diff --git a/raw/configuring_an_xmpp_server_prosody_0.10.md b/raw/configuring_an_xmpp_server_prosody_0.10.md index d5630cb..ee907cf 100644 --- a/raw/configuring_an_xmpp_server_prosody_0.10.md +++ b/raw/configuring_an_xmpp_server_prosody_0.10.md @@ -4,9 +4,16 @@ Category: xmpp Tags: xmpp, chat, guide, instant messaging, prosody Slug: configuring-a-modern-xmpp-server Description: Hands-on step-by-step guide that shows how to configure Prosody 0.10 for security, mobile messaging and ease of use. +status: draft [TOC] + + + This is a guide to set up a modern XMPP server focused on security and mobile messaging. The whole guide assumes Debian stable running on the server, the fact that you will end up hosting a few of your friends and that you have some basic skills working on a linux command line. To make your server communicate make sure following ports are open in your firewall: @@ -120,12 +127,12 @@ Install the newest prosody plugins: cd /usr/src hg clone https://hg.prosody.im/prosody-modules/ prosody-modules -Make a backup of the default prosody configuration and install [the one by the homebrewserver.club](https://homebrewserver.club/downloads/prosody.cfg.lua) +Make a backup of the default prosody configuration and install [the one by the homebrewserver.club](https://homebrewserver.club/downloads/prosody.0.10.cfg.lua) :::console cd /etc/prosody cp prosody.cfg.lua prosody.cfg.lua.original - wget https://homebrewserver.club/downloads/prosody.cfg.lua + wget https://homebrewserver.club/downloads/prosody.0.10.cfg.lua -O prosody.cfg.lua The homebrewserver.club prosody config: @@ -240,3 +247,4 @@ This guide is a companion to our article [Have You Considered The Alternative?]( **edit 9th of january 2018** updated config for new debian stable and prosody 0.10 +Previous articles descibed how to set up [Prosody 0.9](https://homebrewserver.club/drafts/configuring-a-modern-xmpp-server-0.9.html) \ No newline at end of file 
diff --git a/raw/configuring_an_xmpp_server_prosody_0.11.md b/raw/configuring_an_xmpp_server_prosody_0.11.md
new file mode 100644
index 0000000..1be43c6
--- /dev/null
+++ b/raw/configuring_an_xmpp_server_prosody_0.11.md
@@ -0,0 +1,232 @@ +Title: Configuring an XMPP server for secure, mobile instant messaging +Date: 2018-11-17 +Category: xmpp +Tags: xmpp, chat, guide, instant messaging, prosody +Slug: configuring-a-modern-xmpp-server-0.11 +Description: Hands-on step-by-step guide that shows how to configure Prosody 0.11 aimed at security, mobile messaging, rich features and ease of use. +Status: draft + +[TOC] + +This is a guide to set up a modern XMPP server focused on security and mobile messaging. The whole guide assumes Debian stable running on the server, the fact that you will end up hosting a few of your friends and that you have some basic skills working on a linux command line. + +To make your server communicate make sure following ports are open in your firewall: + + :::console + 5000 (for proxying large file transfers between clients) + 5222 (for client to server) + 5269 (server to server) + 5280 (default http port for prosody) + 5281 (default https port for prosody) + +Additionally make sure you have set up a domain name and have A-records for the following subdomains: + + :::console + muc.myserver.org (for the groupchats) + dump.myserver.org (for the HTTP-Upload component) + proxy.myserver.org (for the file transfer proxy) + +This guide uses the ones above but feel free to come up with more creative subdomains :) + + +Enabling HTTPS +--- + +First we acquire a signed HTTPS-certificate via [Let's Encrypt](https://letsencrypt.org/): +This is among others required for Gajim plugins to work properly; self-generated certs will not work. + +Install Certbot and get new certificates for your domain (replace myserver.org with your own): + + :::console + sudo apt-get update && sudo apt-get install certbot + certbot certonly -d myserver.org -d muc.myserver.org -d dump.myserver.org -d proxy.myserver.org + +Should you succeed, you will be able to read something like: + + :::console + - Congratulations! 
Your certificate and chain have been saved at + /etc/letsencrypt/live/myserver.org/fullchain.pem. Your + cert will expire on 2019-02-15. To obtain a new or tweaked version + of this certificate in the future, simply run certbot again. To + non-interactively renew *all* of your certificates, run "certbot + renew" + + +Take note of the path where the certificate is stored as we will use it later. + +TODO: Upgrading MySQL +--- + +Previous versions of this guide included instructions how to set up a MySQL database backend. This was done because some message archived features had that as a dependency in older versions of prosody. It is however overkill for small etc etc + + +Installing and configuring Prosody, the XMPP server +--- + +Install the newest version of Prosody and its dependencies from the official prosody repository: + + :::console + echo deb http://packages.prosody.im/debian $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list + + wget https://prosody.im/files/prosody-debian-packages.key -O- | sudo apt-key add - + + sudo apt-get update && sudo apt-get install prosody-0.11 + +Install the newest prosody plugins: + + :::console + apt-get install mercurial + cd /usr/src + hg clone https://hg.prosody.im/prosody-modules/ prosody-modules + + +Make a backup of the default prosody configuration and install [the one by the homebrewserver.club](https://homebrewserver.club/downloads/prosody.0.11.cfg.lua) + + :::console + cd /etc/prosody + cp prosody.cfg.lua prosody.cfg.lua.original + wget https://homebrewserver.club/downloads/prosody.0.11.cfg.lua -O prosody.cfg.lua + +The homebrewserver.club prosody config: + + :::console + -- a custom prosody config focused on high security and ease of use across (mobile) clients + -- provided to you by the homebrewserver.club + -- the original config file (prosody.cfg.lua.original) will have more information + + plugin_paths = { "/usr/src/prosody-modules" } -- non-standard plugin path so we can keep them up to date with 
mercurial + + modules_enabled = { + "roster"; -- Allow users to have a roster. Recommended ;) + "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in. + "tls"; -- Add support for secure TLS on c2s/s2s connections + "dialback"; -- s2s dialback support + "disco"; -- Service discovery + "posix"; -- POSIX functionality, sends server to background, enables syslog, etc. + "private"; -- Private XML storage (for room bookmarks, etc.) + "vcard4"; -- User Profiles (stored in PEP) + "vcard_legacy" -- Conversion between legacy vCard and PEP Avatar, vcard + "version"; -- Replies to server version requests + "uptime"; -- Report how long server has been running + "time"; -- Let others know the time here on this server + "ping"; -- Replies to XMPP pings with pongs + "register"; --Allows clients to register an account on your server + "pep"; -- Enables users to publish their mood, activity, playing music and more + "carbons"; -- XEP-0280: Message Carbons, synchronize messages accross devices + "smacks"; -- XEP-0198: Stream Management, keep chatting even when the network drops for a few seconds + "mam"; -- XEP-0313: Message Archive Management, allows to retrieve chat history from server + "csi_simple"; -- XEP-0352: Client State Indication + "http"; -- mod_http needed for XEP-363 + "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands + "blocklist"; -- XEP-0191 blocking of users + "proxy"; --XEP-065 Allows the server to negotiate a bytestream between clients for large file transfers + "bookmarks"; -- Synchronize currently joined groupchat between different clients. + --"cloud_notify"; -- Support for XEP-0357 Push Notifications for compatibility with ChatSecure/iOS. + -- iOS typically end the connection when an app runs in the background and requires use of Apple's Push servers to wake up and receive a message. Enabling this module allows your server to do that for your contacts on iOS. 
+ -- However we leave it commented out as it is another example of vertically integrated cloud platforms at odds with federation, with all the meta-data-based surveillance consequences that that might have. + "server_contact_info"; --add contact info in the case of issues with the server + + }; + + allow_registration = false; -- Enable to allow people to register accounts on your server from their clients, for more information see http://prosody.im/doc/creating_accounts + + certificates = "/etc/prosody/certs" + https_certificate = "certs/myserver.org" + + c2s_require_encryption = true -- Force clients to use encrypted connections + + -- Force certificate authentication for server-to-server connections? + -- This provides ideal security, but requires servers you communicate + -- with to support encryption AND present valid, trusted certificates. + -- NOTE: Your version of LuaSec must support certificate verification! + -- For more information see http://prosody.im/doc/s2s#security + + s2s_secure_auth = true + + pidfile = "/var/run/prosody/prosody.pid" + + authentication = "internal_hashed" + + -- Archiving + -- If mod_mam is enabled, Prosody will store a copy of every message. This + -- is used to synchronize conversations between multiple clients, even if + -- they are offline. This setting controls how long Prosody will keep + -- messages in the archive before removing them. 
+ + archive_expires_after = "1w" -- Remove archived messages after 1 week + + log = { --disable for extra privacy + info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging + error = "/var/log/prosody/prosody.err"; + "*syslog"; + } + + VirtualHost "myserver.org" + + -- Enable http_upload to allow image sharing across multiple devices and clients + Component "dump.myserver.org" "http_upload" + + -- Set up a MUC (multi-user chat) room server on conference.example.com: + Component "muc.myserver.org" "muc" + modules_enabled = { "muc_mam", "vcard_muc" } + + -- Set up a file transfer proxy to facilitate clients sending larger files to each other + Component "proxy.myserver.org" "proxy65" + + +Replace all instances of the placeholder domain name and passwords in the config file with your own: + + :::console + sed -i 's/myserver.org/yourdomain.net/g' prosody.cfg.lua + +Alternatively you can change them by hand. They are on line 62, 70, 73, 76 of prosody.cfg.lua + +Make Prosody import the LetsEncrypt certificates: + + :::console + prosodyctl --root cert import /etc/letsencrypt/live + +You might get the following output: + + No certificate for host muc.myserver.org found :( + No certificate for host dump.myserver.org found :( + No certificate for host proxy.myserver.org found :( + Imported certificate and key for hosts myserver.org + +However, no need to worry since the last certificate contains information for all the above subdomains. + +Finishing up +--- + +Add an entry to cron to automatically renew LetsEncrypt certificates + + :::console + sudo crontab -e + +And add: + + :::console + 0 4 * * * /usr/bin/certbot renew && prosodyctl --root cert import /etc/letsencrypt/live + +This will check and renew the certificates every day at 04:00. 
+ + +After you've set up all of the above it is time to start the server: + + :::console + /etc/init.d/prosody restart + +Users can be added from the command line, you will also be prompted for a password: + + :::console + prosodyctl adduser me@myserver.org + +Alternatively you can change "allow_registration = false;" to "allow_registration = true;" in the config (line 35) to allow users to register accounts on your server via their clients. + +Now you can try connecting to your own server by using a client like Gajim or Conversations. Login with the above configured username and password. + +If you have questions about Prosody, the project's [documentation](http://prosody.im/doc) is quite good. If you can't find answers there, try contacting prosody developers and users directly via [the Prosody XMPP chatroom](xmpp://prosody.conference.prosody.im?join) + +This guide is a companion to our article [Have You Considered The Alternative?](http://homebrewserver.club/have-you-considered-the-alternative.html) on instant messaging. Also check out our guide on [XMPP clients](http://homebrewserver.club/picking-modern-xmpp-clients.html). + +Previous articles descibed how to set up [Prosody 0.9](https://homebrewserver.club/drafts/configuring-a-modern-xmpp-server-0.9.html) and [Prosody 0.10](https://homebrewserver.club/drafts/configuring-a-modern-xmpp-server-0.10.html) \ No newline at end of file diff --git a/raw/configuring_an_xmpp_server_prosody_0.9.md b/raw/configuring_an_xmpp_server_prosody_0.9.md index 85a7e69..98e947c 100644 --- a/raw/configuring_an_xmpp_server_prosody_0.9.md +++ b/raw/configuring_an_xmpp_server_prosody_0.9.md 
@@ -2,10 +2,15 @@ Title: Configuring an XMPP server for secure, mobile instant messaging Date: 2017-3-07 Category: xmpp Tags: xmpp, chat, guide, instant messaging, prosody -Slug: configuring-a-modern-xmpp-server +Slug: configuring-a-modern-xmpp-server-0.9 Description: Hands-on step-by-step guide that shows how to configure Prosody for security, mobile messaging and ease of use. Status: draft +Attention! +--- +This article describes how to set up Prosody 0.9 and kept online only for archival reasons! You are probably looking for the following article + + This is a guide to set up a modern XMPP server focused on security and mobile messaging. The whole guide assumes Debian stable running on the server, the fact that you will end up hosting a few of your friends and that you have some basic skills working on a linux command line. To make your server communicate make sure following ports are open in your firewall: @@ -119,12 +124,12 @@ Install the newest prosody plugins: cd /usr/src hg clone https://hg.prosody.im/prosody-modules/ prosody-modules -Make a backup of the default prosody configuration and install [the one by the homebrewserver.club](https://homebrewserver.club/downloads/prosody.cfg.lua) +Make a backup of the default prosody configuration and install [the one by the homebrewserver.club](https://homebrewserver.club/downloads/prosody.0.9.cfg.lua) :::console cd /etc/prosody cp prosody.cfg.lua prosody.cfg.lua.original - wget https://homebrewserver.club/downloads/prosody.cfg.lua + wget https://homebrewserver.club/downloads/prosody.0.9.cfg.lua -O prosody.cfg.lua The homebrewserver.club prosody config: diff --git a/raw/downloads/prosody.0.11.cfg.lua b/raw/downloads/prosody.0.11.cfg.lua new file mode 100644 index 0000000..46b6591 --- /dev/null +++ b/raw/downloads/prosody.0.11.cfg.lua 
@@ -0,0 +1,88 @@ +-- a custom prosody 0.11 config focused on high security and ease of use across (mobile) clients +-- provided to you by the homebrewserver.club +-- the original config file (prosody.cfg.lua.original) will have more information + +plugin_paths = { "/usr/src/prosody-modules" } -- non-standard plugin path so we can keep them up to date with mercurial + +modules_enabled = { + "roster"; -- Allow users to have a roster. Recommended ;) + "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in. + "tls"; -- Add support for secure TLS on c2s/s2s connections + "dialback"; -- s2s dialback support + "disco"; -- Service discovery + "posix"; -- POSIX functionality, sends server to background, enables syslog, etc. + "private"; -- Private XML storage (for room bookmarks, etc.) + "vcard4"; -- User Profiles (stored in PEP) + "vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard + "version"; -- Replies to server version requests + "uptime"; -- Report how long server has been running + "time"; -- Let others know the time here on this server + "ping"; -- Replies to XMPP pings with pongs + "register"; --Allows clients to register an account on your server + "pep"; -- Enables users to publish their mood, activity, playing music and more + "carbons"; -- XEP-0280: Message Carbons, synchronize messages accross devices + "smacks"; -- XEP-0198: Stream Management, keep chatting even when the network drops for a few seconds + "mam"; -- XEP-0313: Message Archive Management, allows to retrieve chat history from server + "csi_simple"; -- XEP-0352: Client State Indication + "http"; -- mod_http needed for XEP-363 + "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands + "blocklist"; -- XEP-0191 blocking of users + "proxy"; ---XEP-065 Allows the server to negotiate a bytestream between clients for large file transfers + "bookmarks"; -- Synchronize currently joined groupchat between different 
clients. + "server_contact_info"; --add contact info in the case of issues with the server + --"cloud_notify"; -- Support for XEP-0357 Push Notifications for compatibility with ChatSecure/iOS. + -- iOS typically end the connection when an app runs in the background and requires use of Apple's Push servers to wake up and receive a message. Enabling this module allows your server to do that for your contacts on iOS. + -- However we leave it commented out as it is another example of vertically integrated cloud platforms at odds with federation, with all the meta-data-based surveillance consequences that that might have. +}; + +allow_registration = false; -- Enable to allow people to register accounts on your server from their clients, for more information see http://prosody.im/doc/creating_accounts + +certificates = "/etc/prosody/certs" -- Path where prosody looks for the certificates see: https://prosody.im/doc/letsencrypt + +https_certificate = "certs/myserver.org.crt" + +c2s_require_encryption = true -- Force clients to use encrypted connections + +-- Force certificate authentication for server-to-server connections? +-- This provides ideal security, but requires servers you communicate +-- with to support encryption AND present valid, trusted certificates. +-- NOTE: Your version of LuaSec must support certificate verification! +-- For more information see http://prosody.im/doc/s2s#security + +s2s_secure_auth = true + +pidfile = "/var/run/prosody/prosody.pid" + +authentication = "internal_hashed" + +-- Archiving +-- If mod_mam is enabled, Prosody will store a copy of every message. This +-- is used to synchronize conversations between multiple clients, even if +-- they are offline. This setting controls how long Prosody will keep +-- messages in the archive before removing them. 
+ +archive_expires_after = "1w" -- Remove archived messages after 1 week + +log = { --disable for extra privacy + info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging + error = "/var/log/prosody/prosody.err"; + "*syslog"; +} + +-- add contact information for other server admins to contact you about issues regarding your server +-- this is particularly important if you enable public registrations +-- contact_info = { +-- admin = { "mailto:username@myserver.org", "xmpp:username@myserver.org" }; +--}; + +VirtualHost "myserver.org" + +-- Enable http_upload to allow image sharing across multiple devices and clients +Component "dump.myserver.org" "http_upload" + +---Set up a MUC (multi-user chat) room server on conference.example.com: +Component "muc.myserver.org" "muc" +modules_enabled = { "muc_mam", "vcard_muc" } + +-- Set up a file transfer proxy to facilitate clients sending larger files to each other +Component "proxy.myserver.org" "proxy65" diff --git a/raw/downloads/prosody0.9.cfg.lua b/raw/downloads/prosody.0.9.cfg.lua similarity index 97% rename from raw/downloads/prosody0.9.cfg.lua rename to raw/downloads/prosody.0.9.cfg.lua index e13307a..cb8503e 100644 --- a/raw/downloads/prosody0.9.cfg.lua +++ b/raw/downloads/prosody.0.9.cfg.lua @@ -1,4 +1,4 @@ --- a custom prosody config focused on high security and ease of use across (mobile) clients +-- a custom 0.9 prosody config focused on high security and ease of use across (mobile) clients -- provided to you by the homebrewserver.club -- the original config file (prosody.cfg.lua.original) will have more information diff --git a/raw/downloads/prosody.cfg.lua b/raw/downloads/prosody.10.cfg.lua similarity index 97% rename from raw/downloads/prosody.cfg.lua rename to raw/downloads/prosody.10.cfg.lua index 000a821..9905f72 100644 --- a/raw/downloads/prosody.cfg.lua +++ b/raw/downloads/prosody.10.cfg.lua 
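Review bot: The two public-facing components at the end of this hunk carry no abuse limits: `Component "muc.myserver.org" "muc"` sets no `restrict_room_creation`, which as far as the defaults go lets any user, local or remote, create rooms, and `Component "dump.myserver.org" "http_upload"` leaves upload size and retention to the module's defaults, so the guide never tells operators how much disk a user can consume or how long uploads persist. Adding `restrict_room_creation = "local"` under the MUC component and `http_upload_file_size_limit = 10 * 1024 * 1024 -- 10 MiB, constructed example` under the upload component bounds both, with the chosen values explained in the guide. Separately, `"admin_adhoc"` is enabled in `modules_enabled` but the file never defines `admins = { }`, so that module does nothing until an admin JID is listed, which the guide should call out. Also, the copy of this config inlined in the new 0.11 guide diverges from this file: it writes `https_certificate = "certs/myserver.org"` without the `.crt` suffix and drops the `;` after `"vcard_legacy"`, which is not valid Lua inside the table, so the two copies should be kept identical.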
@@ -1,4 +1,4 @@
--- a custom prosody config focused on high security and ease of use across (mobile) clients
+-- a custom prosody 0.10 config focused on high security and ease of use across (mobile) clients
 -- provided to you by the homebrewserver.club
 -- the original config file (prosody.cfg.lua.original) will have more information