Add extensive end-to-end integration tests powered by podman
This commit is contained in:
parent
cb5553fb4f
commit
14baf94efb
30
contrib/prosody-modules/mod_s2s_outgoing_proxy.lua
Normal file
30
contrib/prosody-modules/mod_s2s_outgoing_proxy.lua
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
local st = require"util.stanza";
|
||||||
|
local new_ip = require"util.ip".new_ip;
|
||||||
|
local new_outgoing = require"core.s2smanager".new_outgoing;
|
||||||
|
local bounce_sendq = module:depends"s2s".route_to_new_session.bounce_sendq;
|
||||||
|
local s2sout = module:depends"s2s".route_to_new_session.s2sout;
|
||||||
|
|
||||||
|
local s2s_outgoing_proxy = module:get_option("s2s_outgoing_proxy");
|
||||||
|
|
||||||
|
module:hook("route/remote", function(event)
|
||||||
|
local from_host, to_host, stanza = event.from_host, event.to_host, event.stanza;
|
||||||
|
log("debug", "opening a new outgoing connection for this stanza");
|
||||||
|
local host_session = new_outgoing(from_host, to_host);
|
||||||
|
host_session.version = 1;
|
||||||
|
|
||||||
|
-- Store in buffer
|
||||||
|
host_session.bounce_sendq = bounce_sendq;
|
||||||
|
host_session.sendq = { {tostring(stanza), stanza.attr.type ~= "error" and stanza.attr.type ~= "result" and st.reply(stanza)} };
|
||||||
|
log("debug", "stanza [%s] queued until connection complete", tostring(stanza.name));
|
||||||
|
|
||||||
|
local ip_hosts = {};
|
||||||
|
|
||||||
|
local host, port = s2s_outgoing_proxy[1] or s2s_outgoing_proxy, tonumber(s2s_outgoing_proxy[2]) or 15270;
|
||||||
|
ip_hosts[#ip_hosts+1] = { ip = new_ip(host), port = port }
|
||||||
|
|
||||||
|
host_session.ip_hosts = ip_hosts;
|
||||||
|
host_session.ip_choice = 0; -- Incremented by try_next_ip
|
||||||
|
s2sout.try_next_ip(host_session);
|
||||||
|
return true;
|
||||||
|
end, -2);
|
||||||
|
|
27
contrib/prosody-modules/mod_secure_interfaces.lua
Normal file
27
contrib/prosody-modules/mod_secure_interfaces.lua
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
local secure_interfaces = module:get_option_set("secure_interfaces", { "127.0.0.1", "::1" });
|
||||||
|
|
||||||
|
local function mark_secure(event, expected_type)
|
||||||
|
local session = event.origin;
|
||||||
|
if session.type ~= expected_type then return; end
|
||||||
|
local socket = session.conn:socket();
|
||||||
|
if not socket.getsockname then
|
||||||
|
module:log("debug", "Unable to determine local address of incoming connection");
|
||||||
|
return;
|
||||||
|
end
|
||||||
|
local localip = socket:getsockname();
|
||||||
|
if secure_interfaces:contains(localip) then
|
||||||
|
module:log("debug", "Marking session from %s to %s as secure", session.ip or "[?]", localip);
|
||||||
|
session.secure = true;
|
||||||
|
session.conn.starttls = false;
|
||||||
|
else
|
||||||
|
module:log("debug", "Not marking session from %s to %s as secure", session.ip or "[?]", localip);
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
module:hook("stream-features", function (event)
|
||||||
|
mark_secure(event, "c2s_unauthed");
|
||||||
|
end, 2500);
|
||||||
|
|
||||||
|
module:hook("s2s-stream-features", function (event)
|
||||||
|
mark_secure(event, "s2sin_unauthed");
|
||||||
|
end, 2500);
|
15
integration/00-no-tls/example.org.zone
Normal file
15
integration/00-no-tls/example.org.zone
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
$TTL 300
|
||||||
|
; example.org
|
||||||
|
@ IN SOA ns1.example.org. postmaster.example.org. (
|
||||||
|
2018111111 ; Serial
|
||||||
|
28800 ; Refresh
|
||||||
|
1800 ; Retry
|
||||||
|
604800 ; Expire - 1 week
|
||||||
|
86400 ) ; Negative Cache TTL
|
||||||
|
IN NS ns1
|
||||||
|
ns1 IN A 192.5.0.10
|
||||||
|
server1 IN A 192.5.0.20
|
||||||
|
server2 IN A 192.5.0.30
|
||||||
|
|
||||||
|
scansion.one IN CNAME server1
|
||||||
|
scansion.two IN CNAME server1
|
228
integration/00-no-tls/prosody1.cfg.lua
Normal file
228
integration/00-no-tls/prosody1.cfg.lua
Normal file
@ -0,0 +1,228 @@
|
|||||||
|
--Important for systemd
|
||||||
|
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
||||||
|
daemonize = false
|
||||||
|
run_as_root = true
|
||||||
|
|
||||||
|
pidfile = "/run/prosody/prosody.pid"
|
||||||
|
|
||||||
|
-- Prosody Example Configuration File
|
||||||
|
--
|
||||||
|
-- Information on configuring Prosody can be found on our
|
||||||
|
-- website at https://prosody.im/doc/configure
|
||||||
|
--
|
||||||
|
-- Tip: You can check that the syntax of this file is correct
|
||||||
|
-- when you have finished by running this command:
|
||||||
|
-- prosodyctl check config
|
||||||
|
-- If there are any errors, it will let you know what and where
|
||||||
|
-- they are, otherwise it will keep quiet.
|
||||||
|
--
|
||||||
|
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
||||||
|
-- blanks. Good luck, and happy Jabbering!
|
||||||
|
|
||||||
|
|
||||||
|
---------- Server-wide settings ----------
|
||||||
|
-- Settings in this section apply to the whole server and are the default settings
|
||||||
|
-- for any virtual hosts
|
||||||
|
|
||||||
|
-- This is a (by default, empty) list of accounts that are admins
|
||||||
|
-- for the server. Note that you must create the accounts separately
|
||||||
|
-- (see https://prosody.im/doc/creating_accounts for info)
|
||||||
|
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
||||||
|
admins = { }
|
||||||
|
|
||||||
|
-- Enable use of libevent for better performance under high load
|
||||||
|
-- For more information see: https://prosody.im/doc/libevent
|
||||||
|
--use_libevent = true
|
||||||
|
|
||||||
|
-- Prosody will always look in its source directory for modules, but
|
||||||
|
-- this option allows you to specify additional locations where Prosody
|
||||||
|
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
||||||
|
--plugin_paths = {}
|
||||||
|
|
||||||
|
-- This is the list of modules Prosody will load on startup.
|
||||||
|
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
||||||
|
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
||||||
|
modules_enabled = {
|
||||||
|
|
||||||
|
-- Generally required
|
||||||
|
"roster"; -- Allow users to have a roster. Recommended ;)
|
||||||
|
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
||||||
|
-- "tls"; -- Add support for secure TLS on c2s/s2s connections
|
||||||
|
"dialback"; -- s2s dialback support
|
||||||
|
"disco"; -- Service discovery
|
||||||
|
|
||||||
|
-- Not essential, but recommended
|
||||||
|
"carbons"; -- Keep multiple clients in sync
|
||||||
|
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
||||||
|
"private"; -- Private XML storage (for room bookmarks, etc.)
|
||||||
|
"blocklist"; -- Allow users to block communications with other users
|
||||||
|
"vcard4"; -- User profiles (stored in PEP)
|
||||||
|
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
||||||
|
"limits"; -- Enable bandwidth limiting for XMPP connections
|
||||||
|
|
||||||
|
-- Nice to have
|
||||||
|
"version"; -- Replies to server version requests
|
||||||
|
"uptime"; -- Report how long server has been running
|
||||||
|
"time"; -- Let others know the time here on this server
|
||||||
|
"ping"; -- Replies to XMPP pings with pongs
|
||||||
|
"register"; -- Allow users to register on this server using a client and change passwords
|
||||||
|
--"mam"; -- Store messages in an archive and allow users to access it
|
||||||
|
--"csi_simple"; -- Simple Mobile optimizations
|
||||||
|
|
||||||
|
-- Admin interfaces
|
||||||
|
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
||||||
|
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
||||||
|
|
||||||
|
-- HTTP modules
|
||||||
|
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
||||||
|
--"websocket"; -- XMPP over WebSockets
|
||||||
|
--"http_files"; -- Serve static files from a directory over HTTP
|
||||||
|
|
||||||
|
-- Other specific functionality
|
||||||
|
--"groups"; -- Shared roster support
|
||||||
|
--"server_contact_info"; -- Publish contact information for this service
|
||||||
|
--"announce"; -- Send announcement to all online users
|
||||||
|
--"welcome"; -- Welcome users who register accounts
|
||||||
|
--"watchregistrations"; -- Alert admins of registrations
|
||||||
|
--"motd"; -- Send a message to users when they log in
|
||||||
|
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
||||||
|
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
||||||
|
}
|
||||||
|
|
||||||
|
-- These modules are auto-loaded, but should you want
|
||||||
|
-- to disable them then uncomment them here:
|
||||||
|
modules_disabled = {
|
||||||
|
-- "offline"; -- Store offline messages
|
||||||
|
-- "c2s"; -- Handle client connections
|
||||||
|
-- "s2s"; -- Handle server-to-server connections
|
||||||
|
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Disable account creation by default, for security
|
||||||
|
-- For more information see https://prosody.im/doc/creating_accounts
|
||||||
|
allow_registration = false
|
||||||
|
|
||||||
|
require_encryption = false
|
||||||
|
allow_unencrypted_plain_auth = true
|
||||||
|
|
||||||
|
-- Force clients to use encrypted connections? This option will
|
||||||
|
-- prevent clients from authenticating unless they are using encryption.
|
||||||
|
|
||||||
|
c2s_require_encryption = false
|
||||||
|
|
||||||
|
-- Force servers to use encrypted connections? This option will
|
||||||
|
-- prevent servers from authenticating unless they are using encryption.
|
||||||
|
|
||||||
|
s2s_require_encryption = false
|
||||||
|
|
||||||
|
-- Force certificate authentication for server-to-server connections?
|
||||||
|
|
||||||
|
s2s_secure_auth = false
|
||||||
|
|
||||||
|
-- Some servers have invalid or self-signed certificates. You can list
|
||||||
|
-- remote domains here that will not be required to authenticate using
|
||||||
|
-- certificates. They will be authenticated using DNS instead, even
|
||||||
|
-- when s2s_secure_auth is enabled.
|
||||||
|
|
||||||
|
--s2s_insecure_domains = { "insecure.example" }
|
||||||
|
|
||||||
|
-- Even if you disable s2s_secure_auth, you can still require valid
|
||||||
|
-- certificates for some domains by specifying a list here.
|
||||||
|
|
||||||
|
--s2s_secure_domains = { "jabber.org" }
|
||||||
|
|
||||||
|
-- Enable rate limits for incoming client and server connections
|
||||||
|
|
||||||
|
limits = {
|
||||||
|
c2s = {
|
||||||
|
rate = "10kb/s";
|
||||||
|
};
|
||||||
|
s2sin = {
|
||||||
|
rate = "30kb/s";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Select the authentication backend to use. The 'internal' providers
|
||||||
|
-- use Prosody's configured data storage to store the authentication data.
|
||||||
|
|
||||||
|
authentication = "internal_hashed"
|
||||||
|
|
||||||
|
-- Select the storage backend to use. By default Prosody uses flat files
|
||||||
|
-- in its configured data directory, but it also supports more backends
|
||||||
|
-- through modules. An "sql" backend is included by default, but requires
|
||||||
|
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
||||||
|
|
||||||
|
--storage = "sql" -- Default is "internal"
|
||||||
|
|
||||||
|
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
||||||
|
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
||||||
|
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
|
||||||
|
|
||||||
|
-- Archiving configuration
|
||||||
|
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
||||||
|
-- is used to synchronize conversations between multiple clients, even if
|
||||||
|
-- they are offline. This setting controls how long Prosody will keep
|
||||||
|
-- messages in the archive before removing them.
|
||||||
|
|
||||||
|
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
||||||
|
|
||||||
|
-- You can also configure messages to be stored in-memory only. For more
|
||||||
|
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
||||||
|
|
||||||
|
-- Logging configuration
|
||||||
|
-- For advanced logging see https://prosody.im/doc/logging
|
||||||
|
log = {
|
||||||
|
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
||||||
|
-- error = "prosody.err";
|
||||||
|
--info = "*syslog"; -- Uncomment this for logging to syslog
|
||||||
|
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Uncomment to enable statistics
|
||||||
|
-- For more info see https://prosody.im/doc/statistics
|
||||||
|
-- statistics = "internal"
|
||||||
|
|
||||||
|
-- Certificates
|
||||||
|
-- Every virtual host and component needs a certificate so that clients and
|
||||||
|
-- servers can securely verify its identity. Prosody will automatically load
|
||||||
|
-- certificates/keys from the directory specified here.
|
||||||
|
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
||||||
|
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
||||||
|
|
||||||
|
-- Location of directory to find certificates in (relative to main config file):
|
||||||
|
certificates = "certsno"
|
||||||
|
|
||||||
|
-- HTTPS currently only supports a single certificate, specify it here:
|
||||||
|
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
||||||
|
|
||||||
|
----------- Virtual hosts -----------
|
||||||
|
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
||||||
|
-- Settings under each VirtualHost entry apply *only* to that host.
|
||||||
|
|
||||||
|
VirtualHost "one.example.org"
|
||||||
|
|
||||||
|
VirtualHost "two.example.org"
|
||||||
|
|
||||||
|
--VirtualHost "example.com"
|
||||||
|
-- certificate = "/path/to/example.crt"
|
||||||
|
|
||||||
|
------ Components ------
|
||||||
|
-- You can specify components to add hosts that provide special services,
|
||||||
|
-- like multi-user conferences, and transports.
|
||||||
|
-- For more information on components, see https://prosody.im/doc/components
|
||||||
|
|
||||||
|
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
||||||
|
--Component "conference.example.com" "muc"
|
||||||
|
--- Store MUC messages in an archive and allow users to access it
|
||||||
|
--modules_enabled = { "muc_mam" }
|
||||||
|
|
||||||
|
---Set up an external component (default component port is 5347)
|
||||||
|
--
|
||||||
|
-- External components allow adding various services, such as gateways/
|
||||||
|
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
||||||
|
-- see: https://prosody.im/doc/components#adding_an_external_component
|
||||||
|
--
|
||||||
|
--Component "gateway.example.com"
|
||||||
|
-- component_secret = "password"
|
15
integration/01-starttls/example.org.zone
Normal file
15
integration/01-starttls/example.org.zone
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
$TTL 300
|
||||||
|
; example.org
|
||||||
|
@ IN SOA ns1.example.org. postmaster.example.org. (
|
||||||
|
2018111111 ; Serial
|
||||||
|
28800 ; Refresh
|
||||||
|
1800 ; Retry
|
||||||
|
604800 ; Expire - 1 week
|
||||||
|
86400 ) ; Negative Cache TTL
|
||||||
|
IN NS ns1
|
||||||
|
ns1 IN A 192.5.0.10
|
||||||
|
server1 IN A 192.5.0.20
|
||||||
|
server2 IN A 192.5.0.30
|
||||||
|
|
||||||
|
scansion.one IN CNAME server1
|
||||||
|
scansion.two IN CNAME server1
|
225
integration/01-starttls/prosody1.cfg.lua
Normal file
225
integration/01-starttls/prosody1.cfg.lua
Normal file
@ -0,0 +1,225 @@
|
|||||||
|
--Important for systemd
|
||||||
|
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
||||||
|
daemonize = false
|
||||||
|
run_as_root = true
|
||||||
|
|
||||||
|
pidfile = "/run/prosody/prosody.pid"
|
||||||
|
|
||||||
|
-- Prosody Example Configuration File
|
||||||
|
--
|
||||||
|
-- Information on configuring Prosody can be found on our
|
||||||
|
-- website at https://prosody.im/doc/configure
|
||||||
|
--
|
||||||
|
-- Tip: You can check that the syntax of this file is correct
|
||||||
|
-- when you have finished by running this command:
|
||||||
|
-- prosodyctl check config
|
||||||
|
-- If there are any errors, it will let you know what and where
|
||||||
|
-- they are, otherwise it will keep quiet.
|
||||||
|
--
|
||||||
|
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
||||||
|
-- blanks. Good luck, and happy Jabbering!
|
||||||
|
|
||||||
|
|
||||||
|
---------- Server-wide settings ----------
|
||||||
|
-- Settings in this section apply to the whole server and are the default settings
|
||||||
|
-- for any virtual hosts
|
||||||
|
|
||||||
|
-- This is a (by default, empty) list of accounts that are admins
|
||||||
|
-- for the server. Note that you must create the accounts separately
|
||||||
|
-- (see https://prosody.im/doc/creating_accounts for info)
|
||||||
|
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
||||||
|
admins = { }
|
||||||
|
|
||||||
|
-- Enable use of libevent for better performance under high load
|
||||||
|
-- For more information see: https://prosody.im/doc/libevent
|
||||||
|
--use_libevent = true
|
||||||
|
|
||||||
|
-- Prosody will always look in its source directory for modules, but
|
||||||
|
-- this option allows you to specify additional locations where Prosody
|
||||||
|
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
||||||
|
--plugin_paths = {}
|
||||||
|
|
||||||
|
-- This is the list of modules Prosody will load on startup.
|
||||||
|
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
||||||
|
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
||||||
|
modules_enabled = {
|
||||||
|
|
||||||
|
-- Generally required
|
||||||
|
"roster"; -- Allow users to have a roster. Recommended ;)
|
||||||
|
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
||||||
|
"tls"; -- Add support for secure TLS on c2s/s2s connections
|
||||||
|
"dialback"; -- s2s dialback support
|
||||||
|
"disco"; -- Service discovery
|
||||||
|
|
||||||
|
-- Not essential, but recommended
|
||||||
|
"carbons"; -- Keep multiple clients in sync
|
||||||
|
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
||||||
|
"private"; -- Private XML storage (for room bookmarks, etc.)
|
||||||
|
"blocklist"; -- Allow users to block communications with other users
|
||||||
|
"vcard4"; -- User profiles (stored in PEP)
|
||||||
|
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
||||||
|
"limits"; -- Enable bandwidth limiting for XMPP connections
|
||||||
|
|
||||||
|
-- Nice to have
|
||||||
|
"version"; -- Replies to server version requests
|
||||||
|
"uptime"; -- Report how long server has been running
|
||||||
|
"time"; -- Let others know the time here on this server
|
||||||
|
"ping"; -- Replies to XMPP pings with pongs
|
||||||
|
"register"; -- Allow users to register on this server using a client and change passwords
|
||||||
|
--"mam"; -- Store messages in an archive and allow users to access it
|
||||||
|
--"csi_simple"; -- Simple Mobile optimizations
|
||||||
|
|
||||||
|
-- Admin interfaces
|
||||||
|
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
||||||
|
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
||||||
|
|
||||||
|
-- HTTP modules
|
||||||
|
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
||||||
|
--"websocket"; -- XMPP over WebSockets
|
||||||
|
--"http_files"; -- Serve static files from a directory over HTTP
|
||||||
|
|
||||||
|
-- Other specific functionality
|
||||||
|
--"groups"; -- Shared roster support
|
||||||
|
--"server_contact_info"; -- Publish contact information for this service
|
||||||
|
--"announce"; -- Send announcement to all online users
|
||||||
|
--"welcome"; -- Welcome users who register accounts
|
||||||
|
--"watchregistrations"; -- Alert admins of registrations
|
||||||
|
--"motd"; -- Send a message to users when they log in
|
||||||
|
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
||||||
|
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
||||||
|
}
|
||||||
|
|
||||||
|
-- These modules are auto-loaded, but should you want
|
||||||
|
-- to disable them then uncomment them here:
|
||||||
|
modules_disabled = {
|
||||||
|
-- "offline"; -- Store offline messages
|
||||||
|
-- "c2s"; -- Handle client connections
|
||||||
|
-- "s2s"; -- Handle server-to-server connections
|
||||||
|
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Disable account creation by default, for security
|
||||||
|
-- For more information see https://prosody.im/doc/creating_accounts
|
||||||
|
allow_registration = false
|
||||||
|
|
||||||
|
-- Force clients to use encrypted connections? This option will
|
||||||
|
-- prevent clients from authenticating unless they are using encryption.
|
||||||
|
|
||||||
|
c2s_require_encryption = true
|
||||||
|
|
||||||
|
-- Force servers to use encrypted connections? This option will
|
||||||
|
-- prevent servers from authenticating unless they are using encryption.
|
||||||
|
|
||||||
|
s2s_require_encryption = true
|
||||||
|
|
||||||
|
-- Force certificate authentication for server-to-server connections?
|
||||||
|
|
||||||
|
s2s_secure_auth = false
|
||||||
|
|
||||||
|
-- Some servers have invalid or self-signed certificates. You can list
|
||||||
|
-- remote domains here that will not be required to authenticate using
|
||||||
|
-- certificates. They will be authenticated using DNS instead, even
|
||||||
|
-- when s2s_secure_auth is enabled.
|
||||||
|
|
||||||
|
--s2s_insecure_domains = { "insecure.example" }
|
||||||
|
|
||||||
|
-- Even if you disable s2s_secure_auth, you can still require valid
|
||||||
|
-- certificates for some domains by specifying a list here.
|
||||||
|
|
||||||
|
--s2s_secure_domains = { "jabber.org" }
|
||||||
|
|
||||||
|
-- Enable rate limits for incoming client and server connections
|
||||||
|
|
||||||
|
limits = {
|
||||||
|
c2s = {
|
||||||
|
rate = "10kb/s";
|
||||||
|
};
|
||||||
|
s2sin = {
|
||||||
|
rate = "30kb/s";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Select the authentication backend to use. The 'internal' providers
|
||||||
|
-- use Prosody's configured data storage to store the authentication data.
|
||||||
|
|
||||||
|
authentication = "internal_hashed"
|
||||||
|
|
||||||
|
-- Select the storage backend to use. By default Prosody uses flat files
|
||||||
|
-- in its configured data directory, but it also supports more backends
|
||||||
|
-- through modules. An "sql" backend is included by default, but requires
|
||||||
|
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
||||||
|
|
||||||
|
--storage = "sql" -- Default is "internal"
|
||||||
|
|
||||||
|
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
||||||
|
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
||||||
|
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
|
||||||
|
|
||||||
|
-- Archiving configuration
|
||||||
|
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
||||||
|
-- is used to synchronize conversations between multiple clients, even if
|
||||||
|
-- they are offline. This setting controls how long Prosody will keep
|
||||||
|
-- messages in the archive before removing them.
|
||||||
|
|
||||||
|
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
||||||
|
|
||||||
|
-- You can also configure messages to be stored in-memory only. For more
|
||||||
|
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
||||||
|
|
||||||
|
-- Logging configuration
|
||||||
|
-- For advanced logging see https://prosody.im/doc/logging
|
||||||
|
log = {
|
||||||
|
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
||||||
|
-- error = "prosody.err";
|
||||||
|
--info = "*syslog"; -- Uncomment this for logging to syslog
|
||||||
|
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Uncomment to enable statistics
|
||||||
|
-- For more info see https://prosody.im/doc/statistics
|
||||||
|
-- statistics = "internal"
|
||||||
|
|
||||||
|
-- Certificates
|
||||||
|
-- Every virtual host and component needs a certificate so that clients and
|
||||||
|
-- servers can securely verify its identity. Prosody will automatically load
|
||||||
|
-- certificates/keys from the directory specified here.
|
||||||
|
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
||||||
|
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
||||||
|
|
||||||
|
-- Location of directory to find certificates in (relative to main config file):
|
||||||
|
certificates = "certs"
|
||||||
|
|
||||||
|
-- HTTPS currently only supports a single certificate, specify it here:
|
||||||
|
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
||||||
|
|
||||||
|
----------- Virtual hosts -----------
|
||||||
|
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
||||||
|
-- Settings under each VirtualHost entry apply *only* to that host.
|
||||||
|
|
||||||
|
VirtualHost "one.example.org"
|
||||||
|
|
||||||
|
VirtualHost "two.example.org"
|
||||||
|
|
||||||
|
--VirtualHost "example.com"
|
||||||
|
-- certificate = "/path/to/example.crt"
|
||||||
|
|
||||||
|
------ Components ------
|
||||||
|
-- You can specify components to add hosts that provide special services,
|
||||||
|
-- like multi-user conferences, and transports.
|
||||||
|
-- For more information on components, see https://prosody.im/doc/components
|
||||||
|
|
||||||
|
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
||||||
|
--Component "conference.example.com" "muc"
|
||||||
|
--- Store MUC messages in an archive and allow users to access it
|
||||||
|
--modules_enabled = { "muc_mam" }
|
||||||
|
|
||||||
|
---Set up an external component (default component port is 5347)
|
||||||
|
--
|
||||||
|
-- External components allow adding various services, such as gateways/
|
||||||
|
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
||||||
|
-- see: https://prosody.im/doc/components#adding_an_external_component
|
||||||
|
--
|
||||||
|
--Component "gateway.example.com"
|
||||||
|
-- component_secret = "password"
|
20
integration/02-client-a-record-starttls/example.org.zone
Normal file
20
integration/02-client-a-record-starttls/example.org.zone
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
$TTL 300
|
||||||
|
; example.org
|
||||||
|
@ IN SOA ns1.example.org. postmaster.example.org. (
|
||||||
|
2018111111 ; Serial
|
||||||
|
28800 ; Refresh
|
||||||
|
1800 ; Retry
|
||||||
|
604800 ; Expire - 1 week
|
||||||
|
86400 ) ; Negative Cache TTL
|
||||||
|
IN NS ns1
|
||||||
|
ns1 IN A 192.5.0.10
|
||||||
|
server1 IN A 192.5.0.20
|
||||||
|
server2 IN A 192.5.0.30
|
||||||
|
xp1 IN A 192.5.0.40
|
||||||
|
xp2 IN A 192.5.0.50
|
||||||
|
|
||||||
|
one IN CNAME server1
|
||||||
|
two IN CNAME server1
|
||||||
|
|
||||||
|
scansion.one IN CNAME xp1
|
||||||
|
scansion.two IN CNAME xp1
|
225
integration/02-client-a-record-starttls/prosody1.cfg.lua
Normal file
225
integration/02-client-a-record-starttls/prosody1.cfg.lua
Normal file
@ -0,0 +1,225 @@
|
|||||||
|
--Important for systemd
|
||||||
|
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
||||||
|
daemonize = false
|
||||||
|
run_as_root = true
|
||||||
|
|
||||||
|
pidfile = "/run/prosody/prosody.pid"
|
||||||
|
|
||||||
|
-- Prosody Example Configuration File
|
||||||
|
--
|
||||||
|
-- Information on configuring Prosody can be found on our
|
||||||
|
-- website at https://prosody.im/doc/configure
|
||||||
|
--
|
||||||
|
-- Tip: You can check that the syntax of this file is correct
|
||||||
|
-- when you have finished by running this command:
|
||||||
|
-- prosodyctl check config
|
||||||
|
-- If there are any errors, it will let you know what and where
|
||||||
|
-- they are, otherwise it will keep quiet.
|
||||||
|
--
|
||||||
|
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
||||||
|
-- blanks. Good luck, and happy Jabbering!
|
||||||
|
|
||||||
|
|
||||||
|
---------- Server-wide settings ----------
|
||||||
|
-- Settings in this section apply to the whole server and are the default settings
|
||||||
|
-- for any virtual hosts
|
||||||
|
|
||||||
|
-- This is a (by default, empty) list of accounts that are admins
|
||||||
|
-- for the server. Note that you must create the accounts separately
|
||||||
|
-- (see https://prosody.im/doc/creating_accounts for info)
|
||||||
|
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
||||||
|
admins = { }
|
||||||
|
|
||||||
|
-- Enable use of libevent for better performance under high load
|
||||||
|
-- For more information see: https://prosody.im/doc/libevent
|
||||||
|
--use_libevent = true
|
||||||
|
|
||||||
|
-- Prosody will always look in its source directory for modules, but
|
||||||
|
-- this option allows you to specify additional locations where Prosody
|
||||||
|
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
||||||
|
--plugin_paths = {}
|
||||||
|
|
||||||
|
-- This is the list of modules Prosody will load on startup.
|
||||||
|
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
||||||
|
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
||||||
|
modules_enabled = {
|
||||||
|
|
||||||
|
-- Generally required
|
||||||
|
"roster"; -- Allow users to have a roster. Recommended ;)
|
||||||
|
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
||||||
|
"tls"; -- Add support for secure TLS on c2s/s2s connections
|
||||||
|
"dialback"; -- s2s dialback support
|
||||||
|
"disco"; -- Service discovery
|
||||||
|
|
||||||
|
-- Not essential, but recommended
|
||||||
|
"carbons"; -- Keep multiple clients in sync
|
||||||
|
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
||||||
|
"private"; -- Private XML storage (for room bookmarks, etc.)
|
||||||
|
"blocklist"; -- Allow users to block communications with other users
|
||||||
|
"vcard4"; -- User profiles (stored in PEP)
|
||||||
|
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
||||||
|
"limits"; -- Enable bandwidth limiting for XMPP connections
|
||||||
|
|
||||||
|
-- Nice to have
|
||||||
|
"version"; -- Replies to server version requests
|
||||||
|
"uptime"; -- Report how long server has been running
|
||||||
|
"time"; -- Let others know the time here on this server
|
||||||
|
"ping"; -- Replies to XMPP pings with pongs
|
||||||
|
"register"; -- Allow users to register on this server using a client and change passwords
|
||||||
|
--"mam"; -- Store messages in an archive and allow users to access it
|
||||||
|
--"csi_simple"; -- Simple Mobile optimizations
|
||||||
|
|
||||||
|
-- Admin interfaces
|
||||||
|
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
||||||
|
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
||||||
|
|
||||||
|
-- HTTP modules
|
||||||
|
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
||||||
|
--"websocket"; -- XMPP over WebSockets
|
||||||
|
--"http_files"; -- Serve static files from a directory over HTTP
|
||||||
|
|
||||||
|
-- Other specific functionality
|
||||||
|
--"groups"; -- Shared roster support
|
||||||
|
--"server_contact_info"; -- Publish contact information for this service
|
||||||
|
--"announce"; -- Send announcement to all online users
|
||||||
|
--"welcome"; -- Welcome users who register accounts
|
||||||
|
--"watchregistrations"; -- Alert admins of registrations
|
||||||
|
--"motd"; -- Send a message to users when they log in
|
||||||
|
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
||||||
|
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
||||||
|
}
|
||||||
|
|
||||||
|
-- These modules are auto-loaded, but should you want
|
||||||
|
-- to disable them then uncomment them here:
|
||||||
|
modules_disabled = {
|
||||||
|
-- "offline"; -- Store offline messages
|
||||||
|
-- "c2s"; -- Handle client connections
|
||||||
|
-- "s2s"; -- Handle server-to-server connections
|
||||||
|
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Disable account creation by default, for security
|
||||||
|
-- For more information see https://prosody.im/doc/creating_accounts
|
||||||
|
allow_registration = false
|
||||||
|
|
||||||
|
-- Force clients to use encrypted connections? This option will
|
||||||
|
-- prevent clients from authenticating unless they are using encryption.
|
||||||
|
|
||||||
|
c2s_require_encryption = true
|
||||||
|
|
||||||
|
-- Force servers to use encrypted connections? This option will
|
||||||
|
-- prevent servers from authenticating unless they are using encryption.
|
||||||
|
|
||||||
|
s2s_require_encryption = true
|
||||||
|
|
||||||
|
-- Force certificate authentication for server-to-server connections?
|
||||||
|
|
||||||
|
s2s_secure_auth = false
|
||||||
|
|
||||||
|
-- Some servers have invalid or self-signed certificates. You can list
|
||||||
|
-- remote domains here that will not be required to authenticate using
|
||||||
|
-- certificates. They will be authenticated using DNS instead, even
|
||||||
|
-- when s2s_secure_auth is enabled.
|
||||||
|
|
||||||
|
--s2s_insecure_domains = { "insecure.example" }
|
||||||
|
|
||||||
|
-- Even if you disable s2s_secure_auth, you can still require valid
|
||||||
|
-- certificates for some domains by specifying a list here.
|
||||||
|
|
||||||
|
--s2s_secure_domains = { "jabber.org" }
|
||||||
|
|
||||||
|
-- Enable rate limits for incoming client and server connections
|
||||||
|
|
||||||
|
limits = {
|
||||||
|
c2s = {
|
||||||
|
rate = "10kb/s";
|
||||||
|
};
|
||||||
|
s2sin = {
|
||||||
|
rate = "30kb/s";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Select the authentication backend to use. The 'internal' providers
|
||||||
|
-- use Prosody's configured data storage to store the authentication data.
|
||||||
|
|
||||||
|
authentication = "internal_hashed"
|
||||||
|
|
||||||
|
-- Select the storage backend to use. By default Prosody uses flat files
|
||||||
|
-- in its configured data directory, but it also supports more backends
|
||||||
|
-- through modules. An "sql" backend is included by default, but requires
|
||||||
|
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
||||||
|
|
||||||
|
--storage = "sql" -- Default is "internal"
|
||||||
|
|
||||||
|
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
||||||
|
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
||||||
|
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
|
||||||
|
|
||||||
|
-- Archiving configuration
|
||||||
|
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
||||||
|
-- is used to synchronize conversations between multiple clients, even if
|
||||||
|
-- they are offline. This setting controls how long Prosody will keep
|
||||||
|
-- messages in the archive before removing them.
|
||||||
|
|
||||||
|
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
||||||
|
|
||||||
|
-- You can also configure messages to be stored in-memory only. For more
|
||||||
|
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
||||||
|
|
||||||
|
-- Logging configuration
|
||||||
|
-- For advanced logging see https://prosody.im/doc/logging
|
||||||
|
log = {
|
||||||
|
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
||||||
|
-- error = "prosody.err";
|
||||||
|
--info = "*syslog"; -- Uncomment this for logging to syslog
|
||||||
|
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Uncomment to enable statistics
|
||||||
|
-- For more info see https://prosody.im/doc/statistics
|
||||||
|
-- statistics = "internal"
|
||||||
|
|
||||||
|
-- Certificates
|
||||||
|
-- Every virtual host and component needs a certificate so that clients and
|
||||||
|
-- servers can securely verify its identity. Prosody will automatically load
|
||||||
|
-- certificates/keys from the directory specified here.
|
||||||
|
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
||||||
|
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
||||||
|
|
||||||
|
-- Location of directory to find certificates in (relative to main config file):
|
||||||
|
certificates = "certs"
|
||||||
|
|
||||||
|
-- HTTPS currently only supports a single certificate, specify it here:
|
||||||
|
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
||||||
|
|
||||||
|
----------- Virtual hosts -----------
|
||||||
|
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
||||||
|
-- Settings under each VirtualHost entry apply *only* to that host.
|
||||||
|
|
||||||
|
VirtualHost "one.example.org"
|
||||||
|
|
||||||
|
VirtualHost "two.example.org"
|
||||||
|
|
||||||
|
--VirtualHost "example.com"
|
||||||
|
-- certificate = "/path/to/example.crt"
|
||||||
|
|
||||||
|
------ Components ------
|
||||||
|
-- You can specify components to add hosts that provide special services,
|
||||||
|
-- like multi-user conferences, and transports.
|
||||||
|
-- For more information on components, see https://prosody.im/doc/components
|
||||||
|
|
||||||
|
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
||||||
|
--Component "conference.example.com" "muc"
|
||||||
|
--- Store MUC messages in an archive and allow users to access it
|
||||||
|
--modules_enabled = { "muc_mam" }
|
||||||
|
|
||||||
|
---Set up an external component (default component port is 5347)
|
||||||
|
--
|
||||||
|
-- External components allow adding various services, such as gateways/
|
||||||
|
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
||||||
|
-- see: https://prosody.im/doc/components#adding_an_external_component
|
||||||
|
--
|
||||||
|
--Component "gateway.example.com"
|
||||||
|
-- component_secret = "password"
|
44
integration/02-client-a-record-starttls/xmpp-proxy1.toml
Normal file
44
integration/02-client-a-record-starttls/xmpp-proxy1.toml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
|
||||||
|
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
||||||
|
incoming_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
||||||
|
quic_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
||||||
|
websocket_listen = [ ]
|
||||||
|
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
||||||
|
outgoing_listen = [ "0.0.0.0:5222" ]
|
||||||
|
|
||||||
|
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
||||||
|
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
||||||
|
|
||||||
|
# c2s port backend XMPP server listens on
|
||||||
|
c2s_target = "127.0.0.1:15222"
|
||||||
|
|
||||||
|
# s2s port backend XMPP server listens on
|
||||||
|
s2s_target = "127.0.0.1:15269"
|
||||||
|
|
||||||
|
# send PROXYv1 header to backend XMPP server
|
||||||
|
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
||||||
|
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
||||||
|
proxy = true
|
||||||
|
|
||||||
|
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
||||||
|
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
||||||
|
# xmpp-proxy will use this many bytes + 16k per connection
|
||||||
|
max_stanza_size_bytes = 262_144
|
||||||
|
|
||||||
|
# TLS key/certificate valid for all your XMPP domains, PEM format
|
||||||
|
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
||||||
|
tls_key = "/etc/certs/rsa/one.example.org.key"
|
||||||
|
tls_cert = "/etc/certs/rsa/one.example.org.crt"
|
||||||
|
|
||||||
|
# configure logging, defaults are commented
|
||||||
|
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
||||||
|
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
||||||
|
#log_level = "info"
|
||||||
|
# for development/debugging:
|
||||||
|
log_level = "info,xmpp_proxy=trace"
|
||||||
|
|
||||||
|
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
||||||
|
#log_style = "never"
|
20
integration/03-client-srv-record-starttls/example.org.zone
Normal file
20
integration/03-client-srv-record-starttls/example.org.zone
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
$TTL 300
|
||||||
|
; example.org
|
||||||
|
@ IN SOA ns1.example.org. postmaster.example.org. (
|
||||||
|
2018111111 ; Serial
|
||||||
|
28800 ; Refresh
|
||||||
|
1800 ; Retry
|
||||||
|
604800 ; Expire - 1 week
|
||||||
|
86400 ) ; Negative Cache TTL
|
||||||
|
IN NS ns1
|
||||||
|
ns1 IN A 192.5.0.10
|
||||||
|
server1 IN A 192.5.0.20
|
||||||
|
server2 IN A 192.5.0.30
|
||||||
|
xp1 IN A 192.5.0.40
|
||||||
|
xp2 IN A 192.5.0.50
|
||||||
|
|
||||||
|
_xmpp-client._tcp.one IN SRV 5 1 5555 server1
|
||||||
|
_xmpp-client._tcp.two IN SRV 5 1 5555 server1
|
||||||
|
|
||||||
|
scansion.one IN CNAME xp1
|
||||||
|
scansion.two IN CNAME xp1
|
227
integration/03-client-srv-record-starttls/prosody1.cfg.lua
Normal file
227
integration/03-client-srv-record-starttls/prosody1.cfg.lua
Normal file
@ -0,0 +1,227 @@
|
|||||||
|
--Important for systemd
|
||||||
|
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
||||||
|
daemonize = false
|
||||||
|
run_as_root = true
|
||||||
|
|
||||||
|
pidfile = "/run/prosody/prosody.pid"
|
||||||
|
|
||||||
|
-- Prosody Example Configuration File
|
||||||
|
--
|
||||||
|
-- Information on configuring Prosody can be found on our
|
||||||
|
-- website at https://prosody.im/doc/configure
|
||||||
|
--
|
||||||
|
-- Tip: You can check that the syntax of this file is correct
|
||||||
|
-- when you have finished by running this command:
|
||||||
|
-- prosodyctl check config
|
||||||
|
-- If there are any errors, it will let you know what and where
|
||||||
|
-- they are, otherwise it will keep quiet.
|
||||||
|
--
|
||||||
|
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
||||||
|
-- blanks. Good luck, and happy Jabbering!
|
||||||
|
|
||||||
|
|
||||||
|
---------- Server-wide settings ----------
|
||||||
|
-- Settings in this section apply to the whole server and are the default settings
|
||||||
|
-- for any virtual hosts
|
||||||
|
|
||||||
|
-- This is a (by default, empty) list of accounts that are admins
|
||||||
|
-- for the server. Note that you must create the accounts separately
|
||||||
|
-- (see https://prosody.im/doc/creating_accounts for info)
|
||||||
|
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
||||||
|
admins = { }
|
||||||
|
|
||||||
|
-- Enable use of libevent for better performance under high load
|
||||||
|
-- For more information see: https://prosody.im/doc/libevent
|
||||||
|
--use_libevent = true
|
||||||
|
|
||||||
|
-- Prosody will always look in its source directory for modules, but
|
||||||
|
-- this option allows you to specify additional locations where Prosody
|
||||||
|
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
||||||
|
--plugin_paths = {}
|
||||||
|
|
||||||
|
-- This is the list of modules Prosody will load on startup.
|
||||||
|
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
||||||
|
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
||||||
|
modules_enabled = {
|
||||||
|
|
||||||
|
-- Generally required
|
||||||
|
"roster"; -- Allow users to have a roster. Recommended ;)
|
||||||
|
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
||||||
|
"tls"; -- Add support for secure TLS on c2s/s2s connections
|
||||||
|
"dialback"; -- s2s dialback support
|
||||||
|
"disco"; -- Service discovery
|
||||||
|
|
||||||
|
-- Not essential, but recommended
|
||||||
|
"carbons"; -- Keep multiple clients in sync
|
||||||
|
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
||||||
|
"private"; -- Private XML storage (for room bookmarks, etc.)
|
||||||
|
"blocklist"; -- Allow users to block communications with other users
|
||||||
|
"vcard4"; -- User profiles (stored in PEP)
|
||||||
|
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
||||||
|
"limits"; -- Enable bandwidth limiting for XMPP connections
|
||||||
|
|
||||||
|
-- Nice to have
|
||||||
|
"version"; -- Replies to server version requests
|
||||||
|
"uptime"; -- Report how long server has been running
|
||||||
|
"time"; -- Let others know the time here on this server
|
||||||
|
"ping"; -- Replies to XMPP pings with pongs
|
||||||
|
"register"; -- Allow users to register on this server using a client and change passwords
|
||||||
|
--"mam"; -- Store messages in an archive and allow users to access it
|
||||||
|
--"csi_simple"; -- Simple Mobile optimizations
|
||||||
|
|
||||||
|
-- Admin interfaces
|
||||||
|
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
||||||
|
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
||||||
|
|
||||||
|
-- HTTP modules
|
||||||
|
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
||||||
|
--"websocket"; -- XMPP over WebSockets
|
||||||
|
--"http_files"; -- Serve static files from a directory over HTTP
|
||||||
|
|
||||||
|
-- Other specific functionality
|
||||||
|
--"groups"; -- Shared roster support
|
||||||
|
--"server_contact_info"; -- Publish contact information for this service
|
||||||
|
--"announce"; -- Send announcement to all online users
|
||||||
|
--"welcome"; -- Welcome users who register accounts
|
||||||
|
--"watchregistrations"; -- Alert admins of registrations
|
||||||
|
--"motd"; -- Send a message to users when they log in
|
||||||
|
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
||||||
|
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
||||||
|
}
|
||||||
|
|
||||||
|
-- These modules are auto-loaded, but should you want
|
||||||
|
-- to disable them then uncomment them here:
|
||||||
|
modules_disabled = {
|
||||||
|
-- "offline"; -- Store offline messages
|
||||||
|
-- "c2s"; -- Handle client connections
|
||||||
|
-- "s2s"; -- Handle server-to-server connections
|
||||||
|
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
||||||
|
}
|
||||||
|
|
||||||
|
c2s_ports = { 5555 };
|
||||||
|
|
||||||
|
-- Disable account creation by default, for security
|
||||||
|
-- For more information see https://prosody.im/doc/creating_accounts
|
||||||
|
allow_registration = false
|
||||||
|
|
||||||
|
-- Force clients to use encrypted connections? This option will
|
||||||
|
-- prevent clients from authenticating unless they are using encryption.
|
||||||
|
|
||||||
|
c2s_require_encryption = true
|
||||||
|
|
||||||
|
-- Force servers to use encrypted connections? This option will
|
||||||
|
-- prevent servers from authenticating unless they are using encryption.
|
||||||
|
|
||||||
|
s2s_require_encryption = true
|
||||||
|
|
||||||
|
-- Force certificate authentication for server-to-server connections?
|
||||||
|
|
||||||
|
s2s_secure_auth = false
|
||||||
|
|
||||||
|
-- Some servers have invalid or self-signed certificates. You can list
|
||||||
|
-- remote domains here that will not be required to authenticate using
|
||||||
|
-- certificates. They will be authenticated using DNS instead, even
|
||||||
|
-- when s2s_secure_auth is enabled.
|
||||||
|
|
||||||
|
--s2s_insecure_domains = { "insecure.example" }
|
||||||
|
|
||||||
|
-- Even if you disable s2s_secure_auth, you can still require valid
|
||||||
|
-- certificates for some domains by specifying a list here.
|
||||||
|
|
||||||
|
--s2s_secure_domains = { "jabber.org" }
|
||||||
|
|
||||||
|
-- Enable rate limits for incoming client and server connections
|
||||||
|
|
||||||
|
limits = {
|
||||||
|
c2s = {
|
||||||
|
rate = "10kb/s";
|
||||||
|
};
|
||||||
|
s2sin = {
|
||||||
|
rate = "30kb/s";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Select the authentication backend to use. The 'internal' providers
|
||||||
|
-- use Prosody's configured data storage to store the authentication data.
|
||||||
|
|
||||||
|
authentication = "internal_hashed"
|
||||||
|
|
||||||
|
-- Select the storage backend to use. By default Prosody uses flat files
|
||||||
|
-- in its configured data directory, but it also supports more backends
|
||||||
|
-- through modules. An "sql" backend is included by default, but requires
|
||||||
|
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
||||||
|
|
||||||
|
--storage = "sql" -- Default is "internal"
|
||||||
|
|
||||||
|
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
||||||
|
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
||||||
|
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
|
||||||
|
|
||||||
|
-- Archiving configuration
|
||||||
|
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
||||||
|
-- is used to synchronize conversations between multiple clients, even if
|
||||||
|
-- they are offline. This setting controls how long Prosody will keep
|
||||||
|
-- messages in the archive before removing them.
|
||||||
|
|
||||||
|
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
||||||
|
|
||||||
|
-- You can also configure messages to be stored in-memory only. For more
|
||||||
|
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
||||||
|
|
||||||
|
-- Logging configuration
|
||||||
|
-- For advanced logging see https://prosody.im/doc/logging
|
||||||
|
log = {
|
||||||
|
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
||||||
|
-- error = "prosody.err";
|
||||||
|
--info = "*syslog"; -- Uncomment this for logging to syslog
|
||||||
|
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Uncomment to enable statistics
|
||||||
|
-- For more info see https://prosody.im/doc/statistics
|
||||||
|
-- statistics = "internal"
|
||||||
|
|
||||||
|
-- Certificates
|
||||||
|
-- Every virtual host and component needs a certificate so that clients and
|
||||||
|
-- servers can securely verify its identity. Prosody will automatically load
|
||||||
|
-- certificates/keys from the directory specified here.
|
||||||
|
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
||||||
|
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
||||||
|
|
||||||
|
-- Location of directory to find certificates in (relative to main config file):
|
||||||
|
certificates = "certs"
|
||||||
|
|
||||||
|
-- HTTPS currently only supports a single certificate, specify it here:
|
||||||
|
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
||||||
|
|
||||||
|
----------- Virtual hosts -----------
|
||||||
|
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
||||||
|
-- Settings under each VirtualHost entry apply *only* to that host.
|
||||||
|
|
||||||
|
VirtualHost "one.example.org"
|
||||||
|
|
||||||
|
VirtualHost "two.example.org"
|
||||||
|
|
||||||
|
--VirtualHost "example.com"
|
||||||
|
-- certificate = "/path/to/example.crt"
|
||||||
|
|
||||||
|
------ Components ------
|
||||||
|
-- You can specify components to add hosts that provide special services,
|
||||||
|
-- like multi-user conferences, and transports.
|
||||||
|
-- For more information on components, see https://prosody.im/doc/components
|
||||||
|
|
||||||
|
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
||||||
|
--Component "conference.example.com" "muc"
|
||||||
|
--- Store MUC messages in an archive and allow users to access it
|
||||||
|
--modules_enabled = { "muc_mam" }
|
||||||
|
|
||||||
|
---Set up an external component (default component port is 5347)
|
||||||
|
--
|
||||||
|
-- External components allow adding various services, such as gateways/
|
||||||
|
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
||||||
|
-- see: https://prosody.im/doc/components#adding_an_external_component
|
||||||
|
--
|
||||||
|
--Component "gateway.example.com"
|
||||||
|
-- component_secret = "password"
|
44
integration/03-client-srv-record-starttls/xmpp-proxy1.toml
Normal file
44
integration/03-client-srv-record-starttls/xmpp-proxy1.toml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
|
||||||
|
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
||||||
|
incoming_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
||||||
|
quic_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
||||||
|
websocket_listen = [ ]
|
||||||
|
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
||||||
|
outgoing_listen = [ "0.0.0.0:5222" ]
|
||||||
|
|
||||||
|
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
||||||
|
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
||||||
|
|
||||||
|
# c2s port backend XMPP server listens on
|
||||||
|
c2s_target = "127.0.0.1:15222"
|
||||||
|
|
||||||
|
# s2s port backend XMPP server listens on
|
||||||
|
s2s_target = "127.0.0.1:15269"
|
||||||
|
|
||||||
|
# send PROXYv1 header to backend XMPP server
|
||||||
|
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
||||||
|
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
||||||
|
proxy = true
|
||||||
|
|
||||||
|
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
||||||
|
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
||||||
|
# xmpp-proxy will use this many bytes + 16k per connection
|
||||||
|
max_stanza_size_bytes = 262_144
|
||||||
|
|
||||||
|
# TLS key/certificate valid for all your XMPP domains, PEM format
|
||||||
|
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
||||||
|
tls_key = "/etc/certs/rsa/one.example.org.key"
|
||||||
|
tls_cert = "/etc/certs/rsa/one.example.org.crt"
|
||||||
|
|
||||||
|
# configure logging, defaults are commented
|
||||||
|
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
||||||
|
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
||||||
|
#log_level = "info"
|
||||||
|
# for development/debugging:
|
||||||
|
log_level = "info,xmpp_proxy=trace"
|
||||||
|
|
||||||
|
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
||||||
|
#log_style = "never"
|
20
integration/04-client-a-record-tls/example.org.zone
Normal file
20
integration/04-client-a-record-tls/example.org.zone
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
$TTL 300
|
||||||
|
; example.org
|
||||||
|
@ IN SOA ns1.example.org. postmaster.example.org. (
|
||||||
|
2018111111 ; Serial
|
||||||
|
28800 ; Refresh
|
||||||
|
1800 ; Retry
|
||||||
|
604800 ; Expire - 1 week
|
||||||
|
86400 ) ; Negative Cache TTL
|
||||||
|
IN NS ns1
|
||||||
|
ns1 IN A 192.5.0.10
|
||||||
|
server1 IN A 192.5.0.20
|
||||||
|
server2 IN A 192.5.0.30
|
||||||
|
xp1 IN A 192.5.0.40
|
||||||
|
xp2 IN A 192.5.0.50
|
||||||
|
|
||||||
|
one IN CNAME server1
|
||||||
|
two IN CNAME server1
|
||||||
|
|
||||||
|
scansion.one IN CNAME xp1
|
||||||
|
scansion.two IN CNAME xp1
|
225
integration/04-client-a-record-tls/prosody1.cfg.lua
Normal file
225
integration/04-client-a-record-tls/prosody1.cfg.lua
Normal file
@ -0,0 +1,225 @@
|
|||||||
|
--Important for systemd
|
||||||
|
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
||||||
|
daemonize = false
|
||||||
|
run_as_root = true
|
||||||
|
|
||||||
|
pidfile = "/run/prosody/prosody.pid"
|
||||||
|
|
||||||
|
-- Prosody Example Configuration File
|
||||||
|
--
|
||||||
|
-- Information on configuring Prosody can be found on our
|
||||||
|
-- website at https://prosody.im/doc/configure
|
||||||
|
--
|
||||||
|
-- Tip: You can check that the syntax of this file is correct
|
||||||
|
-- when you have finished by running this command:
|
||||||
|
-- prosodyctl check config
|
||||||
|
-- If there are any errors, it will let you know what and where
|
||||||
|
-- they are, otherwise it will keep quiet.
|
||||||
|
--
|
||||||
|
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
||||||
|
-- blanks. Good luck, and happy Jabbering!
|
||||||
|
|
||||||
|
|
||||||
|
---------- Server-wide settings ----------
|
||||||
|
-- Settings in this section apply to the whole server and are the default settings
|
||||||
|
-- for any virtual hosts
|
||||||
|
|
||||||
|
-- This is a (by default, empty) list of accounts that are admins
|
||||||
|
-- for the server. Note that you must create the accounts separately
|
||||||
|
-- (see https://prosody.im/doc/creating_accounts for info)
|
||||||
|
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
||||||
|
admins = { }
|
||||||
|
|
||||||
|
-- Enable use of libevent for better performance under high load
|
||||||
|
-- For more information see: https://prosody.im/doc/libevent
|
||||||
|
--use_libevent = true
|
||||||
|
|
||||||
|
-- Prosody will always look in its source directory for modules, but
|
||||||
|
-- this option allows you to specify additional locations where Prosody
|
||||||
|
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
||||||
|
--plugin_paths = {}
|
||||||
|
|
||||||
|
-- This is the list of modules Prosody will load on startup.
|
||||||
|
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
||||||
|
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
||||||
|
modules_enabled = {
|
||||||
|
|
||||||
|
-- Generally required
|
||||||
|
"roster"; -- Allow users to have a roster. Recommended ;)
|
||||||
|
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
||||||
|
"tls"; -- Add support for secure TLS on c2s/s2s connections
|
||||||
|
"dialback"; -- s2s dialback support
|
||||||
|
"disco"; -- Service discovery
|
||||||
|
|
||||||
|
-- Not essential, but recommended
|
||||||
|
"carbons"; -- Keep multiple clients in sync
|
||||||
|
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
||||||
|
"private"; -- Private XML storage (for room bookmarks, etc.)
|
||||||
|
"blocklist"; -- Allow users to block communications with other users
|
||||||
|
"vcard4"; -- User profiles (stored in PEP)
|
||||||
|
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
||||||
|
"limits"; -- Enable bandwidth limiting for XMPP connections
|
||||||
|
|
||||||
|
-- Nice to have
|
||||||
|
"version"; -- Replies to server version requests
|
||||||
|
"uptime"; -- Report how long server has been running
|
||||||
|
"time"; -- Let others know the time here on this server
|
||||||
|
"ping"; -- Replies to XMPP pings with pongs
|
||||||
|
"register"; -- Allow users to register on this server using a client and change passwords
|
||||||
|
--"mam"; -- Store messages in an archive and allow users to access it
|
||||||
|
--"csi_simple"; -- Simple Mobile optimizations
|
||||||
|
|
||||||
|
-- Admin interfaces
|
||||||
|
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
||||||
|
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
||||||
|
|
||||||
|
-- HTTP modules
|
||||||
|
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
||||||
|
--"websocket"; -- XMPP over WebSockets
|
||||||
|
--"http_files"; -- Serve static files from a directory over HTTP
|
||||||
|
|
||||||
|
-- Other specific functionality
|
||||||
|
--"groups"; -- Shared roster support
|
||||||
|
--"server_contact_info"; -- Publish contact information for this service
|
||||||
|
--"announce"; -- Send announcement to all online users
|
||||||
|
--"welcome"; -- Welcome users who register accounts
|
||||||
|
--"watchregistrations"; -- Alert admins of registrations
|
||||||
|
--"motd"; -- Send a message to users when they log in
|
||||||
|
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
||||||
|
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
||||||
|
}
|
||||||
|
|
||||||
|
-- These modules are auto-loaded, but should you want
|
||||||
|
-- to disable them then uncomment them here:
|
||||||
|
modules_disabled = {
|
||||||
|
-- "offline"; -- Store offline messages
|
||||||
|
-- "c2s"; -- Handle client connections
|
||||||
|
-- "s2s"; -- Handle server-to-server connections
|
||||||
|
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
||||||
|
}
|
||||||
|
|
||||||
|
legacy_ssl_ports = { 443 };
|
||||||
|
c2s_ports = { };
|
||||||
|
|
||||||
|
-- Disable account creation by default, for security
|
||||||
|
-- For more information see https://prosody.im/doc/creating_accounts
|
||||||
|
allow_registration = false
|
||||||
|
|
||||||
|
-- Force clients to use encrypted connections? This option will
|
||||||
|
-- prevent clients from authenticating unless they are using encryption.
|
||||||
|
|
||||||
|
c2s_require_encryption = true
|
||||||
|
|
||||||
|
-- Force servers to use encrypted connections? This option will
|
||||||
|
-- prevent servers from authenticating unless they are using encryption.
|
||||||
|
|
||||||
|
s2s_require_encryption = true
|
||||||
|
|
||||||
|
-- Force certificate authentication for server-to-server connections?
|
||||||
|
|
||||||
|
s2s_secure_auth = false
|
||||||
|
|
||||||
|
-- Some servers have invalid or self-signed certificates. You can list
|
||||||
|
-- remote domains here that will not be required to authenticate using
|
||||||
|
-- certificates. They will be authenticated using DNS instead, even
|
||||||
|
-- when s2s_secure_auth is enabled.
|
||||||
|
|
||||||
|
--s2s_insecure_domains = { "insecure.example" }
|
||||||
|
|
||||||
|
-- Even if you disable s2s_secure_auth, you can still require valid
|
||||||
|
-- certificates for some domains by specifying a list here.
|
||||||
|
|
||||||
|
--s2s_secure_domains = { "jabber.org" }
|
||||||
|
|
||||||
|
-- Enable rate limits for incoming client and server connections
|
||||||
|
|
||||||
|
limits = {
|
||||||
|
c2s = {
|
||||||
|
rate = "10kb/s";
|
||||||
|
};
|
||||||
|
s2sin = {
|
||||||
|
rate = "30kb/s";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Select the authentication backend to use. The 'internal' providers
|
||||||
|
-- use Prosody's configured data storage to store the authentication data.
|
||||||
|
|
||||||
|
authentication = "internal_hashed"
|
||||||
|
|
||||||
|
-- Select the storage backend to use. By default Prosody uses flat files
|
||||||
|
-- in its configured data directory, but it also supports more backends
|
||||||
|
-- through modules. An "sql" backend is included by default, but requires
|
||||||
|
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
||||||
|
|
||||||
|
--storage = "sql" -- Default is "internal"
|
||||||
|
|
||||||
|
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
||||||
|
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
||||||
|
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
|
||||||
|
|
||||||
|
-- Archiving configuration
|
||||||
|
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
||||||
|
-- is used to synchronize conversations between multiple clients, even if
|
||||||
|
-- they are offline. This setting controls how long Prosody will keep
|
||||||
|
-- messages in the archive before removing them.
|
||||||
|
|
||||||
|
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
||||||
|
|
||||||
|
-- You can also configure messages to be stored in-memory only. For more
|
||||||
|
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
||||||
|
|
||||||
|
-- Logging configuration
|
||||||
|
-- For advanced logging see https://prosody.im/doc/logging
|
||||||
|
log = {
|
||||||
|
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
||||||
|
-- error = "prosody.err";
|
||||||
|
--info = "*syslog"; -- Uncomment this for logging to syslog
|
||||||
|
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Uncomment to enable statistics
|
||||||
|
-- For more info see https://prosody.im/doc/statistics
|
||||||
|
-- statistics = "internal"
|
||||||
|
|
||||||
|
-- Certificates
|
||||||
|
-- Every virtual host and component needs a certificate so that clients and
|
||||||
|
-- servers can securely verify its identity. Prosody will automatically load
|
||||||
|
-- certificates/keys from the directory specified here.
|
||||||
|
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
||||||
|
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
||||||
|
|
||||||
|
-- Location of directory to find certificates in (relative to main config file):
|
||||||
|
certificates = "certs"
|
||||||
|
|
||||||
|
----------- Virtual hosts -----------
|
||||||
|
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
||||||
|
-- Settings under each VirtualHost entry apply *only* to that host.
|
||||||
|
|
||||||
|
VirtualHost "one.example.org"
|
||||||
|
|
||||||
|
VirtualHost "two.example.org"
|
||||||
|
|
||||||
|
--VirtualHost "example.com"
|
||||||
|
-- certificate = "/path/to/example.crt"
|
||||||
|
|
||||||
|
------ Components ------
|
||||||
|
-- You can specify components to add hosts that provide special services,
|
||||||
|
-- like multi-user conferences, and transports.
|
||||||
|
-- For more information on components, see https://prosody.im/doc/components
|
||||||
|
|
||||||
|
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
||||||
|
--Component "conference.example.com" "muc"
|
||||||
|
--- Store MUC messages in an archive and allow users to access it
|
||||||
|
--modules_enabled = { "muc_mam" }
|
||||||
|
|
||||||
|
---Set up an external component (default component port is 5347)
|
||||||
|
--
|
||||||
|
-- External components allow adding various services, such as gateways/
|
||||||
|
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
||||||
|
-- see: https://prosody.im/doc/components#adding_an_external_component
|
||||||
|
--
|
||||||
|
--Component "gateway.example.com"
|
||||||
|
-- component_secret = "password"
|
44
integration/04-client-a-record-tls/xmpp-proxy1.toml
Normal file
44
integration/04-client-a-record-tls/xmpp-proxy1.toml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
|
||||||
|
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
||||||
|
incoming_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
||||||
|
quic_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
||||||
|
websocket_listen = [ ]
|
||||||
|
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
||||||
|
outgoing_listen = [ "0.0.0.0:5222" ]
|
||||||
|
|
||||||
|
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
||||||
|
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
||||||
|
|
||||||
|
# c2s port backend XMPP server listens on
|
||||||
|
c2s_target = "127.0.0.1:15222"
|
||||||
|
|
||||||
|
# s2s port backend XMPP server listens on
|
||||||
|
s2s_target = "127.0.0.1:15269"
|
||||||
|
|
||||||
|
# send PROXYv1 header to backend XMPP server
|
||||||
|
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
||||||
|
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
||||||
|
proxy = true
|
||||||
|
|
||||||
|
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
||||||
|
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
||||||
|
# xmpp-proxy will use this many bytes + 16k per connection
|
||||||
|
max_stanza_size_bytes = 262_144
|
||||||
|
|
||||||
|
# TLS key/certificate valid for all your XMPP domains, PEM format
|
||||||
|
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
||||||
|
tls_key = "/etc/certs/rsa/one.example.org.key"
|
||||||
|
tls_cert = "/etc/certs/rsa/one.example.org.crt"
|
||||||
|
|
||||||
|
# configure logging, defaults are commented
|
||||||
|
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
||||||
|
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
||||||
|
#log_level = "info"
|
||||||
|
# for development/debugging:
|
||||||
|
log_level = "info,xmpp_proxy=trace"
|
||||||
|
|
||||||
|
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
||||||
|
#log_style = "never"
|
20
integration/05-client-srv-record-tls/example.org.zone
Normal file
20
integration/05-client-srv-record-tls/example.org.zone
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
$TTL 300
|
||||||
|
; example.org
|
||||||
|
@ IN SOA ns1.example.org. postmaster.example.org. (
|
||||||
|
2018111111 ; Serial
|
||||||
|
28800 ; Refresh
|
||||||
|
1800 ; Retry
|
||||||
|
604800 ; Expire - 1 week
|
||||||
|
86400 ) ; Negative Cache TTL
|
||||||
|
IN NS ns1
|
||||||
|
ns1 IN A 192.5.0.10
|
||||||
|
server1 IN A 192.5.0.20
|
||||||
|
server2 IN A 192.5.0.30
|
||||||
|
xp1 IN A 192.5.0.40
|
||||||
|
xp2 IN A 192.5.0.50
|
||||||
|
|
||||||
|
_xmpps-client._tcp.one IN SRV 5 1 5443 server1
|
||||||
|
_xmpps-client._tcp.two IN SRV 5 1 5443 server1
|
||||||
|
|
||||||
|
scansion.one IN CNAME xp1
|
||||||
|
scansion.two IN CNAME xp1
|
228
integration/05-client-srv-record-tls/prosody1.cfg.lua
Normal file
228
integration/05-client-srv-record-tls/prosody1.cfg.lua
Normal file
@ -0,0 +1,228 @@
|
|||||||
|
--Important for systemd
|
||||||
|
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
||||||
|
daemonize = false
|
||||||
|
run_as_root = true
|
||||||
|
|
||||||
|
pidfile = "/run/prosody/prosody.pid"
|
||||||
|
|
||||||
|
-- Prosody Example Configuration File
|
||||||
|
--
|
||||||
|
-- Information on configuring Prosody can be found on our
|
||||||
|
-- website at https://prosody.im/doc/configure
|
||||||
|
--
|
||||||
|
-- Tip: You can check that the syntax of this file is correct
|
||||||
|
-- when you have finished by running this command:
|
||||||
|
-- prosodyctl check config
|
||||||
|
-- If there are any errors, it will let you know what and where
|
||||||
|
-- they are, otherwise it will keep quiet.
|
||||||
|
--
|
||||||
|
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
||||||
|
-- blanks. Good luck, and happy Jabbering!
|
||||||
|
|
||||||
|
|
||||||
|
---------- Server-wide settings ----------
|
||||||
|
-- Settings in this section apply to the whole server and are the default settings
|
||||||
|
-- for any virtual hosts
|
||||||
|
|
||||||
|
-- This is a (by default, empty) list of accounts that are admins
|
||||||
|
-- for the server. Note that you must create the accounts separately
|
||||||
|
-- (see https://prosody.im/doc/creating_accounts for info)
|
||||||
|
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
||||||
|
admins = { }
|
||||||
|
|
||||||
|
-- Enable use of libevent for better performance under high load
|
||||||
|
-- For more information see: https://prosody.im/doc/libevent
|
||||||
|
--use_libevent = true
|
||||||
|
|
||||||
|
-- Prosody will always look in its source directory for modules, but
|
||||||
|
-- this option allows you to specify additional locations where Prosody
|
||||||
|
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
||||||
|
--plugin_paths = {}
|
||||||
|
|
||||||
|
-- This is the list of modules Prosody will load on startup.
|
||||||
|
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
||||||
|
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
||||||
|
modules_enabled = {
|
||||||
|
|
||||||
|
-- Generally required
|
||||||
|
"roster"; -- Allow users to have a roster. Recommended ;)
|
||||||
|
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
||||||
|
"tls"; -- Add support for secure TLS on c2s/s2s connections
|
||||||
|
"dialback"; -- s2s dialback support
|
||||||
|
"disco"; -- Service discovery
|
||||||
|
|
||||||
|
-- Not essential, but recommended
|
||||||
|
"carbons"; -- Keep multiple clients in sync
|
||||||
|
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
||||||
|
"private"; -- Private XML storage (for room bookmarks, etc.)
|
||||||
|
"blocklist"; -- Allow users to block communications with other users
|
||||||
|
"vcard4"; -- User profiles (stored in PEP)
|
||||||
|
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
||||||
|
"limits"; -- Enable bandwidth limiting for XMPP connections
|
||||||
|
|
||||||
|
-- Nice to have
|
||||||
|
"version"; -- Replies to server version requests
|
||||||
|
"uptime"; -- Report how long server has been running
|
||||||
|
"time"; -- Let others know the time here on this server
|
||||||
|
"ping"; -- Replies to XMPP pings with pongs
|
||||||
|
"register"; -- Allow users to register on this server using a client and change passwords
|
||||||
|
--"mam"; -- Store messages in an archive and allow users to access it
|
||||||
|
--"csi_simple"; -- Simple Mobile optimizations
|
||||||
|
|
||||||
|
-- Admin interfaces
|
||||||
|
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
||||||
|
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
||||||
|
|
||||||
|
-- HTTP modules
|
||||||
|
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
||||||
|
--"websocket"; -- XMPP over WebSockets
|
||||||
|
--"http_files"; -- Serve static files from a directory over HTTP
|
||||||
|
|
||||||
|
-- Other specific functionality
|
||||||
|
--"groups"; -- Shared roster support
|
||||||
|
--"server_contact_info"; -- Publish contact information for this service
|
||||||
|
--"announce"; -- Send announcement to all online users
|
||||||
|
--"welcome"; -- Welcome users who register accounts
|
||||||
|
--"watchregistrations"; -- Alert admins of registrations
|
||||||
|
--"motd"; -- Send a message to users when they log in
|
||||||
|
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
||||||
|
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
||||||
|
}
|
||||||
|
|
||||||
|
-- These modules are auto-loaded, but should you want
|
||||||
|
-- to disable them then uncomment them here:
|
||||||
|
modules_disabled = {
|
||||||
|
-- "offline"; -- Store offline messages
|
||||||
|
-- "c2s"; -- Handle client connections
|
||||||
|
-- "s2s"; -- Handle server-to-server connections
|
||||||
|
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
||||||
|
}
|
||||||
|
|
||||||
|
legacy_ssl_ports = { 5443 };
|
||||||
|
c2s_ports = { };
|
||||||
|
|
||||||
|
-- Disable account creation by default, for security
|
||||||
|
-- For more information see https://prosody.im/doc/creating_accounts
|
||||||
|
allow_registration = false
|
||||||
|
|
||||||
|
-- Force clients to use encrypted connections? This option will
|
||||||
|
-- prevent clients from authenticating unless they are using encryption.
|
||||||
|
|
||||||
|
c2s_require_encryption = true
|
||||||
|
|
||||||
|
-- Force servers to use encrypted connections? This option will
|
||||||
|
-- prevent servers from authenticating unless they are using encryption.
|
||||||
|
|
||||||
|
s2s_require_encryption = true
|
||||||
|
|
||||||
|
-- Force certificate authentication for server-to-server connections?
|
||||||
|
|
||||||
|
s2s_secure_auth = false
|
||||||
|
|
||||||
|
-- Some servers have invalid or self-signed certificates. You can list
|
||||||
|
-- remote domains here that will not be required to authenticate using
|
||||||
|
-- certificates. They will be authenticated using DNS instead, even
|
||||||
|
-- when s2s_secure_auth is enabled.
|
||||||
|
|
||||||
|
--s2s_insecure_domains = { "insecure.example" }
|
||||||
|
|
||||||
|
-- Even if you disable s2s_secure_auth, you can still require valid
|
||||||
|
-- certificates for some domains by specifying a list here.
|
||||||
|
|
||||||
|
--s2s_secure_domains = { "jabber.org" }
|
||||||
|
|
||||||
|
-- Enable rate limits for incoming client and server connections
|
||||||
|
|
||||||
|
limits = {
|
||||||
|
c2s = {
|
||||||
|
rate = "10kb/s";
|
||||||
|
};
|
||||||
|
s2sin = {
|
||||||
|
rate = "30kb/s";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Select the authentication backend to use. The 'internal' providers
|
||||||
|
-- use Prosody's configured data storage to store the authentication data.
|
||||||
|
|
||||||
|
authentication = "internal_hashed"
|
||||||
|
|
||||||
|
-- Select the storage backend to use. By default Prosody uses flat files
|
||||||
|
-- in its configured data directory, but it also supports more backends
|
||||||
|
-- through modules. An "sql" backend is included by default, but requires
|
||||||
|
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
||||||
|
|
||||||
|
--storage = "sql" -- Default is "internal"
|
||||||
|
|
||||||
|
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
||||||
|
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
||||||
|
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
|
||||||
|
|
||||||
|
-- Archiving configuration
|
||||||
|
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
||||||
|
-- is used to synchronize conversations between multiple clients, even if
|
||||||
|
-- they are offline. This setting controls how long Prosody will keep
|
||||||
|
-- messages in the archive before removing them.
|
||||||
|
|
||||||
|
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
||||||
|
|
||||||
|
-- You can also configure messages to be stored in-memory only. For more
|
||||||
|
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
||||||
|
|
||||||
|
-- Logging configuration
|
||||||
|
-- For advanced logging see https://prosody.im/doc/logging
|
||||||
|
log = {
|
||||||
|
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
||||||
|
-- error = "prosody.err";
|
||||||
|
--info = "*syslog"; -- Uncomment this for logging to syslog
|
||||||
|
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Uncomment to enable statistics
|
||||||
|
-- For more info see https://prosody.im/doc/statistics
|
||||||
|
-- statistics = "internal"
|
||||||
|
|
||||||
|
-- Certificates
|
||||||
|
-- Every virtual host and component needs a certificate so that clients and
|
||||||
|
-- servers can securely verify its identity. Prosody will automatically load
|
||||||
|
-- certificates/keys from the directory specified here.
|
||||||
|
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
||||||
|
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
||||||
|
|
||||||
|
-- Location of directory to find certificates in (relative to main config file):
|
||||||
|
certificates = "certs"
|
||||||
|
|
||||||
|
-- HTTPS currently only supports a single certificate, specify it here:
|
||||||
|
https_certificate = "/etc/prosody/certs/wildcard.crt"
|
||||||
|
|
||||||
|
----------- Virtual hosts -----------
|
||||||
|
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
||||||
|
-- Settings under each VirtualHost entry apply *only* to that host.
|
||||||
|
|
||||||
|
VirtualHost "one.example.org"
|
||||||
|
|
||||||
|
VirtualHost "two.example.org"
|
||||||
|
|
||||||
|
--VirtualHost "example.com"
|
||||||
|
-- certificate = "/path/to/example.crt"
|
||||||
|
|
||||||
|
------ Components ------
|
||||||
|
-- You can specify components to add hosts that provide special services,
|
||||||
|
-- like multi-user conferences, and transports.
|
||||||
|
-- For more information on components, see https://prosody.im/doc/components
|
||||||
|
|
||||||
|
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
||||||
|
--Component "conference.example.com" "muc"
|
||||||
|
--- Store MUC messages in an archive and allow users to access it
|
||||||
|
--modules_enabled = { "muc_mam" }
|
||||||
|
|
||||||
|
---Set up an external component (default component port is 5347)
|
||||||
|
--
|
||||||
|
-- External components allow adding various services, such as gateways/
|
||||||
|
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
||||||
|
-- see: https://prosody.im/doc/components#adding_an_external_component
|
||||||
|
--
|
||||||
|
--Component "gateway.example.com"
|
||||||
|
-- component_secret = "password"
|
44
integration/05-client-srv-record-tls/xmpp-proxy1.toml
Normal file
44
integration/05-client-srv-record-tls/xmpp-proxy1.toml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
|
||||||
|
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
||||||
|
incoming_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
||||||
|
quic_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
||||||
|
websocket_listen = [ ]
|
||||||
|
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
||||||
|
outgoing_listen = [ "0.0.0.0:5222" ]
|
||||||
|
|
||||||
|
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
||||||
|
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
||||||
|
|
||||||
|
# c2s port backend XMPP server listens on
|
||||||
|
c2s_target = "127.0.0.1:15222"
|
||||||
|
|
||||||
|
# s2s port backend XMPP server listens on
|
||||||
|
s2s_target = "127.0.0.1:15269"
|
||||||
|
|
||||||
|
# send PROXYv1 header to backend XMPP server
|
||||||
|
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
||||||
|
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
||||||
|
proxy = true
|
||||||
|
|
||||||
|
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
||||||
|
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
||||||
|
# xmpp-proxy will use this many bytes + 16k per connection
|
||||||
|
max_stanza_size_bytes = 262_144
|
||||||
|
|
||||||
|
# TLS key/certificate valid for all your XMPP domains, PEM format
|
||||||
|
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
||||||
|
tls_key = "/etc/certs/rsa/one.example.org.key"
|
||||||
|
tls_cert = "/etc/certs/rsa/one.example.org.crt"
|
||||||
|
|
||||||
|
# configure logging, defaults are commented
|
||||||
|
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
||||||
|
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
||||||
|
#log_level = "info"
|
||||||
|
# for development/debugging:
|
||||||
|
log_level = "info,xmpp_proxy=trace"
|
||||||
|
|
||||||
|
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
||||||
|
#log_style = "never"
|
22
integration/06-client-websocket/example.org.zone
Normal file
22
integration/06-client-websocket/example.org.zone
Normal file
@ -0,0 +1,22 @@
|
|||||||
|
$TTL 300
|
||||||
|
; example.org
|
||||||
|
@ IN SOA ns1.example.org. postmaster.example.org. (
|
||||||
|
2018111111 ; Serial
|
||||||
|
28800 ; Refresh
|
||||||
|
1800 ; Retry
|
||||||
|
604800 ; Expire - 1 week
|
||||||
|
86400 ) ; Negative Cache TTL
|
||||||
|
IN NS ns1
|
||||||
|
ns1 IN A 192.5.0.10
|
||||||
|
server1 IN A 192.5.0.20
|
||||||
|
server2 IN A 192.5.0.30
|
||||||
|
xp1 IN A 192.5.0.40
|
||||||
|
xp2 IN A 192.5.0.50
|
||||||
|
|
||||||
|
one IN CNAME server1
|
||||||
|
two IN CNAME server1
|
||||||
|
_xmppconnect.one IN TXT "_xmpp-client-websocket=wss://one.example.org:5281/xmpp-websocket"
|
||||||
|
_xmppconnect.two IN TXT "_xmpp-client-websocket=wss://two.example.org:5281/xmpp-websocket"
|
||||||
|
|
||||||
|
scansion.one IN CNAME xp1
|
||||||
|
scansion.two IN CNAME xp1
|
228
integration/06-client-websocket/prosody1.cfg.lua
Normal file
228
integration/06-client-websocket/prosody1.cfg.lua
Normal file
@ -0,0 +1,228 @@
|
|||||||
|
--Important for systemd
|
||||||
|
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
||||||
|
daemonize = false
|
||||||
|
run_as_root = true
|
||||||
|
|
||||||
|
pidfile = "/run/prosody/prosody.pid"
|
||||||
|
|
||||||
|
-- Prosody Example Configuration File
|
||||||
|
--
|
||||||
|
-- Information on configuring Prosody can be found on our
|
||||||
|
-- website at https://prosody.im/doc/configure
|
||||||
|
--
|
||||||
|
-- Tip: You can check that the syntax of this file is correct
|
||||||
|
-- when you have finished by running this command:
|
||||||
|
-- prosodyctl check config
|
||||||
|
-- If there are any errors, it will let you know what and where
|
||||||
|
-- they are, otherwise it will keep quiet.
|
||||||
|
--
|
||||||
|
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
||||||
|
-- blanks. Good luck, and happy Jabbering!
|
||||||
|
|
||||||
|
|
||||||
|
---------- Server-wide settings ----------
|
||||||
|
-- Settings in this section apply to the whole server and are the default settings
|
||||||
|
-- for any virtual hosts
|
||||||
|
|
||||||
|
-- This is a (by default, empty) list of accounts that are admins
|
||||||
|
-- for the server. Note that you must create the accounts separately
|
||||||
|
-- (see https://prosody.im/doc/creating_accounts for info)
|
||||||
|
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
||||||
|
admins = { }
|
||||||
|
|
||||||
|
-- Enable use of libevent for better performance under high load
|
||||||
|
-- For more information see: https://prosody.im/doc/libevent
|
||||||
|
--use_libevent = true
|
||||||
|
|
||||||
|
-- Prosody will always look in its source directory for modules, but
|
||||||
|
-- this option allows you to specify additional locations where Prosody
|
||||||
|
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
||||||
|
--plugin_paths = {}
|
||||||
|
|
||||||
|
-- This is the list of modules Prosody will load on startup.
|
||||||
|
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
||||||
|
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
||||||
|
modules_enabled = {
|
||||||
|
|
||||||
|
-- Generally required
|
||||||
|
"roster"; -- Allow users to have a roster. Recommended ;)
|
||||||
|
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
||||||
|
"tls"; -- Add support for secure TLS on c2s/s2s connections
|
||||||
|
"dialback"; -- s2s dialback support
|
||||||
|
"disco"; -- Service discovery
|
||||||
|
|
||||||
|
-- Not essential, but recommended
|
||||||
|
"carbons"; -- Keep multiple clients in sync
|
||||||
|
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
||||||
|
"private"; -- Private XML storage (for room bookmarks, etc.)
|
||||||
|
"blocklist"; -- Allow users to block communications with other users
|
||||||
|
"vcard4"; -- User profiles (stored in PEP)
|
||||||
|
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
||||||
|
"limits"; -- Enable bandwidth limiting for XMPP connections
|
||||||
|
|
||||||
|
-- Nice to have
|
||||||
|
"version"; -- Replies to server version requests
|
||||||
|
"uptime"; -- Report how long server has been running
|
||||||
|
"time"; -- Let others know the time here on this server
|
||||||
|
"ping"; -- Replies to XMPP pings with pongs
|
||||||
|
"register"; -- Allow users to register on this server using a client and change passwords
|
||||||
|
--"mam"; -- Store messages in an archive and allow users to access it
|
||||||
|
--"csi_simple"; -- Simple Mobile optimizations
|
||||||
|
|
||||||
|
-- Admin interfaces
|
||||||
|
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
||||||
|
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
||||||
|
|
||||||
|
-- HTTP modules
|
||||||
|
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
||||||
|
"websocket"; -- XMPP over WebSockets
|
||||||
|
--"http_files"; -- Serve static files from a directory over HTTP
|
||||||
|
|
||||||
|
-- Other specific functionality
|
||||||
|
--"groups"; -- Shared roster support
|
||||||
|
--"server_contact_info"; -- Publish contact information for this service
|
||||||
|
--"announce"; -- Send announcement to all online users
|
||||||
|
--"welcome"; -- Welcome users who register accounts
|
||||||
|
--"watchregistrations"; -- Alert admins of registrations
|
||||||
|
--"motd"; -- Send a message to users when they log in
|
||||||
|
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
||||||
|
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
||||||
|
}
|
||||||
|
|
||||||
|
-- These modules are auto-loaded, but should you want
|
||||||
|
-- to disable them then uncomment them here:
|
||||||
|
modules_disabled = {
|
||||||
|
-- "offline"; -- Store offline messages
|
||||||
|
-- "c2s"; -- Handle client connections
|
||||||
|
-- "s2s"; -- Handle server-to-server connections
|
||||||
|
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
||||||
|
}
|
||||||
|
|
||||||
|
legacy_ssl_ports = { };
|
||||||
|
c2s_ports = { };
|
||||||
|
|
||||||
|
-- Disable account creation by default, for security
|
||||||
|
-- For more information see https://prosody.im/doc/creating_accounts
|
||||||
|
allow_registration = false
|
||||||
|
|
||||||
|
-- Force clients to use encrypted connections? This option will
|
||||||
|
-- prevent clients from authenticating unless they are using encryption.
|
||||||
|
|
||||||
|
c2s_require_encryption = true
|
||||||
|
|
||||||
|
-- Force servers to use encrypted connections? This option will
|
||||||
|
-- prevent servers from authenticating unless they are using encryption.
|
||||||
|
|
||||||
|
s2s_require_encryption = true
|
||||||
|
|
||||||
|
-- Force certificate authentication for server-to-server connections?
|
||||||
|
|
||||||
|
s2s_secure_auth = false
|
||||||
|
|
||||||
|
-- Some servers have invalid or self-signed certificates. You can list
|
||||||
|
-- remote domains here that will not be required to authenticate using
|
||||||
|
-- certificates. They will be authenticated using DNS instead, even
|
||||||
|
-- when s2s_secure_auth is enabled.
|
||||||
|
|
||||||
|
--s2s_insecure_domains = { "insecure.example" }
|
||||||
|
|
||||||
|
-- Even if you disable s2s_secure_auth, you can still require valid
|
||||||
|
-- certificates for some domains by specifying a list here.
|
||||||
|
|
||||||
|
--s2s_secure_domains = { "jabber.org" }
|
||||||
|
|
||||||
|
-- Enable rate limits for incoming client and server connections
|
||||||
|
|
||||||
|
limits = {
|
||||||
|
c2s = {
|
||||||
|
rate = "10kb/s";
|
||||||
|
};
|
||||||
|
s2sin = {
|
||||||
|
rate = "30kb/s";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Select the authentication backend to use. The 'internal' providers
|
||||||
|
-- use Prosody's configured data storage to store the authentication data.
|
||||||
|
|
||||||
|
authentication = "internal_hashed"
|
||||||
|
|
||||||
|
-- Select the storage backend to use. By default Prosody uses flat files
|
||||||
|
-- in its configured data directory, but it also supports more backends
|
||||||
|
-- through modules. An "sql" backend is included by default, but requires
|
||||||
|
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
||||||
|
|
||||||
|
--storage = "sql" -- Default is "internal"
|
||||||
|
|
||||||
|
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
||||||
|
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
||||||
|
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
|
||||||
|
|
||||||
|
-- Archiving configuration
|
||||||
|
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
||||||
|
-- is used to synchronize conversations between multiple clients, even if
|
||||||
|
-- they are offline. This setting controls how long Prosody will keep
|
||||||
|
-- messages in the archive before removing them.
|
||||||
|
|
||||||
|
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
||||||
|
|
||||||
|
-- You can also configure messages to be stored in-memory only. For more
|
||||||
|
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
||||||
|
|
||||||
|
-- Logging configuration
|
||||||
|
-- For advanced logging see https://prosody.im/doc/logging
|
||||||
|
log = {
|
||||||
|
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
||||||
|
-- error = "prosody.err";
|
||||||
|
--info = "*syslog"; -- Uncomment this for logging to syslog
|
||||||
|
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Uncomment to enable statistics
|
||||||
|
-- For more info see https://prosody.im/doc/statistics
|
||||||
|
-- statistics = "internal"
|
||||||
|
|
||||||
|
-- Certificates
|
||||||
|
-- Every virtual host and component needs a certificate so that clients and
|
||||||
|
-- servers can securely verify its identity. Prosody will automatically load
|
||||||
|
-- certificates/keys from the directory specified here.
|
||||||
|
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
||||||
|
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
||||||
|
|
||||||
|
-- Location of directory to find certificates in (relative to main config file):
|
||||||
|
certificates = "certs"
|
||||||
|
|
||||||
|
-- HTTPS currently only supports a single certificate, specify it here:
|
||||||
|
--https_certificate = "/etc/prosody/certs/wildcard.crt"
|
||||||
|
|
||||||
|
----------- Virtual hosts -----------
|
||||||
|
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
||||||
|
-- Settings under each VirtualHost entry apply *only* to that host.
|
||||||
|
|
||||||
|
VirtualHost "one.example.org"
|
||||||
|
|
||||||
|
VirtualHost "two.example.org"
|
||||||
|
|
||||||
|
--VirtualHost "example.com"
|
||||||
|
-- certificate = "/path/to/example.crt"
|
||||||
|
|
||||||
|
------ Components ------
|
||||||
|
-- You can specify components to add hosts that provide special services,
|
||||||
|
-- like multi-user conferences, and transports.
|
||||||
|
-- For more information on components, see https://prosody.im/doc/components
|
||||||
|
|
||||||
|
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
||||||
|
--Component "conference.example.com" "muc"
|
||||||
|
--- Store MUC messages in an archive and allow users to access it
|
||||||
|
--modules_enabled = { "muc_mam" }
|
||||||
|
|
||||||
|
---Set up an external component (default component port is 5347)
|
||||||
|
--
|
||||||
|
-- External components allow adding various services, such as gateways/
|
||||||
|
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
||||||
|
-- see: https://prosody.im/doc/components#adding_an_external_component
|
||||||
|
--
|
||||||
|
--Component "gateway.example.com"
|
||||||
|
-- component_secret = "password"
|
44
integration/06-client-websocket/xmpp-proxy1.toml
Normal file
44
integration/06-client-websocket/xmpp-proxy1.toml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
|
||||||
|
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
||||||
|
incoming_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
||||||
|
quic_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
||||||
|
websocket_listen = [ ]
|
||||||
|
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
||||||
|
outgoing_listen = [ "0.0.0.0:5222" ]
|
||||||
|
|
||||||
|
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
||||||
|
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
||||||
|
|
||||||
|
# c2s port backend XMPP server listens on
|
||||||
|
c2s_target = "127.0.0.1:15222"
|
||||||
|
|
||||||
|
# s2s port backend XMPP server listens on
|
||||||
|
s2s_target = "127.0.0.1:15269"
|
||||||
|
|
||||||
|
# send PROXYv1 header to backend XMPP server
|
||||||
|
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
||||||
|
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
||||||
|
proxy = true
|
||||||
|
|
||||||
|
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
||||||
|
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
||||||
|
# xmpp-proxy will use this many bytes + 16k per connection
|
||||||
|
max_stanza_size_bytes = 262_144
|
||||||
|
|
||||||
|
# TLS key/certificate valid for all your XMPP domains, PEM format
|
||||||
|
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
||||||
|
tls_key = "/etc/certs/rsa/one.example.org.key"
|
||||||
|
tls_cert = "/etc/certs/rsa/one.example.org.crt"
|
||||||
|
|
||||||
|
# configure logging, defaults are commented
|
||||||
|
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
||||||
|
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
||||||
|
#log_level = "info"
|
||||||
|
# for development/debugging:
|
||||||
|
log_level = "info,xmpp_proxy=trace"
|
||||||
|
|
||||||
|
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
||||||
|
#log_style = "never"
|
21
integration/07-c2s-starttls/example.org.zone
Normal file
21
integration/07-c2s-starttls/example.org.zone
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
$TTL 300
|
||||||
|
; example.org
|
||||||
|
@ IN SOA ns1.example.org. postmaster.example.org. (
|
||||||
|
2018111111 ; Serial
|
||||||
|
28800 ; Refresh
|
||||||
|
1800 ; Retry
|
||||||
|
604800 ; Expire - 1 week
|
||||||
|
86400 ) ; Negative Cache TTL
|
||||||
|
IN NS ns1
|
||||||
|
ns1 IN A 192.5.0.10
|
||||||
|
server1 IN A 192.5.0.20
|
||||||
|
server2 IN A 192.5.0.30
|
||||||
|
xp1 IN A 192.5.0.40
|
||||||
|
xp2 IN A 192.5.0.50
|
||||||
|
xp3 IN A 192.5.0.60
|
||||||
|
|
||||||
|
one IN CNAME xp1
|
||||||
|
two IN CNAME xp1
|
||||||
|
|
||||||
|
scansion.one IN CNAME xp3
|
||||||
|
scansion.two IN CNAME xp3
|
253
integration/07-c2s-starttls/prosody1.cfg.lua
Normal file
253
integration/07-c2s-starttls/prosody1.cfg.lua
Normal file
@ -0,0 +1,253 @@
|
|||||||
|
--Important for systemd
|
||||||
|
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
||||||
|
daemonize = false
|
||||||
|
run_as_root = true
|
||||||
|
|
||||||
|
pidfile = "/run/prosody/prosody.pid"
|
||||||
|
|
||||||
|
plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
|
||||||
|
|
||||||
|
-- Prosody Example Configuration File
|
||||||
|
--
|
||||||
|
-- Information on configuring Prosody can be found on our
|
||||||
|
-- website at https://prosody.im/doc/configure
|
||||||
|
--
|
||||||
|
-- Tip: You can check that the syntax of this file is correct
|
||||||
|
-- when you have finished by running this command:
|
||||||
|
-- prosodyctl check config
|
||||||
|
-- If there are any errors, it will let you know what and where
|
||||||
|
-- they are, otherwise it will keep quiet.
|
||||||
|
--
|
||||||
|
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
||||||
|
-- blanks. Good luck, and happy Jabbering!
|
||||||
|
|
||||||
|
|
||||||
|
---------- Server-wide settings ----------
|
||||||
|
-- Settings in this section apply to the whole server and are the default settings
|
||||||
|
-- for any virtual hosts
|
||||||
|
|
||||||
|
-- This is a (by default, empty) list of accounts that are admins
|
||||||
|
-- for the server. Note that you must create the accounts separately
|
||||||
|
-- (see https://prosody.im/doc/creating_accounts for info)
|
||||||
|
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
||||||
|
admins = { }
|
||||||
|
|
||||||
|
-- Enable use of libevent for better performance under high load
|
||||||
|
-- For more information see: https://prosody.im/doc/libevent
|
||||||
|
--use_libevent = true
|
||||||
|
|
||||||
|
-- Prosody will always look in its source directory for modules, but
|
||||||
|
-- this option allows you to specify additional locations where Prosody
|
||||||
|
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
||||||
|
--plugin_paths = {}
|
||||||
|
|
||||||
|
-- This is the list of modules Prosody will load on startup.
|
||||||
|
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
||||||
|
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
||||||
|
modules_enabled = {
|
||||||
|
|
||||||
|
-- Generally required
|
||||||
|
"roster"; -- Allow users to have a roster. Recommended ;)
|
||||||
|
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
||||||
|
--"tls"; -- Add support for secure TLS on c2s/s2s connections
|
||||||
|
"dialback"; -- s2s dialback support
|
||||||
|
"disco"; -- Service discovery
|
||||||
|
|
||||||
|
-- Not essential, but recommended
|
||||||
|
"carbons"; -- Keep multiple clients in sync
|
||||||
|
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
||||||
|
"private"; -- Private XML storage (for room bookmarks, etc.)
|
||||||
|
"blocklist"; -- Allow users to block communications with other users
|
||||||
|
"vcard4"; -- User profiles (stored in PEP)
|
||||||
|
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
||||||
|
"limits"; -- Enable bandwidth limiting for XMPP connections
|
||||||
|
|
||||||
|
-- Nice to have
|
||||||
|
"version"; -- Replies to server version requests
|
||||||
|
"uptime"; -- Report how long server has been running
|
||||||
|
"time"; -- Let others know the time here on this server
|
||||||
|
"ping"; -- Replies to XMPP pings with pongs
|
||||||
|
"register"; -- Allow users to register on this server using a client and change passwords
|
||||||
|
--"mam"; -- Store messages in an archive and allow users to access it
|
||||||
|
--"csi_simple"; -- Simple Mobile optimizations
|
||||||
|
|
||||||
|
-- Admin interfaces
|
||||||
|
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
||||||
|
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
||||||
|
|
||||||
|
-- HTTP modules
|
||||||
|
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
||||||
|
--"websocket"; -- XMPP over WebSockets
|
||||||
|
--"http_files"; -- Serve static files from a directory over HTTP
|
||||||
|
|
||||||
|
-- Other specific functionality
|
||||||
|
--"groups"; -- Shared roster support
|
||||||
|
--"server_contact_info"; -- Publish contact information for this service
|
||||||
|
--"announce"; -- Send announcement to all online users
|
||||||
|
--"welcome"; -- Welcome users who register accounts
|
||||||
|
--"watchregistrations"; -- Alert admins of registrations
|
||||||
|
--"motd"; -- Send a message to users when they log in
|
||||||
|
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
||||||
|
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
||||||
|
"net_proxy";
|
||||||
|
"s2s_outgoing_proxy";
|
||||||
|
}
|
||||||
|
|
||||||
|
-- These modules are auto-loaded, but should you want
|
||||||
|
-- to disable them then uncomment them here:
|
||||||
|
modules_disabled = {
|
||||||
|
-- "offline"; -- Store offline messages
|
||||||
|
-- "c2s"; -- Handle client connections
|
||||||
|
-- "s2s"; -- Handle server-to-server connections
|
||||||
|
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Disable account creation by default, for security
|
||||||
|
-- For more information see https://prosody.im/doc/creating_accounts
|
||||||
|
allow_registration = false
|
||||||
|
|
||||||
|
-- we don't need prosody doing any encryption, xmpp-proxy does this now
|
||||||
|
-- these are likely set to true somewhere in your file, find them, make them false
|
||||||
|
-- you can also remove all certificates from your config
|
||||||
|
s2s_require_encryption = false
|
||||||
|
s2s_secure_auth = false
|
||||||
|
|
||||||
|
-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
|
||||||
|
s2s_outgoing_proxy = { "xp1.example.org", 15270 }
|
||||||
|
|
||||||
|
-- handle PROXY protocol on these ports
|
||||||
|
proxy_port_mappings = {
|
||||||
|
[15222] = "c2s",
|
||||||
|
[15269] = "s2s"
|
||||||
|
}
|
||||||
|
|
||||||
|
--[[
|
||||||
|
Specifies a list of trusted hosts or networks which may use the PROXY protocol
|
||||||
|
If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
|
||||||
|
An empty table ({}) can be configured to allow connections from any source.
|
||||||
|
Please read the module documentation about potential security impact.
|
||||||
|
]]--
|
||||||
|
proxy_trusted_proxies = {
|
||||||
|
"192.5.0.40"
|
||||||
|
}
|
||||||
|
|
||||||
|
-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
|
||||||
|
-- you might need to comment these out further down in your config file if you set them
|
||||||
|
c2s_ports = {}
|
||||||
|
legacy_ssl_ports = {}
|
||||||
|
-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
|
||||||
|
s2s_ports = {15268}
|
||||||
|
|
||||||
|
-- Force clients to use encrypted connections? This option will
|
||||||
|
-- prevent clients from authenticating unless they are using encryption.
|
||||||
|
|
||||||
|
c2s_require_encryption = false
|
||||||
|
allow_unencrypted_plain_auth = true
|
||||||
|
|
||||||
|
-- Some servers have invalid or self-signed certificates. You can list
|
||||||
|
-- remote domains here that will not be required to authenticate using
|
||||||
|
-- certificates. They will be authenticated using DNS instead, even
|
||||||
|
-- when s2s_secure_auth is enabled.
|
||||||
|
|
||||||
|
--s2s_insecure_domains = { "insecure.example" }
|
||||||
|
|
||||||
|
-- Even if you disable s2s_secure_auth, you can still require valid
|
||||||
|
-- certificates for some domains by specifying a list here.
|
||||||
|
|
||||||
|
--s2s_secure_domains = { "jabber.org" }
|
||||||
|
|
||||||
|
-- Enable rate limits for incoming client and server connections
|
||||||
|
|
||||||
|
limits = {
|
||||||
|
c2s = {
|
||||||
|
rate = "10kb/s";
|
||||||
|
};
|
||||||
|
s2sin = {
|
||||||
|
rate = "30kb/s";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Select the authentication backend to use. The 'internal' providers
|
||||||
|
-- use Prosody's configured data storage to store the authentication data.
|
||||||
|
|
||||||
|
authentication = "internal_hashed"
|
||||||
|
|
||||||
|
-- Select the storage backend to use. By default Prosody uses flat files
|
||||||
|
-- in its configured data directory, but it also supports more backends
|
||||||
|
-- through modules. An "sql" backend is included by default, but requires
|
||||||
|
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
||||||
|
|
||||||
|
--storage = "sql" -- Default is "internal"
|
||||||
|
|
||||||
|
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
||||||
|
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
||||||
|
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
|
||||||
|
|
||||||
|
-- Archiving configuration
|
||||||
|
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
||||||
|
-- is used to synchronize conversations between multiple clients, even if
|
||||||
|
-- they are offline. This setting controls how long Prosody will keep
|
||||||
|
-- messages in the archive before removing them.
|
||||||
|
|
||||||
|
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
||||||
|
|
||||||
|
-- You can also configure messages to be stored in-memory only. For more
|
||||||
|
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
||||||
|
|
||||||
|
-- Logging configuration
|
||||||
|
-- For advanced logging see https://prosody.im/doc/logging
|
||||||
|
log = {
|
||||||
|
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
||||||
|
-- error = "prosody.err";
|
||||||
|
--info = "*syslog"; -- Uncomment this for logging to syslog
|
||||||
|
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Uncomment to enable statistics
|
||||||
|
-- For more info see https://prosody.im/doc/statistics
|
||||||
|
-- statistics = "internal"
|
||||||
|
|
||||||
|
-- Certificates
|
||||||
|
-- Every virtual host and component needs a certificate so that clients and
|
||||||
|
-- servers can securely verify its identity. Prosody will automatically load
|
||||||
|
-- certificates/keys from the directory specified here.
|
||||||
|
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
||||||
|
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
||||||
|
|
||||||
|
-- Location of directory to find certificates in (relative to main config file):
|
||||||
|
certificates = "certs"
|
||||||
|
|
||||||
|
-- HTTPS currently only supports a single certificate, specify it here:
|
||||||
|
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
||||||
|
|
||||||
|
----------- Virtual hosts -----------
|
||||||
|
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
||||||
|
-- Settings under each VirtualHost entry apply *only* to that host.
|
||||||
|
|
||||||
|
VirtualHost "one.example.org"
|
||||||
|
|
||||||
|
VirtualHost "two.example.org"
|
||||||
|
|
||||||
|
--VirtualHost "example.com"
|
||||||
|
-- certificate = "/path/to/example.crt"
|
||||||
|
|
||||||
|
------ Components ------
|
||||||
|
-- You can specify components to add hosts that provide special services,
|
||||||
|
-- like multi-user conferences, and transports.
|
||||||
|
-- For more information on components, see https://prosody.im/doc/components
|
||||||
|
|
||||||
|
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
||||||
|
--Component "conference.example.com" "muc"
|
||||||
|
--- Store MUC messages in an archive and allow users to access it
|
||||||
|
--modules_enabled = { "muc_mam" }
|
||||||
|
|
||||||
|
---Set up an external component (default component port is 5347)
|
||||||
|
--
|
||||||
|
-- External components allow adding various services, such as gateways/
|
||||||
|
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
||||||
|
-- see: https://prosody.im/doc/components#adding_an_external_component
|
||||||
|
--
|
||||||
|
--Component "gateway.example.com"
|
||||||
|
-- component_secret = "password"
|
44
integration/07-c2s-starttls/xmpp-proxy1.toml
Normal file
44
integration/07-c2s-starttls/xmpp-proxy1.toml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
|
||||||
|
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
||||||
|
incoming_listen = [ "0.0.0.0:5222" ]
|
||||||
|
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
||||||
|
quic_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
||||||
|
websocket_listen = [ ]
|
||||||
|
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
||||||
|
outgoing_listen = [ ]
|
||||||
|
|
||||||
|
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
||||||
|
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
||||||
|
|
||||||
|
# c2s port backend XMPP server listens on
|
||||||
|
c2s_target = "192.5.0.20:15222"
|
||||||
|
|
||||||
|
# s2s port backend XMPP server listens on
|
||||||
|
s2s_target = "192.5.0.20:15269"
|
||||||
|
|
||||||
|
# send PROXYv1 header to backend XMPP server
|
||||||
|
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
||||||
|
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
||||||
|
proxy = true
|
||||||
|
|
||||||
|
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
||||||
|
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
||||||
|
# xmpp-proxy will use this many bytes + 16k per connection
|
||||||
|
max_stanza_size_bytes = 262_144
|
||||||
|
|
||||||
|
# TLS key/certificate valid for all your XMPP domains, PEM format
|
||||||
|
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
||||||
|
tls_key = "/etc/prosody/certs/wildcard.key"
|
||||||
|
tls_cert = "/etc/prosody/certs/wildcard.crt"
|
||||||
|
|
||||||
|
# configure logging, defaults are commented
|
||||||
|
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
||||||
|
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
||||||
|
#log_level = "info"
|
||||||
|
# for development/debugging:
|
||||||
|
log_level = "info,xmpp_proxy=trace"
|
||||||
|
|
||||||
|
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
||||||
|
#log_style = "never"
|
44
integration/07-c2s-starttls/xmpp-proxy3.toml
Normal file
44
integration/07-c2s-starttls/xmpp-proxy3.toml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
|
||||||
|
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
||||||
|
incoming_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
||||||
|
quic_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
||||||
|
websocket_listen = [ ]
|
||||||
|
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
||||||
|
outgoing_listen = [ "0.0.0.0:5222" ]
|
||||||
|
|
||||||
|
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
||||||
|
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
||||||
|
|
||||||
|
# c2s port backend XMPP server listens on
|
||||||
|
c2s_target = "127.0.0.1:15222"
|
||||||
|
|
||||||
|
# s2s port backend XMPP server listens on
|
||||||
|
s2s_target = "127.0.0.1:15269"
|
||||||
|
|
||||||
|
# send PROXYv1 header to backend XMPP server
|
||||||
|
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
||||||
|
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
||||||
|
proxy = true
|
||||||
|
|
||||||
|
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
||||||
|
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
||||||
|
# xmpp-proxy will use this many bytes + 16k per connection
|
||||||
|
max_stanza_size_bytes = 262_144
|
||||||
|
|
||||||
|
# TLS key/certificate valid for all your XMPP domains, PEM format
|
||||||
|
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
||||||
|
tls_key = "/etc/certs/rsa/one.example.org.key"
|
||||||
|
tls_cert = "/etc/certs/rsa/one.example.org.crt"
|
||||||
|
|
||||||
|
# configure logging, defaults are commented
|
||||||
|
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
||||||
|
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
||||||
|
#log_level = "info"
|
||||||
|
# for development/debugging:
|
||||||
|
log_level = "info,xmpp_proxy=trace"
|
||||||
|
|
||||||
|
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
||||||
|
#log_style = "never"
|
21
integration/08-c2s-tls/example.org.zone
Normal file
21
integration/08-c2s-tls/example.org.zone
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
$TTL 300
|
||||||
|
; example.org
|
||||||
|
@ IN SOA ns1.example.org. postmaster.example.org. (
|
||||||
|
2018111111 ; Serial
|
||||||
|
28800 ; Refresh
|
||||||
|
1800 ; Retry
|
||||||
|
604800 ; Expire - 1 week
|
||||||
|
86400 ) ; Negative Cache TTL
|
||||||
|
IN NS ns1
|
||||||
|
ns1 IN A 192.5.0.10
|
||||||
|
server1 IN A 192.5.0.20
|
||||||
|
server2 IN A 192.5.0.30
|
||||||
|
xp1 IN A 192.5.0.40
|
||||||
|
xp2 IN A 192.5.0.50
|
||||||
|
xp3 IN A 192.5.0.60
|
||||||
|
|
||||||
|
one IN CNAME xp1
|
||||||
|
two IN CNAME xp1
|
||||||
|
|
||||||
|
scansion.one IN CNAME xp3
|
||||||
|
scansion.two IN CNAME xp3
|
253
integration/08-c2s-tls/prosody1.cfg.lua
Normal file
253
integration/08-c2s-tls/prosody1.cfg.lua
Normal file
@ -0,0 +1,253 @@
|
|||||||
|
--Important for systemd
|
||||||
|
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
||||||
|
daemonize = false
|
||||||
|
run_as_root = true
|
||||||
|
|
||||||
|
pidfile = "/run/prosody/prosody.pid"
|
||||||
|
|
||||||
|
plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
|
||||||
|
|
||||||
|
-- Prosody Example Configuration File
|
||||||
|
--
|
||||||
|
-- Information on configuring Prosody can be found on our
|
||||||
|
-- website at https://prosody.im/doc/configure
|
||||||
|
--
|
||||||
|
-- Tip: You can check that the syntax of this file is correct
|
||||||
|
-- when you have finished by running this command:
|
||||||
|
-- prosodyctl check config
|
||||||
|
-- If there are any errors, it will let you know what and where
|
||||||
|
-- they are, otherwise it will keep quiet.
|
||||||
|
--
|
||||||
|
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
||||||
|
-- blanks. Good luck, and happy Jabbering!
|
||||||
|
|
||||||
|
|
||||||
|
---------- Server-wide settings ----------
|
||||||
|
-- Settings in this section apply to the whole server and are the default settings
|
||||||
|
-- for any virtual hosts
|
||||||
|
|
||||||
|
-- This is a (by default, empty) list of accounts that are admins
|
||||||
|
-- for the server. Note that you must create the accounts separately
|
||||||
|
-- (see https://prosody.im/doc/creating_accounts for info)
|
||||||
|
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
||||||
|
admins = { }
|
||||||
|
|
||||||
|
-- Enable use of libevent for better performance under high load
|
||||||
|
-- For more information see: https://prosody.im/doc/libevent
|
||||||
|
--use_libevent = true
|
||||||
|
|
||||||
|
-- Prosody will always look in its source directory for modules, but
|
||||||
|
-- this option allows you to specify additional locations where Prosody
|
||||||
|
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
||||||
|
--plugin_paths = {}
|
||||||
|
|
||||||
|
-- This is the list of modules Prosody will load on startup.
|
||||||
|
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
||||||
|
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
||||||
|
modules_enabled = {
|
||||||
|
|
||||||
|
-- Generally required
|
||||||
|
"roster"; -- Allow users to have a roster. Recommended ;)
|
||||||
|
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
||||||
|
--"tls"; -- Add support for secure TLS on c2s/s2s connections
|
||||||
|
"dialback"; -- s2s dialback support
|
||||||
|
"disco"; -- Service discovery
|
||||||
|
|
||||||
|
-- Not essential, but recommended
|
||||||
|
"carbons"; -- Keep multiple clients in sync
|
||||||
|
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
||||||
|
"private"; -- Private XML storage (for room bookmarks, etc.)
|
||||||
|
"blocklist"; -- Allow users to block communications with other users
|
||||||
|
"vcard4"; -- User profiles (stored in PEP)
|
||||||
|
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
||||||
|
"limits"; -- Enable bandwidth limiting for XMPP connections
|
||||||
|
|
||||||
|
-- Nice to have
|
||||||
|
"version"; -- Replies to server version requests
|
||||||
|
"uptime"; -- Report how long server has been running
|
||||||
|
"time"; -- Let others know the time here on this server
|
||||||
|
"ping"; -- Replies to XMPP pings with pongs
|
||||||
|
"register"; -- Allow users to register on this server using a client and change passwords
|
||||||
|
--"mam"; -- Store messages in an archive and allow users to access it
|
||||||
|
--"csi_simple"; -- Simple Mobile optimizations
|
||||||
|
|
||||||
|
-- Admin interfaces
|
||||||
|
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
||||||
|
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
||||||
|
|
||||||
|
-- HTTP modules
|
||||||
|
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
||||||
|
--"websocket"; -- XMPP over WebSockets
|
||||||
|
--"http_files"; -- Serve static files from a directory over HTTP
|
||||||
|
|
||||||
|
-- Other specific functionality
|
||||||
|
--"groups"; -- Shared roster support
|
||||||
|
--"server_contact_info"; -- Publish contact information for this service
|
||||||
|
--"announce"; -- Send announcement to all online users
|
||||||
|
--"welcome"; -- Welcome users who register accounts
|
||||||
|
--"watchregistrations"; -- Alert admins of registrations
|
||||||
|
--"motd"; -- Send a message to users when they log in
|
||||||
|
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
||||||
|
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
||||||
|
"net_proxy";
|
||||||
|
"s2s_outgoing_proxy";
|
||||||
|
}
|
||||||
|
|
||||||
|
-- These modules are auto-loaded, but should you want
|
||||||
|
-- to disable them then uncomment them here:
|
||||||
|
modules_disabled = {
|
||||||
|
-- "offline"; -- Store offline messages
|
||||||
|
-- "c2s"; -- Handle client connections
|
||||||
|
-- "s2s"; -- Handle server-to-server connections
|
||||||
|
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Disable account creation by default, for security
|
||||||
|
-- For more information see https://prosody.im/doc/creating_accounts
|
||||||
|
allow_registration = false
|
||||||
|
|
||||||
|
-- we don't need prosody doing any encryption, xmpp-proxy does this now
|
||||||
|
-- these are likely set to true somewhere in your file, find them, make them false
|
||||||
|
-- you can also remove all certificates from your config
|
||||||
|
s2s_require_encryption = false
|
||||||
|
s2s_secure_auth = false
|
||||||
|
|
||||||
|
-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
|
||||||
|
s2s_outgoing_proxy = { "xp1.example.org", 15270 }
|
||||||
|
|
||||||
|
-- handle PROXY protocol on these ports
|
||||||
|
proxy_port_mappings = {
|
||||||
|
[15222] = "c2s",
|
||||||
|
[15269] = "s2s"
|
||||||
|
}
|
||||||
|
|
||||||
|
--[[
|
||||||
|
Specifies a list of trusted hosts or networks which may use the PROXY protocol
|
||||||
|
If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
|
||||||
|
An empty table ({}) can be configured to allow connections from any source.
|
||||||
|
Please read the module documentation about potential security impact.
|
||||||
|
]]--
|
||||||
|
proxy_trusted_proxies = {
|
||||||
|
"192.5.0.40"
|
||||||
|
}
|
||||||
|
|
||||||
|
-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
|
||||||
|
-- you might need to comment these out further down in your config file if you set them
|
||||||
|
c2s_ports = {}
|
||||||
|
legacy_ssl_ports = {}
|
||||||
|
-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
|
||||||
|
s2s_ports = {15268}
|
||||||
|
|
||||||
|
-- Force clients to use encrypted connections? This option will
|
||||||
|
-- prevent clients from authenticating unless they are using encryption.
|
||||||
|
|
||||||
|
c2s_require_encryption = false
|
||||||
|
allow_unencrypted_plain_auth = true
|
||||||
|
|
||||||
|
-- Some servers have invalid or self-signed certificates. You can list
|
||||||
|
-- remote domains here that will not be required to authenticate using
|
||||||
|
-- certificates. They will be authenticated using DNS instead, even
|
||||||
|
-- when s2s_secure_auth is enabled.
|
||||||
|
|
||||||
|
--s2s_insecure_domains = { "insecure.example" }
|
||||||
|
|
||||||
|
-- Even if you disable s2s_secure_auth, you can still require valid
|
||||||
|
-- certificates for some domains by specifying a list here.
|
||||||
|
|
||||||
|
--s2s_secure_domains = { "jabber.org" }
|
||||||
|
|
||||||
|
-- Enable rate limits for incoming client and server connections
|
||||||
|
|
||||||
|
limits = {
|
||||||
|
c2s = {
|
||||||
|
rate = "10kb/s";
|
||||||
|
};
|
||||||
|
s2sin = {
|
||||||
|
rate = "30kb/s";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Select the authentication backend to use. The 'internal' providers
|
||||||
|
-- use Prosody's configured data storage to store the authentication data.
|
||||||
|
|
||||||
|
authentication = "internal_hashed"
|
||||||
|
|
||||||
|
-- Select the storage backend to use. By default Prosody uses flat files
|
||||||
|
-- in its configured data directory, but it also supports more backends
|
||||||
|
-- through modules. An "sql" backend is included by default, but requires
|
||||||
|
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
||||||
|
|
||||||
|
--storage = "sql" -- Default is "internal"
|
||||||
|
|
||||||
|
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
||||||
|
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
||||||
|
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
|
||||||
|
|
||||||
|
-- Archiving configuration
|
||||||
|
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
||||||
|
-- is used to synchronize conversations between multiple clients, even if
|
||||||
|
-- they are offline. This setting controls how long Prosody will keep
|
||||||
|
-- messages in the archive before removing them.
|
||||||
|
|
||||||
|
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
||||||
|
|
||||||
|
-- You can also configure messages to be stored in-memory only. For more
|
||||||
|
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
||||||
|
|
||||||
|
-- Logging configuration
|
||||||
|
-- For advanced logging see https://prosody.im/doc/logging
|
||||||
|
log = {
|
||||||
|
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
||||||
|
-- error = "prosody.err";
|
||||||
|
--info = "*syslog"; -- Uncomment this for logging to syslog
|
||||||
|
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Uncomment to enable statistics
|
||||||
|
-- For more info see https://prosody.im/doc/statistics
|
||||||
|
-- statistics = "internal"
|
||||||
|
|
||||||
|
-- Certificates
|
||||||
|
-- Every virtual host and component needs a certificate so that clients and
|
||||||
|
-- servers can securely verify its identity. Prosody will automatically load
|
||||||
|
-- certificates/keys from the directory specified here.
|
||||||
|
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
||||||
|
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
||||||
|
|
||||||
|
-- Location of directory to find certificates in (relative to main config file):
|
||||||
|
certificates = "certs"
|
||||||
|
|
||||||
|
-- HTTPS currently only supports a single certificate, specify it here:
|
||||||
|
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
||||||
|
|
||||||
|
----------- Virtual hosts -----------
|
||||||
|
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
||||||
|
-- Settings under each VirtualHost entry apply *only* to that host.
|
||||||
|
|
||||||
|
VirtualHost "one.example.org"
|
||||||
|
|
||||||
|
VirtualHost "two.example.org"
|
||||||
|
|
||||||
|
--VirtualHost "example.com"
|
||||||
|
-- certificate = "/path/to/example.crt"
|
||||||
|
|
||||||
|
------ Components ------
|
||||||
|
-- You can specify components to add hosts that provide special services,
|
||||||
|
-- like multi-user conferences, and transports.
|
||||||
|
-- For more information on components, see https://prosody.im/doc/components
|
||||||
|
|
||||||
|
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
||||||
|
--Component "conference.example.com" "muc"
|
||||||
|
--- Store MUC messages in an archive and allow users to access it
|
||||||
|
--modules_enabled = { "muc_mam" }
|
||||||
|
|
||||||
|
---Set up an external component (default component port is 5347)
|
||||||
|
--
|
||||||
|
-- External components allow adding various services, such as gateways/
|
||||||
|
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
||||||
|
-- see: https://prosody.im/doc/components#adding_an_external_component
|
||||||
|
--
|
||||||
|
--Component "gateway.example.com"
|
||||||
|
-- component_secret = "password"
|
44
integration/08-c2s-tls/xmpp-proxy1.toml
Normal file
44
integration/08-c2s-tls/xmpp-proxy1.toml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
|
||||||
|
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
||||||
|
incoming_listen = [ "0.0.0.0:443" ]
|
||||||
|
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
||||||
|
quic_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
||||||
|
websocket_listen = [ ]
|
||||||
|
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
||||||
|
outgoing_listen = [ ]
|
||||||
|
|
||||||
|
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
||||||
|
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
||||||
|
|
||||||
|
# c2s port backend XMPP server listens on
|
||||||
|
c2s_target = "192.5.0.20:15222"
|
||||||
|
|
||||||
|
# s2s port backend XMPP server listens on
|
||||||
|
s2s_target = "192.5.0.20:15269"
|
||||||
|
|
||||||
|
# send PROXYv1 header to backend XMPP server
|
||||||
|
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
||||||
|
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
||||||
|
proxy = true
|
||||||
|
|
||||||
|
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
||||||
|
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
||||||
|
# xmpp-proxy will use this many bytes + 16k per connection
|
||||||
|
max_stanza_size_bytes = 262_144
|
||||||
|
|
||||||
|
# TLS key/certificate valid for all your XMPP domains, PEM format
|
||||||
|
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
||||||
|
tls_key = "/etc/prosody/certs/wildcard.key"
|
||||||
|
tls_cert = "/etc/prosody/certs/wildcard.crt"
|
||||||
|
|
||||||
|
# configure logging, defaults are commented
|
||||||
|
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
||||||
|
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
||||||
|
#log_level = "info"
|
||||||
|
# for development/debugging:
|
||||||
|
log_level = "info,xmpp_proxy=trace"
|
||||||
|
|
||||||
|
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
||||||
|
#log_style = "never"
|
44
integration/08-c2s-tls/xmpp-proxy3.toml
Normal file
44
integration/08-c2s-tls/xmpp-proxy3.toml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
|
||||||
|
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
||||||
|
incoming_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
||||||
|
quic_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
||||||
|
websocket_listen = [ ]
|
||||||
|
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
||||||
|
outgoing_listen = [ "0.0.0.0:5222" ]
|
||||||
|
|
||||||
|
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
||||||
|
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
||||||
|
|
||||||
|
# c2s port backend XMPP server listens on
|
||||||
|
c2s_target = "127.0.0.1:15222"
|
||||||
|
|
||||||
|
# s2s port backend XMPP server listens on
|
||||||
|
s2s_target = "127.0.0.1:15269"
|
||||||
|
|
||||||
|
# send PROXYv1 header to backend XMPP server
|
||||||
|
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
||||||
|
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
||||||
|
proxy = true
|
||||||
|
|
||||||
|
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
||||||
|
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
||||||
|
# xmpp-proxy will use this many bytes + 16k per connection
|
||||||
|
max_stanza_size_bytes = 262_144
|
||||||
|
|
||||||
|
# TLS key/certificate valid for all your XMPP domains, PEM format
|
||||||
|
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
||||||
|
tls_key = "/etc/certs/rsa/one.example.org.key"
|
||||||
|
tls_cert = "/etc/certs/rsa/one.example.org.crt"
|
||||||
|
|
||||||
|
# configure logging, defaults are commented
|
||||||
|
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
||||||
|
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
||||||
|
#log_level = "info"
|
||||||
|
# for development/debugging:
|
||||||
|
log_level = "info,xmpp_proxy=trace"
|
||||||
|
|
||||||
|
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
||||||
|
#log_style = "never"
|
21
integration/09-c2s-a-record-quic/example.org.zone
Normal file
21
integration/09-c2s-a-record-quic/example.org.zone
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
$TTL 300
|
||||||
|
; example.org
|
||||||
|
@ IN SOA ns1.example.org. postmaster.example.org. (
|
||||||
|
2018111111 ; Serial
|
||||||
|
28800 ; Refresh
|
||||||
|
1800 ; Retry
|
||||||
|
604800 ; Expire - 1 week
|
||||||
|
86400 ) ; Negative Cache TTL
|
||||||
|
IN NS ns1
|
||||||
|
ns1 IN A 192.5.0.10
|
||||||
|
server1 IN A 192.5.0.20
|
||||||
|
server2 IN A 192.5.0.30
|
||||||
|
xp1 IN A 192.5.0.40
|
||||||
|
xp2 IN A 192.5.0.50
|
||||||
|
xp3 IN A 192.5.0.60
|
||||||
|
|
||||||
|
one IN CNAME xp1
|
||||||
|
two IN CNAME xp1
|
||||||
|
|
||||||
|
scansion.one IN CNAME xp3
|
||||||
|
scansion.two IN CNAME xp3
|
253
integration/09-c2s-a-record-quic/prosody1.cfg.lua
Normal file
253
integration/09-c2s-a-record-quic/prosody1.cfg.lua
Normal file
@ -0,0 +1,253 @@
|
|||||||
|
--Important for systemd
|
||||||
|
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
||||||
|
daemonize = false
|
||||||
|
run_as_root = true
|
||||||
|
|
||||||
|
pidfile = "/run/prosody/prosody.pid"
|
||||||
|
|
||||||
|
plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
|
||||||
|
|
||||||
|
-- Prosody Example Configuration File
|
||||||
|
--
|
||||||
|
-- Information on configuring Prosody can be found on our
|
||||||
|
-- website at https://prosody.im/doc/configure
|
||||||
|
--
|
||||||
|
-- Tip: You can check that the syntax of this file is correct
|
||||||
|
-- when you have finished by running this command:
|
||||||
|
-- prosodyctl check config
|
||||||
|
-- If there are any errors, it will let you know what and where
|
||||||
|
-- they are, otherwise it will keep quiet.
|
||||||
|
--
|
||||||
|
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
||||||
|
-- blanks. Good luck, and happy Jabbering!
|
||||||
|
|
||||||
|
|
||||||
|
---------- Server-wide settings ----------
|
||||||
|
-- Settings in this section apply to the whole server and are the default settings
|
||||||
|
-- for any virtual hosts
|
||||||
|
|
||||||
|
-- This is a (by default, empty) list of accounts that are admins
|
||||||
|
-- for the server. Note that you must create the accounts separately
|
||||||
|
-- (see https://prosody.im/doc/creating_accounts for info)
|
||||||
|
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
||||||
|
admins = { }
|
||||||
|
|
||||||
|
-- Enable use of libevent for better performance under high load
|
||||||
|
-- For more information see: https://prosody.im/doc/libevent
|
||||||
|
--use_libevent = true
|
||||||
|
|
||||||
|
-- Prosody will always look in its source directory for modules, but
|
||||||
|
-- this option allows you to specify additional locations where Prosody
|
||||||
|
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
||||||
|
--plugin_paths = {}
|
||||||
|
|
||||||
|
-- This is the list of modules Prosody will load on startup.
|
||||||
|
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
||||||
|
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
||||||
|
modules_enabled = {
|
||||||
|
|
||||||
|
-- Generally required
|
||||||
|
"roster"; -- Allow users to have a roster. Recommended ;)
|
||||||
|
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
||||||
|
--"tls"; -- Add support for secure TLS on c2s/s2s connections
|
||||||
|
"dialback"; -- s2s dialback support
|
||||||
|
"disco"; -- Service discovery
|
||||||
|
|
||||||
|
-- Not essential, but recommended
|
||||||
|
"carbons"; -- Keep multiple clients in sync
|
||||||
|
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
||||||
|
"private"; -- Private XML storage (for room bookmarks, etc.)
|
||||||
|
"blocklist"; -- Allow users to block communications with other users
|
||||||
|
"vcard4"; -- User profiles (stored in PEP)
|
||||||
|
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
||||||
|
"limits"; -- Enable bandwidth limiting for XMPP connections
|
||||||
|
|
||||||
|
-- Nice to have
|
||||||
|
"version"; -- Replies to server version requests
|
||||||
|
"uptime"; -- Report how long server has been running
|
||||||
|
"time"; -- Let others know the time here on this server
|
||||||
|
"ping"; -- Replies to XMPP pings with pongs
|
||||||
|
"register"; -- Allow users to register on this server using a client and change passwords
|
||||||
|
--"mam"; -- Store messages in an archive and allow users to access it
|
||||||
|
--"csi_simple"; -- Simple Mobile optimizations
|
||||||
|
|
||||||
|
-- Admin interfaces
|
||||||
|
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
||||||
|
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
||||||
|
|
||||||
|
-- HTTP modules
|
||||||
|
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
||||||
|
--"websocket"; -- XMPP over WebSockets
|
||||||
|
--"http_files"; -- Serve static files from a directory over HTTP
|
||||||
|
|
||||||
|
-- Other specific functionality
|
||||||
|
--"groups"; -- Shared roster support
|
||||||
|
--"server_contact_info"; -- Publish contact information for this service
|
||||||
|
--"announce"; -- Send announcement to all online users
|
||||||
|
--"welcome"; -- Welcome users who register accounts
|
||||||
|
--"watchregistrations"; -- Alert admins of registrations
|
||||||
|
--"motd"; -- Send a message to users when they log in
|
||||||
|
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
||||||
|
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
||||||
|
"net_proxy";
|
||||||
|
"s2s_outgoing_proxy";
|
||||||
|
}
|
||||||
|
|
||||||
|
-- These modules are auto-loaded, but should you want
|
||||||
|
-- to disable them then uncomment them here:
|
||||||
|
modules_disabled = {
|
||||||
|
-- "offline"; -- Store offline messages
|
||||||
|
-- "c2s"; -- Handle client connections
|
||||||
|
-- "s2s"; -- Handle server-to-server connections
|
||||||
|
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Disable account creation by default, for security
|
||||||
|
-- For more information see https://prosody.im/doc/creating_accounts
|
||||||
|
allow_registration = false
|
||||||
|
|
||||||
|
-- we don't need prosody doing any encryption, xmpp-proxy does this now
|
||||||
|
-- these are likely set to true somewhere in your file, find them, make them false
|
||||||
|
-- you can also remove all certificates from your config
|
||||||
|
s2s_require_encryption = false
|
||||||
|
s2s_secure_auth = false
|
||||||
|
|
||||||
|
-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
|
||||||
|
s2s_outgoing_proxy = { "xp1.example.org", 15270 }
|
||||||
|
|
||||||
|
-- handle PROXY protocol on these ports
|
||||||
|
proxy_port_mappings = {
|
||||||
|
[15222] = "c2s",
|
||||||
|
[15269] = "s2s"
|
||||||
|
}
|
||||||
|
|
||||||
|
--[[
|
||||||
|
Specifies a list of trusted hosts or networks which may use the PROXY protocol
|
||||||
|
If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
|
||||||
|
An empty table ({}) can be configured to allow connections from any source.
|
||||||
|
Please read the module documentation about potential security impact.
|
||||||
|
]]--
|
||||||
|
proxy_trusted_proxies = {
|
||||||
|
"192.5.0.40"
|
||||||
|
}
|
||||||
|
|
||||||
|
-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
|
||||||
|
-- you might need to comment these out further down in your config file if you set them
|
||||||
|
c2s_ports = {}
|
||||||
|
legacy_ssl_ports = {}
|
||||||
|
-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
|
||||||
|
s2s_ports = {15268}
|
||||||
|
|
||||||
|
-- Force clients to use encrypted connections? This option will
|
||||||
|
-- prevent clients from authenticating unless they are using encryption.
|
||||||
|
|
||||||
|
c2s_require_encryption = false
|
||||||
|
allow_unencrypted_plain_auth = true
|
||||||
|
|
||||||
|
-- Some servers have invalid or self-signed certificates. You can list
|
||||||
|
-- remote domains here that will not be required to authenticate using
|
||||||
|
-- certificates. They will be authenticated using DNS instead, even
|
||||||
|
-- when s2s_secure_auth is enabled.
|
||||||
|
|
||||||
|
--s2s_insecure_domains = { "insecure.example" }
|
||||||
|
|
||||||
|
-- Even if you disable s2s_secure_auth, you can still require valid
|
||||||
|
-- certificates for some domains by specifying a list here.
|
||||||
|
|
||||||
|
--s2s_secure_domains = { "jabber.org" }
|
||||||
|
|
||||||
|
-- Enable rate limits for incoming client and server connections
|
||||||
|
|
||||||
|
limits = {
|
||||||
|
c2s = {
|
||||||
|
rate = "10kb/s";
|
||||||
|
};
|
||||||
|
s2sin = {
|
||||||
|
rate = "30kb/s";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Select the authentication backend to use. The 'internal' providers
|
||||||
|
-- use Prosody's configured data storage to store the authentication data.
|
||||||
|
|
||||||
|
authentication = "internal_hashed"
|
||||||
|
|
||||||
|
-- Select the storage backend to use. By default Prosody uses flat files
|
||||||
|
-- in its configured data directory, but it also supports more backends
|
||||||
|
-- through modules. An "sql" backend is included by default, but requires
|
||||||
|
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
||||||
|
|
||||||
|
--storage = "sql" -- Default is "internal"
|
||||||
|
|
||||||
|
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
||||||
|
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
||||||
|
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
|
||||||
|
|
||||||
|
-- Archiving configuration
|
||||||
|
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
||||||
|
-- is used to synchronize conversations between multiple clients, even if
|
||||||
|
-- they are offline. This setting controls how long Prosody will keep
|
||||||
|
-- messages in the archive before removing them.
|
||||||
|
|
||||||
|
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
||||||
|
|
||||||
|
-- You can also configure messages to be stored in-memory only. For more
|
||||||
|
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
||||||
|
|
||||||
|
-- Logging configuration
|
||||||
|
-- For advanced logging see https://prosody.im/doc/logging
|
||||||
|
log = {
|
||||||
|
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
||||||
|
-- error = "prosody.err";
|
||||||
|
--info = "*syslog"; -- Uncomment this for logging to syslog
|
||||||
|
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Uncomment to enable statistics
|
||||||
|
-- For more info see https://prosody.im/doc/statistics
|
||||||
|
-- statistics = "internal"
|
||||||
|
|
||||||
|
-- Certificates
|
||||||
|
-- Every virtual host and component needs a certificate so that clients and
|
||||||
|
-- servers can securely verify its identity. Prosody will automatically load
|
||||||
|
-- certificates/keys from the directory specified here.
|
||||||
|
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
||||||
|
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
||||||
|
|
||||||
|
-- Location of directory to find certificates in (relative to main config file):
|
||||||
|
certificates = "certs"
|
||||||
|
|
||||||
|
-- HTTPS currently only supports a single certificate, specify it here:
|
||||||
|
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
||||||
|
|
||||||
|
----------- Virtual hosts -----------
|
||||||
|
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
||||||
|
-- Settings under each VirtualHost entry apply *only* to that host.
|
||||||
|
|
||||||
|
VirtualHost "one.example.org"
|
||||||
|
|
||||||
|
VirtualHost "two.example.org"
|
||||||
|
|
||||||
|
--VirtualHost "example.com"
|
||||||
|
-- certificate = "/path/to/example.crt"
|
||||||
|
|
||||||
|
------ Components ------
|
||||||
|
-- You can specify components to add hosts that provide special services,
|
||||||
|
-- like multi-user conferences, and transports.
|
||||||
|
-- For more information on components, see https://prosody.im/doc/components
|
||||||
|
|
||||||
|
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
||||||
|
--Component "conference.example.com" "muc"
|
||||||
|
--- Store MUC messages in an archive and allow users to access it
|
||||||
|
--modules_enabled = { "muc_mam" }
|
||||||
|
|
||||||
|
---Set up an external component (default component port is 5347)
|
||||||
|
--
|
||||||
|
-- External components allow adding various services, such as gateways/
|
||||||
|
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
||||||
|
-- see: https://prosody.im/doc/components#adding_an_external_component
|
||||||
|
--
|
||||||
|
--Component "gateway.example.com"
|
||||||
|
-- component_secret = "password"
|
44
integration/09-c2s-a-record-quic/xmpp-proxy1.toml
Normal file
44
integration/09-c2s-a-record-quic/xmpp-proxy1.toml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
|
||||||
|
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
||||||
|
incoming_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
||||||
|
quic_listen = [ "0.0.0.0:443" ]
|
||||||
|
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
||||||
|
websocket_listen = [ ]
|
||||||
|
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
||||||
|
outgoing_listen = [ ]
|
||||||
|
|
||||||
|
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
||||||
|
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
||||||
|
|
||||||
|
# c2s port backend XMPP server listens on
|
||||||
|
c2s_target = "192.5.0.20:15222"
|
||||||
|
|
||||||
|
# s2s port backend XMPP server listens on
|
||||||
|
s2s_target = "192.5.0.20:15269"
|
||||||
|
|
||||||
|
# send PROXYv1 header to backend XMPP server
|
||||||
|
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
||||||
|
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
||||||
|
proxy = true
|
||||||
|
|
||||||
|
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
||||||
|
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
||||||
|
# xmpp-proxy will use this many bytes + 16k per connection
|
||||||
|
max_stanza_size_bytes = 262_144
|
||||||
|
|
||||||
|
# TLS key/certificate valid for all your XMPP domains, PEM format
|
||||||
|
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
||||||
|
tls_key = "/etc/prosody/certs/wildcard.key"
|
||||||
|
tls_cert = "/etc/prosody/certs/wildcard.crt"
|
||||||
|
|
||||||
|
# configure logging, defaults are commented
|
||||||
|
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
||||||
|
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
||||||
|
#log_level = "info"
|
||||||
|
# for development/debugging:
|
||||||
|
log_level = "info,xmpp_proxy=trace"
|
||||||
|
|
||||||
|
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
||||||
|
#log_style = "never"
|
44
integration/09-c2s-a-record-quic/xmpp-proxy3.toml
Normal file
44
integration/09-c2s-a-record-quic/xmpp-proxy3.toml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
|
||||||
|
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
||||||
|
incoming_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
||||||
|
quic_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
||||||
|
websocket_listen = [ ]
|
||||||
|
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
||||||
|
outgoing_listen = [ "0.0.0.0:5222" ]
|
||||||
|
|
||||||
|
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
||||||
|
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
||||||
|
|
||||||
|
# c2s port backend XMPP server listens on
|
||||||
|
c2s_target = "127.0.0.1:15222"
|
||||||
|
|
||||||
|
# s2s port backend XMPP server listens on
|
||||||
|
s2s_target = "127.0.0.1:15269"
|
||||||
|
|
||||||
|
# send PROXYv1 header to backend XMPP server
|
||||||
|
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
||||||
|
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
||||||
|
proxy = true
|
||||||
|
|
||||||
|
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
||||||
|
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
||||||
|
# xmpp-proxy will use this many bytes + 16k per connection
|
||||||
|
max_stanza_size_bytes = 262_144
|
||||||
|
|
||||||
|
# TLS key/certificate valid for all your XMPP domains, PEM format
|
||||||
|
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
||||||
|
tls_key = "/etc/certs/rsa/one.example.org.key"
|
||||||
|
tls_cert = "/etc/certs/rsa/one.example.org.crt"
|
||||||
|
|
||||||
|
# configure logging, defaults are commented
|
||||||
|
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
||||||
|
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
||||||
|
#log_level = "info"
|
||||||
|
# for development/debugging:
|
||||||
|
log_level = "info,xmpp_proxy=trace"
|
||||||
|
|
||||||
|
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
||||||
|
#log_style = "never"
|
21
integration/10-client-srv-record-quic/example.org.zone
Normal file
21
integration/10-client-srv-record-quic/example.org.zone
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
$TTL 300
|
||||||
|
; example.org
|
||||||
|
@ IN SOA ns1.example.org. postmaster.example.org. (
|
||||||
|
2018111111 ; Serial
|
||||||
|
28800 ; Refresh
|
||||||
|
1800 ; Retry
|
||||||
|
604800 ; Expire - 1 week
|
||||||
|
86400 ) ; Negative Cache TTL
|
||||||
|
IN NS ns1
|
||||||
|
ns1 IN A 192.5.0.10
|
||||||
|
server1 IN A 192.5.0.20
|
||||||
|
server2 IN A 192.5.0.30
|
||||||
|
xp1 IN A 192.5.0.40
|
||||||
|
xp2 IN A 192.5.0.50
|
||||||
|
xp3 IN A 192.5.0.60
|
||||||
|
|
||||||
|
_xmppq-client._udp.one IN SRV 5 1 5443 xp1
|
||||||
|
_xmppq-client._udp.two IN SRV 5 1 5443 xp1
|
||||||
|
|
||||||
|
scansion.one IN CNAME xp3
|
||||||
|
scansion.two IN CNAME xp3
|
253
integration/10-client-srv-record-quic/prosody1.cfg.lua
Normal file
253
integration/10-client-srv-record-quic/prosody1.cfg.lua
Normal file
@ -0,0 +1,253 @@
|
|||||||
|
--Important for systemd
|
||||||
|
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
||||||
|
daemonize = false
|
||||||
|
run_as_root = true
|
||||||
|
|
||||||
|
pidfile = "/run/prosody/prosody.pid"
|
||||||
|
|
||||||
|
plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
|
||||||
|
|
||||||
|
-- Prosody Example Configuration File
|
||||||
|
--
|
||||||
|
-- Information on configuring Prosody can be found on our
|
||||||
|
-- website at https://prosody.im/doc/configure
|
||||||
|
--
|
||||||
|
-- Tip: You can check that the syntax of this file is correct
|
||||||
|
-- when you have finished by running this command:
|
||||||
|
-- prosodyctl check config
|
||||||
|
-- If there are any errors, it will let you know what and where
|
||||||
|
-- they are, otherwise it will keep quiet.
|
||||||
|
--
|
||||||
|
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
||||||
|
-- blanks. Good luck, and happy Jabbering!
|
||||||
|
|
||||||
|
|
||||||
|
---------- Server-wide settings ----------
|
||||||
|
-- Settings in this section apply to the whole server and are the default settings
|
||||||
|
-- for any virtual hosts
|
||||||
|
|
||||||
|
-- This is a (by default, empty) list of accounts that are admins
|
||||||
|
-- for the server. Note that you must create the accounts separately
|
||||||
|
-- (see https://prosody.im/doc/creating_accounts for info)
|
||||||
|
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
||||||
|
admins = { }
|
||||||
|
|
||||||
|
-- Enable use of libevent for better performance under high load
|
||||||
|
-- For more information see: https://prosody.im/doc/libevent
|
||||||
|
--use_libevent = true
|
||||||
|
|
||||||
|
-- Prosody will always look in its source directory for modules, but
|
||||||
|
-- this option allows you to specify additional locations where Prosody
|
||||||
|
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
||||||
|
--plugin_paths = {}
|
||||||
|
|
||||||
|
-- This is the list of modules Prosody will load on startup.
|
||||||
|
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
||||||
|
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
||||||
|
modules_enabled = {
|
||||||
|
|
||||||
|
-- Generally required
|
||||||
|
"roster"; -- Allow users to have a roster. Recommended ;)
|
||||||
|
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
||||||
|
--"tls"; -- Add support for secure TLS on c2s/s2s connections
|
||||||
|
"dialback"; -- s2s dialback support
|
||||||
|
"disco"; -- Service discovery
|
||||||
|
|
||||||
|
-- Not essential, but recommended
|
||||||
|
"carbons"; -- Keep multiple clients in sync
|
||||||
|
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
||||||
|
"private"; -- Private XML storage (for room bookmarks, etc.)
|
||||||
|
"blocklist"; -- Allow users to block communications with other users
|
||||||
|
"vcard4"; -- User profiles (stored in PEP)
|
||||||
|
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
||||||
|
"limits"; -- Enable bandwidth limiting for XMPP connections
|
||||||
|
|
||||||
|
-- Nice to have
|
||||||
|
"version"; -- Replies to server version requests
|
||||||
|
"uptime"; -- Report how long server has been running
|
||||||
|
"time"; -- Let others know the time here on this server
|
||||||
|
"ping"; -- Replies to XMPP pings with pongs
|
||||||
|
"register"; -- Allow users to register on this server using a client and change passwords
|
||||||
|
--"mam"; -- Store messages in an archive and allow users to access it
|
||||||
|
--"csi_simple"; -- Simple Mobile optimizations
|
||||||
|
|
||||||
|
-- Admin interfaces
|
||||||
|
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
||||||
|
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
||||||
|
|
||||||
|
-- HTTP modules
|
||||||
|
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
||||||
|
--"websocket"; -- XMPP over WebSockets
|
||||||
|
--"http_files"; -- Serve static files from a directory over HTTP
|
||||||
|
|
||||||
|
-- Other specific functionality
|
||||||
|
--"groups"; -- Shared roster support
|
||||||
|
--"server_contact_info"; -- Publish contact information for this service
|
||||||
|
--"announce"; -- Send announcement to all online users
|
||||||
|
--"welcome"; -- Welcome users who register accounts
|
||||||
|
--"watchregistrations"; -- Alert admins of registrations
|
||||||
|
--"motd"; -- Send a message to users when they log in
|
||||||
|
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
||||||
|
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
||||||
|
"net_proxy";
|
||||||
|
"s2s_outgoing_proxy";
|
||||||
|
}
|
||||||
|
|
||||||
|
-- These modules are auto-loaded, but should you want
|
||||||
|
-- to disable them then uncomment them here:
|
||||||
|
modules_disabled = {
|
||||||
|
-- "offline"; -- Store offline messages
|
||||||
|
-- "c2s"; -- Handle client connections
|
||||||
|
-- "s2s"; -- Handle server-to-server connections
|
||||||
|
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Disable account creation by default, for security
|
||||||
|
-- For more information see https://prosody.im/doc/creating_accounts
|
||||||
|
allow_registration = false
|
||||||
|
|
||||||
|
-- we don't need prosody doing any encryption, xmpp-proxy does this now
|
||||||
|
-- these are likely set to true somewhere in your file, find them, make them false
|
||||||
|
-- you can also remove all certificates from your config
|
||||||
|
s2s_require_encryption = false
|
||||||
|
s2s_secure_auth = false
|
||||||
|
|
||||||
|
-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
|
||||||
|
s2s_outgoing_proxy = { "xp1.example.org", 15270 }
|
||||||
|
|
||||||
|
-- handle PROXY protocol on these ports
|
||||||
|
proxy_port_mappings = {
|
||||||
|
[15222] = "c2s",
|
||||||
|
[15269] = "s2s"
|
||||||
|
}
|
||||||
|
|
||||||
|
--[[
|
||||||
|
Specifies a list of trusted hosts or networks which may use the PROXY protocol
|
||||||
|
If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
|
||||||
|
An empty table ({}) can be configured to allow connections from any source.
|
||||||
|
Please read the module documentation about potential security impact.
|
||||||
|
]]--
|
||||||
|
proxy_trusted_proxies = {
|
||||||
|
"192.5.0.40"
|
||||||
|
}
|
||||||
|
|
||||||
|
-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
|
||||||
|
-- you might need to comment these out further down in your config file if you set them
|
||||||
|
c2s_ports = {}
|
||||||
|
legacy_ssl_ports = {}
|
||||||
|
-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
|
||||||
|
s2s_ports = {15268}
|
||||||
|
|
||||||
|
-- Force clients to use encrypted connections? This option will
|
||||||
|
-- prevent clients from authenticating unless they are using encryption.
|
||||||
|
|
||||||
|
c2s_require_encryption = false
|
||||||
|
allow_unencrypted_plain_auth = true
|
||||||
|
|
||||||
|
-- Some servers have invalid or self-signed certificates. You can list
|
||||||
|
-- remote domains here that will not be required to authenticate using
|
||||||
|
-- certificates. They will be authenticated using DNS instead, even
|
||||||
|
-- when s2s_secure_auth is enabled.
|
||||||
|
|
||||||
|
--s2s_insecure_domains = { "insecure.example" }
|
||||||
|
|
||||||
|
-- Even if you disable s2s_secure_auth, you can still require valid
|
||||||
|
-- certificates for some domains by specifying a list here.
|
||||||
|
|
||||||
|
--s2s_secure_domains = { "jabber.org" }
|
||||||
|
|
||||||
|
-- Enable rate limits for incoming client and server connections
|
||||||
|
|
||||||
|
limits = {
|
||||||
|
c2s = {
|
||||||
|
rate = "10kb/s";
|
||||||
|
};
|
||||||
|
s2sin = {
|
||||||
|
rate = "30kb/s";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Select the authentication backend to use. The 'internal' providers
|
||||||
|
-- use Prosody's configured data storage to store the authentication data.
|
||||||
|
|
||||||
|
authentication = "internal_hashed"
|
||||||
|
|
||||||
|
-- Select the storage backend to use. By default Prosody uses flat files
|
||||||
|
-- in its configured data directory, but it also supports more backends
|
||||||
|
-- through modules. An "sql" backend is included by default, but requires
|
||||||
|
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
||||||
|
|
||||||
|
--storage = "sql" -- Default is "internal"
|
||||||
|
|
||||||
|
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
||||||
|
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
||||||
|
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
|
||||||
|
|
||||||
|
-- Archiving configuration
|
||||||
|
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
||||||
|
-- is used to synchronize conversations between multiple clients, even if
|
||||||
|
-- they are offline. This setting controls how long Prosody will keep
|
||||||
|
-- messages in the archive before removing them.
|
||||||
|
|
||||||
|
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
||||||
|
|
||||||
|
-- You can also configure messages to be stored in-memory only. For more
|
||||||
|
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
||||||
|
|
||||||
|
-- Logging configuration
|
||||||
|
-- For advanced logging see https://prosody.im/doc/logging
|
||||||
|
log = {
|
||||||
|
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
||||||
|
-- error = "prosody.err";
|
||||||
|
--info = "*syslog"; -- Uncomment this for logging to syslog
|
||||||
|
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Uncomment to enable statistics
|
||||||
|
-- For more info see https://prosody.im/doc/statistics
|
||||||
|
-- statistics = "internal"
|
||||||
|
|
||||||
|
-- Certificates
|
||||||
|
-- Every virtual host and component needs a certificate so that clients and
|
||||||
|
-- servers can securely verify its identity. Prosody will automatically load
|
||||||
|
-- certificates/keys from the directory specified here.
|
||||||
|
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
||||||
|
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
||||||
|
|
||||||
|
-- Location of directory to find certificates in (relative to main config file):
|
||||||
|
certificates = "certs"
|
||||||
|
|
||||||
|
-- HTTPS currently only supports a single certificate, specify it here:
|
||||||
|
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
||||||
|
|
||||||
|
----------- Virtual hosts -----------
|
||||||
|
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
||||||
|
-- Settings under each VirtualHost entry apply *only* to that host.
|
||||||
|
|
||||||
|
VirtualHost "one.example.org"
|
||||||
|
|
||||||
|
VirtualHost "two.example.org"
|
||||||
|
|
||||||
|
--VirtualHost "example.com"
|
||||||
|
-- certificate = "/path/to/example.crt"
|
||||||
|
|
||||||
|
------ Components ------
|
||||||
|
-- You can specify components to add hosts that provide special services,
|
||||||
|
-- like multi-user conferences, and transports.
|
||||||
|
-- For more information on components, see https://prosody.im/doc/components
|
||||||
|
|
||||||
|
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
||||||
|
--Component "conference.example.com" "muc"
|
||||||
|
--- Store MUC messages in an archive and allow users to access it
|
||||||
|
--modules_enabled = { "muc_mam" }
|
||||||
|
|
||||||
|
---Set up an external component (default component port is 5347)
|
||||||
|
--
|
||||||
|
-- External components allow adding various services, such as gateways/
|
||||||
|
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
||||||
|
-- see: https://prosody.im/doc/components#adding_an_external_component
|
||||||
|
--
|
||||||
|
--Component "gateway.example.com"
|
||||||
|
-- component_secret = "password"
|
44
integration/10-client-srv-record-quic/xmpp-proxy1.toml
Normal file
44
integration/10-client-srv-record-quic/xmpp-proxy1.toml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
|
||||||
|
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
||||||
|
incoming_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
||||||
|
quic_listen = [ "0.0.0.0:5443" ]
|
||||||
|
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
||||||
|
websocket_listen = [ ]
|
||||||
|
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
||||||
|
outgoing_listen = [ ]
|
||||||
|
|
||||||
|
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
||||||
|
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
||||||
|
|
||||||
|
# c2s port backend XMPP server listens on
|
||||||
|
c2s_target = "192.5.0.20:15222"
|
||||||
|
|
||||||
|
# s2s port backend XMPP server listens on
|
||||||
|
s2s_target = "192.5.0.20:15269"
|
||||||
|
|
||||||
|
# send PROXYv1 header to backend XMPP server
|
||||||
|
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
||||||
|
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
||||||
|
proxy = true
|
||||||
|
|
||||||
|
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
||||||
|
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
||||||
|
# xmpp-proxy will use this many bytes + 16k per connection
|
||||||
|
max_stanza_size_bytes = 262_144
|
||||||
|
|
||||||
|
# TLS key/certificate valid for all your XMPP domains, PEM format
|
||||||
|
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
||||||
|
tls_key = "/etc/prosody/certs/wildcard.key"
|
||||||
|
tls_cert = "/etc/prosody/certs/wildcard.crt"
|
||||||
|
|
||||||
|
# configure logging, defaults are commented
|
||||||
|
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
||||||
|
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
||||||
|
#log_level = "info"
|
||||||
|
# for development/debugging:
|
||||||
|
log_level = "info,xmpp_proxy=trace"
|
||||||
|
|
||||||
|
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
||||||
|
#log_style = "never"
|
44
integration/10-client-srv-record-quic/xmpp-proxy3.toml
Normal file
44
integration/10-client-srv-record-quic/xmpp-proxy3.toml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
|
||||||
|
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
||||||
|
incoming_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
||||||
|
quic_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
||||||
|
websocket_listen = [ ]
|
||||||
|
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
||||||
|
outgoing_listen = [ "0.0.0.0:5222" ]
|
||||||
|
|
||||||
|
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
||||||
|
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
||||||
|
|
||||||
|
# c2s port backend XMPP server listens on
|
||||||
|
c2s_target = "127.0.0.1:15222"
|
||||||
|
|
||||||
|
# s2s port backend XMPP server listens on
|
||||||
|
s2s_target = "127.0.0.1:15269"
|
||||||
|
|
||||||
|
# send PROXYv1 header to backend XMPP server
|
||||||
|
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
||||||
|
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
||||||
|
proxy = true
|
||||||
|
|
||||||
|
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
||||||
|
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
||||||
|
# xmpp-proxy will use this many bytes + 16k per connection
|
||||||
|
max_stanza_size_bytes = 262_144
|
||||||
|
|
||||||
|
# TLS key/certificate valid for all your XMPP domains, PEM format
|
||||||
|
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
||||||
|
tls_key = "/etc/certs/rsa/one.example.org.key"
|
||||||
|
tls_cert = "/etc/certs/rsa/one.example.org.crt"
|
||||||
|
|
||||||
|
# configure logging, defaults are commented
|
||||||
|
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
||||||
|
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
||||||
|
#log_level = "info"
|
||||||
|
# for development/debugging:
|
||||||
|
log_level = "info,xmpp_proxy=trace"
|
||||||
|
|
||||||
|
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
||||||
|
#log_style = "never"
|
23
integration/11-c2s-websocket/example.org.zone
Normal file
23
integration/11-c2s-websocket/example.org.zone
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
$TTL 300
|
||||||
|
; example.org
|
||||||
|
@ IN SOA ns1.example.org. postmaster.example.org. (
|
||||||
|
2018111111 ; Serial
|
||||||
|
28800 ; Refresh
|
||||||
|
1800 ; Retry
|
||||||
|
604800 ; Expire - 1 week
|
||||||
|
86400 ) ; Negative Cache TTL
|
||||||
|
IN NS ns1
|
||||||
|
ns1 IN A 192.5.0.10
|
||||||
|
server1 IN A 192.5.0.20
|
||||||
|
server2 IN A 192.5.0.30
|
||||||
|
xp1 IN A 192.5.0.40
|
||||||
|
xp2 IN A 192.5.0.50
|
||||||
|
xp3 IN A 192.5.0.60
|
||||||
|
|
||||||
|
one IN CNAME xp1
|
||||||
|
two IN CNAME xp1
|
||||||
|
_xmppconnect.one IN TXT "_xmpp-client-websocket=wss://one.example.org:5281/xmpp-websocket"
|
||||||
|
_xmppconnect.two IN TXT "_xmpp-client-websocket=wss://two.example.org:5281/xmpp-websocket"
|
||||||
|
|
||||||
|
scansion.one IN CNAME xp3
|
||||||
|
scansion.two IN CNAME xp3
|
253
integration/11-c2s-websocket/prosody1.cfg.lua
Normal file
253
integration/11-c2s-websocket/prosody1.cfg.lua
Normal file
@ -0,0 +1,253 @@
|
|||||||
|
--Important for systemd
|
||||||
|
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
||||||
|
daemonize = false
|
||||||
|
run_as_root = true
|
||||||
|
|
||||||
|
pidfile = "/run/prosody/prosody.pid"
|
||||||
|
|
||||||
|
plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
|
||||||
|
|
||||||
|
-- Prosody Example Configuration File
|
||||||
|
--
|
||||||
|
-- Information on configuring Prosody can be found on our
|
||||||
|
-- website at https://prosody.im/doc/configure
|
||||||
|
--
|
||||||
|
-- Tip: You can check that the syntax of this file is correct
|
||||||
|
-- when you have finished by running this command:
|
||||||
|
-- prosodyctl check config
|
||||||
|
-- If there are any errors, it will let you know what and where
|
||||||
|
-- they are, otherwise it will keep quiet.
|
||||||
|
--
|
||||||
|
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
||||||
|
-- blanks. Good luck, and happy Jabbering!
|
||||||
|
|
||||||
|
|
||||||
|
---------- Server-wide settings ----------
|
||||||
|
-- Settings in this section apply to the whole server and are the default settings
|
||||||
|
-- for any virtual hosts
|
||||||
|
|
||||||
|
-- This is a (by default, empty) list of accounts that are admins
|
||||||
|
-- for the server. Note that you must create the accounts separately
|
||||||
|
-- (see https://prosody.im/doc/creating_accounts for info)
|
||||||
|
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
||||||
|
admins = { }
|
||||||
|
|
||||||
|
-- Enable use of libevent for better performance under high load
|
||||||
|
-- For more information see: https://prosody.im/doc/libevent
|
||||||
|
--use_libevent = true
|
||||||
|
|
||||||
|
-- Prosody will always look in its source directory for modules, but
|
||||||
|
-- this option allows you to specify additional locations where Prosody
|
||||||
|
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
||||||
|
--plugin_paths = {}
|
||||||
|
|
||||||
|
-- This is the list of modules Prosody will load on startup.
|
||||||
|
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
||||||
|
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
||||||
|
modules_enabled = {
|
||||||
|
|
||||||
|
-- Generally required
|
||||||
|
"roster"; -- Allow users to have a roster. Recommended ;)
|
||||||
|
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
||||||
|
--"tls"; -- Add support for secure TLS on c2s/s2s connections
|
||||||
|
"dialback"; -- s2s dialback support
|
||||||
|
"disco"; -- Service discovery
|
||||||
|
|
||||||
|
-- Not essential, but recommended
|
||||||
|
"carbons"; -- Keep multiple clients in sync
|
||||||
|
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
||||||
|
"private"; -- Private XML storage (for room bookmarks, etc.)
|
||||||
|
"blocklist"; -- Allow users to block communications with other users
|
||||||
|
"vcard4"; -- User profiles (stored in PEP)
|
||||||
|
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
||||||
|
"limits"; -- Enable bandwidth limiting for XMPP connections
|
||||||
|
|
||||||
|
-- Nice to have
|
||||||
|
"version"; -- Replies to server version requests
|
||||||
|
"uptime"; -- Report how long server has been running
|
||||||
|
"time"; -- Let others know the time here on this server
|
||||||
|
"ping"; -- Replies to XMPP pings with pongs
|
||||||
|
"register"; -- Allow users to register on this server using a client and change passwords
|
||||||
|
--"mam"; -- Store messages in an archive and allow users to access it
|
||||||
|
--"csi_simple"; -- Simple Mobile optimizations
|
||||||
|
|
||||||
|
-- Admin interfaces
|
||||||
|
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
||||||
|
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
||||||
|
|
||||||
|
-- HTTP modules
|
||||||
|
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
||||||
|
--"websocket"; -- XMPP over WebSockets
|
||||||
|
--"http_files"; -- Serve static files from a directory over HTTP
|
||||||
|
|
||||||
|
-- Other specific functionality
|
||||||
|
--"groups"; -- Shared roster support
|
||||||
|
--"server_contact_info"; -- Publish contact information for this service
|
||||||
|
--"announce"; -- Send announcement to all online users
|
||||||
|
--"welcome"; -- Welcome users who register accounts
|
||||||
|
--"watchregistrations"; -- Alert admins of registrations
|
||||||
|
--"motd"; -- Send a message to users when they log in
|
||||||
|
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
||||||
|
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
||||||
|
"net_proxy";
|
||||||
|
"s2s_outgoing_proxy";
|
||||||
|
}
|
||||||
|
|
||||||
|
-- These modules are auto-loaded, but should you want
|
||||||
|
-- to disable them then uncomment them here:
|
||||||
|
modules_disabled = {
|
||||||
|
-- "offline"; -- Store offline messages
|
||||||
|
-- "c2s"; -- Handle client connections
|
||||||
|
-- "s2s"; -- Handle server-to-server connections
|
||||||
|
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Disable account creation by default, for security
|
||||||
|
-- For more information see https://prosody.im/doc/creating_accounts
|
||||||
|
allow_registration = false
|
||||||
|
|
||||||
|
-- we don't need prosody doing any encryption, xmpp-proxy does this now
|
||||||
|
-- these are likely set to true somewhere in your file, find them, make them false
|
||||||
|
-- you can also remove all certificates from your config
|
||||||
|
s2s_require_encryption = false
|
||||||
|
s2s_secure_auth = false
|
||||||
|
|
||||||
|
-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
|
||||||
|
s2s_outgoing_proxy = { "xp1.example.org", 15270 }
|
||||||
|
|
||||||
|
-- handle PROXY protocol on these ports
|
||||||
|
proxy_port_mappings = {
|
||||||
|
[15222] = "c2s",
|
||||||
|
[15269] = "s2s"
|
||||||
|
}
|
||||||
|
|
||||||
|
--[[
|
||||||
|
Specifies a list of trusted hosts or networks which may use the PROXY protocol
|
||||||
|
If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
|
||||||
|
An empty table ({}) can be configured to allow connections from any source.
|
||||||
|
Please read the module documentation about potential security impact.
|
||||||
|
]]--
|
||||||
|
proxy_trusted_proxies = {
|
||||||
|
"192.5.0.40"
|
||||||
|
}
|
||||||
|
|
||||||
|
-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
|
||||||
|
-- you might need to comment these out further down in your config file if you set them
|
||||||
|
c2s_ports = {}
|
||||||
|
legacy_ssl_ports = {}
|
||||||
|
-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
|
||||||
|
s2s_ports = {15268}
|
||||||
|
|
||||||
|
-- Force clients to use encrypted connections? This option will
|
||||||
|
-- prevent clients from authenticating unless they are using encryption.
|
||||||
|
|
||||||
|
c2s_require_encryption = false
|
||||||
|
allow_unencrypted_plain_auth = true
|
||||||
|
|
||||||
|
-- Some servers have invalid or self-signed certificates. You can list
|
||||||
|
-- remote domains here that will not be required to authenticate using
|
||||||
|
-- certificates. They will be authenticated using DNS instead, even
|
||||||
|
-- when s2s_secure_auth is enabled.
|
||||||
|
|
||||||
|
--s2s_insecure_domains = { "insecure.example" }
|
||||||
|
|
||||||
|
-- Even if you disable s2s_secure_auth, you can still require valid
|
||||||
|
-- certificates for some domains by specifying a list here.
|
||||||
|
|
||||||
|
--s2s_secure_domains = { "jabber.org" }
|
||||||
|
|
||||||
|
-- Enable rate limits for incoming client and server connections
|
||||||
|
|
||||||
|
limits = {
|
||||||
|
c2s = {
|
||||||
|
rate = "10kb/s";
|
||||||
|
};
|
||||||
|
s2sin = {
|
||||||
|
rate = "30kb/s";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Select the authentication backend to use. The 'internal' providers
|
||||||
|
-- use Prosody's configured data storage to store the authentication data.
|
||||||
|
|
||||||
|
authentication = "internal_hashed"
|
||||||
|
|
||||||
|
-- Select the storage backend to use. By default Prosody uses flat files
|
||||||
|
-- in its configured data directory, but it also supports more backends
|
||||||
|
-- through modules. An "sql" backend is included by default, but requires
|
||||||
|
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
||||||
|
|
||||||
|
--storage = "sql" -- Default is "internal"
|
||||||
|
|
||||||
|
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
||||||
|
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
||||||
|
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
|
||||||
|
|
||||||
|
-- Archiving configuration
|
||||||
|
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
||||||
|
-- is used to synchronize conversations between multiple clients, even if
|
||||||
|
-- they are offline. This setting controls how long Prosody will keep
|
||||||
|
-- messages in the archive before removing them.
|
||||||
|
|
||||||
|
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
||||||
|
|
||||||
|
-- You can also configure messages to be stored in-memory only. For more
|
||||||
|
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
||||||
|
|
||||||
|
-- Logging configuration
|
||||||
|
-- For advanced logging see https://prosody.im/doc/logging
|
||||||
|
log = {
|
||||||
|
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
||||||
|
-- error = "prosody.err";
|
||||||
|
--info = "*syslog"; -- Uncomment this for logging to syslog
|
||||||
|
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Uncomment to enable statistics
|
||||||
|
-- For more info see https://prosody.im/doc/statistics
|
||||||
|
-- statistics = "internal"
|
||||||
|
|
||||||
|
-- Certificates
|
||||||
|
-- Every virtual host and component needs a certificate so that clients and
|
||||||
|
-- servers can securely verify its identity. Prosody will automatically load
|
||||||
|
-- certificates/keys from the directory specified here.
|
||||||
|
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
||||||
|
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
||||||
|
|
||||||
|
-- Location of directory to find certificates in (relative to main config file):
|
||||||
|
certificates = "certs"
|
||||||
|
|
||||||
|
-- HTTPS currently only supports a single certificate, specify it here:
|
||||||
|
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
||||||
|
|
||||||
|
----------- Virtual hosts -----------
|
||||||
|
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
||||||
|
-- Settings under each VirtualHost entry apply *only* to that host.
|
||||||
|
|
||||||
|
VirtualHost "one.example.org"
|
||||||
|
|
||||||
|
VirtualHost "two.example.org"
|
||||||
|
|
||||||
|
--VirtualHost "example.com"
|
||||||
|
-- certificate = "/path/to/example.crt"
|
||||||
|
|
||||||
|
------ Components ------
|
||||||
|
-- You can specify components to add hosts that provide special services,
|
||||||
|
-- like multi-user conferences, and transports.
|
||||||
|
-- For more information on components, see https://prosody.im/doc/components
|
||||||
|
|
||||||
|
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
||||||
|
--Component "conference.example.com" "muc"
|
||||||
|
--- Store MUC messages in an archive and allow users to access it
|
||||||
|
--modules_enabled = { "muc_mam" }
|
||||||
|
|
||||||
|
---Set up an external component (default component port is 5347)
|
||||||
|
--
|
||||||
|
-- External components allow adding various services, such as gateways/
|
||||||
|
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
||||||
|
-- see: https://prosody.im/doc/components#adding_an_external_component
|
||||||
|
--
|
||||||
|
--Component "gateway.example.com"
|
||||||
|
-- component_secret = "password"
|
44
integration/11-c2s-websocket/xmpp-proxy1.toml
Normal file
44
integration/11-c2s-websocket/xmpp-proxy1.toml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
|
||||||
|
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
||||||
|
incoming_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
||||||
|
quic_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
||||||
|
websocket_listen = [ "0.0.0.0:5281" ]
|
||||||
|
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
||||||
|
outgoing_listen = [ ]
|
||||||
|
|
||||||
|
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
||||||
|
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
||||||
|
|
||||||
|
# c2s port backend XMPP server listens on
|
||||||
|
c2s_target = "192.5.0.20:15222"
|
||||||
|
|
||||||
|
# s2s port backend XMPP server listens on
|
||||||
|
s2s_target = "192.5.0.20:15269"
|
||||||
|
|
||||||
|
# send PROXYv1 header to backend XMPP server
|
||||||
|
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
||||||
|
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
||||||
|
proxy = true
|
||||||
|
|
||||||
|
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
||||||
|
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
||||||
|
# xmpp-proxy will use this many bytes + 16k per connection
|
||||||
|
max_stanza_size_bytes = 262_144
|
||||||
|
|
||||||
|
# TLS key/certificate valid for all your XMPP domains, PEM format
|
||||||
|
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
||||||
|
tls_key = "/etc/prosody/certs/wildcard.key"
|
||||||
|
tls_cert = "/etc/prosody/certs/wildcard.crt"
|
||||||
|
|
||||||
|
# configure logging, defaults are commented
|
||||||
|
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
||||||
|
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
||||||
|
#log_level = "info"
|
||||||
|
# for development/debugging:
|
||||||
|
log_level = "info,xmpp_proxy=trace"
|
||||||
|
|
||||||
|
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
||||||
|
#log_style = "never"
|
44
integration/11-c2s-websocket/xmpp-proxy3.toml
Normal file
44
integration/11-c2s-websocket/xmpp-proxy3.toml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
|
||||||
|
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
||||||
|
incoming_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
||||||
|
quic_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
||||||
|
websocket_listen = [ ]
|
||||||
|
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
||||||
|
outgoing_listen = [ "0.0.0.0:5222" ]
|
||||||
|
|
||||||
|
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
||||||
|
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
||||||
|
|
||||||
|
# c2s port backend XMPP server listens on
|
||||||
|
c2s_target = "127.0.0.1:15222"
|
||||||
|
|
||||||
|
# s2s port backend XMPP server listens on
|
||||||
|
s2s_target = "127.0.0.1:15269"
|
||||||
|
|
||||||
|
# send PROXYv1 header to backend XMPP server
|
||||||
|
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
||||||
|
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
||||||
|
proxy = true
|
||||||
|
|
||||||
|
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
||||||
|
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
||||||
|
# xmpp-proxy will use this many bytes + 16k per connection
|
||||||
|
max_stanza_size_bytes = 262_144
|
||||||
|
|
||||||
|
# TLS key/certificate valid for all your XMPP domains, PEM format
|
||||||
|
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
||||||
|
tls_key = "/etc/certs/rsa/one.example.org.key"
|
||||||
|
tls_cert = "/etc/certs/rsa/one.example.org.crt"
|
||||||
|
|
||||||
|
# configure logging, defaults are commented
|
||||||
|
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
||||||
|
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
||||||
|
#log_level = "info"
|
||||||
|
# for development/debugging:
|
||||||
|
log_level = "info,xmpp_proxy=trace"
|
||||||
|
|
||||||
|
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
||||||
|
#log_style = "never"
|
21
integration/12-s2s-a-record-starttls/example.org.zone
Normal file
21
integration/12-s2s-a-record-starttls/example.org.zone
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
$TTL 300
|
||||||
|
; example.org
|
||||||
|
@ IN SOA ns1.example.org. postmaster.example.org. (
|
||||||
|
2018111111 ; Serial
|
||||||
|
28800 ; Refresh
|
||||||
|
1800 ; Retry
|
||||||
|
604800 ; Expire - 1 week
|
||||||
|
86400 ) ; Negative Cache TTL
|
||||||
|
IN NS ns1
|
||||||
|
ns1 IN A 192.5.0.10
|
||||||
|
server1 IN A 192.5.0.20
|
||||||
|
server2 IN A 192.5.0.30
|
||||||
|
xp1 IN A 192.5.0.40
|
||||||
|
xp2 IN A 192.5.0.50
|
||||||
|
xp3 IN A 192.5.0.60
|
||||||
|
|
||||||
|
one IN CNAME xp1
|
||||||
|
two IN CNAME xp2
|
||||||
|
|
||||||
|
scansion.one IN CNAME xp3
|
||||||
|
scansion.two IN CNAME xp3
|
251
integration/12-s2s-a-record-starttls/prosody1.cfg.lua
Normal file
251
integration/12-s2s-a-record-starttls/prosody1.cfg.lua
Normal file
@ -0,0 +1,251 @@
|
|||||||
|
--Important for systemd
|
||||||
|
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
||||||
|
daemonize = false
|
||||||
|
run_as_root = true
|
||||||
|
|
||||||
|
pidfile = "/run/prosody/prosody.pid"
|
||||||
|
|
||||||
|
plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
|
||||||
|
|
||||||
|
-- Prosody Example Configuration File
|
||||||
|
--
|
||||||
|
-- Information on configuring Prosody can be found on our
|
||||||
|
-- website at https://prosody.im/doc/configure
|
||||||
|
--
|
||||||
|
-- Tip: You can check that the syntax of this file is correct
|
||||||
|
-- when you have finished by running this command:
|
||||||
|
-- prosodyctl check config
|
||||||
|
-- If there are any errors, it will let you know what and where
|
||||||
|
-- they are, otherwise it will keep quiet.
|
||||||
|
--
|
||||||
|
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
||||||
|
-- blanks. Good luck, and happy Jabbering!
|
||||||
|
|
||||||
|
|
||||||
|
---------- Server-wide settings ----------
|
||||||
|
-- Settings in this section apply to the whole server and are the default settings
|
||||||
|
-- for any virtual hosts
|
||||||
|
|
||||||
|
-- This is a (by default, empty) list of accounts that are admins
|
||||||
|
-- for the server. Note that you must create the accounts separately
|
||||||
|
-- (see https://prosody.im/doc/creating_accounts for info)
|
||||||
|
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
||||||
|
admins = { }
|
||||||
|
|
||||||
|
-- Enable use of libevent for better performance under high load
|
||||||
|
-- For more information see: https://prosody.im/doc/libevent
|
||||||
|
--use_libevent = true
|
||||||
|
|
||||||
|
-- Prosody will always look in its source directory for modules, but
|
||||||
|
-- this option allows you to specify additional locations where Prosody
|
||||||
|
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
||||||
|
--plugin_paths = {}
|
||||||
|
|
||||||
|
-- This is the list of modules Prosody will load on startup.
|
||||||
|
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
||||||
|
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
||||||
|
modules_enabled = {
|
||||||
|
|
||||||
|
-- Generally required
|
||||||
|
"roster"; -- Allow users to have a roster. Recommended ;)
|
||||||
|
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
||||||
|
--"tls"; -- Add support for secure TLS on c2s/s2s connections
|
||||||
|
"dialback"; -- s2s dialback support
|
||||||
|
"disco"; -- Service discovery
|
||||||
|
|
||||||
|
-- Not essential, but recommended
|
||||||
|
"carbons"; -- Keep multiple clients in sync
|
||||||
|
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
||||||
|
"private"; -- Private XML storage (for room bookmarks, etc.)
|
||||||
|
"blocklist"; -- Allow users to block communications with other users
|
||||||
|
"vcard4"; -- User profiles (stored in PEP)
|
||||||
|
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
||||||
|
"limits"; -- Enable bandwidth limiting for XMPP connections
|
||||||
|
|
||||||
|
-- Nice to have
|
||||||
|
"version"; -- Replies to server version requests
|
||||||
|
"uptime"; -- Report how long server has been running
|
||||||
|
"time"; -- Let others know the time here on this server
|
||||||
|
"ping"; -- Replies to XMPP pings with pongs
|
||||||
|
"register"; -- Allow users to register on this server using a client and change passwords
|
||||||
|
--"mam"; -- Store messages in an archive and allow users to access it
|
||||||
|
--"csi_simple"; -- Simple Mobile optimizations
|
||||||
|
|
||||||
|
-- Admin interfaces
|
||||||
|
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
||||||
|
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
||||||
|
|
||||||
|
-- HTTP modules
|
||||||
|
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
||||||
|
--"websocket"; -- XMPP over WebSockets
|
||||||
|
--"http_files"; -- Serve static files from a directory over HTTP
|
||||||
|
|
||||||
|
-- Other specific functionality
|
||||||
|
--"groups"; -- Shared roster support
|
||||||
|
--"server_contact_info"; -- Publish contact information for this service
|
||||||
|
--"announce"; -- Send announcement to all online users
|
||||||
|
--"welcome"; -- Welcome users who register accounts
|
||||||
|
--"watchregistrations"; -- Alert admins of registrations
|
||||||
|
--"motd"; -- Send a message to users when they log in
|
||||||
|
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
||||||
|
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
||||||
|
"net_proxy";
|
||||||
|
"s2s_outgoing_proxy";
|
||||||
|
}
|
||||||
|
|
||||||
|
-- These modules are auto-loaded, but should you want
|
||||||
|
-- to disable them then uncomment them here:
|
||||||
|
modules_disabled = {
|
||||||
|
-- "offline"; -- Store offline messages
|
||||||
|
-- "c2s"; -- Handle client connections
|
||||||
|
-- "s2s"; -- Handle server-to-server connections
|
||||||
|
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Disable account creation by default, for security
|
||||||
|
-- For more information see https://prosody.im/doc/creating_accounts
|
||||||
|
allow_registration = false
|
||||||
|
|
||||||
|
-- we don't need prosody doing any encryption, xmpp-proxy does this now
|
||||||
|
-- these are likely set to true somewhere in your file, find them, make them false
|
||||||
|
-- you can also remove all certificates from your config
|
||||||
|
s2s_require_encryption = false
|
||||||
|
s2s_secure_auth = false
|
||||||
|
|
||||||
|
-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
|
||||||
|
s2s_outgoing_proxy = { "192.5.0.40", 15270 }
|
||||||
|
|
||||||
|
-- handle PROXY protocol on these ports
|
||||||
|
proxy_port_mappings = {
|
||||||
|
[15222] = "c2s",
|
||||||
|
[15269] = "s2s"
|
||||||
|
}
|
||||||
|
|
||||||
|
--[[
|
||||||
|
Specifies a list of trusted hosts or networks which may use the PROXY protocol
|
||||||
|
If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
|
||||||
|
An empty table ({}) can be configured to allow connections from any source.
|
||||||
|
Please read the module documentation about potential security impact.
|
||||||
|
]]--
|
||||||
|
proxy_trusted_proxies = {
|
||||||
|
"192.5.0.40"
|
||||||
|
}
|
||||||
|
|
||||||
|
-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
|
||||||
|
-- you might need to comment these out further down in your config file if you set them
|
||||||
|
c2s_ports = {}
|
||||||
|
legacy_ssl_ports = {}
|
||||||
|
-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
|
||||||
|
s2s_ports = {15268}
|
||||||
|
|
||||||
|
-- Force clients to use encrypted connections? This option will
|
||||||
|
-- prevent clients from authenticating unless they are using encryption.
|
||||||
|
|
||||||
|
c2s_require_encryption = false
|
||||||
|
allow_unencrypted_plain_auth = true
|
||||||
|
|
||||||
|
-- Some servers have invalid or self-signed certificates. You can list
|
||||||
|
-- remote domains here that will not be required to authenticate using
|
||||||
|
-- certificates. They will be authenticated using DNS instead, even
|
||||||
|
-- when s2s_secure_auth is enabled.
|
||||||
|
|
||||||
|
--s2s_insecure_domains = { "insecure.example" }
|
||||||
|
|
||||||
|
-- Even if you disable s2s_secure_auth, you can still require valid
|
||||||
|
-- certificates for some domains by specifying a list here.
|
||||||
|
|
||||||
|
--s2s_secure_domains = { "jabber.org" }
|
||||||
|
|
||||||
|
-- Enable rate limits for incoming client and server connections
|
||||||
|
|
||||||
|
limits = {
|
||||||
|
c2s = {
|
||||||
|
rate = "10kb/s";
|
||||||
|
};
|
||||||
|
s2sin = {
|
||||||
|
rate = "30kb/s";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Select the authentication backend to use. The 'internal' providers
|
||||||
|
-- use Prosody's configured data storage to store the authentication data.
|
||||||
|
|
||||||
|
authentication = "internal_hashed"
|
||||||
|
|
||||||
|
-- Select the storage backend to use. By default Prosody uses flat files
|
||||||
|
-- in its configured data directory, but it also supports more backends
|
||||||
|
-- through modules. An "sql" backend is included by default, but requires
|
||||||
|
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
||||||
|
|
||||||
|
--storage = "sql" -- Default is "internal"
|
||||||
|
|
||||||
|
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
||||||
|
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
||||||
|
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
|
||||||
|
|
||||||
|
-- Archiving configuration
|
||||||
|
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
||||||
|
-- is used to synchronize conversations between multiple clients, even if
|
||||||
|
-- they are offline. This setting controls how long Prosody will keep
|
||||||
|
-- messages in the archive before removing them.
|
||||||
|
|
||||||
|
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
||||||
|
|
||||||
|
-- You can also configure messages to be stored in-memory only. For more
|
||||||
|
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
||||||
|
|
||||||
|
-- Logging configuration
|
||||||
|
-- For advanced logging see https://prosody.im/doc/logging
|
||||||
|
log = {
|
||||||
|
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
||||||
|
-- error = "prosody.err";
|
||||||
|
--info = "*syslog"; -- Uncomment this for logging to syslog
|
||||||
|
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Uncomment to enable statistics
|
||||||
|
-- For more info see https://prosody.im/doc/statistics
|
||||||
|
-- statistics = "internal"
|
||||||
|
|
||||||
|
-- Certificates
|
||||||
|
-- Every virtual host and component needs a certificate so that clients and
|
||||||
|
-- servers can securely verify its identity. Prosody will automatically load
|
||||||
|
-- certificates/keys from the directory specified here.
|
||||||
|
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
||||||
|
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
||||||
|
|
||||||
|
-- Location of directory to find certificates in (relative to main config file):
|
||||||
|
certificates = "certs"
|
||||||
|
|
||||||
|
-- HTTPS currently only supports a single certificate, specify it here:
|
||||||
|
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
||||||
|
|
||||||
|
----------- Virtual hosts -----------
|
||||||
|
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
||||||
|
-- Settings under each VirtualHost entry apply *only* to that host.
|
||||||
|
|
||||||
|
VirtualHost "one.example.org"
|
||||||
|
|
||||||
|
--VirtualHost "example.com"
|
||||||
|
-- certificate = "/path/to/example.crt"
|
||||||
|
|
||||||
|
------ Components ------
|
||||||
|
-- You can specify components to add hosts that provide special services,
|
||||||
|
-- like multi-user conferences, and transports.
|
||||||
|
-- For more information on components, see https://prosody.im/doc/components
|
||||||
|
|
||||||
|
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
||||||
|
--Component "conference.example.com" "muc"
|
||||||
|
--- Store MUC messages in an archive and allow users to access it
|
||||||
|
--modules_enabled = { "muc_mam" }
|
||||||
|
|
||||||
|
---Set up an external component (default component port is 5347)
|
||||||
|
--
|
||||||
|
-- External components allow adding various services, such as gateways/
|
||||||
|
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
||||||
|
-- see: https://prosody.im/doc/components#adding_an_external_component
|
||||||
|
--
|
||||||
|
--Component "gateway.example.com"
|
||||||
|
-- component_secret = "password"
|
251
integration/12-s2s-a-record-starttls/prosody2.cfg.lua
Normal file
251
integration/12-s2s-a-record-starttls/prosody2.cfg.lua
Normal file
@ -0,0 +1,251 @@
|
|||||||
|
--Important for systemd
|
||||||
|
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
||||||
|
daemonize = false
|
||||||
|
run_as_root = true
|
||||||
|
|
||||||
|
pidfile = "/run/prosody/prosody.pid"
|
||||||
|
|
||||||
|
plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
|
||||||
|
|
||||||
|
-- Prosody Example Configuration File
|
||||||
|
--
|
||||||
|
-- Information on configuring Prosody can be found on our
|
||||||
|
-- website at https://prosody.im/doc/configure
|
||||||
|
--
|
||||||
|
-- Tip: You can check that the syntax of this file is correct
|
||||||
|
-- when you have finished by running this command:
|
||||||
|
-- prosodyctl check config
|
||||||
|
-- If there are any errors, it will let you know what and where
|
||||||
|
-- they are, otherwise it will keep quiet.
|
||||||
|
--
|
||||||
|
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
||||||
|
-- blanks. Good luck, and happy Jabbering!
|
||||||
|
|
||||||
|
|
||||||
|
---------- Server-wide settings ----------
|
||||||
|
-- Settings in this section apply to the whole server and are the default settings
|
||||||
|
-- for any virtual hosts
|
||||||
|
|
||||||
|
-- This is a (by default, empty) list of accounts that are admins
|
||||||
|
-- for the server. Note that you must create the accounts separately
|
||||||
|
-- (see https://prosody.im/doc/creating_accounts for info)
|
||||||
|
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
||||||
|
admins = { }
|
||||||
|
|
||||||
|
-- Enable use of libevent for better performance under high load
|
||||||
|
-- For more information see: https://prosody.im/doc/libevent
|
||||||
|
--use_libevent = true
|
||||||
|
|
||||||
|
-- Prosody will always look in its source directory for modules, but
|
||||||
|
-- this option allows you to specify additional locations where Prosody
|
||||||
|
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
||||||
|
--plugin_paths = {}
|
||||||
|
|
||||||
|
-- This is the list of modules Prosody will load on startup.
|
||||||
|
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
||||||
|
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
||||||
|
modules_enabled = {
|
||||||
|
|
||||||
|
-- Generally required
|
||||||
|
"roster"; -- Allow users to have a roster. Recommended ;)
|
||||||
|
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
||||||
|
--"tls"; -- Add support for secure TLS on c2s/s2s connections
|
||||||
|
"dialback"; -- s2s dialback support
|
||||||
|
"disco"; -- Service discovery
|
||||||
|
|
||||||
|
-- Not essential, but recommended
|
||||||
|
"carbons"; -- Keep multiple clients in sync
|
||||||
|
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
||||||
|
"private"; -- Private XML storage (for room bookmarks, etc.)
|
||||||
|
"blocklist"; -- Allow users to block communications with other users
|
||||||
|
"vcard4"; -- User profiles (stored in PEP)
|
||||||
|
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
||||||
|
"limits"; -- Enable bandwidth limiting for XMPP connections
|
||||||
|
|
||||||
|
-- Nice to have
|
||||||
|
"version"; -- Replies to server version requests
|
||||||
|
"uptime"; -- Report how long server has been running
|
||||||
|
"time"; -- Let others know the time here on this server
|
||||||
|
"ping"; -- Replies to XMPP pings with pongs
|
||||||
|
"register"; -- Allow users to register on this server using a client and change passwords
|
||||||
|
--"mam"; -- Store messages in an archive and allow users to access it
|
||||||
|
--"csi_simple"; -- Simple Mobile optimizations
|
||||||
|
|
||||||
|
-- Admin interfaces
|
||||||
|
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
||||||
|
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
||||||
|
|
||||||
|
-- HTTP modules
|
||||||
|
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
||||||
|
--"websocket"; -- XMPP over WebSockets
|
||||||
|
--"http_files"; -- Serve static files from a directory over HTTP
|
||||||
|
|
||||||
|
-- Other specific functionality
|
||||||
|
--"groups"; -- Shared roster support
|
||||||
|
--"server_contact_info"; -- Publish contact information for this service
|
||||||
|
--"announce"; -- Send announcement to all online users
|
||||||
|
--"welcome"; -- Welcome users who register accounts
|
||||||
|
--"watchregistrations"; -- Alert admins of registrations
|
||||||
|
--"motd"; -- Send a message to users when they log in
|
||||||
|
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
||||||
|
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
||||||
|
"net_proxy";
|
||||||
|
"s2s_outgoing_proxy";
|
||||||
|
}
|
||||||
|
|
||||||
|
-- These modules are auto-loaded, but should you want
|
||||||
|
-- to disable them then uncomment them here:
|
||||||
|
modules_disabled = {
|
||||||
|
-- "offline"; -- Store offline messages
|
||||||
|
-- "c2s"; -- Handle client connections
|
||||||
|
-- "s2s"; -- Handle server-to-server connections
|
||||||
|
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Disable account creation by default, for security
|
||||||
|
-- For more information see https://prosody.im/doc/creating_accounts
|
||||||
|
allow_registration = false
|
||||||
|
|
||||||
|
-- we don't need prosody doing any encryption, xmpp-proxy does this now
|
||||||
|
-- these are likely set to true somewhere in your file, find them, make them false
|
||||||
|
-- you can also remove all certificates from your config
|
||||||
|
s2s_require_encryption = false
|
||||||
|
s2s_secure_auth = false
|
||||||
|
|
||||||
|
-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
|
||||||
|
s2s_outgoing_proxy = { "192.5.0.50", 15270 }
|
||||||
|
|
||||||
|
-- handle PROXY protocol on these ports
|
||||||
|
proxy_port_mappings = {
|
||||||
|
[15222] = "c2s",
|
||||||
|
[15269] = "s2s"
|
||||||
|
}
|
||||||
|
|
||||||
|
--[[
|
||||||
|
Specifies a list of trusted hosts or networks which may use the PROXY protocol
|
||||||
|
If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
|
||||||
|
An empty table ({}) can be configured to allow connections from any source.
|
||||||
|
Please read the module documentation about potential security impact.
|
||||||
|
]]--
|
||||||
|
proxy_trusted_proxies = {
|
||||||
|
"192.5.0.50"
|
||||||
|
}
|
||||||
|
|
||||||
|
-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
|
||||||
|
-- you might need to comment these out further down in your config file if you set them
|
||||||
|
c2s_ports = {}
|
||||||
|
legacy_ssl_ports = {}
|
||||||
|
-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
|
||||||
|
s2s_ports = {15268}
|
||||||
|
|
||||||
|
-- Force clients to use encrypted connections? This option will
|
||||||
|
-- prevent clients from authenticating unless they are using encryption.
|
||||||
|
|
||||||
|
c2s_require_encryption = false
|
||||||
|
allow_unencrypted_plain_auth = true
|
||||||
|
|
||||||
|
-- Some servers have invalid or self-signed certificates. You can list
|
||||||
|
-- remote domains here that will not be required to authenticate using
|
||||||
|
-- certificates. They will be authenticated using DNS instead, even
|
||||||
|
-- when s2s_secure_auth is enabled.
|
||||||
|
|
||||||
|
--s2s_insecure_domains = { "insecure.example" }
|
||||||
|
|
||||||
|
-- Even if you disable s2s_secure_auth, you can still require valid
|
||||||
|
-- certificates for some domains by specifying a list here.
|
||||||
|
|
||||||
|
--s2s_secure_domains = { "jabber.org" }
|
||||||
|
|
||||||
|
-- Enable rate limits for incoming client and server connections
|
||||||
|
|
||||||
|
limits = {
|
||||||
|
c2s = {
|
||||||
|
rate = "10kb/s";
|
||||||
|
};
|
||||||
|
s2sin = {
|
||||||
|
rate = "30kb/s";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Select the authentication backend to use. The 'internal' providers
|
||||||
|
-- use Prosody's configured data storage to store the authentication data.
|
||||||
|
|
||||||
|
authentication = "internal_hashed"
|
||||||
|
|
||||||
|
-- Select the storage backend to use. By default Prosody uses flat files
|
||||||
|
-- in its configured data directory, but it also supports more backends
|
||||||
|
-- through modules. An "sql" backend is included by default, but requires
|
||||||
|
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
||||||
|
|
||||||
|
--storage = "sql" -- Default is "internal"
|
||||||
|
|
||||||
|
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
||||||
|
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
||||||
|
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
|
||||||
|
|
||||||
|
-- Archiving configuration
|
||||||
|
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
||||||
|
-- is used to synchronize conversations between multiple clients, even if
|
||||||
|
-- they are offline. This setting controls how long Prosody will keep
|
||||||
|
-- messages in the archive before removing them.
|
||||||
|
|
||||||
|
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
||||||
|
|
||||||
|
-- You can also configure messages to be stored in-memory only. For more
|
||||||
|
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
||||||
|
|
||||||
|
-- Logging configuration
|
||||||
|
-- For advanced logging see https://prosody.im/doc/logging
|
||||||
|
log = {
|
||||||
|
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
||||||
|
-- error = "prosody.err";
|
||||||
|
--info = "*syslog"; -- Uncomment this for logging to syslog
|
||||||
|
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Uncomment to enable statistics
|
||||||
|
-- For more info see https://prosody.im/doc/statistics
|
||||||
|
-- statistics = "internal"
|
||||||
|
|
||||||
|
-- Certificates
|
||||||
|
-- Every virtual host and component needs a certificate so that clients and
|
||||||
|
-- servers can securely verify its identity. Prosody will automatically load
|
||||||
|
-- certificates/keys from the directory specified here.
|
||||||
|
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
||||||
|
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
||||||
|
|
||||||
|
-- Location of directory to find certificates in (relative to main config file):
|
||||||
|
certificates = "certs"
|
||||||
|
|
||||||
|
-- HTTPS currently only supports a single certificate, specify it here:
|
||||||
|
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
||||||
|
|
||||||
|
----------- Virtual hosts -----------
|
||||||
|
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
||||||
|
-- Settings under each VirtualHost entry apply *only* to that host.
|
||||||
|
|
||||||
|
VirtualHost "two.example.org"
|
||||||
|
|
||||||
|
--VirtualHost "example.com"
|
||||||
|
-- certificate = "/path/to/example.crt"
|
||||||
|
|
||||||
|
------ Components ------
|
||||||
|
-- You can specify components to add hosts that provide special services,
|
||||||
|
-- like multi-user conferences, and transports.
|
||||||
|
-- For more information on components, see https://prosody.im/doc/components
|
||||||
|
|
||||||
|
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
||||||
|
--Component "conference.example.com" "muc"
|
||||||
|
--- Store MUC messages in an archive and allow users to access it
|
||||||
|
--modules_enabled = { "muc_mam" }
|
||||||
|
|
||||||
|
---Set up an external component (default component port is 5347)
|
||||||
|
--
|
||||||
|
-- External components allow adding various services, such as gateways/
|
||||||
|
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
||||||
|
-- see: https://prosody.im/doc/components#adding_an_external_component
|
||||||
|
--
|
||||||
|
--Component "gateway.example.com"
|
||||||
|
-- component_secret = "password"
|
44
integration/12-s2s-a-record-starttls/xmpp-proxy1.toml
Normal file
44
integration/12-s2s-a-record-starttls/xmpp-proxy1.toml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
|
||||||
|
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
||||||
|
incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:5269" ]
|
||||||
|
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
||||||
|
quic_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
||||||
|
websocket_listen = [ ]
|
||||||
|
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
||||||
|
outgoing_listen = [ "0.0.0.0:15270" ]
|
||||||
|
|
||||||
|
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
||||||
|
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
||||||
|
|
||||||
|
# c2s port backend XMPP server listens on
|
||||||
|
c2s_target = "192.5.0.20:15222"
|
||||||
|
|
||||||
|
# s2s port backend XMPP server listens on
|
||||||
|
s2s_target = "192.5.0.20:15269"
|
||||||
|
|
||||||
|
# send PROXYv1 header to backend XMPP server
|
||||||
|
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
||||||
|
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
||||||
|
proxy = true
|
||||||
|
|
||||||
|
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
||||||
|
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
||||||
|
# xmpp-proxy will use this many bytes + 16k per connection
|
||||||
|
max_stanza_size_bytes = 262_144
|
||||||
|
|
||||||
|
# TLS key/certificate valid for all your XMPP domains, PEM format
|
||||||
|
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
||||||
|
tls_key = "/etc/prosody/certs/one.example.org.key"
|
||||||
|
tls_cert = "/etc/prosody/certs/one.example.org.crt"
|
||||||
|
|
||||||
|
# configure logging, defaults are commented
|
||||||
|
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
||||||
|
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
||||||
|
#log_level = "info"
|
||||||
|
# for development/debugging:
|
||||||
|
log_level = "info,xmpp_proxy=trace"
|
||||||
|
|
||||||
|
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
||||||
|
#log_style = "never"
|
44
integration/12-s2s-a-record-starttls/xmpp-proxy2.toml
Normal file
44
integration/12-s2s-a-record-starttls/xmpp-proxy2.toml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
|
||||||
|
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
||||||
|
incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:5269" ]
|
||||||
|
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
||||||
|
quic_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
||||||
|
websocket_listen = [ ]
|
||||||
|
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
||||||
|
outgoing_listen = [ "0.0.0.0:15270" ]
|
||||||
|
|
||||||
|
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
||||||
|
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
||||||
|
|
||||||
|
# c2s port backend XMPP server listens on
|
||||||
|
c2s_target = "192.5.0.30:15222"
|
||||||
|
|
||||||
|
# s2s port backend XMPP server listens on
|
||||||
|
s2s_target = "192.5.0.30:15269"
|
||||||
|
|
||||||
|
# send PROXYv1 header to backend XMPP server
|
||||||
|
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
||||||
|
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
||||||
|
proxy = true
|
||||||
|
|
||||||
|
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
||||||
|
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
||||||
|
# xmpp-proxy will use this many bytes + 16k per connection
|
||||||
|
max_stanza_size_bytes = 262_144
|
||||||
|
|
||||||
|
# TLS key/certificate valid for all your XMPP domains, PEM format
|
||||||
|
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
||||||
|
tls_key = "/etc/prosody/certs/two.example.org.key"
|
||||||
|
tls_cert = "/etc/prosody/certs/two.example.org.crt"
|
||||||
|
|
||||||
|
# configure logging, defaults are commented
|
||||||
|
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
||||||
|
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
||||||
|
#log_level = "info"
|
||||||
|
# for development/debugging:
|
||||||
|
log_level = "info,xmpp_proxy=trace"
|
||||||
|
|
||||||
|
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
||||||
|
#log_style = "never"
|
44
integration/12-s2s-a-record-starttls/xmpp-proxy3.toml
Normal file
44
integration/12-s2s-a-record-starttls/xmpp-proxy3.toml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
|
||||||
|
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
||||||
|
incoming_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
||||||
|
quic_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
||||||
|
websocket_listen = [ ]
|
||||||
|
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
||||||
|
outgoing_listen = [ "0.0.0.0:5222" ]
|
||||||
|
|
||||||
|
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
||||||
|
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
||||||
|
|
||||||
|
# c2s port backend XMPP server listens on
|
||||||
|
c2s_target = "127.0.0.1:15222"
|
||||||
|
|
||||||
|
# s2s port backend XMPP server listens on
|
||||||
|
s2s_target = "127.0.0.1:15269"
|
||||||
|
|
||||||
|
# send PROXYv1 header to backend XMPP server
|
||||||
|
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
||||||
|
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
||||||
|
proxy = true
|
||||||
|
|
||||||
|
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
||||||
|
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
||||||
|
# xmpp-proxy will use this many bytes + 16k per connection
|
||||||
|
max_stanza_size_bytes = 262_144
|
||||||
|
|
||||||
|
# TLS key/certificate valid for all your XMPP domains, PEM format
|
||||||
|
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
||||||
|
tls_key = "/etc/certs/rsa/one.example.org.key"
|
||||||
|
tls_cert = "/etc/certs/rsa/one.example.org.crt"
|
||||||
|
|
||||||
|
# configure logging, defaults are commented
|
||||||
|
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
||||||
|
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
||||||
|
#log_level = "info"
|
||||||
|
# for development/debugging:
|
||||||
|
log_level = "info,xmpp_proxy=trace"
|
||||||
|
|
||||||
|
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
||||||
|
#log_style = "never"
|
23
integration/13-s2s-srv-record-starttls/example.org.zone
Normal file
23
integration/13-s2s-srv-record-starttls/example.org.zone
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
$TTL 300
|
||||||
|
; example.org
|
||||||
|
@ IN SOA ns1.example.org. postmaster.example.org. (
|
||||||
|
2018111111 ; Serial
|
||||||
|
28800 ; Refresh
|
||||||
|
1800 ; Retry
|
||||||
|
604800 ; Expire - 1 week
|
||||||
|
86400 ) ; Negative Cache TTL
|
||||||
|
IN NS ns1
|
||||||
|
ns1 IN A 192.5.0.10
|
||||||
|
server1 IN A 192.5.0.20
|
||||||
|
server2 IN A 192.5.0.30
|
||||||
|
xp1 IN A 192.5.0.40
|
||||||
|
xp2 IN A 192.5.0.50
|
||||||
|
xp3 IN A 192.5.0.60
|
||||||
|
|
||||||
|
one IN CNAME xp1
|
||||||
|
two IN CNAME xp2
|
||||||
|
_xmpp-server._tcp.one IN SRV 5 1 52269 xp1
|
||||||
|
_xmpp-server._tcp.two IN SRV 5 1 52269 xp2
|
||||||
|
|
||||||
|
scansion.one IN CNAME xp3
|
||||||
|
scansion.two IN CNAME xp3
|
251
integration/13-s2s-srv-record-starttls/prosody1.cfg.lua
Normal file
251
integration/13-s2s-srv-record-starttls/prosody1.cfg.lua
Normal file
@ -0,0 +1,251 @@
|
|||||||
|
--Important for systemd
|
||||||
|
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
||||||
|
daemonize = false
|
||||||
|
run_as_root = true
|
||||||
|
|
||||||
|
pidfile = "/run/prosody/prosody.pid"
|
||||||
|
|
||||||
|
plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
|
||||||
|
|
||||||
|
-- Prosody Example Configuration File
|
||||||
|
--
|
||||||
|
-- Information on configuring Prosody can be found on our
|
||||||
|
-- website at https://prosody.im/doc/configure
|
||||||
|
--
|
||||||
|
-- Tip: You can check that the syntax of this file is correct
|
||||||
|
-- when you have finished by running this command:
|
||||||
|
-- prosodyctl check config
|
||||||
|
-- If there are any errors, it will let you know what and where
|
||||||
|
-- they are, otherwise it will keep quiet.
|
||||||
|
--
|
||||||
|
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
||||||
|
-- blanks. Good luck, and happy Jabbering!
|
||||||
|
|
||||||
|
|
||||||
|
---------- Server-wide settings ----------
|
||||||
|
-- Settings in this section apply to the whole server and are the default settings
|
||||||
|
-- for any virtual hosts
|
||||||
|
|
||||||
|
-- This is a (by default, empty) list of accounts that are admins
|
||||||
|
-- for the server. Note that you must create the accounts separately
|
||||||
|
-- (see https://prosody.im/doc/creating_accounts for info)
|
||||||
|
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
||||||
|
admins = { }
|
||||||
|
|
||||||
|
-- Enable use of libevent for better performance under high load
|
||||||
|
-- For more information see: https://prosody.im/doc/libevent
|
||||||
|
--use_libevent = true
|
||||||
|
|
||||||
|
-- Prosody will always look in its source directory for modules, but
|
||||||
|
-- this option allows you to specify additional locations where Prosody
|
||||||
|
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
||||||
|
--plugin_paths = {}
|
||||||
|
|
||||||
|
-- This is the list of modules Prosody will load on startup.
|
||||||
|
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
||||||
|
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
||||||
|
modules_enabled = {
|
||||||
|
|
||||||
|
-- Generally required
|
||||||
|
"roster"; -- Allow users to have a roster. Recommended ;)
|
||||||
|
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
||||||
|
--"tls"; -- Add support for secure TLS on c2s/s2s connections
|
||||||
|
"dialback"; -- s2s dialback support
|
||||||
|
"disco"; -- Service discovery
|
||||||
|
|
||||||
|
-- Not essential, but recommended
|
||||||
|
"carbons"; -- Keep multiple clients in sync
|
||||||
|
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
||||||
|
"private"; -- Private XML storage (for room bookmarks, etc.)
|
||||||
|
"blocklist"; -- Allow users to block communications with other users
|
||||||
|
"vcard4"; -- User profiles (stored in PEP)
|
||||||
|
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
||||||
|
"limits"; -- Enable bandwidth limiting for XMPP connections
|
||||||
|
|
||||||
|
-- Nice to have
|
||||||
|
"version"; -- Replies to server version requests
|
||||||
|
"uptime"; -- Report how long server has been running
|
||||||
|
"time"; -- Let others know the time here on this server
|
||||||
|
"ping"; -- Replies to XMPP pings with pongs
|
||||||
|
"register"; -- Allow users to register on this server using a client and change passwords
|
||||||
|
--"mam"; -- Store messages in an archive and allow users to access it
|
||||||
|
--"csi_simple"; -- Simple Mobile optimizations
|
||||||
|
|
||||||
|
-- Admin interfaces
|
||||||
|
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
||||||
|
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
||||||
|
|
||||||
|
-- HTTP modules
|
||||||
|
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
||||||
|
--"websocket"; -- XMPP over WebSockets
|
||||||
|
--"http_files"; -- Serve static files from a directory over HTTP
|
||||||
|
|
||||||
|
-- Other specific functionality
|
||||||
|
--"groups"; -- Shared roster support
|
||||||
|
--"server_contact_info"; -- Publish contact information for this service
|
||||||
|
--"announce"; -- Send announcement to all online users
|
||||||
|
--"welcome"; -- Welcome users who register accounts
|
||||||
|
--"watchregistrations"; -- Alert admins of registrations
|
||||||
|
--"motd"; -- Send a message to users when they log in
|
||||||
|
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
||||||
|
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
||||||
|
"net_proxy";
|
||||||
|
"s2s_outgoing_proxy";
|
||||||
|
}
|
||||||
|
|
||||||
|
-- These modules are auto-loaded, but should you want
|
||||||
|
-- to disable them then uncomment them here:
|
||||||
|
modules_disabled = {
|
||||||
|
-- "offline"; -- Store offline messages
|
||||||
|
-- "c2s"; -- Handle client connections
|
||||||
|
-- "s2s"; -- Handle server-to-server connections
|
||||||
|
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Disable account creation by default, for security
|
||||||
|
-- For more information see https://prosody.im/doc/creating_accounts
|
||||||
|
allow_registration = false
|
||||||
|
|
||||||
|
-- we don't need prosody doing any encryption, xmpp-proxy does this now
|
||||||
|
-- these are likely set to true somewhere in your file, find them, make them false
|
||||||
|
-- you can also remove all certificates from your config
|
||||||
|
s2s_require_encryption = false
|
||||||
|
s2s_secure_auth = false
|
||||||
|
|
||||||
|
-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
|
||||||
|
s2s_outgoing_proxy = { "192.5.0.40", 15270 }
|
||||||
|
|
||||||
|
-- handle PROXY protocol on these ports
|
||||||
|
proxy_port_mappings = {
|
||||||
|
[15222] = "c2s",
|
||||||
|
[15269] = "s2s"
|
||||||
|
}
|
||||||
|
|
||||||
|
--[[
|
||||||
|
Specifies a list of trusted hosts or networks which may use the PROXY protocol
|
||||||
|
If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
|
||||||
|
An empty table ({}) can be configured to allow connections from any source.
|
||||||
|
Please read the module documentation about potential security impact.
|
||||||
|
]]--
|
||||||
|
proxy_trusted_proxies = {
|
||||||
|
"192.5.0.40"
|
||||||
|
}
|
||||||
|
|
||||||
|
-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
|
||||||
|
-- you might need to comment these out further down in your config file if you set them
|
||||||
|
c2s_ports = {}
|
||||||
|
legacy_ssl_ports = {}
|
||||||
|
-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
|
||||||
|
s2s_ports = {15268}
|
||||||
|
|
||||||
|
-- Force clients to use encrypted connections? This option will
|
||||||
|
-- prevent clients from authenticating unless they are using encryption.
|
||||||
|
|
||||||
|
c2s_require_encryption = false
|
||||||
|
allow_unencrypted_plain_auth = true
|
||||||
|
|
||||||
|
-- Some servers have invalid or self-signed certificates. You can list
|
||||||
|
-- remote domains here that will not be required to authenticate using
|
||||||
|
-- certificates. They will be authenticated using DNS instead, even
|
||||||
|
-- when s2s_secure_auth is enabled.
|
||||||
|
|
||||||
|
--s2s_insecure_domains = { "insecure.example" }
|
||||||
|
|
||||||
|
-- Even if you disable s2s_secure_auth, you can still require valid
|
||||||
|
-- certificates for some domains by specifying a list here.
|
||||||
|
|
||||||
|
--s2s_secure_domains = { "jabber.org" }
|
||||||
|
|
||||||
|
-- Enable rate limits for incoming client and server connections
|
||||||
|
|
||||||
|
limits = {
|
||||||
|
c2s = {
|
||||||
|
rate = "10kb/s";
|
||||||
|
};
|
||||||
|
s2sin = {
|
||||||
|
rate = "30kb/s";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Select the authentication backend to use. The 'internal' providers
|
||||||
|
-- use Prosody's configured data storage to store the authentication data.
|
||||||
|
|
||||||
|
authentication = "internal_hashed"
|
||||||
|
|
||||||
|
-- Select the storage backend to use. By default Prosody uses flat files
|
||||||
|
-- in its configured data directory, but it also supports more backends
|
||||||
|
-- through modules. An "sql" backend is included by default, but requires
|
||||||
|
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
||||||
|
|
||||||
|
--storage = "sql" -- Default is "internal"
|
||||||
|
|
||||||
|
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
||||||
|
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
||||||
|
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
|
||||||
|
|
||||||
|
-- Archiving configuration
|
||||||
|
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
||||||
|
-- is used to synchronize conversations between multiple clients, even if
|
||||||
|
-- they are offline. This setting controls how long Prosody will keep
|
||||||
|
-- messages in the archive before removing them.
|
||||||
|
|
||||||
|
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
||||||
|
|
||||||
|
-- You can also configure messages to be stored in-memory only. For more
|
||||||
|
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
||||||
|
|
||||||
|
-- Logging configuration
|
||||||
|
-- For advanced logging see https://prosody.im/doc/logging
|
||||||
|
log = {
|
||||||
|
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
||||||
|
-- error = "prosody.err";
|
||||||
|
--info = "*syslog"; -- Uncomment this for logging to syslog
|
||||||
|
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Uncomment to enable statistics
|
||||||
|
-- For more info see https://prosody.im/doc/statistics
|
||||||
|
-- statistics = "internal"
|
||||||
|
|
||||||
|
-- Certificates
|
||||||
|
-- Every virtual host and component needs a certificate so that clients and
|
||||||
|
-- servers can securely verify its identity. Prosody will automatically load
|
||||||
|
-- certificates/keys from the directory specified here.
|
||||||
|
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
||||||
|
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
||||||
|
|
||||||
|
-- Location of directory to find certificates in (relative to main config file):
|
||||||
|
certificates = "certs"
|
||||||
|
|
||||||
|
-- HTTPS currently only supports a single certificate, specify it here:
|
||||||
|
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
||||||
|
|
||||||
|
----------- Virtual hosts -----------
|
||||||
|
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
||||||
|
-- Settings under each VirtualHost entry apply *only* to that host.
|
||||||
|
|
||||||
|
VirtualHost "one.example.org"
|
||||||
|
|
||||||
|
--VirtualHost "example.com"
|
||||||
|
-- certificate = "/path/to/example.crt"
|
||||||
|
|
||||||
|
------ Components ------
|
||||||
|
-- You can specify components to add hosts that provide special services,
|
||||||
|
-- like multi-user conferences, and transports.
|
||||||
|
-- For more information on components, see https://prosody.im/doc/components
|
||||||
|
|
||||||
|
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
||||||
|
--Component "conference.example.com" "muc"
|
||||||
|
--- Store MUC messages in an archive and allow users to access it
|
||||||
|
--modules_enabled = { "muc_mam" }
|
||||||
|
|
||||||
|
---Set up an external component (default component port is 5347)
|
||||||
|
--
|
||||||
|
-- External components allow adding various services, such as gateways/
|
||||||
|
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
||||||
|
-- see: https://prosody.im/doc/components#adding_an_external_component
|
||||||
|
--
|
||||||
|
--Component "gateway.example.com"
|
||||||
|
-- component_secret = "password"
|
251
integration/13-s2s-srv-record-starttls/prosody2.cfg.lua
Normal file
251
integration/13-s2s-srv-record-starttls/prosody2.cfg.lua
Normal file
@ -0,0 +1,251 @@
|
|||||||
|
--Important for systemd
|
||||||
|
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
||||||
|
daemonize = false
|
||||||
|
run_as_root = true
|
||||||
|
|
||||||
|
pidfile = "/run/prosody/prosody.pid"
|
||||||
|
|
||||||
|
plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
|
||||||
|
|
||||||
|
-- Prosody Example Configuration File
|
||||||
|
--
|
||||||
|
-- Information on configuring Prosody can be found on our
|
||||||
|
-- website at https://prosody.im/doc/configure
|
||||||
|
--
|
||||||
|
-- Tip: You can check that the syntax of this file is correct
|
||||||
|
-- when you have finished by running this command:
|
||||||
|
-- prosodyctl check config
|
||||||
|
-- If there are any errors, it will let you know what and where
|
||||||
|
-- they are, otherwise it will keep quiet.
|
||||||
|
--
|
||||||
|
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
||||||
|
-- blanks. Good luck, and happy Jabbering!
|
||||||
|
|
||||||
|
|
||||||
|
---------- Server-wide settings ----------
|
||||||
|
-- Settings in this section apply to the whole server and are the default settings
|
||||||
|
-- for any virtual hosts
|
||||||
|
|
||||||
|
-- This is a (by default, empty) list of accounts that are admins
|
||||||
|
-- for the server. Note that you must create the accounts separately
|
||||||
|
-- (see https://prosody.im/doc/creating_accounts for info)
|
||||||
|
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
||||||
|
admins = { }
|
||||||
|
|
||||||
|
-- Enable use of libevent for better performance under high load
|
||||||
|
-- For more information see: https://prosody.im/doc/libevent
|
||||||
|
--use_libevent = true
|
||||||
|
|
||||||
|
-- Prosody will always look in its source directory for modules, but
|
||||||
|
-- this option allows you to specify additional locations where Prosody
|
||||||
|
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
||||||
|
--plugin_paths = {}
|
||||||
|
|
||||||
|
-- This is the list of modules Prosody will load on startup.
|
||||||
|
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
||||||
|
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
||||||
|
modules_enabled = {
|
||||||
|
|
||||||
|
-- Generally required
|
||||||
|
"roster"; -- Allow users to have a roster. Recommended ;)
|
||||||
|
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
||||||
|
--"tls"; -- Add support for secure TLS on c2s/s2s connections
|
||||||
|
"dialback"; -- s2s dialback support
|
||||||
|
"disco"; -- Service discovery
|
||||||
|
|
||||||
|
-- Not essential, but recommended
|
||||||
|
"carbons"; -- Keep multiple clients in sync
|
||||||
|
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
||||||
|
"private"; -- Private XML storage (for room bookmarks, etc.)
|
||||||
|
"blocklist"; -- Allow users to block communications with other users
|
||||||
|
"vcard4"; -- User profiles (stored in PEP)
|
||||||
|
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
||||||
|
"limits"; -- Enable bandwidth limiting for XMPP connections
|
||||||
|
|
||||||
|
-- Nice to have
|
||||||
|
"version"; -- Replies to server version requests
|
||||||
|
"uptime"; -- Report how long server has been running
|
||||||
|
"time"; -- Let others know the time here on this server
|
||||||
|
"ping"; -- Replies to XMPP pings with pongs
|
||||||
|
"register"; -- Allow users to register on this server using a client and change passwords
|
||||||
|
--"mam"; -- Store messages in an archive and allow users to access it
|
||||||
|
--"csi_simple"; -- Simple Mobile optimizations
|
||||||
|
|
||||||
|
-- Admin interfaces
|
||||||
|
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
||||||
|
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
||||||
|
|
||||||
|
-- HTTP modules
|
||||||
|
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
||||||
|
--"websocket"; -- XMPP over WebSockets
|
||||||
|
--"http_files"; -- Serve static files from a directory over HTTP
|
||||||
|
|
||||||
|
-- Other specific functionality
|
||||||
|
--"groups"; -- Shared roster support
|
||||||
|
--"server_contact_info"; -- Publish contact information for this service
|
||||||
|
--"announce"; -- Send announcement to all online users
|
||||||
|
--"welcome"; -- Welcome users who register accounts
|
||||||
|
--"watchregistrations"; -- Alert admins of registrations
|
||||||
|
--"motd"; -- Send a message to users when they log in
|
||||||
|
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
||||||
|
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
||||||
|
"net_proxy";
|
||||||
|
"s2s_outgoing_proxy";
|
||||||
|
}
|
||||||
|
|
||||||
|
-- These modules are auto-loaded, but should you want
|
||||||
|
-- to disable them then uncomment them here:
|
||||||
|
modules_disabled = {
|
||||||
|
-- "offline"; -- Store offline messages
|
||||||
|
-- "c2s"; -- Handle client connections
|
||||||
|
-- "s2s"; -- Handle server-to-server connections
|
||||||
|
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Disable account creation by default, for security
|
||||||
|
-- For more information see https://prosody.im/doc/creating_accounts
|
||||||
|
allow_registration = false
|
||||||
|
|
||||||
|
-- we don't need prosody doing any encryption, xmpp-proxy does this now
|
||||||
|
-- these are likely set to true somewhere in your file, find them, make them false
|
||||||
|
-- you can also remove all certificates from your config
|
||||||
|
s2s_require_encryption = false
|
||||||
|
s2s_secure_auth = false
|
||||||
|
|
||||||
|
-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
|
||||||
|
s2s_outgoing_proxy = { "192.5.0.50", 15270 }
|
||||||
|
|
||||||
|
-- handle PROXY protocol on these ports
|
||||||
|
proxy_port_mappings = {
|
||||||
|
[15222] = "c2s",
|
||||||
|
[15269] = "s2s"
|
||||||
|
}
|
||||||
|
|
||||||
|
--[[
|
||||||
|
Specifies a list of trusted hosts or networks which may use the PROXY protocol
|
||||||
|
If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
|
||||||
|
An empty table ({}) can be configured to allow connections from any source.
|
||||||
|
Please read the module documentation about potential security impact.
|
||||||
|
]]--
|
||||||
|
proxy_trusted_proxies = {
|
||||||
|
"192.5.0.50"
|
||||||
|
}
|
||||||
|
|
||||||
|
-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
|
||||||
|
-- you might need to comment these out further down in your config file if you set them
|
||||||
|
c2s_ports = {}
|
||||||
|
legacy_ssl_ports = {}
|
||||||
|
-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
|
||||||
|
s2s_ports = {15268}
|
||||||
|
|
||||||
|
-- Force clients to use encrypted connections? This option will
|
||||||
|
-- prevent clients from authenticating unless they are using encryption.
|
||||||
|
|
||||||
|
c2s_require_encryption = false
|
||||||
|
allow_unencrypted_plain_auth = true
|
||||||
|
|
||||||
|
-- Some servers have invalid or self-signed certificates. You can list
|
||||||
|
-- remote domains here that will not be required to authenticate using
|
||||||
|
-- certificates. They will be authenticated using DNS instead, even
|
||||||
|
-- when s2s_secure_auth is enabled.
|
||||||
|
|
||||||
|
--s2s_insecure_domains = { "insecure.example" }
|
||||||
|
|
||||||
|
-- Even if you disable s2s_secure_auth, you can still require valid
|
||||||
|
-- certificates for some domains by specifying a list here.
|
||||||
|
|
||||||
|
--s2s_secure_domains = { "jabber.org" }
|
||||||
|
|
||||||
|
-- Enable rate limits for incoming client and server connections
|
||||||
|
|
||||||
|
limits = {
|
||||||
|
c2s = {
|
||||||
|
rate = "10kb/s";
|
||||||
|
};
|
||||||
|
s2sin = {
|
||||||
|
rate = "30kb/s";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Select the authentication backend to use. The 'internal' providers
|
||||||
|
-- use Prosody's configured data storage to store the authentication data.
|
||||||
|
|
||||||
|
authentication = "internal_hashed"
|
||||||
|
|
||||||
|
-- Select the storage backend to use. By default Prosody uses flat files
|
||||||
|
-- in its configured data directory, but it also supports more backends
|
||||||
|
-- through modules. An "sql" backend is included by default, but requires
|
||||||
|
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
||||||
|
|
||||||
|
--storage = "sql" -- Default is "internal"
|
||||||
|
|
||||||
|
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
||||||
|
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
||||||
|
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
|
||||||
|
|
||||||
|
-- Archiving configuration
|
||||||
|
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
||||||
|
-- is used to synchronize conversations between multiple clients, even if
|
||||||
|
-- they are offline. This setting controls how long Prosody will keep
|
||||||
|
-- messages in the archive before removing them.
|
||||||
|
|
||||||
|
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
||||||
|
|
||||||
|
-- You can also configure messages to be stored in-memory only. For more
|
||||||
|
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
||||||
|
|
||||||
|
-- Logging configuration
|
||||||
|
-- For advanced logging see https://prosody.im/doc/logging
|
||||||
|
log = {
|
||||||
|
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
||||||
|
-- error = "prosody.err";
|
||||||
|
--info = "*syslog"; -- Uncomment this for logging to syslog
|
||||||
|
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Uncomment to enable statistics
|
||||||
|
-- For more info see https://prosody.im/doc/statistics
|
||||||
|
-- statistics = "internal"
|
||||||
|
|
||||||
|
-- Certificates
|
||||||
|
-- Every virtual host and component needs a certificate so that clients and
|
||||||
|
-- servers can securely verify its identity. Prosody will automatically load
|
||||||
|
-- certificates/keys from the directory specified here.
|
||||||
|
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
||||||
|
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
||||||
|
|
||||||
|
-- Location of directory to find certificates in (relative to main config file):
|
||||||
|
certificates = "certs"
|
||||||
|
|
||||||
|
-- HTTPS currently only supports a single certificate, specify it here:
|
||||||
|
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
||||||
|
|
||||||
|
----------- Virtual hosts -----------
|
||||||
|
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
||||||
|
-- Settings under each VirtualHost entry apply *only* to that host.
|
||||||
|
|
||||||
|
VirtualHost "two.example.org"
|
||||||
|
|
||||||
|
--VirtualHost "example.com"
|
||||||
|
-- certificate = "/path/to/example.crt"
|
||||||
|
|
||||||
|
------ Components ------
|
||||||
|
-- You can specify components to add hosts that provide special services,
|
||||||
|
-- like multi-user conferences, and transports.
|
||||||
|
-- For more information on components, see https://prosody.im/doc/components
|
||||||
|
|
||||||
|
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
||||||
|
--Component "conference.example.com" "muc"
|
||||||
|
--- Store MUC messages in an archive and allow users to access it
|
||||||
|
--modules_enabled = { "muc_mam" }
|
||||||
|
|
||||||
|
---Set up an external component (default component port is 5347)
|
||||||
|
--
|
||||||
|
-- External components allow adding various services, such as gateways/
|
||||||
|
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
||||||
|
-- see: https://prosody.im/doc/components#adding_an_external_component
|
||||||
|
--
|
||||||
|
--Component "gateway.example.com"
|
||||||
|
-- component_secret = "password"
|
44
integration/13-s2s-srv-record-starttls/xmpp-proxy1.toml
Normal file
44
integration/13-s2s-srv-record-starttls/xmpp-proxy1.toml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
|
||||||
|
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
||||||
|
incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:52269" ]
|
||||||
|
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
||||||
|
quic_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
||||||
|
websocket_listen = [ ]
|
||||||
|
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
||||||
|
outgoing_listen = [ "0.0.0.0:15270" ]
|
||||||
|
|
||||||
|
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
||||||
|
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
||||||
|
|
||||||
|
# c2s port backend XMPP server listens on
|
||||||
|
c2s_target = "192.5.0.20:15222"
|
||||||
|
|
||||||
|
# s2s port backend XMPP server listens on
|
||||||
|
s2s_target = "192.5.0.20:15269"
|
||||||
|
|
||||||
|
# send PROXYv1 header to backend XMPP server
|
||||||
|
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
||||||
|
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
||||||
|
proxy = true
|
||||||
|
|
||||||
|
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
||||||
|
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
||||||
|
# xmpp-proxy will use this many bytes + 16k per connection
|
||||||
|
max_stanza_size_bytes = 262_144
|
||||||
|
|
||||||
|
# TLS key/certificate valid for all your XMPP domains, PEM format
|
||||||
|
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
||||||
|
tls_key = "/etc/prosody/certs/one.example.org.key"
|
||||||
|
tls_cert = "/etc/prosody/certs/one.example.org.crt"
|
||||||
|
|
||||||
|
# configure logging, defaults are commented
|
||||||
|
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
||||||
|
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
||||||
|
#log_level = "info"
|
||||||
|
# for development/debugging:
|
||||||
|
log_level = "info,xmpp_proxy=trace"
|
||||||
|
|
||||||
|
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
||||||
|
#log_style = "never"
|
44
integration/13-s2s-srv-record-starttls/xmpp-proxy2.toml
Normal file
44
integration/13-s2s-srv-record-starttls/xmpp-proxy2.toml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
|
||||||
|
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
||||||
|
incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:52269" ]
|
||||||
|
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
||||||
|
quic_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
||||||
|
websocket_listen = [ ]
|
||||||
|
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
||||||
|
outgoing_listen = [ "0.0.0.0:15270" ]
|
||||||
|
|
||||||
|
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
||||||
|
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
||||||
|
|
||||||
|
# c2s port backend XMPP server listens on
|
||||||
|
c2s_target = "192.5.0.30:15222"
|
||||||
|
|
||||||
|
# s2s port backend XMPP server listens on
|
||||||
|
s2s_target = "192.5.0.30:15269"
|
||||||
|
|
||||||
|
# send PROXYv1 header to backend XMPP server
|
||||||
|
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
||||||
|
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
||||||
|
proxy = true
|
||||||
|
|
||||||
|
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
||||||
|
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
||||||
|
# xmpp-proxy will use this many bytes + 16k per connection
|
||||||
|
max_stanza_size_bytes = 262_144
|
||||||
|
|
||||||
|
# TLS key/certificate valid for all your XMPP domains, PEM format
|
||||||
|
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
||||||
|
tls_key = "/etc/prosody/certs/two.example.org.key"
|
||||||
|
tls_cert = "/etc/prosody/certs/two.example.org.crt"
|
||||||
|
|
||||||
|
# configure logging, defaults are commented
|
||||||
|
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
||||||
|
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
||||||
|
#log_level = "info"
|
||||||
|
# for development/debugging:
|
||||||
|
log_level = "info,xmpp_proxy=trace"
|
||||||
|
|
||||||
|
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
||||||
|
#log_style = "never"
|
44
integration/13-s2s-srv-record-starttls/xmpp-proxy3.toml
Normal file
44
integration/13-s2s-srv-record-starttls/xmpp-proxy3.toml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
|
||||||
|
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
||||||
|
incoming_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
||||||
|
quic_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
||||||
|
websocket_listen = [ ]
|
||||||
|
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
||||||
|
outgoing_listen = [ "0.0.0.0:5222" ]
|
||||||
|
|
||||||
|
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
||||||
|
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
||||||
|
|
||||||
|
# c2s port backend XMPP server listens on
|
||||||
|
c2s_target = "127.0.0.1:15222"
|
||||||
|
|
||||||
|
# s2s port backend XMPP server listens on
|
||||||
|
s2s_target = "127.0.0.1:15269"
|
||||||
|
|
||||||
|
# send PROXYv1 header to backend XMPP server
|
||||||
|
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
||||||
|
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
||||||
|
proxy = true
|
||||||
|
|
||||||
|
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
||||||
|
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
||||||
|
# xmpp-proxy will use this many bytes + 16k per connection
|
||||||
|
max_stanza_size_bytes = 262_144
|
||||||
|
|
||||||
|
# TLS key/certificate valid for all your XMPP domains, PEM format
|
||||||
|
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
||||||
|
tls_key = "/etc/certs/rsa/one.example.org.key"
|
||||||
|
tls_cert = "/etc/certs/rsa/one.example.org.crt"
|
||||||
|
|
||||||
|
# configure logging, defaults are commented
|
||||||
|
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
||||||
|
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
||||||
|
#log_level = "info"
|
||||||
|
# for development/debugging:
|
||||||
|
log_level = "info,xmpp_proxy=trace"
|
||||||
|
|
||||||
|
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
||||||
|
#log_style = "never"
|
21
integration/14-s2s-a-record-tls/example.org.zone
Normal file
21
integration/14-s2s-a-record-tls/example.org.zone
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
$TTL 300
|
||||||
|
; example.org
|
||||||
|
@ IN SOA ns1.example.org. postmaster.example.org. (
|
||||||
|
2018111111 ; Serial
|
||||||
|
28800 ; Refresh
|
||||||
|
1800 ; Retry
|
||||||
|
604800 ; Expire - 1 week
|
||||||
|
86400 ) ; Negative Cache TTL
|
||||||
|
IN NS ns1
|
||||||
|
ns1 IN A 192.5.0.10
|
||||||
|
server1 IN A 192.5.0.20
|
||||||
|
server2 IN A 192.5.0.30
|
||||||
|
xp1 IN A 192.5.0.40
|
||||||
|
xp2 IN A 192.5.0.50
|
||||||
|
xp3 IN A 192.5.0.60
|
||||||
|
|
||||||
|
one IN CNAME xp1
|
||||||
|
two IN CNAME xp2
|
||||||
|
|
||||||
|
scansion.one IN CNAME xp3
|
||||||
|
scansion.two IN CNAME xp3
|
251
integration/14-s2s-a-record-tls/prosody1.cfg.lua
Normal file
251
integration/14-s2s-a-record-tls/prosody1.cfg.lua
Normal file
@ -0,0 +1,251 @@
|
|||||||
|
--Important for systemd
|
||||||
|
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
||||||
|
daemonize = false
|
||||||
|
run_as_root = true
|
||||||
|
|
||||||
|
pidfile = "/run/prosody/prosody.pid"
|
||||||
|
|
||||||
|
plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
|
||||||
|
|
||||||
|
-- Prosody Example Configuration File
|
||||||
|
--
|
||||||
|
-- Information on configuring Prosody can be found on our
|
||||||
|
-- website at https://prosody.im/doc/configure
|
||||||
|
--
|
||||||
|
-- Tip: You can check that the syntax of this file is correct
|
||||||
|
-- when you have finished by running this command:
|
||||||
|
-- prosodyctl check config
|
||||||
|
-- If there are any errors, it will let you know what and where
|
||||||
|
-- they are, otherwise it will keep quiet.
|
||||||
|
--
|
||||||
|
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
||||||
|
-- blanks. Good luck, and happy Jabbering!
|
||||||
|
|
||||||
|
|
||||||
|
---------- Server-wide settings ----------
|
||||||
|
-- Settings in this section apply to the whole server and are the default settings
|
||||||
|
-- for any virtual hosts
|
||||||
|
|
||||||
|
-- This is a (by default, empty) list of accounts that are admins
|
||||||
|
-- for the server. Note that you must create the accounts separately
|
||||||
|
-- (see https://prosody.im/doc/creating_accounts for info)
|
||||||
|
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
||||||
|
admins = { }
|
||||||
|
|
||||||
|
-- Enable use of libevent for better performance under high load
|
||||||
|
-- For more information see: https://prosody.im/doc/libevent
|
||||||
|
--use_libevent = true
|
||||||
|
|
||||||
|
-- Prosody will always look in its source directory for modules, but
|
||||||
|
-- this option allows you to specify additional locations where Prosody
|
||||||
|
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
||||||
|
--plugin_paths = {}
|
||||||
|
|
||||||
|
-- This is the list of modules Prosody will load on startup.
|
||||||
|
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
||||||
|
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
||||||
|
modules_enabled = {
|
||||||
|
|
||||||
|
-- Generally required
|
||||||
|
"roster"; -- Allow users to have a roster. Recommended ;)
|
||||||
|
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
||||||
|
--"tls"; -- Add support for secure TLS on c2s/s2s connections
|
||||||
|
"dialback"; -- s2s dialback support
|
||||||
|
"disco"; -- Service discovery
|
||||||
|
|
||||||
|
-- Not essential, but recommended
|
||||||
|
"carbons"; -- Keep multiple clients in sync
|
||||||
|
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
||||||
|
"private"; -- Private XML storage (for room bookmarks, etc.)
|
||||||
|
"blocklist"; -- Allow users to block communications with other users
|
||||||
|
"vcard4"; -- User profiles (stored in PEP)
|
||||||
|
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
||||||
|
"limits"; -- Enable bandwidth limiting for XMPP connections
|
||||||
|
|
||||||
|
-- Nice to have
|
||||||
|
"version"; -- Replies to server version requests
|
||||||
|
"uptime"; -- Report how long server has been running
|
||||||
|
"time"; -- Let others know the time here on this server
|
||||||
|
"ping"; -- Replies to XMPP pings with pongs
|
||||||
|
"register"; -- Allow users to register on this server using a client and change passwords
|
||||||
|
--"mam"; -- Store messages in an archive and allow users to access it
|
||||||
|
--"csi_simple"; -- Simple Mobile optimizations
|
||||||
|
|
||||||
|
-- Admin interfaces
|
||||||
|
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
||||||
|
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
||||||
|
|
||||||
|
-- HTTP modules
|
||||||
|
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
||||||
|
--"websocket"; -- XMPP over WebSockets
|
||||||
|
--"http_files"; -- Serve static files from a directory over HTTP
|
||||||
|
|
||||||
|
-- Other specific functionality
|
||||||
|
--"groups"; -- Shared roster support
|
||||||
|
--"server_contact_info"; -- Publish contact information for this service
|
||||||
|
--"announce"; -- Send announcement to all online users
|
||||||
|
--"welcome"; -- Welcome users who register accounts
|
||||||
|
--"watchregistrations"; -- Alert admins of registrations
|
||||||
|
--"motd"; -- Send a message to users when they log in
|
||||||
|
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
||||||
|
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
||||||
|
"net_proxy";
|
||||||
|
"s2s_outgoing_proxy";
|
||||||
|
}
|
||||||
|
|
||||||
|
-- These modules are auto-loaded, but should you want
|
||||||
|
-- to disable them then uncomment them here:
|
||||||
|
modules_disabled = {
|
||||||
|
-- "offline"; -- Store offline messages
|
||||||
|
-- "c2s"; -- Handle client connections
|
||||||
|
-- "s2s"; -- Handle server-to-server connections
|
||||||
|
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Disable account creation by default, for security
|
||||||
|
-- For more information see https://prosody.im/doc/creating_accounts
|
||||||
|
allow_registration = false
|
||||||
|
|
||||||
|
-- we don't need prosody doing any encryption, xmpp-proxy does this now
|
||||||
|
-- these are likely set to true somewhere in your file, find them, make them false
|
||||||
|
-- you can also remove all certificates from your config
|
||||||
|
s2s_require_encryption = false
|
||||||
|
s2s_secure_auth = false
|
||||||
|
|
||||||
|
-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
|
||||||
|
s2s_outgoing_proxy = { "192.5.0.40", 15270 }
|
||||||
|
|
||||||
|
-- handle PROXY protocol on these ports
|
||||||
|
proxy_port_mappings = {
|
||||||
|
[15222] = "c2s",
|
||||||
|
[15269] = "s2s"
|
||||||
|
}
|
||||||
|
|
||||||
|
--[[
|
||||||
|
Specifies a list of trusted hosts or networks which may use the PROXY protocol
|
||||||
|
If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
|
||||||
|
An empty table ({}) can be configured to allow connections from any source.
|
||||||
|
Please read the module documentation about potential security impact.
|
||||||
|
]]--
|
||||||
|
proxy_trusted_proxies = {
|
||||||
|
"192.5.0.40"
|
||||||
|
}
|
||||||
|
|
||||||
|
-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
|
||||||
|
-- you might need to comment these out further down in your config file if you set them
|
||||||
|
c2s_ports = {}
|
||||||
|
legacy_ssl_ports = {}
|
||||||
|
-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
|
||||||
|
s2s_ports = {15268}
|
||||||
|
|
||||||
|
-- Force clients to use encrypted connections? This option will
|
||||||
|
-- prevent clients from authenticating unless they are using encryption.
|
||||||
|
|
||||||
|
c2s_require_encryption = false
|
||||||
|
allow_unencrypted_plain_auth = true
|
||||||
|
|
||||||
|
-- Some servers have invalid or self-signed certificates. You can list
|
||||||
|
-- remote domains here that will not be required to authenticate using
|
||||||
|
-- certificates. They will be authenticated using DNS instead, even
|
||||||
|
-- when s2s_secure_auth is enabled.
|
||||||
|
|
||||||
|
--s2s_insecure_domains = { "insecure.example" }
|
||||||
|
|
||||||
|
-- Even if you disable s2s_secure_auth, you can still require valid
|
||||||
|
-- certificates for some domains by specifying a list here.
|
||||||
|
|
||||||
|
--s2s_secure_domains = { "jabber.org" }
|
||||||
|
|
||||||
|
-- Enable rate limits for incoming client and server connections
|
||||||
|
|
||||||
|
limits = {
|
||||||
|
c2s = {
|
||||||
|
rate = "10kb/s";
|
||||||
|
};
|
||||||
|
s2sin = {
|
||||||
|
rate = "30kb/s";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Select the authentication backend to use. The 'internal' providers
|
||||||
|
-- use Prosody's configured data storage to store the authentication data.
|
||||||
|
|
||||||
|
authentication = "internal_hashed"
|
||||||
|
|
||||||
|
-- Select the storage backend to use. By default Prosody uses flat files
|
||||||
|
-- in its configured data directory, but it also supports more backends
|
||||||
|
-- through modules. An "sql" backend is included by default, but requires
|
||||||
|
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
||||||
|
|
||||||
|
--storage = "sql" -- Default is "internal"
|
||||||
|
|
||||||
|
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
||||||
|
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
||||||
|
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
|
||||||
|
|
||||||
|
-- Archiving configuration
|
||||||
|
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
||||||
|
-- is used to synchronize conversations between multiple clients, even if
|
||||||
|
-- they are offline. This setting controls how long Prosody will keep
|
||||||
|
-- messages in the archive before removing them.
|
||||||
|
|
||||||
|
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
||||||
|
|
||||||
|
-- You can also configure messages to be stored in-memory only. For more
|
||||||
|
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
||||||
|
|
||||||
|
-- Logging configuration
|
||||||
|
-- For advanced logging see https://prosody.im/doc/logging
|
||||||
|
log = {
|
||||||
|
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
||||||
|
-- error = "prosody.err";
|
||||||
|
--info = "*syslog"; -- Uncomment this for logging to syslog
|
||||||
|
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Uncomment to enable statistics
|
||||||
|
-- For more info see https://prosody.im/doc/statistics
|
||||||
|
-- statistics = "internal"
|
||||||
|
|
||||||
|
-- Certificates
|
||||||
|
-- Every virtual host and component needs a certificate so that clients and
|
||||||
|
-- servers can securely verify its identity. Prosody will automatically load
|
||||||
|
-- certificates/keys from the directory specified here.
|
||||||
|
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
||||||
|
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
||||||
|
|
||||||
|
-- Location of directory to find certificates in (relative to main config file):
|
||||||
|
certificates = "certs"
|
||||||
|
|
||||||
|
-- HTTPS currently only supports a single certificate, specify it here:
|
||||||
|
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
||||||
|
|
||||||
|
----------- Virtual hosts -----------
|
||||||
|
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
||||||
|
-- Settings under each VirtualHost entry apply *only* to that host.
|
||||||
|
|
||||||
|
VirtualHost "one.example.org"
|
||||||
|
|
||||||
|
--VirtualHost "example.com"
|
||||||
|
-- certificate = "/path/to/example.crt"
|
||||||
|
|
||||||
|
------ Components ------
|
||||||
|
-- You can specify components to add hosts that provide special services,
|
||||||
|
-- like multi-user conferences, and transports.
|
||||||
|
-- For more information on components, see https://prosody.im/doc/components
|
||||||
|
|
||||||
|
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
||||||
|
--Component "conference.example.com" "muc"
|
||||||
|
--- Store MUC messages in an archive and allow users to access it
|
||||||
|
--modules_enabled = { "muc_mam" }
|
||||||
|
|
||||||
|
---Set up an external component (default component port is 5347)
|
||||||
|
--
|
||||||
|
-- External components allow adding various services, such as gateways/
|
||||||
|
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
||||||
|
-- see: https://prosody.im/doc/components#adding_an_external_component
|
||||||
|
--
|
||||||
|
--Component "gateway.example.com"
|
||||||
|
-- component_secret = "password"
|
251
integration/14-s2s-a-record-tls/prosody2.cfg.lua
Normal file
251
integration/14-s2s-a-record-tls/prosody2.cfg.lua
Normal file
@ -0,0 +1,251 @@
|
|||||||
|
--Important for systemd
|
||||||
|
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
||||||
|
daemonize = false
|
||||||
|
run_as_root = true
|
||||||
|
|
||||||
|
pidfile = "/run/prosody/prosody.pid"
|
||||||
|
|
||||||
|
plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
|
||||||
|
|
||||||
|
-- Prosody Example Configuration File
|
||||||
|
--
|
||||||
|
-- Information on configuring Prosody can be found on our
|
||||||
|
-- website at https://prosody.im/doc/configure
|
||||||
|
--
|
||||||
|
-- Tip: You can check that the syntax of this file is correct
|
||||||
|
-- when you have finished by running this command:
|
||||||
|
-- prosodyctl check config
|
||||||
|
-- If there are any errors, it will let you know what and where
|
||||||
|
-- they are, otherwise it will keep quiet.
|
||||||
|
--
|
||||||
|
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
||||||
|
-- blanks. Good luck, and happy Jabbering!
|
||||||
|
|
||||||
|
|
||||||
|
---------- Server-wide settings ----------
|
||||||
|
-- Settings in this section apply to the whole server and are the default settings
|
||||||
|
-- for any virtual hosts
|
||||||
|
|
||||||
|
-- This is a (by default, empty) list of accounts that are admins
|
||||||
|
-- for the server. Note that you must create the accounts separately
|
||||||
|
-- (see https://prosody.im/doc/creating_accounts for info)
|
||||||
|
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
||||||
|
admins = { }
|
||||||
|
|
||||||
|
-- Enable use of libevent for better performance under high load
|
||||||
|
-- For more information see: https://prosody.im/doc/libevent
|
||||||
|
--use_libevent = true
|
||||||
|
|
||||||
|
-- Prosody will always look in its source directory for modules, but
|
||||||
|
-- this option allows you to specify additional locations where Prosody
|
||||||
|
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
||||||
|
--plugin_paths = {}
|
||||||
|
|
||||||
|
-- This is the list of modules Prosody will load on startup.
|
||||||
|
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
||||||
|
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
||||||
|
modules_enabled = {
|
||||||
|
|
||||||
|
-- Generally required
|
||||||
|
"roster"; -- Allow users to have a roster. Recommended ;)
|
||||||
|
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
||||||
|
--"tls"; -- Add support for secure TLS on c2s/s2s connections
|
||||||
|
"dialback"; -- s2s dialback support
|
||||||
|
"disco"; -- Service discovery
|
||||||
|
|
||||||
|
-- Not essential, but recommended
|
||||||
|
"carbons"; -- Keep multiple clients in sync
|
||||||
|
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
||||||
|
"private"; -- Private XML storage (for room bookmarks, etc.)
|
||||||
|
"blocklist"; -- Allow users to block communications with other users
|
||||||
|
"vcard4"; -- User profiles (stored in PEP)
|
||||||
|
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
||||||
|
"limits"; -- Enable bandwidth limiting for XMPP connections
|
||||||
|
|
||||||
|
-- Nice to have
|
||||||
|
"version"; -- Replies to server version requests
|
||||||
|
"uptime"; -- Report how long server has been running
|
||||||
|
"time"; -- Let others know the time here on this server
|
||||||
|
"ping"; -- Replies to XMPP pings with pongs
|
||||||
|
"register"; -- Allow users to register on this server using a client and change passwords
|
||||||
|
--"mam"; -- Store messages in an archive and allow users to access it
|
||||||
|
--"csi_simple"; -- Simple Mobile optimizations
|
||||||
|
|
||||||
|
-- Admin interfaces
|
||||||
|
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
||||||
|
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
||||||
|
|
||||||
|
-- HTTP modules
|
||||||
|
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
||||||
|
--"websocket"; -- XMPP over WebSockets
|
||||||
|
--"http_files"; -- Serve static files from a directory over HTTP
|
||||||
|
|
||||||
|
-- Other specific functionality
|
||||||
|
--"groups"; -- Shared roster support
|
||||||
|
--"server_contact_info"; -- Publish contact information for this service
|
||||||
|
--"announce"; -- Send announcement to all online users
|
||||||
|
--"welcome"; -- Welcome users who register accounts
|
||||||
|
--"watchregistrations"; -- Alert admins of registrations
|
||||||
|
--"motd"; -- Send a message to users when they log in
|
||||||
|
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
||||||
|
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
||||||
|
"net_proxy";
|
||||||
|
"s2s_outgoing_proxy";
|
||||||
|
}
|
||||||
|
|
||||||
|
-- These modules are auto-loaded, but should you want
|
||||||
|
-- to disable them then uncomment them here:
|
||||||
|
modules_disabled = {
|
||||||
|
-- "offline"; -- Store offline messages
|
||||||
|
-- "c2s"; -- Handle client connections
|
||||||
|
-- "s2s"; -- Handle server-to-server connections
|
||||||
|
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Disable account creation by default, for security
|
||||||
|
-- For more information see https://prosody.im/doc/creating_accounts
|
||||||
|
allow_registration = false
|
||||||
|
|
||||||
|
-- we don't need prosody doing any encryption, xmpp-proxy does this now
|
||||||
|
-- these are likely set to true somewhere in your file, find them, make them false
|
||||||
|
-- you can also remove all certificates from your config
|
||||||
|
s2s_require_encryption = false
|
||||||
|
s2s_secure_auth = false
|
||||||
|
|
||||||
|
-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
|
||||||
|
s2s_outgoing_proxy = { "192.5.0.50", 15270 }
|
||||||
|
|
||||||
|
-- handle PROXY protocol on these ports
|
||||||
|
proxy_port_mappings = {
|
||||||
|
[15222] = "c2s",
|
||||||
|
[15269] = "s2s"
|
||||||
|
}
|
||||||
|
|
||||||
|
--[[
|
||||||
|
Specifies a list of trusted hosts or networks which may use the PROXY protocol
|
||||||
|
If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
|
||||||
|
An empty table ({}) can be configured to allow connections from any source.
|
||||||
|
Please read the module documentation about potential security impact.
|
||||||
|
]]--
|
||||||
|
proxy_trusted_proxies = {
|
||||||
|
"192.5.0.50"
|
||||||
|
}
|
||||||
|
|
||||||
|
-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
|
||||||
|
-- you might need to comment these out further down in your config file if you set them
|
||||||
|
c2s_ports = {}
|
||||||
|
legacy_ssl_ports = {}
|
||||||
|
-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
|
||||||
|
s2s_ports = {15268}
|
||||||
|
|
||||||
|
-- Force clients to use encrypted connections? This option will
|
||||||
|
-- prevent clients from authenticating unless they are using encryption.
|
||||||
|
|
||||||
|
c2s_require_encryption = false
|
||||||
|
allow_unencrypted_plain_auth = true
|
||||||
|
|
||||||
|
-- Some servers have invalid or self-signed certificates. You can list
|
||||||
|
-- remote domains here that will not be required to authenticate using
|
||||||
|
-- certificates. They will be authenticated using DNS instead, even
|
||||||
|
-- when s2s_secure_auth is enabled.
|
||||||
|
|
||||||
|
--s2s_insecure_domains = { "insecure.example" }
|
||||||
|
|
||||||
|
-- Even if you disable s2s_secure_auth, you can still require valid
|
||||||
|
-- certificates for some domains by specifying a list here.
|
||||||
|
|
||||||
|
--s2s_secure_domains = { "jabber.org" }
|
||||||
|
|
||||||
|
-- Enable rate limits for incoming client and server connections
|
||||||
|
|
||||||
|
limits = {
|
||||||
|
c2s = {
|
||||||
|
rate = "10kb/s";
|
||||||
|
};
|
||||||
|
s2sin = {
|
||||||
|
rate = "30kb/s";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Select the authentication backend to use. The 'internal' providers
|
||||||
|
-- use Prosody's configured data storage to store the authentication data.
|
||||||
|
|
||||||
|
authentication = "internal_hashed"
|
||||||
|
|
||||||
|
-- Select the storage backend to use. By default Prosody uses flat files
|
||||||
|
-- in its configured data directory, but it also supports more backends
|
||||||
|
-- through modules. An "sql" backend is included by default, but requires
|
||||||
|
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
||||||
|
|
||||||
|
--storage = "sql" -- Default is "internal"
|
||||||
|
|
||||||
|
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
||||||
|
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
||||||
|
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
|
||||||
|
|
||||||
|
-- Archiving configuration
|
||||||
|
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
||||||
|
-- is used to synchronize conversations between multiple clients, even if
|
||||||
|
-- they are offline. This setting controls how long Prosody will keep
|
||||||
|
-- messages in the archive before removing them.
|
||||||
|
|
||||||
|
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
||||||
|
|
||||||
|
-- You can also configure messages to be stored in-memory only. For more
|
||||||
|
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
||||||
|
|
||||||
|
-- Logging configuration
|
||||||
|
-- For advanced logging see https://prosody.im/doc/logging
|
||||||
|
log = {
|
||||||
|
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
||||||
|
-- error = "prosody.err";
|
||||||
|
--info = "*syslog"; -- Uncomment this for logging to syslog
|
||||||
|
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Uncomment to enable statistics
|
||||||
|
-- For more info see https://prosody.im/doc/statistics
|
||||||
|
-- statistics = "internal"
|
||||||
|
|
||||||
|
-- Certificates
|
||||||
|
-- Every virtual host and component needs a certificate so that clients and
|
||||||
|
-- servers can securely verify its identity. Prosody will automatically load
|
||||||
|
-- certificates/keys from the directory specified here.
|
||||||
|
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
||||||
|
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
||||||
|
|
||||||
|
-- Location of directory to find certificates in (relative to main config file):
|
||||||
|
certificates = "certs"
|
||||||
|
|
||||||
|
-- HTTPS currently only supports a single certificate, specify it here:
|
||||||
|
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
||||||
|
|
||||||
|
----------- Virtual hosts -----------
|
||||||
|
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
||||||
|
-- Settings under each VirtualHost entry apply *only* to that host.
|
||||||
|
|
||||||
|
VirtualHost "two.example.org"
|
||||||
|
|
||||||
|
--VirtualHost "example.com"
|
||||||
|
-- certificate = "/path/to/example.crt"
|
||||||
|
|
||||||
|
------ Components ------
|
||||||
|
-- You can specify components to add hosts that provide special services,
|
||||||
|
-- like multi-user conferences, and transports.
|
||||||
|
-- For more information on components, see https://prosody.im/doc/components
|
||||||
|
|
||||||
|
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
||||||
|
--Component "conference.example.com" "muc"
|
||||||
|
--- Store MUC messages in an archive and allow users to access it
|
||||||
|
--modules_enabled = { "muc_mam" }
|
||||||
|
|
||||||
|
---Set up an external component (default component port is 5347)
|
||||||
|
--
|
||||||
|
-- External components allow adding various services, such as gateways/
|
||||||
|
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
||||||
|
-- see: https://prosody.im/doc/components#adding_an_external_component
|
||||||
|
--
|
||||||
|
--Component "gateway.example.com"
|
||||||
|
-- component_secret = "password"
|
44
integration/14-s2s-a-record-tls/xmpp-proxy1.toml
Normal file
44
integration/14-s2s-a-record-tls/xmpp-proxy1.toml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
|
||||||
|
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
||||||
|
incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:443" ]
|
||||||
|
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
||||||
|
quic_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
||||||
|
websocket_listen = [ ]
|
||||||
|
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
||||||
|
outgoing_listen = [ "0.0.0.0:15270" ]
|
||||||
|
|
||||||
|
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
||||||
|
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
||||||
|
|
||||||
|
# c2s port backend XMPP server listens on
|
||||||
|
c2s_target = "192.5.0.20:15222"
|
||||||
|
|
||||||
|
# s2s port backend XMPP server listens on
|
||||||
|
s2s_target = "192.5.0.20:15269"
|
||||||
|
|
||||||
|
# send PROXYv1 header to backend XMPP server
|
||||||
|
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
||||||
|
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
||||||
|
proxy = true
|
||||||
|
|
||||||
|
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
||||||
|
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
||||||
|
# xmpp-proxy will use this many bytes + 16k per connection
|
||||||
|
max_stanza_size_bytes = 262_144
|
||||||
|
|
||||||
|
# TLS key/certificate valid for all your XMPP domains, PEM format
|
||||||
|
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
||||||
|
tls_key = "/etc/prosody/certs/one.example.org.key"
|
||||||
|
tls_cert = "/etc/prosody/certs/one.example.org.crt"
|
||||||
|
|
||||||
|
# configure logging, defaults are commented
|
||||||
|
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
||||||
|
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
||||||
|
#log_level = "info"
|
||||||
|
# for development/debugging:
|
||||||
|
log_level = "info,xmpp_proxy=trace"
|
||||||
|
|
||||||
|
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
||||||
|
#log_style = "never"
|
44
integration/14-s2s-a-record-tls/xmpp-proxy2.toml
Normal file
44
integration/14-s2s-a-record-tls/xmpp-proxy2.toml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
|
||||||
|
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
||||||
|
incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:443" ]
|
||||||
|
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
||||||
|
quic_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
||||||
|
websocket_listen = [ ]
|
||||||
|
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
||||||
|
outgoing_listen = [ "0.0.0.0:15270" ]
|
||||||
|
|
||||||
|
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
||||||
|
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
||||||
|
|
||||||
|
# c2s port backend XMPP server listens on
|
||||||
|
c2s_target = "192.5.0.30:15222"
|
||||||
|
|
||||||
|
# s2s port backend XMPP server listens on
|
||||||
|
s2s_target = "192.5.0.30:15269"
|
||||||
|
|
||||||
|
# send PROXYv1 header to backend XMPP server
|
||||||
|
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
||||||
|
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
||||||
|
proxy = true
|
||||||
|
|
||||||
|
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
||||||
|
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
||||||
|
# xmpp-proxy will use this many bytes + 16k per connection
|
||||||
|
max_stanza_size_bytes = 262_144
|
||||||
|
|
||||||
|
# TLS key/certificate valid for all your XMPP domains, PEM format
|
||||||
|
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
||||||
|
tls_key = "/etc/prosody/certs/two.example.org.key"
|
||||||
|
tls_cert = "/etc/prosody/certs/two.example.org.crt"
|
||||||
|
|
||||||
|
# configure logging, defaults are commented
|
||||||
|
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
||||||
|
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
||||||
|
#log_level = "info"
|
||||||
|
# for development/debugging:
|
||||||
|
log_level = "info,xmpp_proxy=trace"
|
||||||
|
|
||||||
|
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
||||||
|
#log_style = "never"
|
44
integration/14-s2s-a-record-tls/xmpp-proxy3.toml
Normal file
44
integration/14-s2s-a-record-tls/xmpp-proxy3.toml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
|
||||||
|
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
||||||
|
incoming_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
||||||
|
quic_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
||||||
|
websocket_listen = [ ]
|
||||||
|
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
||||||
|
outgoing_listen = [ "0.0.0.0:5222" ]
|
||||||
|
|
||||||
|
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
||||||
|
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
||||||
|
|
||||||
|
# c2s port backend XMPP server listens on
|
||||||
|
c2s_target = "127.0.0.1:15222"
|
||||||
|
|
||||||
|
# s2s port backend XMPP server listens on
|
||||||
|
s2s_target = "127.0.0.1:15269"
|
||||||
|
|
||||||
|
# send PROXYv1 header to backend XMPP server
|
||||||
|
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
||||||
|
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
||||||
|
proxy = true
|
||||||
|
|
||||||
|
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
||||||
|
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
||||||
|
# xmpp-proxy will use this many bytes + 16k per connection
|
||||||
|
max_stanza_size_bytes = 262_144
|
||||||
|
|
||||||
|
# TLS key/certificate valid for all your XMPP domains, PEM format
|
||||||
|
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
||||||
|
tls_key = "/etc/certs/rsa/one.example.org.key"
|
||||||
|
tls_cert = "/etc/certs/rsa/one.example.org.crt"
|
||||||
|
|
||||||
|
# configure logging, defaults are commented
|
||||||
|
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
||||||
|
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
||||||
|
#log_level = "info"
|
||||||
|
# for development/debugging:
|
||||||
|
log_level = "info,xmpp_proxy=trace"
|
||||||
|
|
||||||
|
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
||||||
|
#log_style = "never"
|
23
integration/15-s2s-srv-record-tls/example.org.zone
Normal file
23
integration/15-s2s-srv-record-tls/example.org.zone
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
$TTL 300
|
||||||
|
; example.org
|
||||||
|
@ IN SOA ns1.example.org. postmaster.example.org. (
|
||||||
|
2018111111 ; Serial
|
||||||
|
28800 ; Refresh
|
||||||
|
1800 ; Retry
|
||||||
|
604800 ; Expire - 1 week
|
||||||
|
86400 ) ; Negative Cache TTL
|
||||||
|
IN NS ns1
|
||||||
|
ns1 IN A 192.5.0.10
|
||||||
|
server1 IN A 192.5.0.20
|
||||||
|
server2 IN A 192.5.0.30
|
||||||
|
xp1 IN A 192.5.0.40
|
||||||
|
xp2 IN A 192.5.0.50
|
||||||
|
xp3 IN A 192.5.0.60
|
||||||
|
|
||||||
|
one IN CNAME xp1
|
||||||
|
two IN CNAME xp2
|
||||||
|
_xmpps-server._tcp.one IN SRV 5 1 52269 xp1
|
||||||
|
_xmpps-server._tcp.two IN SRV 5 1 52269 xp2
|
||||||
|
|
||||||
|
scansion.one IN CNAME xp3
|
||||||
|
scansion.two IN CNAME xp3
|
251
integration/15-s2s-srv-record-tls/prosody1.cfg.lua
Normal file
251
integration/15-s2s-srv-record-tls/prosody1.cfg.lua
Normal file
@ -0,0 +1,251 @@
|
|||||||
|
--Important for systemd
|
||||||
|
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
||||||
|
daemonize = false
|
||||||
|
run_as_root = true
|
||||||
|
|
||||||
|
pidfile = "/run/prosody/prosody.pid"
|
||||||
|
|
||||||
|
plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
|
||||||
|
|
||||||
|
-- Prosody Example Configuration File
|
||||||
|
--
|
||||||
|
-- Information on configuring Prosody can be found on our
|
||||||
|
-- website at https://prosody.im/doc/configure
|
||||||
|
--
|
||||||
|
-- Tip: You can check that the syntax of this file is correct
|
||||||
|
-- when you have finished by running this command:
|
||||||
|
-- prosodyctl check config
|
||||||
|
-- If there are any errors, it will let you know what and where
|
||||||
|
-- they are, otherwise it will keep quiet.
|
||||||
|
--
|
||||||
|
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
||||||
|
-- blanks. Good luck, and happy Jabbering!
|
||||||
|
|
||||||
|
|
||||||
|
---------- Server-wide settings ----------
|
||||||
|
-- Settings in this section apply to the whole server and are the default settings
|
||||||
|
-- for any virtual hosts
|
||||||
|
|
||||||
|
-- This is a (by default, empty) list of accounts that are admins
|
||||||
|
-- for the server. Note that you must create the accounts separately
|
||||||
|
-- (see https://prosody.im/doc/creating_accounts for info)
|
||||||
|
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
||||||
|
admins = { }
|
||||||
|
|
||||||
|
-- Enable use of libevent for better performance under high load
|
||||||
|
-- For more information see: https://prosody.im/doc/libevent
|
||||||
|
--use_libevent = true
|
||||||
|
|
||||||
|
-- Prosody will always look in its source directory for modules, but
|
||||||
|
-- this option allows you to specify additional locations where Prosody
|
||||||
|
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
||||||
|
--plugin_paths = {}
|
||||||
|
|
||||||
|
-- This is the list of modules Prosody will load on startup.
|
||||||
|
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
||||||
|
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
||||||
|
modules_enabled = {
|
||||||
|
|
||||||
|
-- Generally required
|
||||||
|
"roster"; -- Allow users to have a roster. Recommended ;)
|
||||||
|
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
||||||
|
--"tls"; -- Add support for secure TLS on c2s/s2s connections
|
||||||
|
"dialback"; -- s2s dialback support
|
||||||
|
"disco"; -- Service discovery
|
||||||
|
|
||||||
|
-- Not essential, but recommended
|
||||||
|
"carbons"; -- Keep multiple clients in sync
|
||||||
|
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
||||||
|
"private"; -- Private XML storage (for room bookmarks, etc.)
|
||||||
|
"blocklist"; -- Allow users to block communications with other users
|
||||||
|
"vcard4"; -- User profiles (stored in PEP)
|
||||||
|
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
||||||
|
"limits"; -- Enable bandwidth limiting for XMPP connections
|
||||||
|
|
||||||
|
-- Nice to have
|
||||||
|
"version"; -- Replies to server version requests
|
||||||
|
"uptime"; -- Report how long server has been running
|
||||||
|
"time"; -- Let others know the time here on this server
|
||||||
|
"ping"; -- Replies to XMPP pings with pongs
|
||||||
|
"register"; -- Allow users to register on this server using a client and change passwords
|
||||||
|
--"mam"; -- Store messages in an archive and allow users to access it
|
||||||
|
--"csi_simple"; -- Simple Mobile optimizations
|
||||||
|
|
||||||
|
-- Admin interfaces
|
||||||
|
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
||||||
|
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
||||||
|
|
||||||
|
-- HTTP modules
|
||||||
|
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
||||||
|
--"websocket"; -- XMPP over WebSockets
|
||||||
|
--"http_files"; -- Serve static files from a directory over HTTP
|
||||||
|
|
||||||
|
-- Other specific functionality
|
||||||
|
--"groups"; -- Shared roster support
|
||||||
|
--"server_contact_info"; -- Publish contact information for this service
|
||||||
|
--"announce"; -- Send announcement to all online users
|
||||||
|
--"welcome"; -- Welcome users who register accounts
|
||||||
|
--"watchregistrations"; -- Alert admins of registrations
|
||||||
|
--"motd"; -- Send a message to users when they log in
|
||||||
|
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
||||||
|
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
||||||
|
"net_proxy";
|
||||||
|
"s2s_outgoing_proxy";
|
||||||
|
}
|
||||||
|
|
||||||
|
-- These modules are auto-loaded, but should you want
|
||||||
|
-- to disable them then uncomment them here:
|
||||||
|
modules_disabled = {
|
||||||
|
-- "offline"; -- Store offline messages
|
||||||
|
-- "c2s"; -- Handle client connections
|
||||||
|
-- "s2s"; -- Handle server-to-server connections
|
||||||
|
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Disable account creation by default, for security
|
||||||
|
-- For more information see https://prosody.im/doc/creating_accounts
|
||||||
|
allow_registration = false
|
||||||
|
|
||||||
|
-- we don't need prosody doing any encryption, xmpp-proxy does this now
|
||||||
|
-- these are likely set to true somewhere in your file, find them, make them false
|
||||||
|
-- you can also remove all certificates from your config
|
||||||
|
s2s_require_encryption = false
|
||||||
|
s2s_secure_auth = false
|
||||||
|
|
||||||
|
-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
|
||||||
|
s2s_outgoing_proxy = { "192.5.0.40", 15270 }
|
||||||
|
|
||||||
|
-- handle PROXY protocol on these ports
|
||||||
|
proxy_port_mappings = {
|
||||||
|
[15222] = "c2s",
|
||||||
|
[15269] = "s2s"
|
||||||
|
}
|
||||||
|
|
||||||
|
--[[
|
||||||
|
Specifies a list of trusted hosts or networks which may use the PROXY protocol
|
||||||
|
If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
|
||||||
|
An empty table ({}) can be configured to allow connections from any source.
|
||||||
|
Please read the module documentation about potential security impact.
|
||||||
|
]]--
|
||||||
|
proxy_trusted_proxies = {
|
||||||
|
"192.5.0.40"
|
||||||
|
}
|
||||||
|
|
||||||
|
-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
|
||||||
|
-- you might need to comment these out further down in your config file if you set them
|
||||||
|
c2s_ports = {}
|
||||||
|
legacy_ssl_ports = {}
|
||||||
|
-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
|
||||||
|
s2s_ports = {15268}
|
||||||
|
|
||||||
|
-- Force clients to use encrypted connections? This option will
|
||||||
|
-- prevent clients from authenticating unless they are using encryption.
|
||||||
|
|
||||||
|
c2s_require_encryption = false
|
||||||
|
allow_unencrypted_plain_auth = true
|
||||||
|
|
||||||
|
-- Some servers have invalid or self-signed certificates. You can list
|
||||||
|
-- remote domains here that will not be required to authenticate using
|
||||||
|
-- certificates. They will be authenticated using DNS instead, even
|
||||||
|
-- when s2s_secure_auth is enabled.
|
||||||
|
|
||||||
|
--s2s_insecure_domains = { "insecure.example" }
|
||||||
|
|
||||||
|
-- Even if you disable s2s_secure_auth, you can still require valid
|
||||||
|
-- certificates for some domains by specifying a list here.
|
||||||
|
|
||||||
|
--s2s_secure_domains = { "jabber.org" }
|
||||||
|
|
||||||
|
-- Enable rate limits for incoming client and server connections
|
||||||
|
|
||||||
|
limits = {
|
||||||
|
c2s = {
|
||||||
|
rate = "10kb/s";
|
||||||
|
};
|
||||||
|
s2sin = {
|
||||||
|
rate = "30kb/s";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Select the authentication backend to use. The 'internal' providers
|
||||||
|
-- use Prosody's configured data storage to store the authentication data.
|
||||||
|
|
||||||
|
authentication = "internal_hashed"
|
||||||
|
|
||||||
|
-- Select the storage backend to use. By default Prosody uses flat files
|
||||||
|
-- in its configured data directory, but it also supports more backends
|
||||||
|
-- through modules. An "sql" backend is included by default, but requires
|
||||||
|
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
||||||
|
|
||||||
|
--storage = "sql" -- Default is "internal"
|
||||||
|
|
||||||
|
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
||||||
|
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
||||||
|
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
|
||||||
|
|
||||||
|
-- Archiving configuration
|
||||||
|
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
||||||
|
-- is used to synchronize conversations between multiple clients, even if
|
||||||
|
-- they are offline. This setting controls how long Prosody will keep
|
||||||
|
-- messages in the archive before removing them.
|
||||||
|
|
||||||
|
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
||||||
|
|
||||||
|
-- You can also configure messages to be stored in-memory only. For more
|
||||||
|
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
||||||
|
|
||||||
|
-- Logging configuration
|
||||||
|
-- For advanced logging see https://prosody.im/doc/logging
|
||||||
|
log = {
|
||||||
|
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
||||||
|
-- error = "prosody.err";
|
||||||
|
--info = "*syslog"; -- Uncomment this for logging to syslog
|
||||||
|
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Uncomment to enable statistics
|
||||||
|
-- For more info see https://prosody.im/doc/statistics
|
||||||
|
-- statistics = "internal"
|
||||||
|
|
||||||
|
-- Certificates
|
||||||
|
-- Every virtual host and component needs a certificate so that clients and
|
||||||
|
-- servers can securely verify its identity. Prosody will automatically load
|
||||||
|
-- certificates/keys from the directory specified here.
|
||||||
|
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
||||||
|
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
||||||
|
|
||||||
|
-- Location of directory to find certificates in (relative to main config file):
|
||||||
|
certificates = "certs"
|
||||||
|
|
||||||
|
-- HTTPS currently only supports a single certificate, specify it here:
|
||||||
|
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
||||||
|
|
||||||
|
----------- Virtual hosts -----------
|
||||||
|
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
||||||
|
-- Settings under each VirtualHost entry apply *only* to that host.
|
||||||
|
|
||||||
|
VirtualHost "one.example.org"
|
||||||
|
|
||||||
|
--VirtualHost "example.com"
|
||||||
|
-- certificate = "/path/to/example.crt"
|
||||||
|
|
||||||
|
------ Components ------
|
||||||
|
-- You can specify components to add hosts that provide special services,
|
||||||
|
-- like multi-user conferences, and transports.
|
||||||
|
-- For more information on components, see https://prosody.im/doc/components
|
||||||
|
|
||||||
|
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
||||||
|
--Component "conference.example.com" "muc"
|
||||||
|
--- Store MUC messages in an archive and allow users to access it
|
||||||
|
--modules_enabled = { "muc_mam" }
|
||||||
|
|
||||||
|
---Set up an external component (default component port is 5347)
|
||||||
|
--
|
||||||
|
-- External components allow adding various services, such as gateways/
|
||||||
|
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
||||||
|
-- see: https://prosody.im/doc/components#adding_an_external_component
|
||||||
|
--
|
||||||
|
--Component "gateway.example.com"
|
||||||
|
-- component_secret = "password"
|
251
integration/15-s2s-srv-record-tls/prosody2.cfg.lua
Normal file
251
integration/15-s2s-srv-record-tls/prosody2.cfg.lua
Normal file
@ -0,0 +1,251 @@
|
|||||||
|
--Important for systemd
|
||||||
|
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
||||||
|
daemonize = false
|
||||||
|
run_as_root = true
|
||||||
|
|
||||||
|
pidfile = "/run/prosody/prosody.pid"
|
||||||
|
|
||||||
|
plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
|
||||||
|
|
||||||
|
-- Prosody Example Configuration File
|
||||||
|
--
|
||||||
|
-- Information on configuring Prosody can be found on our
|
||||||
|
-- website at https://prosody.im/doc/configure
|
||||||
|
--
|
||||||
|
-- Tip: You can check that the syntax of this file is correct
|
||||||
|
-- when you have finished by running this command:
|
||||||
|
-- prosodyctl check config
|
||||||
|
-- If there are any errors, it will let you know what and where
|
||||||
|
-- they are, otherwise it will keep quiet.
|
||||||
|
--
|
||||||
|
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
||||||
|
-- blanks. Good luck, and happy Jabbering!
|
||||||
|
|
||||||
|
|
||||||
|
---------- Server-wide settings ----------
|
||||||
|
-- Settings in this section apply to the whole server and are the default settings
|
||||||
|
-- for any virtual hosts
|
||||||
|
|
||||||
|
-- This is a (by default, empty) list of accounts that are admins
|
||||||
|
-- for the server. Note that you must create the accounts separately
|
||||||
|
-- (see https://prosody.im/doc/creating_accounts for info)
|
||||||
|
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
||||||
|
admins = { }
|
||||||
|
|
||||||
|
-- Enable use of libevent for better performance under high load
|
||||||
|
-- For more information see: https://prosody.im/doc/libevent
|
||||||
|
--use_libevent = true
|
||||||
|
|
||||||
|
-- Prosody will always look in its source directory for modules, but
|
||||||
|
-- this option allows you to specify additional locations where Prosody
|
||||||
|
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
||||||
|
--plugin_paths = {}
|
||||||
|
|
||||||
|
-- This is the list of modules Prosody will load on startup.
|
||||||
|
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
||||||
|
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
||||||
|
modules_enabled = {
|
||||||
|
|
||||||
|
-- Generally required
|
||||||
|
"roster"; -- Allow users to have a roster. Recommended ;)
|
||||||
|
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
||||||
|
--"tls"; -- Add support for secure TLS on c2s/s2s connections
|
||||||
|
"dialback"; -- s2s dialback support
|
||||||
|
"disco"; -- Service discovery
|
||||||
|
|
||||||
|
-- Not essential, but recommended
|
||||||
|
"carbons"; -- Keep multiple clients in sync
|
||||||
|
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
||||||
|
"private"; -- Private XML storage (for room bookmarks, etc.)
|
||||||
|
"blocklist"; -- Allow users to block communications with other users
|
||||||
|
"vcard4"; -- User profiles (stored in PEP)
|
||||||
|
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
||||||
|
"limits"; -- Enable bandwidth limiting for XMPP connections
|
||||||
|
|
||||||
|
-- Nice to have
|
||||||
|
"version"; -- Replies to server version requests
|
||||||
|
"uptime"; -- Report how long server has been running
|
||||||
|
"time"; -- Let others know the time here on this server
|
||||||
|
"ping"; -- Replies to XMPP pings with pongs
|
||||||
|
"register"; -- Allow users to register on this server using a client and change passwords
|
||||||
|
--"mam"; -- Store messages in an archive and allow users to access it
|
||||||
|
--"csi_simple"; -- Simple Mobile optimizations
|
||||||
|
|
||||||
|
-- Admin interfaces
|
||||||
|
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
||||||
|
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
||||||
|
|
||||||
|
-- HTTP modules
|
||||||
|
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
||||||
|
--"websocket"; -- XMPP over WebSockets
|
||||||
|
--"http_files"; -- Serve static files from a directory over HTTP
|
||||||
|
|
||||||
|
-- Other specific functionality
|
||||||
|
--"groups"; -- Shared roster support
|
||||||
|
--"server_contact_info"; -- Publish contact information for this service
|
||||||
|
--"announce"; -- Send announcement to all online users
|
||||||
|
--"welcome"; -- Welcome users who register accounts
|
||||||
|
--"watchregistrations"; -- Alert admins of registrations
|
||||||
|
--"motd"; -- Send a message to users when they log in
|
||||||
|
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
||||||
|
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
||||||
|
"net_proxy";
|
||||||
|
"s2s_outgoing_proxy";
|
||||||
|
}
|
||||||
|
|
||||||
|
-- These modules are auto-loaded, but should you want
|
||||||
|
-- to disable them then uncomment them here:
|
||||||
|
modules_disabled = {
|
||||||
|
-- "offline"; -- Store offline messages
|
||||||
|
-- "c2s"; -- Handle client connections
|
||||||
|
-- "s2s"; -- Handle server-to-server connections
|
||||||
|
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Disable account creation by default, for security
|
||||||
|
-- For more information see https://prosody.im/doc/creating_accounts
|
||||||
|
allow_registration = false
|
||||||
|
|
||||||
|
-- we don't need prosody doing any encryption, xmpp-proxy does this now
|
||||||
|
-- these are likely set to true somewhere in your file, find them, make them false
|
||||||
|
-- you can also remove all certificates from your config
|
||||||
|
s2s_require_encryption = false
|
||||||
|
s2s_secure_auth = false
|
||||||
|
|
||||||
|
-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
|
||||||
|
s2s_outgoing_proxy = { "192.5.0.50", 15270 }
|
||||||
|
|
||||||
|
-- handle PROXY protocol on these ports
|
||||||
|
proxy_port_mappings = {
|
||||||
|
[15222] = "c2s",
|
||||||
|
[15269] = "s2s"
|
||||||
|
}
|
||||||
|
|
||||||
|
--[[
|
||||||
|
Specifies a list of trusted hosts or networks which may use the PROXY protocol
|
||||||
|
If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
|
||||||
|
An empty table ({}) can be configured to allow connections from any source.
|
||||||
|
Please read the module documentation about potential security impact.
|
||||||
|
]]--
|
||||||
|
proxy_trusted_proxies = {
|
||||||
|
"192.5.0.50"
|
||||||
|
}
|
||||||
|
|
||||||
|
-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
|
||||||
|
-- you might need to comment these out further down in your config file if you set them
|
||||||
|
c2s_ports = {}
|
||||||
|
legacy_ssl_ports = {}
|
||||||
|
-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
|
||||||
|
s2s_ports = {15268}
|
||||||
|
|
||||||
|
-- Force clients to use encrypted connections? This option will
|
||||||
|
-- prevent clients from authenticating unless they are using encryption.
|
||||||
|
|
||||||
|
c2s_require_encryption = false
|
||||||
|
allow_unencrypted_plain_auth = true
|
||||||
|
|
||||||
|
-- Some servers have invalid or self-signed certificates. You can list
|
||||||
|
-- remote domains here that will not be required to authenticate using
|
||||||
|
-- certificates. They will be authenticated using DNS instead, even
|
||||||
|
-- when s2s_secure_auth is enabled.
|
||||||
|
|
||||||
|
--s2s_insecure_domains = { "insecure.example" }
|
||||||
|
|
||||||
|
-- Even if you disable s2s_secure_auth, you can still require valid
|
||||||
|
-- certificates for some domains by specifying a list here.
|
||||||
|
|
||||||
|
--s2s_secure_domains = { "jabber.org" }
|
||||||
|
|
||||||
|
-- Enable rate limits for incoming client and server connections
|
||||||
|
|
||||||
|
limits = {
|
||||||
|
c2s = {
|
||||||
|
rate = "10kb/s";
|
||||||
|
};
|
||||||
|
s2sin = {
|
||||||
|
rate = "30kb/s";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Select the authentication backend to use. The 'internal' providers
|
||||||
|
-- use Prosody's configured data storage to store the authentication data.
|
||||||
|
|
||||||
|
authentication = "internal_hashed"
|
||||||
|
|
||||||
|
-- Select the storage backend to use. By default Prosody uses flat files
|
||||||
|
-- in its configured data directory, but it also supports more backends
|
||||||
|
-- through modules. An "sql" backend is included by default, but requires
|
||||||
|
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
||||||
|
|
||||||
|
--storage = "sql" -- Default is "internal"
|
||||||
|
|
||||||
|
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
||||||
|
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
||||||
|
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
|
||||||
|
|
||||||
|
-- Archiving configuration
|
||||||
|
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
||||||
|
-- is used to synchronize conversations between multiple clients, even if
|
||||||
|
-- they are offline. This setting controls how long Prosody will keep
|
||||||
|
-- messages in the archive before removing them.
|
||||||
|
|
||||||
|
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
||||||
|
|
||||||
|
-- You can also configure messages to be stored in-memory only. For more
|
||||||
|
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
||||||
|
|
||||||
|
-- Logging configuration
|
||||||
|
-- For advanced logging see https://prosody.im/doc/logging
|
||||||
|
log = {
|
||||||
|
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
||||||
|
-- error = "prosody.err";
|
||||||
|
--info = "*syslog"; -- Uncomment this for logging to syslog
|
||||||
|
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Uncomment to enable statistics
|
||||||
|
-- For more info see https://prosody.im/doc/statistics
|
||||||
|
-- statistics = "internal"
|
||||||
|
|
||||||
|
-- Certificates
|
||||||
|
-- Every virtual host and component needs a certificate so that clients and
|
||||||
|
-- servers can securely verify its identity. Prosody will automatically load
|
||||||
|
-- certificates/keys from the directory specified here.
|
||||||
|
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
||||||
|
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
||||||
|
|
||||||
|
-- Location of directory to find certificates in (relative to main config file):
|
||||||
|
certificates = "certs"
|
||||||
|
|
||||||
|
-- HTTPS currently only supports a single certificate, specify it here:
|
||||||
|
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
||||||
|
|
||||||
|
----------- Virtual hosts -----------
|
||||||
|
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
||||||
|
-- Settings under each VirtualHost entry apply *only* to that host.
|
||||||
|
|
||||||
|
VirtualHost "two.example.org"
|
||||||
|
|
||||||
|
--VirtualHost "example.com"
|
||||||
|
-- certificate = "/path/to/example.crt"
|
||||||
|
|
||||||
|
------ Components ------
|
||||||
|
-- You can specify components to add hosts that provide special services,
|
||||||
|
-- like multi-user conferences, and transports.
|
||||||
|
-- For more information on components, see https://prosody.im/doc/components
|
||||||
|
|
||||||
|
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
||||||
|
--Component "conference.example.com" "muc"
|
||||||
|
--- Store MUC messages in an archive and allow users to access it
|
||||||
|
--modules_enabled = { "muc_mam" }
|
||||||
|
|
||||||
|
---Set up an external component (default component port is 5347)
|
||||||
|
--
|
||||||
|
-- External components allow adding various services, such as gateways/
|
||||||
|
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
||||||
|
-- see: https://prosody.im/doc/components#adding_an_external_component
|
||||||
|
--
|
||||||
|
--Component "gateway.example.com"
|
||||||
|
-- component_secret = "password"
|
44
integration/15-s2s-srv-record-tls/xmpp-proxy1.toml
Normal file
44
integration/15-s2s-srv-record-tls/xmpp-proxy1.toml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
|
||||||
|
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
||||||
|
incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:52269" ]
|
||||||
|
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
||||||
|
quic_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
||||||
|
websocket_listen = [ ]
|
||||||
|
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
||||||
|
outgoing_listen = [ "0.0.0.0:15270" ]
|
||||||
|
|
||||||
|
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
||||||
|
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
||||||
|
|
||||||
|
# c2s port backend XMPP server listens on
|
||||||
|
c2s_target = "192.5.0.20:15222"
|
||||||
|
|
||||||
|
# s2s port backend XMPP server listens on
|
||||||
|
s2s_target = "192.5.0.20:15269"
|
||||||
|
|
||||||
|
# send PROXYv1 header to backend XMPP server
|
||||||
|
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
||||||
|
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
||||||
|
proxy = true
|
||||||
|
|
||||||
|
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
||||||
|
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
||||||
|
# xmpp-proxy will use this many bytes + 16k per connection
|
||||||
|
max_stanza_size_bytes = 262_144
|
||||||
|
|
||||||
|
# TLS key/certificate valid for all your XMPP domains, PEM format
|
||||||
|
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
||||||
|
tls_key = "/etc/prosody/certs/one.example.org.key"
|
||||||
|
tls_cert = "/etc/prosody/certs/one.example.org.crt"
|
||||||
|
|
||||||
|
# configure logging, defaults are commented
|
||||||
|
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
||||||
|
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
||||||
|
#log_level = "info"
|
||||||
|
# for development/debugging:
|
||||||
|
log_level = "info,xmpp_proxy=trace"
|
||||||
|
|
||||||
|
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
||||||
|
#log_style = "never"
|
44
integration/15-s2s-srv-record-tls/xmpp-proxy2.toml
Normal file
44
integration/15-s2s-srv-record-tls/xmpp-proxy2.toml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
|
||||||
|
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
||||||
|
incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:52269" ]
|
||||||
|
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
||||||
|
quic_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
||||||
|
websocket_listen = [ ]
|
||||||
|
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
||||||
|
outgoing_listen = [ "0.0.0.0:15270" ]
|
||||||
|
|
||||||
|
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
||||||
|
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
||||||
|
|
||||||
|
# c2s port backend XMPP server listens on
|
||||||
|
c2s_target = "192.5.0.30:15222"
|
||||||
|
|
||||||
|
# s2s port backend XMPP server listens on
|
||||||
|
s2s_target = "192.5.0.30:15269"
|
||||||
|
|
||||||
|
# send PROXYv1 header to backend XMPP server
|
||||||
|
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
||||||
|
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
||||||
|
proxy = true
|
||||||
|
|
||||||
|
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
||||||
|
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
||||||
|
# xmpp-proxy will use this many bytes + 16k per connection
|
||||||
|
max_stanza_size_bytes = 262_144
|
||||||
|
|
||||||
|
# TLS key/certificate valid for all your XMPP domains, PEM format
|
||||||
|
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
||||||
|
tls_key = "/etc/prosody/certs/two.example.org.key"
|
||||||
|
tls_cert = "/etc/prosody/certs/two.example.org.crt"
|
||||||
|
|
||||||
|
# configure logging, defaults are commented
|
||||||
|
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
||||||
|
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
||||||
|
#log_level = "info"
|
||||||
|
# for development/debugging:
|
||||||
|
log_level = "info,xmpp_proxy=trace"
|
||||||
|
|
||||||
|
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
||||||
|
#log_style = "never"
|
44
integration/15-s2s-srv-record-tls/xmpp-proxy3.toml
Normal file
44
integration/15-s2s-srv-record-tls/xmpp-proxy3.toml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
|
||||||
|
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
||||||
|
incoming_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
||||||
|
quic_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
||||||
|
websocket_listen = [ ]
|
||||||
|
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
||||||
|
outgoing_listen = [ "0.0.0.0:5222" ]
|
||||||
|
|
||||||
|
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
||||||
|
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
||||||
|
|
||||||
|
# c2s port backend XMPP server listens on
|
||||||
|
c2s_target = "127.0.0.1:15222"
|
||||||
|
|
||||||
|
# s2s port backend XMPP server listens on
|
||||||
|
s2s_target = "127.0.0.1:15269"
|
||||||
|
|
||||||
|
# send PROXYv1 header to backend XMPP server
|
||||||
|
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
||||||
|
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
||||||
|
proxy = true
|
||||||
|
|
||||||
|
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
||||||
|
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
||||||
|
# xmpp-proxy will use this many bytes + 16k per connection
|
||||||
|
max_stanza_size_bytes = 262_144
|
||||||
|
|
||||||
|
# TLS key/certificate valid for all your XMPP domains, PEM format
|
||||||
|
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
||||||
|
tls_key = "/etc/certs/rsa/one.example.org.key"
|
||||||
|
tls_cert = "/etc/certs/rsa/one.example.org.crt"
|
||||||
|
|
||||||
|
# configure logging, defaults are commented
|
||||||
|
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
||||||
|
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
||||||
|
#log_level = "info"
|
||||||
|
# for development/debugging:
|
||||||
|
log_level = "info,xmpp_proxy=trace"
|
||||||
|
|
||||||
|
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
||||||
|
#log_style = "never"
|
21
integration/16-s2s-a-record-quic/example.org.zone
Normal file
21
integration/16-s2s-a-record-quic/example.org.zone
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
$TTL 300
|
||||||
|
; example.org
|
||||||
|
@ IN SOA ns1.example.org. postmaster.example.org. (
|
||||||
|
2018111111 ; Serial
|
||||||
|
28800 ; Refresh
|
||||||
|
1800 ; Retry
|
||||||
|
604800 ; Expire - 1 week
|
||||||
|
86400 ) ; Negative Cache TTL
|
||||||
|
IN NS ns1
|
||||||
|
ns1 IN A 192.5.0.10
|
||||||
|
server1 IN A 192.5.0.20
|
||||||
|
server2 IN A 192.5.0.30
|
||||||
|
xp1 IN A 192.5.0.40
|
||||||
|
xp2 IN A 192.5.0.50
|
||||||
|
xp3 IN A 192.5.0.60
|
||||||
|
|
||||||
|
one IN CNAME xp1
|
||||||
|
two IN CNAME xp2
|
||||||
|
|
||||||
|
scansion.one IN CNAME xp3
|
||||||
|
scansion.two IN CNAME xp3
|
251
integration/16-s2s-a-record-quic/prosody1.cfg.lua
Normal file
251
integration/16-s2s-a-record-quic/prosody1.cfg.lua
Normal file
@ -0,0 +1,251 @@
|
|||||||
|
--Important for systemd
|
||||||
|
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
||||||
|
daemonize = false
|
||||||
|
run_as_root = true
|
||||||
|
|
||||||
|
pidfile = "/run/prosody/prosody.pid"
|
||||||
|
|
||||||
|
plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
|
||||||
|
|
||||||
|
-- Prosody Example Configuration File
|
||||||
|
--
|
||||||
|
-- Information on configuring Prosody can be found on our
|
||||||
|
-- website at https://prosody.im/doc/configure
|
||||||
|
--
|
||||||
|
-- Tip: You can check that the syntax of this file is correct
|
||||||
|
-- when you have finished by running this command:
|
||||||
|
-- prosodyctl check config
|
||||||
|
-- If there are any errors, it will let you know what and where
|
||||||
|
-- they are, otherwise it will keep quiet.
|
||||||
|
--
|
||||||
|
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
||||||
|
-- blanks. Good luck, and happy Jabbering!
|
||||||
|
|
||||||
|
|
||||||
|
---------- Server-wide settings ----------
|
||||||
|
-- Settings in this section apply to the whole server and are the default settings
|
||||||
|
-- for any virtual hosts
|
||||||
|
|
||||||
|
-- This is a (by default, empty) list of accounts that are admins
|
||||||
|
-- for the server. Note that you must create the accounts separately
|
||||||
|
-- (see https://prosody.im/doc/creating_accounts for info)
|
||||||
|
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
||||||
|
admins = { }
|
||||||
|
|
||||||
|
-- Enable use of libevent for better performance under high load
|
||||||
|
-- For more information see: https://prosody.im/doc/libevent
|
||||||
|
--use_libevent = true
|
||||||
|
|
||||||
|
-- Prosody will always look in its source directory for modules, but
|
||||||
|
-- this option allows you to specify additional locations where Prosody
|
||||||
|
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
||||||
|
--plugin_paths = {}
|
||||||
|
|
||||||
|
-- This is the list of modules Prosody will load on startup.
|
||||||
|
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
||||||
|
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
||||||
|
modules_enabled = {
|
||||||
|
|
||||||
|
-- Generally required
|
||||||
|
"roster"; -- Allow users to have a roster. Recommended ;)
|
||||||
|
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
||||||
|
--"tls"; -- Add support for secure TLS on c2s/s2s connections
|
||||||
|
"dialback"; -- s2s dialback support
|
||||||
|
"disco"; -- Service discovery
|
||||||
|
|
||||||
|
-- Not essential, but recommended
|
||||||
|
"carbons"; -- Keep multiple clients in sync
|
||||||
|
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
||||||
|
"private"; -- Private XML storage (for room bookmarks, etc.)
|
||||||
|
"blocklist"; -- Allow users to block communications with other users
|
||||||
|
"vcard4"; -- User profiles (stored in PEP)
|
||||||
|
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
||||||
|
"limits"; -- Enable bandwidth limiting for XMPP connections
|
||||||
|
|
||||||
|
-- Nice to have
|
||||||
|
"version"; -- Replies to server version requests
|
||||||
|
"uptime"; -- Report how long server has been running
|
||||||
|
"time"; -- Let others know the time here on this server
|
||||||
|
"ping"; -- Replies to XMPP pings with pongs
|
||||||
|
"register"; -- Allow users to register on this server using a client and change passwords
|
||||||
|
--"mam"; -- Store messages in an archive and allow users to access it
|
||||||
|
--"csi_simple"; -- Simple Mobile optimizations
|
||||||
|
|
||||||
|
-- Admin interfaces
|
||||||
|
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
||||||
|
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
||||||
|
|
||||||
|
-- HTTP modules
|
||||||
|
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
||||||
|
--"websocket"; -- XMPP over WebSockets
|
||||||
|
--"http_files"; -- Serve static files from a directory over HTTP
|
||||||
|
|
||||||
|
-- Other specific functionality
|
||||||
|
--"groups"; -- Shared roster support
|
||||||
|
--"server_contact_info"; -- Publish contact information for this service
|
||||||
|
--"announce"; -- Send announcement to all online users
|
||||||
|
--"welcome"; -- Welcome users who register accounts
|
||||||
|
--"watchregistrations"; -- Alert admins of registrations
|
||||||
|
--"motd"; -- Send a message to users when they log in
|
||||||
|
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
||||||
|
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
||||||
|
"net_proxy";
|
||||||
|
"s2s_outgoing_proxy";
|
||||||
|
}
|
||||||
|
|
||||||
|
-- These modules are auto-loaded, but should you want
|
||||||
|
-- to disable them then uncomment them here:
|
||||||
|
modules_disabled = {
|
||||||
|
-- "offline"; -- Store offline messages
|
||||||
|
-- "c2s"; -- Handle client connections
|
||||||
|
-- "s2s"; -- Handle server-to-server connections
|
||||||
|
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Disable account creation by default, for security
|
||||||
|
-- For more information see https://prosody.im/doc/creating_accounts
|
||||||
|
allow_registration = false
|
||||||
|
|
||||||
|
-- we don't need prosody doing any encryption, xmpp-proxy does this now
|
||||||
|
-- these are likely set to true somewhere in your file, find them, make them false
|
||||||
|
-- you can also remove all certificates from your config
|
||||||
|
s2s_require_encryption = false
|
||||||
|
s2s_secure_auth = false
|
||||||
|
|
||||||
|
-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
|
||||||
|
s2s_outgoing_proxy = { "192.5.0.40", 15270 }
|
||||||
|
|
||||||
|
-- handle PROXY protocol on these ports
|
||||||
|
proxy_port_mappings = {
|
||||||
|
[15222] = "c2s",
|
||||||
|
[15269] = "s2s"
|
||||||
|
}
|
||||||
|
|
||||||
|
--[[
|
||||||
|
Specifies a list of trusted hosts or networks which may use the PROXY protocol
|
||||||
|
If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
|
||||||
|
An empty table ({}) can be configured to allow connections from any source.
|
||||||
|
Please read the module documentation about potential security impact.
|
||||||
|
]]--
|
||||||
|
proxy_trusted_proxies = {
|
||||||
|
"192.5.0.40"
|
||||||
|
}
|
||||||
|
|
||||||
|
-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
|
||||||
|
-- you might need to comment these out further down in your config file if you set them
|
||||||
|
c2s_ports = {}
|
||||||
|
legacy_ssl_ports = {}
|
||||||
|
-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
|
||||||
|
s2s_ports = {15268}
|
||||||
|
|
||||||
|
-- Force clients to use encrypted connections? This option will
|
||||||
|
-- prevent clients from authenticating unless they are using encryption.
|
||||||
|
|
||||||
|
c2s_require_encryption = false
|
||||||
|
allow_unencrypted_plain_auth = true
|
||||||
|
|
||||||
|
-- Some servers have invalid or self-signed certificates. You can list
|
||||||
|
-- remote domains here that will not be required to authenticate using
|
||||||
|
-- certificates. They will be authenticated using DNS instead, even
|
||||||
|
-- when s2s_secure_auth is enabled.
|
||||||
|
|
||||||
|
--s2s_insecure_domains = { "insecure.example" }
|
||||||
|
|
||||||
|
-- Even if you disable s2s_secure_auth, you can still require valid
|
||||||
|
-- certificates for some domains by specifying a list here.
|
||||||
|
|
||||||
|
--s2s_secure_domains = { "jabber.org" }
|
||||||
|
|
||||||
|
-- Enable rate limits for incoming client and server connections
|
||||||
|
|
||||||
|
limits = {
|
||||||
|
c2s = {
|
||||||
|
rate = "10kb/s";
|
||||||
|
};
|
||||||
|
s2sin = {
|
||||||
|
rate = "30kb/s";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Select the authentication backend to use. The 'internal' providers
|
||||||
|
-- use Prosody's configured data storage to store the authentication data.
|
||||||
|
|
||||||
|
authentication = "internal_hashed"
|
||||||
|
|
||||||
|
-- Select the storage backend to use. By default Prosody uses flat files
|
||||||
|
-- in its configured data directory, but it also supports more backends
|
||||||
|
-- through modules. An "sql" backend is included by default, but requires
|
||||||
|
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
||||||
|
|
||||||
|
--storage = "sql" -- Default is "internal"
|
||||||
|
|
||||||
|
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
||||||
|
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
||||||
|
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
|
||||||
|
|
||||||
|
-- Archiving configuration
|
||||||
|
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
||||||
|
-- is used to synchronize conversations between multiple clients, even if
|
||||||
|
-- they are offline. This setting controls how long Prosody will keep
|
||||||
|
-- messages in the archive before removing them.
|
||||||
|
|
||||||
|
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
||||||
|
|
||||||
|
-- You can also configure messages to be stored in-memory only. For more
|
||||||
|
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
||||||
|
|
||||||
|
-- Logging configuration
|
||||||
|
-- For advanced logging see https://prosody.im/doc/logging
|
||||||
|
log = {
|
||||||
|
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
||||||
|
-- error = "prosody.err";
|
||||||
|
--info = "*syslog"; -- Uncomment this for logging to syslog
|
||||||
|
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Uncomment to enable statistics
|
||||||
|
-- For more info see https://prosody.im/doc/statistics
|
||||||
|
-- statistics = "internal"
|
||||||
|
|
||||||
|
-- Certificates
|
||||||
|
-- Every virtual host and component needs a certificate so that clients and
|
||||||
|
-- servers can securely verify its identity. Prosody will automatically load
|
||||||
|
-- certificates/keys from the directory specified here.
|
||||||
|
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
||||||
|
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
||||||
|
|
||||||
|
-- Location of directory to find certificates in (relative to main config file):
|
||||||
|
certificates = "certs"
|
||||||
|
|
||||||
|
-- HTTPS currently only supports a single certificate, specify it here:
|
||||||
|
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
||||||
|
|
||||||
|
----------- Virtual hosts -----------
|
||||||
|
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
||||||
|
-- Settings under each VirtualHost entry apply *only* to that host.
|
||||||
|
|
||||||
|
VirtualHost "one.example.org"
|
||||||
|
|
||||||
|
--VirtualHost "example.com"
|
||||||
|
-- certificate = "/path/to/example.crt"
|
||||||
|
|
||||||
|
------ Components ------
|
||||||
|
-- You can specify components to add hosts that provide special services,
|
||||||
|
-- like multi-user conferences, and transports.
|
||||||
|
-- For more information on components, see https://prosody.im/doc/components
|
||||||
|
|
||||||
|
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
||||||
|
--Component "conference.example.com" "muc"
|
||||||
|
--- Store MUC messages in an archive and allow users to access it
|
||||||
|
--modules_enabled = { "muc_mam" }
|
||||||
|
|
||||||
|
---Set up an external component (default component port is 5347)
|
||||||
|
--
|
||||||
|
-- External components allow adding various services, such as gateways/
|
||||||
|
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
||||||
|
-- see: https://prosody.im/doc/components#adding_an_external_component
|
||||||
|
--
|
||||||
|
--Component "gateway.example.com"
|
||||||
|
-- component_secret = "password"
|
251
integration/16-s2s-a-record-quic/prosody2.cfg.lua
Normal file
251
integration/16-s2s-a-record-quic/prosody2.cfg.lua
Normal file
@ -0,0 +1,251 @@
|
|||||||
|
--Important for systemd
|
||||||
|
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
||||||
|
daemonize = false
|
||||||
|
run_as_root = true
|
||||||
|
|
||||||
|
pidfile = "/run/prosody/prosody.pid"
|
||||||
|
|
||||||
|
plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
|
||||||
|
|
||||||
|
-- Prosody Example Configuration File
|
||||||
|
--
|
||||||
|
-- Information on configuring Prosody can be found on our
|
||||||
|
-- website at https://prosody.im/doc/configure
|
||||||
|
--
|
||||||
|
-- Tip: You can check that the syntax of this file is correct
|
||||||
|
-- when you have finished by running this command:
|
||||||
|
-- prosodyctl check config
|
||||||
|
-- If there are any errors, it will let you know what and where
|
||||||
|
-- they are, otherwise it will keep quiet.
|
||||||
|
--
|
||||||
|
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
||||||
|
-- blanks. Good luck, and happy Jabbering!
|
||||||
|
|
||||||
|
|
||||||
|
---------- Server-wide settings ----------
|
||||||
|
-- Settings in this section apply to the whole server and are the default settings
|
||||||
|
-- for any virtual hosts
|
||||||
|
|
||||||
|
-- This is a (by default, empty) list of accounts that are admins
|
||||||
|
-- for the server. Note that you must create the accounts separately
|
||||||
|
-- (see https://prosody.im/doc/creating_accounts for info)
|
||||||
|
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
||||||
|
admins = { }
|
||||||
|
|
||||||
|
-- Enable use of libevent for better performance under high load
|
||||||
|
-- For more information see: https://prosody.im/doc/libevent
|
||||||
|
--use_libevent = true
|
||||||
|
|
||||||
|
-- Prosody will always look in its source directory for modules, but
|
||||||
|
-- this option allows you to specify additional locations where Prosody
|
||||||
|
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
||||||
|
--plugin_paths = {}
|
||||||
|
|
||||||
|
-- This is the list of modules Prosody will load on startup.
|
||||||
|
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
||||||
|
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
||||||
|
modules_enabled = {
|
||||||
|
|
||||||
|
-- Generally required
|
||||||
|
"roster"; -- Allow users to have a roster. Recommended ;)
|
||||||
|
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
||||||
|
--"tls"; -- Add support for secure TLS on c2s/s2s connections
|
||||||
|
"dialback"; -- s2s dialback support
|
||||||
|
"disco"; -- Service discovery
|
||||||
|
|
||||||
|
-- Not essential, but recommended
|
||||||
|
"carbons"; -- Keep multiple clients in sync
|
||||||
|
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
||||||
|
"private"; -- Private XML storage (for room bookmarks, etc.)
|
||||||
|
"blocklist"; -- Allow users to block communications with other users
|
||||||
|
"vcard4"; -- User profiles (stored in PEP)
|
||||||
|
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
||||||
|
"limits"; -- Enable bandwidth limiting for XMPP connections
|
||||||
|
|
||||||
|
-- Nice to have
|
||||||
|
"version"; -- Replies to server version requests
|
||||||
|
"uptime"; -- Report how long server has been running
|
||||||
|
"time"; -- Let others know the time here on this server
|
||||||
|
"ping"; -- Replies to XMPP pings with pongs
|
||||||
|
"register"; -- Allow users to register on this server using a client and change passwords
|
||||||
|
--"mam"; -- Store messages in an archive and allow users to access it
|
||||||
|
--"csi_simple"; -- Simple Mobile optimizations
|
||||||
|
|
||||||
|
-- Admin interfaces
|
||||||
|
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
||||||
|
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
||||||
|
|
||||||
|
-- HTTP modules
|
||||||
|
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
||||||
|
--"websocket"; -- XMPP over WebSockets
|
||||||
|
--"http_files"; -- Serve static files from a directory over HTTP
|
||||||
|
|
||||||
|
-- Other specific functionality
|
||||||
|
--"groups"; -- Shared roster support
|
||||||
|
--"server_contact_info"; -- Publish contact information for this service
|
||||||
|
--"announce"; -- Send announcement to all online users
|
||||||
|
--"welcome"; -- Welcome users who register accounts
|
||||||
|
--"watchregistrations"; -- Alert admins of registrations
|
||||||
|
--"motd"; -- Send a message to users when they log in
|
||||||
|
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
||||||
|
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
||||||
|
"net_proxy";
|
||||||
|
"s2s_outgoing_proxy";
|
||||||
|
}
|
||||||
|
|
||||||
|
-- These modules are auto-loaded, but should you want
|
||||||
|
-- to disable them then uncomment them here:
|
||||||
|
modules_disabled = {
|
||||||
|
-- "offline"; -- Store offline messages
|
||||||
|
-- "c2s"; -- Handle client connections
|
||||||
|
-- "s2s"; -- Handle server-to-server connections
|
||||||
|
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Disable account creation by default, for security
|
||||||
|
-- For more information see https://prosody.im/doc/creating_accounts
|
||||||
|
allow_registration = false
|
||||||
|
|
||||||
|
-- we don't need prosody doing any encryption, xmpp-proxy does this now
|
||||||
|
-- these are likely set to true somewhere in your file, find them, make them false
|
||||||
|
-- you can also remove all certificates from your config
|
||||||
|
s2s_require_encryption = false
|
||||||
|
s2s_secure_auth = false
|
||||||
|
|
||||||
|
-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
|
||||||
|
s2s_outgoing_proxy = { "192.5.0.50", 15270 }
|
||||||
|
|
||||||
|
-- handle PROXY protocol on these ports
|
||||||
|
proxy_port_mappings = {
|
||||||
|
[15222] = "c2s",
|
||||||
|
[15269] = "s2s"
|
||||||
|
}
|
||||||
|
|
||||||
|
--[[
|
||||||
|
Specifies a list of trusted hosts or networks which may use the PROXY protocol
|
||||||
|
If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
|
||||||
|
An empty table ({}) can be configured to allow connections from any source.
|
||||||
|
Please read the module documentation about potential security impact.
|
||||||
|
]]--
|
||||||
|
proxy_trusted_proxies = {
|
||||||
|
"192.5.0.50"
|
||||||
|
}
|
||||||
|
|
||||||
|
-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
|
||||||
|
-- you might need to comment these out further down in your config file if you set them
|
||||||
|
c2s_ports = {}
|
||||||
|
legacy_ssl_ports = {}
|
||||||
|
-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
|
||||||
|
s2s_ports = {15268}
|
||||||
|
|
||||||
|
-- Force clients to use encrypted connections? This option will
|
||||||
|
-- prevent clients from authenticating unless they are using encryption.
|
||||||
|
|
||||||
|
c2s_require_encryption = false
|
||||||
|
allow_unencrypted_plain_auth = true
|
||||||
|
|
||||||
|
-- Some servers have invalid or self-signed certificates. You can list
|
||||||
|
-- remote domains here that will not be required to authenticate using
|
||||||
|
-- certificates. They will be authenticated using DNS instead, even
|
||||||
|
-- when s2s_secure_auth is enabled.
|
||||||
|
|
||||||
|
--s2s_insecure_domains = { "insecure.example" }
|
||||||
|
|
||||||
|
-- Even if you disable s2s_secure_auth, you can still require valid
|
||||||
|
-- certificates for some domains by specifying a list here.
|
||||||
|
|
||||||
|
--s2s_secure_domains = { "jabber.org" }
|
||||||
|
|
||||||
|
-- Enable rate limits for incoming client and server connections
|
||||||
|
|
||||||
|
limits = {
|
||||||
|
c2s = {
|
||||||
|
rate = "10kb/s";
|
||||||
|
};
|
||||||
|
s2sin = {
|
||||||
|
rate = "30kb/s";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Select the authentication backend to use. The 'internal' providers
|
||||||
|
-- use Prosody's configured data storage to store the authentication data.
|
||||||
|
|
||||||
|
authentication = "internal_hashed"
|
||||||
|
|
||||||
|
-- Select the storage backend to use. By default Prosody uses flat files
|
||||||
|
-- in its configured data directory, but it also supports more backends
|
||||||
|
-- through modules. An "sql" backend is included by default, but requires
|
||||||
|
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
||||||
|
|
||||||
|
--storage = "sql" -- Default is "internal"
|
||||||
|
|
||||||
|
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
||||||
|
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
||||||
|
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
|
||||||
|
|
||||||
|
-- Archiving configuration
|
||||||
|
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
||||||
|
-- is used to synchronize conversations between multiple clients, even if
|
||||||
|
-- they are offline. This setting controls how long Prosody will keep
|
||||||
|
-- messages in the archive before removing them.
|
||||||
|
|
||||||
|
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
||||||
|
|
||||||
|
-- You can also configure messages to be stored in-memory only. For more
|
||||||
|
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
||||||
|
|
||||||
|
-- Logging configuration
|
||||||
|
-- For advanced logging see https://prosody.im/doc/logging
|
||||||
|
log = {
|
||||||
|
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
||||||
|
-- error = "prosody.err";
|
||||||
|
--info = "*syslog"; -- Uncomment this for logging to syslog
|
||||||
|
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Uncomment to enable statistics
|
||||||
|
-- For more info see https://prosody.im/doc/statistics
|
||||||
|
-- statistics = "internal"
|
||||||
|
|
||||||
|
-- Certificates
|
||||||
|
-- Every virtual host and component needs a certificate so that clients and
|
||||||
|
-- servers can securely verify its identity. Prosody will automatically load
|
||||||
|
-- certificates/keys from the directory specified here.
|
||||||
|
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
||||||
|
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
||||||
|
|
||||||
|
-- Location of directory to find certificates in (relative to main config file):
|
||||||
|
certificates = "certs"
|
||||||
|
|
||||||
|
-- HTTPS currently only supports a single certificate, specify it here:
|
||||||
|
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
||||||
|
|
||||||
|
----------- Virtual hosts -----------
|
||||||
|
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
||||||
|
-- Settings under each VirtualHost entry apply *only* to that host.
|
||||||
|
|
||||||
|
VirtualHost "two.example.org"
|
||||||
|
|
||||||
|
--VirtualHost "example.com"
|
||||||
|
-- certificate = "/path/to/example.crt"
|
||||||
|
|
||||||
|
------ Components ------
|
||||||
|
-- You can specify components to add hosts that provide special services,
|
||||||
|
-- like multi-user conferences, and transports.
|
||||||
|
-- For more information on components, see https://prosody.im/doc/components
|
||||||
|
|
||||||
|
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
||||||
|
--Component "conference.example.com" "muc"
|
||||||
|
--- Store MUC messages in an archive and allow users to access it
|
||||||
|
--modules_enabled = { "muc_mam" }
|
||||||
|
|
||||||
|
---Set up an external component (default component port is 5347)
|
||||||
|
--
|
||||||
|
-- External components allow adding various services, such as gateways/
|
||||||
|
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
||||||
|
-- see: https://prosody.im/doc/components#adding_an_external_component
|
||||||
|
--
|
||||||
|
--Component "gateway.example.com"
|
||||||
|
-- component_secret = "password"
|
44
integration/16-s2s-a-record-quic/xmpp-proxy1.toml
Normal file
44
integration/16-s2s-a-record-quic/xmpp-proxy1.toml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
|
||||||
|
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
||||||
|
incoming_listen = [ "0.0.0.0:5222" ]
|
||||||
|
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
||||||
|
quic_listen = [ "0.0.0.0:443" ]
|
||||||
|
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
||||||
|
websocket_listen = [ ]
|
||||||
|
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
||||||
|
outgoing_listen = [ "0.0.0.0:15270" ]
|
||||||
|
|
||||||
|
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
||||||
|
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
||||||
|
|
||||||
|
# c2s port backend XMPP server listens on
|
||||||
|
c2s_target = "192.5.0.20:15222"
|
||||||
|
|
||||||
|
# s2s port backend XMPP server listens on
|
||||||
|
s2s_target = "192.5.0.20:15269"
|
||||||
|
|
||||||
|
# send PROXYv1 header to backend XMPP server
|
||||||
|
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
||||||
|
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
||||||
|
proxy = true
|
||||||
|
|
||||||
|
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
||||||
|
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
||||||
|
# xmpp-proxy will use this many bytes + 16k per connection
|
||||||
|
max_stanza_size_bytes = 262_144
|
||||||
|
|
||||||
|
# TLS key/certificate valid for all your XMPP domains, PEM format
|
||||||
|
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
||||||
|
tls_key = "/etc/prosody/certs/one.example.org.key"
|
||||||
|
tls_cert = "/etc/prosody/certs/one.example.org.crt"
|
||||||
|
|
||||||
|
# configure logging, defaults are commented
|
||||||
|
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
||||||
|
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
||||||
|
#log_level = "info"
|
||||||
|
# for development/debugging:
|
||||||
|
log_level = "info,xmpp_proxy=trace"
|
||||||
|
|
||||||
|
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
||||||
|
#log_style = "never"
|
44
integration/16-s2s-a-record-quic/xmpp-proxy2.toml
Normal file
44
integration/16-s2s-a-record-quic/xmpp-proxy2.toml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
|
||||||
|
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
||||||
|
incoming_listen = [ "0.0.0.0:5222" ]
|
||||||
|
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
||||||
|
quic_listen = [ "0.0.0.0:443" ]
|
||||||
|
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
||||||
|
websocket_listen = [ ]
|
||||||
|
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
||||||
|
outgoing_listen = [ "0.0.0.0:15270" ]
|
||||||
|
|
||||||
|
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
||||||
|
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
||||||
|
|
||||||
|
# c2s port backend XMPP server listens on
|
||||||
|
c2s_target = "192.5.0.30:15222"
|
||||||
|
|
||||||
|
# s2s port backend XMPP server listens on
|
||||||
|
s2s_target = "192.5.0.30:15269"
|
||||||
|
|
||||||
|
# send PROXYv1 header to backend XMPP server
|
||||||
|
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
||||||
|
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
||||||
|
proxy = true
|
||||||
|
|
||||||
|
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
||||||
|
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
||||||
|
# xmpp-proxy will use this many bytes + 16k per connection
|
||||||
|
max_stanza_size_bytes = 262_144
|
||||||
|
|
||||||
|
# TLS key/certificate valid for all your XMPP domains, PEM format
|
||||||
|
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
||||||
|
tls_key = "/etc/prosody/certs/two.example.org.key"
|
||||||
|
tls_cert = "/etc/prosody/certs/two.example.org.crt"
|
||||||
|
|
||||||
|
# configure logging, defaults are commented
|
||||||
|
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
||||||
|
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
||||||
|
#log_level = "info"
|
||||||
|
# for development/debugging:
|
||||||
|
log_level = "info,xmpp_proxy=trace"
|
||||||
|
|
||||||
|
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
||||||
|
#log_style = "never"
|
44
integration/16-s2s-a-record-quic/xmpp-proxy3.toml
Normal file
44
integration/16-s2s-a-record-quic/xmpp-proxy3.toml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
|
||||||
|
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
||||||
|
incoming_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
||||||
|
quic_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
||||||
|
websocket_listen = [ ]
|
||||||
|
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
||||||
|
outgoing_listen = [ "0.0.0.0:5222" ]
|
||||||
|
|
||||||
|
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
||||||
|
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
||||||
|
|
||||||
|
# c2s port backend XMPP server listens on
|
||||||
|
c2s_target = "127.0.0.1:15222"
|
||||||
|
|
||||||
|
# s2s port backend XMPP server listens on
|
||||||
|
s2s_target = "127.0.0.1:15269"
|
||||||
|
|
||||||
|
# send PROXYv1 header to backend XMPP server
|
||||||
|
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
||||||
|
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
||||||
|
proxy = true
|
||||||
|
|
||||||
|
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
||||||
|
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
||||||
|
# xmpp-proxy will use this many bytes + 16k per connection
|
||||||
|
max_stanza_size_bytes = 262_144
|
||||||
|
|
||||||
|
# TLS key/certificate valid for all your XMPP domains, PEM format
|
||||||
|
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
||||||
|
tls_key = "/etc/certs/rsa/one.example.org.key"
|
||||||
|
tls_cert = "/etc/certs/rsa/one.example.org.crt"
|
||||||
|
|
||||||
|
# configure logging, defaults are commented
|
||||||
|
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
||||||
|
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
||||||
|
#log_level = "info"
|
||||||
|
# for development/debugging:
|
||||||
|
log_level = "info,xmpp_proxy=trace"
|
||||||
|
|
||||||
|
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
||||||
|
#log_style = "never"
|
23
integration/17-s2s-srv-record-quic/example.org.zone
Normal file
23
integration/17-s2s-srv-record-quic/example.org.zone
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
$TTL 300
|
||||||
|
; example.org
|
||||||
|
@ IN SOA ns1.example.org. postmaster.example.org. (
|
||||||
|
2018111111 ; Serial
|
||||||
|
28800 ; Refresh
|
||||||
|
1800 ; Retry
|
||||||
|
604800 ; Expire - 1 week
|
||||||
|
86400 ) ; Negative Cache TTL
|
||||||
|
IN NS ns1
|
||||||
|
ns1 IN A 192.5.0.10
|
||||||
|
server1 IN A 192.5.0.20
|
||||||
|
server2 IN A 192.5.0.30
|
||||||
|
xp1 IN A 192.5.0.40
|
||||||
|
xp2 IN A 192.5.0.50
|
||||||
|
xp3 IN A 192.5.0.60
|
||||||
|
|
||||||
|
one IN CNAME xp1
|
||||||
|
two IN CNAME xp2
|
||||||
|
_xmppq-server._udp.one IN SRV 5 1 52269 xp1
|
||||||
|
_xmppq-server._udp.two IN SRV 5 1 52269 xp2
|
||||||
|
|
||||||
|
scansion.one IN CNAME xp3
|
||||||
|
scansion.two IN CNAME xp3
|
251
integration/17-s2s-srv-record-quic/prosody1.cfg.lua
Normal file
251
integration/17-s2s-srv-record-quic/prosody1.cfg.lua
Normal file
@ -0,0 +1,251 @@
|
|||||||
|
--Important for systemd
|
||||||
|
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
||||||
|
daemonize = false
|
||||||
|
run_as_root = true
|
||||||
|
|
||||||
|
pidfile = "/run/prosody/prosody.pid"
|
||||||
|
|
||||||
|
plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
|
||||||
|
|
||||||
|
-- Prosody Example Configuration File
|
||||||
|
--
|
||||||
|
-- Information on configuring Prosody can be found on our
|
||||||
|
-- website at https://prosody.im/doc/configure
|
||||||
|
--
|
||||||
|
-- Tip: You can check that the syntax of this file is correct
|
||||||
|
-- when you have finished by running this command:
|
||||||
|
-- prosodyctl check config
|
||||||
|
-- If there are any errors, it will let you know what and where
|
||||||
|
-- they are, otherwise it will keep quiet.
|
||||||
|
--
|
||||||
|
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
||||||
|
-- blanks. Good luck, and happy Jabbering!
|
||||||
|
|
||||||
|
|
||||||
|
---------- Server-wide settings ----------
|
||||||
|
-- Settings in this section apply to the whole server and are the default settings
|
||||||
|
-- for any virtual hosts
|
||||||
|
|
||||||
|
-- This is a (by default, empty) list of accounts that are admins
|
||||||
|
-- for the server. Note that you must create the accounts separately
|
||||||
|
-- (see https://prosody.im/doc/creating_accounts for info)
|
||||||
|
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
||||||
|
admins = { }
|
||||||
|
|
||||||
|
-- Enable use of libevent for better performance under high load
|
||||||
|
-- For more information see: https://prosody.im/doc/libevent
|
||||||
|
--use_libevent = true
|
||||||
|
|
||||||
|
-- Prosody will always look in its source directory for modules, but
|
||||||
|
-- this option allows you to specify additional locations where Prosody
|
||||||
|
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
||||||
|
--plugin_paths = {}
|
||||||
|
|
||||||
|
-- This is the list of modules Prosody will load on startup.
|
||||||
|
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
||||||
|
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
||||||
|
modules_enabled = {
|
||||||
|
|
||||||
|
-- Generally required
|
||||||
|
"roster"; -- Allow users to have a roster. Recommended ;)
|
||||||
|
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
||||||
|
--"tls"; -- Add support for secure TLS on c2s/s2s connections
|
||||||
|
"dialback"; -- s2s dialback support
|
||||||
|
"disco"; -- Service discovery
|
||||||
|
|
||||||
|
-- Not essential, but recommended
|
||||||
|
"carbons"; -- Keep multiple clients in sync
|
||||||
|
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
||||||
|
"private"; -- Private XML storage (for room bookmarks, etc.)
|
||||||
|
"blocklist"; -- Allow users to block communications with other users
|
||||||
|
"vcard4"; -- User profiles (stored in PEP)
|
||||||
|
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
||||||
|
"limits"; -- Enable bandwidth limiting for XMPP connections
|
||||||
|
|
||||||
|
-- Nice to have
|
||||||
|
"version"; -- Replies to server version requests
|
||||||
|
"uptime"; -- Report how long server has been running
|
||||||
|
"time"; -- Let others know the time here on this server
|
||||||
|
"ping"; -- Replies to XMPP pings with pongs
|
||||||
|
"register"; -- Allow users to register on this server using a client and change passwords
|
||||||
|
--"mam"; -- Store messages in an archive and allow users to access it
|
||||||
|
--"csi_simple"; -- Simple Mobile optimizations
|
||||||
|
|
||||||
|
-- Admin interfaces
|
||||||
|
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
||||||
|
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
||||||
|
|
||||||
|
-- HTTP modules
|
||||||
|
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
||||||
|
--"websocket"; -- XMPP over WebSockets
|
||||||
|
--"http_files"; -- Serve static files from a directory over HTTP
|
||||||
|
|
||||||
|
-- Other specific functionality
|
||||||
|
--"groups"; -- Shared roster support
|
||||||
|
--"server_contact_info"; -- Publish contact information for this service
|
||||||
|
--"announce"; -- Send announcement to all online users
|
||||||
|
--"welcome"; -- Welcome users who register accounts
|
||||||
|
--"watchregistrations"; -- Alert admins of registrations
|
||||||
|
--"motd"; -- Send a message to users when they log in
|
||||||
|
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
||||||
|
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
||||||
|
"net_proxy";
|
||||||
|
"s2s_outgoing_proxy";
|
||||||
|
}
|
||||||
|
|
||||||
|
-- These modules are auto-loaded, but should you want
|
||||||
|
-- to disable them then uncomment them here:
|
||||||
|
modules_disabled = {
|
||||||
|
-- "offline"; -- Store offline messages
|
||||||
|
-- "c2s"; -- Handle client connections
|
||||||
|
-- "s2s"; -- Handle server-to-server connections
|
||||||
|
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Disable account creation by default, for security
|
||||||
|
-- For more information see https://prosody.im/doc/creating_accounts
|
||||||
|
allow_registration = false
|
||||||
|
|
||||||
|
-- we don't need prosody doing any encryption, xmpp-proxy does this now
|
||||||
|
-- these are likely set to true somewhere in your file, find them, make them false
|
||||||
|
-- you can also remove all certificates from your config
|
||||||
|
s2s_require_encryption = false
|
||||||
|
s2s_secure_auth = false
|
||||||
|
|
||||||
|
-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
|
||||||
|
s2s_outgoing_proxy = { "192.5.0.40", 15270 }
|
||||||
|
|
||||||
|
-- handle PROXY protocol on these ports
|
||||||
|
proxy_port_mappings = {
|
||||||
|
[15222] = "c2s",
|
||||||
|
[15269] = "s2s"
|
||||||
|
}
|
||||||
|
|
||||||
|
--[[
|
||||||
|
Specifies a list of trusted hosts or networks which may use the PROXY protocol
|
||||||
|
If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
|
||||||
|
An empty table ({}) can be configured to allow connections from any source.
|
||||||
|
Please read the module documentation about potential security impact.
|
||||||
|
]]--
|
||||||
|
proxy_trusted_proxies = {
|
||||||
|
"192.5.0.40"
|
||||||
|
}
|
||||||
|
|
||||||
|
-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
|
||||||
|
-- you might need to comment these out further down in your config file if you set them
|
||||||
|
c2s_ports = {}
|
||||||
|
legacy_ssl_ports = {}
|
||||||
|
-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
|
||||||
|
s2s_ports = {15268}
|
||||||
|
|
||||||
|
-- Force clients to use encrypted connections? This option will
|
||||||
|
-- prevent clients from authenticating unless they are using encryption.
|
||||||
|
|
||||||
|
c2s_require_encryption = false
|
||||||
|
allow_unencrypted_plain_auth = true
|
||||||
|
|
||||||
|
-- Some servers have invalid or self-signed certificates. You can list
|
||||||
|
-- remote domains here that will not be required to authenticate using
|
||||||
|
-- certificates. They will be authenticated using DNS instead, even
|
||||||
|
-- when s2s_secure_auth is enabled.
|
||||||
|
|
||||||
|
--s2s_insecure_domains = { "insecure.example" }
|
||||||
|
|
||||||
|
-- Even if you disable s2s_secure_auth, you can still require valid
|
||||||
|
-- certificates for some domains by specifying a list here.
|
||||||
|
|
||||||
|
--s2s_secure_domains = { "jabber.org" }
|
||||||
|
|
||||||
|
-- Enable rate limits for incoming client and server connections
|
||||||
|
|
||||||
|
limits = {
|
||||||
|
c2s = {
|
||||||
|
rate = "10kb/s";
|
||||||
|
};
|
||||||
|
s2sin = {
|
||||||
|
rate = "30kb/s";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Select the authentication backend to use. The 'internal' providers
|
||||||
|
-- use Prosody's configured data storage to store the authentication data.
|
||||||
|
|
||||||
|
authentication = "internal_hashed"
|
||||||
|
|
||||||
|
-- Select the storage backend to use. By default Prosody uses flat files
|
||||||
|
-- in its configured data directory, but it also supports more backends
|
||||||
|
-- through modules. An "sql" backend is included by default, but requires
|
||||||
|
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
||||||
|
|
||||||
|
--storage = "sql" -- Default is "internal"
|
||||||
|
|
||||||
|
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
||||||
|
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
||||||
|
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
|
||||||
|
|
||||||
|
-- Archiving configuration
|
||||||
|
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
||||||
|
-- is used to synchronize conversations between multiple clients, even if
|
||||||
|
-- they are offline. This setting controls how long Prosody will keep
|
||||||
|
-- messages in the archive before removing them.
|
||||||
|
|
||||||
|
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
||||||
|
|
||||||
|
-- You can also configure messages to be stored in-memory only. For more
|
||||||
|
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
||||||
|
|
||||||
|
-- Logging configuration
|
||||||
|
-- For advanced logging see https://prosody.im/doc/logging
|
||||||
|
log = {
|
||||||
|
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
||||||
|
-- error = "prosody.err";
|
||||||
|
--info = "*syslog"; -- Uncomment this for logging to syslog
|
||||||
|
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Uncomment to enable statistics
|
||||||
|
-- For more info see https://prosody.im/doc/statistics
|
||||||
|
-- statistics = "internal"
|
||||||
|
|
||||||
|
-- Certificates
|
||||||
|
-- Every virtual host and component needs a certificate so that clients and
|
||||||
|
-- servers can securely verify its identity. Prosody will automatically load
|
||||||
|
-- certificates/keys from the directory specified here.
|
||||||
|
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
||||||
|
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
||||||
|
|
||||||
|
-- Location of directory to find certificates in (relative to main config file):
|
||||||
|
certificates = "certs"
|
||||||
|
|
||||||
|
-- HTTPS currently only supports a single certificate, specify it here:
|
||||||
|
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
||||||
|
|
||||||
|
----------- Virtual hosts -----------
|
||||||
|
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
||||||
|
-- Settings under each VirtualHost entry apply *only* to that host.
|
||||||
|
|
||||||
|
VirtualHost "one.example.org"
|
||||||
|
|
||||||
|
--VirtualHost "example.com"
|
||||||
|
-- certificate = "/path/to/example.crt"
|
||||||
|
|
||||||
|
------ Components ------
|
||||||
|
-- You can specify components to add hosts that provide special services,
|
||||||
|
-- like multi-user conferences, and transports.
|
||||||
|
-- For more information on components, see https://prosody.im/doc/components
|
||||||
|
|
||||||
|
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
||||||
|
--Component "conference.example.com" "muc"
|
||||||
|
--- Store MUC messages in an archive and allow users to access it
|
||||||
|
--modules_enabled = { "muc_mam" }
|
||||||
|
|
||||||
|
---Set up an external component (default component port is 5347)
|
||||||
|
--
|
||||||
|
-- External components allow adding various services, such as gateways/
|
||||||
|
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
||||||
|
-- see: https://prosody.im/doc/components#adding_an_external_component
|
||||||
|
--
|
||||||
|
--Component "gateway.example.com"
|
||||||
|
-- component_secret = "password"
|
251
integration/17-s2s-srv-record-quic/prosody2.cfg.lua
Normal file
251
integration/17-s2s-srv-record-quic/prosody2.cfg.lua
Normal file
@ -0,0 +1,251 @@
|
|||||||
|
--Important for systemd
|
||||||
|
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
||||||
|
daemonize = false
|
||||||
|
run_as_root = true
|
||||||
|
|
||||||
|
pidfile = "/run/prosody/prosody.pid"
|
||||||
|
|
||||||
|
plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
|
||||||
|
|
||||||
|
-- Prosody Example Configuration File
|
||||||
|
--
|
||||||
|
-- Information on configuring Prosody can be found on our
|
||||||
|
-- website at https://prosody.im/doc/configure
|
||||||
|
--
|
||||||
|
-- Tip: You can check that the syntax of this file is correct
|
||||||
|
-- when you have finished by running this command:
|
||||||
|
-- prosodyctl check config
|
||||||
|
-- If there are any errors, it will let you know what and where
|
||||||
|
-- they are, otherwise it will keep quiet.
|
||||||
|
--
|
||||||
|
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
||||||
|
-- blanks. Good luck, and happy Jabbering!
|
||||||
|
|
||||||
|
|
||||||
|
---------- Server-wide settings ----------
|
||||||
|
-- Settings in this section apply to the whole server and are the default settings
|
||||||
|
-- for any virtual hosts
|
||||||
|
|
||||||
|
-- This is a (by default, empty) list of accounts that are admins
|
||||||
|
-- for the server. Note that you must create the accounts separately
|
||||||
|
-- (see https://prosody.im/doc/creating_accounts for info)
|
||||||
|
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
||||||
|
admins = { }
|
||||||
|
|
||||||
|
-- Enable use of libevent for better performance under high load
|
||||||
|
-- For more information see: https://prosody.im/doc/libevent
|
||||||
|
--use_libevent = true
|
||||||
|
|
||||||
|
-- Prosody will always look in its source directory for modules, but
|
||||||
|
-- this option allows you to specify additional locations where Prosody
|
||||||
|
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
||||||
|
--plugin_paths = {}
|
||||||
|
|
||||||
|
-- This is the list of modules Prosody will load on startup.
|
||||||
|
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
||||||
|
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
||||||
|
modules_enabled = {
|
||||||
|
|
||||||
|
-- Generally required
|
||||||
|
"roster"; -- Allow users to have a roster. Recommended ;)
|
||||||
|
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
||||||
|
--"tls"; -- Add support for secure TLS on c2s/s2s connections
|
||||||
|
"dialback"; -- s2s dialback support
|
||||||
|
"disco"; -- Service discovery
|
||||||
|
|
||||||
|
-- Not essential, but recommended
|
||||||
|
"carbons"; -- Keep multiple clients in sync
|
||||||
|
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
||||||
|
"private"; -- Private XML storage (for room bookmarks, etc.)
|
||||||
|
"blocklist"; -- Allow users to block communications with other users
|
||||||
|
"vcard4"; -- User profiles (stored in PEP)
|
||||||
|
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
||||||
|
"limits"; -- Enable bandwidth limiting for XMPP connections
|
||||||
|
|
||||||
|
-- Nice to have
|
||||||
|
"version"; -- Replies to server version requests
|
||||||
|
"uptime"; -- Report how long server has been running
|
||||||
|
"time"; -- Let others know the time here on this server
|
||||||
|
"ping"; -- Replies to XMPP pings with pongs
|
||||||
|
"register"; -- Allow users to register on this server using a client and change passwords
|
||||||
|
--"mam"; -- Store messages in an archive and allow users to access it
|
||||||
|
--"csi_simple"; -- Simple Mobile optimizations
|
||||||
|
|
||||||
|
-- Admin interfaces
|
||||||
|
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
||||||
|
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
||||||
|
|
||||||
|
-- HTTP modules
|
||||||
|
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
||||||
|
--"websocket"; -- XMPP over WebSockets
|
||||||
|
--"http_files"; -- Serve static files from a directory over HTTP
|
||||||
|
|
||||||
|
-- Other specific functionality
|
||||||
|
--"groups"; -- Shared roster support
|
||||||
|
--"server_contact_info"; -- Publish contact information for this service
|
||||||
|
--"announce"; -- Send announcement to all online users
|
||||||
|
--"welcome"; -- Welcome users who register accounts
|
||||||
|
--"watchregistrations"; -- Alert admins of registrations
|
||||||
|
--"motd"; -- Send a message to users when they log in
|
||||||
|
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
||||||
|
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
||||||
|
"net_proxy";
|
||||||
|
"s2s_outgoing_proxy";
|
||||||
|
}
|
||||||
|
|
||||||
|
-- These modules are auto-loaded, but should you want
|
||||||
|
-- to disable them then uncomment them here:
|
||||||
|
modules_disabled = {
|
||||||
|
-- "offline"; -- Store offline messages
|
||||||
|
-- "c2s"; -- Handle client connections
|
||||||
|
-- "s2s"; -- Handle server-to-server connections
|
||||||
|
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Disable account creation by default, for security
|
||||||
|
-- For more information see https://prosody.im/doc/creating_accounts
|
||||||
|
allow_registration = false
|
||||||
|
|
||||||
|
-- we don't need prosody doing any encryption, xmpp-proxy does this now
|
||||||
|
-- these are likely set to true somewhere in your file, find them, make them false
|
||||||
|
-- you can also remove all certificates from your config
|
||||||
|
s2s_require_encryption = false
|
||||||
|
s2s_secure_auth = false
|
||||||
|
|
||||||
|
-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
|
||||||
|
s2s_outgoing_proxy = { "192.5.0.50", 15270 }
|
||||||
|
|
||||||
|
-- handle PROXY protocol on these ports
|
||||||
|
proxy_port_mappings = {
|
||||||
|
[15222] = "c2s",
|
||||||
|
[15269] = "s2s"
|
||||||
|
}
|
||||||
|
|
||||||
|
--[[
|
||||||
|
Specifies a list of trusted hosts or networks which may use the PROXY protocol
|
||||||
|
If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
|
||||||
|
An empty table ({}) can be configured to allow connections from any source.
|
||||||
|
Please read the module documentation about potential security impact.
|
||||||
|
]]--
|
||||||
|
proxy_trusted_proxies = {
|
||||||
|
"192.5.0.50"
|
||||||
|
}
|
||||||
|
|
||||||
|
-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
|
||||||
|
-- you might need to comment these out further down in your config file if you set them
|
||||||
|
c2s_ports = {}
|
||||||
|
legacy_ssl_ports = {}
|
||||||
|
-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
|
||||||
|
s2s_ports = {15268}
|
||||||
|
|
||||||
|
-- Force clients to use encrypted connections? This option will
|
||||||
|
-- prevent clients from authenticating unless they are using encryption.
|
||||||
|
|
||||||
|
c2s_require_encryption = false
|
||||||
|
allow_unencrypted_plain_auth = true
|
||||||
|
|
||||||
|
-- Some servers have invalid or self-signed certificates. You can list
|
||||||
|
-- remote domains here that will not be required to authenticate using
|
||||||
|
-- certificates. They will be authenticated using DNS instead, even
|
||||||
|
-- when s2s_secure_auth is enabled.
|
||||||
|
|
||||||
|
--s2s_insecure_domains = { "insecure.example" }
|
||||||
|
|
||||||
|
-- Even if you disable s2s_secure_auth, you can still require valid
|
||||||
|
-- certificates for some domains by specifying a list here.
|
||||||
|
|
||||||
|
--s2s_secure_domains = { "jabber.org" }
|
||||||
|
|
||||||
|
-- Enable rate limits for incoming client and server connections
|
||||||
|
|
||||||
|
limits = {
|
||||||
|
c2s = {
|
||||||
|
rate = "10kb/s";
|
||||||
|
};
|
||||||
|
s2sin = {
|
||||||
|
rate = "30kb/s";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Select the authentication backend to use. The 'internal' providers
|
||||||
|
-- use Prosody's configured data storage to store the authentication data.
|
||||||
|
|
||||||
|
authentication = "internal_hashed"
|
||||||
|
|
||||||
|
-- Select the storage backend to use. By default Prosody uses flat files
|
||||||
|
-- in its configured data directory, but it also supports more backends
|
||||||
|
-- through modules. An "sql" backend is included by default, but requires
|
||||||
|
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
||||||
|
|
||||||
|
--storage = "sql" -- Default is "internal"
|
||||||
|
|
||||||
|
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
||||||
|
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
||||||
|
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
|
||||||
|
|
||||||
|
-- Archiving configuration
|
||||||
|
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
||||||
|
-- is used to synchronize conversations between multiple clients, even if
|
||||||
|
-- they are offline. This setting controls how long Prosody will keep
|
||||||
|
-- messages in the archive before removing them.
|
||||||
|
|
||||||
|
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
||||||
|
|
||||||
|
-- You can also configure messages to be stored in-memory only. For more
|
||||||
|
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
||||||
|
|
||||||
|
-- Logging configuration
|
||||||
|
-- For advanced logging see https://prosody.im/doc/logging
|
||||||
|
log = {
|
||||||
|
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
||||||
|
-- error = "prosody.err";
|
||||||
|
--info = "*syslog"; -- Uncomment this for logging to syslog
|
||||||
|
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Uncomment to enable statistics
|
||||||
|
-- For more info see https://prosody.im/doc/statistics
|
||||||
|
-- statistics = "internal"
|
||||||
|
|
||||||
|
-- Certificates
|
||||||
|
-- Every virtual host and component needs a certificate so that clients and
|
||||||
|
-- servers can securely verify its identity. Prosody will automatically load
|
||||||
|
-- certificates/keys from the directory specified here.
|
||||||
|
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
||||||
|
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
||||||
|
|
||||||
|
-- Location of directory to find certificates in (relative to main config file):
|
||||||
|
certificates = "certs"
|
||||||
|
|
||||||
|
-- HTTPS currently only supports a single certificate, specify it here:
|
||||||
|
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
||||||
|
|
||||||
|
----------- Virtual hosts -----------
|
||||||
|
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
||||||
|
-- Settings under each VirtualHost entry apply *only* to that host.
|
||||||
|
|
||||||
|
VirtualHost "two.example.org"
|
||||||
|
|
||||||
|
--VirtualHost "example.com"
|
||||||
|
-- certificate = "/path/to/example.crt"
|
||||||
|
|
||||||
|
------ Components ------
|
||||||
|
-- You can specify components to add hosts that provide special services,
|
||||||
|
-- like multi-user conferences, and transports.
|
||||||
|
-- For more information on components, see https://prosody.im/doc/components
|
||||||
|
|
||||||
|
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
||||||
|
--Component "conference.example.com" "muc"
|
||||||
|
--- Store MUC messages in an archive and allow users to access it
|
||||||
|
--modules_enabled = { "muc_mam" }
|
||||||
|
|
||||||
|
---Set up an external component (default component port is 5347)
|
||||||
|
--
|
||||||
|
-- External components allow adding various services, such as gateways/
|
||||||
|
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
||||||
|
-- see: https://prosody.im/doc/components#adding_an_external_component
|
||||||
|
--
|
||||||
|
--Component "gateway.example.com"
|
||||||
|
-- component_secret = "password"
|
44
integration/17-s2s-srv-record-quic/xmpp-proxy1.toml
Normal file
44
integration/17-s2s-srv-record-quic/xmpp-proxy1.toml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
|
||||||
|
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
||||||
|
incoming_listen = [ "0.0.0.0:5222" ]
|
||||||
|
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
||||||
|
quic_listen = [ "0.0.0.0:52269" ]
|
||||||
|
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
||||||
|
websocket_listen = [ ]
|
||||||
|
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
||||||
|
outgoing_listen = [ "0.0.0.0:15270" ]
|
||||||
|
|
||||||
|
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
||||||
|
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
||||||
|
|
||||||
|
# c2s port backend XMPP server listens on
|
||||||
|
c2s_target = "192.5.0.20:15222"
|
||||||
|
|
||||||
|
# s2s port backend XMPP server listens on
|
||||||
|
s2s_target = "192.5.0.20:15269"
|
||||||
|
|
||||||
|
# send PROXYv1 header to backend XMPP server
|
||||||
|
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
||||||
|
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
||||||
|
proxy = true
|
||||||
|
|
||||||
|
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
||||||
|
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
||||||
|
# xmpp-proxy will use this many bytes + 16k per connection
|
||||||
|
max_stanza_size_bytes = 262_144
|
||||||
|
|
||||||
|
# TLS key/certificate valid for all your XMPP domains, PEM format
|
||||||
|
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
||||||
|
tls_key = "/etc/prosody/certs/one.example.org.key"
|
||||||
|
tls_cert = "/etc/prosody/certs/one.example.org.crt"
|
||||||
|
|
||||||
|
# configure logging, defaults are commented
|
||||||
|
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
||||||
|
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
||||||
|
#log_level = "info"
|
||||||
|
# for development/debugging:
|
||||||
|
log_level = "info,xmpp_proxy=trace"
|
||||||
|
|
||||||
|
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
||||||
|
#log_style = "never"
|
44
integration/17-s2s-srv-record-quic/xmpp-proxy2.toml
Normal file
44
integration/17-s2s-srv-record-quic/xmpp-proxy2.toml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
|
||||||
|
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
||||||
|
incoming_listen = [ "0.0.0.0:5222" ]
|
||||||
|
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
||||||
|
quic_listen = [ "0.0.0.0:52269" ]
|
||||||
|
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
||||||
|
websocket_listen = [ ]
|
||||||
|
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
||||||
|
outgoing_listen = [ "0.0.0.0:15270" ]
|
||||||
|
|
||||||
|
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
||||||
|
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
||||||
|
|
||||||
|
# c2s port backend XMPP server listens on
|
||||||
|
c2s_target = "192.5.0.30:15222"
|
||||||
|
|
||||||
|
# s2s port backend XMPP server listens on
|
||||||
|
s2s_target = "192.5.0.30:15269"
|
||||||
|
|
||||||
|
# send PROXYv1 header to backend XMPP server
|
||||||
|
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
||||||
|
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
||||||
|
proxy = true
|
||||||
|
|
||||||
|
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
||||||
|
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
||||||
|
# xmpp-proxy will use this many bytes + 16k per connection
|
||||||
|
max_stanza_size_bytes = 262_144
|
||||||
|
|
||||||
|
# TLS key/certificate valid for all your XMPP domains, PEM format
|
||||||
|
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
||||||
|
tls_key = "/etc/prosody/certs/two.example.org.key"
|
||||||
|
tls_cert = "/etc/prosody/certs/two.example.org.crt"
|
||||||
|
|
||||||
|
# configure logging, defaults are commented
|
||||||
|
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
||||||
|
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
||||||
|
#log_level = "info"
|
||||||
|
# for development/debugging:
|
||||||
|
log_level = "info,xmpp_proxy=trace"
|
||||||
|
|
||||||
|
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
||||||
|
#log_style = "never"
|
44
integration/17-s2s-srv-record-quic/xmpp-proxy3.toml
Normal file
44
integration/17-s2s-srv-record-quic/xmpp-proxy3.toml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
|
||||||
|
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
||||||
|
incoming_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
||||||
|
quic_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
||||||
|
websocket_listen = [ ]
|
||||||
|
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
||||||
|
outgoing_listen = [ "0.0.0.0:5222" ]
|
||||||
|
|
||||||
|
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
||||||
|
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
||||||
|
|
||||||
|
# c2s port backend XMPP server listens on
|
||||||
|
c2s_target = "127.0.0.1:15222"
|
||||||
|
|
||||||
|
# s2s port backend XMPP server listens on
|
||||||
|
s2s_target = "127.0.0.1:15269"
|
||||||
|
|
||||||
|
# send PROXYv1 header to backend XMPP server
|
||||||
|
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
||||||
|
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
||||||
|
proxy = true
|
||||||
|
|
||||||
|
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
||||||
|
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
||||||
|
# xmpp-proxy will use this many bytes + 16k per connection
|
||||||
|
max_stanza_size_bytes = 262_144
|
||||||
|
|
||||||
|
# TLS key/certificate valid for all your XMPP domains, PEM format
|
||||||
|
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
||||||
|
tls_key = "/etc/certs/rsa/one.example.org.key"
|
||||||
|
tls_cert = "/etc/certs/rsa/one.example.org.crt"
|
||||||
|
|
||||||
|
# configure logging, defaults are commented
|
||||||
|
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
||||||
|
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
||||||
|
#log_level = "info"
|
||||||
|
# for development/debugging:
|
||||||
|
log_level = "info,xmpp_proxy=trace"
|
||||||
|
|
||||||
|
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
||||||
|
#log_style = "never"
|
23
integration/18-s2s-websocket/example.org.zone
Normal file
23
integration/18-s2s-websocket/example.org.zone
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
$TTL 300
|
||||||
|
; example.org
|
||||||
|
@ IN SOA ns1.example.org. postmaster.example.org. (
|
||||||
|
2018111111 ; Serial
|
||||||
|
28800 ; Refresh
|
||||||
|
1800 ; Retry
|
||||||
|
604800 ; Expire - 1 week
|
||||||
|
86400 ) ; Negative Cache TTL
|
||||||
|
IN NS ns1
|
||||||
|
ns1 IN A 192.5.0.10
|
||||||
|
server1 IN A 192.5.0.20
|
||||||
|
server2 IN A 192.5.0.30
|
||||||
|
xp1 IN A 192.5.0.40
|
||||||
|
xp2 IN A 192.5.0.50
|
||||||
|
xp3 IN A 192.5.0.60
|
||||||
|
|
||||||
|
one IN CNAME xp1
|
||||||
|
two IN CNAME xp2
|
||||||
|
_xmppconnect-server.one IN TXT "_xmpp-server-websocket=wss://one.example.org:5281/xmpp-websocket"
|
||||||
|
_xmppconnect-server.two IN TXT "_xmpp-server-websocket=wss://two.example.org:5281/xmpp-websocket"
|
||||||
|
|
||||||
|
scansion.one IN CNAME xp3
|
||||||
|
scansion.two IN CNAME xp3
|
251
integration/18-s2s-websocket/prosody1.cfg.lua
Normal file
251
integration/18-s2s-websocket/prosody1.cfg.lua
Normal file
@ -0,0 +1,251 @@
|
|||||||
|
--Important for systemd
|
||||||
|
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
||||||
|
daemonize = false
|
||||||
|
run_as_root = true
|
||||||
|
|
||||||
|
pidfile = "/run/prosody/prosody.pid"
|
||||||
|
|
||||||
|
plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
|
||||||
|
|
||||||
|
-- Prosody Example Configuration File
|
||||||
|
--
|
||||||
|
-- Information on configuring Prosody can be found on our
|
||||||
|
-- website at https://prosody.im/doc/configure
|
||||||
|
--
|
||||||
|
-- Tip: You can check that the syntax of this file is correct
|
||||||
|
-- when you have finished by running this command:
|
||||||
|
-- prosodyctl check config
|
||||||
|
-- If there are any errors, it will let you know what and where
|
||||||
|
-- they are, otherwise it will keep quiet.
|
||||||
|
--
|
||||||
|
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
||||||
|
-- blanks. Good luck, and happy Jabbering!
|
||||||
|
|
||||||
|
|
||||||
|
---------- Server-wide settings ----------
|
||||||
|
-- Settings in this section apply to the whole server and are the default settings
|
||||||
|
-- for any virtual hosts
|
||||||
|
|
||||||
|
-- This is a (by default, empty) list of accounts that are admins
|
||||||
|
-- for the server. Note that you must create the accounts separately
|
||||||
|
-- (see https://prosody.im/doc/creating_accounts for info)
|
||||||
|
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
||||||
|
admins = { }
|
||||||
|
|
||||||
|
-- Enable use of libevent for better performance under high load
|
||||||
|
-- For more information see: https://prosody.im/doc/libevent
|
||||||
|
--use_libevent = true
|
||||||
|
|
||||||
|
-- Prosody will always look in its source directory for modules, but
|
||||||
|
-- this option allows you to specify additional locations where Prosody
|
||||||
|
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
||||||
|
--plugin_paths = {}
|
||||||
|
|
||||||
|
-- This is the list of modules Prosody will load on startup.
|
||||||
|
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
||||||
|
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
||||||
|
modules_enabled = {
|
||||||
|
|
||||||
|
-- Generally required
|
||||||
|
"roster"; -- Allow users to have a roster. Recommended ;)
|
||||||
|
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
||||||
|
--"tls"; -- Add support for secure TLS on c2s/s2s connections
|
||||||
|
"dialback"; -- s2s dialback support
|
||||||
|
"disco"; -- Service discovery
|
||||||
|
|
||||||
|
-- Not essential, but recommended
|
||||||
|
"carbons"; -- Keep multiple clients in sync
|
||||||
|
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
||||||
|
"private"; -- Private XML storage (for room bookmarks, etc.)
|
||||||
|
"blocklist"; -- Allow users to block communications with other users
|
||||||
|
"vcard4"; -- User profiles (stored in PEP)
|
||||||
|
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
||||||
|
"limits"; -- Enable bandwidth limiting for XMPP connections
|
||||||
|
|
||||||
|
-- Nice to have
|
||||||
|
"version"; -- Replies to server version requests
|
||||||
|
"uptime"; -- Report how long server has been running
|
||||||
|
"time"; -- Let others know the time here on this server
|
||||||
|
"ping"; -- Replies to XMPP pings with pongs
|
||||||
|
"register"; -- Allow users to register on this server using a client and change passwords
|
||||||
|
--"mam"; -- Store messages in an archive and allow users to access it
|
||||||
|
--"csi_simple"; -- Simple Mobile optimizations
|
||||||
|
|
||||||
|
-- Admin interfaces
|
||||||
|
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
||||||
|
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
||||||
|
|
||||||
|
-- HTTP modules
|
||||||
|
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
||||||
|
--"websocket"; -- XMPP over WebSockets
|
||||||
|
--"http_files"; -- Serve static files from a directory over HTTP
|
||||||
|
|
||||||
|
-- Other specific functionality
|
||||||
|
--"groups"; -- Shared roster support
|
||||||
|
--"server_contact_info"; -- Publish contact information for this service
|
||||||
|
--"announce"; -- Send announcement to all online users
|
||||||
|
--"welcome"; -- Welcome users who register accounts
|
||||||
|
--"watchregistrations"; -- Alert admins of registrations
|
||||||
|
--"motd"; -- Send a message to users when they log in
|
||||||
|
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
||||||
|
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
||||||
|
"net_proxy";
|
||||||
|
"s2s_outgoing_proxy";
|
||||||
|
}
|
||||||
|
|
||||||
|
-- These modules are auto-loaded, but should you want
|
||||||
|
-- to disable them then uncomment them here:
|
||||||
|
modules_disabled = {
|
||||||
|
-- "offline"; -- Store offline messages
|
||||||
|
-- "c2s"; -- Handle client connections
|
||||||
|
-- "s2s"; -- Handle server-to-server connections
|
||||||
|
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Disable account creation by default, for security
|
||||||
|
-- For more information see https://prosody.im/doc/creating_accounts
|
||||||
|
allow_registration = false
|
||||||
|
|
||||||
|
-- we don't need prosody doing any encryption, xmpp-proxy does this now
|
||||||
|
-- these are likely set to true somewhere in your file, find them, make them false
|
||||||
|
-- you can also remove all certificates from your config
|
||||||
|
s2s_require_encryption = false
|
||||||
|
s2s_secure_auth = false
|
||||||
|
|
||||||
|
-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
|
||||||
|
s2s_outgoing_proxy = { "192.5.0.40", 15270 }
|
||||||
|
|
||||||
|
-- handle PROXY protocol on these ports
|
||||||
|
proxy_port_mappings = {
|
||||||
|
[15222] = "c2s",
|
||||||
|
[15269] = "s2s"
|
||||||
|
}
|
||||||
|
|
||||||
|
--[[
|
||||||
|
Specifies a list of trusted hosts or networks which may use the PROXY protocol
|
||||||
|
If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
|
||||||
|
An empty table ({}) can be configured to allow connections from any source.
|
||||||
|
Please read the module documentation about potential security impact.
|
||||||
|
]]--
|
||||||
|
proxy_trusted_proxies = {
|
||||||
|
"192.5.0.40"
|
||||||
|
}
|
||||||
|
|
||||||
|
-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
|
||||||
|
-- you might need to comment these out further down in your config file if you set them
|
||||||
|
c2s_ports = {}
|
||||||
|
legacy_ssl_ports = {}
|
||||||
|
-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
|
||||||
|
s2s_ports = {15268}
|
||||||
|
|
||||||
|
-- Force clients to use encrypted connections? This option will
|
||||||
|
-- prevent clients from authenticating unless they are using encryption.
|
||||||
|
|
||||||
|
c2s_require_encryption = false
|
||||||
|
allow_unencrypted_plain_auth = true
|
||||||
|
|
||||||
|
-- Some servers have invalid or self-signed certificates. You can list
|
||||||
|
-- remote domains here that will not be required to authenticate using
|
||||||
|
-- certificates. They will be authenticated using DNS instead, even
|
||||||
|
-- when s2s_secure_auth is enabled.
|
||||||
|
|
||||||
|
--s2s_insecure_domains = { "insecure.example" }
|
||||||
|
|
||||||
|
-- Even if you disable s2s_secure_auth, you can still require valid
|
||||||
|
-- certificates for some domains by specifying a list here.
|
||||||
|
|
||||||
|
--s2s_secure_domains = { "jabber.org" }
|
||||||
|
|
||||||
|
-- Enable rate limits for incoming client and server connections
|
||||||
|
|
||||||
|
limits = {
|
||||||
|
c2s = {
|
||||||
|
rate = "10kb/s";
|
||||||
|
};
|
||||||
|
s2sin = {
|
||||||
|
rate = "30kb/s";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Select the authentication backend to use. The 'internal' providers
|
||||||
|
-- use Prosody's configured data storage to store the authentication data.
|
||||||
|
|
||||||
|
authentication = "internal_hashed"
|
||||||
|
|
||||||
|
-- Select the storage backend to use. By default Prosody uses flat files
|
||||||
|
-- in its configured data directory, but it also supports more backends
|
||||||
|
-- through modules. An "sql" backend is included by default, but requires
|
||||||
|
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
||||||
|
|
||||||
|
--storage = "sql" -- Default is "internal"
|
||||||
|
|
||||||
|
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
||||||
|
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
||||||
|
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
|
||||||
|
|
||||||
|
-- Archiving configuration
|
||||||
|
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
||||||
|
-- is used to synchronize conversations between multiple clients, even if
|
||||||
|
-- they are offline. This setting controls how long Prosody will keep
|
||||||
|
-- messages in the archive before removing them.
|
||||||
|
|
||||||
|
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
||||||
|
|
||||||
|
-- You can also configure messages to be stored in-memory only. For more
|
||||||
|
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
||||||
|
|
||||||
|
-- Logging configuration
|
||||||
|
-- For advanced logging see https://prosody.im/doc/logging
|
||||||
|
log = {
|
||||||
|
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
||||||
|
-- error = "prosody.err";
|
||||||
|
--info = "*syslog"; -- Uncomment this for logging to syslog
|
||||||
|
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Uncomment to enable statistics
|
||||||
|
-- For more info see https://prosody.im/doc/statistics
|
||||||
|
-- statistics = "internal"
|
||||||
|
|
||||||
|
-- Certificates
|
||||||
|
-- Every virtual host and component needs a certificate so that clients and
|
||||||
|
-- servers can securely verify its identity. Prosody will automatically load
|
||||||
|
-- certificates/keys from the directory specified here.
|
||||||
|
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
||||||
|
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
||||||
|
|
||||||
|
-- Location of directory to find certificates in (relative to main config file):
|
||||||
|
certificates = "certs"
|
||||||
|
|
||||||
|
-- HTTPS currently only supports a single certificate, specify it here:
|
||||||
|
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
||||||
|
|
||||||
|
----------- Virtual hosts -----------
|
||||||
|
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
||||||
|
-- Settings under each VirtualHost entry apply *only* to that host.
|
||||||
|
|
||||||
|
VirtualHost "one.example.org"
|
||||||
|
|
||||||
|
--VirtualHost "example.com"
|
||||||
|
-- certificate = "/path/to/example.crt"
|
||||||
|
|
||||||
|
------ Components ------
|
||||||
|
-- You can specify components to add hosts that provide special services,
|
||||||
|
-- like multi-user conferences, and transports.
|
||||||
|
-- For more information on components, see https://prosody.im/doc/components
|
||||||
|
|
||||||
|
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
||||||
|
--Component "conference.example.com" "muc"
|
||||||
|
--- Store MUC messages in an archive and allow users to access it
|
||||||
|
--modules_enabled = { "muc_mam" }
|
||||||
|
|
||||||
|
---Set up an external component (default component port is 5347)
|
||||||
|
--
|
||||||
|
-- External components allow adding various services, such as gateways/
|
||||||
|
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
||||||
|
-- see: https://prosody.im/doc/components#adding_an_external_component
|
||||||
|
--
|
||||||
|
--Component "gateway.example.com"
|
||||||
|
-- component_secret = "password"
|
251
integration/18-s2s-websocket/prosody2.cfg.lua
Normal file
251
integration/18-s2s-websocket/prosody2.cfg.lua
Normal file
@ -0,0 +1,251 @@
|
|||||||
|
--Important for systemd
|
||||||
|
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
||||||
|
daemonize = false
|
||||||
|
run_as_root = true
|
||||||
|
|
||||||
|
pidfile = "/run/prosody/prosody.pid"
|
||||||
|
|
||||||
|
plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
|
||||||
|
|
||||||
|
-- Prosody Example Configuration File
|
||||||
|
--
|
||||||
|
-- Information on configuring Prosody can be found on our
|
||||||
|
-- website at https://prosody.im/doc/configure
|
||||||
|
--
|
||||||
|
-- Tip: You can check that the syntax of this file is correct
|
||||||
|
-- when you have finished by running this command:
|
||||||
|
-- prosodyctl check config
|
||||||
|
-- If there are any errors, it will let you know what and where
|
||||||
|
-- they are, otherwise it will keep quiet.
|
||||||
|
--
|
||||||
|
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
||||||
|
-- blanks. Good luck, and happy Jabbering!
|
||||||
|
|
||||||
|
|
||||||
|
---------- Server-wide settings ----------
|
||||||
|
-- Settings in this section apply to the whole server and are the default settings
|
||||||
|
-- for any virtual hosts
|
||||||
|
|
||||||
|
-- This is a (by default, empty) list of accounts that are admins
|
||||||
|
-- for the server. Note that you must create the accounts separately
|
||||||
|
-- (see https://prosody.im/doc/creating_accounts for info)
|
||||||
|
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
||||||
|
admins = { }
|
||||||
|
|
||||||
|
-- Enable use of libevent for better performance under high load
|
||||||
|
-- For more information see: https://prosody.im/doc/libevent
|
||||||
|
--use_libevent = true
|
||||||
|
|
||||||
|
-- Prosody will always look in its source directory for modules, but
|
||||||
|
-- this option allows you to specify additional locations where Prosody
|
||||||
|
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
||||||
|
--plugin_paths = {}
|
||||||
|
|
||||||
|
-- This is the list of modules Prosody will load on startup.
|
||||||
|
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
||||||
|
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
||||||
|
modules_enabled = {
|
||||||
|
|
||||||
|
-- Generally required
|
||||||
|
"roster"; -- Allow users to have a roster. Recommended ;)
|
||||||
|
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
||||||
|
--"tls"; -- Add support for secure TLS on c2s/s2s connections
|
||||||
|
"dialback"; -- s2s dialback support
|
||||||
|
"disco"; -- Service discovery
|
||||||
|
|
||||||
|
-- Not essential, but recommended
|
||||||
|
"carbons"; -- Keep multiple clients in sync
|
||||||
|
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
||||||
|
"private"; -- Private XML storage (for room bookmarks, etc.)
|
||||||
|
"blocklist"; -- Allow users to block communications with other users
|
||||||
|
"vcard4"; -- User profiles (stored in PEP)
|
||||||
|
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
||||||
|
"limits"; -- Enable bandwidth limiting for XMPP connections
|
||||||
|
|
||||||
|
-- Nice to have
|
||||||
|
"version"; -- Replies to server version requests
|
||||||
|
"uptime"; -- Report how long server has been running
|
||||||
|
"time"; -- Let others know the time here on this server
|
||||||
|
"ping"; -- Replies to XMPP pings with pongs
|
||||||
|
"register"; -- Allow users to register on this server using a client and change passwords
|
||||||
|
--"mam"; -- Store messages in an archive and allow users to access it
|
||||||
|
--"csi_simple"; -- Simple Mobile optimizations
|
||||||
|
|
||||||
|
-- Admin interfaces
|
||||||
|
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
||||||
|
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
||||||
|
|
||||||
|
-- HTTP modules
|
||||||
|
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
||||||
|
--"websocket"; -- XMPP over WebSockets
|
||||||
|
--"http_files"; -- Serve static files from a directory over HTTP
|
||||||
|
|
||||||
|
-- Other specific functionality
|
||||||
|
--"groups"; -- Shared roster support
|
||||||
|
--"server_contact_info"; -- Publish contact information for this service
|
||||||
|
--"announce"; -- Send announcement to all online users
|
||||||
|
--"welcome"; -- Welcome users who register accounts
|
||||||
|
--"watchregistrations"; -- Alert admins of registrations
|
||||||
|
--"motd"; -- Send a message to users when they log in
|
||||||
|
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
||||||
|
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
||||||
|
"net_proxy";
|
||||||
|
"s2s_outgoing_proxy";
|
||||||
|
}
|
||||||
|
|
||||||
|
-- These modules are auto-loaded, but should you want
|
||||||
|
-- to disable them then uncomment them here:
|
||||||
|
modules_disabled = {
|
||||||
|
-- "offline"; -- Store offline messages
|
||||||
|
-- "c2s"; -- Handle client connections
|
||||||
|
-- "s2s"; -- Handle server-to-server connections
|
||||||
|
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Disable account creation by default, for security
|
||||||
|
-- For more information see https://prosody.im/doc/creating_accounts
|
||||||
|
allow_registration = false
|
||||||
|
|
||||||
|
-- we don't need prosody doing any encryption, xmpp-proxy does this now
|
||||||
|
-- these are likely set to true somewhere in your file, find them, make them false
|
||||||
|
-- you can also remove all certificates from your config
|
||||||
|
s2s_require_encryption = false
|
||||||
|
s2s_secure_auth = false
|
||||||
|
|
||||||
|
-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
|
||||||
|
s2s_outgoing_proxy = { "192.5.0.50", 15270 }
|
||||||
|
|
||||||
|
-- handle PROXY protocol on these ports
|
||||||
|
proxy_port_mappings = {
|
||||||
|
[15222] = "c2s",
|
||||||
|
[15269] = "s2s"
|
||||||
|
}
|
||||||
|
|
||||||
|
--[[
|
||||||
|
Specifies a list of trusted hosts or networks which may use the PROXY protocol
|
||||||
|
If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
|
||||||
|
An empty table ({}) can be configured to allow connections from any source.
|
||||||
|
Please read the module documentation about potential security impact.
|
||||||
|
]]--
|
||||||
|
proxy_trusted_proxies = {
|
||||||
|
"192.5.0.50"
|
||||||
|
}
|
||||||
|
|
||||||
|
-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
|
||||||
|
-- you might need to comment these out further down in your config file if you set them
|
||||||
|
c2s_ports = {}
|
||||||
|
legacy_ssl_ports = {}
|
||||||
|
-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
|
||||||
|
s2s_ports = {15268}
|
||||||
|
|
||||||
|
-- Force clients to use encrypted connections? This option will
|
||||||
|
-- prevent clients from authenticating unless they are using encryption.
|
||||||
|
|
||||||
|
c2s_require_encryption = false
|
||||||
|
allow_unencrypted_plain_auth = true
|
||||||
|
|
||||||
|
-- Some servers have invalid or self-signed certificates. You can list
|
||||||
|
-- remote domains here that will not be required to authenticate using
|
||||||
|
-- certificates. They will be authenticated using DNS instead, even
|
||||||
|
-- when s2s_secure_auth is enabled.
|
||||||
|
|
||||||
|
--s2s_insecure_domains = { "insecure.example" }
|
||||||
|
|
||||||
|
-- Even if you disable s2s_secure_auth, you can still require valid
|
||||||
|
-- certificates for some domains by specifying a list here.
|
||||||
|
|
||||||
|
--s2s_secure_domains = { "jabber.org" }
|
||||||
|
|
||||||
|
-- Enable rate limits for incoming client and server connections
|
||||||
|
|
||||||
|
limits = {
|
||||||
|
c2s = {
|
||||||
|
rate = "10kb/s";
|
||||||
|
};
|
||||||
|
s2sin = {
|
||||||
|
rate = "30kb/s";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Select the authentication backend to use. The 'internal' providers
|
||||||
|
-- use Prosody's configured data storage to store the authentication data.
|
||||||
|
|
||||||
|
authentication = "internal_hashed"
|
||||||
|
|
||||||
|
-- Select the storage backend to use. By default Prosody uses flat files
|
||||||
|
-- in its configured data directory, but it also supports more backends
|
||||||
|
-- through modules. An "sql" backend is included by default, but requires
|
||||||
|
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
||||||
|
|
||||||
|
--storage = "sql" -- Default is "internal"
|
||||||
|
|
||||||
|
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
||||||
|
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
||||||
|
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
|
||||||
|
|
||||||
|
-- Archiving configuration
|
||||||
|
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
||||||
|
-- is used to synchronize conversations between multiple clients, even if
|
||||||
|
-- they are offline. This setting controls how long Prosody will keep
|
||||||
|
-- messages in the archive before removing them.
|
||||||
|
|
||||||
|
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
||||||
|
|
||||||
|
-- You can also configure messages to be stored in-memory only. For more
|
||||||
|
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
||||||
|
|
||||||
|
-- Logging configuration
|
||||||
|
-- For advanced logging see https://prosody.im/doc/logging
|
||||||
|
log = {
|
||||||
|
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
||||||
|
-- error = "prosody.err";
|
||||||
|
--info = "*syslog"; -- Uncomment this for logging to syslog
|
||||||
|
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
||||||
|
}
|
||||||
|
|
||||||
|
-- Uncomment to enable statistics
|
||||||
|
-- For more info see https://prosody.im/doc/statistics
|
||||||
|
-- statistics = "internal"
|
||||||
|
|
||||||
|
-- Certificates
|
||||||
|
-- Every virtual host and component needs a certificate so that clients and
|
||||||
|
-- servers can securely verify its identity. Prosody will automatically load
|
||||||
|
-- certificates/keys from the directory specified here.
|
||||||
|
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
||||||
|
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
||||||
|
|
||||||
|
-- Location of directory to find certificates in (relative to main config file):
|
||||||
|
certificates = "certs"
|
||||||
|
|
||||||
|
-- HTTPS currently only supports a single certificate, specify it here:
|
||||||
|
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
||||||
|
|
||||||
|
----------- Virtual hosts -----------
|
||||||
|
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
||||||
|
-- Settings under each VirtualHost entry apply *only* to that host.
|
||||||
|
|
||||||
|
VirtualHost "two.example.org"
|
||||||
|
|
||||||
|
--VirtualHost "example.com"
|
||||||
|
-- certificate = "/path/to/example.crt"
|
||||||
|
|
||||||
|
------ Components ------
|
||||||
|
-- You can specify components to add hosts that provide special services,
|
||||||
|
-- like multi-user conferences, and transports.
|
||||||
|
-- For more information on components, see https://prosody.im/doc/components
|
||||||
|
|
||||||
|
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
||||||
|
--Component "conference.example.com" "muc"
|
||||||
|
--- Store MUC messages in an archive and allow users to access it
|
||||||
|
--modules_enabled = { "muc_mam" }
|
||||||
|
|
||||||
|
---Set up an external component (default component port is 5347)
|
||||||
|
--
|
||||||
|
-- External components allow adding various services, such as gateways/
|
||||||
|
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
||||||
|
-- see: https://prosody.im/doc/components#adding_an_external_component
|
||||||
|
--
|
||||||
|
--Component "gateway.example.com"
|
||||||
|
-- component_secret = "password"
|
44
integration/18-s2s-websocket/xmpp-proxy1.toml
Normal file
44
integration/18-s2s-websocket/xmpp-proxy1.toml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
|
||||||
|
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
||||||
|
incoming_listen = [ "0.0.0.0:5222" ]
|
||||||
|
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
||||||
|
quic_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
||||||
|
websocket_listen = [ "0.0.0.0:5281" ]
|
||||||
|
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
||||||
|
outgoing_listen = [ "0.0.0.0:15270" ]
|
||||||
|
|
||||||
|
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
||||||
|
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
||||||
|
|
||||||
|
# c2s port backend XMPP server listens on
|
||||||
|
c2s_target = "192.5.0.20:15222"
|
||||||
|
|
||||||
|
# s2s port backend XMPP server listens on
|
||||||
|
s2s_target = "192.5.0.20:15269"
|
||||||
|
|
||||||
|
# send PROXYv1 header to backend XMPP server
|
||||||
|
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
||||||
|
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
||||||
|
proxy = true
|
||||||
|
|
||||||
|
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
||||||
|
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
||||||
|
# xmpp-proxy will use this many bytes + 16k per connection
|
||||||
|
max_stanza_size_bytes = 262_144
|
||||||
|
|
||||||
|
# TLS key/certificate valid for all your XMPP domains, PEM format
|
||||||
|
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
||||||
|
tls_key = "/etc/prosody/certs/one.example.org.key"
|
||||||
|
tls_cert = "/etc/prosody/certs/one.example.org.crt"
|
||||||
|
|
||||||
|
# configure logging, defaults are commented
|
||||||
|
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
||||||
|
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
||||||
|
#log_level = "info"
|
||||||
|
# for development/debugging:
|
||||||
|
log_level = "info,xmpp_proxy=trace"
|
||||||
|
|
||||||
|
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
||||||
|
#log_style = "never"
|
44
integration/18-s2s-websocket/xmpp-proxy2.toml
Normal file
44
integration/18-s2s-websocket/xmpp-proxy2.toml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
|
||||||
|
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
||||||
|
incoming_listen = [ "0.0.0.0:5222" ]
|
||||||
|
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
||||||
|
quic_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
||||||
|
websocket_listen = [ "0.0.0.0:5281" ]
|
||||||
|
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
||||||
|
outgoing_listen = [ "0.0.0.0:15270" ]
|
||||||
|
|
||||||
|
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
||||||
|
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
||||||
|
|
||||||
|
# c2s port backend XMPP server listens on
|
||||||
|
c2s_target = "192.5.0.30:15222"
|
||||||
|
|
||||||
|
# s2s port backend XMPP server listens on
|
||||||
|
s2s_target = "192.5.0.30:15269"
|
||||||
|
|
||||||
|
# send PROXYv1 header to backend XMPP server
|
||||||
|
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
||||||
|
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
||||||
|
proxy = true
|
||||||
|
|
||||||
|
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
||||||
|
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
||||||
|
# xmpp-proxy will use this many bytes + 16k per connection
|
||||||
|
max_stanza_size_bytes = 262_144
|
||||||
|
|
||||||
|
# TLS key/certificate valid for all your XMPP domains, PEM format
|
||||||
|
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
||||||
|
tls_key = "/etc/prosody/certs/two.example.org.key"
|
||||||
|
tls_cert = "/etc/prosody/certs/two.example.org.crt"
|
||||||
|
|
||||||
|
# configure logging, defaults are commented
|
||||||
|
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
||||||
|
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
||||||
|
#log_level = "info"
|
||||||
|
# for development/debugging:
|
||||||
|
log_level = "info,xmpp_proxy=trace"
|
||||||
|
|
||||||
|
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
||||||
|
#log_style = "never"
|
44
integration/18-s2s-websocket/xmpp-proxy3.toml
Normal file
44
integration/18-s2s-websocket/xmpp-proxy3.toml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
|
||||||
|
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
||||||
|
incoming_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
||||||
|
quic_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
||||||
|
websocket_listen = [ ]
|
||||||
|
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
||||||
|
outgoing_listen = [ "0.0.0.0:5222" ]
|
||||||
|
|
||||||
|
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
||||||
|
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
||||||
|
|
||||||
|
# c2s port backend XMPP server listens on
|
||||||
|
c2s_target = "127.0.0.1:15222"
|
||||||
|
|
||||||
|
# s2s port backend XMPP server listens on
|
||||||
|
s2s_target = "127.0.0.1:15269"
|
||||||
|
|
||||||
|
# send PROXYv1 header to backend XMPP server
|
||||||
|
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
||||||
|
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
||||||
|
proxy = true
|
||||||
|
|
||||||
|
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
||||||
|
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
||||||
|
# xmpp-proxy will use this many bytes + 16k per connection
|
||||||
|
max_stanza_size_bytes = 262_144
|
||||||
|
|
||||||
|
# TLS key/certificate valid for all your XMPP domains, PEM format
|
||||||
|
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
||||||
|
tls_key = "/etc/certs/rsa/one.example.org.key"
|
||||||
|
tls_cert = "/etc/certs/rsa/one.example.org.crt"
|
||||||
|
|
||||||
|
# configure logging, defaults are commented
|
||||||
|
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
||||||
|
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
||||||
|
#log_level = "info"
|
||||||
|
# for development/debugging:
|
||||||
|
log_level = "info,xmpp_proxy=trace"
|
||||||
|
|
||||||
|
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
||||||
|
#log_style = "never"
|
67
integration/Dockerfile
Normal file
67
integration/Dockerfile
Normal file
@ -0,0 +1,67 @@
|
|||||||
|
|
||||||
|
# base image
|
||||||
|
FROM docker.io/library/archlinux AS base
|
||||||
|
|
||||||
|
ENV PACMAN_MIRROR https://burtrum.org/archlinux
|
||||||
|
ENV TZ=America/New_York
|
||||||
|
|
||||||
|
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone && \
|
||||||
|
echo -e "Server = $PACMAN_MIRROR/\$repo/os/\$arch" > /etc/pacman.d/mirrorlist && \
|
||||||
|
pacman -Syu --noconfirm --disable-download-timeout
|
||||||
|
|
||||||
|
# build some things
|
||||||
|
FROM base AS build
|
||||||
|
|
||||||
|
RUN pacman -S --noconfirm --disable-download-timeout --needed rust cargo git mercurial base-devel \
|
||||||
|
lua52 lua52-expat lua52-filesystem lua52-sec lua52-socket && \
|
||||||
|
mkdir -p /build/{src,target}/ && \
|
||||||
|
hg clone 'https://hg.prosody.im/prosody-modules/' /build/prosody-modules && rm -rf /build/prosody-modules/.hg && \
|
||||||
|
git clone https://aur.archlinux.org/scansion-hg.git /build/scansion-hg && \
|
||||||
|
git clone https://aur.archlinux.org/lua52-cjson.git /build/lua52-cjson && \
|
||||||
|
chown -R git: /build/ && ls -lah /build/ && \
|
||||||
|
cd /build/lua52-cjson && su -m -s /bin/bash git makepkg && pacman -U --noconfirm --needed lua52-cjson-*.pkg.tar* && \
|
||||||
|
cd /build/scansion-hg && su -m -s /bin/bash git makepkg
|
||||||
|
|
||||||
|
COPY ./Cargo.* /build/
|
||||||
|
COPY ./src/ /build/src/
|
||||||
|
#COPY ./target/ /build/target/
|
||||||
|
|
||||||
|
ARG BUILD=0
|
||||||
|
|
||||||
|
RUN if [ $BUILD -eq 0 ]; then cd /build && cargo build --release; fi
|
||||||
|
|
||||||
|
# final image
|
||||||
|
FROM base
|
||||||
|
|
||||||
|
COPY --from=build /build/*/*.pkg.tar* /tmp/
|
||||||
|
|
||||||
|
RUN pacman -S --noconfirm --disable-download-timeout --needed bind prosody lua52-sec nss mkcert curl && \
|
||||||
|
pacman -U --noconfirm --needed /tmp/*.pkg.tar* && rm -f /tmp/*.pkg.tar* && \
|
||||||
|
mkdir -p /opt/xmpp-proxy/prosody-modules/ /opt/prosody-modules/ /scansion && mkcert -install && \
|
||||||
|
mkdir -p /etc/certs/ecdsa && cd /etc/certs/ecdsa && \
|
||||||
|
mkcert -ecdsa -cert-file one.example.org.crt -key-file one.example.org.key one.example.org && \
|
||||||
|
mkcert -ecdsa -cert-file two.example.org.crt -key-file two.example.org.key two.example.org && \
|
||||||
|
mkcert -ecdsa -cert-file wildcard.crt -key-file wildcard.key '*.example.org' && \
|
||||||
|
cp wildcard.crt legacy_ssl.crt && cp wildcard.key legacy_ssl.key && \
|
||||||
|
cp wildcard.crt https.crt && cp wildcard.key https.key && \
|
||||||
|
mkdir -p /etc/certs/rsa && cd /etc/certs/rsa && \
|
||||||
|
mkcert -cert-file one.example.org.crt -key-file one.example.org.key one.example.org && \
|
||||||
|
mkcert -cert-file two.example.org.crt -key-file two.example.org.key two.example.org && \
|
||||||
|
mkcert -cert-file wildcard.crt -key-file wildcard.key '*.example.org' && \
|
||||||
|
cp wildcard.crt legacy_ssl.crt && cp wildcard.key legacy_ssl.key && \
|
||||||
|
cp wildcard.crt https.crt && cp wildcard.key https.key && \
|
||||||
|
chmod -R 777 /etc/certs/ && rm -rf /etc/prosody/certs && ln -sf /etc/certs/rsa /etc/prosody/certs
|
||||||
|
|
||||||
|
COPY --from=build /build/prosody-modules /opt/prosody-modules
|
||||||
|
|
||||||
|
COPY --from=build /usr/bin/true /build/target/release/xmpp-prox[y] /usr/bin/
|
||||||
|
|
||||||
|
COPY ./integration/named.conf /etc/
|
||||||
|
COPY ./integration/00-no-tls/example.org.zone /var/named/
|
||||||
|
COPY ./integration/00-no-tls/prosody1.cfg.lua /etc/prosody/prosody.cfg.lua
|
||||||
|
COPY ./contrib/prosody-modules /usr/lib/prosody/modules
|
||||||
|
COPY ./integration/*.scs /scansion/
|
||||||
|
|
||||||
|
ARG ECDSA=0
|
||||||
|
|
||||||
|
RUN if [ $ECDSA -ne 0 ]; then rm -rf /etc/prosody/certs && ln -sf /etc/certs/ecdsa /etc/prosody/certs; fi
|
33
integration/juliet_messages_romeo.scs
Normal file
33
integration/juliet_messages_romeo.scs
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
# Juliet messages Romeo
|
||||||
|
|
||||||
|
[Client] Romeo
|
||||||
|
jid: romeo@one.example.org
|
||||||
|
password: pass
|
||||||
|
connect_host: scansion.one.example.org
|
||||||
|
connect_port: 5222
|
||||||
|
|
||||||
|
[Client] Juliet
|
||||||
|
jid: juliet@two.example.org
|
||||||
|
password: pass
|
||||||
|
connect_host: scansion.two.example.org
|
||||||
|
connect_port: 5222
|
||||||
|
|
||||||
|
---------
|
||||||
|
|
||||||
|
Juliet connects
|
||||||
|
|
||||||
|
Romeo connects
|
||||||
|
|
||||||
|
Juliet sends:
|
||||||
|
<message to="${Romeo's full JID}" type="chat">
|
||||||
|
<body>Hello Romeo!</body>
|
||||||
|
</message>
|
||||||
|
|
||||||
|
Romeo receives:
|
||||||
|
<message to="${Romeo's full JID}" from="${Juliet's full JID}" type="chat">
|
||||||
|
<body>Hello Romeo!</body>
|
||||||
|
</message>
|
||||||
|
|
||||||
|
Juliet disconnects
|
||||||
|
|
||||||
|
Romeo disconnects
|
20
integration/juliet_presence.scs
Normal file
20
integration/juliet_presence.scs
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
# Juliet login and initial presence
|
||||||
|
|
||||||
|
[Client] Juliet
|
||||||
|
jid: juliet@two.example.org
|
||||||
|
password: pass
|
||||||
|
connect_host: scansion.two.example.org
|
||||||
|
connect_port: 5222
|
||||||
|
|
||||||
|
---------
|
||||||
|
|
||||||
|
Juliet connects
|
||||||
|
|
||||||
|
Juliet sends:
|
||||||
|
<presence/>
|
||||||
|
|
||||||
|
Juliet receives:
|
||||||
|
<presence/>
|
||||||
|
|
||||||
|
Juliet disconnects
|
||||||
|
|
65
integration/named.conf
Normal file
65
integration/named.conf
Normal file
@ -0,0 +1,65 @@
|
|||||||
|
// vim:set ts=4 sw=4 et:
|
||||||
|
|
||||||
|
options {
|
||||||
|
directory "/var/named";
|
||||||
|
pid-file "/run/named/named.pid";
|
||||||
|
|
||||||
|
// Uncomment these to enable IPv6 connections support
|
||||||
|
// IPv4 will still work:
|
||||||
|
// listen-on-v6 { any; };
|
||||||
|
// Add this for no IPv4:
|
||||||
|
// listen-on { none; };
|
||||||
|
|
||||||
|
//allow-recursion { 127.0.0.1; };
|
||||||
|
allow-recursion { none; };
|
||||||
|
allow-transfer { none; };
|
||||||
|
allow-update { none; };
|
||||||
|
|
||||||
|
version none;
|
||||||
|
hostname none;
|
||||||
|
server-id none;
|
||||||
|
};
|
||||||
|
|
||||||
|
zone "localhost" IN {
|
||||||
|
type master;
|
||||||
|
file "localhost.zone";
|
||||||
|
};
|
||||||
|
|
||||||
|
zone "0.0.127.in-addr.arpa" IN {
|
||||||
|
type master;
|
||||||
|
file "127.0.0.zone";
|
||||||
|
};
|
||||||
|
|
||||||
|
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
|
||||||
|
type master;
|
||||||
|
file "localhost.ip6.zone";
|
||||||
|
};
|
||||||
|
|
||||||
|
zone "example.org" IN {
|
||||||
|
type master;
|
||||||
|
file "example.org.zone";
|
||||||
|
allow-update { none; };
|
||||||
|
notify no;
|
||||||
|
};
|
||||||
|
|
||||||
|
//zone "example.org" IN {
|
||||||
|
// type slave;
|
||||||
|
// file "example.zone";
|
||||||
|
// masters {
|
||||||
|
// 192.168.1.100;
|
||||||
|
// };
|
||||||
|
// allow-query { any; };
|
||||||
|
// allow-transfer { any; };
|
||||||
|
//};
|
||||||
|
|
||||||
|
//logging {
|
||||||
|
// channel xfer-log {
|
||||||
|
// file "/var/log/named.log";
|
||||||
|
// print-category yes;
|
||||||
|
// print-severity yes;
|
||||||
|
// severity info;
|
||||||
|
// };
|
||||||
|
// category xfer-in { xfer-log; };
|
||||||
|
// category xfer-out { xfer-log; };
|
||||||
|
// category notify { xfer-log; };
|
||||||
|
//};
|
34
integration/romeo_messages_juliet.scs
Normal file
34
integration/romeo_messages_juliet.scs
Normal file
@ -0,0 +1,34 @@
|
|||||||
|
# Romeo messages Juliet
|
||||||
|
|
||||||
|
[Client] Romeo
|
||||||
|
jid: romeo@one.example.org
|
||||||
|
password: pass
|
||||||
|
connect_host: scansion.one.example.org
|
||||||
|
connect_port: 5222
|
||||||
|
|
||||||
|
[Client] Juliet
|
||||||
|
jid: juliet@two.example.org
|
||||||
|
password: pass
|
||||||
|
connect_host: scansion.two.example.org
|
||||||
|
connect_port: 5222
|
||||||
|
|
||||||
|
|
||||||
|
---------
|
||||||
|
|
||||||
|
Romeo connects
|
||||||
|
|
||||||
|
Juliet connects
|
||||||
|
|
||||||
|
Romeo sends:
|
||||||
|
<message to="${Juliet's full JID}" type="chat">
|
||||||
|
<body>Hello Juliet!</body>
|
||||||
|
</message>
|
||||||
|
|
||||||
|
Juliet receives:
|
||||||
|
<message to="${Juliet's full JID}" from="${Romeo's full JID}" type="chat">
|
||||||
|
<body>Hello Juliet!</body>
|
||||||
|
</message>
|
||||||
|
|
||||||
|
Romeo disconnects
|
||||||
|
|
||||||
|
Juliet disconnects
|
20
integration/romeo_presence.scs
Normal file
20
integration/romeo_presence.scs
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
# Romeo login and initial presence
|
||||||
|
|
||||||
|
[Client] Romeo
|
||||||
|
jid: romeo@one.example.org
|
||||||
|
password: pass
|
||||||
|
connect_host: scansion.one.example.org
|
||||||
|
connect_port: 5222
|
||||||
|
|
||||||
|
---------
|
||||||
|
|
||||||
|
Romeo connects
|
||||||
|
|
||||||
|
Romeo sends:
|
||||||
|
<presence/>
|
||||||
|
|
||||||
|
Romeo receives:
|
||||||
|
<presence/>
|
||||||
|
|
||||||
|
Romeo disconnects
|
||||||
|
|
184
integration/test.sh
Executable file
184
integration/test.sh
Executable file
@ -0,0 +1,184 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
set -euxo pipefail
|
||||||
|
|
||||||
|
ipv4='192.5.0'
|
||||||
|
|
||||||
|
# change to this directory
|
||||||
|
cd -P -- "$(dirname -- "${BASH_SOURCE[0]}")"
|
||||||
|
|
||||||
|
usage() { echo "Usage: $0 [-i 192.5.0] [-d] [-r] [-b]" 1>&2; exit 1; }
|
||||||
|
|
||||||
|
build=0
|
||||||
|
build_args=''
|
||||||
|
img='xmpp-proxy-test'
|
||||||
|
xmpp_proxy_bind=''
|
||||||
|
run_blocked=0
|
||||||
|
ecdsa=0
|
||||||
|
while getopts ":i:drbe" o; do
|
||||||
|
case "${o}" in
|
||||||
|
i)
|
||||||
|
ipv4=${OPTARG}
|
||||||
|
echo "you must change the IP in all the containers for this to work, broken for now, exiting..."
|
||||||
|
exit 1
|
||||||
|
;;
|
||||||
|
d)
|
||||||
|
build=1
|
||||||
|
xmpp_proxy_bind='-v ../../target/debug/xmpp-proxy:/usr/bin/xmpp-proxy:ro'
|
||||||
|
;;
|
||||||
|
r)
|
||||||
|
build=1
|
||||||
|
build_args='--release'
|
||||||
|
xmpp_proxy_bind='-v ../../target/release/xmpp-proxy:/usr/bin/xmpp-proxy:ro'
|
||||||
|
;;
|
||||||
|
e)
|
||||||
|
ecdsa=1
|
||||||
|
;;
|
||||||
|
b)
|
||||||
|
run_blocked=1
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
usage
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
shift $((OPTIND-1))
|
||||||
|
|
||||||
|
[ $build -eq 1 ] && img="$img-dev"
|
||||||
|
[ $ecdsa -eq 1 ] && img="$img-ecdsa"
|
||||||
|
|
||||||
|
rm -rf /tmp/xp-logs/
|
||||||
|
mkdir -p /tmp/xp-logs/
|
||||||
|
|
||||||
|
run_container() {
|
||||||
|
set +x
|
||||||
|
args=()
|
||||||
|
if [ "$1" == "-d" ]
|
||||||
|
then
|
||||||
|
args+=("-d")
|
||||||
|
shift
|
||||||
|
fi
|
||||||
|
while [ "$1" == "-v" ]
|
||||||
|
do
|
||||||
|
args+=("-v")
|
||||||
|
shift
|
||||||
|
args+=("$1")
|
||||||
|
shift
|
||||||
|
done
|
||||||
|
ip="$1"
|
||||||
|
shift
|
||||||
|
name="$1"
|
||||||
|
shift
|
||||||
|
|
||||||
|
set -x
|
||||||
|
podman run "${args[@]}" --rm --log-driver=k8s-file "--log-opt=path=/tmp/xp-logs/$dir-$name.log" --network xmpp-proxy-net4 --dns-search example.org --dns "$ipv4.10" --hostname "$name" --name "$name" --ip "$ipv4.$ip" "$img" "$@"
|
||||||
|
}
|
||||||
|
|
||||||
|
cleanup() {
|
||||||
|
set +e
|
||||||
|
podman stop -i -t 0 dns server1 server2 xp1 xp2 xp3 scansion
|
||||||
|
podman rm -f dns server1 server2 xp1 xp2 xp3 scansion
|
||||||
|
# this shuts down all containers first too, handy!
|
||||||
|
podman network rm -f xmpp-proxy-net4
|
||||||
|
set -e
|
||||||
|
}
|
||||||
|
|
||||||
|
run_test() {
|
||||||
|
(
|
||||||
|
set -e
|
||||||
|
podman network exists xmpp-proxy-net4 && cleanup
|
||||||
|
# create the network
|
||||||
|
podman network create --disable-dns --internal --subnet $ipv4.0/24 xmpp-proxy-net4
|
||||||
|
#podman network create --disable-dns --internal --ipv6 --subnet 2001:db8::/64 xmpp-proxy-net6
|
||||||
|
|
||||||
|
# start the dns server
|
||||||
|
run_container -d -v ./example.org.zone:/var/named/example.org.zone:ro 10 dns named -g -u named -d 99
|
||||||
|
|
||||||
|
# start the prosody servers if required
|
||||||
|
[ -f ./prosody1.cfg.lua ] && run_container -d -v ./prosody1.cfg.lua:/etc/prosody/prosody.cfg.lua:ro 20 server1 prosody
|
||||||
|
[ -f ./prosody2.cfg.lua ] && run_container -d -v ./prosody2.cfg.lua:/etc/prosody/prosody.cfg.lua:ro 30 server2 prosody
|
||||||
|
|
||||||
|
[ -f ./xmpp-proxy1.toml ] && run_container -d $xmpp_proxy_bind -v ./xmpp-proxy1.toml:/etc/xmpp-proxy/xmpp-proxy.toml:ro 40 xp1 xmpp-proxy
|
||||||
|
[ -f ./xmpp-proxy2.toml ] && run_container -d $xmpp_proxy_bind -v ./xmpp-proxy2.toml:/etc/xmpp-proxy/xmpp-proxy.toml:ro 50 xp2 xmpp-proxy
|
||||||
|
[ -f ./xmpp-proxy3.toml ] && run_container -d $xmpp_proxy_bind -v ./xmpp-proxy3.toml:/etc/xmpp-proxy/xmpp-proxy.toml:ro 60 xp3 xmpp-proxy
|
||||||
|
|
||||||
|
# we don't care if these fail
|
||||||
|
set +e
|
||||||
|
podman exec server1 prosodyctl register romeo one.example.org pass
|
||||||
|
podman exec server1 prosodyctl register juliet two.example.org pass
|
||||||
|
podman exec server2 prosodyctl register romeo one.example.org pass
|
||||||
|
podman exec server2 prosodyctl register juliet two.example.org pass
|
||||||
|
set -e
|
||||||
|
|
||||||
|
# run the actual tests
|
||||||
|
run_container 99 scansion scansion -d /scansion/
|
||||||
|
# juliet_messages_romeo.scs juliet_presence.scs romeo_messages_juliet.scs romeo_presence.scs
|
||||||
|
#run_container 99 scansion scansion /scansion/juliet_presence.scs /scansion/romeo_presence.scs
|
||||||
|
|
||||||
|
cleanup
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
(
|
||||||
|
set -euxo pipefail
|
||||||
|
|
||||||
|
podman network exists xmpp-proxy-net4 && cleanup
|
||||||
|
|
||||||
|
podman image exists "$img" || podman build -f Dockerfile --build-arg="ECDSA=$ecdsa" --build-arg="BUILD=$build" -t "$img" ..
|
||||||
|
#podman run --rm "$img" openssl pkey -in /etc/prosody/certs/one.example.org.key -text
|
||||||
|
|
||||||
|
if [ $build -eq 1 ]
|
||||||
|
then
|
||||||
|
cd ..
|
||||||
|
cargo build $build_args
|
||||||
|
cd integration
|
||||||
|
fi
|
||||||
|
|
||||||
|
dir_pattern="$(echo "$@" | tr -d '/' | sed -r 's/ +/|/g')"
|
||||||
|
[ -z "$dir_pattern" ] && dir_pattern='.'
|
||||||
|
|
||||||
|
success=()
|
||||||
|
error=()
|
||||||
|
skipped=()
|
||||||
|
|
||||||
|
for dir in */
|
||||||
|
do
|
||||||
|
|
||||||
|
export dir="$(echo "$dir" | tr -d '/')"
|
||||||
|
|
||||||
|
set +e
|
||||||
|
echo "$dir" | grep -E "$dir_pattern" &>/dev/null
|
||||||
|
[ $? -ne 0 ] && skipped+=("$dir") && continue
|
||||||
|
set -e
|
||||||
|
|
||||||
|
cd "$dir"
|
||||||
|
|
||||||
|
[ $run_blocked -eq 0 ] && [ -e blocked ] && skipped+=("$dir") && cd .. && continue
|
||||||
|
|
||||||
|
set +e
|
||||||
|
run_test
|
||||||
|
if [ $? -eq 0 ]
|
||||||
|
then
|
||||||
|
success+=("$dir")
|
||||||
|
else
|
||||||
|
error+=("$dir")
|
||||||
|
cleanup
|
||||||
|
fi
|
||||||
|
set -e
|
||||||
|
|
||||||
|
cd ..
|
||||||
|
|
||||||
|
done
|
||||||
|
|
||||||
|
set +x
|
||||||
|
cat <<EOF
|
||||||
|
|
||||||
|
skipped: ${skipped[@]}
|
||||||
|
|
||||||
|
successful: ${success[@]}
|
||||||
|
|
||||||
|
failed: ${error[@]}
|
||||||
|
EOF
|
||||||
|
|
||||||
|
exit ${#error[@]}
|
||||||
|
)
|
||||||
|
|
Loading…
Reference in New Issue
Block a user