Add extensive end-to-end integration tests powered by podman

contrib/prosody-modules/mod_s2s_outgoing_proxy.lua

@@ -0,0 +1,30 @@
+local st = require"util.stanza";
+local new_ip = require"util.ip".new_ip;
+local new_outgoing = require"core.s2smanager".new_outgoing;
+local bounce_sendq = module:depends"s2s".route_to_new_session.bounce_sendq;
+local s2sout = module:depends"s2s".route_to_new_session.s2sout;
+
+local s2s_outgoing_proxy = module:get_option("s2s_outgoing_proxy");
+
+module:hook("route/remote", function(event)
+	local from_host, to_host, stanza = event.from_host, event.to_host, event.stanza;
+	log("debug", "opening a new outgoing connection for this stanza");
+	local host_session = new_outgoing(from_host, to_host);
+	host_session.version = 1;
+
+	-- Store in buffer
+	host_session.bounce_sendq = bounce_sendq;
+	host_session.sendq = { {tostring(stanza), stanza.attr.type ~= "error" and stanza.attr.type ~= "result" and st.reply(stanza)} };
+	log("debug", "stanza [%s] queued until connection complete", tostring(stanza.name));
+
+	local ip_hosts = {};
+
+    local host, port = s2s_outgoing_proxy[1] or s2s_outgoing_proxy, tonumber(s2s_outgoing_proxy[2]) or 15270;
+	ip_hosts[#ip_hosts+1] = { ip = new_ip(host), port = port }
+
+	host_session.ip_hosts = ip_hosts;
+	host_session.ip_choice = 0; -- Incremented by try_next_ip
+	s2sout.try_next_ip(host_session);
+	return true;
+end, -2);
+

contrib/prosody-modules/mod_secure_interfaces.lua

@@ -0,0 +1,27 @@
+local secure_interfaces = module:get_option_set("secure_interfaces", { "127.0.0.1", "::1" });
+
+local function mark_secure(event, expected_type)
+	local session = event.origin;
+	if session.type ~= expected_type then return; end
+	local socket = session.conn:socket();
+	if not socket.getsockname then
+		module:log("debug", "Unable to determine local address of incoming connection");
+		return;
+	end
+	local localip = socket:getsockname();
+	if secure_interfaces:contains(localip) then
+		module:log("debug", "Marking session from %s to %s as secure", session.ip or "[?]", localip);
+		session.secure = true;
+		session.conn.starttls = false;
+	else
+		module:log("debug", "Not marking session from %s to %s as secure", session.ip or "[?]", localip);
+	end
+end
+
+module:hook("stream-features", function (event)
+	mark_secure(event, "c2s_unauthed");
+end, 2500);
+
+module:hook("s2s-stream-features", function (event)
+	mark_secure(event, "s2sin_unauthed");
+end, 2500);

integration/00-no-tls/example.org.zone

@@ -0,0 +1,15 @@
+$TTL 300
+; example.org
+@       IN      SOA     ns1.example.org. postmaster.example.org. (
+                                        2018111111 ; Serial
+                                        28800      ; Refresh
+                                        1800       ; Retry
+                                        604800     ; Expire - 1 week
+                                        86400 )    ; Negative Cache TTL
+                IN      NS      ns1
+ns1             IN      A       192.5.0.10
+server1         IN      A       192.5.0.20
+server2         IN      A       192.5.0.30
+
+scansion.one    IN      CNAME   server1
+scansion.two    IN      CNAME   server1

integration/00-no-tls/prosody1.cfg.lua

@@ -0,0 +1,228 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+--     prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+	-- Generally required
+		"roster"; -- Allow users to have a roster. Recommended ;)
+		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+--		"tls"; -- Add support for secure TLS on c2s/s2s connections
+		"dialback"; -- s2s dialback support
+		"disco"; -- Service discovery
+
+	-- Not essential, but recommended
+		"carbons"; -- Keep multiple clients in sync
+		"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+		"private"; -- Private XML storage (for room bookmarks, etc.)
+		"blocklist"; -- Allow users to block communications with other users
+		"vcard4"; -- User profiles (stored in PEP)
+		"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+		"limits"; -- Enable bandwidth limiting for XMPP connections
+
+	-- Nice to have
+		"version"; -- Replies to server version requests
+		"uptime"; -- Report how long server has been running
+		"time"; -- Let others know the time here on this server
+		"ping"; -- Replies to XMPP pings with pongs
+		"register"; -- Allow users to register on this server using a client and change passwords
+		--"mam"; -- Store messages in an archive and allow users to access it
+		--"csi_simple"; -- Simple Mobile optimizations
+
+	-- Admin interfaces
+		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+	-- HTTP modules
+		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+		--"websocket"; -- XMPP over WebSockets
+		--"http_files"; -- Serve static files from a directory over HTTP
+
+	-- Other specific functionality
+		--"groups"; -- Shared roster support
+		--"server_contact_info"; -- Publish contact information for this service
+		--"announce"; -- Send announcement to all online users
+		--"welcome"; -- Welcome users who register accounts
+		--"watchregistrations"; -- Alert admins of registrations
+		--"motd"; -- Send a message to users when they log in
+		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+		--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+	-- "offline"; -- Store offline messages
+	-- "c2s"; -- Handle client connections
+	-- "s2s"; -- Handle server-to-server connections
+	-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+
+-- Force servers to use encrypted connections? This option will
+-- prevent servers from authenticating unless they are using encryption.
+
+s2s_require_encryption = false
+
+-- Force certificate authentication for server-to-server connections?
+
+s2s_secure_auth = false
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+  c2s = {
+    rate = "10kb/s";
+  };
+  s2sin = {
+    rate = "30kb/s";
+  };
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+	-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+	-- error = "prosody.err";
+	--info = "*syslog"; -- Uncomment this for logging to syslog
+	debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certsno"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+--	certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+--	component_secret = "password"

integration/01-starttls/example.org.zone

@@ -0,0 +1,15 @@
+$TTL 300
+; example.org
+@       IN      SOA     ns1.example.org. postmaster.example.org. (
+                                        2018111111 ; Serial
+                                        28800      ; Refresh
+                                        1800       ; Retry
+                                        604800     ; Expire - 1 week
+                                        86400 )    ; Negative Cache TTL
+                IN      NS      ns1
+ns1             IN      A       192.5.0.10
+server1         IN      A       192.5.0.20
+server2         IN      A       192.5.0.30
+
+scansion.one    IN      CNAME   server1
+scansion.two    IN      CNAME   server1

integration/01-starttls/prosody1.cfg.lua

@@ -0,0 +1,225 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+--     prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+	-- Generally required
+		"roster"; -- Allow users to have a roster. Recommended ;)
+		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+		"tls"; -- Add support for secure TLS on c2s/s2s connections
+		"dialback"; -- s2s dialback support
+		"disco"; -- Service discovery
+
+	-- Not essential, but recommended
+		"carbons"; -- Keep multiple clients in sync
+		"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+		"private"; -- Private XML storage (for room bookmarks, etc.)
+		"blocklist"; -- Allow users to block communications with other users
+		"vcard4"; -- User profiles (stored in PEP)
+		"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+		"limits"; -- Enable bandwidth limiting for XMPP connections
+
+	-- Nice to have
+		"version"; -- Replies to server version requests
+		"uptime"; -- Report how long server has been running
+		"time"; -- Let others know the time here on this server
+		"ping"; -- Replies to XMPP pings with pongs
+		"register"; -- Allow users to register on this server using a client and change passwords
+		--"mam"; -- Store messages in an archive and allow users to access it
+		--"csi_simple"; -- Simple Mobile optimizations
+
+	-- Admin interfaces
+		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+	-- HTTP modules
+		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+		--"websocket"; -- XMPP over WebSockets
+		--"http_files"; -- Serve static files from a directory over HTTP
+
+	-- Other specific functionality
+		--"groups"; -- Shared roster support
+		--"server_contact_info"; -- Publish contact information for this service
+		--"announce"; -- Send announcement to all online users
+		--"welcome"; -- Welcome users who register accounts
+		--"watchregistrations"; -- Alert admins of registrations
+		--"motd"; -- Send a message to users when they log in
+		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+		--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+	-- "offline"; -- Store offline messages
+	-- "c2s"; -- Handle client connections
+	-- "s2s"; -- Handle server-to-server connections
+	-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = true
+
+-- Force servers to use encrypted connections? This option will
+-- prevent servers from authenticating unless they are using encryption.
+
+s2s_require_encryption = true
+
+-- Force certificate authentication for server-to-server connections?
+
+s2s_secure_auth = false
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+  c2s = {
+    rate = "10kb/s";
+  };
+  s2sin = {
+    rate = "30kb/s";
+  };
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+	-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+	-- error = "prosody.err";
+	--info = "*syslog"; -- Uncomment this for logging to syslog
+	debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+--	certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+--	component_secret = "password"

integration/02-client-a-record-starttls/example.org.zone

@@ -0,0 +1,20 @@
+$TTL 300
+; example.org
+@       IN      SOA     ns1.example.org. postmaster.example.org. (
+                                        2018111111 ; Serial
+                                        28800      ; Refresh
+                                        1800       ; Retry
+                                        604800     ; Expire - 1 week
+                                        86400 )    ; Negative Cache TTL
+                IN      NS      ns1
+ns1             IN      A       192.5.0.10
+server1         IN      A       192.5.0.20
+server2         IN      A       192.5.0.30
+xp1         IN      A       192.5.0.40
+xp2         IN      A       192.5.0.50
+
+one    IN      CNAME   server1
+two    IN      CNAME   server1
+
+scansion.one    IN      CNAME   xp1
+scansion.two    IN      CNAME   xp1

integration/02-client-a-record-starttls/prosody1.cfg.lua

@@ -0,0 +1,225 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+--     prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+	-- Generally required
+		"roster"; -- Allow users to have a roster. Recommended ;)
+		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+		"tls"; -- Add support for secure TLS on c2s/s2s connections
+		"dialback"; -- s2s dialback support
+		"disco"; -- Service discovery
+
+	-- Not essential, but recommended
+		"carbons"; -- Keep multiple clients in sync
+		"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+		"private"; -- Private XML storage (for room bookmarks, etc.)
+		"blocklist"; -- Allow users to block communications with other users
+		"vcard4"; -- User profiles (stored in PEP)
+		"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+		"limits"; -- Enable bandwidth limiting for XMPP connections
+
+	-- Nice to have
+		"version"; -- Replies to server version requests
+		"uptime"; -- Report how long server has been running
+		"time"; -- Let others know the time here on this server
+		"ping"; -- Replies to XMPP pings with pongs
+		"register"; -- Allow users to register on this server using a client and change passwords
+		--"mam"; -- Store messages in an archive and allow users to access it
+		--"csi_simple"; -- Simple Mobile optimizations
+
+	-- Admin interfaces
+		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+	-- HTTP modules
+		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+		--"websocket"; -- XMPP over WebSockets
+		--"http_files"; -- Serve static files from a directory over HTTP
+
+	-- Other specific functionality
+		--"groups"; -- Shared roster support
+		--"server_contact_info"; -- Publish contact information for this service
+		--"announce"; -- Send announcement to all online users
+		--"welcome"; -- Welcome users who register accounts
+		--"watchregistrations"; -- Alert admins of registrations
+		--"motd"; -- Send a message to users when they log in
+		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+		--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+	-- "offline"; -- Store offline messages
+	-- "c2s"; -- Handle client connections
+	-- "s2s"; -- Handle server-to-server connections
+	-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = true
+
+-- Force servers to use encrypted connections? This option will
+-- prevent servers from authenticating unless they are using encryption.
+
+s2s_require_encryption = true
+
+-- Force certificate authentication for server-to-server connections?
+
+s2s_secure_auth = false
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+  c2s = {
+    rate = "10kb/s";
+  };
+  s2sin = {
+    rate = "30kb/s";
+  };
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+	-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+	-- error = "prosody.err";
+	--info = "*syslog"; -- Uncomment this for logging to syslog
+	debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+--	certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+--	component_secret = "password"

integration/02-client-a-record-starttls/xmpp-proxy1.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/03-client-srv-record-starttls/example.org.zone

@@ -0,0 +1,20 @@
+$TTL 300
+; example.org
+@       IN      SOA     ns1.example.org. postmaster.example.org. (
+                                        2018111111 ; Serial
+                                        28800      ; Refresh
+                                        1800       ; Retry
+                                        604800     ; Expire - 1 week
+                                        86400 )    ; Negative Cache TTL
+                IN      NS      ns1
+ns1             IN      A       192.5.0.10
+server1         IN      A       192.5.0.20
+server2         IN      A       192.5.0.30
+xp1         IN      A       192.5.0.40
+xp2         IN      A       192.5.0.50
+
+_xmpp-client._tcp.one  IN      SRV     5   1       5555     server1
+_xmpp-client._tcp.two  IN      SRV     5   1       5555     server1
+
+scansion.one    IN      CNAME   xp1
+scansion.two    IN      CNAME   xp1

integration/03-client-srv-record-starttls/prosody1.cfg.lua

@@ -0,0 +1,227 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+--     prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+	-- Generally required
+		"roster"; -- Allow users to have a roster. Recommended ;)
+		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+		"tls"; -- Add support for secure TLS on c2s/s2s connections
+		"dialback"; -- s2s dialback support
+		"disco"; -- Service discovery
+
+	-- Not essential, but recommended
+		"carbons"; -- Keep multiple clients in sync
+		"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+		"private"; -- Private XML storage (for room bookmarks, etc.)
+		"blocklist"; -- Allow users to block communications with other users
+		"vcard4"; -- User profiles (stored in PEP)
+		"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+		"limits"; -- Enable bandwidth limiting for XMPP connections
+
+	-- Nice to have
+		"version"; -- Replies to server version requests
+		"uptime"; -- Report how long server has been running
+		"time"; -- Let others know the time here on this server
+		"ping"; -- Replies to XMPP pings with pongs
+		"register"; -- Allow users to register on this server using a client and change passwords
+		--"mam"; -- Store messages in an archive and allow users to access it
+		--"csi_simple"; -- Simple Mobile optimizations
+
+	-- Admin interfaces
+		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+	-- HTTP modules
+		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+		--"websocket"; -- XMPP over WebSockets
+		--"http_files"; -- Serve static files from a directory over HTTP
+
+	-- Other specific functionality
+		--"groups"; -- Shared roster support
+		--"server_contact_info"; -- Publish contact information for this service
+		--"announce"; -- Send announcement to all online users
+		--"welcome"; -- Welcome users who register accounts
+		--"watchregistrations"; -- Alert admins of registrations
+		--"motd"; -- Send a message to users when they log in
+		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+		--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+	-- "offline"; -- Store offline messages
+	-- "c2s"; -- Handle client connections
+	-- "s2s"; -- Handle server-to-server connections
+	-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+c2s_ports = { 5555 };
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = true
+
+-- Force servers to use encrypted connections? This option will
+-- prevent servers from authenticating unless they are using encryption.
+
+s2s_require_encryption = true
+
+-- Force certificate authentication for server-to-server connections?
+
+s2s_secure_auth = false
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+  c2s = {
+    rate = "10kb/s";
+  };
+  s2sin = {
+    rate = "30kb/s";
+  };
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+	-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+	-- error = "prosody.err";
+	--info = "*syslog"; -- Uncomment this for logging to syslog
+	debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+--	certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+--	component_secret = "password"

integration/03-client-srv-record-starttls/xmpp-proxy1.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/04-client-a-record-tls/example.org.zone

@@ -0,0 +1,20 @@
+$TTL 300
+; example.org
+@       IN      SOA     ns1.example.org. postmaster.example.org. (
+                                        2018111111 ; Serial
+                                        28800      ; Refresh
+                                        1800       ; Retry
+                                        604800     ; Expire - 1 week
+                                        86400 )    ; Negative Cache TTL
+                IN      NS      ns1
+ns1             IN      A       192.5.0.10
+server1         IN      A       192.5.0.20
+server2         IN      A       192.5.0.30
+xp1         IN      A       192.5.0.40
+xp2         IN      A       192.5.0.50
+
+one    IN      CNAME   server1
+two    IN      CNAME   server1
+
+scansion.one    IN      CNAME   xp1
+scansion.two    IN      CNAME   xp1

integration/04-client-a-record-tls/prosody1.cfg.lua

@@ -0,0 +1,225 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+--     prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+	-- Generally required
+		"roster"; -- Allow users to have a roster. Recommended ;)
+		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+		"tls"; -- Add support for secure TLS on c2s/s2s connections
+		"dialback"; -- s2s dialback support
+		"disco"; -- Service discovery
+
+	-- Not essential, but recommended
+		"carbons"; -- Keep multiple clients in sync
+		"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+		"private"; -- Private XML storage (for room bookmarks, etc.)
+		"blocklist"; -- Allow users to block communications with other users
+		"vcard4"; -- User profiles (stored in PEP)
+		"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+		"limits"; -- Enable bandwidth limiting for XMPP connections
+
+	-- Nice to have
+		"version"; -- Replies to server version requests
+		"uptime"; -- Report how long server has been running
+		"time"; -- Let others know the time here on this server
+		"ping"; -- Replies to XMPP pings with pongs
+		"register"; -- Allow users to register on this server using a client and change passwords
+		--"mam"; -- Store messages in an archive and allow users to access it
+		--"csi_simple"; -- Simple Mobile optimizations
+
+	-- Admin interfaces
+		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+	-- HTTP modules
+		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+		--"websocket"; -- XMPP over WebSockets
+		--"http_files"; -- Serve static files from a directory over HTTP
+
+	-- Other specific functionality
+		--"groups"; -- Shared roster support
+		--"server_contact_info"; -- Publish contact information for this service
+		--"announce"; -- Send announcement to all online users
+		--"welcome"; -- Welcome users who register accounts
+		--"watchregistrations"; -- Alert admins of registrations
+		--"motd"; -- Send a message to users when they log in
+		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+		--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+	-- "offline"; -- Store offline messages
+	-- "c2s"; -- Handle client connections
+	-- "s2s"; -- Handle server-to-server connections
+	-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+legacy_ssl_ports = { 443 };
+c2s_ports = { };
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = true
+
+-- Force servers to use encrypted connections? This option will
+-- prevent servers from authenticating unless they are using encryption.
+
+s2s_require_encryption = true
+
+-- Force certificate authentication for server-to-server connections?
+
+s2s_secure_auth = false
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+  c2s = {
+    rate = "10kb/s";
+  };
+  s2sin = {
+    rate = "30kb/s";
+  };
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+	-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+	-- error = "prosody.err";
+	--info = "*syslog"; -- Uncomment this for logging to syslog
+	debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+--	certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+--	component_secret = "password"

integration/04-client-a-record-tls/xmpp-proxy1.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/05-client-srv-record-tls/example.org.zone

@@ -0,0 +1,20 @@
+$TTL 300
+; example.org
+@       IN      SOA     ns1.example.org. postmaster.example.org. (
+                                        2018111111 ; Serial
+                                        28800      ; Refresh
+                                        1800       ; Retry
+                                        604800     ; Expire - 1 week
+                                        86400 )    ; Negative Cache TTL
+                IN      NS      ns1
+ns1             IN      A       192.5.0.10
+server1         IN      A       192.5.0.20
+server2         IN      A       192.5.0.30
+xp1         IN      A       192.5.0.40
+xp2         IN      A       192.5.0.50
+
+_xmpps-client._tcp.one  IN      SRV     5   1       5443     server1
+_xmpps-client._tcp.two  IN      SRV     5   1       5443     server1
+
+scansion.one    IN      CNAME   xp1
+scansion.two    IN      CNAME   xp1

integration/05-client-srv-record-tls/prosody1.cfg.lua

@@ -0,0 +1,228 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+--     prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+	-- Generally required
+		"roster"; -- Allow users to have a roster. Recommended ;)
+		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+		"tls"; -- Add support for secure TLS on c2s/s2s connections
+		"dialback"; -- s2s dialback support
+		"disco"; -- Service discovery
+
+	-- Not essential, but recommended
+		"carbons"; -- Keep multiple clients in sync
+		"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+		"private"; -- Private XML storage (for room bookmarks, etc.)
+		"blocklist"; -- Allow users to block communications with other users
+		"vcard4"; -- User profiles (stored in PEP)
+		"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+		"limits"; -- Enable bandwidth limiting for XMPP connections
+
+	-- Nice to have
+		"version"; -- Replies to server version requests
+		"uptime"; -- Report how long server has been running
+		"time"; -- Let others know the time here on this server
+		"ping"; -- Replies to XMPP pings with pongs
+		"register"; -- Allow users to register on this server using a client and change passwords
+		--"mam"; -- Store messages in an archive and allow users to access it
+		--"csi_simple"; -- Simple Mobile optimizations
+
+	-- Admin interfaces
+		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+	-- HTTP modules
+		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+		--"websocket"; -- XMPP over WebSockets
+		--"http_files"; -- Serve static files from a directory over HTTP
+
+	-- Other specific functionality
+		--"groups"; -- Shared roster support
+		--"server_contact_info"; -- Publish contact information for this service
+		--"announce"; -- Send announcement to all online users
+		--"welcome"; -- Welcome users who register accounts
+		--"watchregistrations"; -- Alert admins of registrations
+		--"motd"; -- Send a message to users when they log in
+		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+		--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+	-- "offline"; -- Store offline messages
+	-- "c2s"; -- Handle client connections
+	-- "s2s"; -- Handle server-to-server connections
+	-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+legacy_ssl_ports = { 5443 };
+c2s_ports = { };
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = true
+
+-- Force servers to use encrypted connections? This option will
+-- prevent servers from authenticating unless they are using encryption.
+
+s2s_require_encryption = true
+
+-- Force certificate authentication for server-to-server connections?
+
+s2s_secure_auth = false
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+  c2s = {
+    rate = "10kb/s";
+  };
+  s2sin = {
+    rate = "30kb/s";
+  };
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+	-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+	-- error = "prosody.err";
+	--info = "*syslog"; -- Uncomment this for logging to syslog
+	debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+https_certificate = "/etc/prosody/certs/wildcard.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+--	certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+--	component_secret = "password"

integration/05-client-srv-record-tls/xmpp-proxy1.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/06-client-websocket/example.org.zone

@@ -0,0 +1,22 @@
+$TTL 300
+; example.org
+@       IN      SOA     ns1.example.org. postmaster.example.org. (
+                                        2018111111 ; Serial
+                                        28800      ; Refresh
+                                        1800       ; Retry
+                                        604800     ; Expire - 1 week
+                                        86400 )    ; Negative Cache TTL
+                IN      NS      ns1
+ns1             IN      A       192.5.0.10
+server1         IN      A       192.5.0.20
+server2         IN      A       192.5.0.30
+xp1         IN      A       192.5.0.40
+xp2         IN      A       192.5.0.50
+
+one    IN      CNAME   server1
+two    IN      CNAME   server1
+_xmppconnect.one     IN      TXT     "_xmpp-client-websocket=wss://one.example.org:5281/xmpp-websocket"
+_xmppconnect.two     IN      TXT     "_xmpp-client-websocket=wss://two.example.org:5281/xmpp-websocket"
+
+scansion.one    IN      CNAME   xp1
+scansion.two    IN      CNAME   xp1

integration/06-client-websocket/prosody1.cfg.lua

@@ -0,0 +1,228 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+--     prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+	-- Generally required
+		"roster"; -- Allow users to have a roster. Recommended ;)
+		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+		"tls"; -- Add support for secure TLS on c2s/s2s connections
+		"dialback"; -- s2s dialback support
+		"disco"; -- Service discovery
+
+	-- Not essential, but recommended
+		"carbons"; -- Keep multiple clients in sync
+		"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+		"private"; -- Private XML storage (for room bookmarks, etc.)
+		"blocklist"; -- Allow users to block communications with other users
+		"vcard4"; -- User profiles (stored in PEP)
+		"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+		"limits"; -- Enable bandwidth limiting for XMPP connections
+
+	-- Nice to have
+		"version"; -- Replies to server version requests
+		"uptime"; -- Report how long server has been running
+		"time"; -- Let others know the time here on this server
+		"ping"; -- Replies to XMPP pings with pongs
+		"register"; -- Allow users to register on this server using a client and change passwords
+		--"mam"; -- Store messages in an archive and allow users to access it
+		--"csi_simple"; -- Simple Mobile optimizations
+
+	-- Admin interfaces
+		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+	-- HTTP modules
+		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+		"websocket"; -- XMPP over WebSockets
+		--"http_files"; -- Serve static files from a directory over HTTP
+
+	-- Other specific functionality
+		--"groups"; -- Shared roster support
+		--"server_contact_info"; -- Publish contact information for this service
+		--"announce"; -- Send announcement to all online users
+		--"welcome"; -- Welcome users who register accounts
+		--"watchregistrations"; -- Alert admins of registrations
+		--"motd"; -- Send a message to users when they log in
+		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+		--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+	-- "offline"; -- Store offline messages
+	-- "c2s"; -- Handle client connections
+	-- "s2s"; -- Handle server-to-server connections
+	-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+legacy_ssl_ports = { };
+c2s_ports = { };
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = true
+
+-- Force servers to use encrypted connections? This option will
+-- prevent servers from authenticating unless they are using encryption.
+
+s2s_require_encryption = true
+
+-- Force certificate authentication for server-to-server connections?
+
+s2s_secure_auth = false
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+  c2s = {
+    rate = "10kb/s";
+  };
+  s2sin = {
+    rate = "30kb/s";
+  };
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+	-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+	-- error = "prosody.err";
+	--info = "*syslog"; -- Uncomment this for logging to syslog
+	debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/wildcard.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+--	certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+--	component_secret = "password"

integration/06-client-websocket/xmpp-proxy1.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/07-c2s-starttls/example.org.zone

@@ -0,0 +1,21 @@
+$TTL 300
+; example.org
+@       IN      SOA     ns1.example.org. postmaster.example.org. (
+                                        2018111111 ; Serial
+                                        28800      ; Refresh
+                                        1800       ; Retry
+                                        604800     ; Expire - 1 week
+                                        86400 )    ; Negative Cache TTL
+                IN      NS      ns1
+ns1             IN      A       192.5.0.10
+server1         IN      A       192.5.0.20
+server2         IN      A       192.5.0.30
+xp1         IN      A       192.5.0.40
+xp2         IN      A       192.5.0.50
+xp3         IN      A       192.5.0.60
+
+one    IN      CNAME   xp1
+two    IN      CNAME   xp1
+
+scansion.one    IN      CNAME   xp3
+scansion.two    IN      CNAME   xp3

integration/07-c2s-starttls/prosody1.cfg.lua

@@ -0,0 +1,253 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+--     prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+	-- Generally required
+		"roster"; -- Allow users to have a roster. Recommended ;)
+		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+		--"tls"; -- Add support for secure TLS on c2s/s2s connections
+		"dialback"; -- s2s dialback support
+		"disco"; -- Service discovery
+
+	-- Not essential, but recommended
+		"carbons"; -- Keep multiple clients in sync
+		"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+		"private"; -- Private XML storage (for room bookmarks, etc.)
+		"blocklist"; -- Allow users to block communications with other users
+		"vcard4"; -- User profiles (stored in PEP)
+		"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+		"limits"; -- Enable bandwidth limiting for XMPP connections
+
+	-- Nice to have
+		"version"; -- Replies to server version requests
+		"uptime"; -- Report how long server has been running
+		"time"; -- Let others know the time here on this server
+		"ping"; -- Replies to XMPP pings with pongs
+		"register"; -- Allow users to register on this server using a client and change passwords
+		--"mam"; -- Store messages in an archive and allow users to access it
+		--"csi_simple"; -- Simple Mobile optimizations
+
+	-- Admin interfaces
+		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+	-- HTTP modules
+		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+		--"websocket"; -- XMPP over WebSockets
+		--"http_files"; -- Serve static files from a directory over HTTP
+
+	-- Other specific functionality
+		--"groups"; -- Shared roster support
+		--"server_contact_info"; -- Publish contact information for this service
+		--"announce"; -- Send announcement to all online users
+		--"welcome"; -- Welcome users who register accounts
+		--"watchregistrations"; -- Alert admins of registrations
+		--"motd"; -- Send a message to users when they log in
+		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+		--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+		"net_proxy";
+		"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+	-- "offline"; -- Store offline messages
+	-- "c2s"; -- Handle client connections
+	-- "s2s"; -- Handle server-to-server connections
+	-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "xp1.example.org", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+    [15222] = "c2s",
+    [15269] = "s2s"
+}
+
+--[[
+  Specifies a list of trusted hosts or networks which may use the PROXY protocol
+  If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+  An empty table ({}) can be configured to allow connections from any source.
+  Please read the module documentation about potential security impact.
+]]-- 
+proxy_trusted_proxies = {
+    "192.5.0.40"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask.. 
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+  c2s = {
+    rate = "10kb/s";
+  };
+  s2sin = {
+    rate = "30kb/s";
+  };
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+	-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+	-- error = "prosody.err";
+	--info = "*syslog"; -- Uncomment this for logging to syslog
+	debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+--	certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+--	component_secret = "password"

integration/07-c2s-starttls/xmpp-proxy1.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5222" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.20:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.20:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/wildcard.key"
+tls_cert = "/etc/prosody/certs/wildcard.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/07-c2s-starttls/xmpp-proxy3.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/08-c2s-tls/example.org.zone

@@ -0,0 +1,21 @@
+$TTL 300
+; example.org
+@       IN      SOA     ns1.example.org. postmaster.example.org. (
+                                        2018111111 ; Serial
+                                        28800      ; Refresh
+                                        1800       ; Retry
+                                        604800     ; Expire - 1 week
+                                        86400 )    ; Negative Cache TTL
+                IN      NS      ns1
+ns1             IN      A       192.5.0.10
+server1         IN      A       192.5.0.20
+server2         IN      A       192.5.0.30
+xp1         IN      A       192.5.0.40
+xp2         IN      A       192.5.0.50
+xp3         IN      A       192.5.0.60
+
+one    IN      CNAME   xp1
+two    IN      CNAME   xp1
+
+scansion.one    IN      CNAME   xp3
+scansion.two    IN      CNAME   xp3

integration/08-c2s-tls/prosody1.cfg.lua

@@ -0,0 +1,253 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+--     prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+	-- Generally required
+		"roster"; -- Allow users to have a roster. Recommended ;)
+		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+		--"tls"; -- Add support for secure TLS on c2s/s2s connections
+		"dialback"; -- s2s dialback support
+		"disco"; -- Service discovery
+
+	-- Not essential, but recommended
+		"carbons"; -- Keep multiple clients in sync
+		"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+		"private"; -- Private XML storage (for room bookmarks, etc.)
+		"blocklist"; -- Allow users to block communications with other users
+		"vcard4"; -- User profiles (stored in PEP)
+		"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+		"limits"; -- Enable bandwidth limiting for XMPP connections
+
+	-- Nice to have
+		"version"; -- Replies to server version requests
+		"uptime"; -- Report how long server has been running
+		"time"; -- Let others know the time here on this server
+		"ping"; -- Replies to XMPP pings with pongs
+		"register"; -- Allow users to register on this server using a client and change passwords
+		--"mam"; -- Store messages in an archive and allow users to access it
+		--"csi_simple"; -- Simple Mobile optimizations
+
+	-- Admin interfaces
+		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+	-- HTTP modules
+		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+		--"websocket"; -- XMPP over WebSockets
+		--"http_files"; -- Serve static files from a directory over HTTP
+
+	-- Other specific functionality
+		--"groups"; -- Shared roster support
+		--"server_contact_info"; -- Publish contact information for this service
+		--"announce"; -- Send announcement to all online users
+		--"welcome"; -- Welcome users who register accounts
+		--"watchregistrations"; -- Alert admins of registrations
+		--"motd"; -- Send a message to users when they log in
+		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+		--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+		"net_proxy";
+		"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+	-- "offline"; -- Store offline messages
+	-- "c2s"; -- Handle client connections
+	-- "s2s"; -- Handle server-to-server connections
+	-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "xp1.example.org", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+    [15222] = "c2s",
+    [15269] = "s2s"
+}
+
+--[[
+  Specifies a list of trusted hosts or networks which may use the PROXY protocol
+  If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+  An empty table ({}) can be configured to allow connections from any source.
+  Please read the module documentation about potential security impact.
+]]-- 
+proxy_trusted_proxies = {
+    "192.5.0.40"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask.. 
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+  c2s = {
+    rate = "10kb/s";
+  };
+  s2sin = {
+    rate = "30kb/s";
+  };
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+	-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+	-- error = "prosody.err";
+	--info = "*syslog"; -- Uncomment this for logging to syslog
+	debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+--	certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+--	component_secret = "password"

integration/08-c2s-tls/xmpp-proxy1.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:443" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.20:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.20:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/wildcard.key"
+tls_cert = "/etc/prosody/certs/wildcard.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/08-c2s-tls/xmpp-proxy3.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/09-c2s-a-record-quic/example.org.zone

@@ -0,0 +1,21 @@
+$TTL 300
+; example.org
+@       IN      SOA     ns1.example.org. postmaster.example.org. (
+                                        2018111111 ; Serial
+                                        28800      ; Refresh
+                                        1800       ; Retry
+                                        604800     ; Expire - 1 week
+                                        86400 )    ; Negative Cache TTL
+                IN      NS      ns1
+ns1             IN      A       192.5.0.10
+server1         IN      A       192.5.0.20
+server2         IN      A       192.5.0.30
+xp1         IN      A       192.5.0.40
+xp2         IN      A       192.5.0.50
+xp3         IN      A       192.5.0.60
+
+one    IN      CNAME   xp1
+two    IN      CNAME   xp1
+
+scansion.one    IN      CNAME   xp3
+scansion.two    IN      CNAME   xp3

integration/09-c2s-a-record-quic/prosody1.cfg.lua

@@ -0,0 +1,253 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+--     prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+	-- Generally required
+		"roster"; -- Allow users to have a roster. Recommended ;)
+		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+		--"tls"; -- Add support for secure TLS on c2s/s2s connections
+		"dialback"; -- s2s dialback support
+		"disco"; -- Service discovery
+
+	-- Not essential, but recommended
+		"carbons"; -- Keep multiple clients in sync
+		"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+		"private"; -- Private XML storage (for room bookmarks, etc.)
+		"blocklist"; -- Allow users to block communications with other users
+		"vcard4"; -- User profiles (stored in PEP)
+		"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+		"limits"; -- Enable bandwidth limiting for XMPP connections
+
+	-- Nice to have
+		"version"; -- Replies to server version requests
+		"uptime"; -- Report how long server has been running
+		"time"; -- Let others know the time here on this server
+		"ping"; -- Replies to XMPP pings with pongs
+		"register"; -- Allow users to register on this server using a client and change passwords
+		--"mam"; -- Store messages in an archive and allow users to access it
+		--"csi_simple"; -- Simple Mobile optimizations
+
+	-- Admin interfaces
+		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+	-- HTTP modules
+		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+		--"websocket"; -- XMPP over WebSockets
+		--"http_files"; -- Serve static files from a directory over HTTP
+
+	-- Other specific functionality
+		--"groups"; -- Shared roster support
+		--"server_contact_info"; -- Publish contact information for this service
+		--"announce"; -- Send announcement to all online users
+		--"welcome"; -- Welcome users who register accounts
+		--"watchregistrations"; -- Alert admins of registrations
+		--"motd"; -- Send a message to users when they log in
+		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+		--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+		"net_proxy";
+		"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+	-- "offline"; -- Store offline messages
+	-- "c2s"; -- Handle client connections
+	-- "s2s"; -- Handle server-to-server connections
+	-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "xp1.example.org", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+    [15222] = "c2s",
+    [15269] = "s2s"
+}
+
+--[[
+  Specifies a list of trusted hosts or networks which may use the PROXY protocol
+  If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+  An empty table ({}) can be configured to allow connections from any source.
+  Please read the module documentation about potential security impact.
+]]-- 
+proxy_trusted_proxies = {
+    "192.5.0.40"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask.. 
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+  c2s = {
+    rate = "10kb/s";
+  };
+  s2sin = {
+    rate = "30kb/s";
+  };
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+	-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+	-- error = "prosody.err";
+	--info = "*syslog"; -- Uncomment this for logging to syslog
+	debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+--	certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+--	component_secret = "password"

integration/09-c2s-a-record-quic/xmpp-proxy1.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ "0.0.0.0:443" ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.20:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.20:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/wildcard.key"
+tls_cert = "/etc/prosody/certs/wildcard.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/09-c2s-a-record-quic/xmpp-proxy3.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/10-client-srv-record-quic/example.org.zone

@@ -0,0 +1,21 @@
+$TTL 300
+; example.org
+@       IN      SOA     ns1.example.org. postmaster.example.org. (
+                                        2018111111 ; Serial
+                                        28800      ; Refresh
+                                        1800       ; Retry
+                                        604800     ; Expire - 1 week
+                                        86400 )    ; Negative Cache TTL
+                IN      NS      ns1
+ns1             IN      A       192.5.0.10
+server1         IN      A       192.5.0.20
+server2         IN      A       192.5.0.30
+xp1         IN      A       192.5.0.40
+xp2         IN      A       192.5.0.50
+xp3         IN      A       192.5.0.60
+
+_xmppq-client._udp.one  IN      SRV     5   1       5443     xp1
+_xmppq-client._udp.two  IN      SRV     5   1       5443     xp1
+
+scansion.one    IN      CNAME   xp3
+scansion.two    IN      CNAME   xp3

integration/10-client-srv-record-quic/prosody1.cfg.lua

@@ -0,0 +1,253 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+--     prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+	-- Generally required
+		"roster"; -- Allow users to have a roster. Recommended ;)
+		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+		--"tls"; -- Add support for secure TLS on c2s/s2s connections
+		"dialback"; -- s2s dialback support
+		"disco"; -- Service discovery
+
+	-- Not essential, but recommended
+		"carbons"; -- Keep multiple clients in sync
+		"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+		"private"; -- Private XML storage (for room bookmarks, etc.)
+		"blocklist"; -- Allow users to block communications with other users
+		"vcard4"; -- User profiles (stored in PEP)
+		"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+		"limits"; -- Enable bandwidth limiting for XMPP connections
+
+	-- Nice to have
+		"version"; -- Replies to server version requests
+		"uptime"; -- Report how long server has been running
+		"time"; -- Let others know the time here on this server
+		"ping"; -- Replies to XMPP pings with pongs
+		"register"; -- Allow users to register on this server using a client and change passwords
+		--"mam"; -- Store messages in an archive and allow users to access it
+		--"csi_simple"; -- Simple Mobile optimizations
+
+	-- Admin interfaces
+		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+	-- HTTP modules
+		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+		--"websocket"; -- XMPP over WebSockets
+		--"http_files"; -- Serve static files from a directory over HTTP
+
+	-- Other specific functionality
+		--"groups"; -- Shared roster support
+		--"server_contact_info"; -- Publish contact information for this service
+		--"announce"; -- Send announcement to all online users
+		--"welcome"; -- Welcome users who register accounts
+		--"watchregistrations"; -- Alert admins of registrations
+		--"motd"; -- Send a message to users when they log in
+		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+		--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+		"net_proxy";
+		"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+	-- "offline"; -- Store offline messages
+	-- "c2s"; -- Handle client connections
+	-- "s2s"; -- Handle server-to-server connections
+	-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "xp1.example.org", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+    [15222] = "c2s",
+    [15269] = "s2s"
+}
+
+--[[
+  Specifies a list of trusted hosts or networks which may use the PROXY protocol
+  If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+  An empty table ({}) can be configured to allow connections from any source.
+  Please read the module documentation about potential security impact.
+]]-- 
+proxy_trusted_proxies = {
+    "192.5.0.40"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask.. 
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+  c2s = {
+    rate = "10kb/s";
+  };
+  s2sin = {
+    rate = "30kb/s";
+  };
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+	-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+	-- error = "prosody.err";
+	--info = "*syslog"; -- Uncomment this for logging to syslog
+	debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+--	certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+--	component_secret = "password"

integration/10-client-srv-record-quic/xmpp-proxy1.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ "0.0.0.0:5443" ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.20:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.20:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/wildcard.key"
+tls_cert = "/etc/prosody/certs/wildcard.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/10-client-srv-record-quic/xmpp-proxy3.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/11-c2s-websocket/example.org.zone

@@ -0,0 +1,23 @@
+$TTL 300
+; example.org
+@       IN      SOA     ns1.example.org. postmaster.example.org. (
+                                        2018111111 ; Serial
+                                        28800      ; Refresh
+                                        1800       ; Retry
+                                        604800     ; Expire - 1 week
+                                        86400 )    ; Negative Cache TTL
+                IN      NS      ns1
+ns1             IN      A       192.5.0.10
+server1         IN      A       192.5.0.20
+server2         IN      A       192.5.0.30
+xp1         IN      A       192.5.0.40
+xp2         IN      A       192.5.0.50
+xp3         IN      A       192.5.0.60
+
+one    IN      CNAME   xp1
+two    IN      CNAME   xp1
+_xmppconnect.one     IN      TXT     "_xmpp-client-websocket=wss://one.example.org:5281/xmpp-websocket"
+_xmppconnect.two     IN      TXT     "_xmpp-client-websocket=wss://two.example.org:5281/xmpp-websocket"
+
+scansion.one    IN      CNAME   xp3
+scansion.two    IN      CNAME   xp3

integration/11-c2s-websocket/prosody1.cfg.lua

@@ -0,0 +1,253 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+--     prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+	-- Generally required
+		"roster"; -- Allow users to have a roster. Recommended ;)
+		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+		--"tls"; -- Add support for secure TLS on c2s/s2s connections
+		"dialback"; -- s2s dialback support
+		"disco"; -- Service discovery
+
+	-- Not essential, but recommended
+		"carbons"; -- Keep multiple clients in sync
+		"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+		"private"; -- Private XML storage (for room bookmarks, etc.)
+		"blocklist"; -- Allow users to block communications with other users
+		"vcard4"; -- User profiles (stored in PEP)
+		"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+		"limits"; -- Enable bandwidth limiting for XMPP connections
+
+	-- Nice to have
+		"version"; -- Replies to server version requests
+		"uptime"; -- Report how long server has been running
+		"time"; -- Let others know the time here on this server
+		"ping"; -- Replies to XMPP pings with pongs
+		"register"; -- Allow users to register on this server using a client and change passwords
+		--"mam"; -- Store messages in an archive and allow users to access it
+		--"csi_simple"; -- Simple Mobile optimizations
+
+	-- Admin interfaces
+		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+	-- HTTP modules
+		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+		--"websocket"; -- XMPP over WebSockets
+		--"http_files"; -- Serve static files from a directory over HTTP
+
+	-- Other specific functionality
+		--"groups"; -- Shared roster support
+		--"server_contact_info"; -- Publish contact information for this service
+		--"announce"; -- Send announcement to all online users
+		--"welcome"; -- Welcome users who register accounts
+		--"watchregistrations"; -- Alert admins of registrations
+		--"motd"; -- Send a message to users when they log in
+		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+		--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+		"net_proxy";
+		"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+	-- "offline"; -- Store offline messages
+	-- "c2s"; -- Handle client connections
+	-- "s2s"; -- Handle server-to-server connections
+	-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "xp1.example.org", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+    [15222] = "c2s",
+    [15269] = "s2s"
+}
+
+--[[
+  Specifies a list of trusted hosts or networks which may use the PROXY protocol
+  If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+  An empty table ({}) can be configured to allow connections from any source.
+  Please read the module documentation about potential security impact.
+]]-- 
+proxy_trusted_proxies = {
+    "192.5.0.40"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask.. 
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+  c2s = {
+    rate = "10kb/s";
+  };
+  s2sin = {
+    rate = "30kb/s";
+  };
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+	-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+	-- error = "prosody.err";
+	--info = "*syslog"; -- Uncomment this for logging to syslog
+	debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+--	certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+--	component_secret = "password"

integration/11-c2s-websocket/xmpp-proxy1.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ "0.0.0.0:5281" ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.20:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.20:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/wildcard.key"
+tls_cert = "/etc/prosody/certs/wildcard.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/11-c2s-websocket/xmpp-proxy3.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/12-s2s-a-record-starttls/example.org.zone

@@ -0,0 +1,21 @@
+$TTL 300
+; example.org
+@       IN      SOA     ns1.example.org. postmaster.example.org. (
+                                        2018111111 ; Serial
+                                        28800      ; Refresh
+                                        1800       ; Retry
+                                        604800     ; Expire - 1 week
+                                        86400 )    ; Negative Cache TTL
+                IN      NS      ns1
+ns1             IN      A       192.5.0.10
+server1         IN      A       192.5.0.20
+server2         IN      A       192.5.0.30
+xp1         IN      A       192.5.0.40
+xp2         IN      A       192.5.0.50
+xp3         IN      A       192.5.0.60
+
+one    IN      CNAME   xp1
+two    IN      CNAME   xp2
+
+scansion.one    IN      CNAME   xp3
+scansion.two    IN      CNAME   xp3

integration/12-s2s-a-record-starttls/prosody1.cfg.lua

@@ -0,0 +1,251 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+--     prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+	-- Generally required
+		"roster"; -- Allow users to have a roster. Recommended ;)
+		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+		--"tls"; -- Add support for secure TLS on c2s/s2s connections
+		"dialback"; -- s2s dialback support
+		"disco"; -- Service discovery
+
+	-- Not essential, but recommended
+		"carbons"; -- Keep multiple clients in sync
+		"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+		"private"; -- Private XML storage (for room bookmarks, etc.)
+		"blocklist"; -- Allow users to block communications with other users
+		"vcard4"; -- User profiles (stored in PEP)
+		"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+		"limits"; -- Enable bandwidth limiting for XMPP connections
+
+	-- Nice to have
+		"version"; -- Replies to server version requests
+		"uptime"; -- Report how long server has been running
+		"time"; -- Let others know the time here on this server
+		"ping"; -- Replies to XMPP pings with pongs
+		"register"; -- Allow users to register on this server using a client and change passwords
+		--"mam"; -- Store messages in an archive and allow users to access it
+		--"csi_simple"; -- Simple Mobile optimizations
+
+	-- Admin interfaces
+		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+	-- HTTP modules
+		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+		--"websocket"; -- XMPP over WebSockets
+		--"http_files"; -- Serve static files from a directory over HTTP
+
+	-- Other specific functionality
+		--"groups"; -- Shared roster support
+		--"server_contact_info"; -- Publish contact information for this service
+		--"announce"; -- Send announcement to all online users
+		--"welcome"; -- Welcome users who register accounts
+		--"watchregistrations"; -- Alert admins of registrations
+		--"motd"; -- Send a message to users when they log in
+		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+		--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+		"net_proxy";
+		"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+	-- "offline"; -- Store offline messages
+	-- "c2s"; -- Handle client connections
+	-- "s2s"; -- Handle server-to-server connections
+	-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "192.5.0.40", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+    [15222] = "c2s",
+    [15269] = "s2s"
+}
+
+--[[
+  Specifies a list of trusted hosts or networks which may use the PROXY protocol
+  If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+  An empty table ({}) can be configured to allow connections from any source.
+  Please read the module documentation about potential security impact.
+]]-- 
+proxy_trusted_proxies = {
+    "192.5.0.40"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask.. 
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+  c2s = {
+    rate = "10kb/s";
+  };
+  s2sin = {
+    rate = "30kb/s";
+  };
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+	-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+	-- error = "prosody.err";
+	--info = "*syslog"; -- Uncomment this for logging to syslog
+	debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+--VirtualHost "example.com"
+--	certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+--	component_secret = "password"

integration/12-s2s-a-record-starttls/prosody2.cfg.lua

@@ -0,0 +1,251 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+--     prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+	-- Generally required
+		"roster"; -- Allow users to have a roster. Recommended ;)
+		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+		--"tls"; -- Add support for secure TLS on c2s/s2s connections
+		"dialback"; -- s2s dialback support
+		"disco"; -- Service discovery
+
+	-- Not essential, but recommended
+		"carbons"; -- Keep multiple clients in sync
+		"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+		"private"; -- Private XML storage (for room bookmarks, etc.)
+		"blocklist"; -- Allow users to block communications with other users
+		"vcard4"; -- User profiles (stored in PEP)
+		"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+		"limits"; -- Enable bandwidth limiting for XMPP connections
+
+	-- Nice to have
+		"version"; -- Replies to server version requests
+		"uptime"; -- Report how long server has been running
+		"time"; -- Let others know the time here on this server
+		"ping"; -- Replies to XMPP pings with pongs
+		"register"; -- Allow users to register on this server using a client and change passwords
+		--"mam"; -- Store messages in an archive and allow users to access it
+		--"csi_simple"; -- Simple Mobile optimizations
+
+	-- Admin interfaces
+		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+	-- HTTP modules
+		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+		--"websocket"; -- XMPP over WebSockets
+		--"http_files"; -- Serve static files from a directory over HTTP
+
+	-- Other specific functionality
+		--"groups"; -- Shared roster support
+		--"server_contact_info"; -- Publish contact information for this service
+		--"announce"; -- Send announcement to all online users
+		--"welcome"; -- Welcome users who register accounts
+		--"watchregistrations"; -- Alert admins of registrations
+		--"motd"; -- Send a message to users when they log in
+		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+		--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+		"net_proxy";
+		"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+	-- "offline"; -- Store offline messages
+	-- "c2s"; -- Handle client connections
+	-- "s2s"; -- Handle server-to-server connections
+	-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "192.5.0.50", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+    [15222] = "c2s",
+    [15269] = "s2s"
+}
+
+--[[
+  Specifies a list of trusted hosts or networks which may use the PROXY protocol
+  If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+  An empty table ({}) can be configured to allow connections from any source.
+  Please read the module documentation about potential security impact.
+]]-- 
+proxy_trusted_proxies = {
+    "192.5.0.50"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask.. 
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+  c2s = {
+    rate = "10kb/s";
+  };
+  s2sin = {
+    rate = "30kb/s";
+  };
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+	-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+	-- error = "prosody.err";
+	--info = "*syslog"; -- Uncomment this for logging to syslog
+	debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+--	certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+--	component_secret = "password"

integration/12-s2s-a-record-starttls/xmpp-proxy1.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:5269" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:15270" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.20:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.20:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/one.example.org.key"
+tls_cert = "/etc/prosody/certs/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/12-s2s-a-record-starttls/xmpp-proxy2.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:5269" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:15270" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.30:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.30:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/two.example.org.key"
+tls_cert = "/etc/prosody/certs/two.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/12-s2s-a-record-starttls/xmpp-proxy3.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/13-s2s-srv-record-starttls/example.org.zone

@@ -0,0 +1,23 @@
+$TTL 300
+; example.org
+@       IN      SOA     ns1.example.org. postmaster.example.org. (
+                                        2018111111 ; Serial
+                                        28800      ; Refresh
+                                        1800       ; Retry
+                                        604800     ; Expire - 1 week
+                                        86400 )    ; Negative Cache TTL
+                IN      NS      ns1
+ns1             IN      A       192.5.0.10
+server1         IN      A       192.5.0.20
+server2         IN      A       192.5.0.30
+xp1         IN      A       192.5.0.40
+xp2         IN      A       192.5.0.50
+xp3         IN      A       192.5.0.60
+
+one    IN      CNAME   xp1
+two    IN      CNAME   xp2
+_xmpp-server._tcp.one  IN      SRV     5   1       52269     xp1
+_xmpp-server._tcp.two  IN      SRV     5   1       52269     xp2
+
+scansion.one    IN      CNAME   xp3
+scansion.two    IN      CNAME   xp3

integration/13-s2s-srv-record-starttls/prosody1.cfg.lua

@@ -0,0 +1,251 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+--     prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+	-- Generally required
+		"roster"; -- Allow users to have a roster. Recommended ;)
+		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+		--"tls"; -- Add support for secure TLS on c2s/s2s connections
+		"dialback"; -- s2s dialback support
+		"disco"; -- Service discovery
+
+	-- Not essential, but recommended
+		"carbons"; -- Keep multiple clients in sync
+		"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+		"private"; -- Private XML storage (for room bookmarks, etc.)
+		"blocklist"; -- Allow users to block communications with other users
+		"vcard4"; -- User profiles (stored in PEP)
+		"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+		"limits"; -- Enable bandwidth limiting for XMPP connections
+
+	-- Nice to have
+		"version"; -- Replies to server version requests
+		"uptime"; -- Report how long server has been running
+		"time"; -- Let others know the time here on this server
+		"ping"; -- Replies to XMPP pings with pongs
+		"register"; -- Allow users to register on this server using a client and change passwords
+		--"mam"; -- Store messages in an archive and allow users to access it
+		--"csi_simple"; -- Simple Mobile optimizations
+
+	-- Admin interfaces
+		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+	-- HTTP modules
+		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+		--"websocket"; -- XMPP over WebSockets
+		--"http_files"; -- Serve static files from a directory over HTTP
+
+	-- Other specific functionality
+		--"groups"; -- Shared roster support
+		--"server_contact_info"; -- Publish contact information for this service
+		--"announce"; -- Send announcement to all online users
+		--"welcome"; -- Welcome users who register accounts
+		--"watchregistrations"; -- Alert admins of registrations
+		--"motd"; -- Send a message to users when they log in
+		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+		--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+		"net_proxy";
+		"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+	-- "offline"; -- Store offline messages
+	-- "c2s"; -- Handle client connections
+	-- "s2s"; -- Handle server-to-server connections
+	-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "192.5.0.40", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+    [15222] = "c2s",
+    [15269] = "s2s"
+}
+
+--[[
+  Specifies a list of trusted hosts or networks which may use the PROXY protocol
+  If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+  An empty table ({}) can be configured to allow connections from any source.
+  Please read the module documentation about potential security impact.
+]]-- 
+proxy_trusted_proxies = {
+    "192.5.0.40"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask.. 
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+  c2s = {
+    rate = "10kb/s";
+  };
+  s2sin = {
+    rate = "30kb/s";
+  };
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+	-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+	-- error = "prosody.err";
+	--info = "*syslog"; -- Uncomment this for logging to syslog
+	debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+--VirtualHost "example.com"
+--	certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+--	component_secret = "password"

integration/13-s2s-srv-record-starttls/prosody2.cfg.lua

@@ -0,0 +1,251 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+--     prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+	-- Generally required
+		"roster"; -- Allow users to have a roster. Recommended ;)
+		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+		--"tls"; -- Add support for secure TLS on c2s/s2s connections
+		"dialback"; -- s2s dialback support
+		"disco"; -- Service discovery
+
+	-- Not essential, but recommended
+		"carbons"; -- Keep multiple clients in sync
+		"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+		"private"; -- Private XML storage (for room bookmarks, etc.)
+		"blocklist"; -- Allow users to block communications with other users
+		"vcard4"; -- User profiles (stored in PEP)
+		"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+		"limits"; -- Enable bandwidth limiting for XMPP connections
+
+	-- Nice to have
+		"version"; -- Replies to server version requests
+		"uptime"; -- Report how long server has been running
+		"time"; -- Let others know the time here on this server
+		"ping"; -- Replies to XMPP pings with pongs
+		"register"; -- Allow users to register on this server using a client and change passwords
+		--"mam"; -- Store messages in an archive and allow users to access it
+		--"csi_simple"; -- Simple Mobile optimizations
+
+	-- Admin interfaces
+		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+	-- HTTP modules
+		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+		--"websocket"; -- XMPP over WebSockets
+		--"http_files"; -- Serve static files from a directory over HTTP
+
+	-- Other specific functionality
+		--"groups"; -- Shared roster support
+		--"server_contact_info"; -- Publish contact information for this service
+		--"announce"; -- Send announcement to all online users
+		--"welcome"; -- Welcome users who register accounts
+		--"watchregistrations"; -- Alert admins of registrations
+		--"motd"; -- Send a message to users when they log in
+		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+		--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+		"net_proxy";
+		"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+	-- "offline"; -- Store offline messages
+	-- "c2s"; -- Handle client connections
+	-- "s2s"; -- Handle server-to-server connections
+	-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "192.5.0.50", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+    [15222] = "c2s",
+    [15269] = "s2s"
+}
+
+--[[
+  Specifies a list of trusted hosts or networks which may use the PROXY protocol
+  If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+  An empty table ({}) can be configured to allow connections from any source.
+  Please read the module documentation about potential security impact.
+]]-- 
+proxy_trusted_proxies = {
+    "192.5.0.50"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask.. 
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+  c2s = {
+    rate = "10kb/s";
+  };
+  s2sin = {
+    rate = "30kb/s";
+  };
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+	-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+	-- error = "prosody.err";
+	--info = "*syslog"; -- Uncomment this for logging to syslog
+	debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+--	certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+--	component_secret = "password"

integration/13-s2s-srv-record-starttls/xmpp-proxy1.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:52269" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:15270" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.20:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.20:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/one.example.org.key"
+tls_cert = "/etc/prosody/certs/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/13-s2s-srv-record-starttls/xmpp-proxy2.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:52269" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:15270" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.30:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.30:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/two.example.org.key"
+tls_cert = "/etc/prosody/certs/two.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/13-s2s-srv-record-starttls/xmpp-proxy3.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/14-s2s-a-record-tls/example.org.zone

@@ -0,0 +1,21 @@
+$TTL 300
+; example.org
+@       IN      SOA     ns1.example.org. postmaster.example.org. (
+                                        2018111111 ; Serial
+                                        28800      ; Refresh
+                                        1800       ; Retry
+                                        604800     ; Expire - 1 week
+                                        86400 )    ; Negative Cache TTL
+                IN      NS      ns1
+ns1             IN      A       192.5.0.10
+server1         IN      A       192.5.0.20
+server2         IN      A       192.5.0.30
+xp1         IN      A       192.5.0.40
+xp2         IN      A       192.5.0.50
+xp3         IN      A       192.5.0.60
+
+one    IN      CNAME   xp1
+two    IN      CNAME   xp2
+
+scansion.one    IN      CNAME   xp3
+scansion.two    IN      CNAME   xp3

integration/14-s2s-a-record-tls/prosody1.cfg.lua

@@ -0,0 +1,251 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+--     prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+	-- Generally required
+		"roster"; -- Allow users to have a roster. Recommended ;)
+		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+		--"tls"; -- Add support for secure TLS on c2s/s2s connections
+		"dialback"; -- s2s dialback support
+		"disco"; -- Service discovery
+
+	-- Not essential, but recommended
+		"carbons"; -- Keep multiple clients in sync
+		"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+		"private"; -- Private XML storage (for room bookmarks, etc.)
+		"blocklist"; -- Allow users to block communications with other users
+		"vcard4"; -- User profiles (stored in PEP)
+		"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+		"limits"; -- Enable bandwidth limiting for XMPP connections
+
+	-- Nice to have
+		"version"; -- Replies to server version requests
+		"uptime"; -- Report how long server has been running
+		"time"; -- Let others know the time here on this server
+		"ping"; -- Replies to XMPP pings with pongs
+		"register"; -- Allow users to register on this server using a client and change passwords
+		--"mam"; -- Store messages in an archive and allow users to access it
+		--"csi_simple"; -- Simple Mobile optimizations
+
+	-- Admin interfaces
+		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+	-- HTTP modules
+		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+		--"websocket"; -- XMPP over WebSockets
+		--"http_files"; -- Serve static files from a directory over HTTP
+
+	-- Other specific functionality
+		--"groups"; -- Shared roster support
+		--"server_contact_info"; -- Publish contact information for this service
+		--"announce"; -- Send announcement to all online users
+		--"welcome"; -- Welcome users who register accounts
+		--"watchregistrations"; -- Alert admins of registrations
+		--"motd"; -- Send a message to users when they log in
+		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+		--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+		"net_proxy";
+		"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+	-- "offline"; -- Store offline messages
+	-- "c2s"; -- Handle client connections
+	-- "s2s"; -- Handle server-to-server connections
+	-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "192.5.0.40", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+    [15222] = "c2s",
+    [15269] = "s2s"
+}
+
+--[[
+  Specifies a list of trusted hosts or networks which may use the PROXY protocol
+  If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+  An empty table ({}) can be configured to allow connections from any source.
+  Please read the module documentation about potential security impact.
+]]-- 
+proxy_trusted_proxies = {
+    "192.5.0.40"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask.. 
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+  c2s = {
+    rate = "10kb/s";
+  };
+  s2sin = {
+    rate = "30kb/s";
+  };
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+	-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+	-- error = "prosody.err";
+	--info = "*syslog"; -- Uncomment this for logging to syslog
+	debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+--VirtualHost "example.com"
+--	certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+--	component_secret = "password"

integration/14-s2s-a-record-tls/prosody2.cfg.lua

@@ -0,0 +1,251 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+--     prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+	-- Generally required
+		"roster"; -- Allow users to have a roster. Recommended ;)
+		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+		--"tls"; -- Add support for secure TLS on c2s/s2s connections
+		"dialback"; -- s2s dialback support
+		"disco"; -- Service discovery
+
+	-- Not essential, but recommended
+		"carbons"; -- Keep multiple clients in sync
+		"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+		"private"; -- Private XML storage (for room bookmarks, etc.)
+		"blocklist"; -- Allow users to block communications with other users
+		"vcard4"; -- User profiles (stored in PEP)
+		"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+		"limits"; -- Enable bandwidth limiting for XMPP connections
+
+	-- Nice to have
+		"version"; -- Replies to server version requests
+		"uptime"; -- Report how long server has been running
+		"time"; -- Let others know the time here on this server
+		"ping"; -- Replies to XMPP pings with pongs
+		"register"; -- Allow users to register on this server using a client and change passwords
+		--"mam"; -- Store messages in an archive and allow users to access it
+		--"csi_simple"; -- Simple Mobile optimizations
+
+	-- Admin interfaces
+		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+	-- HTTP modules
+		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+		--"websocket"; -- XMPP over WebSockets
+		--"http_files"; -- Serve static files from a directory over HTTP
+
+	-- Other specific functionality
+		--"groups"; -- Shared roster support
+		--"server_contact_info"; -- Publish contact information for this service
+		--"announce"; -- Send announcement to all online users
+		--"welcome"; -- Welcome users who register accounts
+		--"watchregistrations"; -- Alert admins of registrations
+		--"motd"; -- Send a message to users when they log in
+		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+		--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+		"net_proxy";
+		"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+	-- "offline"; -- Store offline messages
+	-- "c2s"; -- Handle client connections
+	-- "s2s"; -- Handle server-to-server connections
+	-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "192.5.0.50", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+    [15222] = "c2s",
+    [15269] = "s2s"
+}
+
+--[[
+  Specifies a list of trusted hosts or networks which may use the PROXY protocol
+  If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+  An empty table ({}) can be configured to allow connections from any source.
+  Please read the module documentation about potential security impact.
+]]-- 
+proxy_trusted_proxies = {
+    "192.5.0.50"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask.. 
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+  c2s = {
+    rate = "10kb/s";
+  };
+  s2sin = {
+    rate = "30kb/s";
+  };
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+	-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+	-- error = "prosody.err";
+	--info = "*syslog"; -- Uncomment this for logging to syslog
+	debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+--	certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+--	component_secret = "password"

integration/14-s2s-a-record-tls/xmpp-proxy1.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:443" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:15270" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.20:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.20:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/one.example.org.key"
+tls_cert = "/etc/prosody/certs/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/14-s2s-a-record-tls/xmpp-proxy2.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:443" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:15270" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.30:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.30:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/two.example.org.key"
+tls_cert = "/etc/prosody/certs/two.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/14-s2s-a-record-tls/xmpp-proxy3.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/15-s2s-srv-record-tls/example.org.zone

@@ -0,0 +1,23 @@
+$TTL 300
+; example.org
+@       IN      SOA     ns1.example.org. postmaster.example.org. (
+                                        2018111111 ; Serial
+                                        28800      ; Refresh
+                                        1800       ; Retry
+                                        604800     ; Expire - 1 week
+                                        86400 )    ; Negative Cache TTL
+                IN      NS      ns1
+ns1             IN      A       192.5.0.10
+server1         IN      A       192.5.0.20
+server2         IN      A       192.5.0.30
+xp1         IN      A       192.5.0.40
+xp2         IN      A       192.5.0.50
+xp3         IN      A       192.5.0.60
+
+one    IN      CNAME   xp1
+two    IN      CNAME   xp2
+_xmpps-server._tcp.one  IN      SRV     5   1       52269     xp1
+_xmpps-server._tcp.two  IN      SRV     5   1       52269     xp2
+
+scansion.one    IN      CNAME   xp3
+scansion.two    IN      CNAME   xp3

integration/15-s2s-srv-record-tls/prosody1.cfg.lua

@@ -0,0 +1,251 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+--     prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+	-- Generally required
+		"roster"; -- Allow users to have a roster. Recommended ;)
+		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+		--"tls"; -- Add support for secure TLS on c2s/s2s connections
+		"dialback"; -- s2s dialback support
+		"disco"; -- Service discovery
+
+	-- Not essential, but recommended
+		"carbons"; -- Keep multiple clients in sync
+		"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+		"private"; -- Private XML storage (for room bookmarks, etc.)
+		"blocklist"; -- Allow users to block communications with other users
+		"vcard4"; -- User profiles (stored in PEP)
+		"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+		"limits"; -- Enable bandwidth limiting for XMPP connections
+
+	-- Nice to have
+		"version"; -- Replies to server version requests
+		"uptime"; -- Report how long server has been running
+		"time"; -- Let others know the time here on this server
+		"ping"; -- Replies to XMPP pings with pongs
+		"register"; -- Allow users to register on this server using a client and change passwords
+		--"mam"; -- Store messages in an archive and allow users to access it
+		--"csi_simple"; -- Simple Mobile optimizations
+
+	-- Admin interfaces
+		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+	-- HTTP modules
+		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+		--"websocket"; -- XMPP over WebSockets
+		--"http_files"; -- Serve static files from a directory over HTTP
+
+	-- Other specific functionality
+		--"groups"; -- Shared roster support
+		--"server_contact_info"; -- Publish contact information for this service
+		--"announce"; -- Send announcement to all online users
+		--"welcome"; -- Welcome users who register accounts
+		--"watchregistrations"; -- Alert admins of registrations
+		--"motd"; -- Send a message to users when they log in
+		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+		--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+		"net_proxy";
+		"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+	-- "offline"; -- Store offline messages
+	-- "c2s"; -- Handle client connections
+	-- "s2s"; -- Handle server-to-server connections
+	-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "192.5.0.40", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+    [15222] = "c2s",
+    [15269] = "s2s"
+}
+
+--[[
+  Specifies a list of trusted hosts or networks which may use the PROXY protocol
+  If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+  An empty table ({}) can be configured to allow connections from any source.
+  Please read the module documentation about potential security impact.
+]]-- 
+proxy_trusted_proxies = {
+    "192.5.0.40"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask.. 
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+  c2s = {
+    rate = "10kb/s";
+  };
+  s2sin = {
+    rate = "30kb/s";
+  };
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+	-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+	-- error = "prosody.err";
+	--info = "*syslog"; -- Uncomment this for logging to syslog
+	debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+--VirtualHost "example.com"
+--	certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+--	component_secret = "password"

integration/15-s2s-srv-record-tls/prosody2.cfg.lua

@@ -0,0 +1,251 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+--     prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+	-- Generally required
+		"roster"; -- Allow users to have a roster. Recommended ;)
+		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+		--"tls"; -- Add support for secure TLS on c2s/s2s connections
+		"dialback"; -- s2s dialback support
+		"disco"; -- Service discovery
+
+	-- Not essential, but recommended
+		"carbons"; -- Keep multiple clients in sync
+		"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+		"private"; -- Private XML storage (for room bookmarks, etc.)
+		"blocklist"; -- Allow users to block communications with other users
+		"vcard4"; -- User profiles (stored in PEP)
+		"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+		"limits"; -- Enable bandwidth limiting for XMPP connections
+
+	-- Nice to have
+		"version"; -- Replies to server version requests
+		"uptime"; -- Report how long server has been running
+		"time"; -- Let others know the time here on this server
+		"ping"; -- Replies to XMPP pings with pongs
+		"register"; -- Allow users to register on this server using a client and change passwords
+		--"mam"; -- Store messages in an archive and allow users to access it
+		--"csi_simple"; -- Simple Mobile optimizations
+
+	-- Admin interfaces
+		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+	-- HTTP modules
+		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+		--"websocket"; -- XMPP over WebSockets
+		--"http_files"; -- Serve static files from a directory over HTTP
+
+	-- Other specific functionality
+		--"groups"; -- Shared roster support
+		--"server_contact_info"; -- Publish contact information for this service
+		--"announce"; -- Send announcement to all online users
+		--"welcome"; -- Welcome users who register accounts
+		--"watchregistrations"; -- Alert admins of registrations
+		--"motd"; -- Send a message to users when they log in
+		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+		--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+		"net_proxy";
+		"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+	-- "offline"; -- Store offline messages
+	-- "c2s"; -- Handle client connections
+	-- "s2s"; -- Handle server-to-server connections
+	-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "192.5.0.50", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+    [15222] = "c2s",
+    [15269] = "s2s"
+}
+
+--[[
+  Specifies a list of trusted hosts or networks which may use the PROXY protocol
+  If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+  An empty table ({}) can be configured to allow connections from any source.
+  Please read the module documentation about potential security impact.
+]]-- 
+proxy_trusted_proxies = {
+    "192.5.0.50"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask.. 
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+  c2s = {
+    rate = "10kb/s";
+  };
+  s2sin = {
+    rate = "30kb/s";
+  };
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+	-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+	-- error = "prosody.err";
+	--info = "*syslog"; -- Uncomment this for logging to syslog
+	debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+--	certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+--	component_secret = "password"

integration/15-s2s-srv-record-tls/xmpp-proxy1.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:52269" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:15270" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.20:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.20:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/one.example.org.key"
+tls_cert = "/etc/prosody/certs/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/15-s2s-srv-record-tls/xmpp-proxy2.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:52269" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:15270" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.30:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.30:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/two.example.org.key"
+tls_cert = "/etc/prosody/certs/two.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/15-s2s-srv-record-tls/xmpp-proxy3.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/16-s2s-a-record-quic/example.org.zone

@@ -0,0 +1,21 @@
+$TTL 300
+; example.org
+@       IN      SOA     ns1.example.org. postmaster.example.org. (
+                                        2018111111 ; Serial
+                                        28800      ; Refresh
+                                        1800       ; Retry
+                                        604800     ; Expire - 1 week
+                                        86400 )    ; Negative Cache TTL
+                IN      NS      ns1
+ns1             IN      A       192.5.0.10
+server1         IN      A       192.5.0.20
+server2         IN      A       192.5.0.30
+xp1         IN      A       192.5.0.40
+xp2         IN      A       192.5.0.50
+xp3         IN      A       192.5.0.60
+
+one    IN      CNAME   xp1
+two    IN      CNAME   xp2
+
+scansion.one    IN      CNAME   xp3
+scansion.two    IN      CNAME   xp3

integration/16-s2s-a-record-quic/prosody1.cfg.lua

@@ -0,0 +1,251 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+--     prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+	-- Generally required
+		"roster"; -- Allow users to have a roster. Recommended ;)
+		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+		--"tls"; -- Add support for secure TLS on c2s/s2s connections
+		"dialback"; -- s2s dialback support
+		"disco"; -- Service discovery
+
+	-- Not essential, but recommended
+		"carbons"; -- Keep multiple clients in sync
+		"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+		"private"; -- Private XML storage (for room bookmarks, etc.)
+		"blocklist"; -- Allow users to block communications with other users
+		"vcard4"; -- User profiles (stored in PEP)
+		"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+		"limits"; -- Enable bandwidth limiting for XMPP connections
+
+	-- Nice to have
+		"version"; -- Replies to server version requests
+		"uptime"; -- Report how long server has been running
+		"time"; -- Let others know the time here on this server
+		"ping"; -- Replies to XMPP pings with pongs
+		"register"; -- Allow users to register on this server using a client and change passwords
+		--"mam"; -- Store messages in an archive and allow users to access it
+		--"csi_simple"; -- Simple Mobile optimizations
+
+	-- Admin interfaces
+		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+	-- HTTP modules
+		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+		--"websocket"; -- XMPP over WebSockets
+		--"http_files"; -- Serve static files from a directory over HTTP
+
+	-- Other specific functionality
+		--"groups"; -- Shared roster support
+		--"server_contact_info"; -- Publish contact information for this service
+		--"announce"; -- Send announcement to all online users
+		--"welcome"; -- Welcome users who register accounts
+		--"watchregistrations"; -- Alert admins of registrations
+		--"motd"; -- Send a message to users when they log in
+		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+		--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+		"net_proxy";
+		"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+	-- "offline"; -- Store offline messages
+	-- "c2s"; -- Handle client connections
+	-- "s2s"; -- Handle server-to-server connections
+	-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "192.5.0.40", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+    [15222] = "c2s",
+    [15269] = "s2s"
+}
+
+--[[
+  Specifies a list of trusted hosts or networks which may use the PROXY protocol
+  If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+  An empty table ({}) can be configured to allow connections from any source.
+  Please read the module documentation about potential security impact.
+]]-- 
+proxy_trusted_proxies = {
+    "192.5.0.40"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask.. 
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+  c2s = {
+    rate = "10kb/s";
+  };
+  s2sin = {
+    rate = "30kb/s";
+  };
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+	-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+	-- error = "prosody.err";
+	--info = "*syslog"; -- Uncomment this for logging to syslog
+	debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+--VirtualHost "example.com"
+--	certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+--	component_secret = "password"

integration/16-s2s-a-record-quic/prosody2.cfg.lua

@@ -0,0 +1,251 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+--     prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+	-- Generally required
+		"roster"; -- Allow users to have a roster. Recommended ;)
+		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+		--"tls"; -- Add support for secure TLS on c2s/s2s connections
+		"dialback"; -- s2s dialback support
+		"disco"; -- Service discovery
+
+	-- Not essential, but recommended
+		"carbons"; -- Keep multiple clients in sync
+		"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+		"private"; -- Private XML storage (for room bookmarks, etc.)
+		"blocklist"; -- Allow users to block communications with other users
+		"vcard4"; -- User profiles (stored in PEP)
+		"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+		"limits"; -- Enable bandwidth limiting for XMPP connections
+
+	-- Nice to have
+		"version"; -- Replies to server version requests
+		"uptime"; -- Report how long server has been running
+		"time"; -- Let others know the time here on this server
+		"ping"; -- Replies to XMPP pings with pongs
+		"register"; -- Allow users to register on this server using a client and change passwords
+		--"mam"; -- Store messages in an archive and allow users to access it
+		--"csi_simple"; -- Simple Mobile optimizations
+
+	-- Admin interfaces
+		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+	-- HTTP modules
+		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+		--"websocket"; -- XMPP over WebSockets
+		--"http_files"; -- Serve static files from a directory over HTTP
+
+	-- Other specific functionality
+		--"groups"; -- Shared roster support
+		--"server_contact_info"; -- Publish contact information for this service
+		--"announce"; -- Send announcement to all online users
+		--"welcome"; -- Welcome users who register accounts
+		--"watchregistrations"; -- Alert admins of registrations
+		--"motd"; -- Send a message to users when they log in
+		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+		--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+		"net_proxy";
+		"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+	-- "offline"; -- Store offline messages
+	-- "c2s"; -- Handle client connections
+	-- "s2s"; -- Handle server-to-server connections
+	-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "192.5.0.50", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+    [15222] = "c2s",
+    [15269] = "s2s"
+}
+
+--[[
+  Specifies a list of trusted hosts or networks which may use the PROXY protocol
+  If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+  An empty table ({}) can be configured to allow connections from any source.
+  Please read the module documentation about potential security impact.
+]]-- 
+proxy_trusted_proxies = {
+    "192.5.0.50"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask.. 
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+  c2s = {
+    rate = "10kb/s";
+  };
+  s2sin = {
+    rate = "30kb/s";
+  };
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+	-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+	-- error = "prosody.err";
+	--info = "*syslog"; -- Uncomment this for logging to syslog
+	debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+--	certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+--	component_secret = "password"

integration/16-s2s-a-record-quic/xmpp-proxy1.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5222" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ "0.0.0.0:443" ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:15270" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.20:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.20:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/one.example.org.key"
+tls_cert = "/etc/prosody/certs/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/16-s2s-a-record-quic/xmpp-proxy2.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5222" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ "0.0.0.0:443" ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:15270" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.30:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.30:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/two.example.org.key"
+tls_cert = "/etc/prosody/certs/two.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/16-s2s-a-record-quic/xmpp-proxy3.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/17-s2s-srv-record-quic/example.org.zone

@@ -0,0 +1,23 @@
+$TTL 300
+; example.org
+@       IN      SOA     ns1.example.org. postmaster.example.org. (
+                                        2018111111 ; Serial
+                                        28800      ; Refresh
+                                        1800       ; Retry
+                                        604800     ; Expire - 1 week
+                                        86400 )    ; Negative Cache TTL
+                IN      NS      ns1
+ns1             IN      A       192.5.0.10
+server1         IN      A       192.5.0.20
+server2         IN      A       192.5.0.30
+xp1         IN      A       192.5.0.40
+xp2         IN      A       192.5.0.50
+xp3         IN      A       192.5.0.60
+
+one    IN      CNAME   xp1
+two    IN      CNAME   xp2
+_xmppq-server._udp.one  IN      SRV     5   1       52269     xp1
+_xmppq-server._udp.two  IN      SRV     5   1       52269     xp2
+
+scansion.one    IN      CNAME   xp3
+scansion.two    IN      CNAME   xp3

integration/17-s2s-srv-record-quic/prosody1.cfg.lua

@@ -0,0 +1,251 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+--     prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+	-- Generally required
+		"roster"; -- Allow users to have a roster. Recommended ;)
+		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+		--"tls"; -- Add support for secure TLS on c2s/s2s connections
+		"dialback"; -- s2s dialback support
+		"disco"; -- Service discovery
+
+	-- Not essential, but recommended
+		"carbons"; -- Keep multiple clients in sync
+		"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+		"private"; -- Private XML storage (for room bookmarks, etc.)
+		"blocklist"; -- Allow users to block communications with other users
+		"vcard4"; -- User profiles (stored in PEP)
+		"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+		"limits"; -- Enable bandwidth limiting for XMPP connections
+
+	-- Nice to have
+		"version"; -- Replies to server version requests
+		"uptime"; -- Report how long server has been running
+		"time"; -- Let others know the time here on this server
+		"ping"; -- Replies to XMPP pings with pongs
+		"register"; -- Allow users to register on this server using a client and change passwords
+		--"mam"; -- Store messages in an archive and allow users to access it
+		--"csi_simple"; -- Simple Mobile optimizations
+
+	-- Admin interfaces
+		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+	-- HTTP modules
+		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+		--"websocket"; -- XMPP over WebSockets
+		--"http_files"; -- Serve static files from a directory over HTTP
+
+	-- Other specific functionality
+		--"groups"; -- Shared roster support
+		--"server_contact_info"; -- Publish contact information for this service
+		--"announce"; -- Send announcement to all online users
+		--"welcome"; -- Welcome users who register accounts
+		--"watchregistrations"; -- Alert admins of registrations
+		--"motd"; -- Send a message to users when they log in
+		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+		--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+		"net_proxy";
+		"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+	-- "offline"; -- Store offline messages
+	-- "c2s"; -- Handle client connections
+	-- "s2s"; -- Handle server-to-server connections
+	-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "192.5.0.40", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+    [15222] = "c2s",
+    [15269] = "s2s"
+}
+
+--[[
+  Specifies a list of trusted hosts or networks which may use the PROXY protocol
+  If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+  An empty table ({}) can be configured to allow connections from any source.
+  Please read the module documentation about potential security impact.
+]]-- 
+proxy_trusted_proxies = {
+    "192.5.0.40"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask.. 
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+  c2s = {
+    rate = "10kb/s";
+  };
+  s2sin = {
+    rate = "30kb/s";
+  };
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+	-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+	-- error = "prosody.err";
+	--info = "*syslog"; -- Uncomment this for logging to syslog
+	debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+--VirtualHost "example.com"
+--	certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+--	component_secret = "password"

integration/17-s2s-srv-record-quic/prosody2.cfg.lua

@@ -0,0 +1,251 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+--     prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+	-- Generally required
+		"roster"; -- Allow users to have a roster. Recommended ;)
+		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+		--"tls"; -- Add support for secure TLS on c2s/s2s connections
+		"dialback"; -- s2s dialback support
+		"disco"; -- Service discovery
+
+	-- Not essential, but recommended
+		"carbons"; -- Keep multiple clients in sync
+		"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+		"private"; -- Private XML storage (for room bookmarks, etc.)
+		"blocklist"; -- Allow users to block communications with other users
+		"vcard4"; -- User profiles (stored in PEP)
+		"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+		"limits"; -- Enable bandwidth limiting for XMPP connections
+
+	-- Nice to have
+		"version"; -- Replies to server version requests
+		"uptime"; -- Report how long server has been running
+		"time"; -- Let others know the time here on this server
+		"ping"; -- Replies to XMPP pings with pongs
+		"register"; -- Allow users to register on this server using a client and change passwords
+		--"mam"; -- Store messages in an archive and allow users to access it
+		--"csi_simple"; -- Simple Mobile optimizations
+
+	-- Admin interfaces
+		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+	-- HTTP modules
+		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+		--"websocket"; -- XMPP over WebSockets
+		--"http_files"; -- Serve static files from a directory over HTTP
+
+	-- Other specific functionality
+		--"groups"; -- Shared roster support
+		--"server_contact_info"; -- Publish contact information for this service
+		--"announce"; -- Send announcement to all online users
+		--"welcome"; -- Welcome users who register accounts
+		--"watchregistrations"; -- Alert admins of registrations
+		--"motd"; -- Send a message to users when they log in
+		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+		--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+		"net_proxy";
+		"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+	-- "offline"; -- Store offline messages
+	-- "c2s"; -- Handle client connections
+	-- "s2s"; -- Handle server-to-server connections
+	-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "192.5.0.50", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+    [15222] = "c2s",
+    [15269] = "s2s"
+}
+
+--[[
+  Specifies a list of trusted hosts or networks which may use the PROXY protocol
+  If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+  An empty table ({}) can be configured to allow connections from any source.
+  Please read the module documentation about potential security impact.
+]]-- 
+proxy_trusted_proxies = {
+    "192.5.0.50"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask.. 
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+  c2s = {
+    rate = "10kb/s";
+  };
+  s2sin = {
+    rate = "30kb/s";
+  };
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+	-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+	-- error = "prosody.err";
+	--info = "*syslog"; -- Uncomment this for logging to syslog
+	debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+--	certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+--	component_secret = "password"

integration/17-s2s-srv-record-quic/xmpp-proxy1.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5222" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ "0.0.0.0:52269" ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:15270" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.20:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.20:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/one.example.org.key"
+tls_cert = "/etc/prosody/certs/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/17-s2s-srv-record-quic/xmpp-proxy2.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5222" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ "0.0.0.0:52269" ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:15270" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.30:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.30:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/two.example.org.key"
+tls_cert = "/etc/prosody/certs/two.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/17-s2s-srv-record-quic/xmpp-proxy3.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/18-s2s-websocket/example.org.zone

@@ -0,0 +1,23 @@
+$TTL 300
+; example.org
+@       IN      SOA     ns1.example.org. postmaster.example.org. (
+                                        2018111111 ; Serial
+                                        28800      ; Refresh
+                                        1800       ; Retry
+                                        604800     ; Expire - 1 week
+                                        86400 )    ; Negative Cache TTL
+                IN      NS      ns1
+ns1             IN      A       192.5.0.10
+server1         IN      A       192.5.0.20
+server2         IN      A       192.5.0.30
+xp1         IN      A       192.5.0.40
+xp2         IN      A       192.5.0.50
+xp3         IN      A       192.5.0.60
+
+one    IN      CNAME   xp1
+two    IN      CNAME   xp2
+_xmppconnect-server.one     IN      TXT     "_xmpp-server-websocket=wss://one.example.org:5281/xmpp-websocket"
+_xmppconnect-server.two     IN      TXT     "_xmpp-server-websocket=wss://two.example.org:5281/xmpp-websocket"
+
+scansion.one    IN      CNAME   xp3
+scansion.two    IN      CNAME   xp3

integration/18-s2s-websocket/prosody1.cfg.lua

@@ -0,0 +1,251 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+--     prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+	-- Generally required
+		"roster"; -- Allow users to have a roster. Recommended ;)
+		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+		--"tls"; -- Add support for secure TLS on c2s/s2s connections
+		"dialback"; -- s2s dialback support
+		"disco"; -- Service discovery
+
+	-- Not essential, but recommended
+		"carbons"; -- Keep multiple clients in sync
+		"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+		"private"; -- Private XML storage (for room bookmarks, etc.)
+		"blocklist"; -- Allow users to block communications with other users
+		"vcard4"; -- User profiles (stored in PEP)
+		"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+		"limits"; -- Enable bandwidth limiting for XMPP connections
+
+	-- Nice to have
+		"version"; -- Replies to server version requests
+		"uptime"; -- Report how long server has been running
+		"time"; -- Let others know the time here on this server
+		"ping"; -- Replies to XMPP pings with pongs
+		"register"; -- Allow users to register on this server using a client and change passwords
+		--"mam"; -- Store messages in an archive and allow users to access it
+		--"csi_simple"; -- Simple Mobile optimizations
+
+	-- Admin interfaces
+		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+	-- HTTP modules
+		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+		--"websocket"; -- XMPP over WebSockets
+		--"http_files"; -- Serve static files from a directory over HTTP
+
+	-- Other specific functionality
+		--"groups"; -- Shared roster support
+		--"server_contact_info"; -- Publish contact information for this service
+		--"announce"; -- Send announcement to all online users
+		--"welcome"; -- Welcome users who register accounts
+		--"watchregistrations"; -- Alert admins of registrations
+		--"motd"; -- Send a message to users when they log in
+		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+		--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+		"net_proxy";
+		"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+	-- "offline"; -- Store offline messages
+	-- "c2s"; -- Handle client connections
+	-- "s2s"; -- Handle server-to-server connections
+	-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "192.5.0.40", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+    [15222] = "c2s",
+    [15269] = "s2s"
+}
+
+--[[
+  Specifies a list of trusted hosts or networks which may use the PROXY protocol
+  If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+  An empty table ({}) can be configured to allow connections from any source.
+  Please read the module documentation about potential security impact.
+]]-- 
+proxy_trusted_proxies = {
+    "192.5.0.40"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask.. 
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+  c2s = {
+    rate = "10kb/s";
+  };
+  s2sin = {
+    rate = "30kb/s";
+  };
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+	-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+	-- error = "prosody.err";
+	--info = "*syslog"; -- Uncomment this for logging to syslog
+	debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+--VirtualHost "example.com"
+--	certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+--	component_secret = "password"

integration/18-s2s-websocket/prosody2.cfg.lua

@@ -0,0 +1,251 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+--     prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+	-- Generally required
+		"roster"; -- Allow users to have a roster. Recommended ;)
+		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+		--"tls"; -- Add support for secure TLS on c2s/s2s connections
+		"dialback"; -- s2s dialback support
+		"disco"; -- Service discovery
+
+	-- Not essential, but recommended
+		"carbons"; -- Keep multiple clients in sync
+		"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+		"private"; -- Private XML storage (for room bookmarks, etc.)
+		"blocklist"; -- Allow users to block communications with other users
+		"vcard4"; -- User profiles (stored in PEP)
+		"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+		"limits"; -- Enable bandwidth limiting for XMPP connections
+
+	-- Nice to have
+		"version"; -- Replies to server version requests
+		"uptime"; -- Report how long server has been running
+		"time"; -- Let others know the time here on this server
+		"ping"; -- Replies to XMPP pings with pongs
+		"register"; -- Allow users to register on this server using a client and change passwords
+		--"mam"; -- Store messages in an archive and allow users to access it
+		--"csi_simple"; -- Simple Mobile optimizations
+
+	-- Admin interfaces
+		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+	-- HTTP modules
+		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+		--"websocket"; -- XMPP over WebSockets
+		--"http_files"; -- Serve static files from a directory over HTTP
+
+	-- Other specific functionality
+		--"groups"; -- Shared roster support
+		--"server_contact_info"; -- Publish contact information for this service
+		--"announce"; -- Send announcement to all online users
+		--"welcome"; -- Welcome users who register accounts
+		--"watchregistrations"; -- Alert admins of registrations
+		--"motd"; -- Send a message to users when they log in
+		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+		--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+		"net_proxy";
+		"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+	-- "offline"; -- Store offline messages
+	-- "c2s"; -- Handle client connections
+	-- "s2s"; -- Handle server-to-server connections
+	-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "192.5.0.50", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+    [15222] = "c2s",
+    [15269] = "s2s"
+}
+
+--[[
+  Specifies a list of trusted hosts or networks which may use the PROXY protocol
+  If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+  An empty table ({}) can be configured to allow connections from any source.
+  Please read the module documentation about potential security impact.
+]]-- 
+proxy_trusted_proxies = {
+    "192.5.0.50"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask.. 
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+  c2s = {
+    rate = "10kb/s";
+  };
+  s2sin = {
+    rate = "30kb/s";
+  };
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+	-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+	-- error = "prosody.err";
+	--info = "*syslog"; -- Uncomment this for logging to syslog
+	debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+--	certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+--	component_secret = "password"

integration/18-s2s-websocket/xmpp-proxy1.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5222" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ "0.0.0.0:5281" ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:15270" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.20:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.20:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/one.example.org.key"
+tls_cert = "/etc/prosody/certs/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/18-s2s-websocket/xmpp-proxy2.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5222" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ "0.0.0.0:5281" ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:15270" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.30:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.30:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/two.example.org.key"
+tls_cert = "/etc/prosody/certs/two.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/18-s2s-websocket/xmpp-proxy3.toml

@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"

integration/Dockerfile

@@ -0,0 +1,67 @@
+
+# base image
+FROM docker.io/library/archlinux AS base
+
+ENV PACMAN_MIRROR https://burtrum.org/archlinux
+ENV TZ=America/New_York
+
+RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone && \
+    echo -e "Server = $PACMAN_MIRROR/\$repo/os/\$arch" > /etc/pacman.d/mirrorlist && \
+    pacman -Syu --noconfirm --disable-download-timeout
+
+# build some things
+FROM base AS build
+
+RUN pacman -S --noconfirm --disable-download-timeout --needed rust cargo git mercurial base-devel \
+    lua52 lua52-expat lua52-filesystem lua52-sec lua52-socket && \
+    mkdir -p /build/{src,target}/ && \
+    hg clone 'https://hg.prosody.im/prosody-modules/' /build/prosody-modules && rm -rf /build/prosody-modules/.hg && \
+    git clone https://aur.archlinux.org/scansion-hg.git /build/scansion-hg && \
+    git clone https://aur.archlinux.org/lua52-cjson.git /build/lua52-cjson && \
+    chown -R git: /build/ && ls -lah /build/ && \
+    cd /build/lua52-cjson && su -m -s /bin/bash git makepkg && pacman -U --noconfirm --needed lua52-cjson-*.pkg.tar* && \
+    cd /build/scansion-hg && su -m -s /bin/bash git makepkg
+
+COPY ./Cargo.* /build/
+COPY ./src/ /build/src/
+#COPY ./target/ /build/target/
+
+ARG BUILD=0
+
+RUN if [ $BUILD -eq 0 ]; then cd /build && cargo build --release; fi
+
+# final image
+FROM base
+
+COPY --from=build /build/*/*.pkg.tar* /tmp/
+
+RUN pacman -S --noconfirm --disable-download-timeout --needed bind prosody lua52-sec nss mkcert curl && \
+    pacman -U --noconfirm --needed /tmp/*.pkg.tar* && rm -f /tmp/*.pkg.tar* && \
+    mkdir -p /opt/xmpp-proxy/prosody-modules/ /opt/prosody-modules/ /scansion && mkcert -install && \
+    mkdir -p /etc/certs/ecdsa && cd /etc/certs/ecdsa && \
+    mkcert -ecdsa -cert-file one.example.org.crt -key-file one.example.org.key one.example.org && \
+    mkcert -ecdsa -cert-file two.example.org.crt -key-file two.example.org.key two.example.org && \
+    mkcert -ecdsa -cert-file wildcard.crt        -key-file wildcard.key        '*.example.org' && \
+    cp wildcard.crt legacy_ssl.crt && cp wildcard.key legacy_ssl.key && \
+    cp wildcard.crt https.crt      && cp wildcard.key https.key && \
+    mkdir -p /etc/certs/rsa && cd /etc/certs/rsa && \
+    mkcert        -cert-file one.example.org.crt -key-file one.example.org.key one.example.org && \
+    mkcert        -cert-file two.example.org.crt -key-file two.example.org.key two.example.org && \
+    mkcert        -cert-file wildcard.crt        -key-file wildcard.key        '*.example.org' && \
+    cp wildcard.crt legacy_ssl.crt && cp wildcard.key legacy_ssl.key && \
+    cp wildcard.crt https.crt      && cp wildcard.key https.key && \
+    chmod -R 777 /etc/certs/ && rm -rf /etc/prosody/certs && ln -sf /etc/certs/rsa /etc/prosody/certs
+
+COPY --from=build /build/prosody-modules /opt/prosody-modules
+
+COPY --from=build /usr/bin/true /build/target/release/xmpp-prox[y] /usr/bin/
+
+COPY ./integration/named.conf /etc/
+COPY ./integration/00-no-tls/example.org.zone /var/named/
+COPY ./integration/00-no-tls/prosody1.cfg.lua /etc/prosody/prosody.cfg.lua
+COPY ./contrib/prosody-modules /usr/lib/prosody/modules
+COPY ./integration/*.scs /scansion/
+
+ARG ECDSA=0
+
+RUN if [ $ECDSA -ne 0 ]; then rm -rf /etc/prosody/certs && ln -sf /etc/certs/ecdsa /etc/prosody/certs; fi

integration/juliet_messages_romeo.scs

@@ -0,0 +1,33 @@
+# Juliet messages Romeo
+
+[Client] Romeo
+	jid: romeo@one.example.org
+	password: pass
+	connect_host: scansion.one.example.org
+	connect_port: 5222
+
+[Client] Juliet
+	jid: juliet@two.example.org
+	password: pass
+	connect_host: scansion.two.example.org
+	connect_port: 5222
+
+---------
+
+Juliet connects
+
+Romeo connects
+
+Juliet sends:
+	<message to="${Romeo's full JID}" type="chat">
+		<body>Hello Romeo!</body>
+	</message>
+
+Romeo receives:
+	<message to="${Romeo's full JID}" from="${Juliet's full JID}" type="chat">
+		<body>Hello Romeo!</body>
+	</message>
+
+Juliet disconnects
+
+Romeo disconnects

integration/juliet_presence.scs

@@ -0,0 +1,20 @@
+# Juliet login and initial presence
+
+[Client] Juliet
+	jid: juliet@two.example.org
+	password: pass
+	connect_host: scansion.two.example.org
+	connect_port: 5222
+
+---------
+
+Juliet connects
+
+Juliet sends:
+	<presence/>
+
+Juliet receives:
+	<presence/>
+
+Juliet disconnects
+

integration/named.conf

@@ -0,0 +1,65 @@
+// vim:set ts=4 sw=4 et:
+
+options {
+    directory "/var/named";
+    pid-file "/run/named/named.pid";
+
+    // Uncomment these to enable IPv6 connections support
+    // IPv4 will still work:
+    //  listen-on-v6 { any; };
+    // Add this for no IPv4:
+    //  listen-on { none; };
+
+    //allow-recursion { 127.0.0.1; };
+    allow-recursion { none; };
+    allow-transfer { none; };
+    allow-update { none; };
+
+    version none;
+    hostname none;
+    server-id none;
+};
+
+zone "localhost" IN {
+    type master;
+    file "localhost.zone";
+};
+
+zone "0.0.127.in-addr.arpa" IN {
+    type master;
+    file "127.0.0.zone";
+};
+
+zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
+    type master;
+    file "localhost.ip6.zone";
+};
+
+zone "example.org" IN {
+    type master;
+    file "example.org.zone";
+    allow-update { none; };
+    notify no;
+};
+
+//zone "example.org" IN {
+//    type slave;
+//    file "example.zone";
+//    masters {
+//        192.168.1.100;
+//    };
+//    allow-query { any; };
+//    allow-transfer { any; };
+//};
+
+//logging {
+//    channel xfer-log {
+//        file "/var/log/named.log";
+//            print-category yes;
+//            print-severity yes;
+//            severity info;
+//        };
+//        category xfer-in { xfer-log; };
+//        category xfer-out { xfer-log; };
+//        category notify { xfer-log; };
+//};

integration/romeo_messages_juliet.scs

@@ -0,0 +1,34 @@
+# Romeo messages Juliet
+
+[Client] Romeo
+	jid: romeo@one.example.org
+	password: pass
+	connect_host: scansion.one.example.org
+	connect_port: 5222
+
+[Client] Juliet
+	jid: juliet@two.example.org
+	password: pass
+	connect_host: scansion.two.example.org
+	connect_port: 5222
+
+
+---------
+
+Romeo connects
+
+Juliet connects
+
+Romeo sends:
+	<message to="${Juliet's full JID}" type="chat">
+		<body>Hello Juliet!</body>
+	</message>
+
+Juliet receives:
+	<message to="${Juliet's full JID}" from="${Romeo's full JID}" type="chat">
+		<body>Hello Juliet!</body>
+	</message>
+
+Romeo disconnects
+
+Juliet disconnects

integration/romeo_presence.scs

@@ -0,0 +1,20 @@
+# Romeo login and initial presence
+
+[Client] Romeo
+	jid: romeo@one.example.org
+	password: pass
+	connect_host: scansion.one.example.org
+	connect_port: 5222
+
+---------
+
+Romeo connects
+
+Romeo sends:
+	<presence/>
+
+Romeo receives:
+	<presence/>
+
+Romeo disconnects
+

integration/test.sh

@@ -0,0 +1,184 @@
+#!/bin/sh
+set -euxo pipefail
+
+ipv4='192.5.0'
+
+# change to this directory
+cd -P -- "$(dirname -- "${BASH_SOURCE[0]}")"
+
+usage() { echo "Usage: $0 [-i 192.5.0] [-d] [-r] [-b]" 1>&2; exit 1; }
+
+build=0
+build_args=''
+img='xmpp-proxy-test'
+xmpp_proxy_bind=''
+run_blocked=0
+ecdsa=0
+while getopts ":i:drbe" o; do
+    case "${o}" in
+        i)
+            ipv4=${OPTARG}
+            echo "you must change the IP in all the containers for this to work, broken for now, exiting..."
+            exit 1
+            ;;
+        d)
+            build=1
+            xmpp_proxy_bind='-v ../../target/debug/xmpp-proxy:/usr/bin/xmpp-proxy:ro'
+            ;;
+        r)
+            build=1
+            build_args='--release'
+            xmpp_proxy_bind='-v ../../target/release/xmpp-proxy:/usr/bin/xmpp-proxy:ro'
+            ;;
+        e)
+            ecdsa=1
+            ;;
+        b)
+            run_blocked=1
+            ;;
+        *)
+            usage
+            ;;
+    esac
+done
+shift $((OPTIND-1))
+
+[ $build -eq 1 ] && img="$img-dev"
+[ $ecdsa -eq 1 ] && img="$img-ecdsa"
+
+rm -rf /tmp/xp-logs/
+mkdir -p /tmp/xp-logs/
+
+run_container() {
+    set +x
+    args=()
+    if [ "$1" == "-d" ]
+    then
+        args+=("-d")
+        shift
+    fi
+    while [ "$1" == "-v" ]
+    do
+        args+=("-v")
+        shift
+        args+=("$1")
+        shift
+    done
+    ip="$1"
+    shift
+    name="$1"
+    shift
+    
+    set -x
+    podman run "${args[@]}" --rm --log-driver=k8s-file "--log-opt=path=/tmp/xp-logs/$dir-$name.log" --network xmpp-proxy-net4 --dns-search example.org --dns "$ipv4.10" --hostname "$name" --name "$name" --ip "$ipv4.$ip" "$img" "$@"
+}
+
+cleanup() {
+    set +e
+    podman stop -i -t 0 dns server1 server2 xp1 xp2 xp3 scansion
+    podman rm -f dns server1 server2 xp1 xp2 xp3 scansion
+    # this shuts down all containers first too, handy!
+    podman network rm -f xmpp-proxy-net4
+    set -e
+}
+
+run_test() {
+    (
+    set -e
+    podman network exists xmpp-proxy-net4 && cleanup
+    # create the network
+    podman network create --disable-dns --internal --subnet $ipv4.0/24 xmpp-proxy-net4
+    #podman network create --disable-dns --internal --ipv6 --subnet 2001:db8::/64 xmpp-proxy-net6
+
+    # start the dns server
+    run_container -d -v ./example.org.zone:/var/named/example.org.zone:ro 10 dns named -g -u named -d 99
+
+    # start the prosody servers if required
+    [ -f ./prosody1.cfg.lua ] && run_container -d -v ./prosody1.cfg.lua:/etc/prosody/prosody.cfg.lua:ro 20 server1 prosody
+    [ -f ./prosody2.cfg.lua ] && run_container -d -v ./prosody2.cfg.lua:/etc/prosody/prosody.cfg.lua:ro 30 server2 prosody
+
+    [ -f ./xmpp-proxy1.toml ] && run_container -d $xmpp_proxy_bind -v ./xmpp-proxy1.toml:/etc/xmpp-proxy/xmpp-proxy.toml:ro 40 xp1 xmpp-proxy
+    [ -f ./xmpp-proxy2.toml ] && run_container -d $xmpp_proxy_bind -v ./xmpp-proxy2.toml:/etc/xmpp-proxy/xmpp-proxy.toml:ro 50 xp2 xmpp-proxy
+    [ -f ./xmpp-proxy3.toml ] && run_container -d $xmpp_proxy_bind -v ./xmpp-proxy3.toml:/etc/xmpp-proxy/xmpp-proxy.toml:ro 60 xp3 xmpp-proxy
+
+    # we don't care if these fail
+    set +e
+    podman exec server1 prosodyctl register romeo  one.example.org pass
+    podman exec server1 prosodyctl register juliet two.example.org pass
+    podman exec server2 prosodyctl register romeo  one.example.org pass
+    podman exec server2 prosodyctl register juliet two.example.org pass
+    set -e
+
+    # run the actual tests
+    run_container 99 scansion scansion -d /scansion/
+    # juliet_messages_romeo.scs  juliet_presence.scs  romeo_messages_juliet.scs  romeo_presence.scs
+    #run_container 99 scansion scansion /scansion/juliet_presence.scs /scansion/romeo_presence.scs
+
+    cleanup
+    )
+}
+
+(
+set -euxo pipefail
+
+podman network exists xmpp-proxy-net4 && cleanup
+
+podman image exists "$img" || podman build -f Dockerfile --build-arg="ECDSA=$ecdsa" --build-arg="BUILD=$build" -t "$img" ..
+#podman run --rm "$img" openssl pkey -in /etc/prosody/certs/one.example.org.key -text
+
+if [ $build -eq 1 ]
+then
+    cd ..
+    cargo build $build_args
+    cd integration
+fi
+
+dir_pattern="$(echo "$@" | tr -d '/' | sed -r 's/ +/|/g')"
+[ -z "$dir_pattern" ] && dir_pattern='.'
+
+success=()
+error=()
+skipped=()
+
+for dir in */
+do
+
+    export dir="$(echo "$dir" | tr -d '/')"
+
+    set +e
+    echo "$dir" | grep -E "$dir_pattern" &>/dev/null
+    [ $? -ne 0 ] && skipped+=("$dir") && continue
+    set -e
+
+    cd "$dir"
+
+    [ $run_blocked -eq 0 ] && [ -e blocked ] && skipped+=("$dir") && cd .. && continue
+
+    set +e
+    run_test
+    if [ $? -eq 0 ]
+    then
+        success+=("$dir")
+    else
+        error+=("$dir")
+        cleanup
+    fi
+    set -e
+
+    cd ..
+
+done
+
+set +x
+cat <<EOF
+
+skipped:    ${skipped[@]}
+
+successful: ${success[@]}
+
+failed:     ${error[@]}
+EOF
+
+exit ${#error[@]}
+)
+