draft config prosody 0.11, added links to older configs in older articles

This commit is contained in:
rscmbbng 2018-11-18 13:00:45 +01:00
parent 2742e0bf6b
commit 3832fe0579
6 changed files with 340 additions and 7 deletions

View File

@ -4,9 +4,16 @@ Category: xmpp
Tags: xmpp, chat, guide, instant messaging, prosody
Slug: configuring-a-modern-xmpp-server
Description: Hands-on step-by-step guide that shows how to configure Prosody 0.10 for security, mobile messaging and ease of use.
status: draft
[TOC]
<!-- Attention
---
This article describes how to set up Prosody 0.10 and kept online only for archival reasons! You are probably looking for the following article <https://homebrewserver.club/configuring-a-modern-xmpp-server.html>
-->
This is a guide to set up a modern XMPP server focused on security and mobile messaging. The whole guide assumes Debian stable running on the server, the fact that you will end up hosting a few of your friends and that you have some basic skills working on a linux command line.
To make your server communicate make sure following ports are open in your firewall:
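Review bot: the Attention notice added in this hunk is wrapped in an HTML comment (`<!-- Attention ... -->`), so it will not render and readers of the archived 0.10 article never see the pointer to the current guide; the 0.9 article in this same commit uses a visible `Attention!` heading, and the same form should be used here. The slug also stays `configuring-a-modern-xmpp-server` while the new 0.11 article links to `drafts/configuring-a-modern-xmpp-server-0.10.html`, so that link cannot resolve unless this slug is changed to `configuring-a-modern-xmpp-server-0.10` the way the 0.9 article's slug was changed.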
@ -120,12 +127,12 @@ Install the newest prosody plugins:
cd /usr/src
hg clone https://hg.prosody.im/prosody-modules/ prosody-modules
Make a backup of the default prosody configuration and install [the one by the homebrewserver.club](https://homebrewserver.club/downloads/prosody.cfg.lua)
Make a backup of the default prosody configuration and install [the one by the homebrewserver.club](https://homebrewserver.club/downloads/prosody.0.10.cfg.lua)
:::console
cd /etc/prosody
cp prosody.cfg.lua prosody.cfg.lua.original
wget https://homebrewserver.club/downloads/prosody.cfg.lua
wget https://homebrewserver.club/downloads/prosody.0.10.cfg.lua -O prosody.cfg.lua
The homebrewserver.club prosody config:
@ -240,3 +247,4 @@ This guide is a companion to our article [Have You Considered The Alternative?](
**edit 9th of january 2018**
updated config for new debian stable and prosody 0.10
Previous articles descibed how to set up [Prosody 0.9](https://homebrewserver.club/drafts/configuring-a-modern-xmpp-server-0.9.html)
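Review bot: typo in the added line, `descibed` should be `described`; the same line (with the same typo) is added to the 0.11 article in this commit.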

View File

@ -0,0 +1,232 @@
Title: Configuring an XMPP server for secure, mobile instant messaging
Date: 2018-11-17
Category: xmpp
Tags: xmpp, chat, guide, instant messaging, prosody
Slug: configuring-a-modern-xmpp-server-0.11
Description: Hands-on step-by-step guide that shows how to configure Prosody 0.11 aimed at security, mobile messaging, rich features and ease of use.
Status: draft
[TOC]
This is a guide to set up a modern XMPP server focused on security and mobile messaging. The whole guide assumes Debian stable running on the server, the fact that you will end up hosting a few of your friends and that you have some basic skills working on a linux command line.
To make your server communicate make sure following ports are open in your firewall:
:::console
5000 (for proxying large file transfers between clients)
5222 (for client to server)
5269 (server to server)
5280 (default http port for prosody)
5281 (default https port for prosody)
Additionally make sure you have set up a domain name and have A-records for the following subdomains:
:::console
muc.myserver.org (for the groupchats)
dump.myserver.org (for the HTTP-Upload component)
proxy.myserver.org (for the file transfer proxy)
This guide uses the ones above but feel free to come up with more creative subdomains :)
Enabling HTTPS
---
First we acquire a signed HTTPS-certificate via [Let's Encrypt](https://letsencrypt.org/):
This is among others required for Gajim plugins to work properly; self-generated certs will not work.
Install Certbot and get new certificates for your domain (replace myserver.org with your own):
:::console
sudo apt-get update && sudo apt-get install certbot
certbot certonly -d myserver.org -d muc.myserver.org -d dump.myserver.org -d proxy.myserver.org
Should you succeed, you will be able to read something like:
:::console
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/myserver.org/fullchain.pem. Your
cert will expire on 2019-02-15. To obtain a new or tweaked version
of this certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
Take note of the path where the certificate is stored as we will use it later.
TODO: Upgrading MySQL
---
Previous versions of this guide included instructions how to set up a MySQL database backend. This was done because some message archived features had that as a dependency in older versions of prosody. It is however overkill for small etc etc
Installing and configuring Prosody, the XMPP server
---
Install the newest version of Prosody and its dependencies from the official prosody repository:
:::console
echo deb http://packages.prosody.im/debian $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list
wget https://prosody.im/files/prosody-debian-packages.key -O- | sudo apt-key add -
sudo apt-get update && sudo apt-get install prosody-0.11
Install the newest prosody plugins:
:::console
apt-get install mercurial
cd /usr/src
hg clone https://hg.prosody.im/prosody-modules/ prosody-modules
Make a backup of the default prosody configuration and install [the one by the homebrewserver.club](https://homebrewserver.club/downloads/prosody.0.11.cfg.lua)
:::console
cd /etc/prosody
cp prosody.cfg.lua prosody.cfg.lua.original
wget https://homebrewserver.club/downloads/prosody.0.11.cfg.lua -O prosody.cfg.lua
The homebrewserver.club prosody config:
:::console
-- a custom prosody config focused on high security and ease of use across (mobile) clients
-- provided to you by the homebrewserver.club
-- the original config file (prosody.cfg.lua.original) will have more information
plugin_paths = { "/usr/src/prosody-modules" } -- non-standard plugin path so we can keep them up to date with mercurial
modules_enabled = {
"roster"; -- Allow users to have a roster. Recommended ;)
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
"tls"; -- Add support for secure TLS on c2s/s2s connections
"dialback"; -- s2s dialback support
"disco"; -- Service discovery
"posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
"private"; -- Private XML storage (for room bookmarks, etc.)
"vcard4"; -- User Profiles (stored in PEP)
"vcard_legacy" -- Conversion between legacy vCard and PEP Avatar, vcard
"version"; -- Replies to server version requests
"uptime"; -- Report how long server has been running
"time"; -- Let others know the time here on this server
"ping"; -- Replies to XMPP pings with pongs
"register"; --Allows clients to register an account on your server
"pep"; -- Enables users to publish their mood, activity, playing music and more
"carbons"; -- XEP-0280: Message Carbons, synchronize messages accross devices
"smacks"; -- XEP-0198: Stream Management, keep chatting even when the network drops for a few seconds
"mam"; -- XEP-0313: Message Archive Management, allows to retrieve chat history from server
"csi_simple"; -- XEP-0352: Client State Indication
"http"; -- mod_http needed for XEP-363
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
"blocklist"; -- XEP-0191 blocking of users
"proxy"; --XEP-065 Allows the server to negotiate a bytestream between clients for large file transfers
"bookmarks"; -- Synchronize currently joined groupchat between different clients.
--"cloud_notify"; -- Support for XEP-0357 Push Notifications for compatibility with ChatSecure/iOS.
-- iOS typically end the connection when an app runs in the background and requires use of Apple's Push servers to wake up and receive a message. Enabling this module allows your server to do that for your contacts on iOS.
-- However we leave it commented out as it is another example of vertically integrated cloud platforms at odds with federation, with all the meta-data-based surveillance consequences that that might have.
"server_contact_info"; --add contact info in the case of issues with the server
};
allow_registration = false; -- Enable to allow people to register accounts on your server from their clients, for more information see http://prosody.im/doc/creating_accounts
certificates = "/etc/prosody/certs"
https_certificate = "certs/myserver.org"
c2s_require_encryption = true -- Force clients to use encrypted connections
-- Force certificate authentication for server-to-server connections?
-- This provides ideal security, but requires servers you communicate
-- with to support encryption AND present valid, trusted certificates.
-- NOTE: Your version of LuaSec must support certificate verification!
-- For more information see http://prosody.im/doc/s2s#security
s2s_secure_auth = true
pidfile = "/var/run/prosody/prosody.pid"
authentication = "internal_hashed"
-- Archiving
-- If mod_mam is enabled, Prosody will store a copy of every message. This
-- is used to synchronize conversations between multiple clients, even if
-- they are offline. This setting controls how long Prosody will keep
-- messages in the archive before removing them.
archive_expires_after = "1w" -- Remove archived messages after 1 week
log = { --disable for extra privacy
info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
error = "/var/log/prosody/prosody.err";
"*syslog";
}
VirtualHost "myserver.org"
-- Enable http_upload to allow image sharing across multiple devices and clients
Component "dump.myserver.org" "http_upload"
-- Set up a MUC (multi-user chat) room server on conference.example.com:
Component "muc.myserver.org" "muc"
modules_enabled = { "muc_mam", "vcard_muc" }
-- Set up a file transfer proxy to facilitate clients sending larger files to each other
Component "proxy.myserver.org" "proxy65"
Replace all instances of the placeholder domain name and passwords in the config file with your own:
:::console
sed -i 's/myserver.org/yourdomain.net/g' prosody.cfg.lua
Alternatively you can change them by hand. They are on line 62, 70, 73, 76 of prosody.cfg.lua
Make Prosody import the LetsEncrypt certificates:
:::console
prosodyctl --root cert import /etc/letsencrypt/live
You might get the following output:
No certificate for host muc.myserver.org found :(
No certificate for host dump.myserver.org found :(
No certificate for host proxy.myserver.org found :(
Imported certificate and key for hosts myserver.org
However, no need to worry since the last certificate contains information for all the above subdomains.
Finishing up
---
Add an entry to cron to automatically renew LetsEncrypt certificates
:::console
sudo crontab -e
And add:
:::console
0 4 * * * /usr/bin/certbot renew && prosodyctl --root cert import /etc/letsencrypt/live
This will check and renew the certificates every day at 04:00.
After you've set up all of the above it is time to start the server:
:::console
/etc/init.d/prosody restart
Users can be added from the command line, you will also be prompted for a password:
:::console
prosodyctl adduser me@myserver.org
Alternatively you can change "allow_registration = false;" to "allow_registration = true;" in the config (line 35) to allow users to register accounts on your server via their clients.
Now you can try connecting to your own server by using a client like Gajim or Conversations. Login with the above configured username and password.
If you have questions about Prosody, the project's [documentation](http://prosody.im/doc) is quite good. If you can't find answers there, try contacting prosody developers and users directly via [the Prosody XMPP chatroom](xmpp://prosody.conference.prosody.im?join)
This guide is a companion to our article [Have You Considered The Alternative?](http://homebrewserver.club/have-you-considered-the-alternative.html) on instant messaging. Also check out our guide on [XMPP clients](http://homebrewserver.club/picking-modern-xmpp-clients.html).
Previous articles descibed how to set up [Prosody 0.9](https://homebrewserver.club/drafts/configuring-a-modern-xmpp-server-0.9.html) and [Prosody 0.10](https://homebrewserver.club/drafts/configuring-a-modern-xmpp-server-0.10.html)
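Review bot: the inline copy of the config in this hunk has a Lua syntax error: the entry `"vcard_legacy" -- Conversion between legacy vCard and PEP Avatar, vcard` lacks the `;` separator, so `"version";` follows it without one and `modules_enabled` will not parse for anyone who copies this block rather than downloading the file (the `prosody.0.11.cfg.lua` added in this commit does have the semicolon). The inline copy diverges from that file in other ways as well: `https_certificate = "certs/myserver.org"` versus `"certs/myserver.org.crt"` in the file, and the commented `contact_info` block is missing; either keep the two identical or drop the inline copy and rely on the download link. Further, "Replace all instances of the placeholder domain name and passwords ... They are on line 62, 70, 73, 76" and "(line 35)" are carried over from the 0.10 guide: with the MySQL backend gone this config contains no passwords, and those line numbers do not match an 88-line file. The `TODO: Upgrading MySQL` section still ends in "etc etc" and needs finishing before the draft is published, and `XEP-363` / `XEP-065` in the module comments should read `XEP-0363` / `XEP-0065`.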

View File

@ -2,10 +2,15 @@ Title: Configuring an XMPP server for secure, mobile instant messaging
Date: 2017-3-07
Category: xmpp
Tags: xmpp, chat, guide, instant messaging, prosody
Slug: configuring-a-modern-xmpp-server
Slug: configuring-a-modern-xmpp-server-0.9
Description: Hands-on step-by-step guide that shows how to configure Prosody for security, mobile messaging and ease of use.
Status: draft
Attention!
---
This article describes how to set up Prosody 0.9 and kept online only for archival reasons! You are probably looking for the following article <https://homebrewserver.club/configuring-a-modern-xmpp-server.html>
This is a guide to set up a modern XMPP server focused on security and mobile messaging. The whole guide assumes Debian stable running on the server, the fact that you will end up hosting a few of your friends and that you have some basic skills working on a linux command line.
To make your server communicate make sure following ports are open in your firewall:
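Review bot: the Attention link target `configuring-a-modern-xmpp-server.html` is the slug of the 0.10 article, which this commit sets to `status: draft`, while the new 0.11 article gets the slug `configuring-a-modern-xmpp-server-0.11`; confirm that the pointer still resolves to a published page once the 0.10 article is a draft, or point it at whichever guide is the current one.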
@ -119,12 +124,12 @@ Install the newest prosody plugins:
cd /usr/src
hg clone https://hg.prosody.im/prosody-modules/ prosody-modules
Make a backup of the default prosody configuration and install [the one by the homebrewserver.club](https://homebrewserver.club/downloads/prosody.cfg.lua)
Make a backup of the default prosody configuration and install [the one by the homebrewserver.club](https://homebrewserver.club/downloads/prosody.0.9.cfg.lua)
:::console
cd /etc/prosody
cp prosody.cfg.lua prosody.cfg.lua.original
wget https://homebrewserver.club/downloads/prosody.cfg.lua
wget https://homebrewserver.club/downloads/prosody.0.9.cfg.lua -O prosody.cfg.lua
The homebrewserver.club prosody config:

View File

@ -0,0 +1,88 @@
-- a custom prosody 0.11 config focused on high security and ease of use across (mobile) clients
-- provided to you by the homebrewserver.club
-- the original config file (prosody.cfg.lua.original) will have more information
plugin_paths = { "/usr/src/prosody-modules" } -- non-standard plugin path so we can keep them up to date with mercurial
modules_enabled = {
"roster"; -- Allow users to have a roster. Recommended ;)
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
"tls"; -- Add support for secure TLS on c2s/s2s connections
"dialback"; -- s2s dialback support
"disco"; -- Service discovery
"posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
"private"; -- Private XML storage (for room bookmarks, etc.)
"vcard4"; -- User Profiles (stored in PEP)
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
"version"; -- Replies to server version requests
"uptime"; -- Report how long server has been running
"time"; -- Let others know the time here on this server
"ping"; -- Replies to XMPP pings with pongs
"register"; --Allows clients to register an account on your server
"pep"; -- Enables users to publish their mood, activity, playing music and more
"carbons"; -- XEP-0280: Message Carbons, synchronize messages accross devices
"smacks"; -- XEP-0198: Stream Management, keep chatting even when the network drops for a few seconds
"mam"; -- XEP-0313: Message Archive Management, allows to retrieve chat history from server
"csi_simple"; -- XEP-0352: Client State Indication
"http"; -- mod_http needed for XEP-363
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
"blocklist"; -- XEP-0191 blocking of users
"proxy"; ---XEP-065 Allows the server to negotiate a bytestream between clients for large file transfers
"bookmarks"; -- Synchronize currently joined groupchat between different clients.
"server_contact_info"; --add contact info in the case of issues with the server
--"cloud_notify"; -- Support for XEP-0357 Push Notifications for compatibility with ChatSecure/iOS.
-- iOS typically end the connection when an app runs in the background and requires use of Apple's Push servers to wake up and receive a message. Enabling this module allows your server to do that for your contacts on iOS.
-- However we leave it commented out as it is another example of vertically integrated cloud platforms at odds with federation, with all the meta-data-based surveillance consequences that that might have.
};
allow_registration = false; -- Enable to allow people to register accounts on your server from their clients, for more information see http://prosody.im/doc/creating_accounts
certificates = "/etc/prosody/certs" -- Path where prosody looks for the certificates see: https://prosody.im/doc/letsencrypt
https_certificate = "certs/myserver.org.crt"
c2s_require_encryption = true -- Force clients to use encrypted connections
-- Force certificate authentication for server-to-server connections?
-- This provides ideal security, but requires servers you communicate
-- with to support encryption AND present valid, trusted certificates.
-- NOTE: Your version of LuaSec must support certificate verification!
-- For more information see http://prosody.im/doc/s2s#security
s2s_secure_auth = true
pidfile = "/var/run/prosody/prosody.pid"
authentication = "internal_hashed"
-- Archiving
-- If mod_mam is enabled, Prosody will store a copy of every message. This
-- is used to synchronize conversations between multiple clients, even if
-- they are offline. This setting controls how long Prosody will keep
-- messages in the archive before removing them.
archive_expires_after = "1w" -- Remove archived messages after 1 week
log = { --disable for extra privacy
info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
error = "/var/log/prosody/prosody.err";
"*syslog";
}
-- add contact information for other server admins to contact you about issues regarding your server
-- this is particularly important if you enable public registrations
-- contact_info = {
-- admin = { "mailto:username@myserver.org", "xmpp:username@myserver.org" };
--};
VirtualHost "myserver.org"
-- Enable http_upload to allow image sharing across multiple devices and clients
Component "dump.myserver.org" "http_upload"
---Set up a MUC (multi-user chat) room server on conference.example.com:
Component "muc.myserver.org" "muc"
modules_enabled = { "muc_mam", "vcard_muc" }
-- Set up a file transfer proxy to facilitate clients sending larger files to each other
Component "proxy.myserver.org" "proxy65"
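Review bot: `"server_contact_info"` is enabled in `modules_enabled`, but the `contact_info` block near the end of the global section is commented out, so the module has nothing to advertise; the comment itself says this matters most if public registration is enabled, so either ship the block uncommented with the `myserver.org` placeholder (the article's `sed` step would then rewrite it) or tell readers in the article to fill it in. Minor: the comments still say `XEP-363` and `XEP-065` (the numbers are `XEP-0363` and `XEP-0065`), and the `---Set up a MUC ... on conference.example.com:` comment names a host the component below it does not use (`muc.myserver.org`).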

View File

@ -1,4 +1,4 @@
-- a custom prosody config focused on high security and ease of use across (mobile) clients
-- a custom 0.9 prosody config focused on high security and ease of use across (mobile) clients
-- provided to you by the homebrewserver.club
-- the original config file (prosody.cfg.lua.original) will have more information
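Review bot: style point on the new header line, `a custom 0.9 prosody config` has a different word order from the 0.10 and 0.11 files in this commit (`a custom prosody 0.10 config`, `a custom prosody 0.11 config`); `a custom prosody 0.9 config` keeps the three headers consistent.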

View File

@ -1,4 +1,4 @@
-- a custom prosody config focused on high security and ease of use across (mobile) clients
-- a custom prosody 0.10 config focused on high security and ease of use across (mobile) clients
-- provided to you by the homebrewserver.club
-- the original config file (prosody.cfg.lua.original) will have more information