matrix.disobey.net

matrix homeserver for disobey.net

threat model

This is not an anonymous service. The disobey.net homeserver admins can still see room content in any room that is not end-to-end encrypted (matrix sucks). Federation also means that messages delivered to other servers are subject to those servers' policies.

tuwunel policy

server name
	disobey.net
software
	tuwunel
registration
	allow_registration = false
federation
	allow_federation = true
end-to-end encryption
	allow_encryption = true
public room directory
	allow_public_room_directory_over_federation = false
	allow_public_room_directory_without_auth = false
room search by ID
	allow_public_room_search_by_id = false
	allow_unlisted_room_search_by_id = false
profile lookups
	require_auth_for_profile_requests = true
	allow_inbound_profile_lookup_federation_requests = false
presence, typing, receipts metadata
	allow_incoming_presence = false
	allow_outgoing_presence = false
	allow_incoming_typing = false
	allow_outgoing_typing = false
	allow_incoming_read_receipts = false
	allow_outgoing_read_receipts = false
	allow_local_presence = false
TURN guests
	turn_allow_guests = false
legacy media API
	allow_legacy_media = false

nginx policy

Incoming traffic terminates at nginx before it hits the Matrix backend. Relevant hardening:

	access_log off;
	server_tokens off;
	ssl_early_data off;
	proxy_set_header X-Forwarded-For "";
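A policy like the one above is only as good as what the running server actually enforces, so a useful check is to probe the public, unauthenticated endpoints of your own homeserver and compare the answers with the stated policy. The script below is an added example and not part of the disobey.net setup or of tuwunel; it covers both the tuwunel section (registration off, room directory and profile lookups requiring auth) and the nginx section (server_tokens off, visible as a Server header without a version). The endpoint paths are from the Matrix client-server spec; the assumption that a hardened server answers these with 401 or 403 is mine, as is the hypothetical user id used for the profile probe.

```python
"""Black-box check that a Matrix homeserver enforces a locked-down policy.

Added example, not the disobey.net page's own tooling. It only touches public
client-server endpoints of the server you point it at, without credentials.
"""
import json
import re
import sys
import urllib.error
import urllib.request

# Assumption: an unauthenticated request a hardened server refuses comes back
# as 401 (missing token) or 403 (forbidden).
DENIED = {401, 403}
# With server_tokens off nginx still sends "Server: nginx"; a version suffix
# such as "nginx/1.24.0" means the directive is not in effect.
VERSION_LEAK = re.compile(r"nginx/\d")

# (probe name, HTTP method, path, JSON body or None, policy line it reflects)
PROBES = [
    ("registration", "POST", "/_matrix/client/v3/register", {},
     "allow_registration = false"),
    ("public_room_directory", "GET", "/_matrix/client/v3/publicRooms", None,
     "allow_public_room_directory_without_auth = false"),
    # @nobody:example.invalid is a hypothetical user id; the point is that the
    # lookup must be refused before the server even decides whether it exists.
    ("profile_lookup", "GET", "/_matrix/client/v3/profile/@nobody:example.invalid", None,
     "require_auth_for_profile_requests = true"),
]


def fetch(base_url, method, path, body=None, timeout=10):
    """Send one unauthenticated request; return (status, Server header)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Server", "")
    except urllib.error.HTTPError as err:
        # A 4xx is the expected outcome for a hardened server, not a failure.
        return err.code, err.headers.get("Server", "")


def probe_server(base_url):
    """Run every probe against base_url; return {name: (status, server_header)}."""
    return {name: fetch(base_url, method, path, body)
            for name, method, path, body, _policy in PROBES}


def evaluate(observations):
    """Map {probe name: (status, server_header)} to {check name: passed}.

    Pure function, so it can be exercised on recorded or constructed data.
    """
    results = {name: observations[name][0] in DENIED for name, *_ in PROBES}
    results["server_tokens"] = not any(VERSION_LEAK.search(hdr or "")
                                       for _status, hdr in observations.values())
    return results


def report(base_url):
    """Print one line per check and return True only if every check passed."""
    observations = probe_server(base_url)
    results = evaluate(observations)
    for name, method, path, _body, policy in PROBES:
        status, _hdr = observations[name]
        print(f"{'ok ' if results[name] else 'BAD'} {method} {path} -> {status}  ({policy})")
    print(f"{'ok ' if results['server_tokens'] else 'BAD'} "
          "Server header carries no nginx version (server_tokens off)")
    return all(results.values())


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_policy.py https://your-homeserver.example")
    sys.exit(0 if report(sys.argv[1]) else 1)
```

Run it against the base URL of a server you operate; a non-zero exit means at least one observed response contradicts the policy. Checks that are not observable from outside (access_log off, ssl_early_data off, the stripped X-Forwarded-For header) still have to be verified on the host itself.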