5
.ci/Jenkinsfile
vendored
5
.ci/Jenkinsfile
vendored
@ -28,9 +28,14 @@ node('linux && docker') {
|
||||
|
||||
stage('Build + Deploy') {
|
||||
sh '''
|
||||
./check-all-features.sh || exit 1
|
||||
cargo clean
|
||||
mkdir -p release
|
||||
cp xmpp-proxy.toml release
|
||||
curl --compressed -sL https://code.moparisthebest.com/moparisthebest/self-ci/raw/branch/master/build-ci.sh | bash
|
||||
ret=$?
|
||||
docker system prune -af
|
||||
exit $ret
|
||||
'''
|
||||
}
|
||||
|
||||
|
@ -11,6 +11,10 @@ echo "$TARGET" | grep -E '^x86_64-pc-windows-gnu$' >/dev/null && SUFFIX=".exe"
|
||||
|
||||
# ring fails to compile here
|
||||
echo "$TARGET" | grep -E '^(s390x|powerpc|mips|riscv64gc|.*solaris$)' >/dev/null && echo "$TARGET not supported in rustls" && exit 0
|
||||
|
||||
# running `docker system prune -af` after these because they are roughly every 25% through and my hard drive space is limited
|
||||
echo "$TARGET" | grep -E '^(armv7-unknown-linux-gnueabihf|x86_64-linux-android|mips-unknown-linux-gnu)$' >/dev/null && docker system prune -af
|
||||
|
||||
# mio fails to link here
|
||||
echo "$TARGET" | grep -E '^x86_64-unknown-netbsd$' >/dev/null && echo "$TARGET not supported in mio" && exit 0
|
||||
|
||||
|
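Review bot: `ret=$?` on the line after `curl --compressed -sL ... | bash` records the exit status of `bash`, not of `curl`, because the `sh '''` block sets neither `set -e` nor `set -o pipefail`; a failed or truncated download feeds bash an empty script, `ret` stays 0 and the Build + Deploy stage is reported green. Putting `set -o pipefail` as the first line of the script (or `set -eo pipefail`, since `./check-all-features.sh || exit 1` already fails fast) makes a download failure fail the stage. The script is also fetched from the moving `master` branch of a second repository on every build and executed unverified, so write access to that branch is write access to this deploy job; pinning the URL to a commit and comparing a known digest before running it is the usual mitigation. Which of these lines are new cannot be told from this rendering, and the hunk starting at `@ -11,6 +11,10 @@` appears to belong to the fetched build script rather than to the Jenkinsfile.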
1
.gitattributes
vendored
Normal file
1
.gitattributes
vendored
Normal file
@ -0,0 +1 @@
|
||||
integration/** linguist-documentation
|
4
.gitignore
vendored
4
.gitignore
vendored
@ -1,7 +1,11 @@
|
||||
/target/
|
||||
/target
|
||||
**/*.rs.bk
|
||||
.idea
|
||||
**/*.kate-swp
|
||||
**/out/
|
||||
**/core.*
|
||||
fuzz/target/
|
||||
*.txt
|
||||
conflict/
|
||||
*.test.toml
|
||||
|
1531
Cargo.lock
generated
1531
Cargo.lock
generated
96
Cargo.toml
96
Cargo.toml
@ -1,3 +1,9 @@
|
||||
[workspace]
|
||||
members = [
|
||||
"fuzz",
|
||||
"."
|
||||
]
|
||||
|
||||
[package]
|
||||
name = "xmpp-proxy"
|
||||
version = "1.0.0"
|
||||
@ -20,44 +26,92 @@ include = [
|
||||
]
|
||||
|
||||
[dependencies]
|
||||
toml = "0.5"
|
||||
toml = "0.8"
|
||||
serde_derive = "1.0"
|
||||
serde = { version = "1.0", features = ["derive"] }
|
||||
futures = "0.3"
|
||||
die = "0.2"
|
||||
anyhow = "1.0"
|
||||
tokio = { version = "1.9", features = ["net", "rt", "rt-multi-thread", "macros", "io-util"] }
|
||||
tokio = { version = "1.35", features = ["net", "rt", "rt-multi-thread", "macros", "io-util", "signal", "time"] }
|
||||
ring = "0.17"
|
||||
data-encoding = "2.5"
|
||||
async-trait = "0.1"
|
||||
|
||||
|
||||
# logging deps
|
||||
log = "0.4"
|
||||
rand = { version = "0.8", optional = true, features = [] }
|
||||
env_logger = { version = "0.9", optional = true, features = [] }
|
||||
env_logger = { version = "0.10", optional = true, features = [] }
|
||||
|
||||
# incoming deps
|
||||
tokio-rustls = { version = "0.22", optional = true }
|
||||
tokio-rustls = { version = "0.24", optional = true }
|
||||
webpki = { package = "rustls-webpki", version = "0.101", optional = true }
|
||||
|
||||
# outgoing deps
|
||||
lazy_static = { version = "1.4", optional = true }
|
||||
webpki-roots = { version = "0.21", optional = true }
|
||||
trust-dns-resolver = { version = "0.20", optional = true }
|
||||
#trust-dns-resolver = { version = "0.20", features = ["dns-over-rustls"], optional = true }
|
||||
lazy_static = "1.4"
|
||||
trust-dns-resolver = { version = "0.23", optional = true }
|
||||
# todo: feature+code for dns-over-rustls
|
||||
#trust-dns-resolver = { version = "0.21", features = ["dns-over-rustls"], optional = true }
|
||||
webpki-roots = { version = "0.25", optional = true }
|
||||
rustls-native-certs = { version = "0.6", optional = true }
|
||||
# todo: feed reqwest the roots we already have
|
||||
reqwest = { version = "0.11", optional = true, default-features = false, features = ["rustls-tls-native-roots", "json", "gzip", "trust-dns"] }
|
||||
|
||||
# quic deps
|
||||
quinn = { version = "0.7", optional = true }
|
||||
quinn = { version = "0.10", optional = true }
|
||||
|
||||
# shared deps needed by quic and incoming
|
||||
rustls = { version = "0.21", optional = true, features = ["dangerous_configuration"] }
|
||||
rustls-pemfile = { version = "1.0", optional = true }
|
||||
|
||||
# websocket deps
|
||||
tokio-tungstenite = { version = "0.14", optional = true }
|
||||
tokio-tungstenite = { version = "0.21", optional = true, default-features = false, features = ["handshake"] }
|
||||
futures-util = { version = "0.3", default-features = false, features = ["async-await", "sink", "std"], optional = true }
|
||||
|
||||
# webtransport deps
|
||||
webtransport-quinn = { version = "0.6", optional = true }
|
||||
|
||||
# systemd dep
|
||||
nix = { version = "0.27", optional = true, default-features = false, features = ["socket"]}
|
||||
|
||||
[features]
|
||||
default = ["incoming", "outgoing", "quic", "websocket", "logging"]
|
||||
#default = ["incoming", "outgoing"]
|
||||
#default = ["incoming", "quic"]
|
||||
#default = ["outgoing", "quic"]
|
||||
#default = ["quic"]
|
||||
#default = ["outgoing"]
|
||||
#default = ["incoming"]
|
||||
incoming = ["tokio-rustls"]
|
||||
outgoing = ["tokio-rustls", "trust-dns-resolver", "webpki-roots", "lazy_static"]
|
||||
quic = ["quinn"]
|
||||
websocket = ["tokio-tungstenite"]
|
||||
default = ["c2s-incoming", "c2s-outgoing", "s2s-incoming", "s2s-outgoing", "tls", "quic", "websocket", "webtransport", "logging", "tls-ca-roots-native", "systemd"]
|
||||
|
||||
# you must pick one of these or the other, not both: todo: enable picking both and choosing at runtime
|
||||
# don't need either of these if only doing c2s-incoming
|
||||
tls-ca-roots-native = ["rustls-native-certs", "tokio-rustls", "webpki"] # this loads CA certs from your OS
|
||||
tls-ca-roots-bundled = ["webpki-roots", "webpki"] # this bundles CA certs in the binary
|
||||
|
||||
# internal use only, ignore
|
||||
srv = ["tokio-rustls", "webpki", "trust-dns-resolver", "reqwest"]
|
||||
incoming = ["rustls-pemfile"]
|
||||
outgoing = ["srv"]
|
||||
c2s = []
|
||||
s2s = ["srv", "rustls-pemfile"]
|
||||
|
||||
# you must pick one or more of these, you may pick them all
|
||||
c2s-incoming = ["incoming", "c2s",]
|
||||
c2s-outgoing = ["outgoing", "c2s"]
|
||||
|
||||
s2s-incoming = ["incoming", "s2s"]
|
||||
s2s-outgoing = ["outgoing", "s2s"]
|
||||
|
||||
# protocols you want to support todo: split out tls vs starttls ?
|
||||
tls = ["tokio-rustls", "webpki", "rustls"]
|
||||
quic = ["quinn", "rustls"]
|
||||
websocket = ["tokio-tungstenite", "futures-util", "tls"] # websocket+incoming also enables incoming TLS support as it's free
|
||||
webtransport = ["webtransport-quinn", "quic"] # webtransport requires quic
|
||||
|
||||
logging = ["rand", "env_logger"]
|
||||
systemd = ["nix"]
|
||||
|
||||
# enables unit tests that need network and therefore may be flaky
|
||||
net-test = []
|
||||
|
||||
[dev-dependencies]
|
||||
serde_json = "1.0"
|
||||
|
||||
# need this until a release is made with this commit in it
|
||||
[patch.crates-io]
|
||||
webtransport-quinn = { git = "https://github.com/kixelated/webtransport-rs", rev = "ba1a372a7a89e4ba9f9bc027733f82f87aa9a4fd" }
|
||||
|
||||
|
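Review bot: `rustls = { version = "0.21", optional = true, features = ["dangerous_configuration"] }` turns on the API for replacing rustls's certificate verifier, and nothing in the manifest says which feature needs it; it is pulled in by both `tls` and `quic`, so even a `c2s-incoming,tls` build that verifies no peer certificates carries it. A comment above that line would let the next reader audit it, e.g. `# dangerous_configuration: needed for the custom verifier behind s2s cert validation (CAs, host-meta, POSH); never use it to skip verification` — presumably that is the consumer, per the README in this same compare, but confirm against the code. The `tls-ca-roots-native` / `tls-ca-roots-bundled` comment says "not both", but Cargo features are additive, so `--all-features` or a downstream crate can enable both silently; a guard in the crate root such as `#[cfg(all(feature = "tls-ca-roots-native", feature = "tls-ca-roots-bundled"))] compile_error!("pick exactly one tls-ca-roots-* feature");` would enforce what the comment only asks for.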
103
README.md
103
README.md
@ -1,26 +1,32 @@
|
||||
# xmpp-proxy
|
||||
|
||||
<h1 align="center">
|
||||
<br>
|
||||
<img src="https://raw.githubusercontent.com/moparisthebest/xmpp-proxy/master/contrib/logo/xmpp_proxy_color.png" alt="logo" width="200">
|
||||
<br>
|
||||
xmpp-proxy
|
||||
<br>
|
||||
<br>
|
||||
</h1>
|
||||
|
||||
[![Build Status](https://ci.moparisthe.best/job/moparisthebest/job/xmpp-proxy/job/master/badge/icon%3Fstyle=plastic)](https://ci.moparisthe.best/job/moparisthebest/job/xmpp-proxy/job/master/)
|
||||
|
||||
xmpp-proxy is a reverse proxy and outgoing proxy for XMPP servers and clients, providing STARTTLS,
|
||||
[Direct TLS](https://xmpp.org/extensions/xep-0368.html), [QUIC](https://datatracker.ietf.org/doc/html/draft-ietf-quic-transport),
|
||||
and [WebSocket](https://datatracker.ietf.org/doc/html/rfc7395) connectivity to plain-text XMPP servers and clients and
|
||||
limiting stanza sizes without an XML parser.
|
||||
xmpp-proxy is a reverse proxy and outgoing proxy for XMPP servers and clients, providing [STARTTLS], [Direct TLS], [QUIC],
|
||||
[WebSocket C2S], [WebSocket S2S], and [WebTransport] connectivity to plain-text XMPP servers and clients and limiting stanza sizes without an XML parser.
|
||||
|
||||
xmpp-proxy in reverse proxy (incoming) mode will:
|
||||
1. listen on any number of interfaces/ports
|
||||
2. accept any STARTTLS, Direct TLS, QUIC, or WebSocket c2s or s2s connections from the internet
|
||||
2. accept any STARTTLS, Direct TLS, QUIC, WebSocket, or WebTransport c2s or s2s connections from the internet
|
||||
3. terminate TLS
|
||||
4. connect them to a local real XMPP server over plain-text TCP
|
||||
5. send the [PROXY protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) v1 header if configured, so the
|
||||
XMPP server knows the real client IP
|
||||
6. limit incoming stanza sizes as configured
|
||||
4. for s2s require a client cert and validate it correctly (using CAs, host-meta, host-meta2, and POSH) for SASL EXTERNAL auth
|
||||
5. connect them to a local real XMPP server over plain-text TCP
|
||||
6. send the [PROXY protocol] v1 header if configured, so the XMPP server knows the real client IP
|
||||
7. limit incoming stanza sizes as configured
|
||||
|
||||
xmpp-proxy in outgoing mode will:
|
||||
1. listen on any number of interfaces/ports
|
||||
2. accept any plain-text TCP connection from a local XMPP server or client
|
||||
3. look up the required SRV records
|
||||
4. connect to a real XMPP server across the internet over STARTTLS, Direct TLS, or QUIC
|
||||
2. accept any plain-text TCP or WebSocket connection from a local XMPP server or client
|
||||
3. look up the required SRV, [host-meta], [host-meta2], and [POSH] records
|
||||
4. connect to a real XMPP server across the internet over STARTTLS, Direct TLS, QUIC, WebSocket, or WebTransport
|
||||
5. fallback to next SRV target or defaults as required to fully connect
|
||||
6. perform all the proper required certificate validation logic
|
||||
7. limit incoming stanza sizes as configured
|
||||
@ -34,8 +40,7 @@ xmpp-proxy in outgoing mode will:
|
||||
#### Configuration
|
||||
* `mkdir /etc/xmpp-proxy/ && cp xmpp-proxy.toml /etc/xmpp-proxy/`
|
||||
* edit `/etc/xmpp-proxy/xmpp-proxy.toml` as needed, file is annotated clearly with comments
|
||||
* put your TLS key/cert in `/etc/xmpp-proxy/`, if your key has "RSA PRIVATE KEY" in it, change that to "PRIVATE KEY":
|
||||
`sed -i 's/RSA PRIVATE KEY/PRIVATE KEY/' /etc/xmpp-proxy/le.key`
|
||||
* put your TLS key/cert in `/etc/xmpp-proxy/`
|
||||
* Example systemd unit is provided in xmpp-proxy.service and locks it down with bare minimum permissions. Need to
|
||||
set the permissions correctly: `chown -Rv 'systemd-network:' /etc/xmpp-proxy/`
|
||||
* start xmpp-proxy: `Usage: xmpp-proxy [/path/to/xmpp-proxy.toml (default /etc/xmpp-proxy/xmpp-proxy.toml]`
|
||||
@ -53,7 +58,6 @@ use the provided `xmpp-proxy.toml` configuration as-is.
|
||||
Edit `/etc/prosody/prosody.cfg.lua`, Add these to modules_enabled:
|
||||
```
|
||||
"net_proxy";
|
||||
"secure_interfaces";
|
||||
"s2s_outgoing_proxy";
|
||||
```
|
||||
Until prosody-modules is updated, use my new module [mod_s2s_outgoing_proxy.lua](https://www.moparisthebest.com/mod_s2s_outgoing_proxy.lua).
|
||||
@ -68,13 +72,12 @@ interfaces = { "127.0.0.1" }
|
||||
-- you can also remove all certificates from your config
|
||||
s2s_require_encryption = false
|
||||
s2s_secure_auth = false
|
||||
c2s_require_encryption = false
|
||||
allow_unencrypted_plain_auth = true
|
||||
|
||||
-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
|
||||
s2s_outgoing_proxy = { "127.0.0.1", 15270 }
|
||||
|
||||
-- trust connections coming from these IPs
|
||||
secure_interfaces = { "127.0.0.1", "::1" }
|
||||
|
||||
-- handle PROXY protocol on these ports
|
||||
proxy_port_mappings = {
|
||||
[15222] = "c2s",
|
||||
@ -104,7 +107,7 @@ which also works for s2s.
|
||||
|
||||
Add this config:
|
||||
```
|
||||
-- trust connections coming from these IPs
|
||||
-- trust connections coming to these IPs
|
||||
secure_interfaces = { "127.0.0.1", "::1" }
|
||||
|
||||
-- handle PROXY protocol on these ports
|
||||
@ -126,22 +129,58 @@ s2s_ports = {15268}
|
||||
If you are a grumpy power user who wants to build xmpp-proxy with exactly the features you want, nothing less, nothing
|
||||
more, this section is for you!
|
||||
|
||||
xmpp-proxy has 5 compile-time features:
|
||||
1. `incoming` - enables `incoming_listen` config option for reverse proxy STARTTLS/TLS
|
||||
2. `outgoing` - enables `outgoing_listen` config option for outgoing proxy STARTTLS/TLS
|
||||
3. `quic` - enables `quic_listen` config option for reverse proxy QUIC, and QUIC support for `outgoing` if it is enabled
|
||||
4. `websocket` - enables `websocket_listen` config option for reverse proxy WebSocket
|
||||
5. `logging` - enables configurable logging
|
||||
xmpp-proxy has multiple compile-time features, some of which are required, they are grouped as such:
|
||||
|
||||
So to build only supporting reverse proxy STARTTLS/TLS, no QUIC, run: `cargo build --release --no-default-features --features incoming`
|
||||
To build a reverse proxy only, but supporting all of STARTTLS/TLS/QUIC, run: `cargo build --release --no-default-features --features incoming,quic`
|
||||
choose between 1-4 directions:
|
||||
1. `c2s-incoming` - enables a server to accept incoming c2s connections
|
||||
2. `c2s-outgoing` - enables a client to make outgoing c2s connections
|
||||
3. `s2s-incoming` - enables a server to accept incoming s2s connections
|
||||
4. `s2s-outgoing` - enables a server to make outgoing s2s connections
|
||||
|
||||
choose between 1-4 transport protocols:
|
||||
1. `tls` - enables STARTTLS/TLS support
|
||||
2. `quic` - enables QUIC support
|
||||
3. `websocket` - enables WebSocket support, also enables TLS incoming support if the appropriate directions are enabled
|
||||
4. `webtransport` - enables WebTransport support, also enables QUIC
|
||||
|
||||
choose exactly 1 of these methods to get trusted CA roots, not needed if only `c2s-incoming` is enabled:
|
||||
1. `tls-ca-roots-native` - reads CA roots from operating system
|
||||
2. `tls-ca-roots-bundled` - bundles CA roots into the binary from the `webpki-roots` project
|
||||
|
||||
choose any of these optional features:
|
||||
1. `logging` - enables configurable logging
|
||||
|
||||
So to build only supporting reverse proxy STARTTLS/TLS, no QUIC, run: `cargo build --release --no-default-features --features c2s-incoming,s2s-incoming,tls`
|
||||
To build a reverse proxy only, but supporting all of STARTTLS/TLS/QUIC, run: `cargo build --release --no-default-features --features c2s-incoming,s2s-incoming,tls,quic`
|
||||
|
||||
#### Development
|
||||
|
||||
1. `check-all-features.sh` is used to check compilation with all supported feature permutations
|
||||
2. `integration/test.sh` uses [Rootless podman](https://wiki.archlinux.org/title/Podman#Rootless_Podman) to run many tests
|
||||
through xmpp-proxy on a real network with real dns, web, and xmpp servers, all of these should pass before pushing commits,
|
||||
and write new tests to cover new functionality.
|
||||
3. To submit code changes submit a PR on [github](https://github.com/moparisthebest/xmpp-proxy) or
|
||||
[code.moparisthebest.com](https://code.moparisthebest.com/moparisthebest/xmpp-proxy) or send me a patch via email,
|
||||
XMPP, fediverse, or carrier pigeon.
|
||||
|
||||
#### License
|
||||
GNU/AGPLv3 - Check LICENSE.md for details
|
||||
|
||||
Thanks [rxml](https://github.com/horazont/rxml) for afl-fuzz seeds
|
||||
|
||||
#### todo
|
||||
1. sasl external for s2s, initiating and receiving
|
||||
2. websocket outgoing
|
||||
3. XEP for XMPP-over-QUIC and XMPP-S2S-over-WebSocket
|
||||
#### Todo
|
||||
1. seamless Tor integration, connecting to and from .onion domains
|
||||
2. Write WebTransport XEP
|
||||
3. Document systemd activation support
|
||||
4. Document use-as-a-library support
|
||||
|
||||
[STARTTLS]: https://datatracker.ietf.org/doc/html/rfc6120#section-5
|
||||
[Direct TLS]: https://xmpp.org/extensions/xep-0368.html
|
||||
[QUIC]: https://xmpp.org/extensions/xep-0467.html
|
||||
[WebSocket C2S]: https://datatracker.ietf.org/doc/html/rfc7395
|
||||
[WebSocket S2S]: https://xmpp.org/extensions/xep-0468.html
|
||||
[WebTransport]: https://www.w3.org/TR/webtransport/
|
||||
[POSH]: https://datatracker.ietf.org/doc/html/rfc7711
|
||||
[host-meta]: https://xmpp.org/extensions/xep-0156.html
|
||||
[host-meta2]: https://xmpp.org/extensions/inbox/host-meta-2.html
|
||||
[PROXY protocol]: https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||
|
86
build.rs
Normal file
86
build.rs
Normal file
@ -0,0 +1,86 @@
|
||||
use std::{env, fs::File, io::Write, path::Path};
|
||||
|
||||
fn main() {
|
||||
println!("cargo:rerun-if-changed=build.rs");
|
||||
|
||||
let out_dir = env::var_os("OUT_DIR").unwrap();
|
||||
let dest_path = Path::new(&out_dir).join("version.rs");
|
||||
|
||||
let mut w = File::create(dest_path).unwrap();
|
||||
|
||||
let allowed_features = [
|
||||
"c2s-incoming",
|
||||
"c2s-outgoing",
|
||||
"s2s-incoming",
|
||||
"s2s-outgoing",
|
||||
"tls",
|
||||
"quic",
|
||||
"websocket",
|
||||
"tls-ca-roots-native",
|
||||
"tls-ca-roots-bundled",
|
||||
"logging",
|
||||
"systemd",
|
||||
];
|
||||
let optional_deps = [
|
||||
"rustls",
|
||||
"tokio-rustls",
|
||||
"rustls-pemfile",
|
||||
"quinn",
|
||||
"tokio-tungstenite",
|
||||
"futures-util",
|
||||
"trust-dns-resolver",
|
||||
"reqwest",
|
||||
"lazy-static",
|
||||
"rustls-native-certs",
|
||||
"webpki-roots",
|
||||
"env-logger",
|
||||
"rand",
|
||||
"nix",
|
||||
];
|
||||
let mut features = Vec::new();
|
||||
let mut optional = Vec::new();
|
||||
for (mut key, value) in env::vars() {
|
||||
//writeln!(&mut w, "{key}: {value}", ).unwrap();
|
||||
if value == "1" && key.starts_with("CARGO_FEATURE_") {
|
||||
let mut key = key.split_off(14).replace('_', "-");
|
||||
key.make_ascii_lowercase();
|
||||
if allowed_features.contains(&key.as_str()) {
|
||||
features.push(key);
|
||||
} else if optional_deps.contains(&key.as_str()) {
|
||||
optional.push(key);
|
||||
}
|
||||
}
|
||||
}
|
||||
features.sort_by(|a, b| {
|
||||
allowed_features
|
||||
.iter()
|
||||
.position(|&r| r == a)
|
||||
.unwrap()
|
||||
.partial_cmp(&allowed_features.iter().position(|&r| r == b).unwrap())
|
||||
.unwrap()
|
||||
});
|
||||
optional.sort_by(|a, b| {
|
||||
optional_deps
|
||||
.iter()
|
||||
.position(|&r| r == a)
|
||||
.unwrap()
|
||||
.partial_cmp(&optional_deps.iter().position(|&r| r == b).unwrap())
|
||||
.unwrap()
|
||||
});
|
||||
let features = features.join(",");
|
||||
let optional = optional.join(",");
|
||||
|
||||
let name = env!("CARGO_PKG_NAME");
|
||||
let version = env!("CARGO_PKG_VERSION");
|
||||
|
||||
let target = env::var("TARGET").unwrap();
|
||||
|
||||
writeln!(
|
||||
&mut w,
|
||||
"{{println!(
|
||||
\"{name} {version} ({target})
|
||||
Features: {features}
|
||||
Optional crates: {optional}\");}}"
|
||||
)
|
||||
.unwrap();
|
||||
}
|
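Review bot: The two `sort_by` closures after the environment loop compare `usize` positions with `partial_cmp(...).unwrap()`, which is `Ord::cmp` plus a needless unwrap; `features.sort_by_key(|f| allowed_features.iter().position(|&r| r == f).unwrap());` and the same shape for `optional` over `optional_deps` say the same thing in one line each, and the remaining `unwrap()` is safe only because the `contains` checks in the loop guarantee membership, which deserves a comment. `key.split_off(14)` is a magic number for `"CARGO_FEATURE_".len()`; spelling it that way keeps the prefix test and the slice in sync. `optional_deps` lists `lazy-static`, which the Cargo.toml in this same compare appears to make a non-optional dependency, and omits `webpki`, which is optional there, so the generated `Optional crates:` line will drift from the manifest unless someone updates both by hand; a comment on the array noting that it mirrors `[dependencies]` would at least flag the coupling.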
111
check-all-features.sh
Executable file
111
check-all-features.sh
Executable file
@ -0,0 +1,111 @@
|
||||
#!/bin/bash
|
||||
threads="$1"
|
||||
shift
|
||||
clean_after_num_builds="$1"
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
# if we have access to nproc, divide that by 2, otherwise use 1 thread by default
|
||||
[ "$threads" == "" ] && threads=$(($(nproc || echo 2) / 2))
|
||||
|
||||
# 50 is about 1.5gb, ymmv
|
||||
[ "$clean_after_num_builds" == "" ] && clean_after_num_builds=50
|
||||
|
||||
export clean_after_num_builds
|
||||
|
||||
echo "threads: $threads"
|
||||
echo "clean_after_num_builds: $clean_after_num_builds"
|
||||
|
||||
export RUSTFLAGS=-Awarnings
|
||||
|
||||
show() {
|
||||
local -a results=()
|
||||
let idx=$2
|
||||
for (( j = 0; j < $1; j++ )); do
|
||||
if (( idx % 2 )); then results=("${results[@]}" "${list[$j]}"); fi
|
||||
let idx\>\>=1
|
||||
done
|
||||
echo "${results[@]}"
|
||||
}
|
||||
|
||||
perm_lines() {
|
||||
list=($@)
|
||||
let n=${#list[@]}
|
||||
for (( i = 1; i < 2**n; i++ )); do
|
||||
show $n $i
|
||||
done
|
||||
}
|
||||
|
||||
perms() {
|
||||
perm_lines "$@" | tr ' ' ',' | sort -u
|
||||
}
|
||||
|
||||
perms_optional() {
|
||||
perm_lines "$@" | tr ' ' ',' | sort -u | sed 's/^/,/'
|
||||
}
|
||||
|
||||
all_features() {
|
||||
for optional in "" $(perms_optional logging systemd)
|
||||
do
|
||||
for proto in $(perms tls quic websocket webtransport)
|
||||
do
|
||||
for direction in $(perms c2s-incoming c2s-outgoing s2s-incoming s2s-outgoing)
|
||||
do
|
||||
for ca_roots in tls-ca-roots-native tls-ca-roots-bundled
|
||||
do
|
||||
echo $direction,$proto,$ca_roots$optional
|
||||
done
|
||||
done
|
||||
done
|
||||
done
|
||||
|
||||
for optional in "" $(perms_optional logging systemd)
|
||||
do
|
||||
for proto in $(perms tls quic websocket webtransport)
|
||||
do
|
||||
echo c2s-incoming,$proto$optional
|
||||
done
|
||||
done
|
||||
}
|
||||
|
||||
echo_cargo() {
|
||||
set -euo pipefail
|
||||
#echo cargo run "$@" -- -v
|
||||
#cargo run "$@" -- -v
|
||||
echo cargo check "$@"
|
||||
flock -s /tmp/xmpp-proxy-check-all-features.lock cargo check "$@"
|
||||
ret=$?
|
||||
if [ $ret -ne 0 ]
|
||||
then
|
||||
echo "command failed: cargo check $@"
|
||||
fi
|
||||
(
|
||||
flock -x 200
|
||||
# now we are under an exclusive lock
|
||||
count=$(cat /tmp/xmpp-proxy-check-all-features.count)
|
||||
count=$(( count + 1 ))
|
||||
if [ $count -ge $clean_after_num_builds ]
|
||||
then
|
||||
echo cargo clean
|
||||
cargo clean
|
||||
count=0
|
||||
fi
|
||||
echo $count > /tmp/xmpp-proxy-check-all-features.count
|
||||
|
||||
) 200>/tmp/xmpp-proxy-check-all-features.lock
|
||||
return $ret
|
||||
}
|
||||
|
||||
#all_features | sort -u | wc -l; exit 0
|
||||
|
||||
export -f echo_cargo
|
||||
|
||||
echo 0 > /tmp/xmpp-proxy-check-all-features.count
|
||||
|
||||
echo_cargo
|
||||
|
||||
all_features | sort | xargs -n1 --max-procs=$threads bash -c 'echo_cargo --no-default-features --features "$@" || exit 255' _
|
||||
|
||||
echo good!
|
||||
|
||||
|
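Review bot: `echo_cargo` uses fixed, predictable names in the shared `/tmp` (`/tmp/xmpp-proxy-check-all-features.lock` and `.count`), and `echo 0 > ...count` / `echo $count > ...count` write through whatever already sits at that path, so on a multi-user CI host another account can pre-create those files or a symlink and either clobber the counter (which also decides when `cargo clean` runs) or hold the lock and stall every build. Creating a private directory once near the top and exporting it is the standard fix: `state_dir=$(mktemp -d)`, `export state_dir`, `trap 'rm -rf "$state_dir"' EXIT`, then use `"$state_dir/lock"` and `"$state_dir/count"` inside `echo_cargo` and for the `200>` redirect. The `ret=$?` after `flock -s ... cargo check "$@"` only observes a failure because the xargs call site wraps `echo_cargo` in `|| exit 255`, which disables `set -e` inside the function; the bare `echo_cargo` call above the xargs line has no such wrapper and aborts the whole script before the counter is touched, which looks intended but is worth a comment.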
29
contrib/host-meta/rfc6415.but-valid.xml
Normal file
29
contrib/host-meta/rfc6415.but-valid.xml
Normal file
@ -0,0 +1,29 @@
|
||||
<?xml version='1.0' encoding='UTF-8'?>
|
||||
<XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'
|
||||
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>
|
||||
|
||||
<Expires>2010-01-30T09:30:00Z</Expires>
|
||||
<Subject>http://blog.example.com/article/id/314</Subject>
|
||||
|
||||
<Alias>http://blog.example.com/cool_new_thing</Alias>
|
||||
<Alias>http://blog.example.com/steve/article/7</Alias>
|
||||
|
||||
<Property type='http://blgx.example.net/ns/version'>1.2</Property>
|
||||
<Property type='http://blgx.example.net/ns/version'>1.3</Property>
|
||||
<Property type='http://blgx.example.net/ns/ext' xsi:nil='true'/>
|
||||
|
||||
<Link rel='author' type='text/html'
|
||||
href='http://blog.example.com/author/steve'>
|
||||
<Title>About the Author</Title>
|
||||
<Title xml:lang='en-us'>Author Information</Title>
|
||||
<Property type='http://example.com/role'>editor</Property>
|
||||
</Link>
|
||||
|
||||
<Link rel='author' href='http://example.com/author/john'>
|
||||
<Title>The other guy</Title>
|
||||
<Title>The other author</Title>
|
||||
</Link>
|
||||
|
||||
<Link rel='copyright'
|
||||
template='http://example.com/copyright?id={uri}'/>
|
||||
</XRD>
|
37
contrib/host-meta/rfc6415.json
Normal file
37
contrib/host-meta/rfc6415.json
Normal file
@ -0,0 +1,37 @@
|
||||
{
|
||||
"subject": "http://blog.example.com/article/id/314",
|
||||
"expires": "2010-01-30T09:30:00Z",
|
||||
"aliases": [
|
||||
"http://blog.example.com/cool_new_thing",
|
||||
"http://blog.example.com/steve/article/7"
|
||||
],
|
||||
"properties": {
|
||||
"http://blgx.example.net/ns/version": "1.3",
|
||||
"http://blgx.example.net/ns/ext": null
|
||||
},
|
||||
"links": [
|
||||
{
|
||||
"rel": "author",
|
||||
"type": "text/html",
|
||||
"href": "http://blog.example.com/author/steve",
|
||||
"titles": {
|
||||
"default": "About the Author",
|
||||
"en-us": "Author Information"
|
||||
},
|
||||
"properties": {
|
||||
"http://example.com/role": "editor"
|
||||
}
|
||||
},
|
||||
{
|
||||
"rel": "author",
|
||||
"href": "http://example.com/author/john",
|
||||
"titles": {
|
||||
"default": "The other author"
|
||||
}
|
||||
},
|
||||
{
|
||||
"rel": "copyright",
|
||||
"template": "http://example.com/copyright?id={uri}"
|
||||
}
|
||||
]
|
||||
}
|
29
contrib/host-meta/rfc6415.xml
Normal file
29
contrib/host-meta/rfc6415.xml
Normal file
@ -0,0 +1,29 @@
|
||||
<?xml version='1.0' encoding='UTF-8'?>
|
||||
<XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'
|
||||
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>
|
||||
|
||||
<Subject>http://blog.example.com/article/id/314</Subject>
|
||||
<Expires>2010-01-30T09:30:00Z</Expires>
|
||||
|
||||
<Alias>http://blog.example.com/cool_new_thing</Alias>
|
||||
<Alias>http://blog.example.com/steve/article/7</Alias>
|
||||
|
||||
<Property type='http://blgx.example.net/ns/version'>1.2</Property>
|
||||
<Property type='http://blgx.example.net/ns/version'>1.3</Property>
|
||||
<Property type='http://blgx.example.net/ns/ext' xsi:nil='true'/>
|
||||
|
||||
<Link rel='author' type='text/html'
|
||||
href='http://blog.example.com/author/steve'>
|
||||
<Title>About the Author</Title>
|
||||
<Title xml:lang='en-us'>Author Information</Title>
|
||||
<Property type='http://example.com/role'>editor</Property>
|
||||
</Link>
|
||||
|
||||
<Link rel='author' href='http://example.com/author/john'>
|
||||
<Title>The other guy</Title>
|
||||
<Title>The other author</Title>
|
||||
</Link>
|
||||
|
||||
<Link rel='copyright'
|
||||
template='http://example.com/copyright?id={uri}'/>
|
||||
</XRD>
|
45
contrib/host-meta/xep-0156-current.json
Normal file
45
contrib/host-meta/xep-0156-current.json
Normal file
@ -0,0 +1,45 @@
|
||||
{
|
||||
"subject": "http://blog.example.com/article/id/314",
|
||||
"expires": "2010-01-30T09:30:00Z",
|
||||
"aliases": [
|
||||
"http://blog.example.com/cool_new_thing",
|
||||
"http://blog.example.com/steve/article/7"
|
||||
],
|
||||
"properties": {
|
||||
"http://blgx.example.net/ns/version": "1.3",
|
||||
"http://blgx.example.net/ns/ext": null
|
||||
},
|
||||
"links": [
|
||||
{
|
||||
"rel": "author",
|
||||
"type": "text/html",
|
||||
"href": "http://blog.example.com/author/steve",
|
||||
"titles": {
|
||||
"default": "About the Author",
|
||||
"en-us": "Author Information"
|
||||
},
|
||||
"properties": {
|
||||
"http://example.com/role": "editor"
|
||||
}
|
||||
},
|
||||
{
|
||||
"rel": "author",
|
||||
"href": "http://example.com/author/john",
|
||||
"titles": {
|
||||
"default": "The other author"
|
||||
}
|
||||
},
|
||||
{
|
||||
"rel": "urn:xmpp:alt-connections:xbosh",
|
||||
"href": "https://example.org/http-bind"
|
||||
},
|
||||
{
|
||||
"rel": "urn:xmpp:alt-connections:websocket",
|
||||
"href": "wss://example.org/xmpp-websocket"
|
||||
},
|
||||
{
|
||||
"rel": "copyright",
|
||||
"template": "http://example.com/copyright?id={uri}"
|
||||
}
|
||||
]
|
||||
}
|
33
contrib/host-meta/xep-0156-current.xml
Normal file
33
contrib/host-meta/xep-0156-current.xml
Normal file
@ -0,0 +1,33 @@
|
||||
<?xml version='1.0' encoding='UTF-8'?>
|
||||
<XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'
|
||||
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>
|
||||
|
||||
<Expires>2010-01-30T09:30:00Z</Expires>
|
||||
<Subject>http://blog.example.com/article/id/314</Subject>
|
||||
|
||||
<Alias>http://blog.example.com/cool_new_thing</Alias>
|
||||
<Alias>http://blog.example.com/steve/article/7</Alias>
|
||||
|
||||
<Property type='http://blgx.example.net/ns/version'>1.2</Property>
|
||||
<Property type='http://blgx.example.net/ns/version'>1.3</Property>
|
||||
<Property type='http://blgx.example.net/ns/ext' xsi:nil='true'/>
|
||||
|
||||
<Link rel='author' type='text/html'
|
||||
href='http://blog.example.com/author/steve'>
|
||||
<Title>About the Author</Title>
|
||||
<Title xml:lang='en-us'>Author Information</Title>
|
||||
<Property type='http://example.com/role'>editor</Property>
|
||||
</Link>
|
||||
|
||||
<Link rel='author' href='http://example.com/author/john'>
|
||||
<Title>The other guy</Title>
|
||||
<Title>The other author</Title>
|
||||
</Link>
|
||||
|
||||
<Link rel='urn:xmpp:alt-connections:xbosh' href='https://example.org/http-bind'/>
|
||||
|
||||
<Link rel='urn:xmpp:alt-connections:websocket' href='wss://example.org/xmpp-websocket'/>
|
||||
|
||||
<Link rel='copyright'
|
||||
template='http://example.com/copyright?id={uri}'/>
|
||||
</XRD>
|
1
contrib/host-meta/xep-0156-minimal.json
Normal file
1
contrib/host-meta/xep-0156-minimal.json
Normal file
@ -0,0 +1 @@
|
||||
{"links":[{"rel":"urn:xmpp:alt-connections:xbosh","href":"https://example.org/http-bind"},{"rel":"urn:xmpp:alt-connections:websocket","href":"wss://example.org/xmpp-websocket"}]}
|
87
contrib/host-meta/xep-0156-proposed-minimal.json
Normal file
87
contrib/host-meta/xep-0156-proposed-minimal.json
Normal file
@ -0,0 +1,87 @@
|
||||
{
|
||||
"xmpp": {
|
||||
"ttl": 3000,
|
||||
"public-key-pins-sha-256": [
|
||||
"4/mggdlVx8A3pvHAWW5sD+qJyMtUHgiRuPjVC48N0XQ="
|
||||
]
|
||||
},
|
||||
"links": [
|
||||
{
|
||||
"rel": "urn:xmpp:alt-connections:websocket",
|
||||
"href": "wss://other.example.org/xmpp-websocket",
|
||||
"ips": [
|
||||
"1.2.3.4",
|
||||
"fd00:feed:dad:beef::1"
|
||||
],
|
||||
"priority": 15,
|
||||
"weight": 50,
|
||||
"sni": "example.org",
|
||||
"alpn": [
|
||||
"h2",
|
||||
"http/1.1",
|
||||
"h3"
|
||||
],
|
||||
"ech": "eG1wcC1jbGllbnQ="
|
||||
},
|
||||
{
|
||||
"rel": "urn:xmpp:alt-connections:tls",
|
||||
"port": 443,
|
||||
"ips": [
|
||||
"1.2.3.4",
|
||||
"fd00:feed:dad:beef::1"
|
||||
],
|
||||
"priority": 10,
|
||||
"weight": 50,
|
||||
"sni": "example.org",
|
||||
"ech": "eG1wcC1jbGllbnQ="
|
||||
},
|
||||
{
|
||||
"rel": "urn:xmpp:alt-connections:quic",
|
||||
"port": 443,
|
||||
"ips": [
|
||||
"1.2.3.4",
|
||||
"fd00:feed:dad:beef::1"
|
||||
],
|
||||
"priority": 5,
|
||||
"weight": 50,
|
||||
"sni": "example.org",
|
||||
"ech": "eG1wcC1jbGllbnQ="
|
||||
},
|
||||
{
|
||||
"rel": "urn:xmpp:alt-connections:s2s-websocket",
|
||||
"href": "wss://other.example.org/s2s-xmpp-websocket",
|
||||
"ips": [
|
||||
"1.2.3.4",
|
||||
"fd00:feed:dad:beef::1"
|
||||
],
|
||||
"priority": 15,
|
||||
"weight": 50,
|
||||
"sni": "example.org",
|
||||
"ech": "eG1wcC1jbGllbnQ="
|
||||
},
|
||||
{
|
||||
"rel": "urn:xmpp:alt-connections:s2s-tls",
|
||||
"port": 443,
|
||||
"ips": [
|
||||
"1.2.3.4",
|
||||
"fd00:feed:dad:beef::1"
|
||||
],
|
||||
"priority": 10,
|
||||
"weight": 50,
|
||||
"sni": "example.org",
|
||||
"ech": "eG1wcC1jbGllbnQ="
|
||||
},
|
||||
{
|
||||
"rel": "urn:xmpp:alt-connections:s2s-quic",
|
||||
"port": 443,
|
||||
"ips": [
|
||||
"1.2.3.4",
|
||||
"fd00:feed:dad:beef::1"
|
||||
],
|
||||
"priority": 5,
|
||||
"weight": 50,
|
||||
"sni": "example.org",
|
||||
"ech": "eG1wcC1jbGllbnQ="
|
||||
}
|
||||
]
|
||||
}
|
133
contrib/host-meta/xep-0156-proposed.json
Normal file
133
contrib/host-meta/xep-0156-proposed.json
Normal file
@ -0,0 +1,133 @@
|
||||
{
|
||||
"subject": "http://blog.example.com/article/id/314",
|
||||
"expires": "2010-01-30T09:30:00Z",
|
||||
"aliases": [
|
||||
"http://blog.example.com/cool_new_thing",
|
||||
"http://blog.example.com/steve/article/7"
|
||||
],
|
||||
"properties": {
|
||||
"http://blgx.example.net/ns/version": "1.3",
|
||||
"http://blgx.example.net/ns/ext": null
|
||||
},
|
||||
"xmpp": {
|
||||
"ttl": 3000,
|
||||
"public-key-pins-sha-256": [
|
||||
"4/mggdlVx8A3pvHAWW5sD+qJyMtUHgiRuPjVC48N0XQ="
|
||||
]
|
||||
},
|
||||
"links": [
|
||||
{
|
||||
"rel": "author",
|
||||
"type": "text/html",
|
||||
"href": "http://blog.example.com/author/steve",
|
||||
"titles": {
|
||||
"default": "About the Author",
|
||||
"en-us": "Author Information"
|
||||
},
|
||||
"properties": {
|
||||
"http://example.com/role": "editor"
|
||||
}
|
||||
},
|
||||
{
|
||||
"rel": "author",
|
||||
"href": "http://example.com/author/john",
|
||||
"titles": {
|
||||
"default": "The other author"
|
||||
}
|
||||
},
|
||||
{
|
||||
"rel": "urn:xmpp:alt-connections:xbosh",
|
||||
"href": "https://example.org/http-bind"
|
||||
},
|
||||
{
|
||||
"rel": "urn:xmpp:alt-connections:websocket",
|
||||
"href": "wss://example.org/xmpp-websocket"
|
||||
},
|
||||
{
|
||||
"rel": "urn:xmpp:alt-connections:websocket",
|
||||
"href": "wss://other.example.org/xmpp-websocket",
|
||||
"ips": [
|
||||
"1.2.3.4",
|
||||
"fd00:feed:dad:beef::1"
|
||||
],
|
||||
"priority": 15,
|
||||
"weight": 50,
|
||||
"sni": "example.org",
|
||||
"alpn": [
|
||||
"h2",
|
||||
"http/1.1",
|
||||
"h3"
|
||||
],
|
||||
"ech": "eG1wcC1jbGllbnQ="
|
||||
},
|
||||
{
|
||||
"rel": "urn:xmpp:alt-connections:tls",
|
||||
"port": 443,
|
||||
"ips": [
|
||||
"1.2.3.4",
|
||||
"fd00:feed:dad:beef::1"
|
||||
],
|
||||
"priority": 10,
|
||||
"weight": 50,
|
||||
"sni": "example.org",
|
||||
"ech": "eG1wcC1jbGllbnQ="
|
||||
},
|
||||
{
|
||||
"rel": "urn:xmpp:alt-connections:quic",
|
||||
"port": 443,
|
||||
"ips": [
|
||||
"1.2.3.4",
|
||||
"fd00:feed:dad:beef::1"
|
||||
],
|
||||
"priority": 5,
|
||||
"weight": 50,
|
||||
"sni": "example.org",
|
||||
"ech": "eG1wcC1jbGllbnQ="
|
||||
},
|
||||
{
|
||||
"rel": "urn:xmpp:alt-connections:s2s-websocket",
|
||||
"href": "wss://other.example.org/s2s-xmpp-websocket",
|
||||
"ips": [
|
||||
"1.2.3.4",
|
||||
"fd00:feed:dad:beef::1"
|
||||
],
|
||||
"priority": 15,
|
||||
"weight": 50,
|
||||
"sni": "example.org",
|
||||
"alpn": [
|
||||
"h2",
|
||||
"http/1.1",
|
||||
"h3"
|
||||
],
|
||||
"ech": "eG1wcC1jbGllbnQ="
|
||||
},
|
||||
{
|
||||
"rel": "urn:xmpp:alt-connections:s2s-tls",
|
||||
"port": 443,
|
||||
"ips": [
|
||||
"1.2.3.4",
|
||||
"fd00:feed:dad:beef::1"
|
||||
],
|
||||
"priority": 10,
|
||||
"weight": 50,
|
||||
"sni": "example.org",
|
||||
"ech": "eG1wcC1jbGllbnQ="
|
||||
},
|
||||
{
|
||||
"rel": "urn:xmpp:alt-connections:s2s-quic",
|
||||
"port": 443,
|
||||
"ips": [
|
||||
"1.2.3.4",
|
||||
"fd00:feed:dad:beef::1"
|
||||
],
|
||||
"priority": 5,
|
||||
"weight": 50,
|
||||
"sni": "example.org",
|
||||
"ech": "eG1wcC1jbGllbnQ="
|
||||
},
|
||||
{
|
||||
"rel": "copyright",
|
||||
"template": "http://example.com/copyright?id={uri}"
|
||||
}
|
||||
]
|
||||
}
|
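Review bot: The `"expires": "2010-01-30T09:30:00Z"` value near the top of this example is well in the past, so a deployment that copies the file as-is publishes a host-meta document that consumers honouring `expires` should already treat as stale. Since JSON has no comment syntax, either move the date to an obviously future placeholder or call out in the README that `expires` must be set per deployment. The same applies to the `"public-key-pins-sha-256"` entry and the `"ech"` values, which are placeholders that must be replaced with the deployment's real values.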
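--- a/contrib/host-meta/xml-validate.sh
+++ b/contrib/host-meta/xml-validate.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec xmllint --noout --schema xrd-1.0-os.xsd "$1"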
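Review bot: `xrd-1.0-os.xsd` is resolved relative to the caller's working directory, so the script only validates correctly when run from `contrib/host-meta/` and fails with a schema-not-found error elsewhere. The schema is added next to the script in this commit, so anchoring on the script's own location fixes it: `exec xmllint --noout --schema "$(dirname "$0")/xrd-1.0-os.xsd" "$1"`. A one-line usage comment (`# usage: xml-validate.sh host-meta.xml`) would also help, since the script takes exactly one positional argument.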
105
contrib/host-meta/xrd-1.0-os.xsd
Normal file
@ -0,0 +1,105 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<schema
|
||||
targetNamespace="http://docs.oasis-open.org/ns/xri/xrd-1.0"
|
||||
xmlns="http://www.w3.org/2001/XMLSchema"
|
||||
xmlns:xrd="http://docs.oasis-open.org/ns/xri/xrd-1.0"
|
||||
elementFormDefault="unqualified"
|
||||
attributeFormDefault="unqualified"
|
||||
blockDefault="substitution"
|
||||
version="1.0">
|
||||
|
||||
<import namespace="http://www.w3.org/XML/1998/namespace"
|
||||
schemaLocation="http://www.w3.org/2001/xml.xsd"/>
|
||||
|
||||
<annotation>
|
||||
<documentation>
|
||||
Document identifier: xrd-schema-1.0
|
||||
Location: http://docs.oasis-open.org/xri/xrd/v1.0/
|
||||
</documentation>
|
||||
</annotation>
|
||||
|
||||
<complexType name="anyURI">
|
||||
<simpleContent>
|
||||
<extension base="anyURI">
|
||||
<anyAttribute namespace="##other" processContents="lax"/>
|
||||
</extension>
|
||||
</simpleContent>
|
||||
</complexType>
|
||||
|
||||
<complexType name="string">
|
||||
<simpleContent>
|
||||
<extension base="string">
|
||||
<anyAttribute namespace="##other" processContents="lax"/>
|
||||
</extension>
|
||||
</simpleContent>
|
||||
</complexType>
|
||||
|
||||
<element name="XRDS" type="xrd:XRDSType"/>
|
||||
<complexType name="XRDSType">
|
||||
<sequence>
|
||||
<element ref="xrd:XRD" minOccurs="0" maxOccurs="unbounded"/>
|
||||
</sequence>
|
||||
<attribute name="ref" type="anyURI" use="optional"/>
|
||||
</complexType>
|
||||
|
||||
<element name="XRD" type="xrd:XRDType"/>
|
||||
<complexType name="XRDType">
|
||||
<sequence>
|
||||
<element ref="xrd:Expires" minOccurs="0"/>
|
||||
<element ref="xrd:Subject" minOccurs="0"/>
|
||||
<choice minOccurs="0" maxOccurs="unbounded">
|
||||
<element ref="xrd:Alias"/>
|
||||
<element ref="xrd:Property"/>
|
||||
<element ref="xrd:Link"/>
|
||||
<any namespace="##other" processContents="lax"/>
|
||||
</choice>
|
||||
</sequence>
|
||||
<attribute ref="xml:id" use="optional"/>
|
||||
<anyAttribute namespace="##other" processContents="lax"/>
|
||||
</complexType>
|
||||
|
||||
<element name="Expires" type="xrd:ExpiresType"/>
|
||||
<complexType name="ExpiresType">
|
||||
<simpleContent>
|
||||
<extension base="dateTime">
|
||||
<anyAttribute namespace="##other" processContents="lax"/>
|
||||
</extension>
|
||||
</simpleContent>
|
||||
</complexType>
|
||||
|
||||
<element name="Subject" type="xrd:anyURI"/>
|
||||
<element name="Alias" type="xrd:anyURI"/>
|
||||
|
||||
<element name="Property" type="xrd:PropertyType" nillable="true"/>
|
||||
<complexType name="PropertyType">
|
||||
<simpleContent>
|
||||
<extension base="xrd:string">
|
||||
<attribute name="type" type="anyURI" use="required"/>
|
||||
</extension>
|
||||
</simpleContent>
|
||||
</complexType>
|
||||
|
||||
<element name="Link" type="xrd:LinkType"/>
|
||||
<complexType name="LinkType">
|
||||
<choice minOccurs="0" maxOccurs="unbounded">
|
||||
<element ref="xrd:Title"/>
|
||||
<element ref="xrd:Property"/>
|
||||
<any namespace="##other" processContents="lax"/>
|
||||
</choice>
|
||||
<attribute name="rel" type="anyURI" use="optional"/>
|
||||
<attribute name="type" type="string" use="optional"/>
|
||||
<attribute name="href" type="anyURI" use="optional"/>
|
||||
<attribute name="template" type="string" use="optional"/>
|
||||
<anyAttribute namespace="##other" processContents="lax"/>
|
||||
</complexType>
|
||||
|
||||
<element name="Title" type="xrd:TitleType"/>
|
||||
<complexType name="TitleType">
|
||||
<simpleContent>
|
||||
<extension base="xrd:string">
|
||||
<attribute ref="xml:lang" use="optional"/>
|
||||
</extension>
|
||||
</simpleContent>
|
||||
</complexType>
|
||||
|
||||
</schema>
|
321
contrib/logo/xmpp_proxy_bw.svg
Normal file
File diff suppressed because one or more lines are too long
BIN
contrib/logo/xmpp_proxy_color.png
Normal file
Binary file not shown.
189
contrib/logo/xmpp_proxy_color.svg
Normal file
File diff suppressed because one or more lines are too long
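--- a/contrib/posh.sh
+++ b/contrib/posh.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# these are just examples for how to grab and hash certificates for POSH
+# adapted from https://curl.se/libcurl/c/CURLOPT_PINNEDPUBLICKEY.html
+
+# this is for any direct TLS port like xmpps or https
+openssl s_client -servername posh.badxmpp.eu -connect posh.badxmpp.eu:443 < /dev/null | sed -n "/-----BEGIN/,/-----END/p" > posh.badxmpp.eu.pem
+openssl asn1parse -noout -inform pem -in posh.badxmpp.eu.pem -out posh.badxmpp.eu.der
+openssl dgst -sha256 -binary posh.badxmpp.eu.der | openssl base64 | tr -d '\n' > posh.badxmpp.eu.der.sha256
+openssl dgst -sha512 -binary posh.badxmpp.eu.der | openssl base64 | tr -d '\n' > posh.badxmpp.eu.der.sha512
+
+openssl base64 < posh.badxmpp.eu.der | tr -d '\n' > posh.badxmpp.eu.der.base64
+
+# this is for any starttls xmpp port
+openssl s_client -starttls xmpp -name posh.badxmpp.eu -servername posh.badxmpp.eu -connect snikket2.prosody.im:5222 < /dev/null | sed -n "/-----BEGIN/,/-----END/p" > posh.badxmpp.eu.5222.pem
+openssl asn1parse -noout -inform pem -in posh.badxmpp.eu.5222.pem -out posh.badxmpp.eu.5222.der
+openssl dgst -sha256 -binary posh.badxmpp.eu.5222.der | openssl base64 | tr -d '\n' > posh.badxmpp.eu.5222.der.sha256
+openssl dgst -sha512 -binary posh.badxmpp.eu.5222.der | openssl base64 | tr -d '\n' > posh.badxmpp.eu.5222.der.sha512
+
+openssl base64 < posh.badxmpp.eu.5222.der | tr -d '\n' > posh.badxmpp.eu.5222.der.base64
+
+wget https://posh.badxmpp.eu/.well-known/posh/xmpp-server.json https://posh.badxmpp.eu/.well-known/posh/xmpp-client.json
+
+grep . *.sha*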
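Review bot: Both `openssl s_client` invocations hash whatever certificate the remote end happens to present, with no chain or hostname verification, so the SHA-256/SHA-512 values written to the `.sha256`/`.sha512` files pin an unverified certificate; because the header comment says these hashes are destined for a POSH document, the script should either check the `Verify return code` in the `s_client` output (or run it with `-verify_return_error`) or, preferably, compute the digests from the certificate file on the server itself. The `sed` range keeps only the first PEM block, i.e. the leaf certificate, which is what POSH pins but is worth stating in the comment, e.g. `# only the leaf certificate is kept; POSH fingerprints are over the leaf`. The final `grep . *.sha*` also matches any unrelated `*.sha*` files in the working directory, so restricting it to the files the script wrote (`grep . posh.badxmpp.eu*.sha*`) avoids confusing output.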
467
contrib/prosody-modules/mod_net_proxy.lua
Normal file
@ -0,0 +1,467 @@
|
||||
-- mod_net_proxy.lua
|
||||
-- Copyright (C) 2018 Pascal Mathis <mail@pascalmathis.com>
|
||||
--
|
||||
-- Implementation of PROXY protocol versions 1 and 2
|
||||
-- Specifications: https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||
|
||||
module:set_global();
|
||||
|
||||
-- Imports
|
||||
local softreq = require "util.dependencies".softreq;
|
||||
local bit = assert(softreq "bit" or softreq "bit32" or softreq "util.bitcompat", "No bit module found. See https://prosody.im/doc/depends#bitop");
|
||||
local hex = require "util.hex";
|
||||
local ip = require "util.ip";
|
||||
local net = require "util.net";
|
||||
local set = require "util.set";
|
||||
local portmanager = require "core.portmanager";
|
||||
|
||||
-- Backwards Compatibility
|
||||
local function net_ntop_bc(input)
|
||||
if input:len() == 4 then
|
||||
return string.format("%d.%d.%d.%d", input:byte(1, 4));
|
||||
elseif input:len() == 16 then
|
||||
local octets = { nil, nil, nil, nil, nil, nil, nil, nil };
|
||||
|
||||
-- Convert received bytes into IPv6 address and skip leading zeroes for each group
|
||||
for index = 1, 8 do
|
||||
local high, low = input:byte(index * 2 - 1, index * 2);
|
||||
octets[index] = string.format("%x", high * 256 + low);
|
||||
end
|
||||
local address = table.concat(octets, ":", 1, 8);
|
||||
|
||||
-- Search for the longest sequence of zeroes
|
||||
local token;
|
||||
local length = (address:match("^0:[0:]+()") or 1) - 1;
|
||||
for s in address:gmatch(":0:[0:]+") do
|
||||
if length < #s then
|
||||
length, token = #s, s;
|
||||
end
|
||||
end
|
||||
|
||||
-- Return the shortened IPv6 address
|
||||
return address:gsub(token or "^0:[0:]+", "::", 1);
|
||||
end
|
||||
end
|
||||
|
||||
local net_ntop = net.ntop or net_ntop_bc
|
||||
|
||||
-- Utility Functions
|
||||
local function _table_invert(input)
|
||||
local output = {};
|
||||
for key, value in pairs(input) do
|
||||
output[value] = key;
|
||||
end
|
||||
return output;
|
||||
end
|
||||
|
||||
-- Constants
|
||||
local ADDR_FAMILY = { UNSPEC = 0x0, INET = 0x1, INET6 = 0x2, UNIX = 0x3 };
|
||||
local ADDR_FAMILY_STR = _table_invert(ADDR_FAMILY);
|
||||
local TRANSPORT = { UNSPEC = 0x0, STREAM = 0x1, DGRAM = 0x2 };
|
||||
local TRANSPORT_STR = _table_invert(TRANSPORT);
|
||||
|
||||
local PROTO_MAX_HEADER_LENGTH = 256;
|
||||
local PROTO_HANDLERS = {
|
||||
PROXYv1 = { signature = hex.from("50524F5859"), callback = nil },
|
||||
PROXYv2 = { signature = hex.from("0D0A0D0A000D0A515549540A"), callback = nil }
|
||||
};
|
||||
local PROTO_HANDLER_STATUS = { SUCCESS = 0, POSTPONE = 1, FAILURE = 2 };
|
||||
|
||||
-- Configuration Variables
|
||||
local config_mappings = module:get_option("proxy_port_mappings", {});
|
||||
local config_ports = module:get_option_set("proxy_ports", {});
|
||||
local config_trusted_proxies = module:get_option_set("proxy_trusted_proxies", {"127.0.0.1", "::1"});
|
||||
|
||||
-- Persistent In-Memory Storage
|
||||
local sessions = {};
|
||||
local mappings = {};
|
||||
local trusted_networks = set.new();
|
||||
|
||||
-- Proxy Data Methods
|
||||
local proxy_data_mt = {}; proxy_data_mt.__index = proxy_data_mt;
|
||||
|
||||
function proxy_data_mt:describe()
|
||||
return string.format("proto=%s/%s src=%s:%d dst=%s:%d",
|
||||
self:addr_family_str(), self:transport_str(), self:src_addr(), self:src_port(), self:dst_addr(), self:dst_port());
|
||||
end
|
||||
|
||||
function proxy_data_mt:addr_family_str()
|
||||
return ADDR_FAMILY_STR[self._addr_family] or ADDR_FAMILY_STR[ADDR_FAMILY.UNSPEC];
|
||||
end
|
||||
|
||||
function proxy_data_mt:transport_str()
|
||||
return TRANSPORT_STR[self._transport] or TRANSPORT_STR[TRANSPORT.UNSPEC];
|
||||
end
|
||||
|
||||
function proxy_data_mt:version()
|
||||
return self._version;
|
||||
end
|
||||
|
||||
function proxy_data_mt:addr_family()
|
||||
return self._addr_family;
|
||||
end
|
||||
|
||||
function proxy_data_mt:transport()
|
||||
return self._transport;
|
||||
end
|
||||
|
||||
function proxy_data_mt:src_addr()
|
||||
return self._src_addr;
|
||||
end
|
||||
|
||||
function proxy_data_mt:src_port()
|
||||
return self._src_port;
|
||||
end
|
||||
|
||||
function proxy_data_mt:dst_addr()
|
||||
return self._dst_addr;
|
||||
end
|
||||
|
||||
function proxy_data_mt:dst_port()
|
||||
return self._dst_port;
|
||||
end
|
||||
|
||||
-- Protocol Handler Functions
|
||||
PROTO_HANDLERS["PROXYv1"].callback = function(conn, session)
|
||||
local addr_family_mappings = { TCP4 = ADDR_FAMILY.INET, TCP6 = ADDR_FAMILY.INET6 };
|
||||
|
||||
-- Postpone processing if CRLF (PROXYv1 header terminator) does not exist within buffer
|
||||
if session.buffer:find("\r\n") == nil then
|
||||
return PROTO_HANDLER_STATUS.POSTPONE, nil;
|
||||
end
|
||||
|
||||
-- Declare header pattern and match current buffer against pattern
|
||||
local header_pattern = "^PROXY (%S+) (%S+) (%S+) (%d+) (%d+)\r\n";
|
||||
local addr_family, src_addr, dst_addr, src_port, dst_port = session.buffer:match(header_pattern);
|
||||
src_port, dst_port = tonumber(src_port), tonumber(dst_port);
|
||||
|
||||
-- Ensure that header was successfully parsed and contains a valid address family
|
||||
if addr_family == nil or src_addr == nil or dst_addr == nil or src_port == nil or dst_port == nil then
|
||||
module:log("warn", "Received unparseable PROXYv1 header from %s", conn:ip());
|
||||
return PROTO_HANDLER_STATUS.FAILURE, nil;
|
||||
end
|
||||
if addr_family_mappings[addr_family] == nil then
|
||||
module:log("warn", "Received invalid PROXYv1 address family from %s: %s", conn:ip(), addr_family);
|
||||
return PROTO_HANDLER_STATUS.FAILURE, nil;
|
||||
end
|
||||
|
||||
-- Ensure that received source and destination ports are within 1 and 65535 (0xFFFF)
|
||||
if src_port <= 0 or src_port >= 0xFFFF then
|
||||
module:log("warn", "Received invalid PROXYv1 source port from %s: %d", conn:ip(), src_port);
|
||||
return PROTO_HANDLER_STATUS.FAILURE, nil;
|
||||
end
|
||||
if dst_port <= 0 or dst_port >= 0xFFFF then
|
||||
module:log("warn", "Received invalid PROXYv1 destination port from %s: %d", conn:ip(), dst_port);
|
||||
return PROTO_HANDLER_STATUS.FAILURE, nil;
|
||||
end
|
||||
|
||||
-- Ensure that received source and destination address can be parsed
|
||||
local _, err = ip.new_ip(src_addr);
|
||||
if err ~= nil then
|
||||
module:log("warn", "Received unparseable PROXYv1 source address from %s: %s", conn:ip(), src_addr);
|
||||
return PROTO_HANDLER_STATUS.FAILURE, nil;
|
||||
end
|
||||
_, err = ip.new_ip(dst_addr);
|
||||
if err ~= nil then
|
||||
module:log("warn", "Received unparseable PROXYv1 destination address from %s: %s", conn:ip(), dst_addr);
|
||||
return PROTO_HANDLER_STATUS.FAILURE, nil;
|
||||
end
|
||||
|
||||
-- Strip parsed header from session buffer and build proxy data
|
||||
session.buffer = session.buffer:gsub(header_pattern, "");
|
||||
|
||||
local proxy_data = {
|
||||
_version = 1,
|
||||
_addr_family = addr_family, _transport = TRANSPORT.STREAM,
|
||||
_src_addr = src_addr, _src_port = src_port,
|
||||
_dst_addr = dst_addr, _dst_port = dst_port
|
||||
};
|
||||
setmetatable(proxy_data, proxy_data_mt);
|
||||
|
||||
-- Return successful response with gathered proxy data
|
||||
return PROTO_HANDLER_STATUS.SUCCESS, proxy_data;
|
||||
end
|
||||
|
||||
PROTO_HANDLERS["PROXYv2"].callback = function(conn, session)
|
||||
-- Postpone processing if less than 16 bytes are available
|
||||
if #session.buffer < 16 then
|
||||
return PROTO_HANDLER_STATUS.POSTPONE, nil;
|
||||
end
|
||||
|
||||
-- Parse first 16 bytes of protocol header
|
||||
local version = bit.rshift(bit.band(session.buffer:byte(13), 0xF0), 4);
|
||||
local command = bit.band(session.buffer:byte(13), 0x0F);
|
||||
local addr_family = bit.rshift(bit.band(session.buffer:byte(14), 0xF0), 4);
|
||||
local transport = bit.band(session.buffer:byte(14), 0x0F);
|
||||
local length = bit.bor(session.buffer:byte(16), bit.lshift(session.buffer:byte(15), 8));
|
||||
|
||||
-- Postpone processing if less than 16+<length> bytes are available
|
||||
if #session.buffer < 16 + length then
|
||||
return PROTO_HANDLER_STATUS.POSTPONE, nil;
|
||||
end
|
||||
|
||||
-- Ensure that version number is correct
|
||||
if version ~= 0x2 then
|
||||
module:log("warn", "Received unsupported PROXYv2 version from %s: %d", conn:ip(), version);
|
||||
return PROTO_HANDLER_STATUS.FAILURE, nil;
|
||||
end
|
||||
|
||||
local payload = session.buffer:sub(17);
|
||||
if command == 0x0 then
|
||||
-- Gather source/destination addresses and ports from local socket
|
||||
local src_addr, src_port = conn:socket():getpeername();
|
||||
local dst_addr, dst_port = conn:socket():getsockname();
|
||||
|
||||
-- Build proxy data based on real connection information
|
||||
local proxy_data = {
|
||||
_version = version,
|
||||
_addr_family = addr_family, _transport = transport,
|
||||
_src_addr = src_addr, _src_port = src_port,
|
||||
_dst_addr = dst_addr, _dst_port = dst_port
|
||||
};
|
||||
setmetatable(proxy_data, proxy_data_mt);
|
||||
|
||||
-- Return successful response with gathered proxy data
|
||||
return PROTO_HANDLER_STATUS.SUCCESS, proxy_data;
|
||||
elseif command == 0x1 then
|
||||
local offset = 1;
|
||||
local src_addr, src_port, dst_addr, dst_port;
|
||||
|
||||
-- Verify transport protocol is either STREAM or DGRAM
|
||||
if transport ~= TRANSPORT.STREAM and transport ~= TRANSPORT.DGRAM then
|
||||
module:log("warn", "Received unsupported PROXYv2 transport from %s: 0x%02X", conn:ip(), transport);
|
||||
return PROTO_HANDLER_STATUS.FAILURE, nil;
|
||||
end
|
||||
|
||||
-- Parse source and destination addresses
|
||||
if addr_family == ADDR_FAMILY.INET then
|
||||
src_addr = net_ntop(payload:sub(offset, offset + 3)); offset = offset + 4;
|
||||
dst_addr = net_ntop(payload:sub(offset, offset + 3)); offset = offset + 4;
|
||||
elseif addr_family == ADDR_FAMILY.INET6 then
|
||||
src_addr = net_ntop(payload:sub(offset, offset + 15)); offset = offset + 16;
|
||||
dst_addr = net_ntop(payload:sub(offset, offset + 15)); offset = offset + 16;
|
||||
elseif addr_family == ADDR_FAMILY.UNIX then
|
||||
src_addr = payload:sub(offset, offset + 107); offset = offset + 108;
|
||||
dst_addr = payload:sub(offset, offset + 107); offset = offset + 108;
|
||||
end
|
||||
|
||||
-- Parse source and destination ports
|
||||
if addr_family == ADDR_FAMILY.INET or addr_family == ADDR_FAMILY.INET6 then
|
||||
src_port = bit.bor(payload:byte(offset + 1), bit.lshift(payload:byte(offset), 8)); offset = offset + 2;
|
||||
-- luacheck: ignore 311
|
||||
dst_port = bit.bor(payload:byte(offset + 1), bit.lshift(payload:byte(offset), 8)); offset = offset + 2;
|
||||
end
|
||||
|
||||
-- Strip parsed header from session buffer and build proxy data
|
||||
session.buffer = session.buffer:sub(17 + length);
|
||||
|
||||
local proxy_data = {
|
||||
_version = version,
|
||||
_addr_family = addr_family, _transport = transport,
|
||||
_src_addr = src_addr, _src_port = src_port,
|
||||
_dst_addr = dst_addr, _dst_port = dst_port
|
||||
};
|
||||
setmetatable(proxy_data, proxy_data_mt);
|
||||
|
||||
-- Return successful response with gathered proxy data
|
||||
return PROTO_HANDLER_STATUS.SUCCESS, proxy_data;
|
||||
else
|
||||
module:log("warn", "Received unsupported PROXYv2 command from %s: 0x%02X", conn:ip(), command);
|
||||
return PROTO_HANDLER_STATUS.FAILURE, nil;
|
||||
end
|
||||
end
|
||||
|
||||
-- Wrap an existing connection with the provided proxy data. This will override several methods of the 'conn' object to
|
||||
-- return the proxied source instead of the source which initiated the TCP connection. Afterwards, the listener of the
|
||||
-- connection gets set according to the globally defined port<>service mappings and the methods 'onconnect' and
|
||||
-- 'onincoming' are being called manually with the current session buffer.
|
||||
local function wrap_proxy_connection(conn, session, proxy_data)
|
||||
-- Override and add functions of 'conn' object when source information has been collected
|
||||
conn.proxyip, conn.proxyport = conn.ip, conn.port;
|
||||
if proxy_data:src_addr() ~= nil and proxy_data:src_port() ~= nil then
|
||||
conn.ip = function()
|
||||
return proxy_data:src_addr();
|
||||
end
|
||||
conn.port = function()
|
||||
return proxy_data:src_port();
|
||||
end
|
||||
conn.clientport = conn.port;
|
||||
end
|
||||
|
||||
-- Attempt to find service by processing port<>service mappings
|
||||
local mapping = mappings[tonumber(conn:serverport())];
|
||||
if mapping == nil then
|
||||
conn:close();
|
||||
module:log("warn", "Connection %s@%s terminated: Could not find mapping for port %d",
|
||||
conn:ip(), conn:proxyip(), conn:serverport());
|
||||
return;
|
||||
end
|
||||
|
||||
if mapping.service == nil then
|
||||
local service = portmanager.get_service(mapping.service_name);
|
||||
|
||||
if service ~= nil then
|
||||
mapping.service = service;
|
||||
else
|
||||
conn:close();
|
||||
module:log("warn", "Connection %s@%s terminated: Could not process mapping for unknown service %s",
|
||||
conn:ip(), conn:proxyip(), mapping.service_name);
|
||||
return;
|
||||
end
|
||||
end
|
||||
|
||||
-- Pass connection to actual service listener and simulate onconnect/onincoming callbacks
|
||||
local service_listener = mapping.service.listener;
|
||||
|
||||
module:log("info", "Passing proxied connection %s:%d to service %s", conn:ip(), conn:port(), mapping.service_name);
|
||||
conn:setlistener(service_listener);
|
||||
if service_listener.onconnect then
|
||||
service_listener.onconnect(conn);
|
||||
end
|
||||
return service_listener.onincoming(conn, session.buffer);
|
||||
end
|
||||
|
||||
local function is_trusted_proxy(conn)
|
||||
-- If no trusted proxies were configured, trust any incoming connection
|
||||
-- While this may seem insecure, the module defaults to only trusting 127.0.0.1 and ::1
|
||||
if trusted_networks:empty() then
|
||||
return true;
|
||||
end
|
||||
|
||||
-- Iterate through all trusted proxies and check for match against connected IP address
|
||||
local conn_ip = ip.new_ip(conn:ip());
|
||||
for trusted_network in trusted_networks:items() do
|
||||
if ip.match(trusted_network.ip, conn_ip, trusted_network.cidr) then
|
||||
return true;
|
||||
end
|
||||
end
|
||||
|
||||
-- Connection does not match any trusted proxy
|
||||
return false;
|
||||
end
|
||||
|
||||
-- Network Listener Methods
|
||||
local listener = {};
|
||||
|
||||
function listener.onconnect(conn)
|
||||
-- Silently drop connections with an IP address of <nil>, which can happen when the socket was closed before the
|
||||
-- responsible net.server backend was able to grab the IP address of the connecting client.
|
||||
if conn:ip() == nil then
|
||||
conn:close();
|
||||
return;
|
||||
end
|
||||
|
||||
-- Check if connection is coming from a trusted proxy
|
||||
if not is_trusted_proxy(conn) then
|
||||
conn:close();
|
||||
module:log("warn", "Dropped connection from untrusted proxy: %s", conn:ip());
|
||||
return;
|
||||
end
|
||||
|
||||
-- Initialize session variables
|
||||
sessions[conn] = {
|
||||
handler = nil;
|
||||
buffer = nil;
|
||||
};
|
||||
end
|
||||
|
||||
function listener.onincoming(conn, data)
|
||||
-- Abort processing if no data has been received
|
||||
if not data then
|
||||
return;
|
||||
end
|
||||
|
||||
-- Lookup session for connection and append received data to buffer
|
||||
local session = sessions[conn];
|
||||
session.buffer = session.buffer and session.buffer .. data or data;
|
||||
|
||||
-- Attempt to determine protocol handler if not done previously
|
||||
if session.handler == nil then
|
||||
-- Match current session buffer against all known protocol signatures to determine protocol handler
|
||||
for handler_name, handler in pairs(PROTO_HANDLERS) do
|
||||
if session.buffer:find("^" .. handler.signature) ~= nil then
|
||||
session.handler = handler.callback;
|
||||
module:log("debug", "Detected %s connection from %s:%d", handler_name, conn:ip(), conn:port());
|
||||
break;
|
||||
end
|
||||
end
|
||||
|
||||
-- Decide between waiting for a complete header signature or terminating the connection when no handler has been found
|
||||
if session.handler == nil then
|
||||
-- Terminate connection if buffer size has exceeded tolerable maximum size
|
||||
if #session.buffer > PROTO_MAX_HEADER_LENGTH then
|
||||
conn:close();
|
||||
module:log("warn", "Connection %s:%d terminated: No valid PROXY header within %d bytes",
|
||||
conn:ip(), conn:port(), PROTO_MAX_HEADER_LENGTH);
|
||||
end
|
||||
|
||||
-- Skip further processing without a valid protocol handler
|
||||
module:log("debug", "No valid header signature detected from %s:%d, waiting for more data...",
|
||||
conn:ip(), conn:port());
|
||||
return;
|
||||
end
|
||||
end
|
||||
|
||||
-- Execute proxy protocol handler and process response
|
||||
local response, proxy_data = session.handler(conn, session);
|
||||
if response == PROTO_HANDLER_STATUS.SUCCESS then
|
||||
module:log("info", "Received PROXY header from %s: %s", conn:ip(), proxy_data:describe());
|
||||
return wrap_proxy_connection(conn, session, proxy_data);
|
||||
elseif response == PROTO_HANDLER_STATUS.POSTPONE then
|
||||
module:log("debug", "Postponed parsing of incomplete PROXY header received from %s", conn:ip());
|
||||
return;
|
||||
elseif response == PROTO_HANDLER_STATUS.FAILURE then
|
||||
conn:close();
|
||||
module:log("warn", "Connection %s terminated: Could not process PROXY header from client, " +
|
||||
"see previous log messages.", conn:ip());
|
||||
return;
|
||||
else
|
||||
-- This code should be never reached, but is included for completeness
|
||||
conn:close();
|
||||
module:log("warn", "Connection terminated: Received invalid protocol handler response with code %d", response);
|
||||
return;
|
||||
end
|
||||
end
|
||||
|
||||
function listener.ondisconnect(conn)
|
||||
sessions[conn] = nil;
|
||||
end
|
||||
|
||||
listener.ondetach = listener.ondisconnect;
|
||||
|
||||
-- Parse trusted proxies which can either contain single hosts or networks
|
||||
if not config_trusted_proxies:empty() then
|
||||
for trusted_proxy in config_trusted_proxies:items() do
|
||||
local network = {};
|
||||
network.ip, network.cidr = ip.parse_cidr(trusted_proxy);
|
||||
trusted_networks:add(network);
|
||||
end
|
||||
else
|
||||
module:log("warn", "No trusted proxies configured, all connections will be accepted - this might be dangerous");
|
||||
end
|
||||
|
||||
-- Process all configured port mappings and generate a list of mapped ports
|
||||
local mapped_ports = {};
|
||||
for port, mapping in pairs(config_mappings) do
|
||||
port = tonumber(port);
|
||||
table.insert(mapped_ports, port);
|
||||
mappings[port] = {
|
||||
service_name = mapping,
|
||||
service = nil,
|
||||
};
|
||||
end
|
||||
|
||||
-- Log error message when user manually specifies ports without configuring the necessary port mappings
|
||||
if not config_ports:empty() then
|
||||
local missing_ports = config_ports - set.new(mapped_ports);
|
||||
if not missing_ports:empty() then
|
||||
module:log("error", "Missing port<>service mappings for these ports: %s", tostring(missing_ports));
|
||||
end
|
||||
end
|
||||
|
||||
-- Register the previously declared network listener
|
||||
module:provides("net", {
|
||||
name = "proxy";
|
||||
listener = listener;
|
||||
default_ports = mapped_ports;
|
||||
});
|
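Review bot: Lua has no `+` string concatenation, so the FAILURE branch of `listener.onincoming` (`"Connection %s terminated: Could not process PROXY header from client, " + "see previous log messages."`) raises an arithmetic-on-string error after `conn:close()` instead of logging; the intended line is `module:log("warn", "Connection %s terminated: Could not process PROXY header from client, " .. "see previous log messages.", conn:ip());`. The PROXYv2 handler also uses the declared `length` only to decide when enough bytes have been buffered; for `command == 0x1` it then reads 12, 36 or 216 payload bytes depending on `addr_family` without checking that `length` covers them, so a truncated header from a trusted proxy feeds nil into `bit.lshift` rather than returning `PROTO_HANDLER_STATUS.FAILURE`, and a per-family minimum-length check before the address parsing would close that gap. The PROXYv1 port checks `src_port >= 0xFFFF` and `dst_port >= 0xFFFF` reject port 65535 although the comment above them says the range is 1 to 65535 inclusive; `> 0xFFFF` matches the comment. This file is a vendored copy of the upstream module (per its header), so these are best fixed upstream or noted as local patches.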
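--- a/contrib/prosody-modules/mod_s2s_outgoing_proxy.lua
+++ b/contrib/prosody-modules/mod_s2s_outgoing_proxy.lua
@@ -0,0 +1,105 @@
+local st = require"util.stanza";
+local new_ip = require"util.ip".new_ip;
+local new_outgoing = require"core.s2smanager".new_outgoing;
+local bounce_sendq = module:depends"s2s".route_to_new_session.bounce_sendq;
+local initialize_filters = require "util.filters".initialize;
+local st = require "util.stanza";
+
+local portmanager = require "core.portmanager";
+
+local addclient = require "net.server".addclient;
+
+module:depends("s2s");
+
+local sessions = module:shared("sessions");
+
+local s2s_outgoing_proxy = module:get_option("s2s_outgoing_proxy");
+
+local host, port = s2s_outgoing_proxy[1] or s2s_outgoing_proxy, tonumber(s2s_outgoing_proxy[2]) or 15270;
+
+-- The proxy_listener handles connection while still connecting to the proxy,
+-- then it hands them over to the normal listener (in mod_s2s)
+local proxy_listener = { default_port = port, default_mode = "*a", default_interface = "*" };
+
+function proxy_listener.onconnect(conn)
+local session = sessions[conn];
+
+-- Now the real s2s listener can take over the connection.
+local listener = portmanager.get_service("s2s").listener;
+
+session.proxy_handler = nil;
+
+local w, log = conn.send, session.log;
+
+local filter = initialize_filters(session);
+
+session.version = 1;
+
+session.sends2s = function (t)
+log("debug", "sending (s2s over proxy): %s", (t.top_tag and t:top_tag()) or t:match("^[^>]*>?"));
+if t.name then
+t = filter("stanzas/out", t);
+end
+if t then
+t = filter("bytes/out", tostring(t));
+if t then
+return conn:write(tostring(t));
+end
+end
+end
+
+session.open_stream = function ()
+session.sends2s(st.stanza("stream:stream", {
+xmlns='jabber:server', ["xmlns:db"]='jabber:server:dialback',
+["xmlns:stream"]='http://etherx.jabber.org/streams',
+from=session.from_host, to=session.to_host, version='1.0', ["xml:lang"]='en'}):top_tag());
+end
+
+conn.setlistener(conn, listener);
+
+listener.register_outgoing(conn, session);
+
+listener.onconnect(conn);
+
+-- this marks outgoing s2s as secure so we accept SASL EXTERNAL on it
+session.secure = true;
+end
+
+function proxy_listener.register_outgoing(conn, session)
+session.direction = "outgoing";
+sessions[conn] = session;
+end
+
+function proxy_listener.ondisconnect(conn, err)
+sessions[conn] = nil;
+end
+
+module:hook("route/remote", function(event)
+local from_host, to_host, stanza = event.from_host, event.to_host, event.stanza;
+log("debug", "opening a new outgoing connection for this stanza");
+local host_session = new_outgoing(from_host, to_host);
+
+-- Store in buffer
+host_session.bounce_sendq = bounce_sendq;
+host_session.sendq = { {tostring(stanza), stanza.attr.type ~= "error" and stanza.attr.type ~= "result" and st.reply(stanza)} };
+log("debug", "stanza [%s] queued until connection complete", tostring(stanza.name));
+
+local conn = addclient(host, port, proxy_listener, "*a");
+
+proxy_listener.register_outgoing(conn, host_session);
+
+host_session.conn = conn;
+return true;
+end, -2);
+
+-- todo: is this the best place to do this hook?
+-- this hook marks incoming s2s as secure so we offer SASL EXTERNAL on it
+module:hook("s2s-stream-features", function(event)
+local session, features = event.origin, event.features;
+if session.type == "s2sin_unauthed" then
+module:log("debug", "marking hook session.type '%s' secure with validated cert!", session.type);
+session.secure = true;
+session.cert_chain_status = "valid";
+session.cert_identity_status = "valid";
+end
+end, 3000);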
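--- /dev/null
+++ b/contrib/prosody-modules/mod_secure_interfaces.lua
@@ -0,0 +1,39 @@
+local secure_interfaces = module:get_option_set("secure_interfaces", { "127.0.0.1", "::1" });
+
+local function mark_secure(event, expected_type)
+local session = event.origin;
+if session.type ~= expected_type then return; end
+local socket = session.conn:socket();
+if not socket.getsockname then
+module:log("debug", "Unable to determine local address of incoming connection");
+return;
+end
+local localip = socket:getsockname();
+if secure_interfaces:contains(localip) then
+module:log("debug", "Marking session from %s to %s as secure", session.ip or "[?]", localip);
+session.secure = true;
+session.conn.starttls = false;
+else
+module:log("debug", "Not marking session from %s to %s as secure", session.ip or "[?]", localip);
+end
+end
+
+module:hook("stream-features", function (event)
+mark_secure(event, "c2s_unauthed");
+end, 25000);
+
+module:hook("s2s-stream-features", function (event)
+mark_secure(event, "s2sin_unauthed");
+end, 25000);
+
+-- todo: is this the best place to do this hook?
+-- this hook marks incoming s2s as secure so we offer SASL EXTERNAL on it
+module:hook("s2s-stream-features", function(event)
+local session, features = event.origin, event.features;
+if session.type == "s2sin_unauthed" then
+module:log("debug", "marking hook session.type '%s' secure with validated cert!", session.type);
+session.secure = true;
+session.cert_chain_status = "valid";
+session.cert_identity_status = "valid";
+end
+end, 3000);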
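Review bot: The final `s2s-stream-features` hook sets `session.secure = true` and both `cert_chain_status` and `cert_identity_status` to `"valid"` for every `s2sin_unauthed` session no matter which local address it arrived on, so the `secure_interfaces` check that `mark_secure` applies a few lines earlier does not constrain it, and any peer able to reach Prosody's s2s listener directly rather than through the proxy on a listed interface is presented as carrying a validated certificate — which, per the hook's own comment, is what gets SASL EXTERNAL offered to it. Since Prosody runs higher-priority hooks first, the priority-25000 `mark_secure` has already decided whether the local address is trusted by the time this hook runs, so the smallest safe change is to move the two cert-status assignments into `mark_secure`'s secure branch, guarded on `expected_type == "s2sin_unauthed"`, and delete the unconditional hook. Whether xmpp-proxy actually validates the peer certificate before forwarding on those interfaces is not visible here and should be confirmed before trusting these fields. Binding the s2s listener only to the listed addresses is a worthwhile independent belt-and-braces step.
```lua
-- … unchanged: secure_interfaces option, mark_secure up to the secure branch …
	if secure_interfaces:contains(localip) then
		module:log("debug", "Marking session from %s to %s as secure", session.ip or "[?]", localip);
		session.secure = true;
		session.conn.starttls = false;
		if expected_type == "s2sin_unauthed" then
			-- the proxy in front of this interface is trusted to have validated the peer
			-- certificate; these fields are what lets SASL EXTERNAL be offered to it
			session.cert_chain_status = "valid";
			session.cert_identity_status = "valid";
		end
-- … unchanged: else branch, end of mark_secure, the two priority-25000 hooks …
-- the unconditional priority-3000 "s2s-stream-features" hook is removed
```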
588
fuzz/Cargo.lock
generated
@ -1,588 +0,0 @@
|
||||
# This file is automatically @generated by Cargo.
|
||||
# It is not intended for manual editing.
|
||||
[[package]]
|
||||
name = "afl"
|
||||
version = "0.10.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "a5023646d631c14f4b24425600280676437b2c39d58f9cce91a6187e7af929f4"
|
||||
dependencies = [
|
||||
"cc",
|
||||
"clap",
|
||||
"libc",
|
||||
"rustc_version",
|
||||
"xdg",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "ansi_term"
|
||||
version = "0.11.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "ee49baf6cb617b853aa8d93bf420db2383fab46d314482ca2803b40d5fde979b"
|
||||
dependencies = [
|
||||
"winapi",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "anyhow"
|
||||
version = "1.0.40"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "28b2cd92db5cbd74e8e5028f7e27dd7aa3090e89e4f2a197cc7c8dfb69c7063b"
|
||||
|
||||
[[package]]
|
||||
name = "atty"
|
||||
version = "0.2.14"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "d9b39be18770d11421cdb1b9947a45dd3f37e93092cbf377614828a319d5fee8"
|
||||
dependencies = [
|
||||
"hermit-abi",
|
||||
"libc",
|
||||
"winapi",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "autocfg"
|
||||
version = "1.0.1"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "cdb031dd78e28731d87d56cc8ffef4a8f36ca26c38fe2de700543e627f8a464a"
|
||||
|
||||
[[package]]
|
||||
name = "bitflags"
|
||||
version = "1.2.1"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "cf1de2fe8c75bc145a2f577add951f8134889b4795d47466a54a5c846d691693"
|
||||
|
||||
[[package]]
|
||||
name = "block-buffer"
|
||||
version = "0.9.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "4152116fd6e9dadb291ae18fc1ec3575ed6d84c29642d97890f4b4a3417297e4"
|
||||
dependencies = [
|
||||
"generic-array",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "bytes"
|
||||
version = "1.0.1"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "b700ce4376041dcd0a327fd0097c41095743c4c8af8887265942faf1100bd040"
|
||||
|
||||
[[package]]
|
||||
name = "cc"
|
||||
version = "1.0.67"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "e3c69b077ad434294d3ce9f1f6143a2a4b89a8a2d54ef813d85003a4fd1137fd"
|
||||
|
||||
[[package]]
|
||||
name = "cfg-if"
|
||||
version = "1.0.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
|
||||
|
||||
[[package]]
|
||||
name = "clap"
|
||||
version = "2.33.3"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "37e58ac78573c40708d45522f0d80fa2f01cc4f9b4e2bf749807255454312002"
|
||||
dependencies = [
|
||||
"ansi_term",
|
||||
"atty",
|
||||
"bitflags",
|
||||
"strsim",
|
||||
"textwrap",
|
||||
"unicode-width",
|
||||
"vec_map",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "cpufeatures"
|
||||
version = "0.1.3"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "281f563b2c3a0e535ab12d81d3c5859045795256ad269afa7c19542585b68f93"
|
||||
dependencies = [
|
||||
"libc",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "die"
|
||||
version = "0.2.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "f8634d5e6139f7364a4e99bd718b2f511f2f25863146360e70909bc45a016290"
|
||||
|
||||
[[package]]
|
||||
name = "digest"
|
||||
version = "0.9.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "d3dd60d1080a57a05ab032377049e0591415d2b31afd7028356dbf3cc6dcb066"
|
||||
dependencies = [
|
||||
"generic-array",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "futures"
|
||||
version = "0.3.15"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "0e7e43a803dae2fa37c1f6a8fe121e1f7bf9548b4dfc0522a42f34145dadfc27"
|
||||
dependencies = [
|
||||
"futures-channel",
|
||||
"futures-core",
|
||||
"futures-executor",
|
||||
"futures-io",
|
||||
"futures-sink",
|
||||
"futures-task",
|
||||
"futures-util",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "futures-channel"
|
||||
version = "0.3.15"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "e682a68b29a882df0545c143dc3646daefe80ba479bcdede94d5a703de2871e2"
|
||||
dependencies = [
|
||||
"futures-core",
|
||||
"futures-sink",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "futures-core"
|
||||
version = "0.3.15"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "0402f765d8a89a26043b889b26ce3c4679d268fa6bb22cd7c6aad98340e179d1"
|
||||
|
||||
[[package]]
|
||||
name = "futures-executor"
|
||||
version = "0.3.15"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "badaa6a909fac9e7236d0620a2f57f7664640c56575b71a7552fbd68deafab79"
|
||||
dependencies = [
|
||||
"futures-core",
|
||||
"futures-task",
|
||||
"futures-util",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "futures-io"
|
||||
version = "0.3.15"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "acc499defb3b348f8d8f3f66415835a9131856ff7714bf10dadfc4ec4bdb29a1"
|
||||
|
||||
[[package]]
|
||||
name = "futures-macro"
|
||||
version = "0.3.15"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "a4c40298486cdf52cc00cd6d6987892ba502c7656a16a4192a9992b1ccedd121"
|
||||
dependencies = [
|
||||
"autocfg",
|
||||
"proc-macro-hack",
|
||||
"proc-macro2",
|
||||
"quote",
|
||||
"syn",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "futures-sink"
|
||||
version = "0.3.15"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "a57bead0ceff0d6dde8f465ecd96c9338121bb7717d3e7b108059531870c4282"
|
||||
|
||||
[[package]]
|
||||
name = "futures-task"
|
||||
version = "0.3.15"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "8a16bef9fc1a4dddb5bee51c989e3fbba26569cbb0e31f5b303c184e3dd33dae"
|
||||
|
||||
[[package]]
|
||||
name = "futures-util"
|
||||
version = "0.3.15"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "feb5c238d27e2bf94ffdfd27b2c29e3df4a68c4193bb6427384259e2bf191967"
|
||||
dependencies = [
|
||||
"autocfg",
|
||||
"futures-channel",
|
||||
"futures-core",
|
||||
"futures-io",
|
||||
"futures-macro",
|
||||
"futures-sink",
|
||||
"futures-task",
|
||||
"memchr",
|
||||
"pin-project-lite",
|
||||
"pin-utils",
|
||||
"proc-macro-hack",
|
||||
"proc-macro-nested",
|
||||
"slab",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "fuzz"
|
||||
version = "0.1.0"
|
||||
dependencies = [
|
||||
"afl",
|
||||
"rxml",
|
||||
"sha256",
|
||||
"tokio",
|
||||
"xmpp-proxy",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "generic-array"
|
||||
version = "0.14.4"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "501466ecc8a30d1d3b7fc9229b122b2ce8ed6e9d9223f1138d4babb253e51817"
|
||||
dependencies = [
|
||||
"typenum",
|
||||
"version_check",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "hermit-abi"
|
||||
version = "0.1.18"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "322f4de77956e22ed0e5032c359a0f1273f1f7f0d79bfa3b8ffbc730d7fbcc5c"
|
||||
dependencies = [
|
||||
"libc",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "hex"
|
||||
version = "0.4.3"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
|
||||
|
||||
[[package]]
|
||||
name = "libc"
|
||||
version = "0.2.94"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "18794a8ad5b29321f790b55d93dfba91e125cb1a9edbd4f8e3150acc771c1a5e"
|
||||
|
||||
[[package]]
|
||||
name = "log"
|
||||
version = "0.4.14"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "51b9bbe6c47d51fc3e1a9b945965946b4c44142ab8792c50835a980d362c2710"
|
||||
dependencies = [
|
||||
"cfg-if",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "memchr"
|
||||
version = "2.4.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "b16bd47d9e329435e309c58469fe0791c2d0d1ba96ec0954152a5ae2b04387dc"
|
||||
|
||||
[[package]]
|
||||
name = "mio"
|
||||
version = "0.7.11"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "cf80d3e903b34e0bd7282b218398aec54e082c840d9baf8339e0080a0c542956"
|
||||
dependencies = [
|
||||
"libc",
|
||||
"log",
|
||||
"miow",
|
||||
"ntapi",
|
||||
"winapi",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "miow"
|
||||
version = "0.3.7"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "b9f1c5b025cda876f66ef43a113f91ebc9f4ccef34843000e0adf6ebbab84e21"
|
||||
dependencies = [
|
||||
"winapi",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "ntapi"
|
||||
version = "0.3.6"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "3f6bb902e437b6d86e03cce10a7e2af662292c5dfef23b65899ea3ac9354ad44"
|
||||
dependencies = [
|
||||
"winapi",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "num_cpus"
|
||||
version = "1.13.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "05499f3756671c15885fee9034446956fff3f243d6077b91e5767df161f766b3"
|
||||
dependencies = [
|
||||
"hermit-abi",
|
||||
"libc",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "opaque-debug"
|
||||
version = "0.3.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "624a8340c38c1b80fd549087862da4ba43e08858af025b236e509b6649fc13d5"
|
||||
|
||||
[[package]]
|
||||
name = "pest"
|
||||
version = "2.1.3"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "10f4872ae94d7b90ae48754df22fd42ad52ce740b8f370b03da4835417403e53"
|
||||
dependencies = [
|
||||
"ucd-trie",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "pin-project-lite"
|
||||
version = "0.2.6"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "dc0e1f259c92177c30a4c9d177246edd0a3568b25756a977d0632cf8fa37e905"
|
||||
|
||||
[[package]]
|
||||
name = "pin-utils"
|
||||
version = "0.1.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
|
||||
|
||||
[[package]]
|
||||
name = "proc-macro-hack"
|
||||
version = "0.5.19"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "dbf0c48bc1d91375ae5c3cd81e3722dff1abcf81a30960240640d223f59fe0e5"
|
||||
|
||||
[[package]]
|
||||
name = "proc-macro-nested"
|
||||
version = "0.1.7"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "bc881b2c22681370c6a780e47af9840ef841837bc98118431d4e1868bd0c1086"
|
||||
|
||||
[[package]]
|
||||
name = "proc-macro2"
|
||||
version = "1.0.26"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "a152013215dca273577e18d2bf00fa862b89b24169fb78c4c95aeb07992c9cec"
|
||||
dependencies = [
|
||||
"unicode-xid",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "quote"
|
||||
version = "1.0.9"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "c3d0b9745dc2debf507c8422de05d7226cc1f0644216dfdfead988f9b1ab32a7"
|
||||
dependencies = [
|
||||
"proc-macro2",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "rustc_version"
|
||||
version = "0.3.3"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "f0dfe2087c51c460008730de8b57e6a320782fbfb312e1f4d520e6c6fae155ee"
|
||||
dependencies = [
|
||||
"semver",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "rxml"
|
||||
version = "0.1.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "4656aeb6f77b1ba20d3702069ce92551fa01fe0c02449cec92f014d665cd4021"
|
||||
|
||||
[[package]]
|
||||
name = "semver"
|
||||
version = "0.11.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "f301af10236f6df4160f7c3f04eec6dbc70ace82d23326abad5edee88801c6b6"
|
||||
dependencies = [
|
||||
"semver-parser",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "semver-parser"
|
||||
version = "0.10.2"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "00b0bef5b7f9e0df16536d3961cfb6e84331c065b4066afb39768d0e319411f7"
|
||||
dependencies = [
|
||||
"pest",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "serde"
|
||||
version = "1.0.126"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "ec7505abeacaec74ae4778d9d9328fe5a5d04253220a85c4ee022239fc996d03"
|
||||
dependencies = [
|
||||
"serde_derive",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "serde_derive"
|
||||
version = "1.0.126"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "963a7dbc9895aeac7ac90e74f34a5d5261828f79df35cbed41e10189d3804d43"
|
||||
dependencies = [
|
||||
"proc-macro2",
|
||||
"quote",
|
||||
"syn",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "sha2"
|
||||
version = "0.9.5"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "b362ae5752fd2137731f9fa25fd4d9058af34666ca1966fb969119cc35719f12"
|
||||
dependencies = [
|
||||
"block-buffer",
|
||||
"cfg-if",
|
||||
"cpufeatures",
|
||||
"digest",
|
||||
"opaque-debug",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "sha256"
|
||||
version = "1.0.2"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "77f336ed3354742b51d11c47dc0403bf81229548f2e130fcd21ccc471433334a"
|
||||
dependencies = [
|
||||
"hex",
|
||||
"sha2",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "slab"
|
||||
version = "0.4.3"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "f173ac3d1a7e3b28003f40de0b5ce7fe2710f9b9dc3fc38664cebee46b3b6527"
|
||||
|
||||
[[package]]
|
||||
name = "strsim"
|
||||
version = "0.8.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "8ea5119cdb4c55b55d432abb513a0429384878c15dde60cc77b1c99de1a95a6a"
|
||||
|
||||
[[package]]
|
||||
name = "syn"
|
||||
version = "1.0.72"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "a1e8cdbefb79a9a5a65e0db8b47b723ee907b7c7f8496c76a1770b5c310bab82"
|
||||
dependencies = [
|
||||
"proc-macro2",
|
||||
"quote",
|
||||
"unicode-xid",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "textwrap"
|
||||
version = "0.11.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "d326610f408c7a4eb6f51c37c330e496b08506c9457c9d34287ecc38809fb060"
|
||||
dependencies = [
|
||||
"unicode-width",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "tokio"
|
||||
version = "1.5.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "83f0c8e7c0addab50b663055baf787d0af7f413a46e6e7fb9559a4e4db7137a5"
|
||||
dependencies = [
|
||||
"autocfg",
|
||||
"bytes",
|
||||
"libc",
|
||||
"memchr",
|
||||
"mio",
|
||||
"num_cpus",
|
||||
"pin-project-lite",
|
||||
"tokio-macros",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "tokio-macros"
|
||||
version = "1.1.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "caf7b11a536f46a809a8a9f0bb4237020f70ecbf115b842360afb127ea2fda57"
|
||||
dependencies = [
|
||||
"proc-macro2",
|
||||
"quote",
|
||||
"syn",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "toml"
|
||||
version = "0.5.8"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "a31142970826733df8241ef35dc040ef98c679ab14d7c3e54d827099b3acecaa"
|
||||
dependencies = [
|
||||
"serde",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "typenum"
|
||||
version = "1.13.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "879f6906492a7cd215bfa4cf595b600146ccfac0c79bcbd1f3000162af5e8b06"
|
||||
|
||||
[[package]]
|
||||
name = "ucd-trie"
|
||||
version = "0.1.3"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "56dee185309b50d1f11bfedef0fe6d036842e3fb77413abef29f8f8d1c5d4c1c"
|
||||
|
||||
[[package]]
|
||||
name = "unicode-width"
|
||||
version = "0.1.8"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "9337591893a19b88d8d87f2cec1e73fad5cdfd10e5a6f349f498ad6ea2ffb1e3"
|
||||
|
||||
[[package]]
|
||||
name = "unicode-xid"
|
||||
version = "0.2.2"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "8ccb82d61f80a663efe1f787a51b16b5a51e3314d6ac365b08639f52387b33f3"
|
||||
|
||||
[[package]]
|
||||
name = "vec_map"
|
||||
version = "0.8.2"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "f1bddf1187be692e79c5ffeab891132dfb0f236ed36a43c7ed39f1165ee20191"
|
||||
|
||||
[[package]]
|
||||
name = "version_check"
|
||||
version = "0.9.3"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "5fecdca9a5291cc2b8dcf7dc02453fee791a280f3743cb0905f8822ae463b3fe"
|
||||
|
||||
[[package]]
|
||||
name = "winapi"
|
||||
version = "0.3.9"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
|
||||
dependencies = [
|
||||
"winapi-i686-pc-windows-gnu",
|
||||
"winapi-x86_64-pc-windows-gnu",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "winapi-i686-pc-windows-gnu"
|
||||
version = "0.4.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
|
||||
|
||||
[[package]]
|
||||
name = "winapi-x86_64-pc-windows-gnu"
|
||||
version = "0.4.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
|
||||
|
||||
[[package]]
|
||||
name = "xdg"
|
||||
version = "2.2.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "d089681aa106a86fade1b0128fb5daf07d5867a509ab036d99988dec80429a57"
|
||||
|
||||
[[package]]
|
||||
name = "xmpp-proxy"
|
||||
version = "1.0.0"
|
||||
dependencies = [
|
||||
"anyhow",
|
||||
"die",
|
||||
"futures",
|
||||
"serde",
|
||||
"serde_derive",
|
||||
"tokio",
|
||||
"toml",
|
||||
]
|
@ -7,11 +7,8 @@ edition = "2018"
|
||||
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
|
||||
|
||||
[dependencies]
|
||||
afl = "*"
|
||||
xmpp-proxy = { version = "*", default-features = false, features = [] }
|
||||
tokio = { version = "1.4", features = ["net", "rt", "rt-multi-thread", "macros", "io-util"] }
|
||||
sha256 = "1.0.2"
|
||||
rxml = "0.1.0"
|
||||
|
||||
[patch.crates-io]
|
||||
xmpp-proxy = { path = "../" }
|
||||
afl = "0.15.1"
|
||||
xmpp-proxy = { path = "..", default-features = false, features = [] }
|
||||
tokio = { version = "1.35", features = ["net", "rt", "rt-multi-thread", "macros", "io-util"] }
|
||||
sha256 = "1.4.0"
|
||||
rxml = "0.9.1"
|
||||
|
@ -1,37 +1,34 @@
|
||||
#[macro_use]
|
||||
extern crate afl;
|
||||
extern crate xmpp_proxy;
|
||||
|
||||
use std::io;
|
||||
use std::io::Cursor;
|
||||
|
||||
use std::io::{Cursor, Write};
|
||||
use tokio::runtime::Runtime;
|
||||
use xmpp_proxy::stanzafilter::{StanzaFilter, StanzaReader};
|
||||
|
||||
use xmpp_proxy::{StanzaFilter, StanzaReader};
|
||||
|
||||
fn main_gen_test_cases() {
|
||||
fuzz!(|data: &[u8]| {
|
||||
fn main() {
|
||||
std::fs::create_dir_all("/tmp/afl_test_gen/").unwrap();
|
||||
afl::fuzz!(|data: &[u8]| {
|
||||
let rt = Runtime::new().unwrap();
|
||||
|
||||
rt.block_on(async {
|
||||
let mut filter = StanzaFilter::new(262_144);
|
||||
let mut stanza_reader = StanzaReader(Cursor::new(data));
|
||||
while let Ok(Some(stanza)) = stanza_reader.next(&mut filter).await {
|
||||
use rxml::EventRead;
|
||||
let mut fp = rxml::FeedParser::new();
|
||||
let stanza_vec = &stanza.to_vec();
|
||||
fp.feed(stanza_vec);
|
||||
fp.feed_eof();
|
||||
let result = fp.read_all_eof(|_ev| {
|
||||
let mut fp = rxml::FeedParser::default();
|
||||
let result = rxml::as_eof_flag(fp.parse_all(&mut &stanza[..], true, |_ev| {
|
||||
//println!("got event: {:?}", ev);
|
||||
});
|
||||
}));
|
||||
// true indicates eof
|
||||
if let Ok(result) = result {
|
||||
if result {
|
||||
// wow, afl generated us valid XML, lets output it as a test case
|
||||
let fname = sha256::digest_bytes(&stanza);
|
||||
std::fs::create_dir_all("/tmp/afl_test_gen/").unwrap();
|
||||
std::fs::write("/tmp/afl_test_gen/".to_owned() + &fname, &stanza).unwrap();
|
||||
let fname = sha256::digest(stanza);
|
||||
if let Ok(mut file) = std::fs::OpenOptions::new()
|
||||
.read(true)
|
||||
.write(true)
|
||||
.create_new(true)
|
||||
.open("/tmp/afl_test_gen/".to_owned() + fname.as_str())
|
||||
{
|
||||
file.write_all(stanza).unwrap();
|
||||
file.sync_all().unwrap();
|
||||
}
|
||||
} else {
|
||||
// more data is required, stanzafilter should never let this happen, let's panic
|
||||
panic!("more data required?");
|
||||
@ -41,17 +38,3 @@ fn main_gen_test_cases() {
|
||||
})
|
||||
});
|
||||
}
|
||||
|
||||
fn main() {
|
||||
fuzz!(|data: &[u8]| {
|
||||
let rt = Runtime::new().unwrap();
|
||||
|
||||
rt.block_on(async {
|
||||
let mut filter = StanzaFilter::new(262_144);
|
||||
let mut stanza_reader = StanzaReader(Cursor::new(data));
|
||||
while let Ok(Some(_stanza)) = stanza_reader.next(&mut filter).await {
|
||||
//ret.push(to_str(stanza).to_string());
|
||||
}
|
||||
})
|
||||
});
|
||||
}
|
||||
|
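Review bot: The `if let Ok(mut file) = std::fs::OpenOptions::new()...create_new(true).open(...)` swallows every error, not only the `AlreadyExists` that is the intended dedup, and the output lives under the fixed world-writable path `/tmp/afl_test_gen/`; a pre-existing directory of that name owned by another user passes the `create_dir_all` at the top of `main` and then turns every save into a silently dropped `PermissionDenied`, so the harness keeps fuzzing while collecting nothing. I would match on the error kind and fail loudly for anything other than `AlreadyExists`, take the directory from an environment variable with `/tmp/afl_test_gen/` only as the fallback, and use that same directory for the `create_dir_all`. The `.read(true)` on the `OpenOptions` is unused since the file is only ever written. The `afl::fuzz!` closure body continues in the following hunk.
```rust
fn main() {
    // let the corpus be written somewhere private; the fallback keeps the old location
    let out_dir = std::env::var("AFL_TEST_GEN_DIR").unwrap_or_else(|_| "/tmp/afl_test_gen/".to_owned());
    std::fs::create_dir_all(&out_dir).unwrap();
    afl::fuzz!(|data: &[u8]| {
        // … unchanged: runtime setup, StanzaReader loop, rxml parse, eof check …
                    let fname = sha256::digest(stanza);
                    match std::fs::OpenOptions::new()
                        .write(true)
                        .create_new(true)
                        .open(std::path::Path::new(&out_dir).join(&fname))
                    {
                        Ok(mut file) => {
                            file.write_all(stanza).unwrap();
                            file.sync_all().unwrap();
                        }
                        // same stanza seen before: the intended dedup, nothing to do
                        Err(e) if e.kind() == std::io::ErrorKind::AlreadyExists => {}
                        Err(e) => panic!("cannot write test case to {}: {}", out_dir, e),
                    }
        // … unchanged: "more data required?" panic, loop and closure close …
```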
15
integration/00-no-tls/example.org.zone
Normal file
@ -0,0 +1,15 @@
|
||||
$TTL 300
|
||||
; example.org
|
||||
@ IN SOA ns1.example.org. postmaster.example.org. (
|
||||
2018111111 ; Serial
|
||||
28800 ; Refresh
|
||||
1800 ; Retry
|
||||
604800 ; Expire - 1 week
|
||||
86400 ) ; Negative Cache TTL
|
||||
IN NS ns1
|
||||
ns1 IN A 192.5.0.10
|
||||
server1 IN A 192.5.0.20
|
||||
server2 IN A 192.5.0.30
|
||||
|
||||
scansion.one IN CNAME server1
|
||||
scansion.two IN CNAME server1
|
228
integration/00-no-tls/prosody1.cfg.lua
Normal file
@ -0,0 +1,228 @@
|
||||
--Important for systemd
|
||||
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
||||
daemonize = false
|
||||
run_as_root = true
|
||||
|
||||
pidfile = "/run/prosody/prosody.pid"
|
||||
|
||||
-- Prosody Example Configuration File
|
||||
--
|
||||
-- Information on configuring Prosody can be found on our
|
||||
-- website at https://prosody.im/doc/configure
|
||||
--
|
||||
-- Tip: You can check that the syntax of this file is correct
|
||||
-- when you have finished by running this command:
|
||||
-- prosodyctl check config
|
||||
-- If there are any errors, it will let you know what and where
|
||||
-- they are, otherwise it will keep quiet.
|
||||
--
|
||||
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
||||
-- blanks. Good luck, and happy Jabbering!
|
||||
|
||||
|
||||
---------- Server-wide settings ----------
|
||||
-- Settings in this section apply to the whole server and are the default settings
|
||||
-- for any virtual hosts
|
||||
|
||||
-- This is a (by default, empty) list of accounts that are admins
|
||||
-- for the server. Note that you must create the accounts separately
|
||||
-- (see https://prosody.im/doc/creating_accounts for info)
|
||||
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
||||
admins = { }
|
||||
|
||||
-- Enable use of libevent for better performance under high load
|
||||
-- For more information see: https://prosody.im/doc/libevent
|
||||
--use_libevent = true
|
||||
|
||||
-- Prosody will always look in its source directory for modules, but
|
||||
-- this option allows you to specify additional locations where Prosody
|
||||
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
||||
--plugin_paths = {}
|
||||
|
||||
-- This is the list of modules Prosody will load on startup.
|
||||
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
||||
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
||||
modules_enabled = {
|
||||
|
||||
-- Generally required
|
||||
"roster"; -- Allow users to have a roster. Recommended ;)
|
||||
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
||||
-- "tls"; -- Add support for secure TLS on c2s/s2s connections
|
||||
--"dialback"; -- s2s dialback support
|
||||
"disco"; -- Service discovery
|
||||
|
||||
-- Not essential, but recommended
|
||||
"carbons"; -- Keep multiple clients in sync
|
||||
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
||||
"private"; -- Private XML storage (for room bookmarks, etc.)
|
||||
"blocklist"; -- Allow users to block communications with other users
|
||||
"vcard4"; -- User profiles (stored in PEP)
|
||||
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
||||
"limits"; -- Enable bandwidth limiting for XMPP connections
|
||||
|
||||
-- Nice to have
|
||||
"version"; -- Replies to server version requests
|
||||
"uptime"; -- Report how long server has been running
|
||||
"time"; -- Let others know the time here on this server
|
||||
"ping"; -- Replies to XMPP pings with pongs
|
||||
"register"; -- Allow users to register on this server using a client and change passwords
|
||||
--"mam"; -- Store messages in an archive and allow users to access it
|
||||
--"csi_simple"; -- Simple Mobile optimizations
|
||||
|
||||
-- Admin interfaces
|
||||
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
||||
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
||||
|
||||
-- HTTP modules
|
||||
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
||||
--"websocket"; -- XMPP over WebSockets
|
||||
--"http_files"; -- Serve static files from a directory over HTTP
|
||||
|
||||
-- Other specific functionality
|
||||
--"groups"; -- Shared roster support
|
||||
--"server_contact_info"; -- Publish contact information for this service
|
||||
--"announce"; -- Send announcement to all online users
|
||||
--"welcome"; -- Welcome users who register accounts
|
||||
--"watchregistrations"; -- Alert admins of registrations
|
||||
--"motd"; -- Send a message to users when they log in
|
||||
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
||||
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
||||
}
|
||||
|
||||
-- These modules are auto-loaded, but should you want
|
||||
-- to disable them then uncomment them here:
|
||||
modules_disabled = {
|
||||
-- "offline"; -- Store offline messages
|
||||
-- "c2s"; -- Handle client connections
|
||||
-- "s2s"; -- Handle server-to-server connections
|
||||
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
||||
}
|
||||
|
||||
-- Disable account creation by default, for security
|
||||
-- For more information see https://prosody.im/doc/creating_accounts
|
||||
allow_registration = false
|
||||
|
||||
require_encryption = false
|
||||
allow_unencrypted_plain_auth = true
|
||||
|
||||
-- Force clients to use encrypted connections? This option will
|
||||
-- prevent clients from authenticating unless they are using encryption.
|
||||
|
||||
c2s_require_encryption = false
|
||||
|
||||
-- Force servers to use encrypted connections? This option will
|
||||
-- prevent servers from authenticating unless they are using encryption.
|
||||
|
||||
s2s_require_encryption = false
|
||||
|
||||
-- Force certificate authentication for server-to-server connections?
|
||||
|
||||
s2s_secure_auth = false
|
||||
|
||||
-- Some servers have invalid or self-signed certificates. You can list
|
||||
-- remote domains here that will not be required to authenticate using
|
||||
-- certificates. They will be authenticated using DNS instead, even
|
||||
-- when s2s_secure_auth is enabled.
|
||||
|
||||
--s2s_insecure_domains = { "insecure.example" }
|
||||
|
||||
-- Even if you disable s2s_secure_auth, you can still require valid
|
||||
-- certificates for some domains by specifying a list here.
|
||||
|
||||
--s2s_secure_domains = { "jabber.org" }
|
||||
|
||||
-- Enable rate limits for incoming client and server connections
|
||||
|
||||
limits = {
|
||||
c2s = {
|
||||
rate = "10kb/s";
|
||||
};
|
||||
s2sin = {
|
||||
rate = "30kb/s";
|
||||
};
|
||||
}
|
||||
|
||||
-- Select the authentication backend to use. The 'internal' providers
|
||||
-- use Prosody's configured data storage to store the authentication data.
|
||||
|
||||
authentication = "internal_hashed"
|
||||
|
||||
-- Select the storage backend to use. By default Prosody uses flat files
|
||||
-- in its configured data directory, but it also supports more backends
|
||||
-- through modules. An "sql" backend is included by default, but requires
|
||||
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
||||
|
||||
--storage = "sql" -- Default is "internal"
|
||||
|
||||
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
||||
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
||||
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||
|
||||
|
||||
-- Archiving configuration
|
||||
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
||||
-- is used to synchronize conversations between multiple clients, even if
|
||||
-- they are offline. This setting controls how long Prosody will keep
|
||||
-- messages in the archive before removing them.
|
||||
|
||||
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
||||
|
||||
-- You can also configure messages to be stored in-memory only. For more
|
||||
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
||||
|
||||
-- Logging configuration
|
||||
-- For advanced logging see https://prosody.im/doc/logging
|
||||
log = {
|
||||
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
||||
-- error = "prosody.err";
|
||||
--info = "*syslog"; -- Uncomment this for logging to syslog
|
||||
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
||||
}
|
||||
|
||||
-- Uncomment to enable statistics
|
||||
-- For more info see https://prosody.im/doc/statistics
|
||||
-- statistics = "internal"
|
||||
|
||||
-- Certificates
|
||||
-- Every virtual host and component needs a certificate so that clients and
|
||||
-- servers can securely verify its identity. Prosody will automatically load
|
||||
-- certificates/keys from the directory specified here.
|
||||
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
||||
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
||||
|
||||
-- Location of directory to find certificates in (relative to main config file):
|
||||
certificates = "certsno"
|
||||
|
||||
-- HTTPS currently only supports a single certificate, specify it here:
|
||||
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
||||
|
||||
----------- Virtual hosts -----------
|
||||
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
||||
-- Settings under each VirtualHost entry apply *only* to that host.
|
||||
|
||||
VirtualHost "one.example.org"
|
||||
|
||||
VirtualHost "two.example.org"
|
||||
|
||||
--VirtualHost "example.com"
|
||||
-- certificate = "/path/to/example.crt"
|
||||
|
||||
------ Components ------
|
||||
-- You can specify components to add hosts that provide special services,
|
||||
-- like multi-user conferences, and transports.
|
||||
-- For more information on components, see https://prosody.im/doc/components
|
||||
|
||||
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
||||
--Component "conference.example.com" "muc"
|
||||
--- Store MUC messages in an archive and allow users to access it
|
||||
--modules_enabled = { "muc_mam" }
|
||||
|
||||
---Set up an external component (default component port is 5347)
|
||||
--
|
||||
-- External components allow adding various services, such as gateways/
|
||||
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
||||
-- see: https://prosody.im/doc/components#adding_an_external_component
|
||||
--
|
||||
--Component "gateway.example.com"
|
||||
-- component_secret = "password"
|
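--- a/integration/01-starttls/example.org.zone
+++ b/integration/01-starttls/example.org.zone
@@ -0,0 +1,15 @@
+$TTL 300
+; example.org
+@ IN SOA ns1.example.org. postmaster.example.org. (
+2018111111 ; Serial
+28800 ; Refresh
+1800 ; Retry
+604800 ; Expire - 1 week
+86400 ) ; Negative Cache TTL
+IN NS ns1
+ns1 IN A 192.5.0.10
+server1 IN A 192.5.0.20
+server2 IN A 192.5.0.30
+
+scansion.one IN CNAME server1
+scansion.two IN CNAME server1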
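--- a/integration/01-starttls/prosody1.cfg.lua
+++ b/integration/01-starttls/prosody1.cfg.lua
@@ -0,0 +1,225 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+"tls"; -- Add support for secure TLS on c2s/s2s connections
+--"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+
+-- Not essential, but recommended
+"carbons"; -- Keep multiple clients in sync
+"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"blocklist"; -- Allow users to block communications with other users
+"vcard4"; -- User profiles (stored in PEP)
+"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+"limits"; -- Enable bandwidth limiting for XMPP connections
+
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+"register"; -- Allow users to register on this server using a client and change passwords
+--"mam"; -- Store messages in an archive and allow users to access it
+--"csi_simple"; -- Simple Mobile optimizations
+
+-- Admin interfaces
+"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+-- HTTP modules
+--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+--"websocket"; -- XMPP over WebSockets
+--"http_files"; -- Serve static files from a directory over HTTP
+
+-- Other specific functionality
+--"groups"; -- Shared roster support
+--"server_contact_info"; -- Publish contact information for this service
+--"announce"; -- Send announcement to all online users
+--"welcome"; -- Welcome users who register accounts
+--"watchregistrations"; -- Alert admins of registrations
+--"motd"; -- Send a message to users when they log in
+--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+-- "offline"; -- Store offline messages
+-- "c2s"; -- Handle client connections
+-- "s2s"; -- Handle server-to-server connections
+-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = true
+
+-- Force servers to use encrypted connections? This option will
+-- prevent servers from authenticating unless they are using encryption.
+
+s2s_require_encryption = true
+
+-- Force certificate authentication for server-to-server connections?
+
+s2s_secure_auth = false
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+c2s = {
+rate = "10kb/s";
+};
+s2sin = {
+rate = "30kb/s";
+};
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+-- error = "prosody.err";
+--info = "*syslog"; -- Uncomment this for logging to syslog
+debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"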
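Review bot: The header comment on line 2 of prosody1.cfg.lua warns that setting daemonize to false "will freeze" systemd startup, and the very next line sets `daemonize = false`; since this fixture logs to `*console` and runs as root with a pidfile under /run/prosody, it is clearly meant to run in the foreground inside a container, so the retained warning is misleading. Suggest replacing the two header lines with `-- Integration fixture: runs in the foreground as root inside the test container; do not reuse run_as_root or daemonize settings on a real host.` so that `run_as_root = true` is not carried into a production config by copy-paste. The same header appears unchanged in integration/02-client-a-record-starttls/prosody1.cfg.lua and integration/03-client-srv-record-starttls/prosody1.cfg.lua. Likewise, if leaving `s2s_secure_auth = false` next to `s2s_require_encryption = true` is deliberate because the test certificates are self-signed, a one-line comment saying so would stop a reader from reading it as an oversight.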
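--- a/integration/02-client-a-record-starttls/example.org.zone
+++ b/integration/02-client-a-record-starttls/example.org.zone
@@ -0,0 +1,20 @@
+$TTL 300
+; example.org
+@ IN SOA ns1.example.org. postmaster.example.org. (
+2018111111 ; Serial
+28800 ; Refresh
+1800 ; Retry
+604800 ; Expire - 1 week
+86400 ) ; Negative Cache TTL
+IN NS ns1
+ns1 IN A 192.5.0.10
+server1 IN A 192.5.0.20
+server2 IN A 192.5.0.30
+xp1 IN A 192.5.0.40
+xp2 IN A 192.5.0.50
+
+one IN CNAME server1
+two IN CNAME server1
+
+scansion.one IN CNAME xp1
+scansion.two IN CNAME xp1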
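--- a/integration/02-client-a-record-starttls/prosody1.cfg.lua
+++ b/integration/02-client-a-record-starttls/prosody1.cfg.lua
@@ -0,0 +1,225 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+"tls"; -- Add support for secure TLS on c2s/s2s connections
+--"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+
+-- Not essential, but recommended
+"carbons"; -- Keep multiple clients in sync
+"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"blocklist"; -- Allow users to block communications with other users
+"vcard4"; -- User profiles (stored in PEP)
+"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+"limits"; -- Enable bandwidth limiting for XMPP connections
+
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+"register"; -- Allow users to register on this server using a client and change passwords
+--"mam"; -- Store messages in an archive and allow users to access it
+--"csi_simple"; -- Simple Mobile optimizations
+
+-- Admin interfaces
+"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+-- HTTP modules
+--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+--"websocket"; -- XMPP over WebSockets
+--"http_files"; -- Serve static files from a directory over HTTP
+
+-- Other specific functionality
+--"groups"; -- Shared roster support
+--"server_contact_info"; -- Publish contact information for this service
+--"announce"; -- Send announcement to all online users
+--"welcome"; -- Welcome users who register accounts
+--"watchregistrations"; -- Alert admins of registrations
+--"motd"; -- Send a message to users when they log in
+--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+-- "offline"; -- Store offline messages
+-- "c2s"; -- Handle client connections
+-- "s2s"; -- Handle server-to-server connections
+-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = true
+
+-- Force servers to use encrypted connections? This option will
+-- prevent servers from authenticating unless they are using encryption.
+
+s2s_require_encryption = true
+
+-- Force certificate authentication for server-to-server connections?
+
+s2s_secure_auth = false
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+c2s = {
+rate = "10kb/s";
+};
+s2sin = {
+rate = "30kb/s";
+};
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+-- error = "prosody.err";
+--info = "*syslog"; -- Uncomment this for logging to syslog
+debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"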
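--- a/integration/02-client-a-record-starttls/xmpp-proxy1.toml
+++ b/integration/02-client-a-record-starttls/xmpp-proxy1.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"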
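Review bot: `outgoing_listen = [ "0.0.0.0:5222" ]` binds the outgoing (plaintext-accepting) proxy port to every interface while the comment directly above it says this listener "should be localhost"; presumably the wildcard bind is needed because the scansion client runs in another container, but the file does not say so, and an unqualified copy of this fixture would expose that port. Suggest amending the comment to `# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost (0.0.0.0 here only because the test client connects from a separate container)`. The retained note that the systemd unit "can only read files from /etc/xmpp-proxy/" likewise contradicts the `/etc/certs/rsa/` key and certificate paths two lines below it and should be dropped or marked as not applying to the container fixture. Finally, the file's own comment describes trace as XML-console-level, so `log_level = "info,xmpp_proxy=trace"` will put full stream content into CI output; fine for a test, but worth a one-line comment if those logs are retained or published.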
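--- a/integration/03-client-srv-record-starttls/example.org.zone
+++ b/integration/03-client-srv-record-starttls/example.org.zone
@@ -0,0 +1,20 @@
+$TTL 300
+; example.org
+@ IN SOA ns1.example.org. postmaster.example.org. (
+2018111111 ; Serial
+28800 ; Refresh
+1800 ; Retry
+604800 ; Expire - 1 week
+86400 ) ; Negative Cache TTL
+IN NS ns1
+ns1 IN A 192.5.0.10
+server1 IN A 192.5.0.20
+server2 IN A 192.5.0.30
+xp1 IN A 192.5.0.40
+xp2 IN A 192.5.0.50
+
+_xmpp-client._tcp.one IN SRV 5 1 5555 server1
+_xmpp-client._tcp.two IN SRV 5 1 5555 server1
+
+scansion.one IN CNAME xp1
+scansion.two IN CNAME xp1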
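--- a/integration/03-client-srv-record-starttls/prosody1.cfg.lua
+++ b/integration/03-client-srv-record-starttls/prosody1.cfg.lua
@@ -0,0 +1,227 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+"tls"; -- Add support for secure TLS on c2s/s2s connections
+--"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+
+-- Not essential, but recommended
+"carbons"; -- Keep multiple clients in sync
+"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"blocklist"; -- Allow users to block communications with other users
+"vcard4"; -- User profiles (stored in PEP)
+"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+"limits"; -- Enable bandwidth limiting for XMPP connections
+
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+"register"; -- Allow users to register on this server using a client and change passwords
+--"mam"; -- Store messages in an archive and allow users to access it
+--"csi_simple"; -- Simple Mobile optimizations
+
+-- Admin interfaces
+"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+-- HTTP modules
+--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+--"websocket"; -- XMPP over WebSockets
+--"http_files"; -- Serve static files from a directory over HTTP
+
+-- Other specific functionality
+--"groups"; -- Shared roster support
+--"server_contact_info"; -- Publish contact information for this service
+--"announce"; -- Send announcement to all online users
+--"welcome"; -- Welcome users who register accounts
+--"watchregistrations"; -- Alert admins of registrations
+--"motd"; -- Send a message to users when they log in
+--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+-- "offline"; -- Store offline messages
+-- "c2s"; -- Handle client connections
+-- "s2s"; -- Handle server-to-server connections
+-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+c2s_ports = { 5555 };
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = true
+
+-- Force servers to use encrypted connections? This option will
+-- prevent servers from authenticating unless they are using encryption.
+
+s2s_require_encryption = true
+
+-- Force certificate authentication for server-to-server connections?
+
+s2s_secure_auth = false
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+c2s = {
+rate = "10kb/s";
+};
+s2sin = {
+rate = "30kb/s";
+};
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+-- error = "prosody.err";
+--info = "*syslog"; -- Uncomment this for logging to syslog
+debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"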
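Review bot: The two header comments contradict the setting directly beneath them — they say daemonize must stay on or systemd "will freeze", yet the file sets `daemonize = false` (and the log block's own comment says console logging is "useful for debugging with daemonize=false"), so the header was presumably carried over from the packaged example and no longer describes this fixture. I would replace those two lines with `-- Integration-test fixture: run in the foreground so the container's stdout carries the log.` In the same spirit, `run_as_root = true` and `s2s_secure_auth = false` are deliberate test-only relaxations but carry no comment saying so; a one-liner such as `-- test fixture only: never run a production Prosody as root` on the first and `-- test fixture: peers use self-signed certs, so s2s cert auth is off` on the second would stop the file being copied into a real deployment as-is. The same header and the same two settings appear in integration/04-client-a-record-tls/prosody1.cfg.lua and in the integration/05-client-srv-record-tls copy, whose section is cut off at the end of this view.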
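--- a/integration/03-client-srv-record-starttls/xmpp-proxy1.toml
+++ b/integration/03-client-srv-record-starttls/xmpp-proxy1.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"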
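Review bot: Two comments in this file no longer match the values under them: `tls_key`/`tls_cert` point into `/etc/certs/rsa/` while the line above says the systemd unit can only read from `/etc/xmpp-proxy/`, and `outgoing_listen = [ "0.0.0.0:5222" ]` sits under a comment saying it "should be localhost"; both comments look copied from the shipped example rather than written for this fixture. I would reword them to describe the test setup, e.g. `# test fixture: certs are mounted at /etc/certs/rsa/ inside the container` and `# test fixture: bound to all interfaces so the client container can reach it; use 127.0.0.1 in production`. The comment above `log_level = "info,xmpp_proxy=trace"` calls trace "XML-console-level"; if that means whole stanzas are logged, the SASL exchange is in the log too, so a note such as `# trace logs full stanzas including authentication; test runs only` would make the intent explicit. The identical file in integration/04-client-a-record-tls/xmpp-proxy1.toml has the same three points.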
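--- a/integration/04-client-a-record-tls/example.org.zone
+++ b/integration/04-client-a-record-tls/example.org.zone
@@ -0,0 +1,20 @@
+$TTL 300
+; example.org
+@ IN SOA ns1.example.org. postmaster.example.org. (
+2018111111 ; Serial
+28800 ; Refresh
+1800 ; Retry
+604800 ; Expire - 1 week
+86400 ) ; Negative Cache TTL
+IN NS ns1
+ns1 IN A 192.5.0.10
+server1 IN A 192.5.0.20
+server2 IN A 192.5.0.30
+xp1 IN A 192.5.0.40
+xp2 IN A 192.5.0.50
+
+one IN CNAME server1
+two IN CNAME server1
+
+scansion.one IN CNAME xp1
+scansion.two IN CNAME xp1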
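--- a/integration/04-client-a-record-tls/prosody1.cfg.lua
+++ b/integration/04-client-a-record-tls/prosody1.cfg.lua
@@ -0,0 +1,225 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+"tls"; -- Add support for secure TLS on c2s/s2s connections
+--"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+
+-- Not essential, but recommended
+"carbons"; -- Keep multiple clients in sync
+"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"blocklist"; -- Allow users to block communications with other users
+"vcard4"; -- User profiles (stored in PEP)
+"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+"limits"; -- Enable bandwidth limiting for XMPP connections
+
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+"register"; -- Allow users to register on this server using a client and change passwords
+--"mam"; -- Store messages in an archive and allow users to access it
+--"csi_simple"; -- Simple Mobile optimizations
+
+-- Admin interfaces
+"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+-- HTTP modules
+--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+--"websocket"; -- XMPP over WebSockets
+--"http_files"; -- Serve static files from a directory over HTTP
+
+-- Other specific functionality
+--"groups"; -- Shared roster support
+--"server_contact_info"; -- Publish contact information for this service
+--"announce"; -- Send announcement to all online users
+--"welcome"; -- Welcome users who register accounts
+--"watchregistrations"; -- Alert admins of registrations
+--"motd"; -- Send a message to users when they log in
+--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+-- "offline"; -- Store offline messages
+-- "c2s"; -- Handle client connections
+-- "s2s"; -- Handle server-to-server connections
+-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+legacy_ssl_ports = { 443 };
+c2s_ports = { };
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = true
+
+-- Force servers to use encrypted connections? This option will
+-- prevent servers from authenticating unless they are using encryption.
+
+s2s_require_encryption = true
+
+-- Force certificate authentication for server-to-server connections?
+
+s2s_secure_auth = false
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+c2s = {
+rate = "10kb/s";
+};
+s2sin = {
+rate = "30kb/s";
+};
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+-- error = "prosody.err";
+--info = "*syslog"; -- Uncomment this for logging to syslog
+debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"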
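--- a/integration/04-client-a-record-tls/xmpp-proxy1.toml
+++ b/integration/04-client-a-record-tls/xmpp-proxy1.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"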
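--- a/integration/05-client-srv-record-tls/example.org.zone
+++ b/integration/05-client-srv-record-tls/example.org.zone
@@ -0,0 +1,20 @@
+$TTL 300
+; example.org
+@ IN SOA ns1.example.org. postmaster.example.org. (
+2018111111 ; Serial
+28800 ; Refresh
+1800 ; Retry
+604800 ; Expire - 1 week
+86400 ) ; Negative Cache TTL
+IN NS ns1
+ns1 IN A 192.5.0.10
+server1 IN A 192.5.0.20
+server2 IN A 192.5.0.30
+xp1 IN A 192.5.0.40
+xp2 IN A 192.5.0.50
+
+_xmpps-client._tcp.one IN SRV 5 1 5443 server1
+_xmpps-client._tcp.two IN SRV 5 1 5443 server1
+
+scansion.one IN CNAME xp1
+scansion.two IN CNAME xp1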
228
integration/05-client-srv-record-tls/prosody1.cfg.lua
Normal file
228
integration/05-client-srv-record-tls/prosody1.cfg.lua
Normal file
@ -0,0 +1,228 @@
|
||||
--Important for systemd
|
||||
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
||||
daemonize = false
|
||||
run_as_root = true
|
||||
|
||||
pidfile = "/run/prosody/prosody.pid"
|
||||
|
||||
-- Prosody Example Configuration File
|
||||
--
|
||||
-- Information on configuring Prosody can be found on our
|
||||
-- website at https://prosody.im/doc/configure
|
||||
--
|
||||
-- Tip: You can check that the syntax of this file is correct
|
||||
-- when you have finished by running this command:
|
||||
-- prosodyctl check config
|
||||
-- If there are any errors, it will let you know what and where
|
||||
-- they are, otherwise it will keep quiet.
|
||||
--
|
||||
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
||||
-- blanks. Good luck, and happy Jabbering!
|
||||
|
||||
|
||||
---------- Server-wide settings ----------
|
||||
-- Settings in this section apply to the whole server and are the default settings
|
||||
-- for any virtual hosts
|
||||
|
||||
-- This is a (by default, empty) list of accounts that are admins
|
||||
-- for the server. Note that you must create the accounts separately
|
||||
-- (see https://prosody.im/doc/creating_accounts for info)
|
||||
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
||||
admins = { }
|
||||
|
||||
-- Enable use of libevent for better performance under high load
|
||||
-- For more information see: https://prosody.im/doc/libevent
|
||||
--use_libevent = true
|
||||
|
||||
-- Prosody will always look in its source directory for modules, but
|
||||
-- this option allows you to specify additional locations where Prosody
|
||||
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
||||
--plugin_paths = {}
|
||||
|
||||
-- This is the list of modules Prosody will load on startup.
|
||||
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
||||
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
||||
modules_enabled = {
|
||||
|
||||
-- Generally required
|
||||
"roster"; -- Allow users to have a roster. Recommended ;)
|
||||
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
||||
"tls"; -- Add support for secure TLS on c2s/s2s connections
|
||||
--"dialback"; -- s2s dialback support
|
||||
"disco"; -- Service discovery
|
||||
|
||||
-- Not essential, but recommended
|
||||
"carbons"; -- Keep multiple clients in sync
|
||||
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
||||
"private"; -- Private XML storage (for room bookmarks, etc.)
|
||||
"blocklist"; -- Allow users to block communications with other users
|
||||
"vcard4"; -- User profiles (stored in PEP)
|
||||
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
||||
"limits"; -- Enable bandwidth limiting for XMPP connections
|
||||
|
||||
-- Nice to have
|
||||
"version"; -- Replies to server version requests
|
||||
"uptime"; -- Report how long server has been running
|
||||
"time"; -- Let others know the time here on this server
|
||||
"ping"; -- Replies to XMPP pings with pongs
|
||||
"register"; -- Allow users to register on this server using a client and change passwords
|
||||
--"mam"; -- Store messages in an archive and allow users to access it
|
||||
--"csi_simple"; -- Simple Mobile optimizations
|
||||
|
||||
-- Admin interfaces
|
||||
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
||||
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
||||
|
||||
-- HTTP modules
|
||||
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
||||
--"websocket"; -- XMPP over WebSockets
|
||||
--"http_files"; -- Serve static files from a directory over HTTP
|
||||
|
||||
-- Other specific functionality
|
||||
--"groups"; -- Shared roster support
|
||||
--"server_contact_info"; -- Publish contact information for this service
|
||||
--"announce"; -- Send announcement to all online users
|
||||
--"welcome"; -- Welcome users who register accounts
|
||||
--"watchregistrations"; -- Alert admins of registrations
|
||||
--"motd"; -- Send a message to users when they log in
|
||||
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
||||
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
||||
}
|
||||
|
||||
-- These modules are auto-loaded, but should you want
|
||||
-- to disable them then uncomment them here:
|
||||
modules_disabled = {
|
||||
-- "offline"; -- Store offline messages
|
||||
-- "c2s"; -- Handle client connections
|
||||
-- "s2s"; -- Handle server-to-server connections
|
||||
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
||||
}
|
||||
|
||||
legacy_ssl_ports = { 5443 };
|
||||
c2s_ports = { };
|
||||
|
||||
-- Disable account creation by default, for security
|
||||
-- For more information see https://prosody.im/doc/creating_accounts
|
||||
allow_registration = false
|
||||
|
||||
-- Force clients to use encrypted connections? This option will
|
||||
-- prevent clients from authenticating unless they are using encryption.
|
||||
|
||||
c2s_require_encryption = true
|
||||
|
||||
-- Force servers to use encrypted connections? This option will
|
||||
-- prevent servers from authenticating unless they are using encryption.
|
||||
|
||||
s2s_require_encryption = true
|
||||
|
||||
-- Force certificate authentication for server-to-server connections?
|
||||
|
||||
s2s_secure_auth = false
|
||||
|
||||
-- Some servers have invalid or self-signed certificates. You can list
|
||||
-- remote domains here that will not be required to authenticate using
|
||||
-- certificates. They will be authenticated using DNS instead, even
|
||||
-- when s2s_secure_auth is enabled.
|
||||
|
||||
--s2s_insecure_domains = { "insecure.example" }
|
||||
|
||||
-- Even if you disable s2s_secure_auth, you can still require valid
|
||||
-- certificates for some domains by specifying a list here.
|
||||
|
||||
--s2s_secure_domains = { "jabber.org" }
|
||||
|
||||
-- Enable rate limits for incoming client and server connections
|
||||
|
||||
limits = {
|
||||
c2s = {
|
||||
rate = "10kb/s";
|
||||
};
|
||||
s2sin = {
|
||||
rate = "30kb/s";
|
||||
};
|
||||
}
|
||||
|
||||
-- Select the authentication backend to use. The 'internal' providers
|
||||
-- use Prosody's configured data storage to store the authentication data.
|
||||
|
||||
authentication = "internal_hashed"
|
||||
|
||||
-- Select the storage backend to use. By default Prosody uses flat files
|
||||
-- in its configured data directory, but it also supports more backends
|
||||
-- through modules. An "sql" backend is included by default, but requires
|
||||
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
||||
|
||||
--storage = "sql" -- Default is "internal"
|
||||
|
||||
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
||||
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
||||
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||
|
||||
|
||||
-- Archiving configuration
|
||||
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
||||
-- is used to synchronize conversations between multiple clients, even if
|
||||
-- they are offline. This setting controls how long Prosody will keep
|
||||
-- messages in the archive before removing them.
|
||||
|
||||
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
||||
|
||||
-- You can also configure messages to be stored in-memory only. For more
|
||||
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
||||
|
||||
-- Logging configuration
|
||||
-- For advanced logging see https://prosody.im/doc/logging
|
||||
log = {
|
||||
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
||||
-- error = "prosody.err";
|
||||
--info = "*syslog"; -- Uncomment this for logging to syslog
|
||||
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
||||
}
|
||||
|
||||
-- Uncomment to enable statistics
|
||||
-- For more info see https://prosody.im/doc/statistics
|
||||
-- statistics = "internal"
|
||||
|
||||
-- Certificates
|
||||
-- Every virtual host and component needs a certificate so that clients and
|
||||
-- servers can securely verify its identity. Prosody will automatically load
|
||||
-- certificates/keys from the directory specified here.
|
||||
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
||||
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
||||
|
||||
-- Location of directory to find certificates in (relative to main config file):
|
||||
certificates = "certs"
|
||||
|
||||
-- HTTPS currently only supports a single certificate, specify it here:
|
||||
https_certificate = "/etc/prosody/certs/wildcard.crt"
|
||||
|
||||
----------- Virtual hosts -----------
|
||||
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
||||
-- Settings under each VirtualHost entry apply *only* to that host.
|
||||
|
||||
VirtualHost "one.example.org"
|
||||
|
||||
VirtualHost "two.example.org"
|
||||
|
||||
--VirtualHost "example.com"
|
||||
-- certificate = "/path/to/example.crt"
|
||||
|
||||
------ Components ------
|
||||
-- You can specify components to add hosts that provide special services,
|
||||
-- like multi-user conferences, and transports.
|
||||
-- For more information on components, see https://prosody.im/doc/components
|
||||
|
||||
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
||||
--Component "conference.example.com" "muc"
|
||||
--- Store MUC messages in an archive and allow users to access it
|
||||
--modules_enabled = { "muc_mam" }
|
||||
|
||||
---Set up an external component (default component port is 5347)
|
||||
--
|
||||
-- External components allow adding various services, such as gateways/
|
||||
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
||||
-- see: https://prosody.im/doc/components#adding_an_external_component
|
||||
--
|
||||
--Component "gateway.example.com"
|
||||
-- component_secret = "password"
|
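--- a/integration/05-client-srv-record-tls/xmpp-proxy1.toml
+++ b/integration/05-client-srv-record-tls/xmpp-proxy1.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"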
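Review bot: `outgoing_listen = [ "0.0.0.0:5222" ]` binds the plaintext outgoing-proxy listener on every interface directly under a comment saying it "should be localhost"; in this fixture the scansion container presumably has to reach it over the test network, so the binding looks intentional, but the copied comment now states the opposite of what the line does. I would replace that comment with `# test fixture: scansion connects from another container, so bind all interfaces (production: 127.0.0.1)`. The `c2s_target`, `s2s_target`, `proxy` and `tls_key`/`tls_cert` keys belong to the reverse-proxy role and appear to be inert here since `incoming_listen`, `quic_listen` and `websocket_listen` are all empty; a one-line comment saying they are unused in this scenario would stop them being copied as required settings.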
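--- a/integration/06-client-websocket/example.org.zone
+++ b/integration/06-client-websocket/example.org.zone
@@ -0,0 +1,22 @@
+$TTL 300
+; example.org
+@ IN SOA ns1.example.org. postmaster.example.org. (
+2018111111 ; Serial
+28800 ; Refresh
+1800 ; Retry
+604800 ; Expire - 1 week
+86400 ) ; Negative Cache TTL
+IN NS ns1
+ns1 IN A 192.5.0.10
+server1 IN A 192.5.0.20
+server2 IN A 192.5.0.30
+xp1 IN A 192.5.0.40
+xp2 IN A 192.5.0.50
+
+one IN CNAME server1
+two IN CNAME server1
+_xmppconnect.one IN TXT "_xmpp-client-websocket=wss://one.example.org:5281/xmpp-websocket"
+_xmppconnect.two IN TXT "_xmpp-client-websocket=wss://two.example.org:5281/xmpp-websocket"
+
+scansion.one IN CNAME xp1
+scansion.two IN CNAME xp1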
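Review bot: The `_xmppconnect … TXT "_xmpp-client-websocket=wss://…"` records use the XEP-0156 DNS discovery method, which directs a connecting client to open an arbitrary wss URL on the strength of an unauthenticated DNS answer; anyone who can spoof the resolver can point it elsewhere, and as far as I recall later revisions of XEP-0156 deprecated the DNS method for exactly that reason. The fixture is safe because the URL hosts equal the XMPP domains, so a client that validates the wss certificate against the XMPP domain rather than the URL host is protected, but that dependency is invisible in the zone. I would add a comment above the two records: `; XEP-0156 DNS method: only safe if the client verifies the TLS cert for the XMPP domain, not the URL host`.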
228
integration/06-client-websocket/prosody1.cfg.lua
Normal file
228
integration/06-client-websocket/prosody1.cfg.lua
Normal file
@ -0,0 +1,228 @@
|
||||
--Important for systemd
|
||||
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
||||
daemonize = false
|
||||
run_as_root = true
|
||||
|
||||
pidfile = "/run/prosody/prosody.pid"
|
||||
|
||||
-- Prosody Example Configuration File
|
||||
--
|
||||
-- Information on configuring Prosody can be found on our
|
||||
-- website at https://prosody.im/doc/configure
|
||||
--
|
||||
-- Tip: You can check that the syntax of this file is correct
|
||||
-- when you have finished by running this command:
|
||||
-- prosodyctl check config
|
||||
-- If there are any errors, it will let you know what and where
|
||||
-- they are, otherwise it will keep quiet.
|
||||
--
|
||||
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
||||
-- blanks. Good luck, and happy Jabbering!
|
||||
|
||||
|
||||
---------- Server-wide settings ----------
|
||||
-- Settings in this section apply to the whole server and are the default settings
|
||||
-- for any virtual hosts
|
||||
|
||||
-- This is a (by default, empty) list of accounts that are admins
|
||||
-- for the server. Note that you must create the accounts separately
|
||||
-- (see https://prosody.im/doc/creating_accounts for info)
|
||||
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
||||
admins = { }
|
||||
|
||||
-- Enable use of libevent for better performance under high load
|
||||
-- For more information see: https://prosody.im/doc/libevent
|
||||
--use_libevent = true
|
||||
|
||||
-- Prosody will always look in its source directory for modules, but
|
||||
-- this option allows you to specify additional locations where Prosody
|
||||
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
||||
--plugin_paths = {}
|
||||
|
||||
-- This is the list of modules Prosody will load on startup.
|
||||
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
||||
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
||||
modules_enabled = {
|
||||
|
||||
-- Generally required
|
||||
"roster"; -- Allow users to have a roster. Recommended ;)
|
||||
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
||||
"tls"; -- Add support for secure TLS on c2s/s2s connections
|
||||
--"dialback"; -- s2s dialback support
|
||||
"disco"; -- Service discovery
|
||||
|
||||
-- Not essential, but recommended
|
||||
"carbons"; -- Keep multiple clients in sync
|
||||
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
||||
"private"; -- Private XML storage (for room bookmarks, etc.)
|
||||
"blocklist"; -- Allow users to block communications with other users
|
||||
"vcard4"; -- User profiles (stored in PEP)
|
||||
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
||||
"limits"; -- Enable bandwidth limiting for XMPP connections
|
||||
|
||||
-- Nice to have
|
||||
"version"; -- Replies to server version requests
|
||||
"uptime"; -- Report how long server has been running
|
||||
"time"; -- Let others know the time here on this server
|
||||
"ping"; -- Replies to XMPP pings with pongs
|
||||
"register"; -- Allow users to register on this server using a client and change passwords
|
||||
--"mam"; -- Store messages in an archive and allow users to access it
|
||||
--"csi_simple"; -- Simple Mobile optimizations
|
||||
|
||||
-- Admin interfaces
|
||||
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
||||
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
||||
|
||||
-- HTTP modules
|
||||
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
||||
"websocket"; -- XMPP over WebSockets
|
||||
--"http_files"; -- Serve static files from a directory over HTTP
|
||||
|
||||
-- Other specific functionality
|
||||
--"groups"; -- Shared roster support
|
||||
--"server_contact_info"; -- Publish contact information for this service
|
||||
--"announce"; -- Send announcement to all online users
|
||||
--"welcome"; -- Welcome users who register accounts
|
||||
--"watchregistrations"; -- Alert admins of registrations
|
||||
--"motd"; -- Send a message to users when they log in
|
||||
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
||||
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
||||
}
|
||||
|
||||
-- These modules are auto-loaded, but should you want
|
||||
-- to disable them then uncomment them here:
|
||||
modules_disabled = {
|
||||
-- "offline"; -- Store offline messages
|
||||
-- "c2s"; -- Handle client connections
|
||||
-- "s2s"; -- Handle server-to-server connections
|
||||
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
||||
}
|
||||
|
||||
legacy_ssl_ports = { };
|
||||
c2s_ports = { };
|
||||
|
||||
-- Disable account creation by default, for security
|
||||
-- For more information see https://prosody.im/doc/creating_accounts
|
||||
allow_registration = false
|
||||
|
||||
-- Force clients to use encrypted connections? This option will
|
||||
-- prevent clients from authenticating unless they are using encryption.
|
||||
|
||||
c2s_require_encryption = true
|
||||
|
||||
-- Force servers to use encrypted connections? This option will
|
||||
-- prevent servers from authenticating unless they are using encryption.
|
||||
|
||||
s2s_require_encryption = true
|
||||
|
||||
-- Force certificate authentication for server-to-server connections?
|
||||
|
||||
s2s_secure_auth = false
|
||||
|
||||
-- Some servers have invalid or self-signed certificates. You can list
|
||||
-- remote domains here that will not be required to authenticate using
|
||||
-- certificates. They will be authenticated using DNS instead, even
|
||||
-- when s2s_secure_auth is enabled.
|
||||
|
||||
--s2s_insecure_domains = { "insecure.example" }
|
||||
|
||||
-- Even if you disable s2s_secure_auth, you can still require valid
|
||||
-- certificates for some domains by specifying a list here.
|
||||
|
||||
--s2s_secure_domains = { "jabber.org" }
|
||||
|
||||
-- Enable rate limits for incoming client and server connections
|
||||
|
||||
limits = {
|
||||
c2s = {
|
||||
rate = "10kb/s";
|
||||
};
|
||||
s2sin = {
|
||||
rate = "30kb/s";
|
||||
};
|
||||
}
|
||||
|
||||
-- Select the authentication backend to use. The 'internal' providers
|
||||
-- use Prosody's configured data storage to store the authentication data.
|
||||
|
||||
authentication = "internal_hashed"
|
||||
|
||||
-- Select the storage backend to use. By default Prosody uses flat files
|
||||
-- in its configured data directory, but it also supports more backends
|
||||
-- through modules. An "sql" backend is included by default, but requires
|
||||
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
||||
|
||||
--storage = "sql" -- Default is "internal"
|
||||
|
||||
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
||||
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
||||
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||
|
||||
|
||||
-- Archiving configuration
|
||||
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
||||
-- is used to synchronize conversations between multiple clients, even if
|
||||
-- they are offline. This setting controls how long Prosody will keep
|
||||
-- messages in the archive before removing them.
|
||||
|
||||
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
||||
|
||||
-- You can also configure messages to be stored in-memory only. For more
|
||||
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
||||
|
||||
-- Logging configuration
|
||||
-- For advanced logging see https://prosody.im/doc/logging
|
||||
log = {
|
||||
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
||||
-- error = "prosody.err";
|
||||
--info = "*syslog"; -- Uncomment this for logging to syslog
|
||||
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
||||
}
|
||||
|
||||
-- Uncomment to enable statistics
|
||||
-- For more info see https://prosody.im/doc/statistics
|
||||
-- statistics = "internal"
|
||||
|
||||
-- Certificates
|
||||
-- Every virtual host and component needs a certificate so that clients and
|
||||
-- servers can securely verify its identity. Prosody will automatically load
|
||||
-- certificates/keys from the directory specified here.
|
||||
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
||||
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
||||
|
||||
-- Location of directory to find certificates in (relative to main config file):
|
||||
certificates = "certs"
|
||||
|
||||
-- HTTPS currently only supports a single certificate, specify it here:
|
||||
--https_certificate = "/etc/prosody/certs/wildcard.crt"
|
||||
|
||||
----------- Virtual hosts -----------
|
||||
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
||||
-- Settings under each VirtualHost entry apply *only* to that host.
|
||||
|
||||
VirtualHost "one.example.org"
|
||||
|
||||
VirtualHost "two.example.org"
|
||||
|
||||
--VirtualHost "example.com"
|
||||
-- certificate = "/path/to/example.crt"
|
||||
|
||||
------ Components ------
|
||||
-- You can specify components to add hosts that provide special services,
|
||||
-- like multi-user conferences, and transports.
|
||||
-- For more information on components, see https://prosody.im/doc/components
|
||||
|
||||
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
||||
--Component "conference.example.com" "muc"
|
||||
--- Store MUC messages in an archive and allow users to access it
|
||||
--modules_enabled = { "muc_mam" }
|
||||
|
||||
---Set up an external component (default component port is 5347)
|
||||
--
|
||||
-- External components allow adding various services, such as gateways/
|
||||
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
||||
-- see: https://prosody.im/doc/components#adding_an_external_component
|
||||
--
|
||||
--Component "gateway.example.com"
|
||||
-- component_secret = "password"
|
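--- a/integration/06-client-websocket/xmpp-proxy1.toml
+++ b/integration/06-client-websocket/xmpp-proxy1.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"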
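Review bot: `log_level = "info,xmpp_proxy=trace"` is committed at the development value, and the comment a few lines above says trace is XML-console-level, so the CI logs will presumably contain every stanza the proxy relays, including the SASL exchange for the test accounts. That is acceptable for throwaway fixture credentials but should be stated rather than implied, e.g. `# test fixture: trace logs full stanzas (including SASL auth) — never use on a real deployment`. This file appears byte-identical to `integration/05-client-srv-record-tls/xmpp-proxy1.toml`, so any wording fix should be applied to both copies.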
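--- a/integration/07-c2s-starttls/example.org.zone
+++ b/integration/07-c2s-starttls/example.org.zone
@@ -0,0 +1,21 @@
+$TTL 300
+; example.org
+@ IN SOA ns1.example.org. postmaster.example.org. (
+2018111111 ; Serial
+28800 ; Refresh
+1800 ; Retry
+604800 ; Expire - 1 week
+86400 ) ; Negative Cache TTL
+IN NS ns1
+ns1 IN A 192.5.0.10
+server1 IN A 192.5.0.20
+server2 IN A 192.5.0.30
+xp1 IN A 192.5.0.40
+xp2 IN A 192.5.0.50
+xp3 IN A 192.5.0.60
+
+one IN CNAME xp1
+two IN CNAME xp1
+
+scansion.one IN CNAME xp3
+scansion.two IN CNAME xp3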
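--- a/integration/07-c2s-starttls/prosody1.cfg.lua
+++ b/integration/07-c2s-starttls/prosody1.cfg.lua
@@ -0,0 +1,253 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+--"tls"; -- Add support for secure TLS on c2s/s2s connections
+--"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+
+-- Not essential, but recommended
+"carbons"; -- Keep multiple clients in sync
+"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"blocklist"; -- Allow users to block communications with other users
+"vcard4"; -- User profiles (stored in PEP)
+"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+"limits"; -- Enable bandwidth limiting for XMPP connections
+
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+"register"; -- Allow users to register on this server using a client and change passwords
+--"mam"; -- Store messages in an archive and allow users to access it
+--"csi_simple"; -- Simple Mobile optimizations
+
+-- Admin interfaces
+"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+-- HTTP modules
+--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+--"websocket"; -- XMPP over WebSockets
+--"http_files"; -- Serve static files from a directory over HTTP
+
+-- Other specific functionality
+--"groups"; -- Shared roster support
+--"server_contact_info"; -- Publish contact information for this service
+--"announce"; -- Send announcement to all online users
+--"welcome"; -- Welcome users who register accounts
+--"watchregistrations"; -- Alert admins of registrations
+--"motd"; -- Send a message to users when they log in
+--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+"net_proxy";
+"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+-- "offline"; -- Store offline messages
+-- "c2s"; -- Handle client connections
+-- "s2s"; -- Handle server-to-server connections
+-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "xp1.example.org", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+[15222] = "c2s",
+[15269] = "s2s"
+}
+
+--[[
+Specifies a list of trusted hosts or networks which may use the PROXY protocol
+If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+An empty table ({}) can be configured to allow connections from any source.
+Please read the module documentation about potential security impact.
+]]--
+proxy_trusted_proxies = {
+"192.5.0.40"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+c2s = {
+rate = "10kb/s";
+};
+s2sin = {
+rate = "30kb/s";
+};
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+-- error = "prosody.err";
+--info = "*syslog"; -- Uncomment this for logging to syslog
+debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"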
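Review bot: `c2s_require_encryption = false` together with `allow_unencrypted_plain_auth = true` makes Prosody accept plaintext PLAIN authentication on the mod_net_proxy c2s port 15222, so the only control keeping those credentials from being readable by other hosts is `proxy_trusted_proxies = { "192.5.0.40" }` plus the isolation of the test network, and nothing in the file says so. Suggest a comment above the pair: `-- plaintext auth is tolerable only because 15222/15269 are reachable solely from xp1 (proxy_trusted_proxies); never expose these ports directly`. Whether mod_net_proxy refuses a connection that arrives without a PROXY header from an untrusted source is not visible here and is worth confirming before relying on it. `run_as_root = true` at the top and the upstream boilerplate about renaming the `.dist` file read as stale in a fixture already named prosody1.cfg.lua; a one-line `-- test container only` on run_as_root would stop the file being reused as a template. The 08-c2s-tls copy of prosody1.cfg.lua is byte-identical and the same remarks apply there.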
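--- a/integration/07-c2s-starttls/xmpp-proxy1.toml
+++ b/integration/07-c2s-starttls/xmpp-proxy1.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5222" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.20:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.20:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/wildcard.key"
+tls_cert = "/etc/prosody/certs/wildcard.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"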
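Review bot: `log_level = "info,xmpp_proxy=trace"` is left active under the `# for development/debugging:` comment, and the comment a few lines above says trace is XML-console-level, so CI output from this fixture would presumably contain the full decrypted stanza stream on xp1, including the SASL exchange that the matching prosody config accepts in plaintext. If that verbosity is needed for the integration run, say so on the line and note the exposure, e.g. `# trace logs every stanza (incl. SASL payloads) to CI output; fixture-only, do not ship`; otherwise restore the commented `#log_level = "info"`. The `tls_key` path also sits under a comment about the systemd unit only reading /etc/xmpp-proxy/, which does not apply to the container image and should be qualified. The same lines appear in 07-c2s-starttls/xmpp-proxy3.toml, 08-c2s-tls/xmpp-proxy1.toml and 08-c2s-tls/xmpp-proxy3.toml.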
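--- a/integration/07-c2s-starttls/xmpp-proxy3.toml
+++ b/integration/07-c2s-starttls/xmpp-proxy3.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"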
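Review bot: `outgoing_listen = [ "0.0.0.0:5222" ]` contradicts the comment directly above it, which says the outgoing-proxy listener should be localhost; here it is bound to all interfaces, presumably because the scansion client (`scansion.one IN CNAME xp3` in the zone file) runs in another container and has to reach xp3 over the network. That turns xp3 into a plaintext-accepting forwarder for anything on the test network, which is acceptable in an isolated compose network but not in a file that is likely to be copied as a template. A comment on the line would preserve the intent: `# bound to all interfaces only because the test client runs in a separate container; use 127.0.0.1 outside the test harness`. `c2s_target` and `s2s_target` point at 127.0.0.1, where nothing in this fixture is shown to listen, so a note that they appear unused while `incoming_listen` is empty would also help. 08-c2s-tls/xmpp-proxy3.toml carries the same value.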
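--- a/integration/08-c2s-tls/example.org.zone
+++ b/integration/08-c2s-tls/example.org.zone
@@ -0,0 +1,21 @@
+$TTL 300
+; example.org
+@ IN SOA ns1.example.org. postmaster.example.org. (
+2018111111 ; Serial
+28800 ; Refresh
+1800 ; Retry
+604800 ; Expire - 1 week
+86400 ) ; Negative Cache TTL
+IN NS ns1
+ns1 IN A 192.5.0.10
+server1 IN A 192.5.0.20
+server2 IN A 192.5.0.30
+xp1 IN A 192.5.0.40
+xp2 IN A 192.5.0.50
+xp3 IN A 192.5.0.60
+
+one IN CNAME xp1
+two IN CNAME xp1
+
+scansion.one IN CNAME xp3
+scansion.two IN CNAME xp3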
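--- a/integration/08-c2s-tls/prosody1.cfg.lua
+++ b/integration/08-c2s-tls/prosody1.cfg.lua
@@ -0,0 +1,253 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+--"tls"; -- Add support for secure TLS on c2s/s2s connections
+--"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+
+-- Not essential, but recommended
+"carbons"; -- Keep multiple clients in sync
+"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"blocklist"; -- Allow users to block communications with other users
+"vcard4"; -- User profiles (stored in PEP)
+"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+"limits"; -- Enable bandwidth limiting for XMPP connections
+
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+"register"; -- Allow users to register on this server using a client and change passwords
+--"mam"; -- Store messages in an archive and allow users to access it
+--"csi_simple"; -- Simple Mobile optimizations
+
+-- Admin interfaces
+"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+-- HTTP modules
+--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+--"websocket"; -- XMPP over WebSockets
+--"http_files"; -- Serve static files from a directory over HTTP
+
+-- Other specific functionality
+--"groups"; -- Shared roster support
+--"server_contact_info"; -- Publish contact information for this service
+--"announce"; -- Send announcement to all online users
+--"welcome"; -- Welcome users who register accounts
+--"watchregistrations"; -- Alert admins of registrations
+--"motd"; -- Send a message to users when they log in
+--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+"net_proxy";
+"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+-- "offline"; -- Store offline messages
+-- "c2s"; -- Handle client connections
+-- "s2s"; -- Handle server-to-server connections
+-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "xp1.example.org", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+[15222] = "c2s",
+[15269] = "s2s"
+}
+
+--[[
+Specifies a list of trusted hosts or networks which may use the PROXY protocol
+If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+An empty table ({}) can be configured to allow connections from any source.
+Please read the module documentation about potential security impact.
+]]--
+proxy_trusted_proxies = {
+"192.5.0.40"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+c2s = {
+rate = "10kb/s";
+};
+s2sin = {
+rate = "30kb/s";
+};
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+-- error = "prosody.err";
+--info = "*syslog"; -- Uncomment this for logging to syslog
+debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"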
44
integration/08-c2s-tls/xmpp-proxy1.toml
Normal file
44
integration/08-c2s-tls/xmpp-proxy1.toml
Normal file
@ -0,0 +1,44 @@
|
||||
|
||||
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
||||
incoming_listen = [ "0.0.0.0:443" ]
|
||||
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
||||
quic_listen = [ ]
|
||||
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
||||
websocket_listen = [ ]
|
||||
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
||||
outgoing_listen = [ ]
|
||||
|
||||
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
||||
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
||||
|
||||
# c2s port backend XMPP server listens on
|
||||
c2s_target = "192.5.0.20:15222"
|
||||
|
||||
# s2s port backend XMPP server listens on
|
||||
s2s_target = "192.5.0.20:15269"
|
||||
|
||||
# send PROXYv1 header to backend XMPP server
|
||||
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
||||
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
||||
proxy = true
|
||||
|
||||
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
||||
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
||||
# xmpp-proxy will use this many bytes + 16k per connection
|
||||
max_stanza_size_bytes = 262_144
|
||||
|
||||
# TLS key/certificate valid for all your XMPP domains, PEM format
|
||||
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
||||
tls_key = "/etc/prosody/certs/wildcard.key"
|
||||
tls_cert = "/etc/prosody/certs/wildcard.crt"
|
||||
|
||||
# configure logging, defaults are commented
|
||||
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
||||
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
||||
#log_level = "info"
|
||||
# for development/debugging:
|
||||
log_level = "info,xmpp_proxy=trace"
|
||||
|
||||
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
||||
#log_style = "never"
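--- a/integration/08-c2s-tls/xmpp-proxy3.toml
+++ b/integration/08-c2s-tls/xmpp-proxy3.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"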
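Review bot: The comment above `outgoing_listen` says the outgoing proxy "should be localhost", but the value on the next line binds `0.0.0.0:5222`, so comment and value disagree in this file. That is presumably intentional here, since the test client has to reach this proxy from another container, but the file is otherwise a copy of the shipped config and reads as if an all-interfaces bind were the recommendation. Suggest adjusting the comment in this file to `# outgoing proxy for the test client container: bound to all interfaces on purpose, keep this on localhost outside of the integration setup`. The same applies to integration/09-c2s-a-record-quic/xmpp-proxy3.toml, which is identical.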
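--- a/integration/09-c2s-a-record-quic/example.org.zone
+++ b/integration/09-c2s-a-record-quic/example.org.zone
@@ -0,0 +1,21 @@
+$TTL 300
+; example.org
+@ IN SOA ns1.example.org. postmaster.example.org. (
+2018111111 ; Serial
+28800 ; Refresh
+1800 ; Retry
+604800 ; Expire - 1 week
+86400 ) ; Negative Cache TTL
+IN NS ns1
+ns1 IN A 192.5.0.10
+server1 IN A 192.5.0.20
+server2 IN A 192.5.0.30
+xp1 IN A 192.5.0.40
+xp2 IN A 192.5.0.50
+xp3 IN A 192.5.0.60
+
+one IN CNAME xp1
+two IN CNAME xp1
+
+scansion.one IN CNAME xp3
+scansion.two IN CNAME xp3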
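--- a/integration/09-c2s-a-record-quic/prosody1.cfg.lua
+++ b/integration/09-c2s-a-record-quic/prosody1.cfg.lua
@@ -0,0 +1,253 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+--"tls"; -- Add support for secure TLS on c2s/s2s connections
+--"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+
+-- Not essential, but recommended
+"carbons"; -- Keep multiple clients in sync
+"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"blocklist"; -- Allow users to block communications with other users
+"vcard4"; -- User profiles (stored in PEP)
+"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+"limits"; -- Enable bandwidth limiting for XMPP connections
+
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+"register"; -- Allow users to register on this server using a client and change passwords
+--"mam"; -- Store messages in an archive and allow users to access it
+--"csi_simple"; -- Simple Mobile optimizations
+
+-- Admin interfaces
+"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+-- HTTP modules
+--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+--"websocket"; -- XMPP over WebSockets
+--"http_files"; -- Serve static files from a directory over HTTP
+
+-- Other specific functionality
+--"groups"; -- Shared roster support
+--"server_contact_info"; -- Publish contact information for this service
+--"announce"; -- Send announcement to all online users
+--"welcome"; -- Welcome users who register accounts
+--"watchregistrations"; -- Alert admins of registrations
+--"motd"; -- Send a message to users when they log in
+--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+"net_proxy";
+"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+-- "offline"; -- Store offline messages
+-- "c2s"; -- Handle client connections
+-- "s2s"; -- Handle server-to-server connections
+-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "xp1.example.org", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+[15222] = "c2s",
+[15269] = "s2s"
+}
+
+--[[
+Specifies a list of trusted hosts or networks which may use the PROXY protocol
+If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+An empty table ({}) can be configured to allow connections from any source.
+Please read the module documentation about potential security impact.
+]]--
+proxy_trusted_proxies = {
+"192.5.0.40"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+c2s = {
+rate = "10kb/s";
+};
+s2sin = {
+rate = "30kb/s";
+};
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+-- error = "prosody.err";
+--info = "*syslog"; -- Uncomment this for logging to syslog
+debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"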
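Review bot: `run_as_root = true` on the fourth line of the file carries no explanation, while the other settings that weaken the usual posture (`s2s_require_encryption = false`, `c2s_require_encryption = false`, `allow_unencrypted_plain_auth = true`) are preceded by comments saying that xmpp-proxy terminates TLS now. Since this file is a near-complete copy of the shipped example config, an unexplained root setting is exactly the line that gets carried into a real deployment; suggest `-- integration container only, do not carry into production` directly above it. It would also help to say in the `proxy_trusted_proxies` block that `192.5.0.40` is `xp1` from example.org.zone, since the comment above that block warns about the security impact of widening the list and the reader otherwise has to cross-reference the zone file. The identical file at integration/10-client-srv-record-quic/prosody1.cfg.lua has the same gaps.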
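--- a/integration/09-c2s-a-record-quic/xmpp-proxy1.toml
+++ b/integration/09-c2s-a-record-quic/xmpp-proxy1.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ "0.0.0.0:443" ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.20:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.20:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/wildcard.key"
+tls_cert = "/etc/prosody/certs/wildcard.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"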
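Review bot: The comment above `tls_key` says the included systemd unit can only read files from `/etc/xmpp-proxy/` and to put the key and certificate there, but the two values below it point at `/etc/prosody/certs/wildcard.key` and `.crt`, so a reader following the comment and one reading the value get different instructions. In this integration container there is presumably no systemd unit involved, so the paths work, but the comment should say that rather than repeat the production advice; suggest `# integration container: key/cert are read from the prosody certs path, the /etc/xmpp-proxy/ restriction of the systemd unit does not apply here`. The trace level set by `log_level` a few lines lower is described as XML-console-level by the file's own comment, so the stanzas the proxy handles end up in the container log; that is reasonable for a test run, but a short note next to the setting would keep it from being promoted along with the rest of the file.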
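--- a/integration/09-c2s-a-record-quic/xmpp-proxy3.toml
+++ b/integration/09-c2s-a-record-quic/xmpp-proxy3.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"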
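--- a/integration/10-client-srv-record-quic/example.org.zone
+++ b/integration/10-client-srv-record-quic/example.org.zone
@@ -0,0 +1,21 @@
+$TTL 300
+; example.org
+@ IN SOA ns1.example.org. postmaster.example.org. (
+2018111111 ; Serial
+28800 ; Refresh
+1800 ; Retry
+604800 ; Expire - 1 week
+86400 ) ; Negative Cache TTL
+IN NS ns1
+ns1 IN A 192.5.0.10
+server1 IN A 192.5.0.20
+server2 IN A 192.5.0.30
+xp1 IN A 192.5.0.40
+xp2 IN A 192.5.0.50
+xp3 IN A 192.5.0.60
+
+_xmppq-client._udp.one IN SRV 5 1 5443 xp1
+_xmppq-client._udp.two IN SRV 5 1 5443 xp1
+
+scansion.one IN CNAME xp3
+scansion.two IN CNAME xp3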
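--- a/integration/10-client-srv-record-quic/prosody1.cfg.lua
+++ b/integration/10-client-srv-record-quic/prosody1.cfg.lua
@@ -0,0 +1,253 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+--"tls"; -- Add support for secure TLS on c2s/s2s connections
+--"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+
+-- Not essential, but recommended
+"carbons"; -- Keep multiple clients in sync
+"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"blocklist"; -- Allow users to block communications with other users
+"vcard4"; -- User profiles (stored in PEP)
+"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+"limits"; -- Enable bandwidth limiting for XMPP connections
+
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+"register"; -- Allow users to register on this server using a client and change passwords
+--"mam"; -- Store messages in an archive and allow users to access it
+--"csi_simple"; -- Simple Mobile optimizations
+
+-- Admin interfaces
+"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+-- HTTP modules
+--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+--"websocket"; -- XMPP over WebSockets
+--"http_files"; -- Serve static files from a directory over HTTP
+
+-- Other specific functionality
+--"groups"; -- Shared roster support
+--"server_contact_info"; -- Publish contact information for this service
+--"announce"; -- Send announcement to all online users
+--"welcome"; -- Welcome users who register accounts
+--"watchregistrations"; -- Alert admins of registrations
+--"motd"; -- Send a message to users when they log in
+--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+"net_proxy";
+"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+-- "offline"; -- Store offline messages
+-- "c2s"; -- Handle client connections
+-- "s2s"; -- Handle server-to-server connections
+-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "xp1.example.org", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+[15222] = "c2s",
+[15269] = "s2s"
+}
+
+--[[
+Specifies a list of trusted hosts or networks which may use the PROXY protocol
+If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+An empty table ({}) can be configured to allow connections from any source.
+Please read the module documentation about potential security impact.
+]]--
+proxy_trusted_proxies = {
+"192.5.0.40"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+c2s = {
+rate = "10kb/s";
+};
+s2sin = {
+rate = "30kb/s";
+};
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+-- error = "prosody.err";
+--info = "*syslog"; -- Uncomment this for logging to syslog
+debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"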
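--- a/integration/10-client-srv-record-quic/xmpp-proxy1.toml
+++ b/integration/10-client-srv-record-quic/xmpp-proxy1.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ "0.0.0.0:5443" ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.20:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.20:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/wildcard.key"
+tls_cert = "/etc/prosody/certs/wildcard.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"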
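--- a/integration/10-client-srv-record-quic/xmpp-proxy3.toml
+++ b/integration/10-client-srv-record-quic/xmpp-proxy3.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"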
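--- a/integration/11-c2s-websocket/example.org.zone
+++ b/integration/11-c2s-websocket/example.org.zone
@@ -0,0 +1,23 @@
+$TTL 300
+; example.org
+@ IN SOA ns1.example.org. postmaster.example.org. (
+2018111111 ; Serial
+28800 ; Refresh
+1800 ; Retry
+604800 ; Expire - 1 week
+86400 ) ; Negative Cache TTL
+IN NS ns1
+ns1 IN A 192.5.0.10
+server1 IN A 192.5.0.20
+server2 IN A 192.5.0.30
+xp1 IN A 192.5.0.40
+xp2 IN A 192.5.0.50
+xp3 IN A 192.5.0.60
+
+one IN CNAME xp1
+two IN CNAME xp1
+_xmppconnect.one IN TXT "_xmpp-client-websocket=wss://one.example.org:5281/xmpp-websocket"
+_xmppconnect.two IN TXT "_xmpp-client-websocket=wss://two.example.org:5281/xmpp-websocket"
+
+scansion.one IN CNAME xp3
+scansion.two IN CNAME xp3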
253
integration/11-c2s-websocket/prosody1.cfg.lua
Normal file
253
integration/11-c2s-websocket/prosody1.cfg.lua
Normal file
@ -0,0 +1,253 @@
|
||||
--Important for systemd
|
||||
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
||||
daemonize = false
|
||||
run_as_root = true
|
||||
|
||||
pidfile = "/run/prosody/prosody.pid"
|
||||
|
||||
plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
|
||||
|
||||
-- Prosody Example Configuration File
|
||||
--
|
||||
-- Information on configuring Prosody can be found on our
|
||||
-- website at https://prosody.im/doc/configure
|
||||
--
|
||||
-- Tip: You can check that the syntax of this file is correct
|
||||
-- when you have finished by running this command:
|
||||
-- prosodyctl check config
|
||||
-- If there are any errors, it will let you know what and where
|
||||
-- they are, otherwise it will keep quiet.
|
||||
--
|
||||
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
||||
-- blanks. Good luck, and happy Jabbering!
|
||||
|
||||
|
||||
---------- Server-wide settings ----------
|
||||
-- Settings in this section apply to the whole server and are the default settings
|
||||
-- for any virtual hosts
|
||||
|
||||
-- This is a (by default, empty) list of accounts that are admins
|
||||
-- for the server. Note that you must create the accounts separately
|
||||
-- (see https://prosody.im/doc/creating_accounts for info)
|
||||
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
||||
admins = { }
|
||||
|
||||
-- Enable use of libevent for better performance under high load
|
||||
-- For more information see: https://prosody.im/doc/libevent
|
||||
--use_libevent = true
|
||||
|
||||
-- Prosody will always look in its source directory for modules, but
|
||||
-- this option allows you to specify additional locations where Prosody
|
||||
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
||||
--plugin_paths = {}
|
||||
|
||||
-- This is the list of modules Prosody will load on startup.
|
||||
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
||||
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
||||
modules_enabled = {
|
||||
|
||||
-- Generally required
|
||||
"roster"; -- Allow users to have a roster. Recommended ;)
|
||||
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
||||
--"tls"; -- Add support for secure TLS on c2s/s2s connections
|
||||
--"dialback"; -- s2s dialback support
|
||||
"disco"; -- Service discovery
|
||||
|
||||
-- Not essential, but recommended
|
||||
"carbons"; -- Keep multiple clients in sync
|
||||
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
||||
"private"; -- Private XML storage (for room bookmarks, etc.)
|
||||
"blocklist"; -- Allow users to block communications with other users
|
||||
"vcard4"; -- User profiles (stored in PEP)
|
||||
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
||||
"limits"; -- Enable bandwidth limiting for XMPP connections
|
||||
|
||||
-- Nice to have
|
||||
"version"; -- Replies to server version requests
|
||||
"uptime"; -- Report how long server has been running
|
||||
"time"; -- Let others know the time here on this server
|
||||
"ping"; -- Replies to XMPP pings with pongs
|
||||
"register"; -- Allow users to register on this server using a client and change passwords
|
||||
--"mam"; -- Store messages in an archive and allow users to access it
|
||||
--"csi_simple"; -- Simple Mobile optimizations
|
||||
|
||||
-- Admin interfaces
|
||||
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
||||
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
||||
|
||||
-- HTTP modules
|
||||
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
||||
--"websocket"; -- XMPP over WebSockets
|
||||
--"http_files"; -- Serve static files from a directory over HTTP
|
||||
|
||||
-- Other specific functionality
|
||||
--"groups"; -- Shared roster support
|
||||
--"server_contact_info"; -- Publish contact information for this service
|
||||
--"announce"; -- Send announcement to all online users
|
||||
--"welcome"; -- Welcome users who register accounts
|
||||
--"watchregistrations"; -- Alert admins of registrations
|
||||
--"motd"; -- Send a message to users when they log in
|
||||
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
||||
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
||||
"net_proxy";
|
||||
"s2s_outgoing_proxy";
|
||||
}
|
||||
|
||||
-- These modules are auto-loaded, but should you want
|
||||
-- to disable them then uncomment them here:
|
||||
modules_disabled = {
|
||||
-- "offline"; -- Store offline messages
|
||||
-- "c2s"; -- Handle client connections
|
||||
-- "s2s"; -- Handle server-to-server connections
|
||||
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
||||
}
|
||||
|
||||
-- Disable account creation by default, for security
|
||||
-- For more information see https://prosody.im/doc/creating_accounts
|
||||
allow_registration = false
|
||||
|
||||
-- we don't need prosody doing any encryption, xmpp-proxy does this now
|
||||
-- these are likely set to true somewhere in your file, find them, make them false
|
||||
-- you can also remove all certificates from your config
|
||||
s2s_require_encryption = false
|
||||
s2s_secure_auth = false
|
||||
|
||||
-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
|
||||
s2s_outgoing_proxy = { "xp1.example.org", 15270 }
|
||||
|
||||
-- handle PROXY protocol on these ports
|
||||
proxy_port_mappings = {
|
||||
[15222] = "c2s",
|
||||
[15269] = "s2s"
|
||||
}
|
||||
|
||||
--[[
|
||||
Specifies a list of trusted hosts or networks which may use the PROXY protocol
|
||||
If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
|
||||
An empty table ({}) can be configured to allow connections from any source.
|
||||
Please read the module documentation about potential security impact.
|
||||
]]--
|
||||
proxy_trusted_proxies = {
|
||||
"192.5.0.40"
|
||||
}
|
||||
|
||||
-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
|
||||
-- you might need to comment these out further down in your config file if you set them
|
||||
c2s_ports = {}
|
||||
legacy_ssl_ports = {}
|
||||
-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
|
||||
s2s_ports = {15268}
|
||||
|
||||
-- Force clients to use encrypted connections? This option will
|
||||
-- prevent clients from authenticating unless they are using encryption.
|
||||
|
||||
c2s_require_encryption = false
|
||||
allow_unencrypted_plain_auth = true
|
||||
|
||||
-- Some servers have invalid or self-signed certificates. You can list
|
||||
-- remote domains here that will not be required to authenticate using
|
||||
-- certificates. They will be authenticated using DNS instead, even
|
||||
-- when s2s_secure_auth is enabled.
|
||||
|
||||
--s2s_insecure_domains = { "insecure.example" }
|
||||
|
||||
-- Even if you disable s2s_secure_auth, you can still require valid
|
||||
-- certificates for some domains by specifying a list here.
|
||||
|
||||
--s2s_secure_domains = { "jabber.org" }
|
||||
|
||||
-- Enable rate limits for incoming client and server connections
|
||||
|
||||
limits = {
|
||||
c2s = {
|
||||
rate = "10kb/s";
|
||||
};
|
||||
s2sin = {
|
||||
rate = "30kb/s";
|
||||
};
|
||||
}
|
||||
|
||||
-- Select the authentication backend to use. The 'internal' providers
|
||||
-- use Prosody's configured data storage to store the authentication data.
|
||||
|
||||
authentication = "internal_hashed"
|
||||
|
||||
-- Select the storage backend to use. By default Prosody uses flat files
|
||||
-- in its configured data directory, but it also supports more backends
|
||||
-- through modules. An "sql" backend is included by default, but requires
|
||||
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
||||
|
||||
--storage = "sql" -- Default is "internal"
|
||||
|
||||
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
||||
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
||||
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||
|
||||
|
||||
-- Archiving configuration
|
||||
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
||||
-- is used to synchronize conversations between multiple clients, even if
|
||||
-- they are offline. This setting controls how long Prosody will keep
|
||||
-- messages in the archive before removing them.
|
||||
|
||||
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
||||
|
||||
-- You can also configure messages to be stored in-memory only. For more
|
||||
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
||||
|
||||
-- Logging configuration
|
||||
-- For advanced logging see https://prosody.im/doc/logging
|
||||
log = {
|
||||
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
||||
-- error = "prosody.err";
|
||||
--info = "*syslog"; -- Uncomment this for logging to syslog
|
||||
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
||||
}
|
||||
|
||||
-- Uncomment to enable statistics
|
||||
-- For more info see https://prosody.im/doc/statistics
|
||||
-- statistics = "internal"
|
||||
|
||||
-- Certificates
|
||||
-- Every virtual host and component needs a certificate so that clients and
|
||||
-- servers can securely verify its identity. Prosody will automatically load
|
||||
-- certificates/keys from the directory specified here.
|
||||
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
||||
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
||||
|
||||
-- Location of directory to find certificates in (relative to main config file):
|
||||
certificates = "certs"
|
||||
|
||||
-- HTTPS currently only supports a single certificate, specify it here:
|
||||
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
||||
|
||||
----------- Virtual hosts -----------
|
||||
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
||||
-- Settings under each VirtualHost entry apply *only* to that host.
|
||||
|
||||
VirtualHost "one.example.org"
|
||||
|
||||
VirtualHost "two.example.org"
|
||||
|
||||
--VirtualHost "example.com"
|
||||
-- certificate = "/path/to/example.crt"
|
||||
|
||||
------ Components ------
|
||||
-- You can specify components to add hosts that provide special services,
|
||||
-- like multi-user conferences, and transports.
|
||||
-- For more information on components, see https://prosody.im/doc/components
|
||||
|
||||
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
||||
--Component "conference.example.com" "muc"
|
||||
--- Store MUC messages in an archive and allow users to access it
|
||||
--modules_enabled = { "muc_mam" }
|
||||
|
||||
---Set up an external component (default component port is 5347)
|
||||
--
|
||||
-- External components allow adding various services, such as gateways/
|
||||
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
||||
-- see: https://prosody.im/doc/components#adding_an_external_component
|
||||
--
|
||||
--Component "gateway.example.com"
|
||||
-- component_secret = "password"
|
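--- a/integration/11-c2s-websocket/xmpp-proxy1.toml
+++ b/integration/11-c2s-websocket/xmpp-proxy1.toml
@@ -0,0 +1,42 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5281" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.20:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.20:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/wildcard.key"
+tls_cert = "/etc/prosody/certs/wildcard.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"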
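--- a/integration/11-c2s-websocket/xmpp-proxy3.toml
+++ b/integration/11-c2s-websocket/xmpp-proxy3.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"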
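--- a/integration/12-s2s-a-record-starttls/example.org.zone
+++ b/integration/12-s2s-a-record-starttls/example.org.zone
@@ -0,0 +1,21 @@
+$TTL 300
+; example.org
+@ IN SOA ns1.example.org. postmaster.example.org. (
+2018111111 ; Serial
+28800 ; Refresh
+1800 ; Retry
+604800 ; Expire - 1 week
+86400 ) ; Negative Cache TTL
+IN NS ns1
+ns1 IN A 192.5.0.10
+server1 IN A 192.5.0.20
+server2 IN A 192.5.0.30
+xp1 IN A 192.5.0.40
+xp2 IN A 192.5.0.50
+xp3 IN A 192.5.0.60
+
+one IN CNAME xp1
+two IN CNAME xp2
+
+scansion.one IN CNAME xp3
+scansion.two IN CNAME xp3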
251
integration/12-s2s-a-record-starttls/prosody1.cfg.lua
Normal file
251
integration/12-s2s-a-record-starttls/prosody1.cfg.lua
Normal file
@ -0,0 +1,251 @@
|
||||
--Important for systemd
|
||||
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
||||
daemonize = false
|
||||
run_as_root = true
|
||||
|
||||
pidfile = "/run/prosody/prosody.pid"
|
||||
|
||||
plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
|
||||
|
||||
-- Prosody Example Configuration File
|
||||
--
|
||||
-- Information on configuring Prosody can be found on our
|
||||
-- website at https://prosody.im/doc/configure
|
||||
--
|
||||
-- Tip: You can check that the syntax of this file is correct
|
||||
-- when you have finished by running this command:
|
||||
-- prosodyctl check config
|
||||
-- If there are any errors, it will let you know what and where
|
||||
-- they are, otherwise it will keep quiet.
|
||||
--
|
||||
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
||||
-- blanks. Good luck, and happy Jabbering!
|
||||
|
||||
|
||||
---------- Server-wide settings ----------
|
||||
-- Settings in this section apply to the whole server and are the default settings
|
||||
-- for any virtual hosts
|
||||
|
||||
-- This is a (by default, empty) list of accounts that are admins
|
||||
-- for the server. Note that you must create the accounts separately
|
||||
-- (see https://prosody.im/doc/creating_accounts for info)
|
||||
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
||||
admins = { }
|
||||
|
||||
-- Enable use of libevent for better performance under high load
|
||||
-- For more information see: https://prosody.im/doc/libevent
|
||||
--use_libevent = true
|
||||
|
||||
-- Prosody will always look in its source directory for modules, but
|
||||
-- this option allows you to specify additional locations where Prosody
|
||||
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
||||
--plugin_paths = {}
|
||||
|
||||
-- This is the list of modules Prosody will load on startup.
|
||||
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
||||
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
||||
modules_enabled = {
|
||||
|
||||
-- Generally required
|
||||
"roster"; -- Allow users to have a roster. Recommended ;)
|
||||
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
||||
--"tls"; -- Add support for secure TLS on c2s/s2s connections
|
||||
--"dialback"; -- s2s dialback support
|
||||
"disco"; -- Service discovery
|
||||
|
||||
-- Not essential, but recommended
|
||||
"carbons"; -- Keep multiple clients in sync
|
||||
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
||||
"private"; -- Private XML storage (for room bookmarks, etc.)
|
||||
"blocklist"; -- Allow users to block communications with other users
|
||||
"vcard4"; -- User profiles (stored in PEP)
|
||||
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
||||
"limits"; -- Enable bandwidth limiting for XMPP connections
|
||||
|
||||
-- Nice to have
|
||||
"version"; -- Replies to server version requests
|
||||
"uptime"; -- Report how long server has been running
|
||||
"time"; -- Let others know the time here on this server
|
||||
"ping"; -- Replies to XMPP pings with pongs
|
||||
"register"; -- Allow users to register on this server using a client and change passwords
|
||||
--"mam"; -- Store messages in an archive and allow users to access it
|
||||
--"csi_simple"; -- Simple Mobile optimizations
|
||||
|
||||
-- Admin interfaces
|
||||
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
||||
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
||||
|
||||
-- HTTP modules
|
||||
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
||||
--"websocket"; -- XMPP over WebSockets
|
||||
--"http_files"; -- Serve static files from a directory over HTTP
|
||||
|
||||
-- Other specific functionality
|
||||
--"groups"; -- Shared roster support
|
||||
--"server_contact_info"; -- Publish contact information for this service
|
||||
--"announce"; -- Send announcement to all online users
|
||||
--"welcome"; -- Welcome users who register accounts
|
||||
--"watchregistrations"; -- Alert admins of registrations
|
||||
--"motd"; -- Send a message to users when they log in
|
||||
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
||||
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
||||
"net_proxy";
|
||||
"s2s_outgoing_proxy";
|
||||
}
|
||||
|
||||
-- These modules are auto-loaded, but should you want
|
||||
-- to disable them then uncomment them here:
|
||||
modules_disabled = {
|
||||
-- "offline"; -- Store offline messages
|
||||
-- "c2s"; -- Handle client connections
|
||||
-- "s2s"; -- Handle server-to-server connections
|
||||
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
||||
}
|
||||
|
||||
-- Disable account creation by default, for security
|
||||
-- For more information see https://prosody.im/doc/creating_accounts
|
||||
allow_registration = false
|
||||
|
||||
-- we don't need prosody doing any encryption, xmpp-proxy does this now
|
||||
-- these are likely set to true somewhere in your file, find them, make them false
|
||||
-- you can also remove all certificates from your config
|
||||
s2s_require_encryption = false
|
||||
s2s_secure_auth = false
|
||||
|
||||
-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
|
||||
s2s_outgoing_proxy = { "192.5.0.40", 15270 }
|
||||
|
||||
-- handle PROXY protocol on these ports
|
||||
proxy_port_mappings = {
|
||||
[15222] = "c2s",
|
||||
[15269] = "s2s"
|
||||
}
|
||||
|
||||
--[[
|
||||
Specifies a list of trusted hosts or networks which may use the PROXY protocol
|
||||
If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
|
||||
An empty table ({}) can be configured to allow connections from any source.
|
||||
Please read the module documentation about potential security impact.
|
||||
]]--
|
||||
proxy_trusted_proxies = {
|
||||
"192.5.0.40"
|
||||
}
|
||||
|
||||
-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
|
||||
-- you might need to comment these out further down in your config file if you set them
|
||||
c2s_ports = {}
|
||||
legacy_ssl_ports = {}
|
||||
-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
|
||||
s2s_ports = {15268}
|
||||
|
||||
-- Force clients to use encrypted connections? This option will
|
||||
-- prevent clients from authenticating unless they are using encryption.
|
||||
|
||||
c2s_require_encryption = false
|
||||
allow_unencrypted_plain_auth = true
|
||||
|
||||
-- Some servers have invalid or self-signed certificates. You can list
|
||||
-- remote domains here that will not be required to authenticate using
|
||||
-- certificates. They will be authenticated using DNS instead, even
|
||||
-- when s2s_secure_auth is enabled.
|
||||
|
||||
--s2s_insecure_domains = { "insecure.example" }
|
||||
|
||||
-- Even if you disable s2s_secure_auth, you can still require valid
|
||||
-- certificates for some domains by specifying a list here.
|
||||
|
||||
--s2s_secure_domains = { "jabber.org" }
|
||||
|
||||
-- Enable rate limits for incoming client and server connections
|
||||
|
||||
limits = {
|
||||
c2s = {
|
||||
rate = "10kb/s";
|
||||
};
|
||||
s2sin = {
|
||||
rate = "30kb/s";
|
||||
};
|
||||
}
|
||||
|
||||
-- Select the authentication backend to use. The 'internal' providers
|
||||
-- use Prosody's configured data storage to store the authentication data.
|
||||
|
||||
authentication = "internal_hashed"
|
||||
|
||||
-- Select the storage backend to use. By default Prosody uses flat files
|
||||
-- in its configured data directory, but it also supports more backends
|
||||
-- through modules. An "sql" backend is included by default, but requires
|
||||
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
||||
|
||||
--storage = "sql" -- Default is "internal"
|
||||
|
||||
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
||||
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
||||
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||
|
||||
|
||||
-- Archiving configuration
|
||||
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
||||
-- is used to synchronize conversations between multiple clients, even if
|
||||
-- they are offline. This setting controls how long Prosody will keep
|
||||
-- messages in the archive before removing them.
|
||||
|
||||
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
||||
|
||||
-- You can also configure messages to be stored in-memory only. For more
|
||||
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
||||
|
||||
-- Logging configuration
|
||||
-- For advanced logging see https://prosody.im/doc/logging
|
||||
log = {
|
||||
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
||||
-- error = "prosody.err";
|
||||
--info = "*syslog"; -- Uncomment this for logging to syslog
|
||||
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
||||
}
|
||||
|
||||
-- Uncomment to enable statistics
|
||||
-- For more info see https://prosody.im/doc/statistics
|
||||
-- statistics = "internal"
|
||||
|
||||
-- Certificates
|
||||
-- Every virtual host and component needs a certificate so that clients and
|
||||
-- servers can securely verify its identity. Prosody will automatically load
|
||||
-- certificates/keys from the directory specified here.
|
||||
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
||||
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
||||
|
||||
-- Location of directory to find certificates in (relative to main config file):
|
||||
certificates = "certs"
|
||||
|
||||
-- HTTPS currently only supports a single certificate, specify it here:
|
||||
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
||||
|
||||
----------- Virtual hosts -----------
|
||||
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
||||
-- Settings under each VirtualHost entry apply *only* to that host.
|
||||
|
||||
VirtualHost "one.example.org"
|
||||
|
||||
--VirtualHost "example.com"
|
||||
-- certificate = "/path/to/example.crt"
|
||||
|
||||
------ Components ------
|
||||
-- You can specify components to add hosts that provide special services,
|
||||
-- like multi-user conferences, and transports.
|
||||
-- For more information on components, see https://prosody.im/doc/components
|
||||
|
||||
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
||||
--Component "conference.example.com" "muc"
|
||||
--- Store MUC messages in an archive and allow users to access it
|
||||
--modules_enabled = { "muc_mam" }
|
||||
|
||||
---Set up an external component (default component port is 5347)
|
||||
--
|
||||
-- External components allow adding various services, such as gateways/
|
||||
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
||||
-- see: https://prosody.im/doc/components#adding_an_external_component
|
||||
--
|
||||
--Component "gateway.example.com"
|
||||
-- component_secret = "password"
|
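--- a/integration/12-s2s-a-record-starttls/prosody2.cfg.lua
+++ b/integration/12-s2s-a-record-starttls/prosody2.cfg.lua
@@ -0,0 +1,251 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+--"tls"; -- Add support for secure TLS on c2s/s2s connections
+--"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+
+-- Not essential, but recommended
+"carbons"; -- Keep multiple clients in sync
+"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"blocklist"; -- Allow users to block communications with other users
+"vcard4"; -- User profiles (stored in PEP)
+"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+"limits"; -- Enable bandwidth limiting for XMPP connections
+
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+"register"; -- Allow users to register on this server using a client and change passwords
+--"mam"; -- Store messages in an archive and allow users to access it
+--"csi_simple"; -- Simple Mobile optimizations
+
+-- Admin interfaces
+"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+-- HTTP modules
+--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+--"websocket"; -- XMPP over WebSockets
+--"http_files"; -- Serve static files from a directory over HTTP
+
+-- Other specific functionality
+--"groups"; -- Shared roster support
+--"server_contact_info"; -- Publish contact information for this service
+--"announce"; -- Send announcement to all online users
+--"welcome"; -- Welcome users who register accounts
+--"watchregistrations"; -- Alert admins of registrations
+--"motd"; -- Send a message to users when they log in
+--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+"net_proxy";
+"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+-- "offline"; -- Store offline messages
+-- "c2s"; -- Handle client connections
+-- "s2s"; -- Handle server-to-server connections
+-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "192.5.0.50", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+[15222] = "c2s",
+[15269] = "s2s"
+}
+
+--[[
+Specifies a list of trusted hosts or networks which may use the PROXY protocol
+If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+An empty table ({}) can be configured to allow connections from any source.
+Please read the module documentation about potential security impact.
+]]--
+proxy_trusted_proxies = {
+"192.5.0.50"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+c2s = {
+rate = "10kb/s";
+};
+s2sin = {
+rate = "30kb/s";
+};
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+-- error = "prosody.err";
+--info = "*syslog"; -- Uncomment this for logging to syslog
+debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"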
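Review bot: `s2s_ports = {15268}` opens a plain-TCP s2s listener that, with Prosody's default interfaces, is reachable on every address of the container, while `s2s_require_encryption`, `s2s_secure_auth` and `"dialback"` are all off; that port therefore accepts unencrypted incoming s2s that never passes through xmpp-proxy or the `proxy_trusted_proxies` check, and the comment above it only explains that the port is needed for outgoing s2s to work. On this test network that is probably harmless, but the file is written as a template ("find them, make them false"), so the listener should be bound locally, e.g. `s2s_interfaces = { "127.0.0.1" }` on the line after `s2s_ports`, or at least carry a comment saying 15268 must not be reachable from outside. The same applies to integration/13-s2s-srv-record-starttls/prosody1.cfg.lua and, from what is visible of it, prosody2.cfg.lua in that directory.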
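--- a/integration/12-s2s-a-record-starttls/xmpp-proxy1.toml
+++ b/integration/12-s2s-a-record-starttls/xmpp-proxy1.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:5269" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:15270" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.20:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.20:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/one.example.org.key"
+tls_cert = "/etc/prosody/certs/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"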
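Review bot: `outgoing_listen = [ "0.0.0.0:15270" ]` contradicts the comment directly above it ("should be localhost"): per the Prosody side of this commit, the backend sends every outgoing s2s connection to this port in plaintext and xmpp-proxy does the encryption, so anything that can reach 15270 can originate s2s traffic through this instance. Binding to all interfaces looks deliberate here, presumably because the Prosody container it fronts (192.5.0.20, per `c2s_target`) is a separate host on the test network, but the rest of the file reads as a copy of the shipped template, so the comment should say so, e.g. `# test harness: bound on all interfaces so the prosody container can reach it; use 127.0.0.1 in production`. xmpp-proxy2.toml and xmpp-proxy3.toml in this directory carry the same comment/value mismatch.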
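--- a/integration/12-s2s-a-record-starttls/xmpp-proxy2.toml
+++ b/integration/12-s2s-a-record-starttls/xmpp-proxy2.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:5269" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:15270" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.30:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.30:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/two.example.org.key"
+tls_cert = "/etc/prosody/certs/two.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"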
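--- a/integration/12-s2s-a-record-starttls/xmpp-proxy3.toml
+++ b/integration/12-s2s-a-record-starttls/xmpp-proxy3.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"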
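Review bot: With `incoming_listen = [ ]` nothing is reverse-proxied by this instance, so `c2s_target`, `s2s_target` and `proxy = true` are dead configuration here and the template comments above them describe a backend that this file never talks to; a reader has to diff against xmpp-proxy1.toml to work out that this is the outgoing-only instance (presumably the `xp3` host the `scansion.*` names resolve to, going by the zone file in the sibling 13- directory). A one-line header at the top would make that explicit, e.g. `# outgoing-only instance used by the test client; the incoming/backend keys below are unused`. It is also worth a comment next to `outgoing_listen` that 5222 is the standard c2s port, so whatever connects to this container is speaking plaintext XMPP to the proxy by design, which is acceptable only on the isolated test network.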
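--- a/integration/13-s2s-srv-record-starttls/example.org.zone
+++ b/integration/13-s2s-srv-record-starttls/example.org.zone
@@ -0,0 +1,23 @@
+$TTL 300
+; example.org
+@ IN SOA ns1.example.org. postmaster.example.org. (
+2018111111 ; Serial
+28800 ; Refresh
+1800 ; Retry
+604800 ; Expire - 1 week
+86400 ) ; Negative Cache TTL
+IN NS ns1
+ns1 IN A 192.5.0.10
+server1 IN A 192.5.0.20
+server2 IN A 192.5.0.30
+xp1 IN A 192.5.0.40
+xp2 IN A 192.5.0.50
+xp3 IN A 192.5.0.60
+
+one IN CNAME xp1
+two IN CNAME xp2
+_xmpp-server._tcp.one IN SRV 5 1 52269 xp1
+_xmpp-server._tcp.two IN SRV 5 1 52269 xp2
+
+scansion.one IN CNAME xp3
+scansion.two IN CNAME xp3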
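Review bot: The two SRV records send `_xmpp-server._tcp.one` and `.two` to port 52269 rather than the 5269 that the xmpp-proxy configs in the 12- directory listen on, and nothing in the zone says why; presumably the 13- proxy configs (outside this chunk) listen on 52269 so that the test can only pass when the SRV record is honoured instead of falling back to the A record on 5269, but that is an inference. A zone comment above the SRV lines would spare the next reader the hunt, e.g. `; non-standard port on purpose: a resolver that ignores SRV and falls back to A:5269 must fail this test`. Note also that the rendered page has dropped leading whitespace, so `IN NS ns1` appears at column 0 here; in the real file that record needs an owner name (or leading whitespace) to inherit `@`, which is worth confirming against the checked-in file.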
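--- a/integration/13-s2s-srv-record-starttls/prosody1.cfg.lua
+++ b/integration/13-s2s-srv-record-starttls/prosody1.cfg.lua
@@ -0,0 +1,251 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+--"tls"; -- Add support for secure TLS on c2s/s2s connections
+--"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+
+-- Not essential, but recommended
+"carbons"; -- Keep multiple clients in sync
+"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"blocklist"; -- Allow users to block communications with other users
+"vcard4"; -- User profiles (stored in PEP)
+"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+"limits"; -- Enable bandwidth limiting for XMPP connections
+
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+"register"; -- Allow users to register on this server using a client and change passwords
+--"mam"; -- Store messages in an archive and allow users to access it
+--"csi_simple"; -- Simple Mobile optimizations
+
+-- Admin interfaces
+"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+-- HTTP modules
+--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+--"websocket"; -- XMPP over WebSockets
+--"http_files"; -- Serve static files from a directory over HTTP
+
+-- Other specific functionality
+--"groups"; -- Shared roster support
+--"server_contact_info"; -- Publish contact information for this service
+--"announce"; -- Send announcement to all online users
+--"welcome"; -- Welcome users who register accounts
+--"watchregistrations"; -- Alert admins of registrations
+--"motd"; -- Send a message to users when they log in
+--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+"net_proxy";
+"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+-- "offline"; -- Store offline messages
+-- "c2s"; -- Handle client connections
+-- "s2s"; -- Handle server-to-server connections
+-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "192.5.0.40", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+[15222] = "c2s",
+[15269] = "s2s"
+}
+
+--[[
+Specifies a list of trusted hosts or networks which may use the PROXY protocol
+If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+An empty table ({}) can be configured to allow connections from any source.
+Please read the module documentation about potential security impact.
+]]--
+proxy_trusted_proxies = {
+"192.5.0.40"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+c2s = {
+rate = "10kb/s";
+};
+s2sin = {
+rate = "30kb/s";
+};
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+-- error = "prosody.err";
+--info = "*syslog"; -- Uncomment this for logging to syslog
+debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"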
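--- a/integration/13-s2s-srv-record-starttls/prosody2.cfg.lua
+++ b/integration/13-s2s-srv-record-starttls/prosody2.cfg.lua
@@ -0,0 +1,251 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+--"tls"; -- Add support for secure TLS on c2s/s2s connections
+--"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+
+-- Not essential, but recommended
+"carbons"; -- Keep multiple clients in sync
+"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"blocklist"; -- Allow users to block communications with other users
+"vcard4"; -- User profiles (stored in PEP)
+"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+"limits"; -- Enable bandwidth limiting for XMPP connections
+
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+"register"; -- Allow users to register on this server using a client and change passwords
+--"mam"; -- Store messages in an archive and allow users to access it
+--"csi_simple"; -- Simple Mobile optimizations
+
+-- Admin interfaces
+"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+-- HTTP modules
+--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+--"websocket"; -- XMPP over WebSockets
+--"http_files"; -- Serve static files from a directory over HTTP
+
+-- Other specific functionality
+--"groups"; -- Shared roster support
+--"server_contact_info"; -- Publish contact information for this service
+--"announce"; -- Send announcement to all online users
+--"welcome"; -- Welcome users who register accounts
+--"watchregistrations"; -- Alert admins of registrations
+--"motd"; -- Send a message to users when they log in
+--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+"net_proxy";
+"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+-- "offline"; -- Store offline messages
+-- "c2s"; -- Handle client connections
+-- "s2s"; -- Handle server-to-server connections
+-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "192.5.0.50", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+[15222] = "c2s",
+[15269] = "s2s"
+}
+
+--[[
+Specifies a list of trusted hosts or networks which may use the PROXY protocol
+If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+An empty table ({}) can be configured to allow connections from any source.
+Please read the module documentation about potential security impact.
+]]--
+proxy_trusted_proxies = {
+"192.5.0.50"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+c2s = {
+rate = "10kb/s";
+};
+s2sin = {
+rate = "30kb/s";
+};
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+-- error = "prosody.err";
+--info = "*syslog"; -- Uncomment this for logging to syslog
+debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"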
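Review bot: `run_as_root = true` near the top of prosody2.cfg.lua is the one security-relevant setting in this file that carries no explanation, while the plaintext-auth and no-encryption settings further down are each tied to xmpp-proxy by a comment. A one-line comment above it, `-- integration-test container only; never run prosody as root outside this harness`, would stop the line travelling into a real deployment along with the rest of the template. Relatedly, the comment on `s2s_ports = {15268}` only says the port is needed for outgoing s2s, but with `s2s_require_encryption` and `s2s_secure_auth` both false that listener appears to also accept plaintext inbound s2s on a port that is not in `proxy_port_mappings`, so the `proxy_trusted_proxies` restriction does not cover it; a comment that 15268 must stay unreachable from outside the test network would make the assumption explicit. The same applies to integration/14-s2s-a-record-tls/prosody1.cfg.lua and prosody2.cfg.lua.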
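--- a/integration/13-s2s-srv-record-starttls/xmpp-proxy1.toml
+++ b/integration/13-s2s-srv-record-starttls/xmpp-proxy1.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:52269" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:15270" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.20:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.20:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/one.example.org.key"
+tls_cert = "/etc/prosody/certs/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"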
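Review bot: The comment above `outgoing_listen` says this listener "should be localhost", but the value is `"0.0.0.0:15270"`, so the file contradicts its own guidance on the one listener that accepts unauthenticated plaintext XMPP from anything able to reach it. The all-interfaces bind is needed here only because prosody runs in a separate container (prosody2.cfg.lua in this directory points `s2s_outgoing_proxy` at 192.5.0.50:15270), so say that instead of keeping the inherited comment: `# bound to 0.0.0.0 only because prosody runs in another container on the 192.5.0.x test network; use 127.0.0.1 in production`. The `tls_key`/`tls_cert` comment about the systemd unit reading only /etc/xmpp-proxy/ is likewise stale for paths under /etc/prosody/certs/. `"0.0.0.0:52269"` in `incoming_listen` reads like a typo for the standard 5269 unless the SRV record in this test deliberately targets 52269 — worth confirming. The same applies to xmpp-proxy2.toml and xmpp-proxy3.toml in this directory.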
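--- a/integration/13-s2s-srv-record-starttls/xmpp-proxy2.toml
+++ b/integration/13-s2s-srv-record-starttls/xmpp-proxy2.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:52269" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:15270" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.30:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.30:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/two.example.org.key"
+tls_cert = "/etc/prosody/certs/two.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"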
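--- a/integration/13-s2s-srv-record-starttls/xmpp-proxy3.toml
+++ b/integration/13-s2s-srv-record-starttls/xmpp-proxy3.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"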
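Review bot: With `incoming_listen`, `quic_listen` and `websocket_listen` all empty, this instance is outgoing-only, yet `c2s_target`, `s2s_target` and `proxy = true` still point at 127.0.0.1 backends that nothing in this file listens for — presumably left over from the template. A comment above `c2s_target`, `# no incoming listeners in this instance; the backend targets below are unused`, or dropping the three keys if the config loader permits it, would make the test's intent clear. `outgoing_listen = [ "0.0.0.0:5222" ]` also reuses the standard c2s port for the outgoing proxy, which is easy to misread as a client-facing TLS listener; naming it in the comment as the port the scansion hosts dial out through would avoid that.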
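--- a/integration/14-s2s-a-record-tls/example.org.zone
+++ b/integration/14-s2s-a-record-tls/example.org.zone
@@ -0,0 +1,21 @@
+$TTL 300
+; example.org
+@ IN SOA ns1.example.org. postmaster.example.org. (
+2018111111 ; Serial
+28800 ; Refresh
+1800 ; Retry
+604800 ; Expire - 1 week
+86400 ) ; Negative Cache TTL
+IN NS ns1
+ns1 IN A 192.5.0.10
+server1 IN A 192.5.0.20
+server2 IN A 192.5.0.30
+xp1 IN A 192.5.0.40
+xp2 IN A 192.5.0.50
+xp3 IN A 192.5.0.60
+
+one IN CNAME xp1
+two IN CNAME xp2
+
+scansion.one IN CNAME xp3
+scansion.two IN CNAME xp3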
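--- a/integration/14-s2s-a-record-tls/prosody1.cfg.lua
+++ b/integration/14-s2s-a-record-tls/prosody1.cfg.lua
@@ -0,0 +1,251 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+--"tls"; -- Add support for secure TLS on c2s/s2s connections
+--"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+
+-- Not essential, but recommended
+"carbons"; -- Keep multiple clients in sync
+"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"blocklist"; -- Allow users to block communications with other users
+"vcard4"; -- User profiles (stored in PEP)
+"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+"limits"; -- Enable bandwidth limiting for XMPP connections
+
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+"register"; -- Allow users to register on this server using a client and change passwords
+--"mam"; -- Store messages in an archive and allow users to access it
+--"csi_simple"; -- Simple Mobile optimizations
+
+-- Admin interfaces
+"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+-- HTTP modules
+--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+--"websocket"; -- XMPP over WebSockets
+--"http_files"; -- Serve static files from a directory over HTTP
+
+-- Other specific functionality
+--"groups"; -- Shared roster support
+--"server_contact_info"; -- Publish contact information for this service
+--"announce"; -- Send announcement to all online users
+--"welcome"; -- Welcome users who register accounts
+--"watchregistrations"; -- Alert admins of registrations
+--"motd"; -- Send a message to users when they log in
+--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+"net_proxy";
+"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+-- "offline"; -- Store offline messages
+-- "c2s"; -- Handle client connections
+-- "s2s"; -- Handle server-to-server connections
+-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "192.5.0.40", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+[15222] = "c2s",
+[15269] = "s2s"
+}
+
+--[[
+Specifies a list of trusted hosts or networks which may use the PROXY protocol
+If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+An empty table ({}) can be configured to allow connections from any source.
+Please read the module documentation about potential security impact.
+]]--
+proxy_trusted_proxies = {
+"192.5.0.40"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+c2s = {
+rate = "10kb/s";
+};
+s2sin = {
+rate = "30kb/s";
+};
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+-- error = "prosody.err";
+--info = "*syslog"; -- Uncomment this for logging to syslog
+debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"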
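--- a/integration/14-s2s-a-record-tls/prosody2.cfg.lua
+++ b/integration/14-s2s-a-record-tls/prosody2.cfg.lua
@@ -0,0 +1,251 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+--"tls"; -- Add support for secure TLS on c2s/s2s connections
+--"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+
+-- Not essential, but recommended
+"carbons"; -- Keep multiple clients in sync
+"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"blocklist"; -- Allow users to block communications with other users
+"vcard4"; -- User profiles (stored in PEP)
+"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+"limits"; -- Enable bandwidth limiting for XMPP connections
+
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+"register"; -- Allow users to register on this server using a client and change passwords
+--"mam"; -- Store messages in an archive and allow users to access it
+--"csi_simple"; -- Simple Mobile optimizations
+
+-- Admin interfaces
+"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+-- HTTP modules
+--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+--"websocket"; -- XMPP over WebSockets
+--"http_files"; -- Serve static files from a directory over HTTP
+
+-- Other specific functionality
+--"groups"; -- Shared roster support
+--"server_contact_info"; -- Publish contact information for this service
+--"announce"; -- Send announcement to all online users
+--"welcome"; -- Welcome users who register accounts
+--"watchregistrations"; -- Alert admins of registrations
+--"motd"; -- Send a message to users when they log in
+--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+"net_proxy";
+"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+-- "offline"; -- Store offline messages
+-- "c2s"; -- Handle client connections
+-- "s2s"; -- Handle server-to-server connections
+-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "192.5.0.50", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+[15222] = "c2s",
+[15269] = "s2s"
+}
+
+--[[
+Specifies a list of trusted hosts or networks which may use the PROXY protocol
+If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+An empty table ({}) can be configured to allow connections from any source.
+Please read the module documentation about potential security impact.
+]]--
+proxy_trusted_proxies = {
+"192.5.0.50"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+c2s = {
+rate = "10kb/s";
+};
+s2sin = {
+rate = "30kb/s";
+};
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+-- error = "prosody.err";
+--info = "*syslog"; -- Uncomment this for logging to syslog
+debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"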
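Review bot: `s2s_ports = {15268}` opens an ordinary s2s listener that is not in `proxy_port_mappings` (only 15222 and 15269 are), so as far as this file shows it neither expects a PROXY header nor is covered by `proxy_trusted_proxies`, and with `s2s_require_encryption = false` and `s2s_secure_auth = false` it is a cleartext, unauthenticated s2s endpoint whose only guard is who can reach the container. The comment above it only says the port is needed for outgoing s2s; I would spell out the consequence: `-- 15268 is a plain listener (no PROXY header, no TLS): keep it unreachable from outside the test network`. The same applies to `integration/15-s2s-srv-record-tls/prosody1.cfg.lua` and, as far as is visible, to `prosody2.cfg.lua` in that directory. The template boilerplate about renaming the `.dist` file is stale for a fixture and could be dropped.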
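--- a/integration/14-s2s-a-record-tls/xmpp-proxy1.toml
+++ b/integration/14-s2s-a-record-tls/xmpp-proxy1.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:443" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:15270" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.20:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.20:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/one.example.org.key"
+tls_cert = "/etc/prosody/certs/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"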
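Review bot: The comment on `outgoing_listen` says the outgoing-proxy port "should be localhost", but the value binds `0.0.0.0:15270`, and nothing else in the file restricts who may connect to it; that port takes cleartext XMPP from any peer that can reach it and, presumably, relays it outward with this proxy's TLS key, so the comment and the value contradict each other. Binding all interfaces is presumably needed here because the backend is in another container (`c2s_target`/`s2s_target` point at 192.5.0.20), so I would fix the comment rather than the value: `# bound to 0.0.0.0 only because the backend runs in a separate container; outside the test harness keep this on localhost or a firewalled interface`. The same mismatch is in `xmpp-proxy2.toml` and `xmpp-proxy3.toml` (`0.0.0.0:5222` there). The `tls_key` comment about `/etc/xmpp-proxy/` is also stale against the `/etc/prosody/certs/` paths actually used.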
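--- a/integration/14-s2s-a-record-tls/xmpp-proxy2.toml
+++ b/integration/14-s2s-a-record-tls/xmpp-proxy2.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:443" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:15270" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.30:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.30:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/two.example.org.key"
+tls_cert = "/etc/prosody/certs/two.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"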
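--- a/integration/14-s2s-a-record-tls/xmpp-proxy3.toml
+++ b/integration/14-s2s-a-record-tls/xmpp-proxy3.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"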
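--- a/integration/15-s2s-srv-record-tls/example.org.zone
+++ b/integration/15-s2s-srv-record-tls/example.org.zone
@@ -0,0 +1,23 @@
+$TTL 300
+; example.org
+@ IN SOA ns1.example.org. postmaster.example.org. (
+2018111111 ; Serial
+28800 ; Refresh
+1800 ; Retry
+604800 ; Expire - 1 week
+86400 ) ; Negative Cache TTL
+IN NS ns1
+ns1 IN A 192.5.0.10
+server1 IN A 192.5.0.20
+server2 IN A 192.5.0.30
+xp1 IN A 192.5.0.40
+xp2 IN A 192.5.0.50
+xp3 IN A 192.5.0.60
+
+one IN CNAME xp1
+two IN CNAME xp2
+_xmpps-server._tcp.one IN SRV 5 1 52269 xp1
+_xmpps-server._tcp.two IN SRV 5 1 52269 xp2
+
+scansion.one IN CNAME xp3
+scansion.two IN CNAME xp3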
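--- a/integration/15-s2s-srv-record-tls/prosody1.cfg.lua
+++ b/integration/15-s2s-srv-record-tls/prosody1.cfg.lua
@@ -0,0 +1,251 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+--"tls"; -- Add support for secure TLS on c2s/s2s connections
+--"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+
+-- Not essential, but recommended
+"carbons"; -- Keep multiple clients in sync
+"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"blocklist"; -- Allow users to block communications with other users
+"vcard4"; -- User profiles (stored in PEP)
+"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+"limits"; -- Enable bandwidth limiting for XMPP connections
+
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+"register"; -- Allow users to register on this server using a client and change passwords
+--"mam"; -- Store messages in an archive and allow users to access it
+--"csi_simple"; -- Simple Mobile optimizations
+
+-- Admin interfaces
+"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+-- HTTP modules
+--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+--"websocket"; -- XMPP over WebSockets
+--"http_files"; -- Serve static files from a directory over HTTP
+
+-- Other specific functionality
+--"groups"; -- Shared roster support
+--"server_contact_info"; -- Publish contact information for this service
+--"announce"; -- Send announcement to all online users
+--"welcome"; -- Welcome users who register accounts
+--"watchregistrations"; -- Alert admins of registrations
+--"motd"; -- Send a message to users when they log in
+--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+"net_proxy";
+"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+-- "offline"; -- Store offline messages
+-- "c2s"; -- Handle client connections
+-- "s2s"; -- Handle server-to-server connections
+-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "192.5.0.40", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+[15222] = "c2s",
+[15269] = "s2s"
+}
+
+--[[
+Specifies a list of trusted hosts or networks which may use the PROXY protocol
+If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+An empty table ({}) can be configured to allow connections from any source.
+Please read the module documentation about potential security impact.
+]]--
+proxy_trusted_proxies = {
+"192.5.0.40"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+c2s = {
+rate = "10kb/s";
+};
+s2sin = {
+rate = "30kb/s";
+};
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+-- error = "prosody.err";
+--info = "*syslog"; -- Uncomment this for logging to syslog
+debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"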
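--- a/integration/15-s2s-srv-record-tls/prosody2.cfg.lua
+++ b/integration/15-s2s-srv-record-tls/prosody2.cfg.lua
@@ -0,0 +1,251 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+--"tls"; -- Add support for secure TLS on c2s/s2s connections
+--"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+
+-- Not essential, but recommended
+"carbons"; -- Keep multiple clients in sync
+"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"blocklist"; -- Allow users to block communications with other users
+"vcard4"; -- User profiles (stored in PEP)
+"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+"limits"; -- Enable bandwidth limiting for XMPP connections
+
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+"register"; -- Allow users to register on this server using a client and change passwords
+--"mam"; -- Store messages in an archive and allow users to access it
+--"csi_simple"; -- Simple Mobile optimizations
+
+-- Admin interfaces
+"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+-- HTTP modules
+--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+--"websocket"; -- XMPP over WebSockets
+--"http_files"; -- Serve static files from a directory over HTTP
+
+-- Other specific functionality
+--"groups"; -- Shared roster support
+--"server_contact_info"; -- Publish contact information for this service
+--"announce"; -- Send announcement to all online users
+--"welcome"; -- Welcome users who register accounts
+--"watchregistrations"; -- Alert admins of registrations
+--"motd"; -- Send a message to users when they log in
+--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+"net_proxy";
+"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+-- "offline"; -- Store offline messages
+-- "c2s"; -- Handle client connections
+-- "s2s"; -- Handle server-to-server connections
+-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "192.5.0.50", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+[15222] = "c2s",
+[15269] = "s2s"
+}
+
+--[[
+Specifies a list of trusted hosts or networks which may use the PROXY protocol
+If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+An empty table ({}) can be configured to allow connections from any source.
+Please read the module documentation about potential security impact.
+]]--
+proxy_trusted_proxies = {
+"192.5.0.50"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+c2s = {
+rate = "10kb/s";
+};
+s2sin = {
+rate = "30kb/s";
+};
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+-- error = "prosody.err";
+--info = "*syslog"; -- Uncomment this for logging to syslog
+debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"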
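Review bot: `allow_unencrypted_plain_auth = true` together with `c2s_require_encryption = false` (about two thirds of the way down the file) removes the encryption requirement for every c2s session, while the companion xmpp-proxy TOML in this directory points at mod_secure_interfaces as the way to treat only the proxy-facing ports as secure; `secure_interfaces` is not in `modules_enabled` here, so unless mod_net_proxy marks PROXY-protocol connections itself, Prosody will also accept PLAIN from anything that reaches port 15222 directly rather than through the trusted proxy at 192.5.0.50. For a fixture that is acceptable, but a comment above those two lines such as `-- test fixture: TLS is terminated by xmpp-proxy; do not copy these two settings into a production config` would stop the file being reused as a template. `run_as_root = true` near the top deserves the same `-- integration container only` comment, since nothing else in the file says why it is set. The same applies to integration/16-s2s-a-record-quic/prosody1.cfg.lua in this commit.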
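--- a/integration/15-s2s-srv-record-tls/xmpp-proxy1.toml
+++ b/integration/15-s2s-srv-record-tls/xmpp-proxy1.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:52269" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:15270" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.20:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.20:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/one.example.org.key"
+tls_cert = "/etc/prosody/certs/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"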
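Review bot: `outgoing_listen = [ "0.0.0.0:15270" ]` contradicts the comment directly above it, which says the outgoing proxy port should be localhost; that listener accepts plaintext XMPP and opens TLS sessions outward under this proxy's certificate, so binding it on all interfaces is only acceptable because the integration network is closed, and the comment should say so, e.g. `# bound to all interfaces only so the prosody container can reach it; keep this on localhost outside the test harness`. `log_level = "info,xmpp_proxy=trace"` is described two lines earlier as XML-console-level, and in this topology the proxy forwards the decrypted c2s stream to `c2s_target`, so CI logs may carry the test accounts' SASL exchanges; the commented `#log_level = "info"` is the better value once the test is stable. The `"0.0.0.0:52269"` entry in `incoming_listen` looks deliberate for an SRV-record test, but a one-line comment saying so would keep it from being read as a typo for 5269. The same three points apply to xmpp-proxy2.toml and xmpp-proxy3.toml in this directory, the last of which binds its outgoing listener on `0.0.0.0:5222`.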
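--- a/integration/15-s2s-srv-record-tls/xmpp-proxy2.toml
+++ b/integration/15-s2s-srv-record-tls/xmpp-proxy2.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:52269" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:15270" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.30:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.30:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/two.example.org.key"
+tls_cert = "/etc/prosody/certs/two.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"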
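--- a/integration/15-s2s-srv-record-tls/xmpp-proxy3.toml
+++ b/integration/15-s2s-srv-record-tls/xmpp-proxy3.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"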
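--- a/integration/16-s2s-a-record-quic/example.org.zone
+++ b/integration/16-s2s-a-record-quic/example.org.zone
@@ -0,0 +1,21 @@
+$TTL 300
+; example.org
+@ IN SOA ns1.example.org. postmaster.example.org. (
+2018111111 ; Serial
+28800 ; Refresh
+1800 ; Retry
+604800 ; Expire - 1 week
+86400 ) ; Negative Cache TTL
+IN NS ns1
+ns1 IN A 192.5.0.10
+server1 IN A 192.5.0.20
+server2 IN A 192.5.0.30
+xp1 IN A 192.5.0.40
+xp2 IN A 192.5.0.50
+xp3 IN A 192.5.0.60
+
+one IN CNAME xp1
+two IN CNAME xp2
+
+scansion.one IN CNAME xp3
+scansion.two IN CNAME xp3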
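--- a/integration/16-s2s-a-record-quic/prosody1.cfg.lua
+++ b/integration/16-s2s-a-record-quic/prosody1.cfg.lua
@@ -0,0 +1,251 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+--"tls"; -- Add support for secure TLS on c2s/s2s connections
+--"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+
+-- Not essential, but recommended
+"carbons"; -- Keep multiple clients in sync
+"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"blocklist"; -- Allow users to block communications with other users
+"vcard4"; -- User profiles (stored in PEP)
+"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+"limits"; -- Enable bandwidth limiting for XMPP connections
+
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+"register"; -- Allow users to register on this server using a client and change passwords
+--"mam"; -- Store messages in an archive and allow users to access it
+--"csi_simple"; -- Simple Mobile optimizations
+
+-- Admin interfaces
+"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+-- HTTP modules
+--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+--"websocket"; -- XMPP over WebSockets
+--"http_files"; -- Serve static files from a directory over HTTP
+
+-- Other specific functionality
+--"groups"; -- Shared roster support
+--"server_contact_info"; -- Publish contact information for this service
+--"announce"; -- Send announcement to all online users
+--"welcome"; -- Welcome users who register accounts
+--"watchregistrations"; -- Alert admins of registrations
+--"motd"; -- Send a message to users when they log in
+--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+"net_proxy";
+"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+-- "offline"; -- Store offline messages
+-- "c2s"; -- Handle client connections
+-- "s2s"; -- Handle server-to-server connections
+-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "192.5.0.40", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+[15222] = "c2s",
+[15269] = "s2s"
+}
+
+--[[
+Specifies a list of trusted hosts or networks which may use the PROXY protocol
+If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+An empty table ({}) can be configured to allow connections from any source.
+Please read the module documentation about potential security impact.
+]]--
+proxy_trusted_proxies = {
+"192.5.0.40"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+c2s = {
+rate = "10kb/s";
+};
+s2sin = {
+rate = "30kb/s";
+};
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+-- error = "prosody.err";
+--info = "*syslog"; -- Uncomment this for logging to syslog
+debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"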
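--- a/integration/16-s2s-a-record-quic/prosody2.cfg.lua
+++ b/integration/16-s2s-a-record-quic/prosody2.cfg.lua
@@ -0,0 +1,251 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+--"tls"; -- Add support for secure TLS on c2s/s2s connections
+--"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+
+-- Not essential, but recommended
+"carbons"; -- Keep multiple clients in sync
+"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"blocklist"; -- Allow users to block communications with other users
+"vcard4"; -- User profiles (stored in PEP)
+"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+"limits"; -- Enable bandwidth limiting for XMPP connections
+
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+"register"; -- Allow users to register on this server using a client and change passwords
+--"mam"; -- Store messages in an archive and allow users to access it
+--"csi_simple"; -- Simple Mobile optimizations
+
+-- Admin interfaces
+"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+-- HTTP modules
+--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+--"websocket"; -- XMPP over WebSockets
+--"http_files"; -- Serve static files from a directory over HTTP
+
+-- Other specific functionality
+--"groups"; -- Shared roster support
+--"server_contact_info"; -- Publish contact information for this service
+--"announce"; -- Send announcement to all online users
+--"welcome"; -- Welcome users who register accounts
+--"watchregistrations"; -- Alert admins of registrations
+--"motd"; -- Send a message to users when they log in
+--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+"net_proxy";
+"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+-- "offline"; -- Store offline messages
+-- "c2s"; -- Handle client connections
+-- "s2s"; -- Handle server-to-server connections
+-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "192.5.0.50", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+[15222] = "c2s",
+[15269] = "s2s"
+}
+
+--[[
+Specifies a list of trusted hosts or networks which may use the PROXY protocol
+If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+An empty table ({}) can be configured to allow connections from any source.
+Please read the module documentation about potential security impact.
+]]--
+proxy_trusted_proxies = {
+"192.5.0.50"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+c2s = {
+rate = "10kb/s";
+};
+s2sin = {
+rate = "30kb/s";
+};
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+-- error = "prosody.err";
+--info = "*syslog"; -- Uncomment this for logging to syslog
+debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"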
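--- a/integration/16-s2s-a-record-quic/xmpp-proxy1.toml
+++ b/integration/16-s2s-a-record-quic/xmpp-proxy1.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5222" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ "0.0.0.0:443" ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:15270" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.20:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.20:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/one.example.org.key"
+tls_cert = "/etc/prosody/certs/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"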
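--- a/integration/16-s2s-a-record-quic/xmpp-proxy2.toml
+++ b/integration/16-s2s-a-record-quic/xmpp-proxy2.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5222" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ "0.0.0.0:443" ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:15270" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.30:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.30:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/two.example.org.key"
+tls_cert = "/etc/prosody/certs/two.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"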
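--- a/integration/16-s2s-a-record-quic/xmpp-proxy3.toml
+++ b/integration/16-s2s-a-record-quic/xmpp-proxy3.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"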
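--- a/integration/17-s2s-srv-record-quic/example.org.zone
+++ b/integration/17-s2s-srv-record-quic/example.org.zone
@@ -0,0 +1,23 @@
+$TTL 300
+; example.org
+@ IN SOA ns1.example.org. postmaster.example.org. (
+2018111111 ; Serial
+28800 ; Refresh
+1800 ; Retry
+604800 ; Expire - 1 week
+86400 ) ; Negative Cache TTL
+IN NS ns1
+ns1 IN A 192.5.0.10
+server1 IN A 192.5.0.20
+server2 IN A 192.5.0.30
+xp1 IN A 192.5.0.40
+xp2 IN A 192.5.0.50
+xp3 IN A 192.5.0.60
+
+one IN CNAME xp1
+two IN CNAME xp2
+_xmppq-server._udp.one IN SRV 5 1 52269 xp1
+_xmppq-server._udp.two IN SRV 5 1 52269 xp2
+
+scansion.one IN CNAME xp3
+scansion.two IN CNAME xp3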