advice of any kind! Just some random internet-guy's ideas
iptables
in my case) - As far as I've figured out, the following configuration is necessary for a matrix server to work properly (suggestions for further restrictions/improvements are very welcome!):
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 8448 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
(change SSH port accordingly)

I'm running synapse on an nginx basis, so these are some measures I successfully applied to my nginx configuration:
/etc/nginx/nginx.conf - it contains an SSL section!) but also within the Let's Encrypt config file (/etc/letsencrypt/options-ssl-nginx.conf)
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
I also checked (via cat /etc/nginx/sites-available/* | grep ssl_protocols) if there were any overrides of the protocol version, but there were none in my case.
openssl dhparam -out dhparams.pem 4096
sudo mkdir -p /opt/cert && sudo cp dhparams.pem /opt/cert/
Added the following line to the nginx configuration file (/etc/nginx/nginx.conf):
ssl_dhparam /opt/cert/dhparams.pem;
/etc/nginx/nginx.conf):
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
add_header X-Frame-Options "SAMEORIGIN";
There are a lot more nginx specific security settings covered in these resources, e.g.
But since I'm not that much into synapse, I don't know which HTTP methods synapse uses and how to set good resource values to still support sharing images and videos on the matrix homeserver.
Maybe there's someone out there who is willing to experiment and maybe even wants to help writing a community guide for hardening synapse.
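The comment above suggests checking by hand (cat ... | grep ssl_protocols) whether any site file overrides the global TLS protocol setting, and mentions that the Let's Encrypt include file has its own ssl_protocols line and that an ssl_dhparam file must be configured. The script below is an added example that automates that audit; it is not code from the commenter, from nginx or from the Synapse project. It scans a directory tree of nginx-style config files, ignores commented-out directives, and reports legacy protocols (SSLv3, TLSv1, TLSv1.1), any ssl_protocols line that differs from the one in nginx.conf, and a missing ssl_dhparam. The file layout it audits is a constructed sample written to a temporary directory; the /etc/letsencrypt path, the site name "matrix" and the simplistic comment handling (everything after # on a line is dropped) are assumptions, and include directives are not followed, so pass a root that already contains every file you want checked.

```python
"""Audit nginx TLS settings: legacy protocols, per-site overrides, DH params.

Added example for the hardening notes in this thread; not part of Synapse.
It scans every file under a directory root, so copy or symlink the Let's
Encrypt options-ssl-nginx.conf into that tree if you want it covered.
"""
import re
import tempfile
from pathlib import Path

# Protocol versions that should no longer be offered on a public homeserver.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

SSL_PROTOCOLS_RE = re.compile(r"^\s*ssl_protocols\s+([^;]+);", re.MULTILINE)
SSL_DHPARAM_RE = re.compile(r"^\s*ssl_dhparam\s+([^;]+);", re.MULTILINE)


def strip_comments(text: str) -> str:
    """Drop nginx '#' comments so a commented-out directive is not flagged (assumes no '#' in quoted values)."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def scan_file(path: Path) -> dict:
    """Return the ssl_protocols sets and ssl_dhparam paths declared in one config file."""
    text = strip_comments(path.read_text())
    return {
        "protocols": [set(m.split()) for m in SSL_PROTOCOLS_RE.findall(text)],
        "dhparam": SSL_DHPARAM_RE.findall(text),
    }


def audit_tls(root: Path, main_conf: str = "nginx.conf") -> list:
    """Walk the config tree and return (relative file, issue) findings."""
    main = root / main_conf
    main_info = scan_file(main) if main.is_file() else {"protocols": [], "dhparam": []}
    # The first ssl_protocols line in nginx.conf is the baseline every other file is compared against.
    baseline = main_info["protocols"][0] if main_info["protocols"] else set()
    findings = []
    has_dhparam = False
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        info = scan_file(path)
        rel = path.relative_to(root).as_posix()
        has_dhparam = has_dhparam or bool(info["dhparam"])
        for protos in info["protocols"]:
            legacy = sorted(protos & LEGACY_PROTOCOLS)
            if legacy:
                findings.append((rel, "legacy protocols enabled: " + " ".join(legacy)))
            if path != main and protos != baseline:
                findings.append((rel, f"ssl_protocols differs from {main_conf}: " + " ".join(sorted(protos))))
    if not has_dhparam:
        findings.append((main_conf, "no ssl_dhparam directive found in any file"))
    return findings


def build_sample_tree(base: Path) -> None:
    """Write a constructed sample config tree (not a real server's files)."""
    (base / "sites-available").mkdir(parents=True)
    (base / "letsencrypt").mkdir()
    (base / "nginx.conf").write_text(
        "http {\n"
        "    ssl_protocols TLSv1.2 TLSv1.3;\n"
        "    ssl_dhparam /opt/cert/dhparams.pem;\n"
        "    # ssl_protocols TLSv1;   <- commented out, must be ignored\n"
        "    include /etc/letsencrypt/options-ssl-nginx.conf;\n"
        "    include sites-available/*;\n"
        "}\n"
    )
    # Mirrors the Let's Encrypt include file, which repeats the protocol list.
    (base / "letsencrypt" / "options-ssl-nginx.conf").write_text(
        "ssl_protocols TLSv1.2 TLSv1.3;\nssl_prefer_server_ciphers off;\n"
    )
    # A site file that silently re-enables TLS 1.0/1.1: exactly the override the grep check hunts for.
    (base / "sites-available" / "matrix").write_text(
        "server {\n"
        "    listen 443 ssl;\n"
        "    server_name matrix.example.org;\n"
        "    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n"
        "    location / { proxy_pass http://127.0.0.1:8008; }\n"
        "}\n"
    )


def run_demo() -> list:
    """Build the sample tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return audit_tls(root)


if __name__ == "__main__":
    for rel, issue in run_demo():
        print(f"{rel}: {issue}")
```

Run it against a real tree with audit_tls(Path("/etc/nginx")) after copying the Let's Encrypt include file in; an empty list means every ssl_protocols line agrees with nginx.conf, none enables a legacy version, and ssl_dhparam is set somewhere.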
Thanks for adding this! I wonder if you would be willing to open a PR against our docs with this information?
The intended action here was for someone on the Synapse team to write something here, possibly based on the contributions in #11758.
I think we could easily create a "Security best practices" list on https://matrix-org.github.io/synapse/latest, containing a list of bullet points like:
It doesn't need to be perfect - just a placeholder that we can extend over time would be a great start.
(I don't think we should include general server-hardening best practices like locking down SSH access and using a firewall - we're not here to teach people server administration)
Hi,
I was wondering what the best practices are for hardening a Synapse server?
For example, I noticed Synapse listens on http://127.0.0.1:8008
Does it make sense to get a local certificate to change it to https://127.0.0.1:8008 ?
I hope we can share ideas.
Thank you.