pull/1/head
lidia pereira, 2 years ago
commit 6e1e862e55
  1. content/basics_port_forwarding.md (101 lines)
  2. content/beginners_guide_to_xmpp_speak.md (117 lines)
  3. content/configuring_an_xmpp_server_prosody_0.10.md (253 lines)
  4. content/configuring_an_xmpp_server_prosody_0.11.md (245 lines)
  5. content/configuring_an_xmpp_server_prosody_0.9.md (247 lines)
  6. content/downloads/prosody.0.11.cfg.lua (91 lines)
  7. content/downloads/prosody.0.9.cfg.lua (76 lines)
  8. content/downloads/prosody.10.cfg.lua (77 lines)
  9. content/es_configuring_an_xmpp_server_prosody_0.11.md (225 lines)
  10. content/extra/favicon.ico (BIN)
  11. content/extra/featured_image_blue.png (BIN)
  12. content/extra/omemo.png (BIN)
  13. content/extra/robots.txt (3 lines)
  14. content/favicon.ico (BIN)
  15. content/have_you_considered.md (115 lines)
  16. content/images/chooser_by.png (BIN)
  17. content/images/chooser_cc.png (BIN)
  18. content/images/chooser_sa.png (BIN)
  19. content/images/conv_1.png (BIN)
  20. content/images/conv_2.png (BIN)
  21. content/images/conv_3.png (BIN)
  22. content/images/conv_4.png (BIN)
  23. content/images/conv_5.png (BIN)
  24. content/images/cs_1.png (BIN)
  25. content/images/cs_10.png (BIN)
  26. content/images/cs_11.png (BIN)
  27. content/images/cs_12.png (BIN)
  28. content/images/cs_13.png (BIN)
  29. content/images/cs_14.png (BIN)
  30. content/images/cs_15.png (BIN)
  31. content/images/cs_16.png (BIN)
  32. content/images/cs_17.png (BIN)
  33. content/images/cs_18.png (BIN)
  34. content/images/cs_19.png (BIN)
  35. content/images/cs_2.png (BIN)
  36. content/images/cs_20.png (BIN)
  37. content/images/cs_3.png (BIN)
  38. content/images/cs_4.png (BIN)
  39. content/images/cs_5.png (BIN)
  40. content/images/cs_6.png (BIN)
  41. content/images/cs_7.png (BIN)
  42. content/images/cs_8.png (BIN)
  43. content/images/cs_9.png (BIN)
  44. content/images/gajim_1.png (BIN)
  45. content/images/gajim_2.png (BIN)
  46. content/images/gajim_3.png (BIN)
  47. content/images/gajim_4.png (BIN)
  48. content/images/gajim_5.png (BIN)
  49. content/images/gajim_6.png (BIN)
  50. content/images/international-switchboard.jpg (BIN)
  51. content/images/international-switchboard11.png (BIN)
  52. content/images/international-switchboard3.png (BIN)
  53. content/images/international-switchboard6.png (BIN)
  54. content/images/lime2.png (BIN)
  55. content/images/myimage.png (BIN)
  56. content/images/nas_a10_olimex.JPG (BIN)
  57. content/images/nas_sata_cables.JPG (BIN)
  58. content/images/nas_storage_media.JPG (BIN)
  59. content/images/off-line-reading.png (BIN)
  60. content/images/port_forwarding.svg (3550 lines)
  61. content/images/seal_of_freedom.png (BIN)
  62. content/images/sps_close.png (BIN)
  63. content/images/sps_panel.png (BIN)
  64. content/images/sps_wide.png (BIN)
  65. content/nas.md (230 lines)
  66. content/pages/about.md (20 lines)
  67. content/pages/links.md (60 lines)
  68. content/set_up_an_xmpp_messenger.md (303 lines)
  69. content/solar.lowtech.md (478 lines)

101
content/basics_port_forwarding.md

@ -0,0 +1,101 @@
Title: HBSC Basics: setting up Port Forwarding on your home router
Date: 2019-01-14
Category: self-hosting basics
Tags: port forwarding, router, introduction, lan, wan
Slug: basics-port-forwarding
Description: How to set up a spare computer as a server and make it reachable over the internet.
Author: hbsc & friends
Status: draft
# UNDER CONSTRUCTION
##Introduction
The whole premise of the homebrewserver.club is the simple - yet often overlooked - fact that your home internet subscription theoretically also allows you to host on-line services. Since the internet is in its essence a bi-directional medium, anyone with an internet connection can not only look up on-line content but also host it!
In times of *cloud providers* and *virtual private servers* it is an easy thing to forget. Internet service providers (ISP) don't make it easy on you either. However, a homebrew server can be as simple as an old laptop connected directly to your home router.
In this article you will learn how to change the settings of the router provided by your ISP in order to make your homebrew server accessible from the internet!
##Requirements
To begin serving from home you need the following:
- Make sure you have physical access to your home router.
- Get to know the password of the admin user (this is usually provided in the box or written on the label on the underside of the router).
- Have an available power socket next to your router.
- Have a home server running a web server and OpenSSH running on it.
- An ethernet cable to connect your server to the router.
## Port forwarding theory
![A schematic representation depicting network address translation between a LAN and WAN](/images/port_forwarding.svg) A schematic representation depicting network address translation between a local area network and a wide area network, where ports are being forwarded from the WAN to home server on the LAN. The IP-addresses indicated in this schematic are used throught the article as for reference but might differ from your own situation.
Most home routers are configured by default to make the devices behind your router inaccessible to the internet using their inbuilt firewall. This is to prevent your private network from being public.
Machines behind your router (called your local area network or `LAN`) can make connections to the wider internet (known as `WAN`) but not the other way around.
In the case of hosting a server at home though, we DO want that server to be reachable from the internet. In order to do that we need to open so-called *ports*.
Ports are logical 'gates' that are open or closed to connections. These ports have numbers and are [standardized](https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers#Well-known_ports) for specific protocols or applications.
For example, HTTP traffic from a website would default to port `80`. HTTPS defaults to `443` and SSH defaults to port `22`.
To make our server accessible we need to open and forward those ports on the router/firewall to our server in a process called port-forwarding.
The exact method of port-forwarding differs from router to router. However, it always follows a similar scheme where you designate inbound traffic on a certain port to be forwarded to the IP address your server has on the local area network.
The effect of this is that all traffic with your home connection's IP-adress as a destination and bound for those ports will not be rejected by the firewall but forwarded to your server instead.
For this you need to have access to the administrative panel of your router.
### Find your router
To access the administrative panel of your router you need to find it's IP-address. You can do this by connecting to that router via Ethernet or Wi-Fi and then finding out what your own IP-address is.
On Debian based systems this is done like so in the terminal:
`$ ifconfig`
If you get a command not found warning try this:
`$ ip address`
This will return information on your network connection. Look for the line saying `inet`
3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether ac:ab:00:00:ac:ab brd ff:ff:ff:ff:ff:ff
inet 192.168.1.11/24 brd 192.168.1.255 scope global wlp3s0
valid_lft forever preferred_lft forever
inet6 fe80::eab1:fcff:acab:374e/64 scope link
valid_lft forever preferred_lft forever
In this case the IP-address of the machine is `192.168.1.11`. As a rule of thumb you can then change the last digit of your IP-address to either `1` or `254` to find the router.
### Log in to your home router and get to know your LAN
Using a web browser, navigate to the IP-address you found above to reveal the router's admin panel. It should provide you with a log in field where you can enter the router's admin details to get access to the control panel.
There you will see a lot of possible settings. Look at the options "LAN", "DHCP Leases" or "Network" to get an overview of all the devices.
### Connect your homeserver
Use an ethernet cable to connect your homeserver to your router. In case that it has ethernet ports in different colors/markings make sure you take something that says either `LAN` or `INET`. Once you have connected your home server to the router powered it on if you haven't already.
Have a look at your router's interface again and look for the IP-address that your server was assigned. In this guide I'll assume it was 192.168.1.10 as displayed in the graph above.
Next try to find an option called "Static (DHCP) Lease" or "DHCP Binding" or something similar in your router interface's LAN view. Then make sure to assign your server a static DHCP lease. The IP-address it has now is probably fine for that! This will make sure that the server is always reachable under the same IP-addres.
## Forward the ports
Once you've set up a static lease to your homeserver you can start port forwarding. Depending on the make of the router it can be called Port Sharing or Traffic Forwarding and can usually be found in a section of the router admin interface dealing with 'security' or 'internet'.
## Additional Resources
* [https://portforward.com/](https://portforward.com/router.htm) has a large list of routers and visual instructions on how to set up port forwarding on them.
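Review bot: the "Forward the ports" section (the lines after `## Forward the ports`) stops after saying where the setting lives and never says which ports to forward to the server's static lease, although the theory section names `80`, `443` and `22`; finish it with the rule that only the ports of services actually running on the server are forwarded to its LAN address (192.168.1.10 in the article's example), and that forwarding `22` makes OpenSSH reachable from the whole internet, so the server should be on key-based SSH login and current packages before that rule is added. Two smaller points: `##Introduction` and `##Requirements` lack the space after `##` that the other headings in this file have, so Markdown will not render them as headings; and "change the last digit of your IP-address to either `1` or `254`" should say the last octet, since `254` is not a single digit.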

117
content/beginners_guide_to_xmpp_speak.md

@ -0,0 +1,117 @@
Title: Beginners guide to XMPP-speak
Date: 2017-2-28
Category: xmpp
Tags: xmpp, lexicon, terminology
Slug: beginners-guide-to-xmpp-speak
Description: XMPP terminology, translated to plain english. Did you know you can use OMEMO E2E with MAM in a MUC?
<a name='xmpp'></a>
##XMPP
[Extensible Messaging and Presence Protocol](https://xmpp.org/about). - A communications protocol based on XML that has been in development since 1999. Ever since the standard has been incrementally developed to add more functionality. It is the underlying technology that powers a lot of well known chat applications such as WhatsApp and Google Talk.
<a name='jabber'></a>
<span style="color:#fe4a49">Jabber</span> -
The original trademarked name of the Jabber service. [Jabber.org](https://en.wikipedia.org/wiki/Jabber.org) is the original instant messaging (IM) service based on XMPP. Afterwards many different servers and clients have emerged. "Jabber" is to "XMPP", what "email" is to "SMTP" and what "web" is to "HTTP"[^jabber].
<a name='muc'></a>
<span style="color:#fe4a49">MUC</span> -
"Multi-User Chat", the jargon for groupchat in XMPP world. This feature needs to be supported by both the clients and the servers. See [XEP-0045](#xep).
<a name='roster'></a>
<span style="color:#fe4a49">ROSTER</span> -
is your list of contacts.
<span style="color:#fe4a49">JID</span> - Jabber ID / XMPP address. JID is the identifier of a user account. It looks a lot like an email address: user@server.com, but it is not. Some users might use the same name for both their email and JID but most of the time these are completely different things. Following the same logic, chatrooms also have a similar address: roomname@muc.server.com.
<a name='xep'></a>
###XEP - XMPP Extension Protocol</span>
[XEP-0045 MUC](https://xmpp.org/extensions/xep-0045.html) - defines support for Multi-User Chats, in other words, group chats.
[XEP-0163: PEP](http://xmpp.org/extensions/xep-0163.html) - Personal Eventing Protocol allows amongst other things to automatically publish avatars and OMEMO public keys.
[XEP-0313: MAM](http://xmpp.org/extensions/xep-0313.html) - Message Archive Management is an extension that allows one to receive messages while offline.
<a name='federated'></a>
<span style="color:#fe4a49">federated server</span> -
A group of servers which agreed upon certain standards to communicate with each other. Such a group is a federation of servers. The federated XMPP protocol enables the user to select a client of preference and connect to their XMPP server of choice.
<a name='centralized'></a>
<span style="color:#fe4a49">centralized service</span> -
A vertically integrated service that includes both exclusive client and server software. In this scenario, most of the time, the user can only run one specific client and only interact with other users from the same service.
### Software: Clients
As featured in our guide on [XMPP clients](http://homebrewserver.club/picking-modern-xmpp-clients.html):
<a name='conversations'></a>
[Conversations](https://conversations.im/) - Mobile client for Android.
<a name='gajim'></a>
[Gajim](https://gajim.org/) - Desktop client for Linux distributions, BSD, and Windows.
<a name='chatsecure'></a>
[ChatSecure](http://chatsecure.org/) - Mobile client for Apple iOS, 'experimental', but in active development.
Other popular clients not featured in our guide:
<a name='adium'></a>
[Adium](https://adium.im/) - Desktop client for Apple macOS. The OSX version of Pidgin
[Kaiwa](http://getkaiwa.com/) - A webclient, so it runs in the browser. Supports a lot of features and XEPs. Win/Lin/OSX
[Pidgin](https://www.pidgin.im/about/) A client which supports a number of messaging standards including XMPP. Recently implemented [support for OMEMO](https://developer.pidgin.im/ticket/16801).
[There are many more clients available](https://xmpp.org/software/clients.html). Check your local F-Droid/Google Play Store/AppStore.
### Software: Server
<a name='prosody'></a>
[Prosody](http://prosody.im/) - Open Source XMPP Server software written in [LUA](https://www.lua.org/about.html). It is actively being developed and is notable for the [large ammount of supported XEPs](http://prosody.im/doc/xeplist).
## Encryption
<a name='c2s'></a>
<span style="color:#fe4a49">C2S</span> - The connection between a client and the server.
<a name='s2s'></a>
<span style="color:#fe4a49">S2S</span> - The connection between servers.
### Transport Layer encryption
Encrypts communication while it is in transit between client and server (c2s) or from one server to another (s2s). The servers where the messages are relayed between can however still read their content. It is probably known to most people in the form of HTTPS, which indicates the communication is encrypted between your browser and the server that is hosting the website you visit.
Depending on your threat model, in case you and your contacts share the same trusted XMPP server, transport layer encryption might be enough to safeguard your privacy.
<a name='e2e'></a>
### End-To-End Encryption (e2e)
End-to-end ciphers is client side method for encrypting messages. Only the sender, and the receiver, at both ends of the communication chain, can read the message, but not the servers in between.
<a name='otr'></a>
<span style="color:#fe4a49">OTR</span> -
"Off-The-Record" is one of the older forms of e2e encryption available in some messaging clients. The big disadvantage of OTR is that both clients need to be online at the same time for the encrypted session to work. It is also not possible to synchronize OTR encrypted messages across mutliple clients.
<a name='omemo'></a>
<span style="color:#fe4a49">OMEMO</span> -
OMEMO Multi-End Message and Object Encryption, OMEMO is the XMPP implementation of the Double Ratchett encryption algorithm developed for Signal by Moxie Marlinspike at Open Whisper Systems. It is the most modern and convenient encryption mechanism that is practically invisible to the user. It also provides so-called forward secrecy, which means that every message is separatly encrypted. In the case that one cipher is intercepted by a third party, only one message can thus be decrypted.
<a name='tofu'></a>
<span style="color:#fe4a49">TOFU</span> -
Trust On First Use. A mechanism where the received fingerprint is assumed trusted immediately and is therefore checked as verified. Used in ChatSecure for OTR and OMEMO, called 'Blind Trust' in Conversations.
<a name='openpgp'></a>
<span style="color:#fe4a49">OpenPGP</span> -
Pretty good Privacy is the oldest generic method for end-to-end encryption. It requires quite some knowledge and maintenance frmo its users. OMEMO is designed to provide similar or better encryption with less hassle. To use OpenPGP in Conversation a third party app called OpenKeyChain is required.
<a name='threat'></a>
<span style="color:#fe4a49">Threat Model</span>. When thinking about security and privacy it is important to note that there is no such thing as a protection against every and any possible threats. By aiming too large and aimlessly at a universal form of privacy, there is a risk of missing obvious blind spots because of lack of resources, lack of time, and lack of knowledge to cover all possible situations. In that sense the concept of a *threat model* is very useful. In a threat model, an assessment of what has to be secured and who could be willing to acquire your information and at what cost, is established in a realistic fashion. What poses a credible threat to you and your situation? Who represents that threat? What kind of resources does this threat possesses? The answer to these questions should inform you on what kind of measures one should take and which ones have the highest priority.
Obviously this differs from situation to situation. Are you a political activists or dissident trying to organise for direct action and trying to avoid surveillance from governement agencies? Are you the user of a popular social network, trying to protect as much as possible your most confidential information from your private life? Are you an office worker trying to leak confidential information about unethical activities of your employer while remaining anonymous? Are you a user of public or private torrent trackers hoping to get away with mass downloading and uploading of whole seasons of The Great British Baking Show? Every situation is different, every situation needs a specific understanding of what is at stake and what would be the consequence if what you try to protect is exposed. Don't believe in magical solutions, do your homework.
This list is partly based [on this glossary](https://wiki.xmpp.org/web/Usability/Glossary)
This guide is a companion to our article [Have You Considered The Alternative?](http://homebrewserver.club/have-you-considered-the-alternative.html) on instant messaging. Also check out our guide on [configuring the self-hosted XMPP server Prosody](http://homebrewserver.club/configuring-a-modern-xmpp-server.html), and our guide on [XMPP clients](http://homebrewserver.club/picking-modern-xmpp-clients.html).
[^jabber]: <https://wiki.xmpp.org/web/Usability/Glossary>
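Review bot: the TOFU entry ("the received fingerprint is assumed trusted immediately and is therefore checked as verified") should add that trusting the first fingerprint only detects key changes after that point; a key substituted before first contact is accepted just as readily, so comparing fingerprints over another channel is still what turns "trusted" into verified. In the OMEMO entry, "forward secrecy, which means that every message is separatly encrypted" mixes two properties: per-message keys limit what one intercepted key reveals, while forward secrecy is the guarantee that a key compromised later cannot decrypt earlier traffic; stating them separately would be more accurate. Markup: `##XMPP` is missing the space after `##` used elsewhere in the file, and `###XEP - XMPP Extension Protocol</span>` closes a `<span>` that was never opened.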

253
content/configuring_an_xmpp_server_prosody_0.10.md

@ -0,0 +1,253 @@
Title: Configuring an XMPP server for secure, mobile instant messaging
Date: 2018-1-09
Category: xmpp
Tags: xmpp, chat, guide, instant messaging, prosody
Slug: configuring-a-modern-xmpp-server-0.10
Description: Hands-on step-by-step guide that shows how to configure Prosody 0.10 for security, mobile messaging and ease of use.
status: draft
[TOC]
Attention!
---
This article describes how to set up Prosody 0.10 and kept online only for archival reasons! You are probably looking for the following article <https://homebrewserver.club/configuring-a-modern-xmpp-server.html>
Attention!
---
This is a guide to set up a modern XMPP server focused on security and mobile messaging. The whole guide assumes Debian stable running on the server, the fact that you will end up hosting a few of your friends and that you have some basic skills working on a linux command line.
To make your server communicate make sure following ports are open in your firewall:
:::console
5222 (for client to server)
5269 (server to server)
5280 (default http port for prosody)
5281 (default https port for prosody)
Enabling HTTPS
---
First we acquire a signed HTTPS-certificate via Let's Encrypt:
This is among others required for Gajim plugins to work properly; self-generated certs will not work.
Install Certbot and get new certificates for your domain (replace myserver.org with your own):
:::console
sudo apt-get update && sudo apt-get install certbot
certbot certonly -d muc.myserver.org -d dump.myserver.org -d myserver.org
Should you succeed, you will be able to read something like:
:::console
Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/myserver.org/fullchain.pem. Your cert will
expire on 2018-01-13. To obtain a new or tweaked version of this
certificate in the future, simply run certbot-auto again. To
non-interactively renew *all* of your certificates, run
"certbot-auto renew"
Take note of the path where the certificate is stored as we will use it later.
Installing and setting up MySQL as a storage back-end
---
First update your repositories and install MySQL
:::console
apt-get update && apt-get install mysql-server
Run mysql as the root user:
:::console
mysql -u root -p
In mysql:
:::console
mysql> create database prosody;
mysql> show databases;
Result should be something like:
:::console
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| prosody |
+--------------------+
4 rows in set (0.00 sec)
Create a database account for prosody
:::console
mysql> create user prosody;
Give the user prosody the rights to access the database, make sure to change the password and take note of it
:::console
mysql> grant all on prosody.* to 'prosody'@'localhost' identified by 'userPassword';
Exit mysql:
:::console
exit;
Installing and configuring Prosody, the XMPP server
---
Install the newest version of Prosody and its dependencies from the official prosody repository:
:::console
echo deb http://packages.prosody.im/debian $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list
wget https://prosody.im/files/prosody-debian-packages.key -O- | sudo apt-key add -
sudo apt get update && apt-get install prosody lua-dbi-mysql lua-zlib lua-sec
Add the Let's Encrypt Certificates to Prosody and make sure Prosody can use them
:::console
cp /etc/letsencrypt/live/myserver.org/*.pem /etc/prosody/certs/
Make sure the certificates are owned by prosody and legible only by root:
:::console
chown -R prosody:prosody /etc/prosody/
chmod -R 700 /etc/prosody/certs/
Install the newest prosody plugins:
:::console
apt-get install mercurial
cd /usr/src
hg clone https://hg.prosody.im/prosody-modules/ prosody-modules
Make a backup of the default prosody configuration and install [the one by the homebrewserver.club](https://homebrewserver.club/downloads/prosody.0.10.cfg.lua)
:::console
cd /etc/prosody
cp prosody.cfg.lua prosody.cfg.lua.original
wget https://homebrewserver.club/downloads/prosody.0.10.cfg.lua -O prosody.cfg.lua
The homebrewserver.club prosody config:
:::console
-- a custom prosody config focused on high security and ease of use across (mobile) clients
-- provided to you by the homebrewserver.club
-- the original config file (prosody.cfg.lua.original) will have more information
plugin_paths = { "/usr/src/prosody-modules" } -- non-standard plugin path so we can keep them up to date with mercurial
modules_enabled = {
"roster"; -- Allow users to have a roster. Recommended ;)
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
"tls"; -- Add support for secure TLS on c2s/s2s connections
"dialback"; -- s2s dialback support
"disco"; -- Service discovery
"posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
"private"; -- Private XML storage (for room bookmarks, etc.)
"vcard"; -- Allow users to set vCards
"version"; -- Replies to server version requests
"uptime"; -- Report how long server has been running
"time"; -- Let others know the time here on this server
"ping"; -- Replies to XMPP pings with pongs
"register"; --Allows clients to register an account on your server
"pep"; -- Enables users to publish their mood, activity, playing music and more
"carbons"; -- XEP-0280: Message Carbons, synchronize messages accross devices
"smacks"; -- XEP-0198: Stream Management, keep chatting even when the network drops for a few seconds
"mam"; -- XEP-0313: Message Archive Management, allows to retrieve chat history from server
"csi"; -- XEP-0352: Client State Indication
"http"; -- mod_http needed for XEP-363
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
"blocklist"; -- XEP-0191 blocking of users
--"cloud_notify"; -- Support for XEP-0357 Push Notifications for compatibility with ChatSecure/iOS.
-- iOS typically end the connection when an app runs in the background and requires use of Apple's Push servers to wake up and receive a message. Enabling this module allows your server to do that for your contacts on iOS.
-- However we leave it commented out as it is another example of vertically integrated cloud platforms at odds with federation, with all the meta-data-based surveillance consequences that that might have.
"omemo_all_access"; -- Allow for OMEMO E2E between contacts that haven't added each other
"pep_vcard_avatar"; -- use XEP-0153: vCard-Based Avatars to see the avatars of clients that use XEP-0084: User Avatar and vice versa.
};
allow_registration = false; -- Enable to allow people to register accounts on your server from their clients, for more information see http://prosody.im/doc/creating_accounts
-- These are the SSL/TLS-related settings.
ssl = {
certificate = "/etc/prosody/certs/fullchain.pem";
key = "/etc/prosody/certs/privkey.pem";
}
c2s_require_encryption = true -- Force clients to use encrypted connections
-- Force certificate authentication for server-to-server connections?
-- This provides ideal security, but requires servers you communicate
-- with to support encryption AND present valid, trusted certificates.
-- NOTE: Your version of LuaSec must support certificate verification!
-- For more information see http://prosody.im/doc/s2s#security
s2s_secure_auth = false
pidfile = "/var/run/prosody/prosody.pid"
authentication = "internal_hashed"
storage = "sql"
-- Make sure to change the password
sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "userPassword", host = "localhost" }
log = {
info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
error = "/var/log/prosody/prosody.err";
"*syslog";
}
VirtualHost "myserver.org"
-- Enable http_upload to allow image sharing across multiple devices and clients
Component "dump.myserver.org" "http_upload"
---Set up a MUC (multi-user chat) room server on conference.example.com:
Component "muc.myserver.org" "muc"
Replace all instances of the placeholder domain name and passwords in the config file with your own:
:::console
sed -i 's/myserver.org/yourdomain.net/g' prosody.cfg.lua && sed -i 's/userPassword/yourownpassword/g' prosody.cfg.lua
Alternatively you can change them by hand. They are on line 62, 70, 73, 76 of prosody.cfg.lua
Finishing up
---
After you've set up all of the above it is time to start the server:
:::console
/etc/init.d/prosody restart
Users can be added from the command line, you will also be prompted for a password:
:::console
prosodyctl adduser me@myserver.org
Alternatively you can change "allow_registration = false;" to "allow_registration = true;" in the config (line 35) to allow users to register accounts on your server via their clients.
Now you can try connecting to your own server by using a client like Gajim or Conversations. Login with the above configured username and password.
If you have questions about Prosody, the project's [documentation](http://prosody.im/doc) is quite good. If you can't find answers there, try contacting prosody developers and users directly via [the Prosody XMPP chatroom](xmpp://prosody.conference.prosody.im?join)
This guide is a companion to our article [Have You Considered The Alternative?](http://homebrewserver.club/have-you-considered-the-alternative.html) on instant messaging. Also check out our guide on [XMPP clients](http://homebrewserver.club/picking-modern-xmpp-clients.html).
**edit 9th of january 2018**
updated config for new debian stable and prosody 0.10
Previous articles descibed how to set up [Prosody 0.9](https://homebrewserver.club/drafts/configuring-a-modern-xmpp-server-0.9.html)
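Review bot: "Make sure the certificates are owned by prosody and legible only by root" contradicts the commands that follow it (`chown -R prosody:prosody /etc/prosody/` then `chmod -R 700 /etc/prosody/certs/`), which make the key readable by the prosody user and nobody else; the commands are the right ones, since Prosody has to read `privkey.pem`, so the sentence should say "readable only by the prosody user". Related: `cp /etc/letsencrypt/live/myserver.org/*.pem /etc/prosody/certs/` is a one-time copy, while the certbot output quoted above says the cert expires on 2018-01-13 and is renewed with `certbot-auto renew`; the guide should say that the copy (and the `chown`/`chmod`) has to be repeated after every renewal, or done by a renewal hook, or Prosody will keep serving the expired certificate. Typo in the install step: `sudo apt get update && apt-get install ...` should read `sudo apt-get update && sudo apt-get install ...`. Finally, the config ships with `s2s_secure_auth = false` next to `c2s_require_encryption = true`; the comment explains the trade-off, but "Finishing up" could state plainly that other servers are therefore not required to present valid certificates when federating with this one.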

245
content/configuring_an_xmpp_server_prosody_0.11.md

@ -0,0 +1,245 @@
Title: Configuring an XMPP server for secure, mobile instant messaging
Date: 2018-11-17
Category: xmpp
Tags: xmpp, chat, guide, instant messaging, prosody
Slug: configuring-a-modern-xmpp-server
Summary: Hands-on step-by-step guide that shows how to set up a federated chat server based on Prosody 0.11 configured for security, mobile messaging, rich features and ease of use.
Status: Published
[TOC]
Introduction
---
This is a guide to set up a modern XMPP server focused on security and mobile messaging. The whole guide assumes Debian stable running on the server, the fact that you will end up hosting a few of your friends and that you have some basic skills working on a linux command line.
Please note that if you've followed this guide in the past you might need to have a look at [the update considerations](#attention-upgrading-from-previous-versions)
Set up firewall and DNS
----
To make your server communicate make sure following ports are open in your firewall:
:::console
5000 (for proxying large file transfers between clients)
5222 (for client to server)
5269 (server to server)
5281 (default https port for prosody)
Additionally make sure you have set up a domain name and have A-records for the following subdomains:
:::console
groups.myserver.org (for the groupchats)
upload.myserver.org (for the HTTP-Upload component)
proxy.myserver.org (for the file transfer proxy)
This guide uses the ones above but feel free to come up with more creative subdomains :)
Enabling HTTPS
---
First we acquire a signed HTTPS-certificate via [Let's Encrypt](https://letsencrypt.org/):
This is among others required for Gajim plugins to work properly; self-generated certs will not work.
Install Certbot and get new certificates for your domain (replace myserver.org with your own):
:::console
sudo apt-get update && sudo apt-get install certbot
certbot certonly -d myserver.org
certbot certonly -d groups.myserver.org
certbot certonly -d upload.myserver.org
certbot certonly -d proxy.myserver.org
Pick an authentication method that [best fits your situation](https://certbot.eff.org/docs/using.html#getting-certificates-and-choosing-plugins). If you don't have a webserver running, using the 'standalone' option works well.
Should you succeed, you will be able to read something like:
:::console
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/myserver.org/fullchain.pem. Your
cert will expire on 2019-02-15. To obtain a new or tweaked version
of this certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
Installing and configuring Prosody, the XMPP server
---
Install the newest version of Prosody and its dependencies from the official prosody repository:
:::console
echo deb http://packages.prosody.im/debian $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list
wget https://prosody.im/files/prosody-debian-packages.key -O- | sudo apt-key add -
sudo apt-get update && sudo apt-get install prosody lua-sec
Install the newest prosody plugins:
:::console
apt-get install mercurial
cd /usr/src
hg clone https://hg.prosody.im/prosody-modules/ prosody-modules
Make a backup of the default prosody configuration and install [the one by the homebrewserver.club](https://homebrewserver.club/downloads/prosody.0.11.cfg.lua)
:::console
cd /etc/prosody
cp prosody.cfg.lua prosody.cfg.lua.original
wget https://homebrewserver.club/downloads/prosody.0.11.cfg.lua -O prosody.cfg.lua
The homebrewserver.club prosody config
---
:::console
-- a custom prosody config focused on high security and ease of use across (mobile) clients
-- provided to you by the homebrewserver.club
-- the original config file (prosody.cfg.lua.original) will have more information
plugin_paths = { "/usr/src/prosody-modules" } -- non-standard plugin path so we can keep them up to date with mercurial
modules_enabled = {
"roster"; -- Allow users to have a roster. Recommended ;)
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
"tls"; -- Add support for secure TLS on c2s/s2s connections
"dialback"; -- s2s dialback support
"disco"; -- Service discovery
"private"; -- Private XML storage (for room bookmarks, etc.)
"vcard4"; -- User Profiles (stored in PEP)
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
"version"; -- Replies to server version requests
"uptime"; -- Report how long server has been running
"time"; -- Let others know the time here on this server
"ping"; -- Replies to XMPP pings with pongs
"register"; --Allows clients to register an account on your server
"pep"; -- Enables users to publish their mood, activity, playing music and more
"carbons"; -- XEP-0280: Message Carbons, synchronize messages accross devices
"smacks"; -- XEP-0198: Stream Management, keep chatting even when the network drops for a few seconds
"mam"; -- XEP-0313: Message Archive Management, allows to retrieve chat history from server
"csi_simple"; -- XEP-0352: Client State Indication
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
"blocklist"; -- XEP-0191 blocking of users
"bookmarks"; -- Synchronize currently joined groupchat between different clients.
--"cloud_notify"; -- Support for XEP-0357 Push Notifications for compatibility with ChatSecure/iOS.
-- iOS typically end the connection when an app runs in the background and requires use of Apple's Push servers to wake up and receive a message. Enabling this module allows your server to do that for your contacts on iOS.
-- However we leave it commented out as it is another example of vertically integrated cloud platforms at odds with federation, with all the meta-data-based surveillance consequences that that might have.
"server_contact_info"; --add contact info in the case of issues with the server
};
allow_registration = false; -- Enable to allow people to register accounts on your server from their clients, for more information see http://prosody.im/doc/creating_accounts
certificates = "/etc/prosody/certs"
https_certificate = "certs/uploads.myserver.org.crt"
c2s_require_encryption = true -- Force clients to use encrypted connections
-- Force certificate authentication for server-to-server connections?
-- This provides ideal security, but requires servers you communicate
-- with to support encryption AND present valid, trusted certificates.
-- NOTE: Your version of LuaSec must support certificate verification!
-- For more information see http://prosody.im/doc/s2s#security
s2s_secure_auth = true
pidfile = "/var/run/prosody/prosody.pid"
authentication = "internal_hashed"
-- Archiving
-- If mod_mam is enabled, Prosody will store a copy of every message. This
-- is used to synchronize conversations between multiple clients, even if
-- they are offline. This setting controls how long Prosody will keep
-- messages in the archive before removing them.
archive_expires_after = "1w" -- Remove archived messages after 1 week
disco_items = { -- allows clients to find the capabilities of your server
{"upload.myserver.org", "file uploads"};
{"groups.myserver.org", "group chats"};
}
log = { --disable for extra privacy
info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
error = "/var/log/prosody/prosody.err";
"*syslog";
}
VirtualHost "myserver.org"
-- Enable http_upload to allow image sharing across multiple devices and clients
Component "upload.myserver.org" "http_upload"
-- Enable groupchats on your server
Component "groups.myserver.org" "muc"
modules_enabled = { "muc_mam", "vcard_muc" } --enable archives and avatars for groupchats
-- Set up a file transfer proxy to facilitate clients sending larger files to each other
Component "proxy.myserver.org" "proxy65"
Replace all instances of the placeholder domain name with `yourdomain` in the config file with your own:
:::console
sed -i 's/myserver.org/yourdomain/g' prosody.cfg.lua
Alternatively you can change them by hand. They are on lines 70, 81, 84, 88, 91 of prosody.cfg.lua
Make Prosody import the LetsEncrypt certificates:
:::console
prosodyctl --root cert import /etc/letsencrypt/live
You might get the following output:
:::console
Imported certificate and key for hosts myserver.org, groups.myserver.org, uploads.myserver.org, proxy.myserver.org
However, no need to worry since the last certificate contains information for all the above subdomains.
Finishing up
---
Add an entry to cron to automatically renew LetsEncrypt certificates
:::console
sudo crontab -e
And add:
:::console
0 4 0 * 0 /usr/bin/certbot renew --renew-hook "prosodyctl --root cert import /etc/letsencrypt/live" --quiet
This will check and renew the certificates every week on sunday at 04:00.
After you've set up all of the above it is time to start the server:
:::console
/etc/init.d/prosody restart
Users can be added from the command line, you will also be prompted for a password:
:::console
prosodyctl adduser me@myserver.org
Alternatively you can change `allow_registration = false;` to `allow_registration = true;` in the config (line 35) to allow users to register accounts on your server via their clients.
Now you can try connecting to your own server by using a client like Gajim or Conversations. Login with the above configured username and password.
If you have questions about Prosody, the project's [documentation](http://prosody.im/doc) is quite good. If you can't find answers there, try contacting prosody developers and users directly via [the Prosody XMPP chatroom](xmpp:prosody.conference.prosody.im?join)
This guide is a companion to our article [Have You Considered The Alternative?](http://homebrewserver.club/have-you-considered-the-alternative.html) on instant messaging. Also check out our guide on [XMPP clients](http://homebrewserver.club/picking-modern-xmpp-clients.html).
Attention: Upgrading From Previous Versions
---
Previous versions of this guide[^1] included instructions how to set up a MySQL/MariaDB database back-end. That is because earlier versions of prosody had SQL as a dependency for message archiving. This is no longer the case. The new guide is lighter and leaves out MySQL/MariaDB in favor of the inbuilt file-based storage. This should be sufficient for hundreds of users.
When upgrading to prosody 0.11 on a server using sql make sure to run database upgrades with:
:::console
prosodyctl mod_storage_sql upgrade
[^1]: Previous articles descibed how to set up [Prosody 0.9](https://homebrewserver.club/drafts/configuring-a-modern-xmpp-server-0.9.html) and [Prosody 0.10](https://homebrewserver.club/drafts/configuring-a-modern-xmpp-server-0.10.html)
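Review bot: the crontab line on L624 (`0 4 0 * 0 ...`) never runs: its third field is day-of-month, whose range is 1-31, so Debian's cron rejects the entry when the crontab is saved; the "every Sunday at 04:00" the text on L625 promises is `0 4 * * 0 /usr/bin/certbot renew --deploy-hook "prosodyctl --root cert import /etc/letsencrypt/live" --quiet` (`--renew-hook` still works but current certbot calls it `--deploy-hook`). After the first renewal, check that Prosody really serves the new certificate with `openssl s_client -starttls xmpp -connect myserver.org:5222 | openssl x509 -noout -dates`. Second, L616 claims "the last certificate contains information for all the above subdomains", but L507-L510 request four separate single-name certificates, so the per-host import output on L615 is the normal result and the sentence is misleading; either drop it or issue one SAN certificate with `certbot certonly -d myserver.org -d groups.myserver.org -d upload.myserver.org -d proxy.myserver.org`. Third, the host is spelled `uploads.myserver.org` on L573 and L615 but `upload.myserver.org` on L509, L590 and L600; no certificate is ever requested for `uploads`, so `https_certificate = "certs/uploads.myserver.org.crt"` (L573) points at a file the import does not create. Fourth, the hard-coded line numbers on L609 ("lines 70, 81, 84, 88, 91") and L632 ("line 35") drift with every edit to the shipped config; `grep -n myserver.org prosody.cfg.lua` is the safer instruction. Finally, L529-L531 clone prosody-modules at the repository tip and L543 loads modules straight from that checkout, so every later `hg pull -u` changes code running inside the XMPP server without review; record the deployed revision with `hg id` and read the diff before updating.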

247
content/configuring_an_xmpp_server_prosody_0.9.md

@ -0,0 +1,247 @@
Title: Configuring an XMPP server for secure, mobile instant messaging
Date: 2017-3-07
Category: xmpp
Tags: xmpp, chat, guide, instant messaging, prosody
Slug: configuring-a-modern-xmpp-server-0.9
Description: Hands-on step-by-step guide that shows how to configure Prosody for security, mobile messaging and ease of use.
Status: draft
Attention!
---
This article describes how to set up Prosody 0.9 and kept online only for archival reasons! You are probably looking for the following article <https://homebrewserver.club/configuring-a-modern-xmpp-server.html>
Attention!
---
This is a guide to set up a modern XMPP server focused on security and mobile messaging. The whole guide assumes Debian stable running on the server, the fact that you will end up hosting a few of your friends and that you have some basic skills working on a linux command line.
To make your server communicate make sure following ports are open in your firewall:
:::console
5222 (for client to server)
5269 (server to server)
5280 (default http port for prosody)
5281 (default https port for prosody)
Enabling HTTPS
---
First we acquire a signed HTTPS-certificate via Let's Encrypt:
This is among others required for Gajim plugins to work properly; self-generated certs will not work.
Install Certbot and get new certificates for your domain (replace myserver.org with your own):
:::console
sudo apt-get update && sudo apt-get install certbot
certbot certonly -d muc.myserver.org -d dump.myserver.org -d myserver.org
Should you succeed, you will be able to read something like:
:::console
Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/myserver.org/fullchain.pem. Your cert will
expire on 2017-02-13. To obtain a new or tweaked version of this
certificate in the future, simply run certbot-auto again. To
non-interactively renew *all* of your certificates, run
"certbot-auto renew"
Take note of the path where the certificate is stored as we will use it later.
Installing and setting up MySQL as a storage back-end
---
First update your repositories and install MySQL
:::console
apt-get update && apt-get install mysql-server
Run mysql as the root user:
:::console
mysql -u root -p
In mysql:
:::console
mysql> create database prosody;
mysql> show databases;
Result should be something like:
:::console
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| prosody |
+--------------------+
4 rows in set (0.00 sec)
Create a database account for prosody
:::console
mysql> create user prosody;
Give the user prosody the rights to access the database, make sure to change the password and take note of it
:::console
mysql> grant all on prosody.* to 'prosody'@'localhost' identified by 'userPassword';
Exit mysql:
:::console
exit;
Installing and configuring Prosody, the XMPP server
---
Install the newest version of Prosody and its dependencies from the official prosody repository:
:::console
echo deb http://packages.prosody.im/debian $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list
wget https://prosody.im/files/prosody-debian-packages.key -O- | sudo apt-key add -
sudo apt get update && apt-get install prosody lua-dbi-mysql lua-zlib
Add the Let's Encrypt Certificates to Prosody and make sure Prosody can use them
:::console
cp /etc/letsencrypt/live/myserver.org/*.pem /etc/prosody/certs/
Make sure the certificates are owned by prosody and legible only by root:
:::console
chown -R prosody:prosody /etc/prosody/
chmod -R 700 /etc/prosody/certs/
Install the newest prosody plugins:
:::console
apt-get install mercurial
cd /usr/src
hg clone https://hg.prosody.im/prosody-modules/ prosody-modules
Make a backup of the default prosody configuration and install [the one by the homebrewserver.club](https://homebrewserver.club/downloads/prosody.0.9.cfg.lua)
:::console
cd /etc/prosody
cp prosody.cfg.lua prosody.cfg.lua.original
wget https://homebrewserver.club/downloads/prosody.0.9.cfg.lua -O prosody.cfg.lua
The homebrewserver.club prosody config:
:::console
-- a custom prosody config focused on high security and ease of use across (mobile) clients
-- provided to you by the homebrewserver.club
-- the original config file (prosody.cfg.lua.original) will have more information
plugin_paths = { "/usr/src/prosody-modules" } -- non-standard plugin path so we can keep them up to date with mercurial
modules_enabled = {
"roster"; -- Allow users to have a roster. Recommended ;)
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
"tls"; -- Add support for secure TLS on c2s/s2s connections
"dialback"; -- s2s dialback support
"disco"; -- Service discovery
"posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
"private"; -- Private XML storage (for room bookmarks, etc.)
"vcard"; -- Allow users to set vCards
"compression"; -- Stream compression (requires the lua-zlib package installed)
"version"; -- Replies to server version requests
"uptime"; -- Report how long server has been running
"time"; -- Let others know the time here on this server
"ping"; -- Replies to XMPP pings with pongs
"register"; --Allows clients to register an account on your server
"pep"; -- Enables users to publish their mood, activity, playing music and more
"carbons"; -- XEP-0280: Message Carbons, synchronize messages accross devices
"smacks"; -- XEP-0198: Stream Management, keep chatting even when the network drops for a few seconds
"mam"; -- XEP-0313: Message Archive Management, allows to retrieve chat history from server
"csi"; -- XEP-0352: Client State Indication
"http"; -- mod_http needed for XEP-363
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
"blocking"; -- XEP-0198 blocking of users
--"cloud_notify"; -- Support for XEP-0357 Push Notifications for compatibility with ChatSecure/iOS.
-- iOS typically end the connection when an app runs in the background and requires use of Apple's Push servers to wake up and receive a message. Enabling this module allows your server to do that for your contacts on iOS.
-- However we leave it commented out as it is another example of vertically integrated cloud platforms at odds with federation, with all the meta-data-based surveillance consequences that that might have.
};
allow_registration = false; -- Enable to allow people to register accounts on your server from their clients, for more information see http://prosody.im/doc/creating_accounts
-- These are the SSL/TLS-related settings.
ssl = {
certificate = "/etc/prosody/certs/fullchain.pem";
key = "/etc/prosody/certs/privkey.pem";
}
c2s_require_encryption = true -- Force clients to use encrypted connections
-- Force certificate authentication for server-to-server connections?
-- This provides ideal security, but requires servers you communicate
-- with to support encryption AND present valid, trusted certificates.
-- NOTE: Your version of LuaSec must support certificate verification!
-- For more information see http://prosody.im/doc/s2s#security
s2s_secure_auth = false
pidfile = "/var/run/prosody/prosody.pid"
authentication = "internal_hashed"
storage = "sql"
-- Make sure to change the password
sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "userPassword", host = "localhost" }
log = {
info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
error = "/var/log/prosody/prosody.err";
"*syslog";
}
VirtualHost "myserver.org"
-- Enable http_upload to allow image sharing across multiple devices and clients
Component "dump.myserver.org" "http_upload"
---Set up a MUC (multi-user chat) room server on conference.example.com:
Component "muc.myserver.org" "muc"
compression_level = 9
Replace all instances of the placeholder domain name and passwords in the config file with your own:
:::console
sed -i 's/myserver.org/yourdomain.net/g' prosody.cfg.lua && sed -i 's/userPassword/yourownpassword/g' prosody.cfg.lua
Alternatively you can change them by hand. They are on line 61, 69, 72, 75 of prosody.cfg.lua
Finishing up
---
After you've set up all of the above it is time to start the server:
:::console
/etc/init.d/prosody restart
Users can be added from the command line, you will also be prompted for a password:
:::console
prosodyctl adduser me@myserver.org
Alternatively you can change "allow_registration = false;" to "allow_registration = true;" in the config (line 35) to allow users to register accounts on your server via their clients.
Now you can try connecting to your own server by using a client like Gajim or Conversations. Login with the above configured username and password.
If you have questions about Prosody, the project's [documentation](http://prosody.im/doc) is quite good. If you can't find answers there, try contacting prosody developers and users directly via [the Prosody XMPP chatroom](xmpp://prosody.conference.prosody.im?join)
This guide is a companion to our article [Have You Considered The Alternative?](http://homebrewserver.club/have-you-considered-the-alternative.html) on instant messaging. Also check out our guide on [XMPP clients](http://homebrewserver.club/picking-modern-xmpp-clients.html).
**edit 10th of december 2017**
updated instructions for new debian stable
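Review bot: L709 `create user prosody;` creates the account `'prosody'@'%'` with an empty password, and the `grant ... identified by` on L712 then creates a second account `'prosody'@'localhost'`; the first one is left behind, passwordless and reachable from every host the MySQL listener accepts. Drop L709 and create the user explicitly (`create user 'prosody'@'localhost' identified by 'userPassword';` then `grant all on prosody.* to 'prosody'@'localhost';`), and verify with `select user,host from mysql.user;`. Also: L722 `sudo apt get update` is a typo for `apt-get update` (and the second command lacks the `sudo` that L720-L721 use); L725-L729 copy the Let's Encrypt files once with no renewal step, so TLS starts failing when the certificate on L679 expires, and the comment "legible only by root" contradicts `chown -R prosody:prosody /etc/prosody/`, which also hands the config holding the database password (L790) to the service account; L755 `compression` plus `compression_level = 9` (L801) compresses the stream inside TLS, which lets an attacker who can inject chosen text into a conversation recover other secrets in the stream (CRIME-class attack) and should be removed from a config that calls itself high security; L785 `s2s_secure_auth = false` belongs in the same caveat; L768 mislabels blocking as XEP-0198 (that is Stream Management, L763; blocking is XEP-0191) and L766 means XEP-0363; L799 still talks about conference.example.com; L816 `xmpp://` should be `xmpp:` as on L634.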

91
content/downloads/prosody.0.11.cfg.lua

@ -0,0 +1,91 @@
-- a custom prosody 0.11 config focused on high security and ease of use across (mobile) clients
-- provided to you by the homebrewserver.club
-- the original config file (prosody.cfg.lua.original) will have more information
-- https://homebrewserver.club/configuring-a-modern-xmpp-server.html
plugin_paths = { "/usr/src/prosody-modules" } -- non-standard plugin path so we can keep them up to date with mercurial
modules_enabled = {
"roster"; -- Allow users to have a roster. Recommended ;)
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
"tls"; -- Add support for secure TLS on c2s/s2s connections
"dialback"; -- s2s dialback support
"disco"; -- Service discovery
"private"; -- Private XML storage (for room bookmarks, etc.)
"vcard4"; -- User Profiles (stored in PEP)
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
"version"; -- Replies to server version requests
"uptime"; -- Report how long server has been running
"time"; -- Let others know the time here on this server
"ping"; -- Replies to XMPP pings with pongs
"register"; --Allows clients to register an account on your server
"pep"; -- Enables users to publish their mood, activity, playing music and more
"carbons"; -- XEP-0280: Message Carbons, synchronize messages accross devices
"smacks"; -- XEP-0198: Stream Management, keep chatting even when the network drops for a few seconds
"mam"; -- XEP-0313: Message Archive Management, allows to retrieve chat history from server
"csi_simple"; -- XEP-0352: Client State Indication
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
"blocklist"; -- XEP-0191 blocking of users
"bookmarks"; -- Synchronize currently joined groupchat between different clients.
"server_contact_info"; --add contact info in the case of issues with the server
--"cloud_notify"; -- Support for XEP-0357 Push Notifications for compatibility with ChatSecure/iOS.
-- iOS typically end the connection when an app runs in the background and requires use of Apple's Push servers to wake up and receive a message. Enabling this module allows your server to do that for your contacts on iOS.
-- However we leave it commented out as it is another example of vertically integrated cloud platforms at odds with federation, with all the meta-data-based surveillance consequences that that might have.
};
allow_registration = false; -- Enable to allow people to register accounts on your server from their clients, for more information see http://prosody.im/doc/creating_accounts
certificates = "/etc/prosody/certs" -- Path where prosody looks for the certificates see: https://prosody.im/doc/letsencrypt
https_certificate = "certs/groups.myserver.org.crt"
c2s_require_encryption = true -- Force clients to use encrypted connections
-- Force certificate authentication for server-to-server connections?
-- This provides ideal security, but requires servers you communicate
-- with to support encryption AND present valid, trusted certificates.
-- NOTE: Your version of LuaSec must support certificate verification!
-- For more information see http://prosody.im/doc/s2s#security
s2s_secure_auth = true
pidfile = "/var/run/prosody/prosody.pid"
authentication = "internal_hashed"
-- Archiving
-- If mod_mam is enabled, Prosody will store a copy of every message. This
-- is used to synchronize conversations between multiple clients, even if
-- they are offline. This setting controls how long Prosody will keep
-- messages in the archive before removing them.
archive_expires_after = "1w" -- Remove archived messages after 1 week
log = { --disable for extra privacy
info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
error = "/var/log/prosody/prosody.err";
"*syslog";
}
disco_items = { -- allows clients to find the capabilities of your server
{"upload.myserver.org", "file uploads"};
{"groups.myserver.org", "group chats"};
}
-- add contact information for other server admins to contact you about issues regarding your server
-- this is particularly important if you enable public registrations
-- contact_info = {
-- admin = { "mailto:username@myserver.org", "xmpp:username@myserver.org" };
--};
VirtualHost "myserver.org"
-- Enable http_upload to allow image sharing across multiple devices and clients
Component "upload.myserver.org" "http_upload"
---Allow setting up groupchats on this subdomain:
Component "groups.myserver.org" "muc"
modules_enabled = { "muc_mam", "vcard_muc" } -- enable archives and avatars for group chats
-- Set up a file transfer proxy to facilitate clients sending larger files to each other
Component "proxy.myserver.org" "proxy65"
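Review bot: L859 `https_certificate = "certs/groups.myserver.org.crt"` selects the wrong certificate for the HTTPS listener: the only HTTP service in this file is `http_upload` on `upload.myserver.org` (L891), and the upload and download URLs it hands to clients carry that hostname, so port 5281 presents a certificate for `groups.myserver.org` and any client that validates the name refuses the transfer. Point it at `certs/upload.myserver.org.crt`, the file `prosodyctl cert import` writes for that host, and keep it in sync with the inline copy of this config in the guide (L573 uses a third spelling, `uploads`). Second, L852 enables `server_contact_info` while L886-L888 leave `contact_info` commented out, so the module advertises nothing; L885 itself says the contact matters once registration is opened, so either uncomment it with real addresses or drop the module. Minor: L845 "accross".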

76
content/downloads/prosody.0.9.cfg.lua

@ -0,0 +1,76 @@
-- a custom 0.9 prosody config focused on high security and ease of use across (mobile) clients
-- provided to you by the homebrewserver.club
-- the original config file (prosody.cfg.lua.original) will have more information
plugin_paths = { "/usr/src/prosody-modules" } -- non-standard plugin path so we can keep them up to date with mercurial
modules_enabled = {
"roster"; -- Allow users to have a roster. Recommended ;)
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
"tls"; -- Add support for secure TLS on c2s/s2s connections
"dialback"; -- s2s dialback support
"disco"; -- Service discovery
"posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
"private"; -- Private XML storage (for room bookmarks, etc.)
"vcard"; -- Allow users to set vCards
"compression"; -- Stream compression (requires the lua-zlib package installed)
"version"; -- Replies to server version requests
"uptime"; -- Report how long server has been running
"time"; -- Let others know the time here on this server
"ping"; -- Replies to XMPP pings with pongs
"register"; --Allows clients to register an account on your server
"pep"; -- Enables users to publish their mood, activity, playing music and more
"carbons"; -- XEP-0280: Message Carbons, synchronize messages accross devices
"smacks"; -- XEP-0198: Stream Management, keep chatting even when the network drops for a few seconds
"mam"; -- XEP-0313: Message Archive Management, allows to retrieve chat history from server
"csi"; -- XEP-0352: Client State Indication
"http"; -- mod_http needed for XEP-363
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
"blocking"; -- XEP-0198 blocking of users
--"cloud_notify"; -- Support for XEP-0357 Push Notifications for compatibility with ChatSecure/iOS.
-- iOS typically end the connection when an app runs in the background and requires use of Apple's Push servers to wake up and receive a message. Enabling this module allows your server to do that for your contacts on iOS.
-- However we leave it commented out as it is another example of vertically integrated cloud platforms at odds with federation, with all the meta-data-based surveillance consequences that that might have.
};
allow_registration = false; -- Enable to allow people to register accounts on your server from their clients, for more information see http://prosody.im/doc/creating_accounts
-- These are the SSL/TLS-related settings.
ssl = {
certificate = "/etc/prosody/certs/fullchain.pem";
key = "/etc/prosody/certs/privkey.pem";
}
c2s_require_encryption = true -- Force clients to use encrypted connections
-- Force certificate authentication for server-to-server connections?
-- This provides ideal security, but requires servers you communicate
-- with to support encryption AND present valid, trusted certificates.
-- NOTE: Your version of LuaSec must support certificate verification!
-- For more information see http://prosody.im/doc/s2s#security
s2s_secure_auth = false
pidfile = "/var/run/prosody/prosody.pid"
authentication = "internal_hashed"
storage = "sql"
-- Make sure to change the password
sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "userPassword", host = "localhost" }
log = {
info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
error = "/var/log/prosody/prosody.err";
"*syslog";
}
VirtualHost "placeholderdomain.org"
-- Enable http_upload to allow image sharing across multiple devices and clients
Component "dump.placeholderdomain.org" "http_upload"
---Set up a MUC (multi-user chat) room server on conference.example.com:
Component "muc.placeholderdomain.org" "muc"
compression_level = 9
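Review bot: L956-L960 use the placeholder `placeholderdomain.org`, but the guide that installs this file substitutes `myserver.org` (L804), so the `sed` leaves the placeholder untouched and Prosody comes up serving `placeholderdomain.org`; use the same placeholder as the inline copy on L796-L800. Second, L915 `compression` together with `compression_level = 9` on L961 compresses the stream inside TLS, which lets an attacker who can inject chosen text into a conversation recover other secrets in the stream (CRIME-class attack); remove both from a file described on L902 as "focused on high security", and state the trade-off of L945 (`s2s_secure_auth = false`) explicitly, since it accepts federation peers without a valid certificate. Also: L950 stores the database password in clear, so the file must stay unreadable to other local users (for instance `chmod 640` with group `prosody`); L928 should read XEP-0191 (XEP-0198 is Stream Management, L923) and L926 XEP-0363; L959 still mentions conference.example.com.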

77
content/downloads/prosody.10.cfg.lua

@ -0,0 +1,77 @@
-- a custom prosody 0.10 config focused on high security and ease of use across (mobile) clients
-- provided to you by the homebrewserver.club
-- the original config file (prosody.cfg.lua.original) will have more information
plugin_paths = { "/usr/src/prosody-modules" } -- non-standard plugin path so we can keep them up to date with mercurial
modules_enabled = {
"roster"; -- Allow users to have a roster. Recommended ;)
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
"tls"; -- Add support for secure TLS on c2s/s2s connections
"dialback"; -- s2s dialback support
"disco"; -- Service discovery
"posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
"private"; -- Private XML storage (for room bookmarks, etc.)
"vcard"; -- Allow users to set vCards
"version"; -- Replies to server version requests
"uptime"; -- Report how long server has been running
"time"; -- Let others know the time here on this server
"ping"; -- Replies to XMPP pings with pongs
"register"; --Allows clients to register an account on your server
"pep"; -- Enables users to publish their mood, activity, playing music and more
"carbons"; -- XEP-0280: Message Carbons, synchronize messages accross devices
"smacks"; -- XEP-0198: Stream Management, keep chatting even when the network drops for a few seconds
"mam"; -- XEP-0313: Message Archive Management, allows to retrieve chat history from server
"csi"; -- XEP-0352: Client State Indication
"http"; -- mod_http needed for XEP-363
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
"blocklist"; -- XEP-0191 blocking of users
--"cloud_notify"; -- Support for XEP-0357 Push Notifications for compatibility with ChatSecure/iOS.
-- iOS typically end the connection when an app runs in the background and requires use of Apple's Push servers to wake up and receive a message. Enabling this module allows your server to do that for your contacts on iOS.
-- However we leave it commented out as it is another example of vertically integrated cloud platforms at odds with federation, with all the meta-data-based surveillance consequences that that might have.
"omemo_all_access"; -- Allow for OMEMO E2E between contacts that haven't added each other
"pep_vcard_avatar"; -- use XEP-0153: vCard-Based Avatars to see the avatars of clients that use XEP-0084: User Avatar and vice versa.
};
allow_registration = false; -- Enable to allow people to register accounts on your server from their clients, for more information see http://prosody.im/doc/creating_accounts
-- These are the SSL/TLS-related settings.
ssl = {
certificate = "/etc/prosody/certs/fullchain.pem";
key = "/etc/prosody/certs/privkey.pem";
}
c2s_require_encryption = true -- Force clients to use encrypted connections
-- Force certificate authentication for server-to-server connections?
-- This provides ideal security, but requires servers you communicate
-- with to support encryption AND present valid, trusted certificates.
-- NOTE: Your version of LuaSec must support certificate verification!
-- For more information see http://prosody.im/doc/s2s#security
s2s_secure_auth = false
pidfile = "/var/run/prosody/prosody.pid"
authentication = "internal_hashed"
storage = "sql"
-- Make sure to change the password
sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "userPassword", host = "localhost" }
log = {
info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
error = "/var/log/prosody/prosody.err";
"*syslog";
}
VirtualHost "placeholderdomain.org"
-- Enable http_upload to allow image sharing across multiple devices and clients
Component "dump.placeholderdomain.org" "http_upload"
---Set up a MUC (multi-user chat) room server on conference.example.com:
Component "muc.placeholderdomain.org" "muc"
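Review bot: L996 `omemo_all_access` needs a comment stating its privacy cost: to let contacts who have not added each other use OMEMO, it opens the PEP nodes carrying each user's OMEMO device list and key bundles to any XMPP entity, local or federated, so the set of devices a user owns becomes enumerable by anyone who knows the JID. Also: the placeholder on L1022-L1026 (`placeholderdomain.org`) differs from the one in the 0.11 file (L889, `myserver.org`) and from the `sed` lines in the guides (L608, L804), and L1025 still mentions conference.example.com; L990 means XEP-0363; L1011 `s2s_secure_auth = false` contradicts the "high security" header on L967 and should at least be called out as a deliberate trade-off.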

225
content/es_configuring_an_xmpp_server_prosody_0.11.md

@ -0,0 +1,225 @@
Title: Configurar un servidor de mensajería instantánea XMPP seguro, para mensajería móvil y fácil de usar
Date: 2018-11-17
Category: xmpp
Tags: xmpp, chat, guide, instant messaging, prosody
Slug: configuring-a-modern-xmpp-server
Description: Hands-on step-by-step guide that shows how to configure Prosody 0.11 aimed at security, mobile messaging, rich features and ease of use.
Lang: es
Status: Published
[TOC]
Introducción
---
Esta es una guía para configurar un servidor de mensajería instantánea basado en XMPP moderno, enfocado a la seguridad, mensajería móvil y fácil de usar. La guía asume que usas 'Debian Stable' en el servidor, que quieres alojar y administrar la mensajería instantánea para tu grupo de amigos y que tienes conocimiento básico de usar la línea de comandos en Linux.
Firewall y DNS
---
Abre los siguientes puertos en tu firewall para poder comunicarte con el servidor:
:::console
5000 (hacer de proxy para intercambiar archivos grandes entre clientes)
5222 (para comunicación entre cliente y servidor, C2S)
5269 (para comunicación entre servidores, S2S)
5281 (el puerto https por defecto de prosody)
También asegúrate de que tienes un dominio con DNS A-records para los siguientes subdominios
:::console
myserver.org (el dominio principal)
groups.myserver.org (para sala de grupos)
upload.myserver.org (para componente HTTP-Upload)
proxy.myserver.org (para el proxy de transferencia de archivos)
Esta guía usa los dominios escritos arriba, pero puedes ser más creativo :)
Habilitar HTTPS
---
Primero, conseguimos un certificado HTTPS firmado por [Let's Encrypt](https://letsencrypt.org/):
Se necesita para XMPP moderno, certificados auto-firmados no funcionaran.
Instala Certbot y consigue los certificados para tu dominio (reemplaza `myserver.org` por el tuyo):
:::console
sudo apt-get update && sudo apt-get install certbot
certbot certonly -d myserver.org
certbot certonly -d groups.myserver.org
certbot certonly -d upload.myserver.org
certbot certonly -d proxy.myserver.org
Si funciona, deberías poder ver algo así:
:::console
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/myserver.org/fullchain.pem. Your
cert will expire on 2019-02-15. To obtain a new or tweaked version
of this certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
Instalar y configurar Prosody, el servidor XMPP
---
Instala la version Prosody 0.11 y sus dependencias desde el repositorio oficial de Prosody:
:::console
echo deb http://packages.prosody.im/debian $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list
wget https://prosody.im/files/prosody-debian-packages.key -O- | sudo apt-key add -
sudo apt-get update && sudo apt-get install prosody lua-sec
Instala los plugins más recientes de Prosody:
:::console
apt-get install mercurial
cd /usr/src
hg clone https://hg.prosody.im/prosody-modules/ prosody-modules
Haz una copia de seguridad de la configuración de Prosody por defecto e instala [la de homebrewserver.club](https://homebrewserver.club/downloads/prosody.0.11.cfg.lua)
:::console
cd /etc/prosody
cp prosody.cfg.lua prosody.cfg.lua.original
wget https://homebrewserver.club/downloads/prosody.0.11.cfg.lua -O prosody.cfg.lua
La configuración de homebrewserver.club
---
:::console
-- una configuración de prosody enfocado a la seguridad, mensajería móvil y fácil de usar.
-- proporcionada por homebrewserver.club
-- el archivo de la configuración original(prosody.cfg.lua.original) tendrá mas información
plugin_paths = { "/usr/src/prosody-modules" } -- el directorio de los plugin no estándar para mantenerlos al dia con mercurial
modules_enabled = {
"roster"; -- Permite a los usuarios tener una lista de contactos. Recomendado ;)
"saslauth"; -- Autenticación entre clientes y servidores. Recomendado si quieres iniciar sesión.
"tls"; -- Permite conexiones c2s/s2s seguras con TLS
"dialback"; -- Permite s2s dialback
"disco"; -- Descubrir servicios entre servidores y clientes
"private"; -- Almacenamiento XML privado (para guardar las salas a las que te has unido)
"vcard4"; -- Perfiles de usuarios (guardado en PEP)
"vcard_legacy"; -- Convierte entre legacy vCard y PEP Avatar, vcard
"version"; -- Contesta a las peticiones de la versión del servidor
"uptime"; -- Informa sobre cuánto tiempo ha estado funcionando el servidor
"time"; -- Permite conocer la hora en el servidor
"ping"; -- Contesta XMPP pings con pongs
"register"; --Permite registrar una cuenta en tu servidor desde un cliente
"pep"; -- Entre otras cosas, permite a usuarios publicar sus claves OMEMO publicas
"carbons"; -- XEP-0280: Message Carbons, sincroniza mensajes entre dispositivos
"smacks"; -- XEP-0198: Stream Management, mantiene conversaciones incluso cuando la red se cae
"mam"; -- XEP-0313: Message Archive Management, permite descargar el historial de conversasiones del servidor
"csi_simple"; -- XEP-0352: Client State Indication
"admin_adhoc"; -- Permite la administración del servidor desde un cliente XMPP (que soporte comandos ad-hoc)
"blocklist"; -- XEP-0191 bloquear usuarios
"bookmarks"; -- Sincroniza entre clientes diferentes las salas a las que te has unido
--"cloud_notify"; -- Soporta XEP-0357 Push Notifications para tener compatibilidad con ChatSecure/iOS.
-- iOS normalmente aborta la conexión cuando una aplicación funciona en segundo plano y requiere el uso de los servidores de Push de Apple para levantar la conexión y recibir un mensaje. Habilitar este módulo permite a tu servidor comunicarse con los servidores Push de Apple para ayudar a tus usuarios de iOS.
-- Sin embargo, lo dejamos comentado porque es un otro ejemplo de una plataforma cloud integrada verticalmente que choca con las ideas de federación y las redes libres. Descomentarlo tiene riesgo de vigilancia de los meta dados de tus usuarios por Apple.
"server_contact_info"; -- Añade información de contacto en caso de incidencias con el servidor
};
allow_registration = false; -- Permite registrar una cuenta en tu servidor desde un cliente, para más información visita http://prosody.im/doc/creating_accounts
certificates = "/etc/prosody/certs" -- Ruta donde Prosody busca los certificados: https://prosody.im/doc/letsencrypt
https_certificate = "certs/myserver.org.crt"
c2s_require_encryption = true -- Fuerza a los clientes a usar conexiones cifradas
s2s_secure_auth = true -- Fuerza la autenticación de certificados para conexiones entre servidores
pidfile = "/var/run/prosody/prosody.pid"
authentication = "internal_hashed"
-- Historial de conversaciones
-- Si mod_mam esta activo, Prosody guardara una copia de cada mensaje.
-- Se usa para sincronizar conversaciones entre múltiples clientes, incluso
-- si están desconectados. Esta configuración controla cuanto tiempo Prosody
-- guarda los mensajes en el historial antes de eliminarlos.
archive_expires_after = "1w" -- Eliminar el historial de mensajes en una semana
log = { -- descomenta para mayor privacidad
info = "/var/log/prosody/prosody.log"; -- Cambia 'info' por 'debug' para un registro más detallado
error = "/var/log/prosody/prosody.err";
"*syslog";
}
disco_items = { -- allows clients to find the capabilities of your server
{"upload.myserver.org", "file uploads"};
{"groups.myserver.org", "group chats"};
}
VirtualHost "myserver.org"
-- Habilita http_upload para permitir compartir imágenes entre diferentes dispositivos y diferentes clientes
Component "upload.myserver.org" "http_upload"
-- Permite crear salas
Component "groups.myserver.org" "muc"
modules_enabled = { "muc_mam", "vcard_muc" }
-- Inicia un proxy para intercambiar archivos grandes entre clientes
Component "proxy.myserver.org" "proxy65"
Reemplaza el dominio de ejemplo con `tu dominio` en el archivo de configuración:
:::console
sed -i 's/myserver.org/tu dominio/g' prosody.cfg.lua
De forma alternativa puedes reemplazarlos a mano. Estan en las lineas 70, 81, 84, 88, 91 de prosody.cfg.lua
Importa los certificados de LetsEncrypt con Prosody:
:::console
prosodyctl --root cert import /etc/letsencrypt/live
Es posible que recibas un resultado similar:
No certificate for host groups.myserver.org found :(
No certificate for host upload.myserver.org found :(
No certificate for host proxy.myserver.org found :(
Imported certificate and key for hosts myserver.org
Pero no te preocupes, el ultimo certificado contiene información de todos los subdominios.
Para acabar
---
Configura `cron` para renovar los certificados LetsEncrypt automáticamente
:::console
sudo crontab -e
Añade al final:
:::console
0 4 0 * 0 /usr/bin/certbot renew --renew-hook "prosodyctl --root cert import /etc/letsencrypt/live" --quiet
Esta configuración comprueba y renueva los certificados cada domingo a las 04:00.
Cuando hayas hecho todo esto es hora de arrancar el servidor:
:::console
/etc/init.d/prosody restart
Se pueden añadir usuarios desde la línea de comandos. Te pedirá una contraseña:
:::console
prosodyctl adduser me@myserver.org
De otra forma puedes cambiar `allow_registration = false;` a `allow_registration = true;` en la configuración (linea 35) para permitir a los usuarios registrarse en tu servidor desde sus propios clientes.
Ahora puedes intentar conectarte a tu servidor usando un cliente como Gajim o Conversations. Inicia sesión con tu nombre y contraseña.
Si tienes preguntas sobre Prosody, la [documentación](http://prosody.im/doc) del proyecto es bastante buena (pero en Ingles). Si eso no es suficiente, pregunta los mismos desarrolladores en [la sala XMPP de Prosody](xmpp://prosody.conference.prosody.im?join)
Esta guía es una traducción de la guía del [homebrewserver.club](https://homebrewserver.club/drafts/configuring-a-modern-xmpp-server.html).)
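Review bot: the crontab entry `0 4 0 * 0 /usr/bin/certbot renew --renew-hook "prosodyctl --root cert import /etc/letsencrypt/live" --quiet` puts `0` in the day-of-month field, which only accepts 1-31, so cron rejects the line and the certificates are never renewed; the text says "cada domingo a las 04:00", which is `0 4 * * 0`. With `c2s_require_encryption = true` and `s2s_secure_auth = true` in the shipped config, an expired certificate takes both client logins and federation down, so this should be fixed before merge. A second issue in the same hunk: the four separate `certbot certonly -d ...` invocations each produce their own certificate under `/etc/letsencrypt/live/<name>/`, so `prosodyctl --root cert import /etc/letsencrypt/live` would import all four, and the shown output ("No certificate for host groups.myserver.org found :(" followed by "el ultimo certificado contiene información de todos los subdominios") only matches a single certificate requested with all four names in one command, e.g. `certbot certonly -d myserver.org -d groups.myserver.org -d upload.myserver.org -d proxy.myserver.org`; either change the commands or the claim, and note that `https_certificate = "certs/myserver.org.crt"` only serves HTTPS for upload.myserver.org without warnings if that certificate actually lists the subdomain.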

BIN
content/extra/favicon.ico


BIN
content/extra/featured_image_blue.png


BIN
content/extra/omemo.png


3
content/extra/robots.txt

@ -0,0 +1,3 @@
User-Agent: *
Disallow:
test
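Review bot: the final line `test` in content/extra/robots.txt is not a robots.txt directive and looks like a leftover from checking that the file is served; crawlers ignore unknown lines, but it should be removed. The remaining two lines, `User-Agent: *` with an empty `Disallow:`, permit crawling of the whole site, which is fine if that is the intent; if any path is meant to stay out of search indexes it needs an explicit `Disallow: /path/` entry.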

BIN
content/favicon.ico


115
content/have_you_considered.md

@ -0,0 +1,115 @@
Title: Have you considered the alternative?
Date: 2017-3-9
Category: xmpp
Tags: xmpp, conversations, instant messaging, ecosystem
Slug: have-you-considered-the-alternative
Summary: Signal is often considered an alternative to Whatsapp, but is it really? Why you should gather a group of friends and consider staring into the abyss of self-hosted, federated messaging services.
>"Remember, when advertising is involved you the user are the product. [...]
>When people ask us why we charge for WhatsApp, we say 'Have you considered the alternative?'"
<small>Brian Acton and Jan Koum, June 2012[^1] </small>
>"Facebook today announced that it has reached a definitive agreement to acquire WhatsApp, a rapidly growing cross-platform mobile messaging company,
>for a total of approximately $16 billion, including $4 billion in cash and approximately $12 billion worth of Facebook shares."
<small> Facebook Newsroom, February 2014[^2]</small>
>"[B]y coordinating more with Facebook, we'll be able to do things like track basic metrics about how often people use our services and better fight spam on WhatsApp.
>And by connecting your phone number with Facebook's systems, Facebook can offer better friend suggestions and show you more relevant ads if you have an account with them."
<small> Brian Acton and Jan Koum, August 2016[^3]</small>
[TOC]
Pattern Recognition
===
WhatsApp started out full of dreams: "we want WhatsApp to be the product that keeps you awake...and that you reach for in the morning. No one jumps up from a nap and runs to see an advertisement"[^4]. When they thought of WhatsApp, Brian Acton and Jan Koum were very keen on *not* selling our user data for targeted advertisement purposes. So they charged a nominal rate for the use of their service, rightfully pointing out the hidden cost of using free services.
In the year of 2014 however, WhatsApp was bought by Facebook, thus joining the social network's happy and expanding family of venture capital investments, a family including Instagram, purchased in April 2012, and Oculus VR, purchased the month before. At the time, many, and with good reason, worried about the changes this acquisition could entail for WhatsApp. Eventually, in August 2016, WhatsApp users everywhere learned about what was in fact unavoidable. The company that built its reputation upon an ad-free ethic, would now be sharing private user information with Facebook, its parent company. So we, the users, are the product after all, and as expected, this is presented in the form of an *improvement* of the user experience. Thanks to the tighter coordination between WhatsApp and Facebook, we can now more easily find our friends or see more valuable messages from the companies that truly matter to us. Of course, small footnote, these 'benefits' comes at the price of sharing our phone number and other private data with Facebook—though, trusting their word, not the content of the messages themselves.
Facebook does this for the simple reason that it needs to increase its market share on mobile devices[^5]; the family of Whatsapp, Facebook and Instagram are all *different* channels leading to this same purpose. One of the consequences of this is that while Facebook's chat function can still be used on their mobile website, plans are that we will soon be forced to install Facebook Messenger should we wish to continue using it on our mobile phones[^6]. Once again, in a stroke of pure genius and creativity, this move is being marketed as a way to provide us with the best experience ever. And we can use it with just a phone number, we don't even need a Facebook account. That way, their user base expands along with their profits.
Every time there is a breach of user trust —read: a change in the Terms of Service— or news regarding network surveillance, people are on the lookout for an alternative, and rightfully so. In these moments there are many also willing to promote such *alternatives*, usually in the form of yet another disruptive app. After the purchase of Whatsapp, for example, Telegram was advertised as the alternative. After it became clear that Telegram had dreadful security, people promoted Viber. Then Snapchat, then Threema, then Allo and now Signal. There is a reason why we’re falling into this pattern of needing alternatives to the alternatives. And that is because...
There are no alternatives.
===
There's a tendency to oversimplify the issues related to the use of these apps as merely a privacy matter, and not even that is sufficiently addressed. While each of the aforementioned apps are alternative companies and brands, what these alternatives all have in common is that they share the same model. A model that revolves around centralized services, vendor lock-in and marketing related surveillance, and all of that within a neoliberal context of the free market. These alternatives therefore promote themselves as more than just an alternative, but also as competing products, usually highlighting a particular feature lacking in rivals' products. Remember that ill-fated, super cool, nice looking alternative to Facebook, Ello? It gained a lot of traction out of legitimate concerns with Facebook's modus operandi, promoting itself as an alternative for its nice features and its promise not to use advertising. But as Aral Balkan was quick to point out, allowing investments by venture capital firms meant the project was dead before it really began[^7]. Taking these investments, which allowed them to scale as a platform, also meant that they would, at some point, *have* to make a lot of money for their investors. How? By selling ad space or information about their users. The reason the pattern keeps repeating itself is not because the makers of these apps always secretly intended to sell your data while saying they wouldn’t. The reason is that they have no choice within the economic system they choose to operate in.
Cryptography matters, but then it also doesn’t
===
The latest competitive feature—one might even say, marketing trick—to make concerned users switch from one alternative to another is cryptography, the act of coding messages during communication. This strategy works well because the vast majority of people are not really informed when it comes down to the technicalities of cryptography, so this discourse mostly serves to throw bedazzling sparkles in our eyes. To be sure, cryptography is fundamental for privacy. However, the main privacy threat in the context of using these apps isn't the potential of a government eavesdropping on our communications. The privacy threat is the wholesale and increasing dependence on centralized services which revolve around the surveillance and monetization of user information. In 2016, both WhatsApp and Facebook Messenger enabled end-to-end encryption[<sup>?</sup>](http://homebrewserver.club/beginners-guide-to-xmpp-speak.html#e2e) to address increasing privacy concerns. Adding *crypto* to a communication app in this case merely obfuscates a concern about the hegemony of these platforms. In essence, the issue of privacy is much larger than just the lack of cryptography; the conditions that threaten privacy are structural and economic and not resolved by a *patch* or a new feature.
This issue is further stressed when looking at the question of metadata, that is to say, data about data, which in the case of communication applications is everything but the communication data itself. When WhatsApp started sharing, among other things, its users' phone numbers with its parent company, Facebook, it went to great lengths to guarantee us that the content of our messages was still perfectly secure, impossible to be read by both WhatsApp and Facebook. The argument stating that "It's only metadata, don't worry" has been however debunked numerous times. Even though these platforms would love us to believe otherwise, metadata is neither a trivial disposable by-product, nor it is anonymous. And assuming that the crypto is sound and that the app running this crypto is not flawed, cross-referencing several databases containing metadata will always produce an array of very personal information, that in itself is much more valuable than encrypted naked selfies. Thus it should be no surprise that former NSA director Michael Hayden infamously said in 2012 "we kill based on metadata"[^8] and later argued in 2015 that metadata should be the main area of focus of surveillance activities, and not the creation of backdoors within crypto, or the banning of the latter[^9].
In short, both Whatsapp and FacebookMessenger can afford to deploy end-to-end encryption for your messages because it won’t hurt their bottom line, which is making money based on the surveillance of your behavior and your social graph. Adding crypto thus merely patches your privacy worries, but not the threat to it.
The Wrong Signal[^10]
===
The end-to-end encryption enabled in WhatsApp and Facebook Messenger has been developed by Open Whisper Systems, a non-profit run by crypto-celebrity Moxie Marlinspike. OWS also developed the algorithm for their own instant messaging application, Signal, and then open-sourced it. Signal itself is now the latest app being promoted as an alternative to WhatsApp and is hailed as the panacea of both security and usability. It even has the backing of members of the dissident elite such as Edward Snowden.
While OWS provides thorough expertise in the field of cryptography, Marlinspike is currently advocating centralisation as the only answer towards user-friendly, fast and secure messaging apps. Decentralisation, according to him, has no place in the modern world and apparently hampers innovation. However, some of his arguments have not remained unchallenged. In particular, where Marlinspike accuses federation of stalling evolution[^11], Daniel Gultsch[^12] provides a counter argument by using the Web as an example of successfully federated system[<sup>?</sup>](http://homebrewserver.club/beginners-guide-to-xmpp-speak.html#federated). Furthermore, Gultsch states that the problem is not that federation doesn't adapt, but rather that there are problems with its implementation for a very significant reason: software developers working on federated systems mostly work for free in their spare time or with little means, given the difficulty to monetise a system which design can only succeed if it is open and can be appropriated easily beyond its original scope, and thus making its capitalisation particularly challenging. In that sense, the most interesting aspect of this debate is that while Marlinspike seems to defend his product from a technological perspective, Gultsch's counter argument moves back the discussion to the context of political economy.
Daniel Gultsch is an important counter-voice because he is the main developer behind Conversations[<sup>?</sup>](http://homebrewserver.club/beginners-guide-to-xmpp-speak.html#conversations). This open-source instant messaging app tries to be both accessible for new users as well as provide enough flexibility for more advanced users. In that regard, Conversations itself does not manage to escape the logic of competition and the discourse around *alternative* superior apps discussed previously. However, its approach is significantly different because unlike any other apps, Conversations is not a complete solution, nor does it present itself as such. It is a client that relies on federation, which means that it allows for people to chat with each other regardless of what provider they are using. In concrete terms, there is no central server directly connected to Conversations, but Conversations can connect to different chat servers. This is possible because Conversations is built upon a long-lived messaging protocol called XMPP[<sup>?</sup>](http://homebrewserver.club/beginners-guide-to-xmpp-speak.html#xmpp).
XMPP, the federated messaging protocol
===
Up to a few years ago XMPP and its implementations were lagging behind in terms of mobile features, usability and interface design[^13]. That was the so-called lack of evolution Moxie pointed out. But recently Gultsch and the other contributors to Conversations have managed to bring XMPP up to speed with the functionality of well known mobile messenger applications. Not only did this demonstrate that bridging the gap could be done technically, but it also had the effect of breathing new life into the XMPP community. An example of this new energy was the initiative to create and implement OMEMO[<sup>?</sup>](http://homebrewserver.club/beginners-guide-to-xmpp-speak.html#omemo), an XMPP Extension Protocol[<sup>?</sup>](http://homebrewserver.club/beginners-guide-to-xmpp-speak.html#xep) that provides multi-user end-to-end encryption and which is based on Signal's own encryption algorithm. Ever since a growing number of clients have started implementing OMEMO, including Gajim[<sup>?</sup>](http://homebrewserver.club/beginners-guide-to-xmpp-speak.html#gajim) for desktops and ChatSecure[<sup>?</sup>](http://homebrewserver.club/beginners-guide-to-xmpp-speak.html#chatsecure) for iPhones[^14].
Gultsch succeeded[^15] so far precisely because of understanding the technical underpinnings of centralized services[<sup>?</sup>](http://homebrewserver.club/beginners-guide-to-xmpp-speak.html#centralized) such as WhatsApp or Signal. It is however a bitter-sweet victory, because as Gultsch articulated in his defense of decentralisation, the main difference between centralised and decentralised implementations is not only technical, but also a matter of economic sustainability. In other words, if his ongoing efforts show that it is possible to have a satisfying and safe user experience *while* using federated alternatives, this is only possible because, unlike any other XMPP client developers, he is in the position of working on this project full time. The problem has not been solved but shifted.
If economically sustainable XMPP federation were to scale to the point of being as successful as the centralised solution offered by Signal, it would have to face the consequences of doing so in the context of a free market driven by competition. In that situation, each XMMP client's economic viability would depend heavily on its capacity to capture enough users that can provide income for their developers. The problem therefore is not so much a problem of the technical or economical sustainability of federation, but more a problem of the economic sustainability of open standards and protocols in a world saturated with solutionist business models. After all, many years ago, Google and Facebook did provide XMPP support in their chat applications before deciding to close its interoperability.
Approaches not Apps
===
Given the different problems mapped in this text, it becomes difficult to blindly recommend Conversations as the superior alternative, that is to say, a near drop-in replacement to Signal or any other competing secure communication software.
The reason is not technical but is linked to the fact that, as discussed earlier, Conversations' own success relies on an economic model that is quite fragile, and the success of which—and it's a paradox—could potentially undermine the cultural diversity of the XMPP ecosystem.
With that said, there are however two essential points that the Conversations case brings up. These points are not always articulated clearly in discussions on federation: scale and trust.
Rather than having to swap one app for the other in an attempt to mitigate a large and confusing privacy problem, the XMPP federation approach allows to collectively tackle the problem based on its various discrete parts. Such an approach, rather than suggesting a singular and proprietary solution, allows for the existence of different free and open source software servers which can be combined with different free and open source software clients. That makes it possible for you and a group of friends to run your own infrastructure, whether on a rented server or on a very small home server.
The federated nature of the protocol allows you to try, play and experiment with different network infrastructures with different clients. These clients can range from custom XMMP bots to general instant messengers that you would be able recommend your friends and family to replace Whatsapp, without making a fool of yourself. As these open-source technologies continue to evolve you can make incremental changes to your server or switch clients as newer versions arrive.
Hosting your own infrastructure allows you to scale your communication in a way that is the most meaningful for the group or community you belong to. It is also a way to make sure your system matches your own threat model[<sup>?</sup>](http://homebrewserver.club/beginners-guide-to-xmpp-speak.html#threat), while simultaneously allowing you to deal with trust that is not mediated by an app. It also allows you to experiment with economic models other than those linked to large-scale infrastructure involving surveillance and capturing of your social graph for financial gain. Maybe you want to share the cost of the server or the responsibilities of administrating it, maybe you want to collectively learn how to run all this stuff, or maybe you want to start meetings to exchange tips, etc. However, this does not mean that you need to cut yourself off from the rest of the world and this form of localism should not be misunderstood for a hipsterist and reactionary form of escapism. Instead, such an approach is quite the opposite as it provides a possibility to actively engage with societal issues. It allows groups to collectively think, in the sense of defining questions and hypotheses themselves, acquire skills and knowledge and respond to issues that are both relevant to their own situation but that can also resonate globally, enabling others to start a similar process.
The goal of this article was to provide some tools and insights which not only allow for contextualisation of the technology we are using and supporting, but also help making sure that the instant-messaging you and your friends use happens in a trusted and secure environment, as much as possible outside the economies of surveillance. For this reason our motivation for writing this article was two-fold. On the one hand we wanted to show that the issue of privacy is more insidious than institutional eavesdropping and not merely solved with the use of end-to-end encryption. On the other hand, and as a consequence, we wanted to suggest not a different app, but a different approach altogether on the basis of XMPP federation and collective action. Therefore we've written two guides. [One on how to configure a server](http://homebrewserver.club/configuring-a-modern-xmpp-server.html) and [one on how to choose and use clients](http://homebrewserver.club/picking-modern-xmpp-clients.html) that can go along with it. These allow you to put a self-hosted approach, an approach that brings aspects of trust, scale and implementation to the forefront and into practice. Once again, such guides should not be perceived as definitive answers but more as tools to keep us, and hopefully you too, busy formulating the right questions and building networks of mutual help.
So while we are unable to recommend you the next big app that will solve all user surveillance and financialisation once and for all—as we are pretty sure no such app will ever even exist—we hope to at least help shed a light on the confused and confusing discourses that surround crypto-sound alternatives which may obfuscate less obvious problems.
[^1]: <https://blog.whatsapp.com/245/Why-we-dont-sell-ads>
[^2]: <http://newsroom.fb.com/news/2014/02/facebook-to-acquire-whatsapp/>
[^3]: <https://blog.whatsapp.com/10000627/Looking-ahead-for-WhatsApp>
[^4]: <https://blog.whatsapp.com/245/Why-we-dont-sell-ads>
[^5]: <https://www.theguardian.com/technology/2016/aug/25/whatsapp-to-give-users-phone-number-facebook-for-targeted-ads>
[^6]: <https://www.theguardian.com/technology/2016/jun/06/facebook-forcing-messenger-app-explainer>
[^7]: <https://ar.al/notes/ello-goodbye/>
[^8]: <https://www.youtube.com/watch?v=UdQiz0Vavmc>
[^9]: <https://www.c-span.org/video/?402284-1/discussion-immigration-policy-national-security>
[^10]: <https://it-kollektiv.com/wrong-signal-das-falsche-signal-engl/>
[^11]: <https://whispersystems.org/blog/the-ecosystem-is-moving>
[^12]: <https://gultsch.de/objection.html](https://gultsch.de/objection.html>
[^13]: <https://op-co.de/blog/posts/mobile_xmpp_in_2014/>
[^14]: <https://omemo.top/>
[^15]: His XMPP client Conversations has been installed between [10 and 50 thousand times](https://play.google.com/store/apps/details?id=eu.siacs.conversations&hl=en) and he is able to live off and work full-time on the project
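Review bot: footnote `[^12]` has a malformed link, `<https://gultsch.de/objection.html](https://gultsch.de/objection.html>`, which mixes autolink and inline-link syntax and will render as literal text; it should read `<https://gultsch.de/objection.html>`. Also in this hunk, `[^1]` and `[^4]` point to the same URL and could be merged, and "XMMP" appears twice (in the "XMPP, the federated messaging protocol" and "Approaches not Apps" sections) where "XMPP" is meant.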

BIN
content/images/chooser_by.png


BIN
content/images/chooser_cc.png


BIN
content/images/chooser_sa.png


BIN
content/images/conv_1.png


BIN
content/images/conv_2.png


BIN
content/images/conv_3.png


BIN
content/images/conv_4.png


BIN
content/images/conv_5.png


BIN
content/images/cs_1.png


BIN
content/images/cs_10.png


BIN
content/images/cs_11.png


BIN
content/images/cs_12.png


BIN
content/images/cs_13.png


BIN
content/images/cs_14.png


BIN
content/images/cs_15.png


BIN
content/images/cs_16.png


BIN
content/images/cs_17.png


BIN
content/images/cs_18.png


BIN
content/images/cs_19.png


BIN
content/images/cs_2.png
