No commits in common. "master" and "v1.0.1" have entirely different histories.
5
.ci/Jenkinsfile
vendored
@ -28,14 +28,9 @@ node('linux && docker') {
|
|||||||
|
|
||||||
stage('Build + Deploy') {
|
stage('Build + Deploy') {
|
||||||
sh '''
|
sh '''
|
||||||
./check-all-features.sh || exit 1
|
|
||||||
cargo clean
|
|
||||||
mkdir -p release
|
mkdir -p release
|
||||||
cp xmpp-proxy.toml release
|
cp xmpp-proxy.toml release
|
||||||
curl --compressed -sL https://code.moparisthebest.com/moparisthebest/self-ci/raw/branch/master/build-ci.sh | bash
|
curl --compressed -sL https://code.moparisthebest.com/moparisthebest/self-ci/raw/branch/master/build-ci.sh | bash
|
||||||
ret=$?
|
|
||||||
docker system prune -af
|
|
||||||
exit $ret
|
|
||||||
'''
|
'''
|
||||||
}
|
}
|
||||||
|
|
||||||
|
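Review bot: The `curl --compressed -sL https://code.moparisthebest.com/moparisthebest/self-ci/raw/branch/master/build-ci.sh | bash` line kept on the new side fetches an unpinned script from a moving branch and executes it inside the build shell, and because the `sh ''' ... '''` block has no `pipefail`, a failed or truncated download leaves bash reading empty input and the stage exits 0 silently. At minimum add `set -euo pipefail` as the first line of the block and make curl fail on HTTP errors, e.g. `curl --compressed -fsSL https://code.moparisthebest.com/moparisthebest/self-ci/raw/commit/<PINNED_COMMIT>/build-ci.sh | bash`, where `<PINNED_COMMIT>` is a placeholder for the reviewed self-ci revision; checking the script's digest before piping it would close the gap fully. The removed `ret=$?` / `exit $ret` pair is history and needs no replacement once `set -e` is in place. The enclosing `node('linux && docker')` block starts and ends outside the hunk.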
@ -11,10 +11,6 @@ echo "$TARGET" | grep -E '^x86_64-pc-windows-gnu$' >/dev/null && SUFFIX=".exe"
|
|||||||
|
|
||||||
# ring fails to compile here
|
# ring fails to compile here
|
||||||
echo "$TARGET" | grep -E '^(s390x|powerpc|mips|riscv64gc|.*solaris$)' >/dev/null && echo "$TARGET not supported in rustls" && exit 0
|
echo "$TARGET" | grep -E '^(s390x|powerpc|mips|riscv64gc|.*solaris$)' >/dev/null && echo "$TARGET not supported in rustls" && exit 0
|
||||||
|
|
||||||
# running `docker system prune -af` after these because they are roughly every 25% through and my hard drive space is limited
|
|
||||||
echo "$TARGET" | grep -E '^(armv7-unknown-linux-gnueabihf|x86_64-linux-android|mips-unknown-linux-gnu)$' >/dev/null && docker system prune -af
|
|
||||||
|
|
||||||
# mio fails to link here
|
# mio fails to link here
|
||||||
echo "$TARGET" | grep -E '^x86_64-unknown-netbsd$' >/dev/null && echo "$TARGET not supported in mio" && exit 0
|
echo "$TARGET" | grep -E '^x86_64-unknown-netbsd$' >/dev/null && echo "$TARGET not supported in mio" && exit 0
|
||||||
|
|
||||||
|
1
.gitattributes
vendored
@ -1 +0,0 @@
|
|||||||
integration/** linguist-documentation
|
|
7
.gitignore
vendored
@ -1,11 +1,4 @@
|
|||||||
/target/
|
/target/
|
||||||
/target
|
|
||||||
**/*.rs.bk
|
**/*.rs.bk
|
||||||
.idea
|
.idea
|
||||||
**/*.kate-swp
|
**/*.kate-swp
|
||||||
**/out/
|
|
||||||
**/core.*
|
|
||||||
fuzz/target/
|
|
||||||
*.txt
|
|
||||||
conflict/
|
|
||||||
*.test.toml
|
|
||||||
|
1813
Cargo.lock
generated
97
Cargo.toml
@ -1,15 +1,9 @@
|
|||||||
[workspace]
|
|
||||||
members = [
|
|
||||||
"fuzz",
|
|
||||||
"."
|
|
||||||
]
|
|
||||||
|
|
||||||
[package]
|
[package]
|
||||||
name = "xmpp-proxy"
|
name = "xmpp-proxy"
|
||||||
version = "1.0.0"
|
version = "1.0.0"
|
||||||
authors = ["moparisthebest <admin@moparisthebest.com>"]
|
authors = ["moparisthebest <admin@moparisthebest.com>"]
|
||||||
|
|
||||||
description = "XMPP reverse proxy and outgoing proxy"
|
description = "Reverse XMPP proxy."
|
||||||
repository = "https://code.moparisthebest.com/moparisthebest/xmpp-proxy"
|
repository = "https://code.moparisthebest.com/moparisthebest/xmpp-proxy"
|
||||||
keywords = ["xmpp", "proxy"]
|
keywords = ["xmpp", "proxy"]
|
||||||
|
|
||||||
@ -26,92 +20,11 @@ include = [
|
|||||||
]
|
]
|
||||||
|
|
||||||
[dependencies]
|
[dependencies]
|
||||||
toml = "0.8"
|
toml = "0.5"
|
||||||
serde_derive = "1.0"
|
serde_derive = "1.0"
|
||||||
serde = { version = "1.0", features = ["derive"] }
|
serde = { version = "1.0", features = ["derive"] }
|
||||||
futures = "0.3"
|
futures = "0.3"
|
||||||
die = "0.2"
|
die = "0.2.0"
|
||||||
anyhow = "1.0"
|
anyhow = "1.0"
|
||||||
tokio = { version = "1.35", features = ["net", "rt", "rt-multi-thread", "macros", "io-util", "signal", "time"] }
|
tokio = { version = "1.4", features = ["net", "rt", "rt-multi-thread", "macros", "io-util"] }
|
||||||
ring = "0.17"
|
tokio-rustls = "0.22"
|
||||||
data-encoding = "2.5"
|
|
||||||
async-trait = "0.1"
|
|
||||||
|
|
||||||
|
|
||||||
# logging deps
|
|
||||||
log = "0.4"
|
|
||||||
rand = { version = "0.8", optional = true, features = [] }
|
|
||||||
env_logger = { version = "0.10", optional = true, features = [] }
|
|
||||||
|
|
||||||
# incoming deps
|
|
||||||
tokio-rustls = { version = "0.24", optional = true }
|
|
||||||
webpki = { package = "rustls-webpki", version = "0.101", optional = true }
|
|
||||||
|
|
||||||
# outgoing deps
|
|
||||||
lazy_static = "1.4"
|
|
||||||
trust-dns-resolver = { version = "0.23", optional = true }
|
|
||||||
# todo: feature+code for dns-over-rustls
|
|
||||||
#trust-dns-resolver = { version = "0.21", features = ["dns-over-rustls"], optional = true }
|
|
||||||
webpki-roots = { version = "0.25", optional = true }
|
|
||||||
rustls-native-certs = { version = "0.6", optional = true }
|
|
||||||
# todo: feed reqwest the roots we already have
|
|
||||||
reqwest = { version = "0.11", optional = true, default-features = false, features = ["rustls-tls-native-roots", "json", "gzip", "trust-dns"] }
|
|
||||||
|
|
||||||
# quic deps
|
|
||||||
quinn = { version = "0.10", optional = true }
|
|
||||||
|
|
||||||
# shared deps needed by quic and incoming
|
|
||||||
rustls = { version = "0.21", optional = true, features = ["dangerous_configuration"] }
|
|
||||||
rustls-pemfile = { version = "1.0", optional = true }
|
|
||||||
|
|
||||||
# websocket deps
|
|
||||||
tokio-tungstenite = { version = "0.21", optional = true, default-features = false, features = ["handshake"] }
|
|
||||||
futures-util = { version = "0.3", default-features = false, features = ["async-await", "sink", "std"], optional = true }
|
|
||||||
|
|
||||||
# webtransport deps
|
|
||||||
webtransport-quinn = { version = "0.6", optional = true }
|
|
||||||
|
|
||||||
# systemd dep
|
|
||||||
nix = { version = "0.27", optional = true, default-features = false, features = ["socket"]}
|
|
||||||
|
|
||||||
[features]
|
|
||||||
default = ["c2s-incoming", "c2s-outgoing", "s2s-incoming", "s2s-outgoing", "tls", "quic", "websocket", "webtransport", "logging", "tls-ca-roots-native", "systemd"]
|
|
||||||
|
|
||||||
# you must pick one of these or the other, not both: todo: enable picking both and choosing at runtime
|
|
||||||
# don't need either of these if only doing c2s-incoming
|
|
||||||
tls-ca-roots-native = ["rustls-native-certs", "tokio-rustls", "webpki"] # this loads CA certs from your OS
|
|
||||||
tls-ca-roots-bundled = ["webpki-roots", "webpki"] # this bundles CA certs in the binary
|
|
||||||
|
|
||||||
# internal use only, ignore
|
|
||||||
srv = ["tokio-rustls", "webpki", "trust-dns-resolver", "reqwest"]
|
|
||||||
incoming = ["rustls-pemfile"]
|
|
||||||
outgoing = ["srv"]
|
|
||||||
c2s = []
|
|
||||||
s2s = ["srv", "rustls-pemfile"]
|
|
||||||
|
|
||||||
# you must pick one or more of these, you may pick them all
|
|
||||||
c2s-incoming = ["incoming", "c2s",]
|
|
||||||
c2s-outgoing = ["outgoing", "c2s"]
|
|
||||||
|
|
||||||
s2s-incoming = ["incoming", "s2s"]
|
|
||||||
s2s-outgoing = ["outgoing", "s2s"]
|
|
||||||
|
|
||||||
# protocols you want to support todo: split out tls vs starttls ?
|
|
||||||
tls = ["tokio-rustls", "webpki", "rustls"]
|
|
||||||
quic = ["quinn", "rustls"]
|
|
||||||
websocket = ["tokio-tungstenite", "futures-util", "tls"] # websocket+incoming also enables incoming TLS support as it's free
|
|
||||||
webtransport = ["webtransport-quinn", "quic"] # webtransport requires quic
|
|
||||||
|
|
||||||
logging = ["rand", "env_logger"]
|
|
||||||
systemd = ["nix"]
|
|
||||||
|
|
||||||
# enables unit tests that need network and therefore may be flaky
|
|
||||||
net-test = []
|
|
||||||
|
|
||||||
[dev-dependencies]
|
|
||||||
serde_json = "1.0"
|
|
||||||
|
|
||||||
# need this until a release is made with this commit in it
|
|
||||||
[patch.crates-io]
|
|
||||||
webtransport-quinn = { git = "https://github.com/kixelated/webtransport-rs", rev = "ba1a372a7a89e4ba9f9bc027733f82f87aa9a4fd" }
|
|
||||||
|
|
||||||
|
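Review bot: The right-hand column of the first hunk still declares `version = "1.0.0"` in `[package]` although the comparison is against the `v1.0.1` tag, so if that column is the tagged tree (as the page header suggests) the crate metadata and the version string `build.rs` embeds will not match the tag; it should read `version = "1.0.1"`. In the `[dependencies]` table on the same side the keys are not in alphabetical order and `die = "0.2.0"` spells out a patch level while every other requirement uses the two-component caret form, so Cargo convention would be `die = "0.2"` with the keys sorted. Note also that this side takes `tokio-rustls = "0.22"` as a plain caret requirement, which fixes the TLS stack to that minor line; whether that line still receives fixes is worth confirming before cutting a release from it.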
153
README.md
@ -1,35 +1,12 @@
|
|||||||
|
# xmpp-proxy
|
||||||
<h1 align="center">
|
|
||||||
<br>
|
|
||||||
<img src="https://raw.githubusercontent.com/moparisthebest/xmpp-proxy/master/contrib/logo/xmpp_proxy_color.png" alt="logo" width="200">
|
|
||||||
<br>
|
|
||||||
xmpp-proxy
|
|
||||||
<br>
|
|
||||||
<br>
|
|
||||||
</h1>
|
|
||||||
|
|
||||||
[![Build Status](https://ci.moparisthe.best/job/moparisthebest/job/xmpp-proxy/job/master/badge/icon%3Fstyle=plastic)](https://ci.moparisthe.best/job/moparisthebest/job/xmpp-proxy/job/master/)
|
[![Build Status](https://ci.moparisthe.best/job/moparisthebest/job/xmpp-proxy/job/master/badge/icon%3Fstyle=plastic)](https://ci.moparisthe.best/job/moparisthebest/job/xmpp-proxy/job/master/)
|
||||||
|
|
||||||
xmpp-proxy is a reverse proxy and outgoing proxy for XMPP servers and clients, providing [STARTTLS], [Direct TLS], [QUIC],
|
xmpp-proxy is a reverse proxy for XMPP servers, providing STARTTLS and TLS over plain-text XMPP connections
|
||||||
[WebSocket C2S], [WebSocket S2S], and [WebTransport] connectivity to plain-text XMPP servers and clients and limiting stanza sizes without an XML parser.
|
and limiting stanza sizes without an XML parser.
|
||||||
|
|
||||||
xmpp-proxy in reverse proxy (incoming) mode will:
|
xmpp-proxy will listen on any number of interfaces/ports and accept any STARTTLS or [Direct TLS](https://xmpp.org/extensions/xep-0368.html)
|
||||||
1. listen on any number of interfaces/ports
|
c2s or s2s connections, terminate TLS, and connect them to a real XMPP server, limiting stanza sizes as configured.
|
||||||
2. accept any STARTTLS, Direct TLS, QUIC, WebSocket, or WebTransport c2s or s2s connections from the internet
|
|
||||||
3. terminate TLS
|
|
||||||
4. for s2s require a client cert and validate it correctly (using CAs, host-meta, host-meta2, and POSH) for SASL EXTERNAL auth
|
|
||||||
5. connect them to a local real XMPP server over plain-text TCP
|
|
||||||
6. send the [PROXY protocol] v1 header if configured, so the XMPP server knows the real client IP
|
|
||||||
7. limit incoming stanza sizes as configured
|
|
||||||
|
|
||||||
xmpp-proxy in outgoing mode will:
|
|
||||||
1. listen on any number of interfaces/ports
|
|
||||||
2. accept any plain-text TCP or WebSocket connection from a local XMPP server or client
|
|
||||||
3. look up the required SRV, [host-meta], [host-meta2], and [POSH] records
|
|
||||||
4. connect to a real XMPP server across the internet over STARTTLS, Direct TLS, QUIC, WebSocket, or WebTransport
|
|
||||||
5. fallback to next SRV target or defaults as required to fully connect
|
|
||||||
6. perform all the proper required certificate validation logic
|
|
||||||
7. limit incoming stanza sizes as configured
|
|
||||||
|
|
||||||
#### Installation
|
#### Installation
|
||||||
* `cargo install xmpp-proxy`
|
* `cargo install xmpp-proxy`
|
||||||
@ -40,74 +17,25 @@ xmpp-proxy in outgoing mode will:
|
|||||||
#### Configuration
|
#### Configuration
|
||||||
* `mkdir /etc/xmpp-proxy/ && cp xmpp-proxy.toml /etc/xmpp-proxy/`
|
* `mkdir /etc/xmpp-proxy/ && cp xmpp-proxy.toml /etc/xmpp-proxy/`
|
||||||
* edit `/etc/xmpp-proxy/xmpp-proxy.toml` as needed, file is annotated clearly with comments
|
* edit `/etc/xmpp-proxy/xmpp-proxy.toml` as needed, file is annotated clearly with comments
|
||||||
* put your TLS key/cert in `/etc/xmpp-proxy/`
|
* put your TLS key/cert in `/etc/xmpp-proxy/`, if your key has "RSA PRIVATE KEY" in it, change that to "PRIVATE KEY":
|
||||||
|
`sed -i 's/RSA PRIVATE KEY/PRIVATE KEY/' /etc/xmpp-proxy/le.key`
|
||||||
* Example systemd unit is provided in xmpp-proxy.service and locks it down with bare minimum permissions. Need to
|
* Example systemd unit is provided in xmpp-proxy.service and locks it down with bare minimum permissions. Need to
|
||||||
set the permissions correctly: `chown -Rv 'systemd-network:' /etc/xmpp-proxy/`
|
set the permissions correctly: `chown -Rv 'systemd-network:' /etc/xmpp-proxy/`
|
||||||
* start xmpp-proxy: `Usage: xmpp-proxy [/path/to/xmpp-proxy.toml (default /etc/xmpp-proxy/xmpp-proxy.toml]`
|
* start xmpp-proxy: `Usage: xmpp-proxy [/path/to/xmpp-proxy.toml (default /etc/xmpp-proxy/xmpp-proxy.toml]`
|
||||||
|
|
||||||
#### How do I adapt my running Prosody config to use this instead?
|
#### How do I adapt my running Prosody config to use this instead?
|
||||||
|
|
||||||
You have 2 options here, use xmpp-proxy as only a reverse proxy, or as both reverse and outgoing proxy, I'll cover both:
|
Add these to modules_enabled:
|
||||||
|
|
||||||
###### Reverse proxy and outgoing proxy
|
|
||||||
|
|
||||||
In this mode both prosody doesn't need to do any TLS at all, so it needs no certs. xmpp-proxy need proper TLS
|
|
||||||
certificates, move prosody's TLS key to `/etc/xmpp-proxy/le.key` and TLS cert to `/etc/xmpp-proxy/fullchain.cer`, and
|
|
||||||
use the provided `xmpp-proxy.toml` configuration as-is.
|
|
||||||
|
|
||||||
Edit `/etc/prosody/prosody.cfg.lua`, Add these to modules_enabled:
|
|
||||||
```
|
```
|
||||||
"net_proxy";
|
|
||||||
"s2s_outgoing_proxy";
|
|
||||||
```
|
|
||||||
Until prosody-modules is updated, use my new module [mod_s2s_outgoing_proxy.lua](https://www.moparisthebest.com/mod_s2s_outgoing_proxy.lua).
|
|
||||||
|
|
||||||
Add this config:
|
|
||||||
```
|
|
||||||
-- only need to listen on localhost
|
|
||||||
interfaces = { "127.0.0.1" }
|
|
||||||
|
|
||||||
-- we don't need prosody doing any encryption, xmpp-proxy does this now
|
|
||||||
-- these are likely set to true somewhere in your file, find them, make them false
|
|
||||||
-- you can also remove all certificates from your config
|
|
||||||
s2s_require_encryption = false
|
|
||||||
s2s_secure_auth = false
|
|
||||||
c2s_require_encryption = false
|
|
||||||
allow_unencrypted_plain_auth = true
|
|
||||||
|
|
||||||
-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
|
|
||||||
s2s_outgoing_proxy = { "127.0.0.1", 15270 }
|
|
||||||
|
|
||||||
-- handle PROXY protocol on these ports
|
|
||||||
proxy_port_mappings = {
|
|
||||||
[15222] = "c2s",
|
|
||||||
[15269] = "s2s"
|
|
||||||
}
|
|
||||||
|
|
||||||
-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
|
|
||||||
-- you might need to comment these out further down in your config file if you set them
|
|
||||||
c2s_ports = {}
|
|
||||||
legacy_ssl_ports = {}
|
|
||||||
-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
|
|
||||||
s2s_ports = {15268}
|
|
||||||
```
|
|
||||||
|
|
||||||
###### Reverse proxy only, prosody makes outgoing connections directly itself
|
|
||||||
|
|
||||||
In this mode both prosody and xmpp-proxy need proper TLS certificates, copy prosody's TLS key to `/etc/xmpp-proxy/le.key`
|
|
||||||
and TLS cert to `/etc/xmpp-proxy/fullchain.cer`, and use the provided `xmpp-proxy.toml` configuration as-is.
|
|
||||||
|
|
||||||
Edit `/etc/prosody/prosody.cfg.lua`, Add these to modules_enabled:
|
|
||||||
```
|
|
||||||
"net_proxy";
|
|
||||||
"secure_interfaces";
|
"secure_interfaces";
|
||||||
|
"net_proxy";
|
||||||
```
|
```
|
||||||
Until prosody-modules is updated, use my patched version of [mod_secure_interfaces.lua](https://www.moparisthebest.com/mod_secure_interfaces.lua)
|
Until prosody-modules is updated, use my patched version of [mod_secure_interfaces.lua](https://www.moparisthebest.com/mod_secure_interfaces.lua)
|
||||||
which also works for s2s.
|
which also works for s2s.
|
||||||
|
|
||||||
Add this config:
|
Add this config:
|
||||||
```
|
```
|
||||||
-- trust connections coming to these IPs
|
-- trust connections coming from these IPs
|
||||||
secure_interfaces = { "127.0.0.1", "::1" }
|
secure_interfaces = { "127.0.0.1", "::1" }
|
||||||
|
|
||||||
-- handle PROXY protocol on these ports
|
-- handle PROXY protocol on these ports
|
||||||
@ -121,66 +49,11 @@ proxy_port_mappings = {
|
|||||||
c2s_ports = {}
|
c2s_ports = {}
|
||||||
legacy_ssl_ports = {}
|
legacy_ssl_ports = {}
|
||||||
-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
|
-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
|
||||||
s2s_ports = {15268}
|
s2s_ports = {15269}
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Customize the build
|
Copy prosody's TLS key to `/etc/xmpp-proxy/le.key` and TLS cert to `/etc/xmpp-proxy/fullchain.cer`, and use the provided
|
||||||
|
`xmpp-proxy.toml` configuration as-is.
|
||||||
If you are a grumpy power user who wants to build xmpp-proxy with exactly the features you want, nothing less, nothing
|
|
||||||
more, this section is for you!
|
|
||||||
|
|
||||||
xmpp-proxy has multiple compile-time features, some of which are required, they are grouped as such:
|
|
||||||
|
|
||||||
choose between 1-4 directions:
|
|
||||||
1. `c2s-incoming` - enables a server to accept incoming c2s connections
|
|
||||||
2. `c2s-outgoing` - enables a client to make outgoing c2s connections
|
|
||||||
3. `s2s-incoming` - enables a server to accept incoming s2s connections
|
|
||||||
4. `s2s-outgoing` - enables a server to make outgoing s2s connections
|
|
||||||
|
|
||||||
choose between 1-4 transport protocols:
|
|
||||||
1. `tls` - enables STARTTLS/TLS support
|
|
||||||
2. `quic` - enables QUIC support
|
|
||||||
3. `websocket` - enables WebSocket support, also enables TLS incoming support if the appropriate directions are enabled
|
|
||||||
4. `webtransport` - enables WebTransport support, also enables QUIC
|
|
||||||
|
|
||||||
choose exactly 1 of these methods to get trusted CA roots, not needed if only `c2s-incoming` is enabled:
|
|
||||||
1. `tls-ca-roots-native` - reads CA roots from operating system
|
|
||||||
2. `tls-ca-roots-bundled` - bundles CA roots into the binary from the `webpki-roots` project
|
|
||||||
|
|
||||||
choose any of these optional features:
|
|
||||||
1. `logging` - enables configurable logging
|
|
||||||
|
|
||||||
So to build only supporting reverse proxy STARTTLS/TLS, no QUIC, run: `cargo build --release --no-default-features --features c2s-incoming,s2s-incoming,tls`
|
|
||||||
To build a reverse proxy only, but supporting all of STARTTLS/TLS/QUIC, run: `cargo build --release --no-default-features --features c2s-incoming,s2s-incoming,tls,quic`
|
|
||||||
|
|
||||||
#### Development
|
|
||||||
|
|
||||||
1. `check-all-features.sh` is used to check compilation with all supported feature permutations
|
|
||||||
2. `integration/test.sh` uses [Rootless podman](https://wiki.archlinux.org/title/Podman#Rootless_Podman) to run many tests
|
|
||||||
through xmpp-proxy on a real network with real dns, web, and xmpp servers, all of these should pass before pushing commits,
|
|
||||||
and write new tests to cover new functionality.
|
|
||||||
3. To submit code changes submit a PR on [github](https://github.com/moparisthebest/xmpp-proxy) or
|
|
||||||
[code.moparisthebest.com](https://code.moparisthebest.com/moparisthebest/xmpp-proxy) or send me a patch via email,
|
|
||||||
XMPP, fediverse, or carrier pigeon.
|
|
||||||
|
|
||||||
#### License
|
#### License
|
||||||
GNU/AGPLv3 - Check LICENSE.md for details
|
GNU/AGPLv3 - Check LICENSE.md for details
|
||||||
|
|
||||||
Thanks [rxml](https://github.com/horazont/rxml) for afl-fuzz seeds
|
|
||||||
|
|
||||||
#### Todo
|
|
||||||
1. seamless Tor integration, connecting to and from .onion domains
|
|
||||||
2. Write WebTransport XEP
|
|
||||||
3. Document systemd activation support
|
|
||||||
4. Document use-as-a-library support
|
|
||||||
|
|
||||||
[STARTTLS]: https://datatracker.ietf.org/doc/html/rfc6120#section-5
|
|
||||||
[Direct TLS]: https://xmpp.org/extensions/xep-0368.html
|
|
||||||
[QUIC]: https://xmpp.org/extensions/xep-0467.html
|
|
||||||
[WebSocket C2S]: https://datatracker.ietf.org/doc/html/rfc7395
|
|
||||||
[WebSocket S2S]: https://xmpp.org/extensions/xep-0468.html
|
|
||||||
[WebTransport]: https://www.w3.org/TR/webtransport/
|
|
||||||
[POSH]: https://datatracker.ietf.org/doc/html/rfc7711
|
|
||||||
[host-meta]: https://xmpp.org/extensions/xep-0156.html
|
|
||||||
[host-meta2]: https://xmpp.org/extensions/inbox/host-meta-2.html
|
|
||||||
[PROXY protocol]: https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
|
||||||
|
86
build.rs
@ -1,86 +0,0 @@
|
|||||||
use std::{env, fs::File, io::Write, path::Path};
|
|
||||||
|
|
||||||
fn main() {
|
|
||||||
println!("cargo:rerun-if-changed=build.rs");
|
|
||||||
|
|
||||||
let out_dir = env::var_os("OUT_DIR").unwrap();
|
|
||||||
let dest_path = Path::new(&out_dir).join("version.rs");
|
|
||||||
|
|
||||||
let mut w = File::create(dest_path).unwrap();
|
|
||||||
|
|
||||||
let allowed_features = [
|
|
||||||
"c2s-incoming",
|
|
||||||
"c2s-outgoing",
|
|
||||||
"s2s-incoming",
|
|
||||||
"s2s-outgoing",
|
|
||||||
"tls",
|
|
||||||
"quic",
|
|
||||||
"websocket",
|
|
||||||
"tls-ca-roots-native",
|
|
||||||
"tls-ca-roots-bundled",
|
|
||||||
"logging",
|
|
||||||
"systemd",
|
|
||||||
];
|
|
||||||
let optional_deps = [
|
|
||||||
"rustls",
|
|
||||||
"tokio-rustls",
|
|
||||||
"rustls-pemfile",
|
|
||||||
"quinn",
|
|
||||||
"tokio-tungstenite",
|
|
||||||
"futures-util",
|
|
||||||
"trust-dns-resolver",
|
|
||||||
"reqwest",
|
|
||||||
"lazy-static",
|
|
||||||
"rustls-native-certs",
|
|
||||||
"webpki-roots",
|
|
||||||
"env-logger",
|
|
||||||
"rand",
|
|
||||||
"nix",
|
|
||||||
];
|
|
||||||
let mut features = Vec::new();
|
|
||||||
let mut optional = Vec::new();
|
|
||||||
for (mut key, value) in env::vars() {
|
|
||||||
//writeln!(&mut w, "{key}: {value}", ).unwrap();
|
|
||||||
if value == "1" && key.starts_with("CARGO_FEATURE_") {
|
|
||||||
let mut key = key.split_off(14).replace('_', "-");
|
|
||||||
key.make_ascii_lowercase();
|
|
||||||
if allowed_features.contains(&key.as_str()) {
|
|
||||||
features.push(key);
|
|
||||||
} else if optional_deps.contains(&key.as_str()) {
|
|
||||||
optional.push(key);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
features.sort_by(|a, b| {
|
|
||||||
allowed_features
|
|
||||||
.iter()
|
|
||||||
.position(|&r| r == a)
|
|
||||||
.unwrap()
|
|
||||||
.partial_cmp(&allowed_features.iter().position(|&r| r == b).unwrap())
|
|
||||||
.unwrap()
|
|
||||||
});
|
|
||||||
optional.sort_by(|a, b| {
|
|
||||||
optional_deps
|
|
||||||
.iter()
|
|
||||||
.position(|&r| r == a)
|
|
||||||
.unwrap()
|
|
||||||
.partial_cmp(&optional_deps.iter().position(|&r| r == b).unwrap())
|
|
||||||
.unwrap()
|
|
||||||
});
|
|
||||||
let features = features.join(",");
|
|
||||||
let optional = optional.join(",");
|
|
||||||
|
|
||||||
let name = env!("CARGO_PKG_NAME");
|
|
||||||
let version = env!("CARGO_PKG_VERSION");
|
|
||||||
|
|
||||||
let target = env::var("TARGET").unwrap();
|
|
||||||
|
|
||||||
writeln!(
|
|
||||||
&mut w,
|
|
||||||
"{{println!(
|
|
||||||
\"{name} {version} ({target})
|
|
||||||
Features: {features}
|
|
||||||
Optional crates: {optional}\");}}"
|
|
||||||
)
|
|
||||||
.unwrap();
|
|
||||||
}
|
|
@ -1,111 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
threads="$1"
|
|
||||||
shift
|
|
||||||
clean_after_num_builds="$1"
|
|
||||||
|
|
||||||
set -euo pipefail
|
|
||||||
|
|
||||||
# if we have access to nproc, divide that by 2, otherwise use 1 thread by default
|
|
||||||
[ "$threads" == "" ] && threads=$(($(nproc || echo 2) / 2))
|
|
||||||
|
|
||||||
# 50 is about 1.5gb, ymmv
|
|
||||||
[ "$clean_after_num_builds" == "" ] && clean_after_num_builds=50
|
|
||||||
|
|
||||||
export clean_after_num_builds
|
|
||||||
|
|
||||||
echo "threads: $threads"
|
|
||||||
echo "clean_after_num_builds: $clean_after_num_builds"
|
|
||||||
|
|
||||||
export RUSTFLAGS=-Awarnings
|
|
||||||
|
|
||||||
show() {
|
|
||||||
local -a results=()
|
|
||||||
let idx=$2
|
|
||||||
for (( j = 0; j < $1; j++ )); do
|
|
||||||
if (( idx % 2 )); then results=("${results[@]}" "${list[$j]}"); fi
|
|
||||||
let idx\>\>=1
|
|
||||||
done
|
|
||||||
echo "${results[@]}"
|
|
||||||
}
|
|
||||||
|
|
||||||
perm_lines() {
|
|
||||||
list=($@)
|
|
||||||
let n=${#list[@]}
|
|
||||||
for (( i = 1; i < 2**n; i++ )); do
|
|
||||||
show $n $i
|
|
||||||
done
|
|
||||||
}
|
|
||||||
|
|
||||||
perms() {
|
|
||||||
perm_lines "$@" | tr ' ' ',' | sort -u
|
|
||||||
}
|
|
||||||
|
|
||||||
perms_optional() {
|
|
||||||
perm_lines "$@" | tr ' ' ',' | sort -u | sed 's/^/,/'
|
|
||||||
}
|
|
||||||
|
|
||||||
all_features() {
|
|
||||||
for optional in "" $(perms_optional logging systemd)
|
|
||||||
do
|
|
||||||
for proto in $(perms tls quic websocket webtransport)
|
|
||||||
do
|
|
||||||
for direction in $(perms c2s-incoming c2s-outgoing s2s-incoming s2s-outgoing)
|
|
||||||
do
|
|
||||||
for ca_roots in tls-ca-roots-native tls-ca-roots-bundled
|
|
||||||
do
|
|
||||||
echo $direction,$proto,$ca_roots$optional
|
|
||||||
done
|
|
||||||
done
|
|
||||||
done
|
|
||||||
done
|
|
||||||
|
|
||||||
for optional in "" $(perms_optional logging systemd)
|
|
||||||
do
|
|
||||||
for proto in $(perms tls quic websocket webtransport)
|
|
||||||
do
|
|
||||||
echo c2s-incoming,$proto$optional
|
|
||||||
done
|
|
||||||
done
|
|
||||||
}
|
|
||||||
|
|
||||||
echo_cargo() {
|
|
||||||
set -euo pipefail
|
|
||||||
#echo cargo run "$@" -- -v
|
|
||||||
#cargo run "$@" -- -v
|
|
||||||
echo cargo check "$@"
|
|
||||||
flock -s /tmp/xmpp-proxy-check-all-features.lock cargo check "$@"
|
|
||||||
ret=$?
|
|
||||||
if [ $ret -ne 0 ]
|
|
||||||
then
|
|
||||||
echo "command failed: cargo check $@"
|
|
||||||
fi
|
|
||||||
(
|
|
||||||
flock -x 200
|
|
||||||
# now we are under an exclusive lock
|
|
||||||
count=$(cat /tmp/xmpp-proxy-check-all-features.count)
|
|
||||||
count=$(( count + 1 ))
|
|
||||||
if [ $count -ge $clean_after_num_builds ]
|
|
||||||
then
|
|
||||||
echo cargo clean
|
|
||||||
cargo clean
|
|
||||||
count=0
|
|
||||||
fi
|
|
||||||
echo $count > /tmp/xmpp-proxy-check-all-features.count
|
|
||||||
|
|
||||||
) 200>/tmp/xmpp-proxy-check-all-features.lock
|
|
||||||
return $ret
|
|
||||||
}
|
|
||||||
|
|
||||||
#all_features | sort -u | wc -l; exit 0
|
|
||||||
|
|
||||||
export -f echo_cargo
|
|
||||||
|
|
||||||
echo 0 > /tmp/xmpp-proxy-check-all-features.count
|
|
||||||
|
|
||||||
echo_cargo
|
|
||||||
|
|
||||||
all_features | sort | xargs -n1 --max-procs=$threads bash -c 'echo_cargo --no-default-features --features "$@" || exit 255' _
|
|
||||||
|
|
||||||
echo good!
|
|
||||||
|
|
||||||
|
|
@ -1,29 +0,0 @@
|
|||||||
<?xml version='1.0' encoding='UTF-8'?>
|
|
||||||
<XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'
|
|
||||||
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>
|
|
||||||
|
|
||||||
<Expires>2010-01-30T09:30:00Z</Expires>
|
|
||||||
<Subject>http://blog.example.com/article/id/314</Subject>
|
|
||||||
|
|
||||||
<Alias>http://blog.example.com/cool_new_thing</Alias>
|
|
||||||
<Alias>http://blog.example.com/steve/article/7</Alias>
|
|
||||||
|
|
||||||
<Property type='http://blgx.example.net/ns/version'>1.2</Property>
|
|
||||||
<Property type='http://blgx.example.net/ns/version'>1.3</Property>
|
|
||||||
<Property type='http://blgx.example.net/ns/ext' xsi:nil='true'/>
|
|
||||||
|
|
||||||
<Link rel='author' type='text/html'
|
|
||||||
href='http://blog.example.com/author/steve'>
|
|
||||||
<Title>About the Author</Title>
|
|
||||||
<Title xml:lang='en-us'>Author Information</Title>
|
|
||||||
<Property type='http://example.com/role'>editor</Property>
|
|
||||||
</Link>
|
|
||||||
|
|
||||||
<Link rel='author' href='http://example.com/author/john'>
|
|
||||||
<Title>The other guy</Title>
|
|
||||||
<Title>The other author</Title>
|
|
||||||
</Link>
|
|
||||||
|
|
||||||
<Link rel='copyright'
|
|
||||||
template='http://example.com/copyright?id={uri}'/>
|
|
||||||
</XRD>
|
|
@ -1,37 +0,0 @@
|
|||||||
{
|
|
||||||
"subject": "http://blog.example.com/article/id/314",
|
|
||||||
"expires": "2010-01-30T09:30:00Z",
|
|
||||||
"aliases": [
|
|
||||||
"http://blog.example.com/cool_new_thing",
|
|
||||||
"http://blog.example.com/steve/article/7"
|
|
||||||
],
|
|
||||||
"properties": {
|
|
||||||
"http://blgx.example.net/ns/version": "1.3",
|
|
||||||
"http://blgx.example.net/ns/ext": null
|
|
||||||
},
|
|
||||||
"links": [
|
|
||||||
{
|
|
||||||
"rel": "author",
|
|
||||||
"type": "text/html",
|
|
||||||
"href": "http://blog.example.com/author/steve",
|
|
||||||
"titles": {
|
|
||||||
"default": "About the Author",
|
|
||||||
"en-us": "Author Information"
|
|
||||||
},
|
|
||||||
"properties": {
|
|
||||||
"http://example.com/role": "editor"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"rel": "author",
|
|
||||||
"href": "http://example.com/author/john",
|
|
||||||
"titles": {
|
|
||||||
"default": "The other author"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"rel": "copyright",
|
|
||||||
"template": "http://example.com/copyright?id={uri}"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
@ -1,29 +0,0 @@
|
|||||||
<?xml version='1.0' encoding='UTF-8'?>
|
|
||||||
<XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'
|
|
||||||
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>
|
|
||||||
|
|
||||||
<Subject>http://blog.example.com/article/id/314</Subject>
|
|
||||||
<Expires>2010-01-30T09:30:00Z</Expires>
|
|
||||||
|
|
||||||
<Alias>http://blog.example.com/cool_new_thing</Alias>
|
|
||||||
<Alias>http://blog.example.com/steve/article/7</Alias>
|
|
||||||
|
|
||||||
<Property type='http://blgx.example.net/ns/version'>1.2</Property>
|
|
||||||
<Property type='http://blgx.example.net/ns/version'>1.3</Property>
|
|
||||||
<Property type='http://blgx.example.net/ns/ext' xsi:nil='true'/>
|
|
||||||
|
|
||||||
<Link rel='author' type='text/html'
|
|
||||||
href='http://blog.example.com/author/steve'>
|
|
||||||
<Title>About the Author</Title>
|
|
||||||
<Title xml:lang='en-us'>Author Information</Title>
|
|
||||||
<Property type='http://example.com/role'>editor</Property>
|
|
||||||
</Link>
|
|
||||||
|
|
||||||
<Link rel='author' href='http://example.com/author/john'>
|
|
||||||
<Title>The other guy</Title>
|
|
||||||
<Title>The other author</Title>
|
|
||||||
</Link>
|
|
||||||
|
|
||||||
<Link rel='copyright'
|
|
||||||
template='http://example.com/copyright?id={uri}'/>
|
|
||||||
</XRD>
|
|
@ -1,45 +0,0 @@
|
|||||||
{
|
|
||||||
"subject": "http://blog.example.com/article/id/314",
|
|
||||||
"expires": "2010-01-30T09:30:00Z",
|
|
||||||
"aliases": [
|
|
||||||
"http://blog.example.com/cool_new_thing",
|
|
||||||
"http://blog.example.com/steve/article/7"
|
|
||||||
],
|
|
||||||
"properties": {
|
|
||||||
"http://blgx.example.net/ns/version": "1.3",
|
|
||||||
"http://blgx.example.net/ns/ext": null
|
|
||||||
},
|
|
||||||
"links": [
|
|
||||||
{
|
|
||||||
"rel": "author",
|
|
||||||
"type": "text/html",
|
|
||||||
"href": "http://blog.example.com/author/steve",
|
|
||||||
"titles": {
|
|
||||||
"default": "About the Author",
|
|
||||||
"en-us": "Author Information"
|
|
||||||
},
|
|
||||||
"properties": {
|
|
||||||
"http://example.com/role": "editor"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"rel": "author",
|
|
||||||
"href": "http://example.com/author/john",
|
|
||||||
"titles": {
|
|
||||||
"default": "The other author"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"rel": "urn:xmpp:alt-connections:xbosh",
|
|
||||||
"href": "https://example.org/http-bind"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"rel": "urn:xmpp:alt-connections:websocket",
|
|
||||||
"href": "wss://example.org/xmpp-websocket"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"rel": "copyright",
|
|
||||||
"template": "http://example.com/copyright?id={uri}"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
@ -1,33 +0,0 @@
|
|||||||
<?xml version='1.0' encoding='UTF-8'?>
|
|
||||||
<XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'
|
|
||||||
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>
|
|
||||||
|
|
||||||
<Expires>2010-01-30T09:30:00Z</Expires>
|
|
||||||
<Subject>http://blog.example.com/article/id/314</Subject>
|
|
||||||
|
|
||||||
<Alias>http://blog.example.com/cool_new_thing</Alias>
|
|
||||||
<Alias>http://blog.example.com/steve/article/7</Alias>
|
|
||||||
|
|
||||||
<Property type='http://blgx.example.net/ns/version'>1.2</Property>
|
|
||||||
<Property type='http://blgx.example.net/ns/version'>1.3</Property>
|
|
||||||
<Property type='http://blgx.example.net/ns/ext' xsi:nil='true'/>
|
|
||||||
|
|
||||||
<Link rel='author' type='text/html'
|
|
||||||
href='http://blog.example.com/author/steve'>
|
|
||||||
<Title>About the Author</Title>
|
|
||||||
<Title xml:lang='en-us'>Author Information</Title>
|
|
||||||
<Property type='http://example.com/role'>editor</Property>
|
|
||||||
</Link>
|
|
||||||
|
|
||||||
<Link rel='author' href='http://example.com/author/john'>
|
|
||||||
<Title>The other guy</Title>
|
|
||||||
<Title>The other author</Title>
|
|
||||||
</Link>
|
|
||||||
|
|
||||||
<Link rel='urn:xmpp:alt-connections:xbosh' href='https://example.org/http-bind'/>
|
|
||||||
|
|
||||||
<Link rel='urn:xmpp:alt-connections:websocket' href='wss://example.org/xmpp-websocket'/>
|
|
||||||
|
|
||||||
<Link rel='copyright'
|
|
||||||
template='http://example.com/copyright?id={uri}'/>
|
|
||||||
</XRD>
|
|
@ -1 +0,0 @@
|
|||||||
{"links":[{"rel":"urn:xmpp:alt-connections:xbosh","href":"https://example.org/http-bind"},{"rel":"urn:xmpp:alt-connections:websocket","href":"wss://example.org/xmpp-websocket"}]}
|
|
@ -1,87 +0,0 @@
|
|||||||
{
|
|
||||||
"xmpp": {
|
|
||||||
"ttl": 3000,
|
|
||||||
"public-key-pins-sha-256": [
|
|
||||||
"4/mggdlVx8A3pvHAWW5sD+qJyMtUHgiRuPjVC48N0XQ="
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"links": [
|
|
||||||
{
|
|
||||||
"rel": "urn:xmpp:alt-connections:websocket",
|
|
||||||
"href": "wss://other.example.org/xmpp-websocket",
|
|
||||||
"ips": [
|
|
||||||
"1.2.3.4",
|
|
||||||
"fd00:feed:dad:beef::1"
|
|
||||||
],
|
|
||||||
"priority": 15,
|
|
||||||
"weight": 50,
|
|
||||||
"sni": "example.org",
|
|
||||||
"alpn": [
|
|
||||||
"h2",
|
|
||||||
"http/1.1",
|
|
||||||
"h3"
|
|
||||||
],
|
|
||||||
"ech": "eG1wcC1jbGllbnQ="
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"rel": "urn:xmpp:alt-connections:tls",
|
|
||||||
"port": 443,
|
|
||||||
"ips": [
|
|
||||||
"1.2.3.4",
|
|
||||||
"fd00:feed:dad:beef::1"
|
|
||||||
],
|
|
||||||
"priority": 10,
|
|
||||||
"weight": 50,
|
|
||||||
"sni": "example.org",
|
|
||||||
"ech": "eG1wcC1jbGllbnQ="
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"rel": "urn:xmpp:alt-connections:quic",
|
|
||||||
"port": 443,
|
|
||||||
"ips": [
|
|
||||||
"1.2.3.4",
|
|
||||||
"fd00:feed:dad:beef::1"
|
|
||||||
],
|
|
||||||
"priority": 5,
|
|
||||||
"weight": 50,
|
|
||||||
"sni": "example.org",
|
|
||||||
"ech": "eG1wcC1jbGllbnQ="
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"rel": "urn:xmpp:alt-connections:s2s-websocket",
|
|
||||||
"href": "wss://other.example.org/s2s-xmpp-websocket",
|
|
||||||
"ips": [
|
|
||||||
"1.2.3.4",
|
|
||||||
"fd00:feed:dad:beef::1"
|
|
||||||
],
|
|
||||||
"priority": 15,
|
|
||||||
"weight": 50,
|
|
||||||
"sni": "example.org",
|
|
||||||
"ech": "eG1wcC1jbGllbnQ="
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"rel": "urn:xmpp:alt-connections:s2s-tls",
|
|
||||||
"port": 443,
|
|
||||||
"ips": [
|
|
||||||
"1.2.3.4",
|
|
||||||
"fd00:feed:dad:beef::1"
|
|
||||||
],
|
|
||||||
"priority": 10,
|
|
||||||
"weight": 50,
|
|
||||||
"sni": "example.org",
|
|
||||||
"ech": "eG1wcC1jbGllbnQ="
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"rel": "urn:xmpp:alt-connections:s2s-quic",
|
|
||||||
"port": 443,
|
|
||||||
"ips": [
|
|
||||||
"1.2.3.4",
|
|
||||||
"fd00:feed:dad:beef::1"
|
|
||||||
],
|
|
||||||
"priority": 5,
|
|
||||||
"weight": 50,
|
|
||||||
"sni": "example.org",
|
|
||||||
"ech": "eG1wcC1jbGllbnQ="
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
@ -1,133 +0,0 @@
|
|||||||
{
|
|
||||||
"subject": "http://blog.example.com/article/id/314",
|
|
||||||
"expires": "2010-01-30T09:30:00Z",
|
|
||||||
"aliases": [
|
|
||||||
"http://blog.example.com/cool_new_thing",
|
|
||||||
"http://blog.example.com/steve/article/7"
|
|
||||||
],
|
|
||||||
"properties": {
|
|
||||||
"http://blgx.example.net/ns/version": "1.3",
|
|
||||||
"http://blgx.example.net/ns/ext": null
|
|
||||||
},
|
|
||||||
"xmpp": {
|
|
||||||
"ttl": 3000,
|
|
||||||
"public-key-pins-sha-256": [
|
|
||||||
"4/mggdlVx8A3pvHAWW5sD+qJyMtUHgiRuPjVC48N0XQ="
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"links": [
|
|
||||||
{
|
|
||||||
"rel": "author",
|
|
||||||
"type": "text/html",
|
|
||||||
"href": "http://blog.example.com/author/steve",
|
|
||||||
"titles": {
|
|
||||||
"default": "About the Author",
|
|
||||||
"en-us": "Author Information"
|
|
||||||
},
|
|
||||||
"properties": {
|
|
||||||
"http://example.com/role": "editor"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"rel": "author",
|
|
||||||
"href": "http://example.com/author/john",
|
|
||||||
"titles": {
|
|
||||||
"default": "The other author"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"rel": "urn:xmpp:alt-connections:xbosh",
|
|
||||||
"href": "https://example.org/http-bind"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"rel": "urn:xmpp:alt-connections:websocket",
|
|
||||||
"href": "wss://example.org/xmpp-websocket"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"rel": "urn:xmpp:alt-connections:websocket",
|
|
||||||
"href": "wss://other.example.org/xmpp-websocket",
|
|
||||||
"ips": [
|
|
||||||
"1.2.3.4",
|
|
||||||
"fd00:feed:dad:beef::1"
|
|
||||||
],
|
|
||||||
"priority": 15,
|
|
||||||
"weight": 50,
|
|
||||||
"sni": "example.org",
|
|
||||||
"alpn": [
|
|
||||||
"h2",
|
|
||||||
"http/1.1",
|
|
||||||
"h3"
|
|
||||||
],
|
|
||||||
"ech": "eG1wcC1jbGllbnQ="
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"rel": "urn:xmpp:alt-connections:tls",
|
|
||||||
"port": 443,
|
|
||||||
"ips": [
|
|
||||||
"1.2.3.4",
|
|
||||||
"fd00:feed:dad:beef::1"
|
|
||||||
],
|
|
||||||
"priority": 10,
|
|
||||||
"weight": 50,
|
|
||||||
"sni": "example.org",
|
|
||||||
"ech": "eG1wcC1jbGllbnQ="
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"rel": "urn:xmpp:alt-connections:quic",
|
|
||||||
"port": 443,
|
|
||||||
"ips": [
|
|
||||||
"1.2.3.4",
|
|
||||||
"fd00:feed:dad:beef::1"
|
|
||||||
],
|
|
||||||
"priority": 5,
|
|
||||||
"weight": 50,
|
|
||||||
"sni": "example.org",
|
|
||||||
"ech": "eG1wcC1jbGllbnQ="
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"rel": "urn:xmpp:alt-connections:s2s-websocket",
|
|
||||||
"href": "wss://other.example.org/s2s-xmpp-websocket",
|
|
||||||
"ips": [
|
|
||||||
"1.2.3.4",
|
|
||||||
"fd00:feed:dad:beef::1"
|
|
||||||
],
|
|
||||||
"priority": 15,
|
|
||||||
"weight": 50,
|
|
||||||
"sni": "example.org",
|
|
||||||
"alpn": [
|
|
||||||
"h2",
|
|
||||||
"http/1.1",
|
|
||||||
"h3"
|
|
||||||
],
|
|
||||||
"ech": "eG1wcC1jbGllbnQ="
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"rel": "urn:xmpp:alt-connections:s2s-tls",
|
|
||||||
"port": 443,
|
|
||||||
"ips": [
|
|
||||||
"1.2.3.4",
|
|
||||||
"fd00:feed:dad:beef::1"
|
|
||||||
],
|
|
||||||
"priority": 10,
|
|
||||||
"weight": 50,
|
|
||||||
"sni": "example.org",
|
|
||||||
"ech": "eG1wcC1jbGllbnQ="
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"rel": "urn:xmpp:alt-connections:s2s-quic",
|
|
||||||
"port": 443,
|
|
||||||
"ips": [
|
|
||||||
"1.2.3.4",
|
|
||||||
"fd00:feed:dad:beef::1"
|
|
||||||
],
|
|
||||||
"priority": 5,
|
|
||||||
"weight": 50,
|
|
||||||
"sni": "example.org",
|
|
||||||
"ech": "eG1wcC1jbGllbnQ="
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"rel": "copyright",
|
|
||||||
"template": "http://example.com/copyright?id={uri}"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
@ -1,2 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
exec xmllint --noout --schema xrd-1.0-os.xsd "$1"
|
|
@ -1,105 +0,0 @@
|
|||||||
<?xml version="1.0" encoding="UTF-8"?>
|
|
||||||
<schema
|
|
||||||
targetNamespace="http://docs.oasis-open.org/ns/xri/xrd-1.0"
|
|
||||||
xmlns="http://www.w3.org/2001/XMLSchema"
|
|
||||||
xmlns:xrd="http://docs.oasis-open.org/ns/xri/xrd-1.0"
|
|
||||||
elementFormDefault="unqualified"
|
|
||||||
attributeFormDefault="unqualified"
|
|
||||||
blockDefault="substitution"
|
|
||||||
version="1.0">
|
|
||||||
|
|
||||||
<import namespace="http://www.w3.org/XML/1998/namespace"
|
|
||||||
schemaLocation="http://www.w3.org/2001/xml.xsd"/>
|
|
||||||
|
|
||||||
<annotation>
|
|
||||||
<documentation>
|
|
||||||
Document identifier: xrd-schema-1.0
|
|
||||||
Location: http://docs.oasis-open.org/xri/xrd/v1.0/
|
|
||||||
</documentation>
|
|
||||||
</annotation>
|
|
||||||
|
|
||||||
<complexType name="anyURI">
|
|
||||||
<simpleContent>
|
|
||||||
<extension base="anyURI">
|
|
||||||
<anyAttribute namespace="##other" processContents="lax"/>
|
|
||||||
</extension>
|
|
||||||
</simpleContent>
|
|
||||||
</complexType>
|
|
||||||
|
|
||||||
<complexType name="string">
|
|
||||||
<simpleContent>
|
|
||||||
<extension base="string">
|
|
||||||
<anyAttribute namespace="##other" processContents="lax"/>
|
|
||||||
</extension>
|
|
||||||
</simpleContent>
|
|
||||||
</complexType>
|
|
||||||
|
|
||||||
<element name="XRDS" type="xrd:XRDSType"/>
|
|
||||||
<complexType name="XRDSType">
|
|
||||||
<sequence>
|
|
||||||
<element ref="xrd:XRD" minOccurs="0" maxOccurs="unbounded"/>
|
|
||||||
</sequence>
|
|
||||||
<attribute name="ref" type="anyURI" use="optional"/>
|
|
||||||
</complexType>
|
|
||||||
|
|
||||||
<element name="XRD" type="xrd:XRDType"/>
|
|
||||||
<complexType name="XRDType">
|
|
||||||
<sequence>
|
|
||||||
<element ref="xrd:Expires" minOccurs="0"/>
|
|
||||||
<element ref="xrd:Subject" minOccurs="0"/>
|
|
||||||
<choice minOccurs="0" maxOccurs="unbounded">
|
|
||||||
<element ref="xrd:Alias"/>
|
|
||||||
<element ref="xrd:Property"/>
|
|
||||||
<element ref="xrd:Link"/>
|
|
||||||
<any namespace="##other" processContents="lax"/>
|
|
||||||
</choice>
|
|
||||||
</sequence>
|
|
||||||
<attribute ref="xml:id" use="optional"/>
|
|
||||||
<anyAttribute namespace="##other" processContents="lax"/>
|
|
||||||
</complexType>
|
|
||||||
|
|
||||||
<element name="Expires" type="xrd:ExpiresType"/>
|
|
||||||
<complexType name="ExpiresType">
|
|
||||||
<simpleContent>
|
|
||||||
<extension base="dateTime">
|
|
||||||
<anyAttribute namespace="##other" processContents="lax"/>
|
|
||||||
</extension>
|
|
||||||
</simpleContent>
|
|
||||||
</complexType>
|
|
||||||
|
|
||||||
<element name="Subject" type="xrd:anyURI"/>
|
|
||||||
<element name="Alias" type="xrd:anyURI"/>
|
|
||||||
|
|
||||||
<element name="Property" type="xrd:PropertyType" nillable="true"/>
|
|
||||||
<complexType name="PropertyType">
|
|
||||||
<simpleContent>
|
|
||||||
<extension base="xrd:string">
|
|
||||||
<attribute name="type" type="anyURI" use="required"/>
|
|
||||||
</extension>
|
|
||||||
</simpleContent>
|
|
||||||
</complexType>
|
|
||||||
|
|
||||||
<element name="Link" type="xrd:LinkType"/>
|
|
||||||
<complexType name="LinkType">
|
|
||||||
<choice minOccurs="0" maxOccurs="unbounded">
|
|
||||||
<element ref="xrd:Title"/>
|
|
||||||
<element ref="xrd:Property"/>
|
|
||||||
<any namespace="##other" processContents="lax"/>
|
|
||||||
</choice>
|
|
||||||
<attribute name="rel" type="anyURI" use="optional"/>
|
|
||||||
<attribute name="type" type="string" use="optional"/>
|
|
||||||
<attribute name="href" type="anyURI" use="optional"/>
|
|
||||||
<attribute name="template" type="string" use="optional"/>
|
|
||||||
<anyAttribute namespace="##other" processContents="lax"/>
|
|
||||||
</complexType>
|
|
||||||
|
|
||||||
<element name="Title" type="xrd:TitleType"/>
|
|
||||||
<complexType name="TitleType">
|
|
||||||
<simpleContent>
|
|
||||||
<extension base="xrd:string">
|
|
||||||
<attribute ref="xml:lang" use="optional"/>
|
|
||||||
</extension>
|
|
||||||
</simpleContent>
|
|
||||||
</complexType>
|
|
||||||
|
|
||||||
</schema>
|
|
@ -1,24 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
|
|
||||||
# these are just examples for how to grab and hash certificates for POSH
|
|
||||||
# adapted from https://curl.se/libcurl/c/CURLOPT_PINNEDPUBLICKEY.html
|
|
||||||
|
|
||||||
# this is for any direct TLS port like xmpps or https
|
|
||||||
openssl s_client -servername posh.badxmpp.eu -connect posh.badxmpp.eu:443 < /dev/null | sed -n "/-----BEGIN/,/-----END/p" > posh.badxmpp.eu.pem
|
|
||||||
openssl asn1parse -noout -inform pem -in posh.badxmpp.eu.pem -out posh.badxmpp.eu.der
|
|
||||||
openssl dgst -sha256 -binary posh.badxmpp.eu.der | openssl base64 | tr -d '\n' > posh.badxmpp.eu.der.sha256
|
|
||||||
openssl dgst -sha512 -binary posh.badxmpp.eu.der | openssl base64 | tr -d '\n' > posh.badxmpp.eu.der.sha512
|
|
||||||
|
|
||||||
openssl base64 < posh.badxmpp.eu.der | tr -d '\n' > posh.badxmpp.eu.der.base64
|
|
||||||
|
|
||||||
# this is for any starttls xmpp port
|
|
||||||
openssl s_client -starttls xmpp -name posh.badxmpp.eu -servername posh.badxmpp.eu -connect snikket2.prosody.im:5222 < /dev/null | sed -n "/-----BEGIN/,/-----END/p" > posh.badxmpp.eu.5222.pem
|
|
||||||
openssl asn1parse -noout -inform pem -in posh.badxmpp.eu.5222.pem -out posh.badxmpp.eu.5222.der
|
|
||||||
openssl dgst -sha256 -binary posh.badxmpp.eu.5222.der | openssl base64 | tr -d '\n' > posh.badxmpp.eu.5222.der.sha256
|
|
||||||
openssl dgst -sha512 -binary posh.badxmpp.eu.5222.der | openssl base64 | tr -d '\n' > posh.badxmpp.eu.5222.der.sha512
|
|
||||||
|
|
||||||
openssl base64 < posh.badxmpp.eu.5222.der | tr -d '\n' > posh.badxmpp.eu.5222.der.base64
|
|
||||||
|
|
||||||
wget https://posh.badxmpp.eu/.well-known/posh/xmpp-server.json https://posh.badxmpp.eu/.well-known/posh/xmpp-client.json
|
|
||||||
|
|
||||||
grep . *.sha*
|
|
@ -1,467 +0,0 @@
|
|||||||
-- mod_net_proxy.lua
|
|
||||||
-- Copyright (C) 2018 Pascal Mathis <mail@pascalmathis.com>
|
|
||||||
--
|
|
||||||
-- Implementation of PROXY protocol versions 1 and 2
|
|
||||||
-- Specifications: https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
|
||||||
|
|
||||||
module:set_global();
|
|
||||||
|
|
||||||
-- Imports
|
|
||||||
local softreq = require "util.dependencies".softreq;
|
|
||||||
local bit = assert(softreq "bit" or softreq "bit32" or softreq "util.bitcompat", "No bit module found. See https://prosody.im/doc/depends#bitop");
|
|
||||||
local hex = require "util.hex";
|
|
||||||
local ip = require "util.ip";
|
|
||||||
local net = require "util.net";
|
|
||||||
local set = require "util.set";
|
|
||||||
local portmanager = require "core.portmanager";
|
|
||||||
|
|
||||||
-- Backwards Compatibility
|
|
||||||
local function net_ntop_bc(input)
|
|
||||||
if input:len() == 4 then
|
|
||||||
return string.format("%d.%d.%d.%d", input:byte(1, 4));
|
|
||||||
elseif input:len() == 16 then
|
|
||||||
local octets = { nil, nil, nil, nil, nil, nil, nil, nil };
|
|
||||||
|
|
||||||
-- Convert received bytes into IPv6 address and skip leading zeroes for each group
|
|
||||||
for index = 1, 8 do
|
|
||||||
local high, low = input:byte(index * 2 - 1, index * 2);
|
|
||||||
octets[index] = string.format("%x", high * 256 + low);
|
|
||||||
end
|
|
||||||
local address = table.concat(octets, ":", 1, 8);
|
|
||||||
|
|
||||||
-- Search for the longest sequence of zeroes
|
|
||||||
local token;
|
|
||||||
local length = (address:match("^0:[0:]+()") or 1) - 1;
|
|
||||||
for s in address:gmatch(":0:[0:]+") do
|
|
||||||
if length < #s then
|
|
||||||
length, token = #s, s;
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Return the shortened IPv6 address
|
|
||||||
return address:gsub(token or "^0:[0:]+", "::", 1);
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
local net_ntop = net.ntop or net_ntop_bc
|
|
||||||
|
|
||||||
-- Utility Functions
|
|
||||||
local function _table_invert(input)
|
|
||||||
local output = {};
|
|
||||||
for key, value in pairs(input) do
|
|
||||||
output[value] = key;
|
|
||||||
end
|
|
||||||
return output;
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Constants
|
|
||||||
local ADDR_FAMILY = { UNSPEC = 0x0, INET = 0x1, INET6 = 0x2, UNIX = 0x3 };
|
|
||||||
local ADDR_FAMILY_STR = _table_invert(ADDR_FAMILY);
|
|
||||||
local TRANSPORT = { UNSPEC = 0x0, STREAM = 0x1, DGRAM = 0x2 };
|
|
||||||
local TRANSPORT_STR = _table_invert(TRANSPORT);
|
|
||||||
|
|
||||||
local PROTO_MAX_HEADER_LENGTH = 256;
|
|
||||||
local PROTO_HANDLERS = {
|
|
||||||
PROXYv1 = { signature = hex.from("50524F5859"), callback = nil },
|
|
||||||
PROXYv2 = { signature = hex.from("0D0A0D0A000D0A515549540A"), callback = nil }
|
|
||||||
};
|
|
||||||
local PROTO_HANDLER_STATUS = { SUCCESS = 0, POSTPONE = 1, FAILURE = 2 };
|
|
||||||
|
|
||||||
-- Configuration Variables
|
|
||||||
local config_mappings = module:get_option("proxy_port_mappings", {});
|
|
||||||
local config_ports = module:get_option_set("proxy_ports", {});
|
|
||||||
local config_trusted_proxies = module:get_option_set("proxy_trusted_proxies", {"127.0.0.1", "::1"});
|
|
||||||
|
|
||||||
-- Persistent In-Memory Storage
|
|
||||||
local sessions = {};
|
|
||||||
local mappings = {};
|
|
||||||
local trusted_networks = set.new();
|
|
||||||
|
|
||||||
-- Proxy Data Methods
|
|
||||||
local proxy_data_mt = {}; proxy_data_mt.__index = proxy_data_mt;
|
|
||||||
|
|
||||||
function proxy_data_mt:describe()
|
|
||||||
return string.format("proto=%s/%s src=%s:%d dst=%s:%d",
|
|
||||||
self:addr_family_str(), self:transport_str(), self:src_addr(), self:src_port(), self:dst_addr(), self:dst_port());
|
|
||||||
end
|
|
||||||
|
|
||||||
function proxy_data_mt:addr_family_str()
|
|
||||||
return ADDR_FAMILY_STR[self._addr_family] or ADDR_FAMILY_STR[ADDR_FAMILY.UNSPEC];
|
|
||||||
end
|
|
||||||
|
|
||||||
function proxy_data_mt:transport_str()
|
|
||||||
return TRANSPORT_STR[self._transport] or TRANSPORT_STR[TRANSPORT.UNSPEC];
|
|
||||||
end
|
|
||||||
|
|
||||||
function proxy_data_mt:version()
|
|
||||||
return self._version;
|
|
||||||
end
|
|
||||||
|
|
||||||
function proxy_data_mt:addr_family()
|
|
||||||
return self._addr_family;
|
|
||||||
end
|
|
||||||
|
|
||||||
function proxy_data_mt:transport()
|
|
||||||
return self._transport;
|
|
||||||
end
|
|
||||||
|
|
||||||
function proxy_data_mt:src_addr()
|
|
||||||
return self._src_addr;
|
|
||||||
end
|
|
||||||
|
|
||||||
function proxy_data_mt:src_port()
|
|
||||||
return self._src_port;
|
|
||||||
end
|
|
||||||
|
|
||||||
function proxy_data_mt:dst_addr()
|
|
||||||
return self._dst_addr;
|
|
||||||
end
|
|
||||||
|
|
||||||
function proxy_data_mt:dst_port()
|
|
||||||
return self._dst_port;
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Protocol Handler Functions
|
|
||||||
PROTO_HANDLERS["PROXYv1"].callback = function(conn, session)
|
|
||||||
local addr_family_mappings = { TCP4 = ADDR_FAMILY.INET, TCP6 = ADDR_FAMILY.INET6 };
|
|
||||||
|
|
||||||
-- Postpone processing if CRLF (PROXYv1 header terminator) does not exist within buffer
|
|
||||||
if session.buffer:find("\r\n") == nil then
|
|
||||||
return PROTO_HANDLER_STATUS.POSTPONE, nil;
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Declare header pattern and match current buffer against pattern
|
|
||||||
local header_pattern = "^PROXY (%S+) (%S+) (%S+) (%d+) (%d+)\r\n";
|
|
||||||
local addr_family, src_addr, dst_addr, src_port, dst_port = session.buffer:match(header_pattern);
|
|
||||||
src_port, dst_port = tonumber(src_port), tonumber(dst_port);
|
|
||||||
|
|
||||||
-- Ensure that header was successfully parsed and contains a valid address family
|
|
||||||
if addr_family == nil or src_addr == nil or dst_addr == nil or src_port == nil or dst_port == nil then
|
|
||||||
module:log("warn", "Received unparseable PROXYv1 header from %s", conn:ip());
|
|
||||||
return PROTO_HANDLER_STATUS.FAILURE, nil;
|
|
||||||
end
|
|
||||||
if addr_family_mappings[addr_family] == nil then
|
|
||||||
module:log("warn", "Received invalid PROXYv1 address family from %s: %s", conn:ip(), addr_family);
|
|
||||||
return PROTO_HANDLER_STATUS.FAILURE, nil;
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Ensure that received source and destination ports are within 1 and 65535 (0xFFFF)
|
|
||||||
if src_port <= 0 or src_port >= 0xFFFF then
|
|
||||||
module:log("warn", "Received invalid PROXYv1 source port from %s: %d", conn:ip(), src_port);
|
|
||||||
return PROTO_HANDLER_STATUS.FAILURE, nil;
|
|
||||||
end
|
|
||||||
if dst_port <= 0 or dst_port >= 0xFFFF then
|
|
||||||
module:log("warn", "Received invalid PROXYv1 destination port from %s: %d", conn:ip(), dst_port);
|
|
||||||
return PROTO_HANDLER_STATUS.FAILURE, nil;
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Ensure that received source and destination address can be parsed
|
|
||||||
local _, err = ip.new_ip(src_addr);
|
|
||||||
if err ~= nil then
|
|
||||||
module:log("warn", "Received unparseable PROXYv1 source address from %s: %s", conn:ip(), src_addr);
|
|
||||||
return PROTO_HANDLER_STATUS.FAILURE, nil;
|
|
||||||
end
|
|
||||||
_, err = ip.new_ip(dst_addr);
|
|
||||||
if err ~= nil then
|
|
||||||
module:log("warn", "Received unparseable PROXYv1 destination address from %s: %s", conn:ip(), dst_addr);
|
|
||||||
return PROTO_HANDLER_STATUS.FAILURE, nil;
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Strip parsed header from session buffer and build proxy data
|
|
||||||
session.buffer = session.buffer:gsub(header_pattern, "");
|
|
||||||
|
|
||||||
local proxy_data = {
|
|
||||||
_version = 1,
|
|
||||||
_addr_family = addr_family, _transport = TRANSPORT.STREAM,
|
|
||||||
_src_addr = src_addr, _src_port = src_port,
|
|
||||||
_dst_addr = dst_addr, _dst_port = dst_port
|
|
||||||
};
|
|
||||||
setmetatable(proxy_data, proxy_data_mt);
|
|
||||||
|
|
||||||
-- Return successful response with gathered proxy data
|
|
||||||
return PROTO_HANDLER_STATUS.SUCCESS, proxy_data;
|
|
||||||
end
|
|
||||||
|
|
||||||
PROTO_HANDLERS["PROXYv2"].callback = function(conn, session)
|
|
||||||
-- Postpone processing if less than 16 bytes are available
|
|
||||||
if #session.buffer < 16 then
|
|
||||||
return PROTO_HANDLER_STATUS.POSTPONE, nil;
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Parse first 16 bytes of protocol header
|
|
||||||
local version = bit.rshift(bit.band(session.buffer:byte(13), 0xF0), 4);
|
|
||||||
local command = bit.band(session.buffer:byte(13), 0x0F);
|
|
||||||
local addr_family = bit.rshift(bit.band(session.buffer:byte(14), 0xF0), 4);
|
|
||||||
local transport = bit.band(session.buffer:byte(14), 0x0F);
|
|
||||||
local length = bit.bor(session.buffer:byte(16), bit.lshift(session.buffer:byte(15), 8));
|
|
||||||
|
|
||||||
-- Postpone processing if less than 16+<length> bytes are available
|
|
||||||
if #session.buffer < 16 + length then
|
|
||||||
return PROTO_HANDLER_STATUS.POSTPONE, nil;
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Ensure that version number is correct
|
|
||||||
if version ~= 0x2 then
|
|
||||||
module:log("warn", "Received unsupported PROXYv2 version from %s: %d", conn:ip(), version);
|
|
||||||
return PROTO_HANDLER_STATUS.FAILURE, nil;
|
|
||||||
end
|
|
||||||
|
|
||||||
local payload = session.buffer:sub(17);
|
|
||||||
if command == 0x0 then
|
|
||||||
-- Gather source/destination addresses and ports from local socket
|
|
||||||
local src_addr, src_port = conn:socket():getpeername();
|
|
||||||
local dst_addr, dst_port = conn:socket():getsockname();
|
|
||||||
|
|
||||||
-- Build proxy data based on real connection information
|
|
||||||
local proxy_data = {
|
|
||||||
_version = version,
|
|
||||||
_addr_family = addr_family, _transport = transport,
|
|
||||||
_src_addr = src_addr, _src_port = src_port,
|
|
||||||
_dst_addr = dst_addr, _dst_port = dst_port
|
|
||||||
};
|
|
||||||
setmetatable(proxy_data, proxy_data_mt);
|
|
||||||
|
|
||||||
-- Return successful response with gathered proxy data
|
|
||||||
return PROTO_HANDLER_STATUS.SUCCESS, proxy_data;
|
|
||||||
elseif command == 0x1 then
|
|
||||||
local offset = 1;
|
|
||||||
local src_addr, src_port, dst_addr, dst_port;
|
|
||||||
|
|
||||||
-- Verify transport protocol is either STREAM or DGRAM
|
|
||||||
if transport ~= TRANSPORT.STREAM and transport ~= TRANSPORT.DGRAM then
|
|
||||||
module:log("warn", "Received unsupported PROXYv2 transport from %s: 0x%02X", conn:ip(), transport);
|
|
||||||
return PROTO_HANDLER_STATUS.FAILURE, nil;
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Parse source and destination addresses
|
|
||||||
if addr_family == ADDR_FAMILY.INET then
|
|
||||||
src_addr = net_ntop(payload:sub(offset, offset + 3)); offset = offset + 4;
|
|
||||||
dst_addr = net_ntop(payload:sub(offset, offset + 3)); offset = offset + 4;
|
|
||||||
elseif addr_family == ADDR_FAMILY.INET6 then
|
|
||||||
src_addr = net_ntop(payload:sub(offset, offset + 15)); offset = offset + 16;
|
|
||||||
dst_addr = net_ntop(payload:sub(offset, offset + 15)); offset = offset + 16;
|
|
||||||
elseif addr_family == ADDR_FAMILY.UNIX then
|
|
||||||
src_addr = payload:sub(offset, offset + 107); offset = offset + 108;
|
|
||||||
dst_addr = payload:sub(offset, offset + 107); offset = offset + 108;
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Parse source and destination ports
|
|
||||||
if addr_family == ADDR_FAMILY.INET or addr_family == ADDR_FAMILY.INET6 then
|
|
||||||
src_port = bit.bor(payload:byte(offset + 1), bit.lshift(payload:byte(offset), 8)); offset = offset + 2;
|
|
||||||
-- luacheck: ignore 311
|
|
||||||
dst_port = bit.bor(payload:byte(offset + 1), bit.lshift(payload:byte(offset), 8)); offset = offset + 2;
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Strip parsed header from session buffer and build proxy data
|
|
||||||
session.buffer = session.buffer:sub(17 + length);
|
|
||||||
|
|
||||||
local proxy_data = {
|
|
||||||
_version = version,
|
|
||||||
_addr_family = addr_family, _transport = transport,
|
|
||||||
_src_addr = src_addr, _src_port = src_port,
|
|
||||||
_dst_addr = dst_addr, _dst_port = dst_port
|
|
||||||
};
|
|
||||||
setmetatable(proxy_data, proxy_data_mt);
|
|
||||||
|
|
||||||
-- Return successful response with gathered proxy data
|
|
||||||
return PROTO_HANDLER_STATUS.SUCCESS, proxy_data;
|
|
||||||
else
|
|
||||||
module:log("warn", "Received unsupported PROXYv2 command from %s: 0x%02X", conn:ip(), command);
|
|
||||||
return PROTO_HANDLER_STATUS.FAILURE, nil;
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Wrap an existing connection with the provided proxy data. This will override several methods of the 'conn' object to
|
|
||||||
-- return the proxied source instead of the source which initiated the TCP connection. Afterwards, the listener of the
|
|
||||||
-- connection gets set according to the globally defined port<>service mappings and the methods 'onconnect' and
|
|
||||||
-- 'onincoming' are being called manually with the current session buffer.
|
|
||||||
local function wrap_proxy_connection(conn, session, proxy_data)
|
|
||||||
-- Override and add functions of 'conn' object when source information has been collected
|
|
||||||
conn.proxyip, conn.proxyport = conn.ip, conn.port;
|
|
||||||
if proxy_data:src_addr() ~= nil and proxy_data:src_port() ~= nil then
|
|
||||||
conn.ip = function()
|
|
||||||
return proxy_data:src_addr();
|
|
||||||
end
|
|
||||||
conn.port = function()
|
|
||||||
return proxy_data:src_port();
|
|
||||||
end
|
|
||||||
conn.clientport = conn.port;
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Attempt to find service by processing port<>service mappings
|
|
||||||
local mapping = mappings[tonumber(conn:serverport())];
|
|
||||||
if mapping == nil then
|
|
||||||
conn:close();
|
|
||||||
module:log("warn", "Connection %s@%s terminated: Could not find mapping for port %d",
|
|
||||||
conn:ip(), conn:proxyip(), conn:serverport());
|
|
||||||
return;
|
|
||||||
end
|
|
||||||
|
|
||||||
if mapping.service == nil then
|
|
||||||
local service = portmanager.get_service(mapping.service_name);
|
|
||||||
|
|
||||||
if service ~= nil then
|
|
||||||
mapping.service = service;
|
|
||||||
else
|
|
||||||
conn:close();
|
|
||||||
module:log("warn", "Connection %s@%s terminated: Could not process mapping for unknown service %s",
|
|
||||||
conn:ip(), conn:proxyip(), mapping.service_name);
|
|
||||||
return;
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Pass connection to actual service listener and simulate onconnect/onincoming callbacks
|
|
||||||
local service_listener = mapping.service.listener;
|
|
||||||
|
|
||||||
module:log("info", "Passing proxied connection %s:%d to service %s", conn:ip(), conn:port(), mapping.service_name);
|
|
||||||
conn:setlistener(service_listener);
|
|
||||||
if service_listener.onconnect then
|
|
||||||
service_listener.onconnect(conn);
|
|
||||||
end
|
|
||||||
return service_listener.onincoming(conn, session.buffer);
|
|
||||||
end
|
|
||||||
|
|
||||||
local function is_trusted_proxy(conn)
|
|
||||||
-- If no trusted proxies were configured, trust any incoming connection
|
|
||||||
-- While this may seem insecure, the module defaults to only trusting 127.0.0.1 and ::1
|
|
||||||
if trusted_networks:empty() then
|
|
||||||
return true;
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Iterate through all trusted proxies and check for match against connected IP address
|
|
||||||
local conn_ip = ip.new_ip(conn:ip());
|
|
||||||
for trusted_network in trusted_networks:items() do
|
|
||||||
if ip.match(trusted_network.ip, conn_ip, trusted_network.cidr) then
|
|
||||||
return true;
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Connection does not match any trusted proxy
|
|
||||||
return false;
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Network Listener Methods
|
|
||||||
local listener = {};
|
|
||||||
|
|
||||||
function listener.onconnect(conn)
|
|
||||||
-- Silently drop connections with an IP address of <nil>, which can happen when the socket was closed before the
|
|
||||||
-- responsible net.server backend was able to grab the IP address of the connecting client.
|
|
||||||
if conn:ip() == nil then
|
|
||||||
conn:close();
|
|
||||||
return;
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Check if connection is coming from a trusted proxy
|
|
||||||
if not is_trusted_proxy(conn) then
|
|
||||||
conn:close();
|
|
||||||
module:log("warn", "Dropped connection from untrusted proxy: %s", conn:ip());
|
|
||||||
return;
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Initialize session variables
|
|
||||||
sessions[conn] = {
|
|
||||||
handler = nil;
|
|
||||||
buffer = nil;
|
|
||||||
};
|
|
||||||
end
|
|
||||||
|
|
||||||
function listener.onincoming(conn, data)
|
|
||||||
-- Abort processing if no data has been received
|
|
||||||
if not data then
|
|
||||||
return;
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Lookup session for connection and append received data to buffer
|
|
||||||
local session = sessions[conn];
|
|
||||||
session.buffer = session.buffer and session.buffer .. data or data;
|
|
||||||
|
|
||||||
-- Attempt to determine protocol handler if not done previously
|
|
||||||
if session.handler == nil then
|
|
||||||
-- Match current session buffer against all known protocol signatures to determine protocol handler
|
|
||||||
for handler_name, handler in pairs(PROTO_HANDLERS) do
|
|
||||||
if session.buffer:find("^" .. handler.signature) ~= nil then
|
|
||||||
session.handler = handler.callback;
|
|
||||||
module:log("debug", "Detected %s connection from %s:%d", handler_name, conn:ip(), conn:port());
|
|
||||||
break;
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Decide between waiting for a complete header signature or terminating the connection when no handler has been found
|
|
||||||
if session.handler == nil then
|
|
||||||
-- Terminate connection if buffer size has exceeded tolerable maximum size
|
|
||||||
if #session.buffer > PROTO_MAX_HEADER_LENGTH then
|
|
||||||
conn:close();
|
|
||||||
module:log("warn", "Connection %s:%d terminated: No valid PROXY header within %d bytes",
|
|
||||||
conn:ip(), conn:port(), PROTO_MAX_HEADER_LENGTH);
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Skip further processing without a valid protocol handler
|
|
||||||
module:log("debug", "No valid header signature detected from %s:%d, waiting for more data...",
|
|
||||||
conn:ip(), conn:port());
|
|
||||||
return;
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Execute proxy protocol handler and process response
|
|
||||||
local response, proxy_data = session.handler(conn, session);
|
|
||||||
if response == PROTO_HANDLER_STATUS.SUCCESS then
|
|
||||||
module:log("info", "Received PROXY header from %s: %s", conn:ip(), proxy_data:describe());
|
|
||||||
return wrap_proxy_connection(conn, session, proxy_data);
|
|
||||||
elseif response == PROTO_HANDLER_STATUS.POSTPONE then
|
|
||||||
module:log("debug", "Postponed parsing of incomplete PROXY header received from %s", conn:ip());
|
|
||||||
return;
|
|
||||||
elseif response == PROTO_HANDLER_STATUS.FAILURE then
|
|
||||||
conn:close();
|
|
||||||
module:log("warn", "Connection %s terminated: Could not process PROXY header from client, " +
|
|
||||||
"see previous log messages.", conn:ip());
|
|
||||||
return;
|
|
||||||
else
|
|
||||||
-- This code should be never reached, but is included for completeness
|
|
||||||
conn:close();
|
|
||||||
module:log("warn", "Connection terminated: Received invalid protocol handler response with code %d", response);
|
|
||||||
return;
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
function listener.ondisconnect(conn)
|
|
||||||
sessions[conn] = nil;
|
|
||||||
end
|
|
||||||
|
|
||||||
listener.ondetach = listener.ondisconnect;
|
|
||||||
|
|
||||||
-- Parse trusted proxies which can either contain single hosts or networks
|
|
||||||
if not config_trusted_proxies:empty() then
|
|
||||||
for trusted_proxy in config_trusted_proxies:items() do
|
|
||||||
local network = {};
|
|
||||||
network.ip, network.cidr = ip.parse_cidr(trusted_proxy);
|
|
||||||
trusted_networks:add(network);
|
|
||||||
end
|
|
||||||
else
|
|
||||||
module:log("warn", "No trusted proxies configured, all connections will be accepted - this might be dangerous");
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Process all configured port mappings and generate a list of mapped ports
|
|
||||||
local mapped_ports = {};
|
|
||||||
for port, mapping in pairs(config_mappings) do
|
|
||||||
port = tonumber(port);
|
|
||||||
table.insert(mapped_ports, port);
|
|
||||||
mappings[port] = {
|
|
||||||
service_name = mapping,
|
|
||||||
service = nil,
|
|
||||||
};
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Log error message when user manually specifies ports without configuring the necessary port mappings
|
|
||||||
if not config_ports:empty() then
|
|
||||||
local missing_ports = config_ports - set.new(mapped_ports);
|
|
||||||
if not missing_ports:empty() then
|
|
||||||
module:log("error", "Missing port<>service mappings for these ports: %s", tostring(missing_ports));
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Register the previously declared network listener
|
|
||||||
module:provides("net", {
|
|
||||||
name = "proxy";
|
|
||||||
listener = listener;
|
|
||||||
default_ports = mapped_ports;
|
|
||||||
});
|
|
@ -1,105 +0,0 @@
|
|||||||
local st = require"util.stanza";
|
|
||||||
local new_ip = require"util.ip".new_ip;
|
|
||||||
local new_outgoing = require"core.s2smanager".new_outgoing;
|
|
||||||
local bounce_sendq = module:depends"s2s".route_to_new_session.bounce_sendq;
|
|
||||||
local initialize_filters = require "util.filters".initialize;
|
|
||||||
local st = require "util.stanza";
|
|
||||||
|
|
||||||
local portmanager = require "core.portmanager";
|
|
||||||
|
|
||||||
local addclient = require "net.server".addclient;
|
|
||||||
|
|
||||||
module:depends("s2s");
|
|
||||||
|
|
||||||
local sessions = module:shared("sessions");
|
|
||||||
|
|
||||||
local s2s_outgoing_proxy = module:get_option("s2s_outgoing_proxy");
|
|
||||||
|
|
||||||
local host, port = s2s_outgoing_proxy[1] or s2s_outgoing_proxy, tonumber(s2s_outgoing_proxy[2]) or 15270;
|
|
||||||
|
|
||||||
-- The proxy_listener handles connection while still connecting to the proxy,
|
|
||||||
-- then it hands them over to the normal listener (in mod_s2s)
|
|
||||||
local proxy_listener = { default_port = port, default_mode = "*a", default_interface = "*" };
|
|
||||||
|
|
||||||
function proxy_listener.onconnect(conn)
|
|
||||||
local session = sessions[conn];
|
|
||||||
|
|
||||||
-- Now the real s2s listener can take over the connection.
|
|
||||||
local listener = portmanager.get_service("s2s").listener;
|
|
||||||
|
|
||||||
session.proxy_handler = nil;
|
|
||||||
|
|
||||||
local w, log = conn.send, session.log;
|
|
||||||
|
|
||||||
local filter = initialize_filters(session);
|
|
||||||
|
|
||||||
session.version = 1;
|
|
||||||
|
|
||||||
session.sends2s = function (t)
|
|
||||||
log("debug", "sending (s2s over proxy): %s", (t.top_tag and t:top_tag()) or t:match("^[^>]*>?"));
|
|
||||||
if t.name then
|
|
||||||
t = filter("stanzas/out", t);
|
|
||||||
end
|
|
||||||
if t then
|
|
||||||
t = filter("bytes/out", tostring(t));
|
|
||||||
if t then
|
|
||||||
return conn:write(tostring(t));
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
session.open_stream = function ()
|
|
||||||
session.sends2s(st.stanza("stream:stream", {
|
|
||||||
xmlns='jabber:server', ["xmlns:db"]='jabber:server:dialback',
|
|
||||||
["xmlns:stream"]='http://etherx.jabber.org/streams',
|
|
||||||
from=session.from_host, to=session.to_host, version='1.0', ["xml:lang"]='en'}):top_tag());
|
|
||||||
end
|
|
||||||
|
|
||||||
conn.setlistener(conn, listener);
|
|
||||||
|
|
||||||
listener.register_outgoing(conn, session);
|
|
||||||
|
|
||||||
listener.onconnect(conn);
|
|
||||||
|
|
||||||
-- this marks outgoing s2s as secure so we accept SASL EXTERNAL on it
|
|
||||||
session.secure = true;
|
|
||||||
end
|
|
||||||
|
|
||||||
function proxy_listener.register_outgoing(conn, session)
|
|
||||||
session.direction = "outgoing";
|
|
||||||
sessions[conn] = session;
|
|
||||||
end
|
|
||||||
|
|
||||||
function proxy_listener.ondisconnect(conn, err)
|
|
||||||
sessions[conn] = nil;
|
|
||||||
end
|
|
||||||
|
|
||||||
module:hook("route/remote", function(event)
|
|
||||||
local from_host, to_host, stanza = event.from_host, event.to_host, event.stanza;
|
|
||||||
log("debug", "opening a new outgoing connection for this stanza");
|
|
||||||
local host_session = new_outgoing(from_host, to_host);
|
|
||||||
|
|
||||||
-- Store in buffer
|
|
||||||
host_session.bounce_sendq = bounce_sendq;
|
|
||||||
host_session.sendq = { {tostring(stanza), stanza.attr.type ~= "error" and stanza.attr.type ~= "result" and st.reply(stanza)} };
|
|
||||||
log("debug", "stanza [%s] queued until connection complete", tostring(stanza.name));
|
|
||||||
|
|
||||||
local conn = addclient(host, port, proxy_listener, "*a");
|
|
||||||
|
|
||||||
proxy_listener.register_outgoing(conn, host_session);
|
|
||||||
|
|
||||||
host_session.conn = conn;
|
|
||||||
return true;
|
|
||||||
end, -2);
|
|
||||||
|
|
||||||
-- todo: is this the best place to do this hook?
|
|
||||||
-- this hook marks incoming s2s as secure so we offer SASL EXTERNAL on it
|
|
||||||
module:hook("s2s-stream-features", function(event)
|
|
||||||
local session, features = event.origin, event.features;
|
|
||||||
if session.type == "s2sin_unauthed" then
|
|
||||||
module:log("debug", "marking hook session.type '%s' secure with validated cert!", session.type);
|
|
||||||
session.secure = true;
|
|
||||||
session.cert_chain_status = "valid";
|
|
||||||
session.cert_identity_status = "valid";
|
|
||||||
end
|
|
||||||
end, 3000);
|
|
@ -1,39 +0,0 @@
|
|||||||
local secure_interfaces = module:get_option_set("secure_interfaces", { "127.0.0.1", "::1" });
|
|
||||||
|
|
||||||
local function mark_secure(event, expected_type)
|
|
||||||
local session = event.origin;
|
|
||||||
if session.type ~= expected_type then return; end
|
|
||||||
local socket = session.conn:socket();
|
|
||||||
if not socket.getsockname then
|
|
||||||
module:log("debug", "Unable to determine local address of incoming connection");
|
|
||||||
return;
|
|
||||||
end
|
|
||||||
local localip = socket:getsockname();
|
|
||||||
if secure_interfaces:contains(localip) then
|
|
||||||
module:log("debug", "Marking session from %s to %s as secure", session.ip or "[?]", localip);
|
|
||||||
session.secure = true;
|
|
||||||
session.conn.starttls = false;
|
|
||||||
else
|
|
||||||
module:log("debug", "Not marking session from %s to %s as secure", session.ip or "[?]", localip);
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
module:hook("stream-features", function (event)
|
|
||||||
mark_secure(event, "c2s_unauthed");
|
|
||||||
end, 25000);
|
|
||||||
|
|
||||||
module:hook("s2s-stream-features", function (event)
|
|
||||||
mark_secure(event, "s2sin_unauthed");
|
|
||||||
end, 25000);
|
|
||||||
|
|
||||||
-- todo: is this the best place to do this hook?
|
|
||||||
-- this hook marks incoming s2s as secure so we offer SASL EXTERNAL on it
|
|
||||||
module:hook("s2s-stream-features", function(event)
|
|
||||||
local session, features = event.origin, event.features;
|
|
||||||
if session.type == "s2sin_unauthed" then
|
|
||||||
module:log("debug", "marking hook session.type '%s' secure with validated cert!", session.type);
|
|
||||||
session.secure = true;
|
|
||||||
session.cert_chain_status = "valid";
|
|
||||||
session.cert_identity_status = "valid";
|
|
||||||
end
|
|
||||||
end, 3000);
|
|
@ -1,14 +0,0 @@
|
|||||||
[package]
|
|
||||||
name = "fuzz"
|
|
||||||
version = "0.1.0"
|
|
||||||
authors = ["moparisthebest <admin@moparisthebest.com>"]
|
|
||||||
edition = "2018"
|
|
||||||
|
|
||||||
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
|
|
||||||
|
|
||||||
[dependencies]
|
|
||||||
afl = "0.15.1"
|
|
||||||
xmpp-proxy = { path = "..", default-features = false, features = [] }
|
|
||||||
tokio = { version = "1.35", features = ["net", "rt", "rt-multi-thread", "macros", "io-util"] }
|
|
||||||
sha256 = "1.4.0"
|
|
||||||
rxml = "0.9.1"
|
|
@ -1 +0,0 @@
|
|||||||
<?xml version='1.0'?>
|
|
@ -1 +0,0 @@
|
|||||||
<element/>
|
|
@ -1 +0,0 @@
|
|||||||
<element attr="abc" attr='def'/>
|
|
@ -1 +0,0 @@
|
|||||||
<element><![CDATA[ fun ]] ]]></element>
|
|
@ -1 +0,0 @@
|
|||||||
<foo><bar/><baz><fnord/></baz></foo>
|
|
@ -1 +0,0 @@
|
|||||||
<foo>with <bar/>some<baz>content <fnord/>mixed </baz>into them</foo>
|
|
@ -1,5 +0,0 @@
|
|||||||
<?xml version='1.0' encoding='utf-8' ?>
|
|
||||||
<foo>
|
|
||||||
<bar>&</bar>
|
|
||||||
<hello xmlns="urn:xmpp"><prefix:world/></hello>
|
|
||||||
</foo>
|
|
@ -1,40 +0,0 @@
|
|||||||
use std::io::{Cursor, Write};
|
|
||||||
use tokio::runtime::Runtime;
|
|
||||||
use xmpp_proxy::stanzafilter::{StanzaFilter, StanzaReader};
|
|
||||||
|
|
||||||
fn main() {
|
|
||||||
std::fs::create_dir_all("/tmp/afl_test_gen/").unwrap();
|
|
||||||
afl::fuzz!(|data: &[u8]| {
|
|
||||||
let rt = Runtime::new().unwrap();
|
|
||||||
|
|
||||||
rt.block_on(async {
|
|
||||||
let mut filter = StanzaFilter::new(262_144);
|
|
||||||
let mut stanza_reader = StanzaReader(Cursor::new(data));
|
|
||||||
while let Ok(Some(stanza)) = stanza_reader.next(&mut filter).await {
|
|
||||||
let mut fp = rxml::FeedParser::default();
|
|
||||||
let result = rxml::as_eof_flag(fp.parse_all(&mut &stanza[..], true, |_ev| {
|
|
||||||
//println!("got event: {:?}", ev);
|
|
||||||
}));
|
|
||||||
// true indicates eof
|
|
||||||
if let Ok(result) = result {
|
|
||||||
if result {
|
|
||||||
// wow, afl generated us valid XML, lets output it as a test case
|
|
||||||
let fname = sha256::digest(stanza);
|
|
||||||
if let Ok(mut file) = std::fs::OpenOptions::new()
|
|
||||||
.read(true)
|
|
||||||
.write(true)
|
|
||||||
.create_new(true)
|
|
||||||
.open("/tmp/afl_test_gen/".to_owned() + fname.as_str())
|
|
||||||
{
|
|
||||||
file.write_all(stanza).unwrap();
|
|
||||||
file.sync_all().unwrap();
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
// more data is required, stanzafilter should never let this happen, let's panic
|
|
||||||
panic!("more data required?");
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
})
|
|
||||||
});
|
|
||||||
}
|
|
@ -1,72 +0,0 @@
|
|||||||
#
|
|
||||||
# AFL dictionary for XML
|
|
||||||
# ----------------------
|
|
||||||
#
|
|
||||||
# Several basic syntax elements and attributes, modeled on libxml2.
|
|
||||||
#
|
|
||||||
# Created by Michal Zalewski <lcamtuf@google.com>
|
|
||||||
#
|
|
||||||
|
|
||||||
attr_encoding=" encoding=\"1\""
|
|
||||||
attr_generic=" a=\"1\""
|
|
||||||
attr_href=" href=\"1\""
|
|
||||||
attr_standalone=" standalone=\"no\""
|
|
||||||
attr_version=" version=\"1\""
|
|
||||||
attr_xml_base=" xml:base=\"1\""
|
|
||||||
attr_xml_id=" xml:id=\"1\""
|
|
||||||
attr_xml_lang=" xml:lang=\"1\""
|
|
||||||
attr_xml_space=" xml:space=\"1\""
|
|
||||||
attr_xmlns=" xmlns=\"1\""
|
|
||||||
|
|
||||||
entity_builtin="<"
|
|
||||||
entity_decimal=""
|
|
||||||
entity_external="&a;"
|
|
||||||
entity_hex=""
|
|
||||||
|
|
||||||
string_any="ANY"
|
|
||||||
string_brackets="[]"
|
|
||||||
string_cdata="CDATA"
|
|
||||||
string_col_fallback=":fallback"
|
|
||||||
string_col_generic=":a"
|
|
||||||
string_col_include=":include"
|
|
||||||
string_dashes="--"
|
|
||||||
string_empty="EMPTY"
|
|
||||||
string_empty_dblquotes="\"\""
|
|
||||||
string_empty_quotes="''"
|
|
||||||
string_entities="ENTITIES"
|
|
||||||
string_entity="ENTITY"
|
|
||||||
string_fixed="#FIXED"
|
|
||||||
string_id="ID"
|
|
||||||
string_idref="IDREF"
|
|
||||||
string_idrefs="IDREFS"
|
|
||||||
string_implied="#IMPLIED"
|
|
||||||
string_nmtoken="NMTOKEN"
|
|
||||||
string_nmtokens="NMTOKENS"
|
|
||||||
string_notation="NOTATION"
|
|
||||||
string_parentheses="()"
|
|
||||||
string_pcdata="#PCDATA"
|
|
||||||
string_percent="%a"
|
|
||||||
string_public="PUBLIC"
|
|
||||||
string_required="#REQUIRED"
|
|
||||||
string_schema=":schema"
|
|
||||||
string_system="SYSTEM"
|
|
||||||
string_ucs4="UCS-4"
|
|
||||||
string_utf16="UTF-16"
|
|
||||||
string_utf8="UTF-8"
|
|
||||||
string_xmlns="xmlns:"
|
|
||||||
|
|
||||||
tag_attlist="<!ATTLIST"
|
|
||||||
tag_cdata="<![CDATA["
|
|
||||||
tag_close="</a>"
|
|
||||||
tag_doctype="<!DOCTYPE"
|
|
||||||
tag_element="<!ELEMENT"
|
|
||||||
tag_entity="<!ENTITY"
|
|
||||||
tag_ignore="<![IGNORE["
|
|
||||||
tag_include="<![INCLUDE["
|
|
||||||
tag_notation="<!NOTATION"
|
|
||||||
tag_open="<a>"
|
|
||||||
tag_open_close="<a />"
|
|
||||||
tag_open_exclamation="<!"
|
|
||||||
tag_open_q="<?"
|
|
||||||
tag_sq2_close="]]>"
|
|
||||||
tag_xml_q="<?xml?>"
|
|
@ -1,15 +0,0 @@
|
|||||||
$TTL 300
|
|
||||||
; example.org
|
|
||||||
@ IN SOA ns1.example.org. postmaster.example.org. (
|
|
||||||
2018111111 ; Serial
|
|
||||||
28800 ; Refresh
|
|
||||||
1800 ; Retry
|
|
||||||
604800 ; Expire - 1 week
|
|
||||||
86400 ) ; Negative Cache TTL
|
|
||||||
IN NS ns1
|
|
||||||
ns1 IN A 192.5.0.10
|
|
||||||
server1 IN A 192.5.0.20
|
|
||||||
server2 IN A 192.5.0.30
|
|
||||||
|
|
||||||
scansion.one IN CNAME server1
|
|
||||||
scansion.two IN CNAME server1
|
|
@ -1,228 +0,0 @@
|
|||||||
--Important for systemd
|
|
||||||
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
|
||||||
daemonize = false
|
|
||||||
run_as_root = true
|
|
||||||
|
|
||||||
pidfile = "/run/prosody/prosody.pid"
|
|
||||||
|
|
||||||
-- Prosody Example Configuration File
|
|
||||||
--
|
|
||||||
-- Information on configuring Prosody can be found on our
|
|
||||||
-- website at https://prosody.im/doc/configure
|
|
||||||
--
|
|
||||||
-- Tip: You can check that the syntax of this file is correct
|
|
||||||
-- when you have finished by running this command:
|
|
||||||
-- prosodyctl check config
|
|
||||||
-- If there are any errors, it will let you know what and where
|
|
||||||
-- they are, otherwise it will keep quiet.
|
|
||||||
--
|
|
||||||
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
|
||||||
-- blanks. Good luck, and happy Jabbering!
|
|
||||||
|
|
||||||
|
|
||||||
---------- Server-wide settings ----------
|
|
||||||
-- Settings in this section apply to the whole server and are the default settings
|
|
||||||
-- for any virtual hosts
|
|
||||||
|
|
||||||
-- This is a (by default, empty) list of accounts that are admins
|
|
||||||
-- for the server. Note that you must create the accounts separately
|
|
||||||
-- (see https://prosody.im/doc/creating_accounts for info)
|
|
||||||
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
|
||||||
admins = { }
|
|
||||||
|
|
||||||
-- Enable use of libevent for better performance under high load
|
|
||||||
-- For more information see: https://prosody.im/doc/libevent
|
|
||||||
--use_libevent = true
|
|
||||||
|
|
||||||
-- Prosody will always look in its source directory for modules, but
|
|
||||||
-- this option allows you to specify additional locations where Prosody
|
|
||||||
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
|
||||||
--plugin_paths = {}
|
|
||||||
|
|
||||||
-- This is the list of modules Prosody will load on startup.
|
|
||||||
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
|
||||||
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
|
||||||
modules_enabled = {
|
|
||||||
|
|
||||||
-- Generally required
|
|
||||||
"roster"; -- Allow users to have a roster. Recommended ;)
|
|
||||||
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
|
||||||
-- "tls"; -- Add support for secure TLS on c2s/s2s connections
|
|
||||||
--"dialback"; -- s2s dialback support
|
|
||||||
"disco"; -- Service discovery
|
|
||||||
|
|
||||||
-- Not essential, but recommended
|
|
||||||
"carbons"; -- Keep multiple clients in sync
|
|
||||||
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
|
||||||
"private"; -- Private XML storage (for room bookmarks, etc.)
|
|
||||||
"blocklist"; -- Allow users to block communications with other users
|
|
||||||
"vcard4"; -- User profiles (stored in PEP)
|
|
||||||
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
|
||||||
"limits"; -- Enable bandwidth limiting for XMPP connections
|
|
||||||
|
|
||||||
-- Nice to have
|
|
||||||
"version"; -- Replies to server version requests
|
|
||||||
"uptime"; -- Report how long server has been running
|
|
||||||
"time"; -- Let others know the time here on this server
|
|
||||||
"ping"; -- Replies to XMPP pings with pongs
|
|
||||||
"register"; -- Allow users to register on this server using a client and change passwords
|
|
||||||
--"mam"; -- Store messages in an archive and allow users to access it
|
|
||||||
--"csi_simple"; -- Simple Mobile optimizations
|
|
||||||
|
|
||||||
-- Admin interfaces
|
|
||||||
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
|
||||||
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
|
||||||
|
|
||||||
-- HTTP modules
|
|
||||||
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
|
||||||
--"websocket"; -- XMPP over WebSockets
|
|
||||||
--"http_files"; -- Serve static files from a directory over HTTP
|
|
||||||
|
|
||||||
-- Other specific functionality
|
|
||||||
--"groups"; -- Shared roster support
|
|
||||||
--"server_contact_info"; -- Publish contact information for this service
|
|
||||||
--"announce"; -- Send announcement to all online users
|
|
||||||
--"welcome"; -- Welcome users who register accounts
|
|
||||||
--"watchregistrations"; -- Alert admins of registrations
|
|
||||||
--"motd"; -- Send a message to users when they log in
|
|
||||||
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
|
||||||
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
|
||||||
}
|
|
||||||
|
|
||||||
-- These modules are auto-loaded, but should you want
|
|
||||||
-- to disable them then uncomment them here:
|
|
||||||
modules_disabled = {
|
|
||||||
-- "offline"; -- Store offline messages
|
|
||||||
-- "c2s"; -- Handle client connections
|
|
||||||
-- "s2s"; -- Handle server-to-server connections
|
|
||||||
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Disable account creation by default, for security
|
|
||||||
-- For more information see https://prosody.im/doc/creating_accounts
|
|
||||||
allow_registration = false
|
|
||||||
|
|
||||||
require_encryption = false
|
|
||||||
allow_unencrypted_plain_auth = true
|
|
||||||
|
|
||||||
-- Force clients to use encrypted connections? This option will
|
|
||||||
-- prevent clients from authenticating unless they are using encryption.
|
|
||||||
|
|
||||||
c2s_require_encryption = false
|
|
||||||
|
|
||||||
-- Force servers to use encrypted connections? This option will
|
|
||||||
-- prevent servers from authenticating unless they are using encryption.
|
|
||||||
|
|
||||||
s2s_require_encryption = false
|
|
||||||
|
|
||||||
-- Force certificate authentication for server-to-server connections?
|
|
||||||
|
|
||||||
s2s_secure_auth = false
|
|
||||||
|
|
||||||
-- Some servers have invalid or self-signed certificates. You can list
|
|
||||||
-- remote domains here that will not be required to authenticate using
|
|
||||||
-- certificates. They will be authenticated using DNS instead, even
|
|
||||||
-- when s2s_secure_auth is enabled.
|
|
||||||
|
|
||||||
--s2s_insecure_domains = { "insecure.example" }
|
|
||||||
|
|
||||||
-- Even if you disable s2s_secure_auth, you can still require valid
|
|
||||||
-- certificates for some domains by specifying a list here.
|
|
||||||
|
|
||||||
--s2s_secure_domains = { "jabber.org" }
|
|
||||||
|
|
||||||
-- Enable rate limits for incoming client and server connections
|
|
||||||
|
|
||||||
limits = {
|
|
||||||
c2s = {
|
|
||||||
rate = "10kb/s";
|
|
||||||
};
|
|
||||||
s2sin = {
|
|
||||||
rate = "30kb/s";
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Select the authentication backend to use. The 'internal' providers
|
|
||||||
-- use Prosody's configured data storage to store the authentication data.
|
|
||||||
|
|
||||||
authentication = "internal_hashed"
|
|
||||||
|
|
||||||
-- Select the storage backend to use. By default Prosody uses flat files
|
|
||||||
-- in its configured data directory, but it also supports more backends
|
|
||||||
-- through modules. An "sql" backend is included by default, but requires
|
|
||||||
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
|
||||||
|
|
||||||
--storage = "sql" -- Default is "internal"
|
|
||||||
|
|
||||||
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
|
||||||
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
|
||||||
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
|
||||||
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
|
||||||
|
|
||||||
|
|
||||||
-- Archiving configuration
|
|
||||||
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
|
||||||
-- is used to synchronize conversations between multiple clients, even if
|
|
||||||
-- they are offline. This setting controls how long Prosody will keep
|
|
||||||
-- messages in the archive before removing them.
|
|
||||||
|
|
||||||
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
|
||||||
|
|
||||||
-- You can also configure messages to be stored in-memory only. For more
|
|
||||||
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
|
||||||
|
|
||||||
-- Logging configuration
|
|
||||||
-- For advanced logging see https://prosody.im/doc/logging
|
|
||||||
log = {
|
|
||||||
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
|
||||||
-- error = "prosody.err";
|
|
||||||
--info = "*syslog"; -- Uncomment this for logging to syslog
|
|
||||||
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Uncomment to enable statistics
|
|
||||||
-- For more info see https://prosody.im/doc/statistics
|
|
||||||
-- statistics = "internal"
|
|
||||||
|
|
||||||
-- Certificates
|
|
||||||
-- Every virtual host and component needs a certificate so that clients and
|
|
||||||
-- servers can securely verify its identity. Prosody will automatically load
|
|
||||||
-- certificates/keys from the directory specified here.
|
|
||||||
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
|
||||||
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
|
||||||
|
|
||||||
-- Location of directory to find certificates in (relative to main config file):
|
|
||||||
certificates = "certsno"
|
|
||||||
|
|
||||||
-- HTTPS currently only supports a single certificate, specify it here:
|
|
||||||
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
|
||||||
|
|
||||||
----------- Virtual hosts -----------
|
|
||||||
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
|
||||||
-- Settings under each VirtualHost entry apply *only* to that host.
|
|
||||||
|
|
||||||
VirtualHost "one.example.org"
|
|
||||||
|
|
||||||
VirtualHost "two.example.org"
|
|
||||||
|
|
||||||
--VirtualHost "example.com"
|
|
||||||
-- certificate = "/path/to/example.crt"
|
|
||||||
|
|
||||||
------ Components ------
|
|
||||||
-- You can specify components to add hosts that provide special services,
|
|
||||||
-- like multi-user conferences, and transports.
|
|
||||||
-- For more information on components, see https://prosody.im/doc/components
|
|
||||||
|
|
||||||
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
|
||||||
--Component "conference.example.com" "muc"
|
|
||||||
--- Store MUC messages in an archive and allow users to access it
|
|
||||||
--modules_enabled = { "muc_mam" }
|
|
||||||
|
|
||||||
---Set up an external component (default component port is 5347)
|
|
||||||
--
|
|
||||||
-- External components allow adding various services, such as gateways/
|
|
||||||
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
|
||||||
-- see: https://prosody.im/doc/components#adding_an_external_component
|
|
||||||
--
|
|
||||||
--Component "gateway.example.com"
|
|
||||||
-- component_secret = "password"
|
|
@ -1,15 +0,0 @@
|
|||||||
$TTL 300
|
|
||||||
; example.org
|
|
||||||
@ IN SOA ns1.example.org. postmaster.example.org. (
|
|
||||||
2018111111 ; Serial
|
|
||||||
28800 ; Refresh
|
|
||||||
1800 ; Retry
|
|
||||||
604800 ; Expire - 1 week
|
|
||||||
86400 ) ; Negative Cache TTL
|
|
||||||
IN NS ns1
|
|
||||||
ns1 IN A 192.5.0.10
|
|
||||||
server1 IN A 192.5.0.20
|
|
||||||
server2 IN A 192.5.0.30
|
|
||||||
|
|
||||||
scansion.one IN CNAME server1
|
|
||||||
scansion.two IN CNAME server1
|
|
@ -1,225 +0,0 @@
|
|||||||
--Important for systemd
|
|
||||||
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
|
||||||
daemonize = false
|
|
||||||
run_as_root = true
|
|
||||||
|
|
||||||
pidfile = "/run/prosody/prosody.pid"
|
|
||||||
|
|
||||||
-- Prosody Example Configuration File
|
|
||||||
--
|
|
||||||
-- Information on configuring Prosody can be found on our
|
|
||||||
-- website at https://prosody.im/doc/configure
|
|
||||||
--
|
|
||||||
-- Tip: You can check that the syntax of this file is correct
|
|
||||||
-- when you have finished by running this command:
|
|
||||||
-- prosodyctl check config
|
|
||||||
-- If there are any errors, it will let you know what and where
|
|
||||||
-- they are, otherwise it will keep quiet.
|
|
||||||
--
|
|
||||||
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
|
||||||
-- blanks. Good luck, and happy Jabbering!
|
|
||||||
|
|
||||||
|
|
||||||
---------- Server-wide settings ----------
|
|
||||||
-- Settings in this section apply to the whole server and are the default settings
|
|
||||||
-- for any virtual hosts
|
|
||||||
|
|
||||||
-- This is a (by default, empty) list of accounts that are admins
|
|
||||||
-- for the server. Note that you must create the accounts separately
|
|
||||||
-- (see https://prosody.im/doc/creating_accounts for info)
|
|
||||||
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
|
||||||
admins = { }
|
|
||||||
|
|
||||||
-- Enable use of libevent for better performance under high load
|
|
||||||
-- For more information see: https://prosody.im/doc/libevent
|
|
||||||
--use_libevent = true
|
|
||||||
|
|
||||||
-- Prosody will always look in its source directory for modules, but
|
|
||||||
-- this option allows you to specify additional locations where Prosody
|
|
||||||
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
|
||||||
--plugin_paths = {}
|
|
||||||
|
|
||||||
-- This is the list of modules Prosody will load on startup.
|
|
||||||
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
|
||||||
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
|
||||||
modules_enabled = {
|
|
||||||
|
|
||||||
-- Generally required
|
|
||||||
"roster"; -- Allow users to have a roster. Recommended ;)
|
|
||||||
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
|
||||||
"tls"; -- Add support for secure TLS on c2s/s2s connections
|
|
||||||
--"dialback"; -- s2s dialback support
|
|
||||||
"disco"; -- Service discovery
|
|
||||||
|
|
||||||
-- Not essential, but recommended
|
|
||||||
"carbons"; -- Keep multiple clients in sync
|
|
||||||
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
|
||||||
"private"; -- Private XML storage (for room bookmarks, etc.)
|
|
||||||
"blocklist"; -- Allow users to block communications with other users
|
|
||||||
"vcard4"; -- User profiles (stored in PEP)
|
|
||||||
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
|
||||||
"limits"; -- Enable bandwidth limiting for XMPP connections
|
|
||||||
|
|
||||||
-- Nice to have
|
|
||||||
"version"; -- Replies to server version requests
|
|
||||||
"uptime"; -- Report how long server has been running
|
|
||||||
"time"; -- Let others know the time here on this server
|
|
||||||
"ping"; -- Replies to XMPP pings with pongs
|
|
||||||
"register"; -- Allow users to register on this server using a client and change passwords
|
|
||||||
--"mam"; -- Store messages in an archive and allow users to access it
|
|
||||||
--"csi_simple"; -- Simple Mobile optimizations
|
|
||||||
|
|
||||||
-- Admin interfaces
|
|
||||||
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
|
||||||
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
|
||||||
|
|
||||||
-- HTTP modules
|
|
||||||
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
|
||||||
--"websocket"; -- XMPP over WebSockets
|
|
||||||
--"http_files"; -- Serve static files from a directory over HTTP
|
|
||||||
|
|
||||||
-- Other specific functionality
|
|
||||||
--"groups"; -- Shared roster support
|
|
||||||
--"server_contact_info"; -- Publish contact information for this service
|
|
||||||
--"announce"; -- Send announcement to all online users
|
|
||||||
--"welcome"; -- Welcome users who register accounts
|
|
||||||
--"watchregistrations"; -- Alert admins of registrations
|
|
||||||
--"motd"; -- Send a message to users when they log in
|
|
||||||
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
|
||||||
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
|
||||||
}
|
|
||||||
|
|
||||||
-- These modules are auto-loaded, but should you want
|
|
||||||
-- to disable them then uncomment them here:
|
|
||||||
modules_disabled = {
|
|
||||||
-- "offline"; -- Store offline messages
|
|
||||||
-- "c2s"; -- Handle client connections
|
|
||||||
-- "s2s"; -- Handle server-to-server connections
|
|
||||||
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Disable account creation by default, for security
|
|
||||||
-- For more information see https://prosody.im/doc/creating_accounts
|
|
||||||
allow_registration = false
|
|
||||||
|
|
||||||
-- Force clients to use encrypted connections? This option will
|
|
||||||
-- prevent clients from authenticating unless they are using encryption.
|
|
||||||
|
|
||||||
c2s_require_encryption = true
|
|
||||||
|
|
||||||
-- Force servers to use encrypted connections? This option will
|
|
||||||
-- prevent servers from authenticating unless they are using encryption.
|
|
||||||
|
|
||||||
s2s_require_encryption = true
|
|
||||||
|
|
||||||
-- Force certificate authentication for server-to-server connections?
|
|
||||||
|
|
||||||
s2s_secure_auth = false
|
|
||||||
|
|
||||||
-- Some servers have invalid or self-signed certificates. You can list
|
|
||||||
-- remote domains here that will not be required to authenticate using
|
|
||||||
-- certificates. They will be authenticated using DNS instead, even
|
|
||||||
-- when s2s_secure_auth is enabled.
|
|
||||||
|
|
||||||
--s2s_insecure_domains = { "insecure.example" }
|
|
||||||
|
|
||||||
-- Even if you disable s2s_secure_auth, you can still require valid
|
|
||||||
-- certificates for some domains by specifying a list here.
|
|
||||||
|
|
||||||
--s2s_secure_domains = { "jabber.org" }
|
|
||||||
|
|
||||||
-- Enable rate limits for incoming client and server connections
|
|
||||||
|
|
||||||
limits = {
|
|
||||||
c2s = {
|
|
||||||
rate = "10kb/s";
|
|
||||||
};
|
|
||||||
s2sin = {
|
|
||||||
rate = "30kb/s";
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Select the authentication backend to use. The 'internal' providers
|
|
||||||
-- use Prosody's configured data storage to store the authentication data.
|
|
||||||
|
|
||||||
authentication = "internal_hashed"
|
|
||||||
|
|
||||||
-- Select the storage backend to use. By default Prosody uses flat files
|
|
||||||
-- in its configured data directory, but it also supports more backends
|
|
||||||
-- through modules. An "sql" backend is included by default, but requires
|
|
||||||
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
|
||||||
|
|
||||||
--storage = "sql" -- Default is "internal"
|
|
||||||
|
|
||||||
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
|
||||||
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
|
||||||
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
|
||||||
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
|
||||||
|
|
||||||
|
|
||||||
-- Archiving configuration
|
|
||||||
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
|
||||||
-- is used to synchronize conversations between multiple clients, even if
|
|
||||||
-- they are offline. This setting controls how long Prosody will keep
|
|
||||||
-- messages in the archive before removing them.
|
|
||||||
|
|
||||||
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
|
||||||
|
|
||||||
-- You can also configure messages to be stored in-memory only. For more
|
|
||||||
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
|
||||||
|
|
||||||
-- Logging configuration
|
|
||||||
-- For advanced logging see https://prosody.im/doc/logging
|
|
||||||
log = {
|
|
||||||
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
|
||||||
-- error = "prosody.err";
|
|
||||||
--info = "*syslog"; -- Uncomment this for logging to syslog
|
|
||||||
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Uncomment to enable statistics
|
|
||||||
-- For more info see https://prosody.im/doc/statistics
|
|
||||||
-- statistics = "internal"
|
|
||||||
|
|
||||||
-- Certificates
|
|
||||||
-- Every virtual host and component needs a certificate so that clients and
|
|
||||||
-- servers can securely verify its identity. Prosody will automatically load
|
|
||||||
-- certificates/keys from the directory specified here.
|
|
||||||
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
|
||||||
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
|
||||||
|
|
||||||
-- Location of directory to find certificates in (relative to main config file):
|
|
||||||
certificates = "certs"
|
|
||||||
|
|
||||||
-- HTTPS currently only supports a single certificate, specify it here:
|
|
||||||
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
|
||||||
|
|
||||||
----------- Virtual hosts -----------
|
|
||||||
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
|
||||||
-- Settings under each VirtualHost entry apply *only* to that host.
|
|
||||||
|
|
||||||
VirtualHost "one.example.org"
|
|
||||||
|
|
||||||
VirtualHost "two.example.org"
|
|
||||||
|
|
||||||
--VirtualHost "example.com"
|
|
||||||
-- certificate = "/path/to/example.crt"
|
|
||||||
|
|
||||||
------ Components ------
|
|
||||||
-- You can specify components to add hosts that provide special services,
|
|
||||||
-- like multi-user conferences, and transports.
|
|
||||||
-- For more information on components, see https://prosody.im/doc/components
|
|
||||||
|
|
||||||
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
|
||||||
--Component "conference.example.com" "muc"
|
|
||||||
--- Store MUC messages in an archive and allow users to access it
|
|
||||||
--modules_enabled = { "muc_mam" }
|
|
||||||
|
|
||||||
---Set up an external component (default component port is 5347)
|
|
||||||
--
|
|
||||||
-- External components allow adding various services, such as gateways/
|
|
||||||
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
|
||||||
-- see: https://prosody.im/doc/components#adding_an_external_component
|
|
||||||
--
|
|
||||||
--Component "gateway.example.com"
|
|
||||||
-- component_secret = "password"
|
|
@ -1,20 +0,0 @@
|
|||||||
$TTL 300
|
|
||||||
; example.org
|
|
||||||
@ IN SOA ns1.example.org. postmaster.example.org. (
|
|
||||||
2018111111 ; Serial
|
|
||||||
28800 ; Refresh
|
|
||||||
1800 ; Retry
|
|
||||||
604800 ; Expire - 1 week
|
|
||||||
86400 ) ; Negative Cache TTL
|
|
||||||
IN NS ns1
|
|
||||||
ns1 IN A 192.5.0.10
|
|
||||||
server1 IN A 192.5.0.20
|
|
||||||
server2 IN A 192.5.0.30
|
|
||||||
xp1 IN A 192.5.0.40
|
|
||||||
xp2 IN A 192.5.0.50
|
|
||||||
|
|
||||||
one IN CNAME server1
|
|
||||||
two IN CNAME server1
|
|
||||||
|
|
||||||
scansion.one IN CNAME xp1
|
|
||||||
scansion.two IN CNAME xp1
|
|
@ -1,225 +0,0 @@
|
|||||||
--Important for systemd
|
|
||||||
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
|
||||||
daemonize = false
|
|
||||||
run_as_root = true
|
|
||||||
|
|
||||||
pidfile = "/run/prosody/prosody.pid"
|
|
||||||
|
|
||||||
-- Prosody Example Configuration File
|
|
||||||
--
|
|
||||||
-- Information on configuring Prosody can be found on our
|
|
||||||
-- website at https://prosody.im/doc/configure
|
|
||||||
--
|
|
||||||
-- Tip: You can check that the syntax of this file is correct
|
|
||||||
-- when you have finished by running this command:
|
|
||||||
-- prosodyctl check config
|
|
||||||
-- If there are any errors, it will let you know what and where
|
|
||||||
-- they are, otherwise it will keep quiet.
|
|
||||||
--
|
|
||||||
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
|
||||||
-- blanks. Good luck, and happy Jabbering!
|
|
||||||
|
|
||||||
|
|
||||||
---------- Server-wide settings ----------
|
|
||||||
-- Settings in this section apply to the whole server and are the default settings
|
|
||||||
-- for any virtual hosts
|
|
||||||
|
|
||||||
-- This is a (by default, empty) list of accounts that are admins
|
|
||||||
-- for the server. Note that you must create the accounts separately
|
|
||||||
-- (see https://prosody.im/doc/creating_accounts for info)
|
|
||||||
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
|
||||||
admins = { }
|
|
||||||
|
|
||||||
-- Enable use of libevent for better performance under high load
|
|
||||||
-- For more information see: https://prosody.im/doc/libevent
|
|
||||||
--use_libevent = true
|
|
||||||
|
|
||||||
-- Prosody will always look in its source directory for modules, but
|
|
||||||
-- this option allows you to specify additional locations where Prosody
|
|
||||||
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
|
||||||
--plugin_paths = {}
|
|
||||||
|
|
||||||
-- This is the list of modules Prosody will load on startup.
|
|
||||||
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
|
||||||
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
|
||||||
modules_enabled = {
|
|
||||||
|
|
||||||
-- Generally required
|
|
||||||
"roster"; -- Allow users to have a roster. Recommended ;)
|
|
||||||
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
|
||||||
"tls"; -- Add support for secure TLS on c2s/s2s connections
|
|
||||||
--"dialback"; -- s2s dialback support
|
|
||||||
"disco"; -- Service discovery
|
|
||||||
|
|
||||||
-- Not essential, but recommended
|
|
||||||
"carbons"; -- Keep multiple clients in sync
|
|
||||||
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
|
||||||
"private"; -- Private XML storage (for room bookmarks, etc.)
|
|
||||||
"blocklist"; -- Allow users to block communications with other users
|
|
||||||
"vcard4"; -- User profiles (stored in PEP)
|
|
||||||
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
|
||||||
"limits"; -- Enable bandwidth limiting for XMPP connections
|
|
||||||
|
|
||||||
-- Nice to have
|
|
||||||
"version"; -- Replies to server version requests
|
|
||||||
"uptime"; -- Report how long server has been running
|
|
||||||
"time"; -- Let others know the time here on this server
|
|
||||||
"ping"; -- Replies to XMPP pings with pongs
|
|
||||||
"register"; -- Allow users to register on this server using a client and change passwords
|
|
||||||
--"mam"; -- Store messages in an archive and allow users to access it
|
|
||||||
--"csi_simple"; -- Simple Mobile optimizations
|
|
||||||
|
|
||||||
-- Admin interfaces
|
|
||||||
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
|
||||||
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
|
||||||
|
|
||||||
-- HTTP modules
|
|
||||||
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
|
||||||
--"websocket"; -- XMPP over WebSockets
|
|
||||||
--"http_files"; -- Serve static files from a directory over HTTP
|
|
||||||
|
|
||||||
-- Other specific functionality
|
|
||||||
--"groups"; -- Shared roster support
|
|
||||||
--"server_contact_info"; -- Publish contact information for this service
|
|
||||||
--"announce"; -- Send announcement to all online users
|
|
||||||
--"welcome"; -- Welcome users who register accounts
|
|
||||||
--"watchregistrations"; -- Alert admins of registrations
|
|
||||||
--"motd"; -- Send a message to users when they log in
|
|
||||||
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
|
||||||
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
|
||||||
}
|
|
||||||
|
|
||||||
-- These modules are auto-loaded, but should you want
|
|
||||||
-- to disable them then uncomment them here:
|
|
||||||
modules_disabled = {
|
|
||||||
-- "offline"; -- Store offline messages
|
|
||||||
-- "c2s"; -- Handle client connections
|
|
||||||
-- "s2s"; -- Handle server-to-server connections
|
|
||||||
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Disable account creation by default, for security
|
|
||||||
-- For more information see https://prosody.im/doc/creating_accounts
|
|
||||||
allow_registration = false
|
|
||||||
|
|
||||||
-- Force clients to use encrypted connections? This option will
|
|
||||||
-- prevent clients from authenticating unless they are using encryption.
|
|
||||||
|
|
||||||
c2s_require_encryption = true
|
|
||||||
|
|
||||||
-- Force servers to use encrypted connections? This option will
|
|
||||||
-- prevent servers from authenticating unless they are using encryption.
|
|
||||||
|
|
||||||
s2s_require_encryption = true
|
|
||||||
|
|
||||||
-- Force certificate authentication for server-to-server connections?
|
|
||||||
|
|
||||||
s2s_secure_auth = false
|
|
||||||
|
|
||||||
-- Some servers have invalid or self-signed certificates. You can list
|
|
||||||
-- remote domains here that will not be required to authenticate using
|
|
||||||
-- certificates. They will be authenticated using DNS instead, even
|
|
||||||
-- when s2s_secure_auth is enabled.
|
|
||||||
|
|
||||||
--s2s_insecure_domains = { "insecure.example" }
|
|
||||||
|
|
||||||
-- Even if you disable s2s_secure_auth, you can still require valid
|
|
||||||
-- certificates for some domains by specifying a list here.
|
|
||||||
|
|
||||||
--s2s_secure_domains = { "jabber.org" }
|
|
||||||
|
|
||||||
-- Enable rate limits for incoming client and server connections
|
|
||||||
|
|
||||||
limits = {
|
|
||||||
c2s = {
|
|
||||||
rate = "10kb/s";
|
|
||||||
};
|
|
||||||
s2sin = {
|
|
||||||
rate = "30kb/s";
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Select the authentication backend to use. The 'internal' providers
|
|
||||||
-- use Prosody's configured data storage to store the authentication data.
|
|
||||||
|
|
||||||
authentication = "internal_hashed"
|
|
||||||
|
|
||||||
-- Select the storage backend to use. By default Prosody uses flat files
|
|
||||||
-- in its configured data directory, but it also supports more backends
|
|
||||||
-- through modules. An "sql" backend is included by default, but requires
|
|
||||||
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
|
||||||
|
|
||||||
--storage = "sql" -- Default is "internal"
|
|
||||||
|
|
||||||
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
|
||||||
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
|
||||||
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
|
||||||
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
|
||||||
|
|
||||||
|
|
||||||
-- Archiving configuration
|
|
||||||
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
|
||||||
-- is used to synchronize conversations between multiple clients, even if
|
|
||||||
-- they are offline. This setting controls how long Prosody will keep
|
|
||||||
-- messages in the archive before removing them.
|
|
||||||
|
|
||||||
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
|
||||||
|
|
||||||
-- You can also configure messages to be stored in-memory only. For more
|
|
||||||
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
|
||||||
|
|
||||||
-- Logging configuration
|
|
||||||
-- For advanced logging see https://prosody.im/doc/logging
|
|
||||||
log = {
|
|
||||||
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
|
||||||
-- error = "prosody.err";
|
|
||||||
--info = "*syslog"; -- Uncomment this for logging to syslog
|
|
||||||
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Uncomment to enable statistics
|
|
||||||
-- For more info see https://prosody.im/doc/statistics
|
|
||||||
-- statistics = "internal"
|
|
||||||
|
|
||||||
-- Certificates
|
|
||||||
-- Every virtual host and component needs a certificate so that clients and
|
|
||||||
-- servers can securely verify its identity. Prosody will automatically load
|
|
||||||
-- certificates/keys from the directory specified here.
|
|
||||||
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
|
||||||
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
|
||||||
|
|
||||||
-- Location of directory to find certificates in (relative to main config file):
|
|
||||||
certificates = "certs"
|
|
||||||
|
|
||||||
-- HTTPS currently only supports a single certificate, specify it here:
|
|
||||||
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
|
||||||
|
|
||||||
----------- Virtual hosts -----------
|
|
||||||
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
|
||||||
-- Settings under each VirtualHost entry apply *only* to that host.
|
|
||||||
|
|
||||||
VirtualHost "one.example.org"
|
|
||||||
|
|
||||||
VirtualHost "two.example.org"
|
|
||||||
|
|
||||||
--VirtualHost "example.com"
|
|
||||||
-- certificate = "/path/to/example.crt"
|
|
||||||
|
|
||||||
------ Components ------
|
|
||||||
-- You can specify components to add hosts that provide special services,
|
|
||||||
-- like multi-user conferences, and transports.
|
|
||||||
-- For more information on components, see https://prosody.im/doc/components
|
|
||||||
|
|
||||||
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
|
||||||
--Component "conference.example.com" "muc"
|
|
||||||
--- Store MUC messages in an archive and allow users to access it
|
|
||||||
--modules_enabled = { "muc_mam" }
|
|
||||||
|
|
||||||
---Set up an external component (default component port is 5347)
|
|
||||||
--
|
|
||||||
-- External components allow adding various services, such as gateways/
|
|
||||||
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
|
||||||
-- see: https://prosody.im/doc/components#adding_an_external_component
|
|
||||||
--
|
|
||||||
--Component "gateway.example.com"
|
|
||||||
-- component_secret = "password"
|
|
@ -1,44 +0,0 @@
|
|||||||
|
|
||||||
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
|
||||||
incoming_listen = [ ]
|
|
||||||
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
|
||||||
quic_listen = [ ]
|
|
||||||
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
|
||||||
websocket_listen = [ ]
|
|
||||||
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
|
||||||
outgoing_listen = [ "0.0.0.0:5222" ]
|
|
||||||
|
|
||||||
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
|
||||||
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
|
||||||
|
|
||||||
# c2s port backend XMPP server listens on
|
|
||||||
c2s_target = "127.0.0.1:15222"
|
|
||||||
|
|
||||||
# s2s port backend XMPP server listens on
|
|
||||||
s2s_target = "127.0.0.1:15269"
|
|
||||||
|
|
||||||
# send PROXYv1 header to backend XMPP server
|
|
||||||
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
|
||||||
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
|
||||||
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
|
||||||
proxy = true
|
|
||||||
|
|
||||||
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
|
||||||
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
|
||||||
# xmpp-proxy will use this many bytes + 16k per connection
|
|
||||||
max_stanza_size_bytes = 262_144
|
|
||||||
|
|
||||||
# TLS key/certificate valid for all your XMPP domains, PEM format
|
|
||||||
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
|
||||||
tls_key = "/etc/certs/rsa/one.example.org.key"
|
|
||||||
tls_cert = "/etc/certs/rsa/one.example.org.crt"
|
|
||||||
|
|
||||||
# configure logging, defaults are commented
|
|
||||||
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
|
||||||
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
|
||||||
#log_level = "info"
|
|
||||||
# for development/debugging:
|
|
||||||
log_level = "info,xmpp_proxy=trace"
|
|
||||||
|
|
||||||
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
|
||||||
#log_style = "never"
|
|
@ -1,20 +0,0 @@
|
|||||||
$TTL 300
|
|
||||||
; example.org
|
|
||||||
@ IN SOA ns1.example.org. postmaster.example.org. (
|
|
||||||
2018111111 ; Serial
|
|
||||||
28800 ; Refresh
|
|
||||||
1800 ; Retry
|
|
||||||
604800 ; Expire - 1 week
|
|
||||||
86400 ) ; Negative Cache TTL
|
|
||||||
IN NS ns1
|
|
||||||
ns1 IN A 192.5.0.10
|
|
||||||
server1 IN A 192.5.0.20
|
|
||||||
server2 IN A 192.5.0.30
|
|
||||||
xp1 IN A 192.5.0.40
|
|
||||||
xp2 IN A 192.5.0.50
|
|
||||||
|
|
||||||
_xmpp-client._tcp.one IN SRV 5 1 5555 server1
|
|
||||||
_xmpp-client._tcp.two IN SRV 5 1 5555 server1
|
|
||||||
|
|
||||||
scansion.one IN CNAME xp1
|
|
||||||
scansion.two IN CNAME xp1
|
|
@ -1,227 +0,0 @@
|
|||||||
--Important for systemd
|
|
||||||
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
|
||||||
daemonize = false
|
|
||||||
run_as_root = true
|
|
||||||
|
|
||||||
pidfile = "/run/prosody/prosody.pid"
|
|
||||||
|
|
||||||
-- Prosody Example Configuration File
|
|
||||||
--
|
|
||||||
-- Information on configuring Prosody can be found on our
|
|
||||||
-- website at https://prosody.im/doc/configure
|
|
||||||
--
|
|
||||||
-- Tip: You can check that the syntax of this file is correct
|
|
||||||
-- when you have finished by running this command:
|
|
||||||
-- prosodyctl check config
|
|
||||||
-- If there are any errors, it will let you know what and where
|
|
||||||
-- they are, otherwise it will keep quiet.
|
|
||||||
--
|
|
||||||
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
|
||||||
-- blanks. Good luck, and happy Jabbering!
|
|
||||||
|
|
||||||
|
|
||||||
---------- Server-wide settings ----------
|
|
||||||
-- Settings in this section apply to the whole server and are the default settings
|
|
||||||
-- for any virtual hosts
|
|
||||||
|
|
||||||
-- This is a (by default, empty) list of accounts that are admins
|
|
||||||
-- for the server. Note that you must create the accounts separately
|
|
||||||
-- (see https://prosody.im/doc/creating_accounts for info)
|
|
||||||
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
|
||||||
admins = { }
|
|
||||||
|
|
||||||
-- Enable use of libevent for better performance under high load
|
|
||||||
-- For more information see: https://prosody.im/doc/libevent
|
|
||||||
--use_libevent = true
|
|
||||||
|
|
||||||
-- Prosody will always look in its source directory for modules, but
|
|
||||||
-- this option allows you to specify additional locations where Prosody
|
|
||||||
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
|
||||||
--plugin_paths = {}
|
|
||||||
|
|
||||||
-- This is the list of modules Prosody will load on startup.
|
|
||||||
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
|
||||||
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
|
||||||
modules_enabled = {
|
|
||||||
|
|
||||||
-- Generally required
|
|
||||||
"roster"; -- Allow users to have a roster. Recommended ;)
|
|
||||||
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
|
||||||
"tls"; -- Add support for secure TLS on c2s/s2s connections
|
|
||||||
--"dialback"; -- s2s dialback support
|
|
||||||
"disco"; -- Service discovery
|
|
||||||
|
|
||||||
-- Not essential, but recommended
|
|
||||||
"carbons"; -- Keep multiple clients in sync
|
|
||||||
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
|
||||||
"private"; -- Private XML storage (for room bookmarks, etc.)
|
|
||||||
"blocklist"; -- Allow users to block communications with other users
|
|
||||||
"vcard4"; -- User profiles (stored in PEP)
|
|
||||||
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
|
||||||
"limits"; -- Enable bandwidth limiting for XMPP connections
|
|
||||||
|
|
||||||
-- Nice to have
|
|
||||||
"version"; -- Replies to server version requests
|
|
||||||
"uptime"; -- Report how long server has been running
|
|
||||||
"time"; -- Let others know the time here on this server
|
|
||||||
"ping"; -- Replies to XMPP pings with pongs
|
|
||||||
"register"; -- Allow users to register on this server using a client and change passwords
|
|
||||||
--"mam"; -- Store messages in an archive and allow users to access it
|
|
||||||
--"csi_simple"; -- Simple Mobile optimizations
|
|
||||||
|
|
||||||
-- Admin interfaces
|
|
||||||
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
|
||||||
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
|
||||||
|
|
||||||
-- HTTP modules
|
|
||||||
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
|
||||||
--"websocket"; -- XMPP over WebSockets
|
|
||||||
--"http_files"; -- Serve static files from a directory over HTTP
|
|
||||||
|
|
||||||
-- Other specific functionality
|
|
||||||
--"groups"; -- Shared roster support
|
|
||||||
--"server_contact_info"; -- Publish contact information for this service
|
|
||||||
--"announce"; -- Send announcement to all online users
|
|
||||||
--"welcome"; -- Welcome users who register accounts
|
|
||||||
--"watchregistrations"; -- Alert admins of registrations
|
|
||||||
--"motd"; -- Send a message to users when they log in
|
|
||||||
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
|
||||||
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
|
||||||
}
|
|
||||||
|
|
||||||
-- These modules are auto-loaded, but should you want
|
|
||||||
-- to disable them then uncomment them here:
|
|
||||||
modules_disabled = {
|
|
||||||
-- "offline"; -- Store offline messages
|
|
||||||
-- "c2s"; -- Handle client connections
|
|
||||||
-- "s2s"; -- Handle server-to-server connections
|
|
||||||
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
|
||||||
}
|
|
||||||
|
|
||||||
c2s_ports = { 5555 };
|
|
||||||
|
|
||||||
-- Disable account creation by default, for security
|
|
||||||
-- For more information see https://prosody.im/doc/creating_accounts
|
|
||||||
allow_registration = false
|
|
||||||
|
|
||||||
-- Force clients to use encrypted connections? This option will
|
|
||||||
-- prevent clients from authenticating unless they are using encryption.
|
|
||||||
|
|
||||||
c2s_require_encryption = true
|
|
||||||
|
|
||||||
-- Force servers to use encrypted connections? This option will
|
|
||||||
-- prevent servers from authenticating unless they are using encryption.
|
|
||||||
|
|
||||||
s2s_require_encryption = true
|
|
||||||
|
|
||||||
-- Force certificate authentication for server-to-server connections?
|
|
||||||
|
|
||||||
s2s_secure_auth = false
|
|
||||||
|
|
||||||
-- Some servers have invalid or self-signed certificates. You can list
|
|
||||||
-- remote domains here that will not be required to authenticate using
|
|
||||||
-- certificates. They will be authenticated using DNS instead, even
|
|
||||||
-- when s2s_secure_auth is enabled.
|
|
||||||
|
|
||||||
--s2s_insecure_domains = { "insecure.example" }
|
|
||||||
|
|
||||||
-- Even if you disable s2s_secure_auth, you can still require valid
|
|
||||||
-- certificates for some domains by specifying a list here.
|
|
||||||
|
|
||||||
--s2s_secure_domains = { "jabber.org" }
|
|
||||||
|
|
||||||
-- Enable rate limits for incoming client and server connections
|
|
||||||
|
|
||||||
limits = {
|
|
||||||
c2s = {
|
|
||||||
rate = "10kb/s";
|
|
||||||
};
|
|
||||||
s2sin = {
|
|
||||||
rate = "30kb/s";
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Select the authentication backend to use. The 'internal' providers
|
|
||||||
-- use Prosody's configured data storage to store the authentication data.
|
|
||||||
|
|
||||||
authentication = "internal_hashed"
|
|
||||||
|
|
||||||
-- Select the storage backend to use. By default Prosody uses flat files
|
|
||||||
-- in its configured data directory, but it also supports more backends
|
|
||||||
-- through modules. An "sql" backend is included by default, but requires
|
|
||||||
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
|
||||||
|
|
||||||
--storage = "sql" -- Default is "internal"
|
|
||||||
|
|
||||||
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
|
||||||
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
|
||||||
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
|
||||||
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
|
||||||
|
|
||||||
|
|
||||||
-- Archiving configuration
|
|
||||||
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
|
||||||
-- is used to synchronize conversations between multiple clients, even if
|
|
||||||
-- they are offline. This setting controls how long Prosody will keep
|
|
||||||
-- messages in the archive before removing them.
|
|
||||||
|
|
||||||
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
|
||||||
|
|
||||||
-- You can also configure messages to be stored in-memory only. For more
|
|
||||||
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
|
||||||
|
|
||||||
-- Logging configuration
|
|
||||||
-- For advanced logging see https://prosody.im/doc/logging
|
|
||||||
log = {
|
|
||||||
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
|
||||||
-- error = "prosody.err";
|
|
||||||
--info = "*syslog"; -- Uncomment this for logging to syslog
|
|
||||||
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Uncomment to enable statistics
|
|
||||||
-- For more info see https://prosody.im/doc/statistics
|
|
||||||
-- statistics = "internal"
|
|
||||||
|
|
||||||
-- Certificates
|
|
||||||
-- Every virtual host and component needs a certificate so that clients and
|
|
||||||
-- servers can securely verify its identity. Prosody will automatically load
|
|
||||||
-- certificates/keys from the directory specified here.
|
|
||||||
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
|
||||||
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
|
||||||
|
|
||||||
-- Location of directory to find certificates in (relative to main config file):
|
|
||||||
certificates = "certs"
|
|
||||||
|
|
||||||
-- HTTPS currently only supports a single certificate, specify it here:
|
|
||||||
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
|
||||||
|
|
||||||
----------- Virtual hosts -----------
|
|
||||||
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
|
||||||
-- Settings under each VirtualHost entry apply *only* to that host.
|
|
||||||
|
|
||||||
VirtualHost "one.example.org"
|
|
||||||
|
|
||||||
VirtualHost "two.example.org"
|
|
||||||
|
|
||||||
--VirtualHost "example.com"
|
|
||||||
-- certificate = "/path/to/example.crt"
|
|
||||||
|
|
||||||
------ Components ------
|
|
||||||
-- You can specify components to add hosts that provide special services,
|
|
||||||
-- like multi-user conferences, and transports.
|
|
||||||
-- For more information on components, see https://prosody.im/doc/components
|
|
||||||
|
|
||||||
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
|
||||||
--Component "conference.example.com" "muc"
|
|
||||||
--- Store MUC messages in an archive and allow users to access it
|
|
||||||
--modules_enabled = { "muc_mam" }
|
|
||||||
|
|
||||||
---Set up an external component (default component port is 5347)
|
|
||||||
--
|
|
||||||
-- External components allow adding various services, such as gateways/
|
|
||||||
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
|
||||||
-- see: https://prosody.im/doc/components#adding_an_external_component
|
|
||||||
--
|
|
||||||
--Component "gateway.example.com"
|
|
||||||
-- component_secret = "password"
|
|
@ -1,44 +0,0 @@
|
|||||||
|
|
||||||
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
|
||||||
incoming_listen = [ ]
|
|
||||||
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
|
||||||
quic_listen = [ ]
|
|
||||||
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
|
||||||
websocket_listen = [ ]
|
|
||||||
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
|
||||||
outgoing_listen = [ "0.0.0.0:5222" ]
|
|
||||||
|
|
||||||
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
|
||||||
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
|
||||||
|
|
||||||
# c2s port backend XMPP server listens on
|
|
||||||
c2s_target = "127.0.0.1:15222"
|
|
||||||
|
|
||||||
# s2s port backend XMPP server listens on
|
|
||||||
s2s_target = "127.0.0.1:15269"
|
|
||||||
|
|
||||||
# send PROXYv1 header to backend XMPP server
|
|
||||||
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
|
||||||
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
|
||||||
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
|
||||||
proxy = true
|
|
||||||
|
|
||||||
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
|
||||||
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
|
||||||
# xmpp-proxy will use this many bytes + 16k per connection
|
|
||||||
max_stanza_size_bytes = 262_144
|
|
||||||
|
|
||||||
# TLS key/certificate valid for all your XMPP domains, PEM format
|
|
||||||
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
|
||||||
tls_key = "/etc/certs/rsa/one.example.org.key"
|
|
||||||
tls_cert = "/etc/certs/rsa/one.example.org.crt"
|
|
||||||
|
|
||||||
# configure logging, defaults are commented
|
|
||||||
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
|
||||||
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
|
||||||
#log_level = "info"
|
|
||||||
# for development/debugging:
|
|
||||||
log_level = "info,xmpp_proxy=trace"
|
|
||||||
|
|
||||||
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
|
||||||
#log_style = "never"
|
|
@ -1,20 +0,0 @@
|
|||||||
$TTL 300
|
|
||||||
; example.org
|
|
||||||
@ IN SOA ns1.example.org. postmaster.example.org. (
|
|
||||||
2018111111 ; Serial
|
|
||||||
28800 ; Refresh
|
|
||||||
1800 ; Retry
|
|
||||||
604800 ; Expire - 1 week
|
|
||||||
86400 ) ; Negative Cache TTL
|
|
||||||
IN NS ns1
|
|
||||||
ns1 IN A 192.5.0.10
|
|
||||||
server1 IN A 192.5.0.20
|
|
||||||
server2 IN A 192.5.0.30
|
|
||||||
xp1 IN A 192.5.0.40
|
|
||||||
xp2 IN A 192.5.0.50
|
|
||||||
|
|
||||||
one IN CNAME server1
|
|
||||||
two IN CNAME server1
|
|
||||||
|
|
||||||
scansion.one IN CNAME xp1
|
|
||||||
scansion.two IN CNAME xp1
|
|
@ -1,225 +0,0 @@
|
|||||||
--Important for systemd
|
|
||||||
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
|
||||||
daemonize = false
|
|
||||||
run_as_root = true
|
|
||||||
|
|
||||||
pidfile = "/run/prosody/prosody.pid"
|
|
||||||
|
|
||||||
-- Prosody Example Configuration File
|
|
||||||
--
|
|
||||||
-- Information on configuring Prosody can be found on our
|
|
||||||
-- website at https://prosody.im/doc/configure
|
|
||||||
--
|
|
||||||
-- Tip: You can check that the syntax of this file is correct
|
|
||||||
-- when you have finished by running this command:
|
|
||||||
-- prosodyctl check config
|
|
||||||
-- If there are any errors, it will let you know what and where
|
|
||||||
-- they are, otherwise it will keep quiet.
|
|
||||||
--
|
|
||||||
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
|
||||||
-- blanks. Good luck, and happy Jabbering!
|
|
||||||
|
|
||||||
|
|
||||||
---------- Server-wide settings ----------
|
|
||||||
-- Settings in this section apply to the whole server and are the default settings
|
|
||||||
-- for any virtual hosts
|
|
||||||
|
|
||||||
-- This is a (by default, empty) list of accounts that are admins
|
|
||||||
-- for the server. Note that you must create the accounts separately
|
|
||||||
-- (see https://prosody.im/doc/creating_accounts for info)
|
|
||||||
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
|
||||||
admins = { }
|
|
||||||
|
|
||||||
-- Enable use of libevent for better performance under high load
|
|
||||||
-- For more information see: https://prosody.im/doc/libevent
|
|
||||||
--use_libevent = true
|
|
||||||
|
|
||||||
-- Prosody will always look in its source directory for modules, but
|
|
||||||
-- this option allows you to specify additional locations where Prosody
|
|
||||||
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
|
||||||
--plugin_paths = {}
|
|
||||||
|
|
||||||
-- This is the list of modules Prosody will load on startup.
|
|
||||||
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
|
||||||
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
|
||||||
modules_enabled = {
|
|
||||||
|
|
||||||
-- Generally required
|
|
||||||
"roster"; -- Allow users to have a roster. Recommended ;)
|
|
||||||
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
|
||||||
"tls"; -- Add support for secure TLS on c2s/s2s connections
|
|
||||||
--"dialback"; -- s2s dialback support
|
|
||||||
"disco"; -- Service discovery
|
|
||||||
|
|
||||||
-- Not essential, but recommended
|
|
||||||
"carbons"; -- Keep multiple clients in sync
|
|
||||||
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
|
||||||
"private"; -- Private XML storage (for room bookmarks, etc.)
|
|
||||||
"blocklist"; -- Allow users to block communications with other users
|
|
||||||
"vcard4"; -- User profiles (stored in PEP)
|
|
||||||
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
|
||||||
"limits"; -- Enable bandwidth limiting for XMPP connections
|
|
||||||
|
|
||||||
-- Nice to have
|
|
||||||
"version"; -- Replies to server version requests
|
|
||||||
"uptime"; -- Report how long server has been running
|
|
||||||
"time"; -- Let others know the time here on this server
|
|
||||||
"ping"; -- Replies to XMPP pings with pongs
|
|
||||||
"register"; -- Allow users to register on this server using a client and change passwords
|
|
||||||
--"mam"; -- Store messages in an archive and allow users to access it
|
|
||||||
--"csi_simple"; -- Simple Mobile optimizations
|
|
||||||
|
|
||||||
-- Admin interfaces
|
|
||||||
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
|
||||||
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
|
||||||
|
|
||||||
-- HTTP modules
|
|
||||||
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
|
||||||
--"websocket"; -- XMPP over WebSockets
|
|
||||||
--"http_files"; -- Serve static files from a directory over HTTP
|
|
||||||
|
|
||||||
-- Other specific functionality
|
|
||||||
--"groups"; -- Shared roster support
|
|
||||||
--"server_contact_info"; -- Publish contact information for this service
|
|
||||||
--"announce"; -- Send announcement to all online users
|
|
||||||
--"welcome"; -- Welcome users who register accounts
|
|
||||||
--"watchregistrations"; -- Alert admins of registrations
|
|
||||||
--"motd"; -- Send a message to users when they log in
|
|
||||||
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
|
||||||
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
|
||||||
}
|
|
||||||
|
|
||||||
-- These modules are auto-loaded, but should you want
|
|
||||||
-- to disable them then uncomment them here:
|
|
||||||
modules_disabled = {
|
|
||||||
-- "offline"; -- Store offline messages
|
|
||||||
-- "c2s"; -- Handle client connections
|
|
||||||
-- "s2s"; -- Handle server-to-server connections
|
|
||||||
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
|
||||||
}
|
|
||||||
|
|
||||||
legacy_ssl_ports = { 443 };
|
|
||||||
c2s_ports = { };
|
|
||||||
|
|
||||||
-- Disable account creation by default, for security
|
|
||||||
-- For more information see https://prosody.im/doc/creating_accounts
|
|
||||||
allow_registration = false
|
|
||||||
|
|
||||||
-- Force clients to use encrypted connections? This option will
|
|
||||||
-- prevent clients from authenticating unless they are using encryption.
|
|
||||||
|
|
||||||
c2s_require_encryption = true
|
|
||||||
|
|
||||||
-- Force servers to use encrypted connections? This option will
|
|
||||||
-- prevent servers from authenticating unless they are using encryption.
|
|
||||||
|
|
||||||
s2s_require_encryption = true
|
|
||||||
|
|
||||||
-- Force certificate authentication for server-to-server connections?
|
|
||||||
|
|
||||||
s2s_secure_auth = false
|
|
||||||
|
|
||||||
-- Some servers have invalid or self-signed certificates. You can list
|
|
||||||
-- remote domains here that will not be required to authenticate using
|
|
||||||
-- certificates. They will be authenticated using DNS instead, even
|
|
||||||
-- when s2s_secure_auth is enabled.
|
|
||||||
|
|
||||||
--s2s_insecure_domains = { "insecure.example" }
|
|
||||||
|
|
||||||
-- Even if you disable s2s_secure_auth, you can still require valid
|
|
||||||
-- certificates for some domains by specifying a list here.
|
|
||||||
|
|
||||||
--s2s_secure_domains = { "jabber.org" }
|
|
||||||
|
|
||||||
-- Enable rate limits for incoming client and server connections
|
|
||||||
|
|
||||||
limits = {
|
|
||||||
c2s = {
|
|
||||||
rate = "10kb/s";
|
|
||||||
};
|
|
||||||
s2sin = {
|
|
||||||
rate = "30kb/s";
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Select the authentication backend to use. The 'internal' providers
|
|
||||||
-- use Prosody's configured data storage to store the authentication data.
|
|
||||||
|
|
||||||
authentication = "internal_hashed"
|
|
||||||
|
|
||||||
-- Select the storage backend to use. By default Prosody uses flat files
|
|
||||||
-- in its configured data directory, but it also supports more backends
|
|
||||||
-- through modules. An "sql" backend is included by default, but requires
|
|
||||||
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
|
||||||
|
|
||||||
--storage = "sql" -- Default is "internal"
|
|
||||||
|
|
||||||
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
|
||||||
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
|
||||||
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
|
||||||
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
|
||||||
|
|
||||||
|
|
||||||
-- Archiving configuration
|
|
||||||
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
|
||||||
-- is used to synchronize conversations between multiple clients, even if
|
|
||||||
-- they are offline. This setting controls how long Prosody will keep
|
|
||||||
-- messages in the archive before removing them.
|
|
||||||
|
|
||||||
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
|
||||||
|
|
||||||
-- You can also configure messages to be stored in-memory only. For more
|
|
||||||
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
|
||||||
|
|
||||||
-- Logging configuration
|
|
||||||
-- For advanced logging see https://prosody.im/doc/logging
|
|
||||||
log = {
|
|
||||||
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
|
||||||
-- error = "prosody.err";
|
|
||||||
--info = "*syslog"; -- Uncomment this for logging to syslog
|
|
||||||
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Uncomment to enable statistics
|
|
||||||
-- For more info see https://prosody.im/doc/statistics
|
|
||||||
-- statistics = "internal"
|
|
||||||
|
|
||||||
-- Certificates
|
|
||||||
-- Every virtual host and component needs a certificate so that clients and
|
|
||||||
-- servers can securely verify its identity. Prosody will automatically load
|
|
||||||
-- certificates/keys from the directory specified here.
|
|
||||||
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
|
||||||
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
|
||||||
|
|
||||||
-- Location of directory to find certificates in (relative to main config file):
|
|
||||||
certificates = "certs"
|
|
||||||
|
|
||||||
----------- Virtual hosts -----------
|
|
||||||
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
|
||||||
-- Settings under each VirtualHost entry apply *only* to that host.
|
|
||||||
|
|
||||||
VirtualHost "one.example.org"
|
|
||||||
|
|
||||||
VirtualHost "two.example.org"
|
|
||||||
|
|
||||||
--VirtualHost "example.com"
|
|
||||||
-- certificate = "/path/to/example.crt"
|
|
||||||
|
|
||||||
------ Components ------
|
|
||||||
-- You can specify components to add hosts that provide special services,
|
|
||||||
-- like multi-user conferences, and transports.
|
|
||||||
-- For more information on components, see https://prosody.im/doc/components
|
|
||||||
|
|
||||||
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
|
||||||
--Component "conference.example.com" "muc"
|
|
||||||
--- Store MUC messages in an archive and allow users to access it
|
|
||||||
--modules_enabled = { "muc_mam" }
|
|
||||||
|
|
||||||
---Set up an external component (default component port is 5347)
|
|
||||||
--
|
|
||||||
-- External components allow adding various services, such as gateways/
|
|
||||||
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
|
||||||
-- see: https://prosody.im/doc/components#adding_an_external_component
|
|
||||||
--
|
|
||||||
--Component "gateway.example.com"
|
|
||||||
-- component_secret = "password"
|
|
@ -1,44 +0,0 @@
|
|||||||
|
|
||||||
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
|
||||||
incoming_listen = [ ]
|
|
||||||
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
|
||||||
quic_listen = [ ]
|
|
||||||
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
|
||||||
websocket_listen = [ ]
|
|
||||||
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
|
||||||
outgoing_listen = [ "0.0.0.0:5222" ]
|
|
||||||
|
|
||||||
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
|
||||||
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
|
||||||
|
|
||||||
# c2s port backend XMPP server listens on
|
|
||||||
c2s_target = "127.0.0.1:15222"
|
|
||||||
|
|
||||||
# s2s port backend XMPP server listens on
|
|
||||||
s2s_target = "127.0.0.1:15269"
|
|
||||||
|
|
||||||
# send PROXYv1 header to backend XMPP server
|
|
||||||
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
|
||||||
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
|
||||||
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
|
||||||
proxy = true
|
|
||||||
|
|
||||||
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
|
||||||
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
|
||||||
# xmpp-proxy will use this many bytes + 16k per connection
|
|
||||||
max_stanza_size_bytes = 262_144
|
|
||||||
|
|
||||||
# TLS key/certificate valid for all your XMPP domains, PEM format
|
|
||||||
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
|
||||||
tls_key = "/etc/certs/rsa/one.example.org.key"
|
|
||||||
tls_cert = "/etc/certs/rsa/one.example.org.crt"
|
|
||||||
|
|
||||||
# configure logging, defaults are commented
|
|
||||||
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
|
||||||
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
|
||||||
#log_level = "info"
|
|
||||||
# for development/debugging:
|
|
||||||
log_level = "info,xmpp_proxy=trace"
|
|
||||||
|
|
||||||
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
|
||||||
#log_style = "never"
|
|
@ -1,20 +0,0 @@
|
|||||||
$TTL 300
|
|
||||||
; example.org
|
|
||||||
@ IN SOA ns1.example.org. postmaster.example.org. (
|
|
||||||
2018111111 ; Serial
|
|
||||||
28800 ; Refresh
|
|
||||||
1800 ; Retry
|
|
||||||
604800 ; Expire - 1 week
|
|
||||||
86400 ) ; Negative Cache TTL
|
|
||||||
IN NS ns1
|
|
||||||
ns1 IN A 192.5.0.10
|
|
||||||
server1 IN A 192.5.0.20
|
|
||||||
server2 IN A 192.5.0.30
|
|
||||||
xp1 IN A 192.5.0.40
|
|
||||||
xp2 IN A 192.5.0.50
|
|
||||||
|
|
||||||
_xmpps-client._tcp.one IN SRV 5 1 5443 server1
|
|
||||||
_xmpps-client._tcp.two IN SRV 5 1 5443 server1
|
|
||||||
|
|
||||||
scansion.one IN CNAME xp1
|
|
||||||
scansion.two IN CNAME xp1
|
|
@ -1,228 +0,0 @@
|
|||||||
--Important for systemd
|
|
||||||
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
|
||||||
daemonize = false
|
|
||||||
run_as_root = true
|
|
||||||
|
|
||||||
pidfile = "/run/prosody/prosody.pid"
|
|
||||||
|
|
||||||
-- Prosody Example Configuration File
|
|
||||||
--
|
|
||||||
-- Information on configuring Prosody can be found on our
|
|
||||||
-- website at https://prosody.im/doc/configure
|
|
||||||
--
|
|
||||||
-- Tip: You can check that the syntax of this file is correct
|
|
||||||
-- when you have finished by running this command:
|
|
||||||
-- prosodyctl check config
|
|
||||||
-- If there are any errors, it will let you know what and where
|
|
||||||
-- they are, otherwise it will keep quiet.
|
|
||||||
--
|
|
||||||
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
|
||||||
-- blanks. Good luck, and happy Jabbering!
|
|
||||||
|
|
||||||
|
|
||||||
---------- Server-wide settings ----------
|
|
||||||
-- Settings in this section apply to the whole server and are the default settings
|
|
||||||
-- for any virtual hosts
|
|
||||||
|
|
||||||
-- This is a (by default, empty) list of accounts that are admins
|
|
||||||
-- for the server. Note that you must create the accounts separately
|
|
||||||
-- (see https://prosody.im/doc/creating_accounts for info)
|
|
||||||
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
|
||||||
admins = { }
|
|
||||||
|
|
||||||
-- Enable use of libevent for better performance under high load
|
|
||||||
-- For more information see: https://prosody.im/doc/libevent
|
|
||||||
--use_libevent = true
|
|
||||||
|
|
||||||
-- Prosody will always look in its source directory for modules, but
|
|
||||||
-- this option allows you to specify additional locations where Prosody
|
|
||||||
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
|
||||||
--plugin_paths = {}
|
|
||||||
|
|
||||||
-- This is the list of modules Prosody will load on startup.
|
|
||||||
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
|
||||||
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
|
||||||
modules_enabled = {
|
|
||||||
|
|
||||||
-- Generally required
|
|
||||||
"roster"; -- Allow users to have a roster. Recommended ;)
|
|
||||||
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
|
||||||
"tls"; -- Add support for secure TLS on c2s/s2s connections
|
|
||||||
--"dialback"; -- s2s dialback support
|
|
||||||
"disco"; -- Service discovery
|
|
||||||
|
|
||||||
-- Not essential, but recommended
|
|
||||||
"carbons"; -- Keep multiple clients in sync
|
|
||||||
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
|
||||||
"private"; -- Private XML storage (for room bookmarks, etc.)
|
|
||||||
"blocklist"; -- Allow users to block communications with other users
|
|
||||||
"vcard4"; -- User profiles (stored in PEP)
|
|
||||||
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
|
||||||
"limits"; -- Enable bandwidth limiting for XMPP connections
|
|
||||||
|
|
||||||
-- Nice to have
|
|
||||||
"version"; -- Replies to server version requests
|
|
||||||
"uptime"; -- Report how long server has been running
|
|
||||||
"time"; -- Let others know the time here on this server
|
|
||||||
"ping"; -- Replies to XMPP pings with pongs
|
|
||||||
"register"; -- Allow users to register on this server using a client and change passwords
|
|
||||||
--"mam"; -- Store messages in an archive and allow users to access it
|
|
||||||
--"csi_simple"; -- Simple Mobile optimizations
|
|
||||||
|
|
||||||
-- Admin interfaces
|
|
||||||
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
|
||||||
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
|
||||||
|
|
||||||
-- HTTP modules
|
|
||||||
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
|
||||||
--"websocket"; -- XMPP over WebSockets
|
|
||||||
--"http_files"; -- Serve static files from a directory over HTTP
|
|
||||||
|
|
||||||
-- Other specific functionality
|
|
||||||
--"groups"; -- Shared roster support
|
|
||||||
--"server_contact_info"; -- Publish contact information for this service
|
|
||||||
--"announce"; -- Send announcement to all online users
|
|
||||||
--"welcome"; -- Welcome users who register accounts
|
|
||||||
--"watchregistrations"; -- Alert admins of registrations
|
|
||||||
--"motd"; -- Send a message to users when they log in
|
|
||||||
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
|
||||||
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
|
||||||
}
|
|
||||||
|
|
||||||
-- These modules are auto-loaded, but should you want
|
|
||||||
-- to disable them then uncomment them here:
|
|
||||||
modules_disabled = {
|
|
||||||
-- "offline"; -- Store offline messages
|
|
||||||
-- "c2s"; -- Handle client connections
|
|
||||||
-- "s2s"; -- Handle server-to-server connections
|
|
||||||
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
|
||||||
}
|
|
||||||
|
|
||||||
legacy_ssl_ports = { 5443 };
|
|
||||||
c2s_ports = { };
|
|
||||||
|
|
||||||
-- Disable account creation by default, for security
|
|
||||||
-- For more information see https://prosody.im/doc/creating_accounts
|
|
||||||
allow_registration = false
|
|
||||||
|
|
||||||
-- Force clients to use encrypted connections? This option will
|
|
||||||
-- prevent clients from authenticating unless they are using encryption.
|
|
||||||
|
|
||||||
c2s_require_encryption = true
|
|
||||||
|
|
||||||
-- Force servers to use encrypted connections? This option will
|
|
||||||
-- prevent servers from authenticating unless they are using encryption.
|
|
||||||
|
|
||||||
s2s_require_encryption = true
|
|
||||||
|
|
||||||
-- Force certificate authentication for server-to-server connections?
|
|
||||||
|
|
||||||
s2s_secure_auth = false
|
|
||||||
|
|
||||||
-- Some servers have invalid or self-signed certificates. You can list
|
|
||||||
-- remote domains here that will not be required to authenticate using
|
|
||||||
-- certificates. They will be authenticated using DNS instead, even
|
|
||||||
-- when s2s_secure_auth is enabled.
|
|
||||||
|
|
||||||
--s2s_insecure_domains = { "insecure.example" }
|
|
||||||
|
|
||||||
-- Even if you disable s2s_secure_auth, you can still require valid
|
|
||||||
-- certificates for some domains by specifying a list here.
|
|
||||||
|
|
||||||
--s2s_secure_domains = { "jabber.org" }
|
|
||||||
|
|
||||||
-- Enable rate limits for incoming client and server connections
|
|
||||||
|
|
||||||
limits = {
|
|
||||||
c2s = {
|
|
||||||
rate = "10kb/s";
|
|
||||||
};
|
|
||||||
s2sin = {
|
|
||||||
rate = "30kb/s";
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Select the authentication backend to use. The 'internal' providers
|
|
||||||
-- use Prosody's configured data storage to store the authentication data.
|
|
||||||
|
|
||||||
authentication = "internal_hashed"
|
|
||||||
|
|
||||||
-- Select the storage backend to use. By default Prosody uses flat files
|
|
||||||
-- in its configured data directory, but it also supports more backends
|
|
||||||
-- through modules. An "sql" backend is included by default, but requires
|
|
||||||
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
|
||||||
|
|
||||||
--storage = "sql" -- Default is "internal"
|
|
||||||
|
|
||||||
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
|
||||||
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
|
||||||
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
|
||||||
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
|
||||||
|
|
||||||
|
|
||||||
-- Archiving configuration
|
|
||||||
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
|
||||||
-- is used to synchronize conversations between multiple clients, even if
|
|
||||||
-- they are offline. This setting controls how long Prosody will keep
|
|
||||||
-- messages in the archive before removing them.
|
|
||||||
|
|
||||||
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
|
||||||
|
|
||||||
-- You can also configure messages to be stored in-memory only. For more
|
|
||||||
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
|
||||||
|
|
||||||
-- Logging configuration
|
|
||||||
-- For advanced logging see https://prosody.im/doc/logging
|
|
||||||
log = {
|
|
||||||
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
|
||||||
-- error = "prosody.err";
|
|
||||||
--info = "*syslog"; -- Uncomment this for logging to syslog
|
|
||||||
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Uncomment to enable statistics
|
|
||||||
-- For more info see https://prosody.im/doc/statistics
|
|
||||||
-- statistics = "internal"
|
|
||||||
|
|
||||||
-- Certificates
|
|
||||||
-- Every virtual host and component needs a certificate so that clients and
|
|
||||||
-- servers can securely verify its identity. Prosody will automatically load
|
|
||||||
-- certificates/keys from the directory specified here.
|
|
||||||
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
|
||||||
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
|
||||||
|
|
||||||
-- Location of directory to find certificates in (relative to main config file):
|
|
||||||
certificates = "certs"
|
|
||||||
|
|
||||||
-- HTTPS currently only supports a single certificate, specify it here:
|
|
||||||
https_certificate = "/etc/prosody/certs/wildcard.crt"
|
|
||||||
|
|
||||||
----------- Virtual hosts -----------
|
|
||||||
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
|
||||||
-- Settings under each VirtualHost entry apply *only* to that host.
|
|
||||||
|
|
||||||
VirtualHost "one.example.org"
|
|
||||||
|
|
||||||
VirtualHost "two.example.org"
|
|
||||||
|
|
||||||
--VirtualHost "example.com"
|
|
||||||
-- certificate = "/path/to/example.crt"
|
|
||||||
|
|
||||||
------ Components ------
|
|
||||||
-- You can specify components to add hosts that provide special services,
|
|
||||||
-- like multi-user conferences, and transports.
|
|
||||||
-- For more information on components, see https://prosody.im/doc/components
|
|
||||||
|
|
||||||
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
|
||||||
--Component "conference.example.com" "muc"
|
|
||||||
--- Store MUC messages in an archive and allow users to access it
|
|
||||||
--modules_enabled = { "muc_mam" }
|
|
||||||
|
|
||||||
---Set up an external component (default component port is 5347)
|
|
||||||
--
|
|
||||||
-- External components allow adding various services, such as gateways/
|
|
||||||
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
|
||||||
-- see: https://prosody.im/doc/components#adding_an_external_component
|
|
||||||
--
|
|
||||||
--Component "gateway.example.com"
|
|
||||||
-- component_secret = "password"
|
|
@ -1,44 +0,0 @@
|
|||||||
|
|
||||||
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
|
||||||
incoming_listen = [ ]
|
|
||||||
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
|
||||||
quic_listen = [ ]
|
|
||||||
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
|
||||||
websocket_listen = [ ]
|
|
||||||
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
|
||||||
outgoing_listen = [ "0.0.0.0:5222" ]
|
|
||||||
|
|
||||||
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
|
||||||
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
|
||||||
|
|
||||||
# c2s port backend XMPP server listens on
|
|
||||||
c2s_target = "127.0.0.1:15222"
|
|
||||||
|
|
||||||
# s2s port backend XMPP server listens on
|
|
||||||
s2s_target = "127.0.0.1:15269"
|
|
||||||
|
|
||||||
# send PROXYv1 header to backend XMPP server
|
|
||||||
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
|
||||||
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
|
||||||
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
|
||||||
proxy = true
|
|
||||||
|
|
||||||
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
|
||||||
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
|
||||||
# xmpp-proxy will use this many bytes + 16k per connection
|
|
||||||
max_stanza_size_bytes = 262_144
|
|
||||||
|
|
||||||
# TLS key/certificate valid for all your XMPP domains, PEM format
|
|
||||||
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
|
||||||
tls_key = "/etc/certs/rsa/one.example.org.key"
|
|
||||||
tls_cert = "/etc/certs/rsa/one.example.org.crt"
|
|
||||||
|
|
||||||
# configure logging, defaults are commented
|
|
||||||
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
|
||||||
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
|
||||||
#log_level = "info"
|
|
||||||
# for development/debugging:
|
|
||||||
log_level = "info,xmpp_proxy=trace"
|
|
||||||
|
|
||||||
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
|
||||||
#log_style = "never"
|
|
@ -1,22 +0,0 @@
|
|||||||
$TTL 300
|
|
||||||
; example.org
|
|
||||||
@ IN SOA ns1.example.org. postmaster.example.org. (
|
|
||||||
2018111111 ; Serial
|
|
||||||
28800 ; Refresh
|
|
||||||
1800 ; Retry
|
|
||||||
604800 ; Expire - 1 week
|
|
||||||
86400 ) ; Negative Cache TTL
|
|
||||||
IN NS ns1
|
|
||||||
ns1 IN A 192.5.0.10
|
|
||||||
server1 IN A 192.5.0.20
|
|
||||||
server2 IN A 192.5.0.30
|
|
||||||
xp1 IN A 192.5.0.40
|
|
||||||
xp2 IN A 192.5.0.50
|
|
||||||
|
|
||||||
one IN CNAME server1
|
|
||||||
two IN CNAME server1
|
|
||||||
_xmppconnect.one IN TXT "_xmpp-client-websocket=wss://one.example.org:5281/xmpp-websocket"
|
|
||||||
_xmppconnect.two IN TXT "_xmpp-client-websocket=wss://two.example.org:5281/xmpp-websocket"
|
|
||||||
|
|
||||||
scansion.one IN CNAME xp1
|
|
||||||
scansion.two IN CNAME xp1
|
|
@ -1,228 +0,0 @@
|
|||||||
--Important for systemd
|
|
||||||
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
|
||||||
daemonize = false
|
|
||||||
run_as_root = true
|
|
||||||
|
|
||||||
pidfile = "/run/prosody/prosody.pid"
|
|
||||||
|
|
||||||
-- Prosody Example Configuration File
|
|
||||||
--
|
|
||||||
-- Information on configuring Prosody can be found on our
|
|
||||||
-- website at https://prosody.im/doc/configure
|
|
||||||
--
|
|
||||||
-- Tip: You can check that the syntax of this file is correct
|
|
||||||
-- when you have finished by running this command:
|
|
||||||
-- prosodyctl check config
|
|
||||||
-- If there are any errors, it will let you know what and where
|
|
||||||
-- they are, otherwise it will keep quiet.
|
|
||||||
--
|
|
||||||
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
|
||||||
-- blanks. Good luck, and happy Jabbering!
|
|
||||||
|
|
||||||
|
|
||||||
---------- Server-wide settings ----------
|
|
||||||
-- Settings in this section apply to the whole server and are the default settings
|
|
||||||
-- for any virtual hosts
|
|
||||||
|
|
||||||
-- This is a (by default, empty) list of accounts that are admins
|
|
||||||
-- for the server. Note that you must create the accounts separately
|
|
||||||
-- (see https://prosody.im/doc/creating_accounts for info)
|
|
||||||
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
|
||||||
admins = { }
|
|
||||||
|
|
||||||
-- Enable use of libevent for better performance under high load
|
|
||||||
-- For more information see: https://prosody.im/doc/libevent
|
|
||||||
--use_libevent = true
|
|
||||||
|
|
||||||
-- Prosody will always look in its source directory for modules, but
|
|
||||||
-- this option allows you to specify additional locations where Prosody
|
|
||||||
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
|
||||||
--plugin_paths = {}
|
|
||||||
|
|
||||||
-- This is the list of modules Prosody will load on startup.
|
|
||||||
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
|
||||||
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
|
||||||
modules_enabled = {
|
|
||||||
|
|
||||||
-- Generally required
|
|
||||||
"roster"; -- Allow users to have a roster. Recommended ;)
|
|
||||||
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
|
||||||
"tls"; -- Add support for secure TLS on c2s/s2s connections
|
|
||||||
--"dialback"; -- s2s dialback support
|
|
||||||
"disco"; -- Service discovery
|
|
||||||
|
|
||||||
-- Not essential, but recommended
|
|
||||||
"carbons"; -- Keep multiple clients in sync
|
|
||||||
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
|
||||||
"private"; -- Private XML storage (for room bookmarks, etc.)
|
|
||||||
"blocklist"; -- Allow users to block communications with other users
|
|
||||||
"vcard4"; -- User profiles (stored in PEP)
|
|
||||||
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
|
||||||
"limits"; -- Enable bandwidth limiting for XMPP connections
|
|
||||||
|
|
||||||
-- Nice to have
|
|
||||||
"version"; -- Replies to server version requests
|
|
||||||
"uptime"; -- Report how long server has been running
|
|
||||||
"time"; -- Let others know the time here on this server
|
|
||||||
"ping"; -- Replies to XMPP pings with pongs
|
|
||||||
"register"; -- Allow users to register on this server using a client and change passwords
|
|
||||||
--"mam"; -- Store messages in an archive and allow users to access it
|
|
||||||
--"csi_simple"; -- Simple Mobile optimizations
|
|
||||||
|
|
||||||
-- Admin interfaces
|
|
||||||
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
|
||||||
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
|
||||||
|
|
||||||
-- HTTP modules
|
|
||||||
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
|
||||||
"websocket"; -- XMPP over WebSockets
|
|
||||||
--"http_files"; -- Serve static files from a directory over HTTP
|
|
||||||
|
|
||||||
-- Other specific functionality
|
|
||||||
--"groups"; -- Shared roster support
|
|
||||||
--"server_contact_info"; -- Publish contact information for this service
|
|
||||||
--"announce"; -- Send announcement to all online users
|
|
||||||
--"welcome"; -- Welcome users who register accounts
|
|
||||||
--"watchregistrations"; -- Alert admins of registrations
|
|
||||||
--"motd"; -- Send a message to users when they log in
|
|
||||||
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
|
||||||
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
|
||||||
}
|
|
||||||
|
|
||||||
-- These modules are auto-loaded, but should you want
|
|
||||||
-- to disable them then uncomment them here:
|
|
||||||
modules_disabled = {
|
|
||||||
-- "offline"; -- Store offline messages
|
|
||||||
-- "c2s"; -- Handle client connections
|
|
||||||
-- "s2s"; -- Handle server-to-server connections
|
|
||||||
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
|
||||||
}
|
|
||||||
|
|
||||||
legacy_ssl_ports = { };
|
|
||||||
c2s_ports = { };
|
|
||||||
|
|
||||||
-- Disable account creation by default, for security
|
|
||||||
-- For more information see https://prosody.im/doc/creating_accounts
|
|
||||||
allow_registration = false
|
|
||||||
|
|
||||||
-- Force clients to use encrypted connections? This option will
|
|
||||||
-- prevent clients from authenticating unless they are using encryption.
|
|
||||||
|
|
||||||
c2s_require_encryption = true
|
|
||||||
|
|
||||||
-- Force servers to use encrypted connections? This option will
|
|
||||||
-- prevent servers from authenticating unless they are using encryption.
|
|
||||||
|
|
||||||
s2s_require_encryption = true
|
|
||||||
|
|
||||||
-- Force certificate authentication for server-to-server connections?
|
|
||||||
|
|
||||||
s2s_secure_auth = false
|
|
||||||
|
|
||||||
-- Some servers have invalid or self-signed certificates. You can list
|
|
||||||
-- remote domains here that will not be required to authenticate using
|
|
||||||
-- certificates. They will be authenticated using DNS instead, even
|
|
||||||
-- when s2s_secure_auth is enabled.
|
|
||||||
|
|
||||||
--s2s_insecure_domains = { "insecure.example" }
|
|
||||||
|
|
||||||
-- Even if you disable s2s_secure_auth, you can still require valid
|
|
||||||
-- certificates for some domains by specifying a list here.
|
|
||||||
|
|
||||||
--s2s_secure_domains = { "jabber.org" }
|
|
||||||
|
|
||||||
-- Enable rate limits for incoming client and server connections
|
|
||||||
|
|
||||||
limits = {
|
|
||||||
c2s = {
|
|
||||||
rate = "10kb/s";
|
|
||||||
};
|
|
||||||
s2sin = {
|
|
||||||
rate = "30kb/s";
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Select the authentication backend to use. The 'internal' providers
|
|
||||||
-- use Prosody's configured data storage to store the authentication data.
|
|
||||||
|
|
||||||
authentication = "internal_hashed"
|
|
||||||
|
|
||||||
-- Select the storage backend to use. By default Prosody uses flat files
|
|
||||||
-- in its configured data directory, but it also supports more backends
|
|
||||||
-- through modules. An "sql" backend is included by default, but requires
|
|
||||||
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
|
||||||
|
|
||||||
--storage = "sql" -- Default is "internal"
|
|
||||||
|
|
||||||
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
|
||||||
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
|
||||||
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
|
||||||
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
|
||||||
|
|
||||||
|
|
||||||
-- Archiving configuration
|
|
||||||
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
|
||||||
-- is used to synchronize conversations between multiple clients, even if
|
|
||||||
-- they are offline. This setting controls how long Prosody will keep
|
|
||||||
-- messages in the archive before removing them.
|
|
||||||
|
|
||||||
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
|
||||||
|
|
||||||
-- You can also configure messages to be stored in-memory only. For more
|
|
||||||
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
|
||||||
|
|
||||||
-- Logging configuration
|
|
||||||
-- For advanced logging see https://prosody.im/doc/logging
|
|
||||||
log = {
|
|
||||||
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
|
||||||
-- error = "prosody.err";
|
|
||||||
--info = "*syslog"; -- Uncomment this for logging to syslog
|
|
||||||
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Uncomment to enable statistics
|
|
||||||
-- For more info see https://prosody.im/doc/statistics
|
|
||||||
-- statistics = "internal"
|
|
||||||
|
|
||||||
-- Certificates
|
|
||||||
-- Every virtual host and component needs a certificate so that clients and
|
|
||||||
-- servers can securely verify its identity. Prosody will automatically load
|
|
||||||
-- certificates/keys from the directory specified here.
|
|
||||||
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
|
||||||
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
|
||||||
|
|
||||||
-- Location of directory to find certificates in (relative to main config file):
|
|
||||||
certificates = "certs"
|
|
||||||
|
|
||||||
-- HTTPS currently only supports a single certificate, specify it here:
|
|
||||||
--https_certificate = "/etc/prosody/certs/wildcard.crt"
|
|
||||||
|
|
||||||
----------- Virtual hosts -----------
|
|
||||||
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
|
||||||
-- Settings under each VirtualHost entry apply *only* to that host.
|
|
||||||
|
|
||||||
VirtualHost "one.example.org"
|
|
||||||
|
|
||||||
VirtualHost "two.example.org"
|
|
||||||
|
|
||||||
--VirtualHost "example.com"
|
|
||||||
-- certificate = "/path/to/example.crt"
|
|
||||||
|
|
||||||
------ Components ------
|
|
||||||
-- You can specify components to add hosts that provide special services,
|
|
||||||
-- like multi-user conferences, and transports.
|
|
||||||
-- For more information on components, see https://prosody.im/doc/components
|
|
||||||
|
|
||||||
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
|
||||||
--Component "conference.example.com" "muc"
|
|
||||||
--- Store MUC messages in an archive and allow users to access it
|
|
||||||
--modules_enabled = { "muc_mam" }
|
|
||||||
|
|
||||||
---Set up an external component (default component port is 5347)
|
|
||||||
--
|
|
||||||
-- External components allow adding various services, such as gateways/
|
|
||||||
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
|
||||||
-- see: https://prosody.im/doc/components#adding_an_external_component
|
|
||||||
--
|
|
||||||
--Component "gateway.example.com"
|
|
||||||
-- component_secret = "password"
|
|
@ -1,44 +0,0 @@
|
|||||||
|
|
||||||
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
|
||||||
incoming_listen = [ ]
|
|
||||||
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
|
||||||
quic_listen = [ ]
|
|
||||||
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
|
||||||
websocket_listen = [ ]
|
|
||||||
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
|
||||||
outgoing_listen = [ "0.0.0.0:5222" ]
|
|
||||||
|
|
||||||
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
|
||||||
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
|
||||||
|
|
||||||
# c2s port backend XMPP server listens on
|
|
||||||
c2s_target = "127.0.0.1:15222"
|
|
||||||
|
|
||||||
# s2s port backend XMPP server listens on
|
|
||||||
s2s_target = "127.0.0.1:15269"
|
|
||||||
|
|
||||||
# send PROXYv1 header to backend XMPP server
|
|
||||||
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
|
||||||
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
|
||||||
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
|
||||||
proxy = true
|
|
||||||
|
|
||||||
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
|
||||||
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
|
||||||
# xmpp-proxy will use this many bytes + 16k per connection
|
|
||||||
max_stanza_size_bytes = 262_144
|
|
||||||
|
|
||||||
# TLS key/certificate valid for all your XMPP domains, PEM format
|
|
||||||
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
|
||||||
tls_key = "/etc/certs/rsa/one.example.org.key"
|
|
||||||
tls_cert = "/etc/certs/rsa/one.example.org.crt"
|
|
||||||
|
|
||||||
# configure logging, defaults are commented
|
|
||||||
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
|
||||||
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
|
||||||
#log_level = "info"
|
|
||||||
# for development/debugging:
|
|
||||||
log_level = "info,xmpp_proxy=trace"
|
|
||||||
|
|
||||||
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
|
||||||
#log_style = "never"
|
|
@ -1,21 +0,0 @@
|
|||||||
$TTL 300
|
|
||||||
; example.org
|
|
||||||
@ IN SOA ns1.example.org. postmaster.example.org. (
|
|
||||||
2018111111 ; Serial
|
|
||||||
28800 ; Refresh
|
|
||||||
1800 ; Retry
|
|
||||||
604800 ; Expire - 1 week
|
|
||||||
86400 ) ; Negative Cache TTL
|
|
||||||
IN NS ns1
|
|
||||||
ns1 IN A 192.5.0.10
|
|
||||||
server1 IN A 192.5.0.20
|
|
||||||
server2 IN A 192.5.0.30
|
|
||||||
xp1 IN A 192.5.0.40
|
|
||||||
xp2 IN A 192.5.0.50
|
|
||||||
xp3 IN A 192.5.0.60
|
|
||||||
|
|
||||||
one IN CNAME xp1
|
|
||||||
two IN CNAME xp1
|
|
||||||
|
|
||||||
scansion.one IN CNAME xp3
|
|
||||||
scansion.two IN CNAME xp3
|
|
@ -1,253 +0,0 @@
|
|||||||
--Important for systemd
|
|
||||||
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
|
||||||
daemonize = false
|
|
||||||
run_as_root = true
|
|
||||||
|
|
||||||
pidfile = "/run/prosody/prosody.pid"
|
|
||||||
|
|
||||||
plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
|
|
||||||
|
|
||||||
-- Prosody Example Configuration File
|
|
||||||
--
|
|
||||||
-- Information on configuring Prosody can be found on our
|
|
||||||
-- website at https://prosody.im/doc/configure
|
|
||||||
--
|
|
||||||
-- Tip: You can check that the syntax of this file is correct
|
|
||||||
-- when you have finished by running this command:
|
|
||||||
-- prosodyctl check config
|
|
||||||
-- If there are any errors, it will let you know what and where
|
|
||||||
-- they are, otherwise it will keep quiet.
|
|
||||||
--
|
|
||||||
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
|
||||||
-- blanks. Good luck, and happy Jabbering!
|
|
||||||
|
|
||||||
|
|
||||||
---------- Server-wide settings ----------
|
|
||||||
-- Settings in this section apply to the whole server and are the default settings
|
|
||||||
-- for any virtual hosts
|
|
||||||
|
|
||||||
-- This is a (by default, empty) list of accounts that are admins
|
|
||||||
-- for the server. Note that you must create the accounts separately
|
|
||||||
-- (see https://prosody.im/doc/creating_accounts for info)
|
|
||||||
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
|
||||||
admins = { }
|
|
||||||
|
|
||||||
-- Enable use of libevent for better performance under high load
|
|
||||||
-- For more information see: https://prosody.im/doc/libevent
|
|
||||||
--use_libevent = true
|
|
||||||
|
|
||||||
-- Prosody will always look in its source directory for modules, but
|
|
||||||
-- this option allows you to specify additional locations where Prosody
|
|
||||||
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
|
||||||
--plugin_paths = {}
|
|
||||||
|
|
||||||
-- This is the list of modules Prosody will load on startup.
|
|
||||||
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
|
||||||
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
|
||||||
modules_enabled = {
|
|
||||||
|
|
||||||
-- Generally required
|
|
||||||
"roster"; -- Allow users to have a roster. Recommended ;)
|
|
||||||
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
|
||||||
--"tls"; -- Add support for secure TLS on c2s/s2s connections
|
|
||||||
--"dialback"; -- s2s dialback support
|
|
||||||
"disco"; -- Service discovery
|
|
||||||
|
|
||||||
-- Not essential, but recommended
|
|
||||||
"carbons"; -- Keep multiple clients in sync
|
|
||||||
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
|
||||||
"private"; -- Private XML storage (for room bookmarks, etc.)
|
|
||||||
"blocklist"; -- Allow users to block communications with other users
|
|
||||||
"vcard4"; -- User profiles (stored in PEP)
|
|
||||||
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
|
||||||
"limits"; -- Enable bandwidth limiting for XMPP connections
|
|
||||||
|
|
||||||
-- Nice to have
|
|
||||||
"version"; -- Replies to server version requests
|
|
||||||
"uptime"; -- Report how long server has been running
|
|
||||||
"time"; -- Let others know the time here on this server
|
|
||||||
"ping"; -- Replies to XMPP pings with pongs
|
|
||||||
"register"; -- Allow users to register on this server using a client and change passwords
|
|
||||||
--"mam"; -- Store messages in an archive and allow users to access it
|
|
||||||
--"csi_simple"; -- Simple Mobile optimizations
|
|
||||||
|
|
||||||
-- Admin interfaces
|
|
||||||
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
|
||||||
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
|
||||||
|
|
||||||
-- HTTP modules
|
|
||||||
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
|
||||||
--"websocket"; -- XMPP over WebSockets
|
|
||||||
--"http_files"; -- Serve static files from a directory over HTTP
|
|
||||||
|
|
||||||
-- Other specific functionality
|
|
||||||
--"groups"; -- Shared roster support
|
|
||||||
--"server_contact_info"; -- Publish contact information for this service
|
|
||||||
--"announce"; -- Send announcement to all online users
|
|
||||||
--"welcome"; -- Welcome users who register accounts
|
|
||||||
--"watchregistrations"; -- Alert admins of registrations
|
|
||||||
--"motd"; -- Send a message to users when they log in
|
|
||||||
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
|
||||||
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
|
||||||
"net_proxy";
|
|
||||||
"s2s_outgoing_proxy";
|
|
||||||
}
|
|
||||||
|
|
||||||
-- These modules are auto-loaded, but should you want
|
|
||||||
-- to disable them then uncomment them here:
|
|
||||||
modules_disabled = {
|
|
||||||
-- "offline"; -- Store offline messages
|
|
||||||
-- "c2s"; -- Handle client connections
|
|
||||||
-- "s2s"; -- Handle server-to-server connections
|
|
||||||
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Disable account creation by default, for security
|
|
||||||
-- For more information see https://prosody.im/doc/creating_accounts
|
|
||||||
allow_registration = false
|
|
||||||
|
|
||||||
-- we don't need prosody doing any encryption, xmpp-proxy does this now
|
|
||||||
-- these are likely set to true somewhere in your file, find them, make them false
|
|
||||||
-- you can also remove all certificates from your config
|
|
||||||
s2s_require_encryption = false
|
|
||||||
s2s_secure_auth = false
|
|
||||||
|
|
||||||
-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
|
|
||||||
s2s_outgoing_proxy = { "xp1.example.org", 15270 }
|
|
||||||
|
|
||||||
-- handle PROXY protocol on these ports
|
|
||||||
proxy_port_mappings = {
|
|
||||||
[15222] = "c2s",
|
|
||||||
[15269] = "s2s"
|
|
||||||
}
|
|
||||||
|
|
||||||
--[[
|
|
||||||
Specifies a list of trusted hosts or networks which may use the PROXY protocol
|
|
||||||
If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
|
|
||||||
An empty table ({}) can be configured to allow connections from any source.
|
|
||||||
Please read the module documentation about potential security impact.
|
|
||||||
]]--
|
|
||||||
proxy_trusted_proxies = {
|
|
||||||
"192.5.0.40"
|
|
||||||
}
|
|
||||||
|
|
||||||
-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
|
|
||||||
-- you might need to comment these out further down in your config file if you set them
|
|
||||||
c2s_ports = {}
|
|
||||||
legacy_ssl_ports = {}
|
|
||||||
-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
|
|
||||||
s2s_ports = {15268}
|
|
||||||
|
|
||||||
-- Force clients to use encrypted connections? This option will
|
|
||||||
-- prevent clients from authenticating unless they are using encryption.
|
|
||||||
|
|
||||||
c2s_require_encryption = false
|
|
||||||
allow_unencrypted_plain_auth = true
|
|
||||||
|
|
||||||
-- Some servers have invalid or self-signed certificates. You can list
|
|
||||||
-- remote domains here that will not be required to authenticate using
|
|
||||||
-- certificates. They will be authenticated using DNS instead, even
|
|
||||||
-- when s2s_secure_auth is enabled.
|
|
||||||
|
|
||||||
--s2s_insecure_domains = { "insecure.example" }
|
|
||||||
|
|
||||||
-- Even if you disable s2s_secure_auth, you can still require valid
|
|
||||||
-- certificates for some domains by specifying a list here.
|
|
||||||
|
|
||||||
--s2s_secure_domains = { "jabber.org" }
|
|
||||||
|
|
||||||
-- Enable rate limits for incoming client and server connections
|
|
||||||
|
|
||||||
limits = {
|
|
||||||
c2s = {
|
|
||||||
rate = "10kb/s";
|
|
||||||
};
|
|
||||||
s2sin = {
|
|
||||||
rate = "30kb/s";
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Select the authentication backend to use. The 'internal' providers
|
|
||||||
-- use Prosody's configured data storage to store the authentication data.
|
|
||||||
|
|
||||||
authentication = "internal_hashed"
|
|
||||||
|
|
||||||
-- Select the storage backend to use. By default Prosody uses flat files
|
|
||||||
-- in its configured data directory, but it also supports more backends
|
|
||||||
-- through modules. An "sql" backend is included by default, but requires
|
|
||||||
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
|
||||||
|
|
||||||
--storage = "sql" -- Default is "internal"
|
|
||||||
|
|
||||||
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
|
||||||
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
|
||||||
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
|
||||||
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
|
||||||
|
|
||||||
|
|
||||||
-- Archiving configuration
|
|
||||||
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
|
||||||
-- is used to synchronize conversations between multiple clients, even if
|
|
||||||
-- they are offline. This setting controls how long Prosody will keep
|
|
||||||
-- messages in the archive before removing them.
|
|
||||||
|
|
||||||
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
|
||||||
|
|
||||||
-- You can also configure messages to be stored in-memory only. For more
|
|
||||||
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
|
||||||
|
|
||||||
-- Logging configuration
|
|
||||||
-- For advanced logging see https://prosody.im/doc/logging
|
|
||||||
log = {
|
|
||||||
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
|
||||||
-- error = "prosody.err";
|
|
||||||
--info = "*syslog"; -- Uncomment this for logging to syslog
|
|
||||||
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Uncomment to enable statistics
|
|
||||||
-- For more info see https://prosody.im/doc/statistics
|
|
||||||
-- statistics = "internal"
|
|
||||||
|
|
||||||
-- Certificates
|
|
||||||
-- Every virtual host and component needs a certificate so that clients and
|
|
||||||
-- servers can securely verify its identity. Prosody will automatically load
|
|
||||||
-- certificates/keys from the directory specified here.
|
|
||||||
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
|
||||||
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
|
||||||
|
|
||||||
-- Location of directory to find certificates in (relative to main config file):
|
|
||||||
certificates = "certs"
|
|
||||||
|
|
||||||
-- HTTPS currently only supports a single certificate, specify it here:
|
|
||||||
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
|
||||||
|
|
||||||
----------- Virtual hosts -----------
|
|
||||||
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
|
||||||
-- Settings under each VirtualHost entry apply *only* to that host.
|
|
||||||
|
|
||||||
VirtualHost "one.example.org"
|
|
||||||
|
|
||||||
VirtualHost "two.example.org"
|
|
||||||
|
|
||||||
--VirtualHost "example.com"
|
|
||||||
-- certificate = "/path/to/example.crt"
|
|
||||||
|
|
||||||
------ Components ------
|
|
||||||
-- You can specify components to add hosts that provide special services,
|
|
||||||
-- like multi-user conferences, and transports.
|
|
||||||
-- For more information on components, see https://prosody.im/doc/components
|
|
||||||
|
|
||||||
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
|
||||||
--Component "conference.example.com" "muc"
|
|
||||||
--- Store MUC messages in an archive and allow users to access it
|
|
||||||
--modules_enabled = { "muc_mam" }
|
|
||||||
|
|
||||||
---Set up an external component (default component port is 5347)
|
|
||||||
--
|
|
||||||
-- External components allow adding various services, such as gateways/
|
|
||||||
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
|
||||||
-- see: https://prosody.im/doc/components#adding_an_external_component
|
|
||||||
--
|
|
||||||
--Component "gateway.example.com"
|
|
||||||
-- component_secret = "password"
|
|
@ -1,44 +0,0 @@
|
|||||||
|
|
||||||
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
|
||||||
incoming_listen = [ "0.0.0.0:5222" ]
|
|
||||||
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
|
||||||
quic_listen = [ ]
|
|
||||||
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
|
||||||
websocket_listen = [ ]
|
|
||||||
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
|
||||||
outgoing_listen = [ ]
|
|
||||||
|
|
||||||
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
|
||||||
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
|
||||||
|
|
||||||
# c2s port backend XMPP server listens on
|
|
||||||
c2s_target = "192.5.0.20:15222"
|
|
||||||
|
|
||||||
# s2s port backend XMPP server listens on
|
|
||||||
s2s_target = "192.5.0.20:15269"
|
|
||||||
|
|
||||||
# send PROXYv1 header to backend XMPP server
|
|
||||||
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
|
||||||
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
|
||||||
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
|
||||||
proxy = true
|
|
||||||
|
|
||||||
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
|
||||||
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
|
||||||
# xmpp-proxy will use this many bytes + 16k per connection
|
|
||||||
max_stanza_size_bytes = 262_144
|
|
||||||
|
|
||||||
# TLS key/certificate valid for all your XMPP domains, PEM format
|
|
||||||
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
|
||||||
tls_key = "/etc/prosody/certs/wildcard.key"
|
|
||||||
tls_cert = "/etc/prosody/certs/wildcard.crt"
|
|
||||||
|
|
||||||
# configure logging, defaults are commented
|
|
||||||
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
|
||||||
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
|
||||||
#log_level = "info"
|
|
||||||
# for development/debugging:
|
|
||||||
log_level = "info,xmpp_proxy=trace"
|
|
||||||
|
|
||||||
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
|
||||||
#log_style = "never"
|
|
@ -1,44 +0,0 @@
|
|||||||
|
|
||||||
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
|
||||||
incoming_listen = [ ]
|
|
||||||
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
|
||||||
quic_listen = [ ]
|
|
||||||
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
|
||||||
websocket_listen = [ ]
|
|
||||||
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
|
||||||
outgoing_listen = [ "0.0.0.0:5222" ]
|
|
||||||
|
|
||||||
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
|
||||||
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
|
||||||
|
|
||||||
# c2s port backend XMPP server listens on
|
|
||||||
c2s_target = "127.0.0.1:15222"
|
|
||||||
|
|
||||||
# s2s port backend XMPP server listens on
|
|
||||||
s2s_target = "127.0.0.1:15269"
|
|
||||||
|
|
||||||
# send PROXYv1 header to backend XMPP server
|
|
||||||
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
|
||||||
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
|
||||||
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
|
||||||
proxy = true
|
|
||||||
|
|
||||||
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
|
||||||
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
|
||||||
# xmpp-proxy will use this many bytes + 16k per connection
|
|
||||||
max_stanza_size_bytes = 262_144
|
|
||||||
|
|
||||||
# TLS key/certificate valid for all your XMPP domains, PEM format
|
|
||||||
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
|
||||||
tls_key = "/etc/certs/rsa/one.example.org.key"
|
|
||||||
tls_cert = "/etc/certs/rsa/one.example.org.crt"
|
|
||||||
|
|
||||||
# configure logging, defaults are commented
|
|
||||||
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
|
||||||
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
|
||||||
#log_level = "info"
|
|
||||||
# for development/debugging:
|
|
||||||
log_level = "info,xmpp_proxy=trace"
|
|
||||||
|
|
||||||
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
|
||||||
#log_style = "never"
|
|
@ -1,21 +0,0 @@
|
|||||||
$TTL 300
|
|
||||||
; example.org
|
|
||||||
@ IN SOA ns1.example.org. postmaster.example.org. (
|
|
||||||
2018111111 ; Serial
|
|
||||||
28800 ; Refresh
|
|
||||||
1800 ; Retry
|
|
||||||
604800 ; Expire - 1 week
|
|
||||||
86400 ) ; Negative Cache TTL
|
|
||||||
IN NS ns1
|
|
||||||
ns1 IN A 192.5.0.10
|
|
||||||
server1 IN A 192.5.0.20
|
|
||||||
server2 IN A 192.5.0.30
|
|
||||||
xp1 IN A 192.5.0.40
|
|
||||||
xp2 IN A 192.5.0.50
|
|
||||||
xp3 IN A 192.5.0.60
|
|
||||||
|
|
||||||
one IN CNAME xp1
|
|
||||||
two IN CNAME xp1
|
|
||||||
|
|
||||||
scansion.one IN CNAME xp3
|
|
||||||
scansion.two IN CNAME xp3
|
|
@ -1,253 +0,0 @@
|
|||||||
--Important for systemd
|
|
||||||
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
|
||||||
daemonize = false
|
|
||||||
run_as_root = true
|
|
||||||
|
|
||||||
pidfile = "/run/prosody/prosody.pid"
|
|
||||||
|
|
||||||
plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
|
|
||||||
|
|
||||||
-- Prosody Example Configuration File
|
|
||||||
--
|
|
||||||
-- Information on configuring Prosody can be found on our
|
|
||||||
-- website at https://prosody.im/doc/configure
|
|
||||||
--
|
|
||||||
-- Tip: You can check that the syntax of this file is correct
|
|
||||||
-- when you have finished by running this command:
|
|
||||||
-- prosodyctl check config
|
|
||||||
-- If there are any errors, it will let you know what and where
|
|
||||||
-- they are, otherwise it will keep quiet.
|
|
||||||
--
|
|
||||||
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
|
||||||
-- blanks. Good luck, and happy Jabbering!
|
|
||||||
|
|
||||||
|
|
||||||
---------- Server-wide settings ----------
|
|
||||||
-- Settings in this section apply to the whole server and are the default settings
|
|
||||||
-- for any virtual hosts
|
|
||||||
|
|
||||||
-- This is a (by default, empty) list of accounts that are admins
|
|
||||||
-- for the server. Note that you must create the accounts separately
|
|
||||||
-- (see https://prosody.im/doc/creating_accounts for info)
|
|
||||||
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
|
||||||
admins = { }
|
|
||||||
|
|
||||||
-- Enable use of libevent for better performance under high load
|
|
||||||
-- For more information see: https://prosody.im/doc/libevent
|
|
||||||
--use_libevent = true
|
|
||||||
|
|
||||||
-- Prosody will always look in its source directory for modules, but
|
|
||||||
-- this option allows you to specify additional locations where Prosody
|
|
||||||
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
|
||||||
--plugin_paths = {}
|
|
||||||
|
|
||||||
-- This is the list of modules Prosody will load on startup.
|
|
||||||
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
|
||||||
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
|
||||||
modules_enabled = {
|
|
||||||
|
|
||||||
-- Generally required
|
|
||||||
"roster"; -- Allow users to have a roster. Recommended ;)
|
|
||||||
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
|
||||||
--"tls"; -- Add support for secure TLS on c2s/s2s connections
|
|
||||||
--"dialback"; -- s2s dialback support
|
|
||||||
"disco"; -- Service discovery
|
|
||||||
|
|
||||||
-- Not essential, but recommended
|
|
||||||
"carbons"; -- Keep multiple clients in sync
|
|
||||||
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
|
||||||
"private"; -- Private XML storage (for room bookmarks, etc.)
|
|
||||||
"blocklist"; -- Allow users to block communications with other users
|
|
||||||
"vcard4"; -- User profiles (stored in PEP)
|
|
||||||
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
|
||||||
"limits"; -- Enable bandwidth limiting for XMPP connections
|
|
||||||
|
|
||||||
-- Nice to have
|
|
||||||
"version"; -- Replies to server version requests
|
|
||||||
"uptime"; -- Report how long server has been running
|
|
||||||
"time"; -- Let others know the time here on this server
|
|
||||||
"ping"; -- Replies to XMPP pings with pongs
|
|
||||||
"register"; -- Allow users to register on this server using a client and change passwords
|
|
||||||
--"mam"; -- Store messages in an archive and allow users to access it
|
|
||||||
--"csi_simple"; -- Simple Mobile optimizations
|
|
||||||
|
|
||||||
-- Admin interfaces
|
|
||||||
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
|
||||||
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
|
||||||
|
|
||||||
-- HTTP modules
|
|
||||||
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
|
||||||
--"websocket"; -- XMPP over WebSockets
|
|
||||||
--"http_files"; -- Serve static files from a directory over HTTP
|
|
||||||
|
|
||||||
-- Other specific functionality
|
|
||||||
--"groups"; -- Shared roster support
|
|
||||||
--"server_contact_info"; -- Publish contact information for this service
|
|
||||||
--"announce"; -- Send announcement to all online users
|
|
||||||
--"welcome"; -- Welcome users who register accounts
|
|
||||||
--"watchregistrations"; -- Alert admins of registrations
|
|
||||||
--"motd"; -- Send a message to users when they log in
|
|
||||||
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
|
||||||
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
|
||||||
"net_proxy";
|
|
||||||
"s2s_outgoing_proxy";
|
|
||||||
}
|
|
||||||
|
|
||||||
-- These modules are auto-loaded, but should you want
|
|
||||||
-- to disable them then uncomment them here:
|
|
||||||
modules_disabled = {
|
|
||||||
-- "offline"; -- Store offline messages
|
|
||||||
-- "c2s"; -- Handle client connections
|
|
||||||
-- "s2s"; -- Handle server-to-server connections
|
|
||||||
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Disable account creation by default, for security
|
|
||||||
-- For more information see https://prosody.im/doc/creating_accounts
|
|
||||||
allow_registration = false
|
|
||||||
|
|
||||||
-- we don't need prosody doing any encryption, xmpp-proxy does this now
|
|
||||||
-- these are likely set to true somewhere in your file, find them, make them false
|
|
||||||
-- you can also remove all certificates from your config
|
|
||||||
s2s_require_encryption = false
|
|
||||||
s2s_secure_auth = false
|
|
||||||
|
|
||||||
-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
|
|
||||||
s2s_outgoing_proxy = { "xp1.example.org", 15270 }
|
|
||||||
|
|
||||||
-- handle PROXY protocol on these ports
|
|
||||||
proxy_port_mappings = {
|
|
||||||
[15222] = "c2s",
|
|
||||||
[15269] = "s2s"
|
|
||||||
}
|
|
||||||
|
|
||||||
--[[
|
|
||||||
Specifies a list of trusted hosts or networks which may use the PROXY protocol
|
|
||||||
If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
|
|
||||||
An empty table ({}) can be configured to allow connections from any source.
|
|
||||||
Please read the module documentation about potential security impact.
|
|
||||||
]]--
|
|
||||||
proxy_trusted_proxies = {
|
|
||||||
"192.5.0.40"
|
|
||||||
}
|
|
||||||
|
|
||||||
-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
|
|
||||||
-- you might need to comment these out further down in your config file if you set them
|
|
||||||
c2s_ports = {}
|
|
||||||
legacy_ssl_ports = {}
|
|
||||||
-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
|
|
||||||
s2s_ports = {15268}
|
|
||||||
|
|
||||||
-- Force clients to use encrypted connections? This option will
|
|
||||||
-- prevent clients from authenticating unless they are using encryption.
|
|
||||||
|
|
||||||
c2s_require_encryption = false
|
|
||||||
allow_unencrypted_plain_auth = true
|
|
||||||
|
|
||||||
-- Some servers have invalid or self-signed certificates. You can list
|
|
||||||
-- remote domains here that will not be required to authenticate using
|
|
||||||
-- certificates. They will be authenticated using DNS instead, even
|
|
||||||
-- when s2s_secure_auth is enabled.
|
|
||||||
|
|
||||||
--s2s_insecure_domains = { "insecure.example" }
|
|
||||||
|
|
||||||
-- Even if you disable s2s_secure_auth, you can still require valid
|
|
||||||
-- certificates for some domains by specifying a list here.
|
|
||||||
|
|
||||||
--s2s_secure_domains = { "jabber.org" }
|
|
||||||
|
|
||||||
-- Enable rate limits for incoming client and server connections
|
|
||||||
|
|
||||||
limits = {
|
|
||||||
c2s = {
|
|
||||||
rate = "10kb/s";
|
|
||||||
};
|
|
||||||
s2sin = {
|
|
||||||
rate = "30kb/s";
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Select the authentication backend to use. The 'internal' providers
|
|
||||||
-- use Prosody's configured data storage to store the authentication data.
|
|
||||||
|
|
||||||
authentication = "internal_hashed"
|
|
||||||
|
|
||||||
-- Select the storage backend to use. By default Prosody uses flat files
|
|
||||||
-- in its configured data directory, but it also supports more backends
|
|
||||||
-- through modules. An "sql" backend is included by default, but requires
|
|
||||||
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
|
||||||
|
|
||||||
--storage = "sql" -- Default is "internal"
|
|
||||||
|
|
||||||
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
|
||||||
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
|
||||||
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
|
||||||
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
|
||||||
|
|
||||||
|
|
||||||
-- Archiving configuration
|
|
||||||
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
|
||||||
-- is used to synchronize conversations between multiple clients, even if
|
|
||||||
-- they are offline. This setting controls how long Prosody will keep
|
|
||||||
-- messages in the archive before removing them.
|
|
||||||
|
|
||||||
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
|
||||||
|
|
||||||
-- You can also configure messages to be stored in-memory only. For more
|
|
||||||
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
|
||||||
|
|
||||||
-- Logging configuration
|
|
||||||
-- For advanced logging see https://prosody.im/doc/logging
|
|
||||||
log = {
|
|
||||||
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
|
||||||
-- error = "prosody.err";
|
|
||||||
--info = "*syslog"; -- Uncomment this for logging to syslog
|
|
||||||
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Uncomment to enable statistics
|
|
||||||
-- For more info see https://prosody.im/doc/statistics
|
|
||||||
-- statistics = "internal"
|
|
||||||
|
|
||||||
-- Certificates
|
|
||||||
-- Every virtual host and component needs a certificate so that clients and
|
|
||||||
-- servers can securely verify its identity. Prosody will automatically load
|
|
||||||
-- certificates/keys from the directory specified here.
|
|
||||||
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
|
||||||
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
|
||||||
|
|
||||||
-- Location of directory to find certificates in (relative to main config file):
|
|
||||||
certificates = "certs"
|
|
||||||
|
|
||||||
-- HTTPS currently only supports a single certificate, specify it here:
|
|
||||||
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
|
||||||
|
|
||||||
----------- Virtual hosts -----------
|
|
||||||
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
|
||||||
-- Settings under each VirtualHost entry apply *only* to that host.
|
|
||||||
|
|
||||||
VirtualHost "one.example.org"
|
|
||||||
|
|
||||||
VirtualHost "two.example.org"
|
|
||||||
|
|
||||||
--VirtualHost "example.com"
|
|
||||||
-- certificate = "/path/to/example.crt"
|
|
||||||
|
|
||||||
------ Components ------
|
|
||||||
-- You can specify components to add hosts that provide special services,
|
|
||||||
-- like multi-user conferences, and transports.
|
|
||||||
-- For more information on components, see https://prosody.im/doc/components
|
|
||||||
|
|
||||||
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
|
||||||
--Component "conference.example.com" "muc"
|
|
||||||
--- Store MUC messages in an archive and allow users to access it
|
|
||||||
--modules_enabled = { "muc_mam" }
|
|
||||||
|
|
||||||
---Set up an external component (default component port is 5347)
|
|
||||||
--
|
|
||||||
-- External components allow adding various services, such as gateways/
|
|
||||||
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
|
||||||
-- see: https://prosody.im/doc/components#adding_an_external_component
|
|
||||||
--
|
|
||||||
--Component "gateway.example.com"
|
|
||||||
-- component_secret = "password"
|
|
@ -1,44 +0,0 @@
|
|||||||
|
|
||||||
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
|
||||||
incoming_listen = [ "0.0.0.0:443" ]
|
|
||||||
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
|
||||||
quic_listen = [ ]
|
|
||||||
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
|
||||||
websocket_listen = [ ]
|
|
||||||
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
|
||||||
outgoing_listen = [ ]
|
|
||||||
|
|
||||||
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
|
||||||
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
|
||||||
|
|
||||||
# c2s port backend XMPP server listens on
|
|
||||||
c2s_target = "192.5.0.20:15222"
|
|
||||||
|
|
||||||
# s2s port backend XMPP server listens on
|
|
||||||
s2s_target = "192.5.0.20:15269"
|
|
||||||
|
|
||||||
# send PROXYv1 header to backend XMPP server
|
|
||||||
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
|
||||||
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
|
||||||
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
|
||||||
proxy = true
|
|
||||||
|
|
||||||
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
|
||||||
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
|
||||||
# xmpp-proxy will use this many bytes + 16k per connection
|
|
||||||
max_stanza_size_bytes = 262_144
|
|
||||||
|
|
||||||
# TLS key/certificate valid for all your XMPP domains, PEM format
|
|
||||||
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
|
||||||
tls_key = "/etc/prosody/certs/wildcard.key"
|
|
||||||
tls_cert = "/etc/prosody/certs/wildcard.crt"
|
|
||||||
|
|
||||||
# configure logging, defaults are commented
|
|
||||||
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
|
||||||
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
|
||||||
#log_level = "info"
|
|
||||||
# for development/debugging:
|
|
||||||
log_level = "info,xmpp_proxy=trace"
|
|
||||||
|
|
||||||
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
|
||||||
#log_style = "never"
|
|
@ -1,44 +0,0 @@
|
|||||||
|
|
||||||
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
|
||||||
incoming_listen = [ ]
|
|
||||||
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
|
||||||
quic_listen = [ ]
|
|
||||||
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
|
||||||
websocket_listen = [ ]
|
|
||||||
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
|
||||||
outgoing_listen = [ "0.0.0.0:5222" ]
|
|
||||||
|
|
||||||
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
|
||||||
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
|
||||||
|
|
||||||
# c2s port backend XMPP server listens on
|
|
||||||
c2s_target = "127.0.0.1:15222"
|
|
||||||
|
|
||||||
# s2s port backend XMPP server listens on
|
|
||||||
s2s_target = "127.0.0.1:15269"
|
|
||||||
|
|
||||||
# send PROXYv1 header to backend XMPP server
|
|
||||||
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
|
||||||
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
|
||||||
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
|
||||||
proxy = true
|
|
||||||
|
|
||||||
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
|
||||||
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
|
||||||
# xmpp-proxy will use this many bytes + 16k per connection
|
|
||||||
max_stanza_size_bytes = 262_144
|
|
||||||
|
|
||||||
# TLS key/certificate valid for all your XMPP domains, PEM format
|
|
||||||
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
|
||||||
tls_key = "/etc/certs/rsa/one.example.org.key"
|
|
||||||
tls_cert = "/etc/certs/rsa/one.example.org.crt"
|
|
||||||
|
|
||||||
# configure logging, defaults are commented
|
|
||||||
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
|
||||||
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
|
||||||
#log_level = "info"
|
|
||||||
# for development/debugging:
|
|
||||||
log_level = "info,xmpp_proxy=trace"
|
|
||||||
|
|
||||||
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
|
||||||
#log_style = "never"
|
|
@ -1,21 +0,0 @@
|
|||||||
$TTL 300
|
|
||||||
; example.org
|
|
||||||
@ IN SOA ns1.example.org. postmaster.example.org. (
|
|
||||||
2018111111 ; Serial
|
|
||||||
28800 ; Refresh
|
|
||||||
1800 ; Retry
|
|
||||||
604800 ; Expire - 1 week
|
|
||||||
86400 ) ; Negative Cache TTL
|
|
||||||
IN NS ns1
|
|
||||||
ns1 IN A 192.5.0.10
|
|
||||||
server1 IN A 192.5.0.20
|
|
||||||
server2 IN A 192.5.0.30
|
|
||||||
xp1 IN A 192.5.0.40
|
|
||||||
xp2 IN A 192.5.0.50
|
|
||||||
xp3 IN A 192.5.0.60
|
|
||||||
|
|
||||||
one IN CNAME xp1
|
|
||||||
two IN CNAME xp1
|
|
||||||
|
|
||||||
scansion.one IN CNAME xp3
|
|
||||||
scansion.two IN CNAME xp3
|
|
@ -1,253 +0,0 @@
|
|||||||
--Important for systemd
|
|
||||||
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
|
||||||
daemonize = false
|
|
||||||
run_as_root = true
|
|
||||||
|
|
||||||
pidfile = "/run/prosody/prosody.pid"
|
|
||||||
|
|
||||||
plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
|
|
||||||
|
|
||||||
-- Prosody Example Configuration File
|
|
||||||
--
|
|
||||||
-- Information on configuring Prosody can be found on our
|
|
||||||
-- website at https://prosody.im/doc/configure
|
|
||||||
--
|
|
||||||
-- Tip: You can check that the syntax of this file is correct
|
|
||||||
-- when you have finished by running this command:
|
|
||||||
-- prosodyctl check config
|
|
||||||
-- If there are any errors, it will let you know what and where
|
|
||||||
-- they are, otherwise it will keep quiet.
|
|
||||||
--
|
|
||||||
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
|
||||||
-- blanks. Good luck, and happy Jabbering!
|
|
||||||
|
|
||||||
|
|
||||||
---------- Server-wide settings ----------
|
|
||||||
-- Settings in this section apply to the whole server and are the default settings
|
|
||||||
-- for any virtual hosts
|
|
||||||
|
|
||||||
-- This is a (by default, empty) list of accounts that are admins
|
|
||||||
-- for the server. Note that you must create the accounts separately
|
|
||||||
-- (see https://prosody.im/doc/creating_accounts for info)
|
|
||||||
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
|
||||||
admins = { }
|
|
||||||
|
|
||||||
-- Enable use of libevent for better performance under high load
|
|
||||||
-- For more information see: https://prosody.im/doc/libevent
|
|
||||||
--use_libevent = true
|
|
||||||
|
|
||||||
-- Prosody will always look in its source directory for modules, but
|
|
||||||
-- this option allows you to specify additional locations where Prosody
|
|
||||||
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
|
||||||
--plugin_paths = {}
|
|
||||||
|
|
||||||
-- This is the list of modules Prosody will load on startup.
|
|
||||||
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
|
||||||
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
|
||||||
modules_enabled = {
|
|
||||||
|
|
||||||
-- Generally required
|
|
||||||
"roster"; -- Allow users to have a roster. Recommended ;)
|
|
||||||
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
|
||||||
--"tls"; -- Add support for secure TLS on c2s/s2s connections
|
|
||||||
--"dialback"; -- s2s dialback support
|
|
||||||
"disco"; -- Service discovery
|
|
||||||
|
|
||||||
-- Not essential, but recommended
|
|
||||||
"carbons"; -- Keep multiple clients in sync
|
|
||||||
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
|
||||||
"private"; -- Private XML storage (for room bookmarks, etc.)
|
|
||||||
"blocklist"; -- Allow users to block communications with other users
|
|
||||||
"vcard4"; -- User profiles (stored in PEP)
|
|
||||||
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
|
||||||
"limits"; -- Enable bandwidth limiting for XMPP connections
|
|
||||||
|
|
||||||
-- Nice to have
|
|
||||||
"version"; -- Replies to server version requests
|
|
||||||
"uptime"; -- Report how long server has been running
|
|
||||||
"time"; -- Let others know the time here on this server
|
|
||||||
"ping"; -- Replies to XMPP pings with pongs
|
|
||||||
"register"; -- Allow users to register on this server using a client and change passwords
|
|
||||||
--"mam"; -- Store messages in an archive and allow users to access it
|
|
||||||
--"csi_simple"; -- Simple Mobile optimizations
|
|
||||||
|
|
||||||
-- Admin interfaces
|
|
||||||
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
|
||||||
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
|
||||||
|
|
||||||
-- HTTP modules
|
|
||||||
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
|
||||||
--"websocket"; -- XMPP over WebSockets
|
|
||||||
--"http_files"; -- Serve static files from a directory over HTTP
|
|
||||||
|
|
||||||
-- Other specific functionality
|
|
||||||
--"groups"; -- Shared roster support
|
|
||||||
--"server_contact_info"; -- Publish contact information for this service
|
|
||||||
--"announce"; -- Send announcement to all online users
|
|
||||||
--"welcome"; -- Welcome users who register accounts
|
|
||||||
--"watchregistrations"; -- Alert admins of registrations
|
|
||||||
--"motd"; -- Send a message to users when they log in
|
|
||||||
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
|
||||||
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
|
||||||
"net_proxy";
|
|
||||||
"s2s_outgoing_proxy";
|
|
||||||
}
|
|
||||||
|
|
||||||
-- These modules are auto-loaded, but should you want
|
|
||||||
-- to disable them then uncomment them here:
|
|
||||||
modules_disabled = {
|
|
||||||
-- "offline"; -- Store offline messages
|
|
||||||
-- "c2s"; -- Handle client connections
|
|
||||||
-- "s2s"; -- Handle server-to-server connections
|
|
||||||
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Disable account creation by default, for security
|
|
||||||
-- For more information see https://prosody.im/doc/creating_accounts
|
|
||||||
allow_registration = false
|
|
||||||
|
|
||||||
-- we don't need prosody doing any encryption, xmpp-proxy does this now
|
|
||||||
-- these are likely set to true somewhere in your file, find them, make them false
|
|
||||||
-- you can also remove all certificates from your config
|
|
||||||
s2s_require_encryption = false
|
|
||||||
s2s_secure_auth = false
|
|
||||||
|
|
||||||
-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
|
|
||||||
s2s_outgoing_proxy = { "xp1.example.org", 15270 }
|
|
||||||
|
|
||||||
-- handle PROXY protocol on these ports
|
|
||||||
proxy_port_mappings = {
|
|
||||||
[15222] = "c2s",
|
|
||||||
[15269] = "s2s"
|
|
||||||
}
|
|
||||||
|
|
||||||
--[[
|
|
||||||
Specifies a list of trusted hosts or networks which may use the PROXY protocol
|
|
||||||
If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
|
|
||||||
An empty table ({}) can be configured to allow connections from any source.
|
|
||||||
Please read the module documentation about potential security impact.
|
|
||||||
]]--
|
|
||||||
proxy_trusted_proxies = {
|
|
||||||
"192.5.0.40"
|
|
||||||
}
|
|
||||||
|
|
||||||
-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
|
|
||||||
-- you might need to comment these out further down in your config file if you set them
|
|
||||||
c2s_ports = {}
|
|
||||||
legacy_ssl_ports = {}
|
|
||||||
-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
|
|
||||||
s2s_ports = {15268}
|
|
||||||
|
|
||||||
-- Force clients to use encrypted connections? This option will
|
|
||||||
-- prevent clients from authenticating unless they are using encryption.
|
|
||||||
|
|
||||||
c2s_require_encryption = false
|
|
||||||
allow_unencrypted_plain_auth = true
|
|
||||||
|
|
||||||
-- Some servers have invalid or self-signed certificates. You can list
|
|
||||||
-- remote domains here that will not be required to authenticate using
|
|
||||||
-- certificates. They will be authenticated using DNS instead, even
|
|
||||||
-- when s2s_secure_auth is enabled.
|
|
||||||
|
|
||||||
--s2s_insecure_domains = { "insecure.example" }
|
|
||||||
|
|
||||||
-- Even if you disable s2s_secure_auth, you can still require valid
|
|
||||||
-- certificates for some domains by specifying a list here.
|
|
||||||
|
|
||||||
--s2s_secure_domains = { "jabber.org" }
|
|
||||||
|
|
||||||
-- Enable rate limits for incoming client and server connections
|
|
||||||
|
|
||||||
limits = {
|
|
||||||
c2s = {
|
|
||||||
rate = "10kb/s";
|
|
||||||
};
|
|
||||||
s2sin = {
|
|
||||||
rate = "30kb/s";
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Select the authentication backend to use. The 'internal' providers
|
|
||||||
-- use Prosody's configured data storage to store the authentication data.
|
|
||||||
|
|
||||||
authentication = "internal_hashed"
|
|
||||||
|
|
||||||
-- Select the storage backend to use. By default Prosody uses flat files
|
|
||||||
-- in its configured data directory, but it also supports more backends
|
|
||||||
-- through modules. An "sql" backend is included by default, but requires
|
|
||||||
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
|
||||||
|
|
||||||
--storage = "sql" -- Default is "internal"
|
|
||||||
|
|
||||||
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
|
||||||
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
|
||||||
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
|
||||||
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
|
||||||
|
|
||||||
|
|
||||||
-- Archiving configuration
|
|
||||||
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
|
||||||
-- is used to synchronize conversations between multiple clients, even if
|
|
||||||
-- they are offline. This setting controls how long Prosody will keep
|
|
||||||
-- messages in the archive before removing them.
|
|
||||||
|
|
||||||
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
|
||||||
|
|
||||||
-- You can also configure messages to be stored in-memory only. For more
|
|
||||||
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
|
||||||
|
|
||||||
-- Logging configuration
|
|
||||||
-- For advanced logging see https://prosody.im/doc/logging
|
|
||||||
log = {
|
|
||||||
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
|
||||||
-- error = "prosody.err";
|
|
||||||
--info = "*syslog"; -- Uncomment this for logging to syslog
|
|
||||||
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Uncomment to enable statistics
|
|
||||||
-- For more info see https://prosody.im/doc/statistics
|
|
||||||
-- statistics = "internal"
|
|
||||||
|
|
||||||
-- Certificates
|
|
||||||
-- Every virtual host and component needs a certificate so that clients and
|
|
||||||
-- servers can securely verify its identity. Prosody will automatically load
|
|
||||||
-- certificates/keys from the directory specified here.
|
|
||||||
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
|
||||||
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
|
||||||
|
|
||||||
-- Location of directory to find certificates in (relative to main config file):
|
|
||||||
certificates = "certs"
|
|
||||||
|
|
||||||
-- HTTPS currently only supports a single certificate, specify it here:
|
|
||||||
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
|
||||||
|
|
||||||
----------- Virtual hosts -----------
|
|
||||||
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
|
||||||
-- Settings under each VirtualHost entry apply *only* to that host.
|
|
||||||
|
|
||||||
VirtualHost "one.example.org"
|
|
||||||
|
|
||||||
VirtualHost "two.example.org"
|
|
||||||
|
|
||||||
--VirtualHost "example.com"
|
|
||||||
-- certificate = "/path/to/example.crt"
|
|
||||||
|
|
||||||
------ Components ------
|
|
||||||
-- You can specify components to add hosts that provide special services,
|
|
||||||
-- like multi-user conferences, and transports.
|
|
||||||
-- For more information on components, see https://prosody.im/doc/components
|
|
||||||
|
|
||||||
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
|
||||||
--Component "conference.example.com" "muc"
|
|
||||||
--- Store MUC messages in an archive and allow users to access it
|
|
||||||
--modules_enabled = { "muc_mam" }
|
|
||||||
|
|
||||||
---Set up an external component (default component port is 5347)
|
|
||||||
--
|
|
||||||
-- External components allow adding various services, such as gateways/
|
|
||||||
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
|
||||||
-- see: https://prosody.im/doc/components#adding_an_external_component
|
|
||||||
--
|
|
||||||
--Component "gateway.example.com"
|
|
||||||
-- component_secret = "password"
|
|
@ -1,44 +0,0 @@
|
|||||||
|
|
||||||
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
|
||||||
incoming_listen = [ ]
|
|
||||||
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
|
||||||
quic_listen = [ "0.0.0.0:443" ]
|
|
||||||
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
|
||||||
websocket_listen = [ ]
|
|
||||||
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
|
||||||
outgoing_listen = [ ]
|
|
||||||
|
|
||||||
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
|
||||||
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
|
||||||
|
|
||||||
# c2s port backend XMPP server listens on
|
|
||||||
c2s_target = "192.5.0.20:15222"
|
|
||||||
|
|
||||||
# s2s port backend XMPP server listens on
|
|
||||||
s2s_target = "192.5.0.20:15269"
|
|
||||||
|
|
||||||
# send PROXYv1 header to backend XMPP server
|
|
||||||
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
|
||||||
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
|
||||||
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
|
||||||
proxy = true
|
|
||||||
|
|
||||||
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
|
||||||
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
|
||||||
# xmpp-proxy will use this many bytes + 16k per connection
|
|
||||||
max_stanza_size_bytes = 262_144
|
|
||||||
|
|
||||||
# TLS key/certificate valid for all your XMPP domains, PEM format
|
|
||||||
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
|
||||||
tls_key = "/etc/prosody/certs/wildcard.key"
|
|
||||||
tls_cert = "/etc/prosody/certs/wildcard.crt"
|
|
||||||
|
|
||||||
# configure logging, defaults are commented
|
|
||||||
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
|
||||||
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
|
||||||
#log_level = "info"
|
|
||||||
# for development/debugging:
|
|
||||||
log_level = "info,xmpp_proxy=trace"
|
|
||||||
|
|
||||||
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
|
||||||
#log_style = "never"
|
|
@ -1,44 +0,0 @@
|
|||||||
|
|
||||||
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
|
||||||
incoming_listen = [ ]
|
|
||||||
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
|
||||||
quic_listen = [ ]
|
|
||||||
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
|
||||||
websocket_listen = [ ]
|
|
||||||
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
|
||||||
outgoing_listen = [ "0.0.0.0:5222" ]
|
|
||||||
|
|
||||||
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
|
||||||
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
|
||||||
|
|
||||||
# c2s port backend XMPP server listens on
|
|
||||||
c2s_target = "127.0.0.1:15222"
|
|
||||||
|
|
||||||
# s2s port backend XMPP server listens on
|
|
||||||
s2s_target = "127.0.0.1:15269"
|
|
||||||
|
|
||||||
# send PROXYv1 header to backend XMPP server
|
|
||||||
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
|
||||||
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
|
||||||
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
|
||||||
proxy = true
|
|
||||||
|
|
||||||
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
|
||||||
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
|
||||||
# xmpp-proxy will use this many bytes + 16k per connection
|
|
||||||
max_stanza_size_bytes = 262_144
|
|
||||||
|
|
||||||
# TLS key/certificate valid for all your XMPP domains, PEM format
|
|
||||||
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
|
||||||
tls_key = "/etc/certs/rsa/one.example.org.key"
|
|
||||||
tls_cert = "/etc/certs/rsa/one.example.org.crt"
|
|
||||||
|
|
||||||
# configure logging, defaults are commented
|
|
||||||
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
|
||||||
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
|
||||||
#log_level = "info"
|
|
||||||
# for development/debugging:
|
|
||||||
log_level = "info,xmpp_proxy=trace"
|
|
||||||
|
|
||||||
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
|
||||||
#log_style = "never"
|
|
@ -1,21 +0,0 @@
|
|||||||
$TTL 300
|
|
||||||
; example.org
|
|
||||||
@ IN SOA ns1.example.org. postmaster.example.org. (
|
|
||||||
2018111111 ; Serial
|
|
||||||
28800 ; Refresh
|
|
||||||
1800 ; Retry
|
|
||||||
604800 ; Expire - 1 week
|
|
||||||
86400 ) ; Negative Cache TTL
|
|
||||||
IN NS ns1
|
|
||||||
ns1 IN A 192.5.0.10
|
|
||||||
server1 IN A 192.5.0.20
|
|
||||||
server2 IN A 192.5.0.30
|
|
||||||
xp1 IN A 192.5.0.40
|
|
||||||
xp2 IN A 192.5.0.50
|
|
||||||
xp3 IN A 192.5.0.60
|
|
||||||
|
|
||||||
_xmppq-client._udp.one IN SRV 5 1 5443 xp1
|
|
||||||
_xmppq-client._udp.two IN SRV 5 1 5443 xp1
|
|
||||||
|
|
||||||
scansion.one IN CNAME xp3
|
|
||||||
scansion.two IN CNAME xp3
|
|
@ -1,253 +0,0 @@
|
|||||||
--Important for systemd
|
|
||||||
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
|
||||||
daemonize = false
|
|
||||||
run_as_root = true
|
|
||||||
|
|
||||||
pidfile = "/run/prosody/prosody.pid"
|
|
||||||
|
|
||||||
plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
|
|
||||||
|
|
||||||
-- Prosody Example Configuration File
|
|
||||||
--
|
|
||||||
-- Information on configuring Prosody can be found on our
|
|
||||||
-- website at https://prosody.im/doc/configure
|
|
||||||
--
|
|
||||||
-- Tip: You can check that the syntax of this file is correct
|
|
||||||
-- when you have finished by running this command:
|
|
||||||
-- prosodyctl check config
|
|
||||||
-- If there are any errors, it will let you know what and where
|
|
||||||
-- they are, otherwise it will keep quiet.
|
|
||||||
--
|
|
||||||
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
|
||||||
-- blanks. Good luck, and happy Jabbering!
|
|
||||||
|
|
||||||
|
|
||||||
---------- Server-wide settings ----------
|
|
||||||
-- Settings in this section apply to the whole server and are the default settings
|
|
||||||
-- for any virtual hosts
|
|
||||||
|
|
||||||
-- This is a (by default, empty) list of accounts that are admins
|
|
||||||
-- for the server. Note that you must create the accounts separately
|
|
||||||
-- (see https://prosody.im/doc/creating_accounts for info)
|
|
||||||
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
|
||||||
admins = { }
|
|
||||||
|
|
||||||
-- Enable use of libevent for better performance under high load
|
|
||||||
-- For more information see: https://prosody.im/doc/libevent
|
|
||||||
--use_libevent = true
|
|
||||||
|
|
||||||
-- Prosody will always look in its source directory for modules, but
|
|
||||||
-- this option allows you to specify additional locations where Prosody
|
|
||||||
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
|
||||||
--plugin_paths = {}
|
|
||||||
|
|
||||||
-- This is the list of modules Prosody will load on startup.
|
|
||||||
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
|
||||||
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
|
||||||
modules_enabled = {
|
|
||||||
|
|
||||||
-- Generally required
|
|
||||||
"roster"; -- Allow users to have a roster. Recommended ;)
|
|
||||||
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
|
||||||
--"tls"; -- Add support for secure TLS on c2s/s2s connections
|
|
||||||
--"dialback"; -- s2s dialback support
|
|
||||||
"disco"; -- Service discovery
|
|
||||||
|
|
||||||
-- Not essential, but recommended
|
|
||||||
"carbons"; -- Keep multiple clients in sync
|
|
||||||
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
|
||||||
"private"; -- Private XML storage (for room bookmarks, etc.)
|
|
||||||
"blocklist"; -- Allow users to block communications with other users
|
|
||||||
"vcard4"; -- User profiles (stored in PEP)
|
|
||||||
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
|
||||||
"limits"; -- Enable bandwidth limiting for XMPP connections
|
|
||||||
|
|
||||||
-- Nice to have
|
|
||||||
"version"; -- Replies to server version requests
|
|
||||||
"uptime"; -- Report how long server has been running
|
|
||||||
"time"; -- Let others know the time here on this server
|
|
||||||
"ping"; -- Replies to XMPP pings with pongs
|
|
||||||
"register"; -- Allow users to register on this server using a client and change passwords
|
|
||||||
--"mam"; -- Store messages in an archive and allow users to access it
|
|
||||||
--"csi_simple"; -- Simple Mobile optimizations
|
|
||||||
|
|
||||||
-- Admin interfaces
|
|
||||||
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
|
||||||
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
|
||||||
|
|
||||||
-- HTTP modules
|
|
||||||
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
|
||||||
--"websocket"; -- XMPP over WebSockets
|
|
||||||
--"http_files"; -- Serve static files from a directory over HTTP
|
|
||||||
|
|
||||||
-- Other specific functionality
|
|
||||||
--"groups"; -- Shared roster support
|
|
||||||
--"server_contact_info"; -- Publish contact information for this service
|
|
||||||
--"announce"; -- Send announcement to all online users
|
|
||||||
--"welcome"; -- Welcome users who register accounts
|
|
||||||
--"watchregistrations"; -- Alert admins of registrations
|
|
||||||
--"motd"; -- Send a message to users when they log in
|
|
||||||
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
|
||||||
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
|
||||||
"net_proxy";
|
|
||||||
"s2s_outgoing_proxy";
|
|
||||||
}
|
|
||||||
|
|
||||||
-- These modules are auto-loaded, but should you want
|
|
||||||
-- to disable them then uncomment them here:
|
|
||||||
modules_disabled = {
|
|
||||||
-- "offline"; -- Store offline messages
|
|
||||||
-- "c2s"; -- Handle client connections
|
|
||||||
-- "s2s"; -- Handle server-to-server connections
|
|
||||||
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Disable account creation by default, for security
|
|
||||||
-- For more information see https://prosody.im/doc/creating_accounts
|
|
||||||
allow_registration = false
|
|
||||||
|
|
||||||
-- we don't need prosody doing any encryption, xmpp-proxy does this now
|
|
||||||
-- these are likely set to true somewhere in your file, find them, make them false
|
|
||||||
-- you can also remove all certificates from your config
|
|
||||||
s2s_require_encryption = false
|
|
||||||
s2s_secure_auth = false
|
|
||||||
|
|
||||||
-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
|
|
||||||
s2s_outgoing_proxy = { "xp1.example.org", 15270 }
|
|
||||||
|
|
||||||
-- handle PROXY protocol on these ports
|
|
||||||
proxy_port_mappings = {
|
|
||||||
[15222] = "c2s",
|
|
||||||
[15269] = "s2s"
|
|
||||||
}
|
|
||||||
|
|
||||||
--[[
|
|
||||||
Specifies a list of trusted hosts or networks which may use the PROXY protocol
|
|
||||||
If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
|
|
||||||
An empty table ({}) can be configured to allow connections from any source.
|
|
||||||
Please read the module documentation about potential security impact.
|
|
||||||
]]--
|
|
||||||
proxy_trusted_proxies = {
|
|
||||||
"192.5.0.40"
|
|
||||||
}
|
|
||||||
|
|
||||||
-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
|
|
||||||
-- you might need to comment these out further down in your config file if you set them
|
|
||||||
c2s_ports = {}
|
|
||||||
legacy_ssl_ports = {}
|
|
||||||
-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
|
|
||||||
s2s_ports = {15268}
|
|
||||||
|
|
||||||
-- Force clients to use encrypted connections? This option will
|
|
||||||
-- prevent clients from authenticating unless they are using encryption.
|
|
||||||
|
|
||||||
c2s_require_encryption = false
|
|
||||||
allow_unencrypted_plain_auth = true
|
|
||||||
|
|
||||||
-- Some servers have invalid or self-signed certificates. You can list
|
|
||||||
-- remote domains here that will not be required to authenticate using
|
|
||||||
-- certificates. They will be authenticated using DNS instead, even
|
|
||||||
-- when s2s_secure_auth is enabled.
|
|
||||||
|
|
||||||
--s2s_insecure_domains = { "insecure.example" }
|
|
||||||
|
|
||||||
-- Even if you disable s2s_secure_auth, you can still require valid
|
|
||||||
-- certificates for some domains by specifying a list here.
|
|
||||||
|
|
||||||
--s2s_secure_domains = { "jabber.org" }
|
|
||||||
|
|
||||||
-- Enable rate limits for incoming client and server connections
|
|
||||||
|
|
||||||
limits = {
|
|
||||||
c2s = {
|
|
||||||
rate = "10kb/s";
|
|
||||||
};
|
|
||||||
s2sin = {
|
|
||||||
rate = "30kb/s";
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Select the authentication backend to use. The 'internal' providers
|
|
||||||
-- use Prosody's configured data storage to store the authentication data.
|
|
||||||
|
|
||||||
authentication = "internal_hashed"
|
|
||||||
|
|
||||||
-- Select the storage backend to use. By default Prosody uses flat files
|
|
||||||
-- in its configured data directory, but it also supports more backends
|
|
||||||
-- through modules. An "sql" backend is included by default, but requires
|
|
||||||
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
|
||||||
|
|
||||||
--storage = "sql" -- Default is "internal"
|
|
||||||
|
|
||||||
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
|
||||||
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
|
||||||
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
|
||||||
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
|
||||||
|
|
||||||
|
|
||||||
-- Archiving configuration
|
|
||||||
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
|
||||||
-- is used to synchronize conversations between multiple clients, even if
|
|
||||||
-- they are offline. This setting controls how long Prosody will keep
|
|
||||||
-- messages in the archive before removing them.
|
|
||||||
|
|
||||||
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
|
||||||
|
|
||||||
-- You can also configure messages to be stored in-memory only. For more
|
|
||||||
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
|
||||||
|
|
||||||
-- Logging configuration
|
|
||||||
-- For advanced logging see https://prosody.im/doc/logging
|
|
||||||
log = {
|
|
||||||
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
|
||||||
-- error = "prosody.err";
|
|
||||||
--info = "*syslog"; -- Uncomment this for logging to syslog
|
|
||||||
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Uncomment to enable statistics
|
|
||||||
-- For more info see https://prosody.im/doc/statistics
|
|
||||||
-- statistics = "internal"
|
|
||||||
|
|
||||||
-- Certificates
|
|
||||||
-- Every virtual host and component needs a certificate so that clients and
|
|
||||||
-- servers can securely verify its identity. Prosody will automatically load
|
|
||||||
-- certificates/keys from the directory specified here.
|
|
||||||
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
|
||||||
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
|
||||||
|
|
||||||
-- Location of directory to find certificates in (relative to main config file):
|
|
||||||
certificates = "certs"
|
|
||||||
|
|
||||||
-- HTTPS currently only supports a single certificate, specify it here:
|
|
||||||
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
|
||||||
|
|
||||||
----------- Virtual hosts -----------
|
|
||||||
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
|
||||||
-- Settings under each VirtualHost entry apply *only* to that host.
|
|
||||||
|
|
||||||
VirtualHost "one.example.org"
|
|
||||||
|
|
||||||
VirtualHost "two.example.org"
|
|
||||||
|
|
||||||
--VirtualHost "example.com"
|
|
||||||
-- certificate = "/path/to/example.crt"
|
|
||||||
|
|
||||||
------ Components ------
|
|
||||||
-- You can specify components to add hosts that provide special services,
|
|
||||||
-- like multi-user conferences, and transports.
|
|
||||||
-- For more information on components, see https://prosody.im/doc/components
|
|
||||||
|
|
||||||
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
|
||||||
--Component "conference.example.com" "muc"
|
|
||||||
--- Store MUC messages in an archive and allow users to access it
|
|
||||||
--modules_enabled = { "muc_mam" }
|
|
||||||
|
|
||||||
---Set up an external component (default component port is 5347)
|
|
||||||
--
|
|
||||||
-- External components allow adding various services, such as gateways/
|
|
||||||
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
|
||||||
-- see: https://prosody.im/doc/components#adding_an_external_component
|
|
||||||
--
|
|
||||||
--Component "gateway.example.com"
|
|
||||||
-- component_secret = "password"
|
|
@ -1,44 +0,0 @@
|
|||||||
|
|
||||||
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
|
||||||
incoming_listen = [ ]
|
|
||||||
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
|
||||||
quic_listen = [ "0.0.0.0:5443" ]
|
|
||||||
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
|
||||||
websocket_listen = [ ]
|
|
||||||
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
|
||||||
outgoing_listen = [ ]
|
|
||||||
|
|
||||||
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
|
||||||
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
|
||||||
|
|
||||||
# c2s port backend XMPP server listens on
|
|
||||||
c2s_target = "192.5.0.20:15222"
|
|
||||||
|
|
||||||
# s2s port backend XMPP server listens on
|
|
||||||
s2s_target = "192.5.0.20:15269"
|
|
||||||
|
|
||||||
# send PROXYv1 header to backend XMPP server
|
|
||||||
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
|
||||||
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
|
||||||
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
|
||||||
proxy = true
|
|
||||||
|
|
||||||
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
|
||||||
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
|
||||||
# xmpp-proxy will use this many bytes + 16k per connection
|
|
||||||
max_stanza_size_bytes = 262_144
|
|
||||||
|
|
||||||
# TLS key/certificate valid for all your XMPP domains, PEM format
|
|
||||||
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
|
||||||
tls_key = "/etc/prosody/certs/wildcard.key"
|
|
||||||
tls_cert = "/etc/prosody/certs/wildcard.crt"
|
|
||||||
|
|
||||||
# configure logging, defaults are commented
|
|
||||||
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
|
||||||
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
|
||||||
#log_level = "info"
|
|
||||||
# for development/debugging:
|
|
||||||
log_level = "info,xmpp_proxy=trace"
|
|
||||||
|
|
||||||
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
|
||||||
#log_style = "never"
|
|
@ -1,44 +0,0 @@
|
|||||||
|
|
||||||
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
|
||||||
incoming_listen = [ ]
|
|
||||||
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
|
||||||
quic_listen = [ ]
|
|
||||||
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
|
||||||
websocket_listen = [ ]
|
|
||||||
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
|
||||||
outgoing_listen = [ "0.0.0.0:5222" ]
|
|
||||||
|
|
||||||
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
|
||||||
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
|
||||||
|
|
||||||
# c2s port backend XMPP server listens on
|
|
||||||
c2s_target = "127.0.0.1:15222"
|
|
||||||
|
|
||||||
# s2s port backend XMPP server listens on
|
|
||||||
s2s_target = "127.0.0.1:15269"
|
|
||||||
|
|
||||||
# send PROXYv1 header to backend XMPP server
|
|
||||||
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
|
||||||
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
|
||||||
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
|
||||||
proxy = true
|
|
||||||
|
|
||||||
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
|
||||||
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
|
||||||
# xmpp-proxy will use this many bytes + 16k per connection
|
|
||||||
max_stanza_size_bytes = 262_144
|
|
||||||
|
|
||||||
# TLS key/certificate valid for all your XMPP domains, PEM format
|
|
||||||
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
|
||||||
tls_key = "/etc/certs/rsa/one.example.org.key"
|
|
||||||
tls_cert = "/etc/certs/rsa/one.example.org.crt"
|
|
||||||
|
|
||||||
# configure logging, defaults are commented
|
|
||||||
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
|
||||||
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
|
||||||
#log_level = "info"
|
|
||||||
# for development/debugging:
|
|
||||||
log_level = "info,xmpp_proxy=trace"
|
|
||||||
|
|
||||||
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
|
||||||
#log_style = "never"
|
|
@ -1,23 +0,0 @@
|
|||||||
$TTL 300
|
|
||||||
; example.org
|
|
||||||
@ IN SOA ns1.example.org. postmaster.example.org. (
|
|
||||||
2018111111 ; Serial
|
|
||||||
28800 ; Refresh
|
|
||||||
1800 ; Retry
|
|
||||||
604800 ; Expire - 1 week
|
|
||||||
86400 ) ; Negative Cache TTL
|
|
||||||
IN NS ns1
|
|
||||||
ns1 IN A 192.5.0.10
|
|
||||||
server1 IN A 192.5.0.20
|
|
||||||
server2 IN A 192.5.0.30
|
|
||||||
xp1 IN A 192.5.0.40
|
|
||||||
xp2 IN A 192.5.0.50
|
|
||||||
xp3 IN A 192.5.0.60
|
|
||||||
|
|
||||||
one IN CNAME xp1
|
|
||||||
two IN CNAME xp1
|
|
||||||
_xmppconnect.one IN TXT "_xmpp-client-websocket=wss://one.example.org:5281/xmpp-websocket"
|
|
||||||
_xmppconnect.two IN TXT "_xmpp-client-websocket=wss://two.example.org:5281/xmpp-websocket"
|
|
||||||
|
|
||||||
scansion.one IN CNAME xp3
|
|
||||||
scansion.two IN CNAME xp3
|
|
@ -1,253 +0,0 @@
|
|||||||
--Important for systemd
|
|
||||||
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
|
||||||
daemonize = false
|
|
||||||
run_as_root = true
|
|
||||||
|
|
||||||
pidfile = "/run/prosody/prosody.pid"
|
|
||||||
|
|
||||||
plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
|
|
||||||
|
|
||||||
-- Prosody Example Configuration File
|
|
||||||
--
|
|
||||||
-- Information on configuring Prosody can be found on our
|
|
||||||
-- website at https://prosody.im/doc/configure
|
|
||||||
--
|
|
||||||
-- Tip: You can check that the syntax of this file is correct
|
|
||||||
-- when you have finished by running this command:
|
|
||||||
-- prosodyctl check config
|
|
||||||
-- If there are any errors, it will let you know what and where
|
|
||||||
-- they are, otherwise it will keep quiet.
|
|
||||||
--
|
|
||||||
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
|
||||||
-- blanks. Good luck, and happy Jabbering!
|
|
||||||
|
|
||||||
|
|
||||||
---------- Server-wide settings ----------
|
|
||||||
-- Settings in this section apply to the whole server and are the default settings
|
|
||||||
-- for any virtual hosts
|
|
||||||
|
|
||||||
-- This is a (by default, empty) list of accounts that are admins
|
|
||||||
-- for the server. Note that you must create the accounts separately
|
|
||||||
-- (see https://prosody.im/doc/creating_accounts for info)
|
|
||||||
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
|
||||||
admins = { }
|
|
||||||
|
|
||||||
-- Enable use of libevent for better performance under high load
|
|
||||||
-- For more information see: https://prosody.im/doc/libevent
|
|
||||||
--use_libevent = true
|
|
||||||
|
|
||||||
-- Prosody will always look in its source directory for modules, but
|
|
||||||
-- this option allows you to specify additional locations where Prosody
|
|
||||||
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
|
||||||
--plugin_paths = {}
|
|
||||||
|
|
||||||
-- This is the list of modules Prosody will load on startup.
|
|
||||||
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
|
||||||
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
|
||||||
modules_enabled = {
|
|
||||||
|
|
||||||
-- Generally required
|
|
||||||
"roster"; -- Allow users to have a roster. Recommended ;)
|
|
||||||
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
|
||||||
--"tls"; -- Add support for secure TLS on c2s/s2s connections
|
|
||||||
--"dialback"; -- s2s dialback support
|
|
||||||
"disco"; -- Service discovery
|
|
||||||
|
|
||||||
-- Not essential, but recommended
|
|
||||||
"carbons"; -- Keep multiple clients in sync
|
|
||||||
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
|
||||||
"private"; -- Private XML storage (for room bookmarks, etc.)
|
|
||||||
"blocklist"; -- Allow users to block communications with other users
|
|
||||||
"vcard4"; -- User profiles (stored in PEP)
|
|
||||||
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
|
||||||
"limits"; -- Enable bandwidth limiting for XMPP connections
|
|
||||||
|
|
||||||
-- Nice to have
|
|
||||||
"version"; -- Replies to server version requests
|
|
||||||
"uptime"; -- Report how long server has been running
|
|
||||||
"time"; -- Let others know the time here on this server
|
|
||||||
"ping"; -- Replies to XMPP pings with pongs
|
|
||||||
"register"; -- Allow users to register on this server using a client and change passwords
|
|
||||||
--"mam"; -- Store messages in an archive and allow users to access it
|
|
||||||
--"csi_simple"; -- Simple Mobile optimizations
|
|
||||||
|
|
||||||
-- Admin interfaces
|
|
||||||
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
|
||||||
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
|
||||||
|
|
||||||
-- HTTP modules
|
|
||||||
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
|
||||||
--"websocket"; -- XMPP over WebSockets
|
|
||||||
--"http_files"; -- Serve static files from a directory over HTTP
|
|
||||||
|
|
||||||
-- Other specific functionality
|
|
||||||
--"groups"; -- Shared roster support
|
|
||||||
--"server_contact_info"; -- Publish contact information for this service
|
|
||||||
--"announce"; -- Send announcement to all online users
|
|
||||||
--"welcome"; -- Welcome users who register accounts
|
|
||||||
--"watchregistrations"; -- Alert admins of registrations
|
|
||||||
--"motd"; -- Send a message to users when they log in
|
|
||||||
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
|
||||||
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
|
||||||
"net_proxy";
|
|
||||||
"s2s_outgoing_proxy";
|
|
||||||
}
|
|
||||||
|
|
||||||
-- These modules are auto-loaded, but should you want
|
|
||||||
-- to disable them then uncomment them here:
|
|
||||||
modules_disabled = {
|
|
||||||
-- "offline"; -- Store offline messages
|
|
||||||
-- "c2s"; -- Handle client connections
|
|
||||||
-- "s2s"; -- Handle server-to-server connections
|
|
||||||
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Disable account creation by default, for security
|
|
||||||
-- For more information see https://prosody.im/doc/creating_accounts
|
|
||||||
allow_registration = false
|
|
||||||
|
|
||||||
-- we don't need prosody doing any encryption, xmpp-proxy does this now
|
|
||||||
-- these are likely set to true somewhere in your file, find them, make them false
|
|
||||||
-- you can also remove all certificates from your config
|
|
||||||
s2s_require_encryption = false
|
|
||||||
s2s_secure_auth = false
|
|
||||||
|
|
||||||
-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
|
|
||||||
s2s_outgoing_proxy = { "xp1.example.org", 15270 }
|
|
||||||
|
|
||||||
-- handle PROXY protocol on these ports
|
|
||||||
proxy_port_mappings = {
|
|
||||||
[15222] = "c2s",
|
|
||||||
[15269] = "s2s"
|
|
||||||
}
|
|
||||||
|
|
||||||
--[[
|
|
||||||
Specifies a list of trusted hosts or networks which may use the PROXY protocol
|
|
||||||
If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
|
|
||||||
An empty table ({}) can be configured to allow connections from any source.
|
|
||||||
Please read the module documentation about potential security impact.
|
|
||||||
]]--
|
|
||||||
proxy_trusted_proxies = {
|
|
||||||
"192.5.0.40"
|
|
||||||
}
|
|
||||||
|
|
||||||
-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
|
|
||||||
-- you might need to comment these out further down in your config file if you set them
|
|
||||||
c2s_ports = {}
|
|
||||||
legacy_ssl_ports = {}
|
|
||||||
-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
|
|
||||||
s2s_ports = {15268}
|
|
||||||
|
|
||||||
-- Force clients to use encrypted connections? This option will
|
|
||||||
-- prevent clients from authenticating unless they are using encryption.
|
|
||||||
|
|
||||||
c2s_require_encryption = false
|
|
||||||
allow_unencrypted_plain_auth = true
|
|
||||||
|
|
||||||
-- Some servers have invalid or self-signed certificates. You can list
|
|
||||||
-- remote domains here that will not be required to authenticate using
|
|
||||||
-- certificates. They will be authenticated using DNS instead, even
|
|
||||||
-- when s2s_secure_auth is enabled.
|
|
||||||
|
|
||||||
--s2s_insecure_domains = { "insecure.example" }
|
|
||||||
|
|
||||||
-- Even if you disable s2s_secure_auth, you can still require valid
|
|
||||||
-- certificates for some domains by specifying a list here.
|
|
||||||
|
|
||||||
--s2s_secure_domains = { "jabber.org" }
|
|
||||||
|
|
||||||
-- Enable rate limits for incoming client and server connections
|
|
||||||
|
|
||||||
limits = {
|
|
||||||
c2s = {
|
|
||||||
rate = "10kb/s";
|
|
||||||
};
|
|
||||||
s2sin = {
|
|
||||||
rate = "30kb/s";
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Select the authentication backend to use. The 'internal' providers
|
|
||||||
-- use Prosody's configured data storage to store the authentication data.
|
|
||||||
|
|
||||||
authentication = "internal_hashed"
|
|
||||||
|
|
||||||
-- Select the storage backend to use. By default Prosody uses flat files
|
|
||||||
-- in its configured data directory, but it also supports more backends
|
|
||||||
-- through modules. An "sql" backend is included by default, but requires
|
|
||||||
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
|
||||||
|
|
||||||
--storage = "sql" -- Default is "internal"
|
|
||||||
|
|
||||||
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
|
||||||
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
|
||||||
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
|
||||||
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
|
||||||
|
|
||||||
|
|
||||||
-- Archiving configuration
|
|
||||||
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
|
||||||
-- is used to synchronize conversations between multiple clients, even if
|
|
||||||
-- they are offline. This setting controls how long Prosody will keep
|
|
||||||
-- messages in the archive before removing them.
|
|
||||||
|
|
||||||
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
|
||||||
|
|
||||||
-- You can also configure messages to be stored in-memory only. For more
|
|
||||||
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
|
||||||
|
|
||||||
-- Logging configuration
|
|
||||||
-- For advanced logging see https://prosody.im/doc/logging
|
|
||||||
log = {
|
|
||||||
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
|
||||||
-- error = "prosody.err";
|
|
||||||
--info = "*syslog"; -- Uncomment this for logging to syslog
|
|
||||||
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Uncomment to enable statistics
|
|
||||||
-- For more info see https://prosody.im/doc/statistics
|
|
||||||
-- statistics = "internal"
|
|
||||||
|
|
||||||
-- Certificates
|
|
||||||
-- Every virtual host and component needs a certificate so that clients and
|
|
||||||
-- servers can securely verify its identity. Prosody will automatically load
|
|
||||||
-- certificates/keys from the directory specified here.
|
|
||||||
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
|
||||||
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
|
||||||
|
|
||||||
-- Location of directory to find certificates in (relative to main config file):
|
|
||||||
certificates = "certs"
|
|
||||||
|
|
||||||
-- HTTPS currently only supports a single certificate, specify it here:
|
|
||||||
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
|
||||||
|
|
||||||
----------- Virtual hosts -----------
|
|
||||||
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
|
||||||
-- Settings under each VirtualHost entry apply *only* to that host.
|
|
||||||
|
|
||||||
VirtualHost "one.example.org"
|
|
||||||
|
|
||||||
VirtualHost "two.example.org"
|
|
||||||
|
|
||||||
--VirtualHost "example.com"
|
|
||||||
-- certificate = "/path/to/example.crt"
|
|
||||||
|
|
||||||
------ Components ------
|
|
||||||
-- You can specify components to add hosts that provide special services,
|
|
||||||
-- like multi-user conferences, and transports.
|
|
||||||
-- For more information on components, see https://prosody.im/doc/components
|
|
||||||
|
|
||||||
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
|
||||||
--Component "conference.example.com" "muc"
|
|
||||||
--- Store MUC messages in an archive and allow users to access it
|
|
||||||
--modules_enabled = { "muc_mam" }
|
|
||||||
|
|
||||||
---Set up an external component (default component port is 5347)
|
|
||||||
--
|
|
||||||
-- External components allow adding various services, such as gateways/
|
|
||||||
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
|
||||||
-- see: https://prosody.im/doc/components#adding_an_external_component
|
|
||||||
--
|
|
||||||
--Component "gateway.example.com"
|
|
||||||
-- component_secret = "password"
|
|
@ -1,42 +0,0 @@
|
|||||||
|
|
||||||
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
|
||||||
incoming_listen = [ "0.0.0.0:5281" ]
|
|
||||||
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
|
||||||
quic_listen = [ ]
|
|
||||||
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
|
||||||
outgoing_listen = [ ]
|
|
||||||
|
|
||||||
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
|
||||||
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
|
||||||
|
|
||||||
# c2s port backend XMPP server listens on
|
|
||||||
c2s_target = "192.5.0.20:15222"
|
|
||||||
|
|
||||||
# s2s port backend XMPP server listens on
|
|
||||||
s2s_target = "192.5.0.20:15269"
|
|
||||||
|
|
||||||
# send PROXYv1 header to backend XMPP server
|
|
||||||
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
|
||||||
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
|
||||||
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
|
||||||
proxy = true
|
|
||||||
|
|
||||||
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
|
||||||
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
|
||||||
# xmpp-proxy will use this many bytes + 16k per connection
|
|
||||||
max_stanza_size_bytes = 262_144
|
|
||||||
|
|
||||||
# TLS key/certificate valid for all your XMPP domains, PEM format
|
|
||||||
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
|
||||||
tls_key = "/etc/prosody/certs/wildcard.key"
|
|
||||||
tls_cert = "/etc/prosody/certs/wildcard.crt"
|
|
||||||
|
|
||||||
# configure logging, defaults are commented
|
|
||||||
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
|
||||||
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
|
||||||
#log_level = "info"
|
|
||||||
# for development/debugging:
|
|
||||||
log_level = "info,xmpp_proxy=trace"
|
|
||||||
|
|
||||||
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
|
||||||
#log_style = "never"
|
|
@ -1,44 +0,0 @@
|
|||||||
|
|
||||||
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
|
||||||
incoming_listen = [ ]
|
|
||||||
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
|
||||||
quic_listen = [ ]
|
|
||||||
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
|
||||||
websocket_listen = [ ]
|
|
||||||
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
|
||||||
outgoing_listen = [ "0.0.0.0:5222" ]
|
|
||||||
|
|
||||||
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
|
||||||
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
|
||||||
|
|
||||||
# c2s port backend XMPP server listens on
|
|
||||||
c2s_target = "127.0.0.1:15222"
|
|
||||||
|
|
||||||
# s2s port backend XMPP server listens on
|
|
||||||
s2s_target = "127.0.0.1:15269"
|
|
||||||
|
|
||||||
# send PROXYv1 header to backend XMPP server
|
|
||||||
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
|
||||||
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
|
||||||
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
|
||||||
proxy = true
|
|
||||||
|
|
||||||
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
|
||||||
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
|
||||||
# xmpp-proxy will use this many bytes + 16k per connection
|
|
||||||
max_stanza_size_bytes = 262_144
|
|
||||||
|
|
||||||
# TLS key/certificate valid for all your XMPP domains, PEM format
|
|
||||||
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
|
||||||
tls_key = "/etc/certs/rsa/one.example.org.key"
|
|
||||||
tls_cert = "/etc/certs/rsa/one.example.org.crt"
|
|
||||||
|
|
||||||
# configure logging, defaults are commented
|
|
||||||
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
|
||||||
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
|
||||||
#log_level = "info"
|
|
||||||
# for development/debugging:
|
|
||||||
log_level = "info,xmpp_proxy=trace"
|
|
||||||
|
|
||||||
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
|
||||||
#log_style = "never"
|
|
@ -1,21 +0,0 @@
|
|||||||
$TTL 300
|
|
||||||
; example.org
|
|
||||||
@ IN SOA ns1.example.org. postmaster.example.org. (
|
|
||||||
2018111111 ; Serial
|
|
||||||
28800 ; Refresh
|
|
||||||
1800 ; Retry
|
|
||||||
604800 ; Expire - 1 week
|
|
||||||
86400 ) ; Negative Cache TTL
|
|
||||||
IN NS ns1
|
|
||||||
ns1 IN A 192.5.0.10
|
|
||||||
server1 IN A 192.5.0.20
|
|
||||||
server2 IN A 192.5.0.30
|
|
||||||
xp1 IN A 192.5.0.40
|
|
||||||
xp2 IN A 192.5.0.50
|
|
||||||
xp3 IN A 192.5.0.60
|
|
||||||
|
|
||||||
one IN CNAME xp1
|
|
||||||
two IN CNAME xp2
|
|
||||||
|
|
||||||
scansion.one IN CNAME xp3
|
|
||||||
scansion.two IN CNAME xp3
|
|
@ -1,251 +0,0 @@
|
|||||||
--Important for systemd
|
|
||||||
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
|
||||||
daemonize = false
|
|
||||||
run_as_root = true
|
|
||||||
|
|
||||||
pidfile = "/run/prosody/prosody.pid"
|
|
||||||
|
|
||||||
plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
|
|
||||||
|
|
||||||
-- Prosody Example Configuration File
|
|
||||||
--
|
|
||||||
-- Information on configuring Prosody can be found on our
|
|
||||||
-- website at https://prosody.im/doc/configure
|
|
||||||
--
|
|
||||||
-- Tip: You can check that the syntax of this file is correct
|
|
||||||
-- when you have finished by running this command:
|
|
||||||
-- prosodyctl check config
|
|
||||||
-- If there are any errors, it will let you know what and where
|
|
||||||
-- they are, otherwise it will keep quiet.
|
|
||||||
--
|
|
||||||
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
|
||||||
-- blanks. Good luck, and happy Jabbering!
|
|
||||||
|
|
||||||
|
|
||||||
---------- Server-wide settings ----------
|
|
||||||
-- Settings in this section apply to the whole server and are the default settings
|
|
||||||
-- for any virtual hosts
|
|
||||||
|
|
||||||
-- This is a (by default, empty) list of accounts that are admins
|
|
||||||
-- for the server. Note that you must create the accounts separately
|
|
||||||
-- (see https://prosody.im/doc/creating_accounts for info)
|
|
||||||
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
|
||||||
admins = { }
|
|
||||||
|
|
||||||
-- Enable use of libevent for better performance under high load
|
|
||||||
-- For more information see: https://prosody.im/doc/libevent
|
|
||||||
--use_libevent = true
|
|
||||||
|
|
||||||
-- Prosody will always look in its source directory for modules, but
|
|
||||||
-- this option allows you to specify additional locations where Prosody
|
|
||||||
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
|
||||||
--plugin_paths = {}
|
|
||||||
|
|
||||||
-- This is the list of modules Prosody will load on startup.
|
|
||||||
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
|
||||||
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
|
||||||
modules_enabled = {
|
|
||||||
|
|
||||||
-- Generally required
|
|
||||||
"roster"; -- Allow users to have a roster. Recommended ;)
|
|
||||||
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
|
||||||
--"tls"; -- Add support for secure TLS on c2s/s2s connections
|
|
||||||
--"dialback"; -- s2s dialback support
|
|
||||||
"disco"; -- Service discovery
|
|
||||||
|
|
||||||
-- Not essential, but recommended
|
|
||||||
"carbons"; -- Keep multiple clients in sync
|
|
||||||
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
|
||||||
"private"; -- Private XML storage (for room bookmarks, etc.)
|
|
||||||
"blocklist"; -- Allow users to block communications with other users
|
|
||||||
"vcard4"; -- User profiles (stored in PEP)
|
|
||||||
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
|
||||||
"limits"; -- Enable bandwidth limiting for XMPP connections
|
|
||||||
|
|
||||||
-- Nice to have
|
|
||||||
"version"; -- Replies to server version requests
|
|
||||||
"uptime"; -- Report how long server has been running
|
|
||||||
"time"; -- Let others know the time here on this server
|
|
||||||
"ping"; -- Replies to XMPP pings with pongs
|
|
||||||
"register"; -- Allow users to register on this server using a client and change passwords
|
|
||||||
--"mam"; -- Store messages in an archive and allow users to access it
|
|
||||||
--"csi_simple"; -- Simple Mobile optimizations
|
|
||||||
|
|
||||||
-- Admin interfaces
|
|
||||||
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
|
||||||
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
|
||||||
|
|
||||||
-- HTTP modules
|
|
||||||
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
|
||||||
--"websocket"; -- XMPP over WebSockets
|
|
||||||
--"http_files"; -- Serve static files from a directory over HTTP
|
|
||||||
|
|
||||||
-- Other specific functionality
|
|
||||||
--"groups"; -- Shared roster support
|
|
||||||
--"server_contact_info"; -- Publish contact information for this service
|
|
||||||
--"announce"; -- Send announcement to all online users
|
|
||||||
--"welcome"; -- Welcome users who register accounts
|
|
||||||
--"watchregistrations"; -- Alert admins of registrations
|
|
||||||
--"motd"; -- Send a message to users when they log in
|
|
||||||
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
|
||||||
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
|
||||||
"net_proxy";
|
|
||||||
"s2s_outgoing_proxy";
|
|
||||||
}
|
|
||||||
|
|
||||||
-- These modules are auto-loaded, but should you want
|
|
||||||
-- to disable them then uncomment them here:
|
|
||||||
modules_disabled = {
|
|
||||||
-- "offline"; -- Store offline messages
|
|
||||||
-- "c2s"; -- Handle client connections
|
|
||||||
-- "s2s"; -- Handle server-to-server connections
|
|
||||||
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Disable account creation by default, for security
|
|
||||||
-- For more information see https://prosody.im/doc/creating_accounts
|
|
||||||
allow_registration = false
|
|
||||||
|
|
||||||
-- we don't need prosody doing any encryption, xmpp-proxy does this now
|
|
||||||
-- these are likely set to true somewhere in your file, find them, make them false
|
|
||||||
-- you can also remove all certificates from your config
|
|
||||||
s2s_require_encryption = false
|
|
||||||
s2s_secure_auth = false
|
|
||||||
|
|
||||||
-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
|
|
||||||
s2s_outgoing_proxy = { "192.5.0.40", 15270 }
|
|
||||||
|
|
||||||
-- handle PROXY protocol on these ports
|
|
||||||
proxy_port_mappings = {
|
|
||||||
[15222] = "c2s",
|
|
||||||
[15269] = "s2s"
|
|
||||||
}
|
|
||||||
|
|
||||||
--[[
|
|
||||||
Specifies a list of trusted hosts or networks which may use the PROXY protocol
|
|
||||||
If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
|
|
||||||
An empty table ({}) can be configured to allow connections from any source.
|
|
||||||
Please read the module documentation about potential security impact.
|
|
||||||
]]--
|
|
||||||
proxy_trusted_proxies = {
|
|
||||||
"192.5.0.40"
|
|
||||||
}
|
|
||||||
|
|
||||||
-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
|
|
||||||
-- you might need to comment these out further down in your config file if you set them
|
|
||||||
c2s_ports = {}
|
|
||||||
legacy_ssl_ports = {}
|
|
||||||
-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
|
|
||||||
s2s_ports = {15268}
|
|
||||||
|
|
||||||
-- Force clients to use encrypted connections? This option will
|
|
||||||
-- prevent clients from authenticating unless they are using encryption.
|
|
||||||
|
|
||||||
c2s_require_encryption = false
|
|
||||||
allow_unencrypted_plain_auth = true
|
|
||||||
|
|
||||||
-- Some servers have invalid or self-signed certificates. You can list
|
|
||||||
-- remote domains here that will not be required to authenticate using
|
|
||||||
-- certificates. They will be authenticated using DNS instead, even
|
|
||||||
-- when s2s_secure_auth is enabled.
|
|
||||||
|
|
||||||
--s2s_insecure_domains = { "insecure.example" }
|
|
||||||
|
|
||||||
-- Even if you disable s2s_secure_auth, you can still require valid
|
|
||||||
-- certificates for some domains by specifying a list here.
|
|
||||||
|
|
||||||
--s2s_secure_domains = { "jabber.org" }
|
|
||||||
|
|
||||||
-- Enable rate limits for incoming client and server connections
|
|
||||||
|
|
||||||
limits = {
|
|
||||||
c2s = {
|
|
||||||
rate = "10kb/s";
|
|
||||||
};
|
|
||||||
s2sin = {
|
|
||||||
rate = "30kb/s";
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Select the authentication backend to use. The 'internal' providers
|
|
||||||
-- use Prosody's configured data storage to store the authentication data.
|
|
||||||
|
|
||||||
authentication = "internal_hashed"
|
|
||||||
|
|
||||||
-- Select the storage backend to use. By default Prosody uses flat files
|
|
||||||
-- in its configured data directory, but it also supports more backends
|
|
||||||
-- through modules. An "sql" backend is included by default, but requires
|
|
||||||
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
|
||||||
|
|
||||||
--storage = "sql" -- Default is "internal"
|
|
||||||
|
|
||||||
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
|
||||||
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
|
||||||
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
|
||||||
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
|
||||||
|
|
||||||
|
|
||||||
-- Archiving configuration
|
|
||||||
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
|
||||||
-- is used to synchronize conversations between multiple clients, even if
|
|
||||||
-- they are offline. This setting controls how long Prosody will keep
|
|
||||||
-- messages in the archive before removing them.
|
|
||||||
|
|
||||||
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
|
||||||
|
|
||||||
-- You can also configure messages to be stored in-memory only. For more
|
|
||||||
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
|
||||||
|
|
||||||
-- Logging configuration
|
|
||||||
-- For advanced logging see https://prosody.im/doc/logging
|
|
||||||
log = {
|
|
||||||
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
|
||||||
-- error = "prosody.err";
|
|
||||||
--info = "*syslog"; -- Uncomment this for logging to syslog
|
|
||||||
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Uncomment to enable statistics
|
|
||||||
-- For more info see https://prosody.im/doc/statistics
|
|
||||||
-- statistics = "internal"
|
|
||||||
|
|
||||||
-- Certificates
|
|
||||||
-- Every virtual host and component needs a certificate so that clients and
|
|
||||||
-- servers can securely verify its identity. Prosody will automatically load
|
|
||||||
-- certificates/keys from the directory specified here.
|
|
||||||
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
|
||||||
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
|
||||||
|
|
||||||
-- Location of directory to find certificates in (relative to main config file):
|
|
||||||
certificates = "certs"
|
|
||||||
|
|
||||||
-- HTTPS currently only supports a single certificate, specify it here:
|
|
||||||
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
|
||||||
|
|
||||||
----------- Virtual hosts -----------
|
|
||||||
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
|
||||||
-- Settings under each VirtualHost entry apply *only* to that host.
|
|
||||||
|
|
||||||
VirtualHost "one.example.org"
|
|
||||||
|
|
||||||
--VirtualHost "example.com"
|
|
||||||
-- certificate = "/path/to/example.crt"
|
|
||||||
|
|
||||||
------ Components ------
|
|
||||||
-- You can specify components to add hosts that provide special services,
|
|
||||||
-- like multi-user conferences, and transports.
|
|
||||||
-- For more information on components, see https://prosody.im/doc/components
|
|
||||||
|
|
||||||
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
|
||||||
--Component "conference.example.com" "muc"
|
|
||||||
--- Store MUC messages in an archive and allow users to access it
|
|
||||||
--modules_enabled = { "muc_mam" }
|
|
||||||
|
|
||||||
---Set up an external component (default component port is 5347)
|
|
||||||
--
|
|
||||||
-- External components allow adding various services, such as gateways/
|
|
||||||
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
|
||||||
-- see: https://prosody.im/doc/components#adding_an_external_component
|
|
||||||
--
|
|
||||||
--Component "gateway.example.com"
|
|
||||||
-- component_secret = "password"
|
|
@ -1,251 +0,0 @@
|
|||||||
--Important for systemd
|
|
||||||
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
|
||||||
daemonize = false
|
|
||||||
run_as_root = true
|
|
||||||
|
|
||||||
pidfile = "/run/prosody/prosody.pid"
|
|
||||||
|
|
||||||
plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
|
|
||||||
|
|
||||||
-- Prosody Example Configuration File
|
|
||||||
--
|
|
||||||
-- Information on configuring Prosody can be found on our
|
|
||||||
-- website at https://prosody.im/doc/configure
|
|
||||||
--
|
|
||||||
-- Tip: You can check that the syntax of this file is correct
|
|
||||||
-- when you have finished by running this command:
|
|
||||||
-- prosodyctl check config
|
|
||||||
-- If there are any errors, it will let you know what and where
|
|
||||||
-- they are, otherwise it will keep quiet.
|
|
||||||
--
|
|
||||||
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
|
||||||
-- blanks. Good luck, and happy Jabbering!
|
|
||||||
|
|
||||||
|
|
||||||
---------- Server-wide settings ----------
|
|
||||||
-- Settings in this section apply to the whole server and are the default settings
|
|
||||||
-- for any virtual hosts
|
|
||||||
|
|
||||||
-- This is a (by default, empty) list of accounts that are admins
|
|
||||||
-- for the server. Note that you must create the accounts separately
|
|
||||||
-- (see https://prosody.im/doc/creating_accounts for info)
|
|
||||||
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
|
||||||
admins = { }
|
|
||||||
|
|
||||||
-- Enable use of libevent for better performance under high load
|
|
||||||
-- For more information see: https://prosody.im/doc/libevent
|
|
||||||
--use_libevent = true
|
|
||||||
|
|
||||||
-- Prosody will always look in its source directory for modules, but
|
|
||||||
-- this option allows you to specify additional locations where Prosody
|
|
||||||
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
|
||||||
--plugin_paths = {}
|
|
||||||
|
|
||||||
-- This is the list of modules Prosody will load on startup.
|
|
||||||
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
|
||||||
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
|
||||||
modules_enabled = {
|
|
||||||
|
|
||||||
-- Generally required
|
|
||||||
"roster"; -- Allow users to have a roster. Recommended ;)
|
|
||||||
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
|
||||||
--"tls"; -- Add support for secure TLS on c2s/s2s connections
|
|
||||||
--"dialback"; -- s2s dialback support
|
|
||||||
"disco"; -- Service discovery
|
|
||||||
|
|
||||||
-- Not essential, but recommended
|
|
||||||
"carbons"; -- Keep multiple clients in sync
|
|
||||||
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
|
||||||
"private"; -- Private XML storage (for room bookmarks, etc.)
|
|
||||||
"blocklist"; -- Allow users to block communications with other users
|
|
||||||
"vcard4"; -- User profiles (stored in PEP)
|
|
||||||
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
|
||||||
"limits"; -- Enable bandwidth limiting for XMPP connections
|
|
||||||
|
|
||||||
-- Nice to have
|
|
||||||
"version"; -- Replies to server version requests
|
|
||||||
"uptime"; -- Report how long server has been running
|
|
||||||
"time"; -- Let others know the time here on this server
|
|
||||||
"ping"; -- Replies to XMPP pings with pongs
|
|
||||||
"register"; -- Allow users to register on this server using a client and change passwords
|
|
||||||
--"mam"; -- Store messages in an archive and allow users to access it
|
|
||||||
--"csi_simple"; -- Simple Mobile optimizations
|
|
||||||
|
|
||||||
-- Admin interfaces
|
|
||||||
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
|
||||||
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
|
||||||
|
|
||||||
-- HTTP modules
|
|
||||||
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
|
||||||
--"websocket"; -- XMPP over WebSockets
|
|
||||||
--"http_files"; -- Serve static files from a directory over HTTP
|
|
||||||
|
|
||||||
-- Other specific functionality
|
|
||||||
--"groups"; -- Shared roster support
|
|
||||||
--"server_contact_info"; -- Publish contact information for this service
|
|
||||||
--"announce"; -- Send announcement to all online users
|
|
||||||
--"welcome"; -- Welcome users who register accounts
|
|
||||||
--"watchregistrations"; -- Alert admins of registrations
|
|
||||||
--"motd"; -- Send a message to users when they log in
|
|
||||||
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
|
||||||
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
|
||||||
"net_proxy";
|
|
||||||
"s2s_outgoing_proxy";
|
|
||||||
}
|
|
||||||
|
|
||||||
-- These modules are auto-loaded, but should you want
|
|
||||||
-- to disable them then uncomment them here:
|
|
||||||
modules_disabled = {
|
|
||||||
-- "offline"; -- Store offline messages
|
|
||||||
-- "c2s"; -- Handle client connections
|
|
||||||
-- "s2s"; -- Handle server-to-server connections
|
|
||||||
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Disable account creation by default, for security
|
|
||||||
-- For more information see https://prosody.im/doc/creating_accounts
|
|
||||||
allow_registration = false
|
|
||||||
|
|
||||||
-- we don't need prosody doing any encryption, xmpp-proxy does this now
|
|
||||||
-- these are likely set to true somewhere in your file, find them, make them false
|
|
||||||
-- you can also remove all certificates from your config
|
|
||||||
s2s_require_encryption = false
|
|
||||||
s2s_secure_auth = false
|
|
||||||
|
|
||||||
-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
|
|
||||||
s2s_outgoing_proxy = { "192.5.0.50", 15270 }
|
|
||||||
|
|
||||||
-- handle PROXY protocol on these ports
|
|
||||||
proxy_port_mappings = {
|
|
||||||
[15222] = "c2s",
|
|
||||||
[15269] = "s2s"
|
|
||||||
}
|
|
||||||
|
|
||||||
--[[
|
|
||||||
Specifies a list of trusted hosts or networks which may use the PROXY protocol
|
|
||||||
If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
|
|
||||||
An empty table ({}) can be configured to allow connections from any source.
|
|
||||||
Please read the module documentation about potential security impact.
|
|
||||||
]]--
|
|
||||||
proxy_trusted_proxies = {
|
|
||||||
"192.5.0.50"
|
|
||||||
}
|
|
||||||
|
|
||||||
-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
|
|
||||||
-- you might need to comment these out further down in your config file if you set them
|
|
||||||
c2s_ports = {}
|
|
||||||
legacy_ssl_ports = {}
|
|
||||||
-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
|
|
||||||
s2s_ports = {15268}
|
|
||||||
|
|
||||||
-- Force clients to use encrypted connections? This option will
|
|
||||||
-- prevent clients from authenticating unless they are using encryption.
|
|
||||||
|
|
||||||
c2s_require_encryption = false
|
|
||||||
allow_unencrypted_plain_auth = true
|
|
||||||
|
|
||||||
-- Some servers have invalid or self-signed certificates. You can list
|
|
||||||
-- remote domains here that will not be required to authenticate using
|
|
||||||
-- certificates. They will be authenticated using DNS instead, even
|
|
||||||
-- when s2s_secure_auth is enabled.
|
|
||||||
|
|
||||||
--s2s_insecure_domains = { "insecure.example" }
|
|
||||||
|
|
||||||
-- Even if you disable s2s_secure_auth, you can still require valid
|
|
||||||
-- certificates for some domains by specifying a list here.
|
|
||||||
|
|
||||||
--s2s_secure_domains = { "jabber.org" }
|
|
||||||
|
|
||||||
-- Enable rate limits for incoming client and server connections
|
|
||||||
|
|
||||||
limits = {
|
|
||||||
c2s = {
|
|
||||||
rate = "10kb/s";
|
|
||||||
};
|
|
||||||
s2sin = {
|
|
||||||
rate = "30kb/s";
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Select the authentication backend to use. The 'internal' providers
|
|
||||||
-- use Prosody's configured data storage to store the authentication data.
|
|
||||||
|
|
||||||
authentication = "internal_hashed"
|
|
||||||
|
|
||||||
-- Select the storage backend to use. By default Prosody uses flat files
|
|
||||||
-- in its configured data directory, but it also supports more backends
|
|
||||||
-- through modules. An "sql" backend is included by default, but requires
|
|
||||||
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
|
||||||
|
|
||||||
--storage = "sql" -- Default is "internal"
|
|
||||||
|
|
||||||
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
|
||||||
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
|
||||||
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
|
||||||
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
|
||||||
|
|
||||||
|
|
||||||
-- Archiving configuration
|
|
||||||
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
|
||||||
-- is used to synchronize conversations between multiple clients, even if
|
|
||||||
-- they are offline. This setting controls how long Prosody will keep
|
|
||||||
-- messages in the archive before removing them.
|
|
||||||
|
|
||||||
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
|
||||||
|
|
||||||
-- You can also configure messages to be stored in-memory only. For more
|
|
||||||
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
|
||||||
|
|
||||||
-- Logging configuration
|
|
||||||
-- For advanced logging see https://prosody.im/doc/logging
|
|
||||||
log = {
|
|
||||||
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
|
||||||
-- error = "prosody.err";
|
|
||||||
--info = "*syslog"; -- Uncomment this for logging to syslog
|
|
||||||
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Uncomment to enable statistics
|
|
||||||
-- For more info see https://prosody.im/doc/statistics
|
|
||||||
-- statistics = "internal"
|
|
||||||
|
|
||||||
-- Certificates
|
|
||||||
-- Every virtual host and component needs a certificate so that clients and
|
|
||||||
-- servers can securely verify its identity. Prosody will automatically load
|
|
||||||
-- certificates/keys from the directory specified here.
|
|
||||||
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
|
||||||
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
|
||||||
|
|
||||||
-- Location of directory to find certificates in (relative to main config file):
|
|
||||||
certificates = "certs"
|
|
||||||
|
|
||||||
-- HTTPS currently only supports a single certificate, specify it here:
|
|
||||||
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
|
||||||
|
|
||||||
----------- Virtual hosts -----------
|
|
||||||
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
|
||||||
-- Settings under each VirtualHost entry apply *only* to that host.
|
|
||||||
|
|
||||||
VirtualHost "two.example.org"
|
|
||||||
|
|
||||||
--VirtualHost "example.com"
|
|
||||||
-- certificate = "/path/to/example.crt"
|
|
||||||
|
|
||||||
------ Components ------
|
|
||||||
-- You can specify components to add hosts that provide special services,
|
|
||||||
-- like multi-user conferences, and transports.
|
|
||||||
-- For more information on components, see https://prosody.im/doc/components
|
|
||||||
|
|
||||||
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
|
||||||
--Component "conference.example.com" "muc"
|
|
||||||
--- Store MUC messages in an archive and allow users to access it
|
|
||||||
--modules_enabled = { "muc_mam" }
|
|
||||||
|
|
||||||
---Set up an external component (default component port is 5347)
|
|
||||||
--
|
|
||||||
-- External components allow adding various services, such as gateways/
|
|
||||||
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
|
||||||
-- see: https://prosody.im/doc/components#adding_an_external_component
|
|
||||||
--
|
|
||||||
--Component "gateway.example.com"
|
|
||||||
-- component_secret = "password"
|
|
@ -1,44 +0,0 @@
|
|||||||
|
|
||||||
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
|
||||||
incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:5269" ]
|
|
||||||
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
|
||||||
quic_listen = [ ]
|
|
||||||
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
|
||||||
websocket_listen = [ ]
|
|
||||||
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
|
||||||
outgoing_listen = [ "0.0.0.0:15270" ]
|
|
||||||
|
|
||||||
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
|
||||||
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
|
||||||
|
|
||||||
# c2s port backend XMPP server listens on
|
|
||||||
c2s_target = "192.5.0.20:15222"
|
|
||||||
|
|
||||||
# s2s port backend XMPP server listens on
|
|
||||||
s2s_target = "192.5.0.20:15269"
|
|
||||||
|
|
||||||
# send PROXYv1 header to backend XMPP server
|
|
||||||
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
|
||||||
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
|
||||||
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
|
||||||
proxy = true
|
|
||||||
|
|
||||||
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
|
||||||
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
|
||||||
# xmpp-proxy will use this many bytes + 16k per connection
|
|
||||||
max_stanza_size_bytes = 262_144
|
|
||||||
|
|
||||||
# TLS key/certificate valid for all your XMPP domains, PEM format
|
|
||||||
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
|
||||||
tls_key = "/etc/prosody/certs/one.example.org.key"
|
|
||||||
tls_cert = "/etc/prosody/certs/one.example.org.crt"
|
|
||||||
|
|
||||||
# configure logging, defaults are commented
|
|
||||||
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
|
||||||
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
|
||||||
#log_level = "info"
|
|
||||||
# for development/debugging:
|
|
||||||
log_level = "info,xmpp_proxy=trace"
|
|
||||||
|
|
||||||
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
|
||||||
#log_style = "never"
|
|
@ -1,44 +0,0 @@
|
|||||||
|
|
||||||
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
|
||||||
incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:5269" ]
|
|
||||||
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
|
||||||
quic_listen = [ ]
|
|
||||||
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
|
||||||
websocket_listen = [ ]
|
|
||||||
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
|
||||||
outgoing_listen = [ "0.0.0.0:15270" ]
|
|
||||||
|
|
||||||
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
|
||||||
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
|
||||||
|
|
||||||
# c2s port backend XMPP server listens on
|
|
||||||
c2s_target = "192.5.0.30:15222"
|
|
||||||
|
|
||||||
# s2s port backend XMPP server listens on
|
|
||||||
s2s_target = "192.5.0.30:15269"
|
|
||||||
|
|
||||||
# send PROXYv1 header to backend XMPP server
|
|
||||||
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
|
||||||
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
|
||||||
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
|
||||||
proxy = true
|
|
||||||
|
|
||||||
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
|
||||||
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
|
||||||
# xmpp-proxy will use this many bytes + 16k per connection
|
|
||||||
max_stanza_size_bytes = 262_144
|
|
||||||
|
|
||||||
# TLS key/certificate valid for all your XMPP domains, PEM format
|
|
||||||
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
|
||||||
tls_key = "/etc/prosody/certs/two.example.org.key"
|
|
||||||
tls_cert = "/etc/prosody/certs/two.example.org.crt"
|
|
||||||
|
|
||||||
# configure logging, defaults are commented
|
|
||||||
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
|
||||||
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
|
||||||
#log_level = "info"
|
|
||||||
# for development/debugging:
|
|
||||||
log_level = "info,xmpp_proxy=trace"
|
|
||||||
|
|
||||||
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
|
||||||
#log_style = "never"
|
|
@ -1,44 +0,0 @@
|
|||||||
|
|
||||||
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
|
||||||
incoming_listen = [ ]
|
|
||||||
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
|
||||||
quic_listen = [ ]
|
|
||||||
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
|
||||||
websocket_listen = [ ]
|
|
||||||
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
|
||||||
outgoing_listen = [ "0.0.0.0:5222" ]
|
|
||||||
|
|
||||||
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
|
||||||
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
|
||||||
|
|
||||||
# c2s port backend XMPP server listens on
|
|
||||||
c2s_target = "127.0.0.1:15222"
|
|
||||||
|
|
||||||
# s2s port backend XMPP server listens on
|
|
||||||
s2s_target = "127.0.0.1:15269"
|
|
||||||
|
|
||||||
# send PROXYv1 header to backend XMPP server
|
|
||||||
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
|
||||||
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
|
||||||
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
|
||||||
proxy = true
|
|
||||||
|
|
||||||
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
|
||||||
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
|
||||||
# xmpp-proxy will use this many bytes + 16k per connection
|
|
||||||
max_stanza_size_bytes = 262_144
|
|
||||||
|
|
||||||
# TLS key/certificate valid for all your XMPP domains, PEM format
|
|
||||||
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
|
||||||
tls_key = "/etc/certs/rsa/one.example.org.key"
|
|
||||||
tls_cert = "/etc/certs/rsa/one.example.org.crt"
|
|
||||||
|
|
||||||
# configure logging, defaults are commented
|
|
||||||
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
|
||||||
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
|
||||||
#log_level = "info"
|
|
||||||
# for development/debugging:
|
|
||||||
log_level = "info,xmpp_proxy=trace"
|
|
||||||
|
|
||||||
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
|
||||||
#log_style = "never"
|
|
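--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,23 +0,0 @@
-$TTL 300
-; example.org
-@ IN SOA ns1.example.org. postmaster.example.org. (
-2018111111 ; Serial
-28800 ; Refresh
-1800 ; Retry
-604800 ; Expire - 1 week
-86400 ) ; Negative Cache TTL
-IN NS ns1
-ns1 IN A 192.5.0.10
-server1 IN A 192.5.0.20
-server2 IN A 192.5.0.30
-xp1 IN A 192.5.0.40
-xp2 IN A 192.5.0.50
-xp3 IN A 192.5.0.60
-
-one IN CNAME xp1
-two IN CNAME xp2
-_xmpp-server._tcp.one IN SRV 5 1 52269 xp1
-_xmpp-server._tcp.two IN SRV 5 1 52269 xp2
-
-scansion.one IN CNAME xp3
-scansion.two IN CNAME xp3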
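--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,251 +0,0 @@
---Important for systemd
--- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
-daemonize = false
-run_as_root = true
-
-pidfile = "/run/prosody/prosody.pid"
-
-plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
-
--- Prosody Example Configuration File
---
--- Information on configuring Prosody can be found on our
--- website at https://prosody.im/doc/configure
---
--- Tip: You can check that the syntax of this file is correct
--- when you have finished by running this command:
--- prosodyctl check config
--- If there are any errors, it will let you know what and where
--- they are, otherwise it will keep quiet.
---
--- The only thing left to do is rename this file to remove the .dist ending, and fill in the
--- blanks. Good luck, and happy Jabbering!
-
-
----------- Server-wide settings ----------
--- Settings in this section apply to the whole server and are the default settings
--- for any virtual hosts
-
--- This is a (by default, empty) list of accounts that are admins
--- for the server. Note that you must create the accounts separately
--- (see https://prosody.im/doc/creating_accounts for info)
--- Example: admins = { "user1@example.com", "user2@example.net" }
-admins = { }
-
--- Enable use of libevent for better performance under high load
--- For more information see: https://prosody.im/doc/libevent
---use_libevent = true
-
--- Prosody will always look in its source directory for modules, but
--- this option allows you to specify additional locations where Prosody
--- will look for modules first. For community modules, see https://modules.prosody.im/
---plugin_paths = {}
-
--- This is the list of modules Prosody will load on startup.
--- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
--- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
-modules_enabled = {
-
--- Generally required
-"roster"; -- Allow users to have a roster. Recommended ;)
-"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
---"tls"; -- Add support for secure TLS on c2s/s2s connections
---"dialback"; -- s2s dialback support
-"disco"; -- Service discovery
-
--- Not essential, but recommended
-"carbons"; -- Keep multiple clients in sync
-"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
-"private"; -- Private XML storage (for room bookmarks, etc.)
-"blocklist"; -- Allow users to block communications with other users
-"vcard4"; -- User profiles (stored in PEP)
-"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
-"limits"; -- Enable bandwidth limiting for XMPP connections
-
--- Nice to have
-"version"; -- Replies to server version requests
-"uptime"; -- Report how long server has been running
-"time"; -- Let others know the time here on this server
-"ping"; -- Replies to XMPP pings with pongs
-"register"; -- Allow users to register on this server using a client and change passwords
---"mam"; -- Store messages in an archive and allow users to access it
---"csi_simple"; -- Simple Mobile optimizations
-
--- Admin interfaces
-"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
---"admin_telnet"; -- Opens telnet console interface on localhost port 5582
-
--- HTTP modules
---"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
---"websocket"; -- XMPP over WebSockets
---"http_files"; -- Serve static files from a directory over HTTP
-
--- Other specific functionality
---"groups"; -- Shared roster support
---"server_contact_info"; -- Publish contact information for this service
---"announce"; -- Send announcement to all online users
---"welcome"; -- Welcome users who register accounts
---"watchregistrations"; -- Alert admins of registrations
---"motd"; -- Send a message to users when they log in
---"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
---"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
-"net_proxy";
-"s2s_outgoing_proxy";
-}
-
--- These modules are auto-loaded, but should you want
--- to disable them then uncomment them here:
-modules_disabled = {
--- "offline"; -- Store offline messages
--- "c2s"; -- Handle client connections
--- "s2s"; -- Handle server-to-server connections
--- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
-}
-
--- Disable account creation by default, for security
--- For more information see https://prosody.im/doc/creating_accounts
-allow_registration = false
-
--- we don't need prosody doing any encryption, xmpp-proxy does this now
--- these are likely set to true somewhere in your file, find them, make them false
--- you can also remove all certificates from your config
-s2s_require_encryption = false
-s2s_secure_auth = false
-
--- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
-s2s_outgoing_proxy = { "192.5.0.40", 15270 }
-
--- handle PROXY protocol on these ports
-proxy_port_mappings = {
-[15222] = "c2s",
-[15269] = "s2s"
-}
-
---[[
-Specifies a list of trusted hosts or networks which may use the PROXY protocol
-If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
-An empty table ({}) can be configured to allow connections from any source.
-Please read the module documentation about potential security impact.
-]]--
-proxy_trusted_proxies = {
-"192.5.0.40"
-}
-
--- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
--- you might need to comment these out further down in your config file if you set them
-c2s_ports = {}
-legacy_ssl_ports = {}
--- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
-s2s_ports = {15268}
-
--- Force clients to use encrypted connections? This option will
--- prevent clients from authenticating unless they are using encryption.
-
-c2s_require_encryption = false
-allow_unencrypted_plain_auth = true
-
--- Some servers have invalid or self-signed certificates. You can list
--- remote domains here that will not be required to authenticate using
--- certificates. They will be authenticated using DNS instead, even
--- when s2s_secure_auth is enabled.
-
---s2s_insecure_domains = { "insecure.example" }
-
--- Even if you disable s2s_secure_auth, you can still require valid
--- certificates for some domains by specifying a list here.
-
---s2s_secure_domains = { "jabber.org" }
-
--- Enable rate limits for incoming client and server connections
-
-limits = {
-c2s = {
-rate = "10kb/s";
-};
-s2sin = {
-rate = "30kb/s";
-};
-}
-
--- Select the authentication backend to use. The 'internal' providers
--- use Prosody's configured data storage to store the authentication data.
-
-authentication = "internal_hashed"
-
--- Select the storage backend to use. By default Prosody uses flat files
--- in its configured data directory, but it also supports more backends
--- through modules. An "sql" backend is included by default, but requires
--- additional dependencies. See https://prosody.im/doc/storage for more info.
-
---storage = "sql" -- Default is "internal"
-
--- For the "sql" backend, you can uncomment *one* of the below to configure:
---sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
---sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
---sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
-
-
--- Archiving configuration
--- If mod_mam is enabled, Prosody will store a copy of every message. This
--- is used to synchronize conversations between multiple clients, even if
--- they are offline. This setting controls how long Prosody will keep
--- messages in the archive before removing them.
-
-archive_expires_after = "1w" -- Remove archived messages after 1 week
-
--- You can also configure messages to be stored in-memory only. For more
--- archiving options, see https://prosody.im/doc/modules/mod_mam
-
--- Logging configuration
--- For advanced logging see https://prosody.im/doc/logging
-log = {
--- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
--- error = "prosody.err";
---info = "*syslog"; -- Uncomment this for logging to syslog
-debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
-}
-
--- Uncomment to enable statistics
--- For more info see https://prosody.im/doc/statistics
--- statistics = "internal"
-
--- Certificates
--- Every virtual host and component needs a certificate so that clients and
--- servers can securely verify its identity. Prosody will automatically load
--- certificates/keys from the directory specified here.
--- For more information, including how to use 'prosodyctl' to auto-import certificates
--- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
-
--- Location of directory to find certificates in (relative to main config file):
-certificates = "certs"
-
--- HTTPS currently only supports a single certificate, specify it here:
---https_certificate = "/etc/prosody/certs/localhost.crt"
-
----------- Virtual hosts -----------
--- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
--- Settings under each VirtualHost entry apply *only* to that host.
-
-VirtualHost "one.example.org"
-
---VirtualHost "example.com"
--- certificate = "/path/to/example.crt"
-
------- Components ------
--- You can specify components to add hosts that provide special services,
--- like multi-user conferences, and transports.
--- For more information on components, see https://prosody.im/doc/components
-
----Set up a MUC (multi-user chat) room server on conference.example.com:
---Component "conference.example.com" "muc"
---- Store MUC messages in an archive and allow users to access it
---modules_enabled = { "muc_mam" }
-
----Set up an external component (default component port is 5347)
---
--- External components allow adding various services, such as gateways/
--- transports to other networks like ICQ, MSN and Yahoo. For more info
--- see: https://prosody.im/doc/components#adding_an_external_component
---
---Component "gateway.example.com"
--- component_secret = "password"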
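--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,251 +0,0 @@
---Important for systemd
--- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
-daemonize = false
-run_as_root = true
-
-pidfile = "/run/prosody/prosody.pid"
-
-plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
-
--- Prosody Example Configuration File
---
--- Information on configuring Prosody can be found on our
--- website at https://prosody.im/doc/configure
---
--- Tip: You can check that the syntax of this file is correct
--- when you have finished by running this command:
--- prosodyctl check config
--- If there are any errors, it will let you know what and where
--- they are, otherwise it will keep quiet.
---
--- The only thing left to do is rename this file to remove the .dist ending, and fill in the
--- blanks. Good luck, and happy Jabbering!
-
-
----------- Server-wide settings ----------
--- Settings in this section apply to the whole server and are the default settings
--- for any virtual hosts
-
--- This is a (by default, empty) list of accounts that are admins
--- for the server. Note that you must create the accounts separately
--- (see https://prosody.im/doc/creating_accounts for info)
--- Example: admins = { "user1@example.com", "user2@example.net" }
-admins = { }
-
--- Enable use of libevent for better performance under high load
--- For more information see: https://prosody.im/doc/libevent
---use_libevent = true
-
--- Prosody will always look in its source directory for modules, but
--- this option allows you to specify additional locations where Prosody
--- will look for modules first. For community modules, see https://modules.prosody.im/
---plugin_paths = {}
-
--- This is the list of modules Prosody will load on startup.
--- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
--- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
-modules_enabled = {
-
--- Generally required
-"roster"; -- Allow users to have a roster. Recommended ;)
-"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
---"tls"; -- Add support for secure TLS on c2s/s2s connections
---"dialback"; -- s2s dialback support
-"disco"; -- Service discovery
-
--- Not essential, but recommended
-"carbons"; -- Keep multiple clients in sync
-"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
-"private"; -- Private XML storage (for room bookmarks, etc.)
-"blocklist"; -- Allow users to block communications with other users
-"vcard4"; -- User profiles (stored in PEP)
-"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
-"limits"; -- Enable bandwidth limiting for XMPP connections
-
--- Nice to have
-"version"; -- Replies to server version requests
-"uptime"; -- Report how long server has been running
-"time"; -- Let others know the time here on this server
-"ping"; -- Replies to XMPP pings with pongs
-"register"; -- Allow users to register on this server using a client and change passwords
---"mam"; -- Store messages in an archive and allow users to access it
---"csi_simple"; -- Simple Mobile optimizations
-
--- Admin interfaces
-"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
---"admin_telnet"; -- Opens telnet console interface on localhost port 5582
-
--- HTTP modules
---"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
---"websocket"; -- XMPP over WebSockets
---"http_files"; -- Serve static files from a directory over HTTP
-
--- Other specific functionality
---"groups"; -- Shared roster support
---"server_contact_info"; -- Publish contact information for this service
---"announce"; -- Send announcement to all online users
---"welcome"; -- Welcome users who register accounts
---"watchregistrations"; -- Alert admins of registrations
---"motd"; -- Send a message to users when they log in
---"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
---"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
-"net_proxy";
-"s2s_outgoing_proxy";
-}
-
--- These modules are auto-loaded, but should you want
--- to disable them then uncomment them here:
-modules_disabled = {
--- "offline"; -- Store offline messages
--- "c2s"; -- Handle client connections
--- "s2s"; -- Handle server-to-server connections
--- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
-}
-
--- Disable account creation by default, for security
--- For more information see https://prosody.im/doc/creating_accounts
-allow_registration = false
-
--- we don't need prosody doing any encryption, xmpp-proxy does this now
--- these are likely set to true somewhere in your file, find them, make them false
--- you can also remove all certificates from your config
-s2s_require_encryption = false
-s2s_secure_auth = false
-
--- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
-s2s_outgoing_proxy = { "192.5.0.50", 15270 }
-
--- handle PROXY protocol on these ports
-proxy_port_mappings = {
-[15222] = "c2s",
-[15269] = "s2s"
-}
-
---[[
-Specifies a list of trusted hosts or networks which may use the PROXY protocol
-If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
-An empty table ({}) can be configured to allow connections from any source.
-Please read the module documentation about potential security impact.
-]]--
-proxy_trusted_proxies = {
-"192.5.0.50"
-}
-
--- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
--- you might need to comment these out further down in your config file if you set them
-c2s_ports = {}
-legacy_ssl_ports = {}
--- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
-s2s_ports = {15268}
-
--- Force clients to use encrypted connections? This option will
--- prevent clients from authenticating unless they are using encryption.
-
-c2s_require_encryption = false
-allow_unencrypted_plain_auth = true
-
--- Some servers have invalid or self-signed certificates. You can list
--- remote domains here that will not be required to authenticate using
--- certificates. They will be authenticated using DNS instead, even
--- when s2s_secure_auth is enabled.
-
---s2s_insecure_domains = { "insecure.example" }
-
--- Even if you disable s2s_secure_auth, you can still require valid
--- certificates for some domains by specifying a list here.
-
---s2s_secure_domains = { "jabber.org" }
-
--- Enable rate limits for incoming client and server connections
-
-limits = {
-c2s = {
-rate = "10kb/s";
-};
-s2sin = {
-rate = "30kb/s";
-};
-}
-
--- Select the authentication backend to use. The 'internal' providers
--- use Prosody's configured data storage to store the authentication data.
-
-authentication = "internal_hashed"
-
--- Select the storage backend to use. By default Prosody uses flat files
--- in its configured data directory, but it also supports more backends
--- through modules. An "sql" backend is included by default, but requires
--- additional dependencies. See https://prosody.im/doc/storage for more info.
-
---storage = "sql" -- Default is "internal"
-
--- For the "sql" backend, you can uncomment *one* of the below to configure:
---sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
---sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
---sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
-
-
--- Archiving configuration
--- If mod_mam is enabled, Prosody will store a copy of every message. This
--- is used to synchronize conversations between multiple clients, even if
--- they are offline. This setting controls how long Prosody will keep
--- messages in the archive before removing them.
-
-archive_expires_after = "1w" -- Remove archived messages after 1 week
-
--- You can also configure messages to be stored in-memory only. For more
--- archiving options, see https://prosody.im/doc/modules/mod_mam
-
--- Logging configuration
--- For advanced logging see https://prosody.im/doc/logging
-log = {
--- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
--- error = "prosody.err";
---info = "*syslog"; -- Uncomment this for logging to syslog
-debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
-}
-
--- Uncomment to enable statistics
--- For more info see https://prosody.im/doc/statistics
--- statistics = "internal"
-
--- Certificates
--- Every virtual host and component needs a certificate so that clients and
--- servers can securely verify its identity. Prosody will automatically load
--- certificates/keys from the directory specified here.
--- For more information, including how to use 'prosodyctl' to auto-import certificates
--- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
-
--- Location of directory to find certificates in (relative to main config file):
-certificates = "certs"
-
--- HTTPS currently only supports a single certificate, specify it here:
---https_certificate = "/etc/prosody/certs/localhost.crt"
-
----------- Virtual hosts -----------
--- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
--- Settings under each VirtualHost entry apply *only* to that host.
-
-VirtualHost "two.example.org"
-
---VirtualHost "example.com"
--- certificate = "/path/to/example.crt"
-
------- Components ------
--- You can specify components to add hosts that provide special services,
--- like multi-user conferences, and transports.
--- For more information on components, see https://prosody.im/doc/components
-
----Set up a MUC (multi-user chat) room server on conference.example.com:
---Component "conference.example.com" "muc"
---- Store MUC messages in an archive and allow users to access it
---modules_enabled = { "muc_mam" }
-
----Set up an external component (default component port is 5347)
---
--- External components allow adding various services, such as gateways/
--- transports to other networks like ICQ, MSN and Yahoo. For more info
--- see: https://prosody.im/doc/components#adding_an_external_component
---
---Component "gateway.example.com"
--- component_secret = "password"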
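--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,44 +0,0 @@
-
-# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
-incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:52269" ]
-# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
-quic_listen = [ ]
-# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
-websocket_listen = [ ]
-# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
-outgoing_listen = [ "0.0.0.0:15270" ]
-
-# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
-# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
-
-# c2s port backend XMPP server listens on
-c2s_target = "192.5.0.20:15222"
-
-# s2s port backend XMPP server listens on
-s2s_target = "192.5.0.20:15269"
-
-# send PROXYv1 header to backend XMPP server
-# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
-# prosody module: https://modules.prosody.im/mod_net_proxy.html
-# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
-proxy = true
-
-# limit incoming stanzas to this many bytes, default to ejabberd's default
-# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
-# xmpp-proxy will use this many bytes + 16k per connection
-max_stanza_size_bytes = 262_144
-
-# TLS key/certificate valid for all your XMPP domains, PEM format
-# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
-tls_key = "/etc/prosody/certs/one.example.org.key"
-tls_cert = "/etc/prosody/certs/one.example.org.crt"
-
-# configure logging, defaults are commented
-# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
-# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
-#log_level = "info"
-# for development/debugging:
-log_level = "info,xmpp_proxy=trace"
-
-# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
-#log_style = "never"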
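--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,44 +0,0 @@
-
-# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
-incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:52269" ]
-# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
-quic_listen = [ ]
-# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
-websocket_listen = [ ]
-# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
-outgoing_listen = [ "0.0.0.0:15270" ]
-
-# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
-# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
-
-# c2s port backend XMPP server listens on
-c2s_target = "192.5.0.30:15222"
-
-# s2s port backend XMPP server listens on
-s2s_target = "192.5.0.30:15269"
-
-# send PROXYv1 header to backend XMPP server
-# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
-# prosody module: https://modules.prosody.im/mod_net_proxy.html
-# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
-proxy = true
-
-# limit incoming stanzas to this many bytes, default to ejabberd's default
-# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
-# xmpp-proxy will use this many bytes + 16k per connection
-max_stanza_size_bytes = 262_144
-
-# TLS key/certificate valid for all your XMPP domains, PEM format
-# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
-tls_key = "/etc/prosody/certs/two.example.org.key"
-tls_cert = "/etc/prosody/certs/two.example.org.crt"
-
-# configure logging, defaults are commented
-# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
-# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
-#log_level = "info"
-# for development/debugging:
-log_level = "info,xmpp_proxy=trace"
-
-# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
-#log_style = "never"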
@ -1,44 +0,0 @@
|
|||||||
|
|
||||||
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
|
||||||
incoming_listen = [ ]
|
|
||||||
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
|
||||||
quic_listen = [ ]
|
|
||||||
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
|
||||||
websocket_listen = [ ]
|
|
||||||
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
|
||||||
outgoing_listen = [ "0.0.0.0:5222" ]
|
|
||||||
|
|
||||||
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
|
||||||
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
|
||||||
|
|
||||||
# c2s port backend XMPP server listens on
|
|
||||||
c2s_target = "127.0.0.1:15222"
|
|
||||||
|
|
||||||
# s2s port backend XMPP server listens on
|
|
||||||
s2s_target = "127.0.0.1:15269"
|
|
||||||
|
|
||||||
# send PROXYv1 header to backend XMPP server
|
|
||||||
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
|
||||||
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
|
||||||
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
|
||||||
proxy = true
|
|
||||||
|
|
||||||
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
|
||||||
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
|
||||||
# xmpp-proxy will use this many bytes + 16k per connection
|
|
||||||
max_stanza_size_bytes = 262_144
|
|
||||||
|
|
||||||
# TLS key/certificate valid for all your XMPP domains, PEM format
|
|
||||||
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
|
||||||
tls_key = "/etc/certs/rsa/one.example.org.key"
|
|
||||||
tls_cert = "/etc/certs/rsa/one.example.org.crt"
|
|
||||||
|
|
||||||
# configure logging, defaults are commented
|
|
||||||
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
|
||||||
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
|
||||||
#log_level = "info"
|
|
||||||
# for development/debugging:
|
|
||||||
log_level = "info,xmpp_proxy=trace"
|
|
||||||
|
|
||||||
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
|
||||||
#log_style = "never"
|
|
@ -1,21 +0,0 @@
|
|||||||
$TTL 300
|
|
||||||
; example.org
|
|
||||||
@ IN SOA ns1.example.org. postmaster.example.org. (
|
|
||||||
2018111111 ; Serial
|
|
||||||
28800 ; Refresh
|
|
||||||
1800 ; Retry
|
|
||||||
604800 ; Expire - 1 week
|
|
||||||
86400 ) ; Negative Cache TTL
|
|
||||||
IN NS ns1
|
|
||||||
ns1 IN A 192.5.0.10
|
|
||||||
server1 IN A 192.5.0.20
|
|
||||||
server2 IN A 192.5.0.30
|
|
||||||
xp1 IN A 192.5.0.40
|
|
||||||
xp2 IN A 192.5.0.50
|
|
||||||
xp3 IN A 192.5.0.60
|
|
||||||
|
|
||||||
one IN CNAME xp1
|
|
||||||
two IN CNAME xp2
|
|
||||||
|
|
||||||
scansion.one IN CNAME xp3
|
|
||||||
scansion.two IN CNAME xp3
|
|
@ -1,251 +0,0 @@
|
|||||||
--Important for systemd
|
|
||||||
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
|
||||||
daemonize = false
|
|
||||||
run_as_root = true
|
|
||||||
|
|
||||||
pidfile = "/run/prosody/prosody.pid"
|
|
||||||
|
|
||||||
plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
|
|
||||||
|
|
||||||
-- Prosody Example Configuration File
|
|
||||||
--
|
|
||||||
-- Information on configuring Prosody can be found on our
|
|
||||||
-- website at https://prosody.im/doc/configure
|
|
||||||
--
|
|
||||||
-- Tip: You can check that the syntax of this file is correct
|
|
||||||
-- when you have finished by running this command:
|
|
||||||
-- prosodyctl check config
|
|
||||||
-- If there are any errors, it will let you know what and where
|
|
||||||
-- they are, otherwise it will keep quiet.
|
|
||||||
--
|
|
||||||
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
|
||||||
-- blanks. Good luck, and happy Jabbering!
|
|
||||||
|
|
||||||
|
|
||||||
---------- Server-wide settings ----------
|
|
||||||
-- Settings in this section apply to the whole server and are the default settings
|
|
||||||
-- for any virtual hosts
|
|
||||||
|
|
||||||
-- This is a (by default, empty) list of accounts that are admins
|
|
||||||
-- for the server. Note that you must create the accounts separately
|
|
||||||
-- (see https://prosody.im/doc/creating_accounts for info)
|
|
||||||
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
|
||||||
admins = { }
|
|
||||||
|
|
||||||
-- Enable use of libevent for better performance under high load
|
|
||||||
-- For more information see: https://prosody.im/doc/libevent
|
|
||||||
--use_libevent = true
|
|
||||||
|
|
||||||
-- Prosody will always look in its source directory for modules, but
|
|
||||||
-- this option allows you to specify additional locations where Prosody
|
|
||||||
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
|
||||||
--plugin_paths = {}
|
|
||||||
|
|
||||||
-- This is the list of modules Prosody will load on startup.
|
|
||||||
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
|
||||||
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
|
||||||
modules_enabled = {
|
|
||||||
|
|
||||||
-- Generally required
|
|
||||||
"roster"; -- Allow users to have a roster. Recommended ;)
|
|
||||||
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
|
||||||
--"tls"; -- Add support for secure TLS on c2s/s2s connections
|
|
||||||
--"dialback"; -- s2s dialback support
|
|
||||||
"disco"; -- Service discovery
|
|
||||||
|
|
||||||
-- Not essential, but recommended
|
|
||||||
"carbons"; -- Keep multiple clients in sync
|
|
||||||
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
|
||||||
"private"; -- Private XML storage (for room bookmarks, etc.)
|
|
||||||
"blocklist"; -- Allow users to block communications with other users
|
|
||||||
"vcard4"; -- User profiles (stored in PEP)
|
|
||||||
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
|
||||||
"limits"; -- Enable bandwidth limiting for XMPP connections
|
|
||||||
|
|
||||||
-- Nice to have
|
|
||||||
"version"; -- Replies to server version requests
|
|
||||||
"uptime"; -- Report how long server has been running
|
|
||||||
"time"; -- Let others know the time here on this server
|
|
||||||
"ping"; -- Replies to XMPP pings with pongs
|
|
||||||
"register"; -- Allow users to register on this server using a client and change passwords
|
|
||||||
--"mam"; -- Store messages in an archive and allow users to access it
|
|
||||||
--"csi_simple"; -- Simple Mobile optimizations
|
|
||||||
|
|
||||||
-- Admin interfaces
|
|
||||||
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
|
||||||
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
|
||||||
|
|
||||||
-- HTTP modules
|
|
||||||
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
|
||||||
--"websocket"; -- XMPP over WebSockets
|
|
||||||
--"http_files"; -- Serve static files from a directory over HTTP
|
|
||||||
|
|
||||||
-- Other specific functionality
|
|
||||||
--"groups"; -- Shared roster support
|
|
||||||
--"server_contact_info"; -- Publish contact information for this service
|
|
||||||
--"announce"; -- Send announcement to all online users
|
|
||||||
--"welcome"; -- Welcome users who register accounts
|
|
||||||
--"watchregistrations"; -- Alert admins of registrations
|
|
||||||
--"motd"; -- Send a message to users when they log in
|
|
||||||
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
|
||||||
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
|
||||||
"net_proxy";
|
|
||||||
"s2s_outgoing_proxy";
|
|
||||||
}
|
|
||||||
|
|
||||||
-- These modules are auto-loaded, but should you want
|
|
||||||
-- to disable them then uncomment them here:
|
|
||||||
modules_disabled = {
|
|
||||||
-- "offline"; -- Store offline messages
|
|
||||||
-- "c2s"; -- Handle client connections
|
|
||||||
-- "s2s"; -- Handle server-to-server connections
|
|
||||||
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Disable account creation by default, for security
|
|
||||||
-- For more information see https://prosody.im/doc/creating_accounts
|
|
||||||
allow_registration = false
|
|
||||||
|
|
||||||
-- we don't need prosody doing any encryption, xmpp-proxy does this now
|
|
||||||
-- these are likely set to true somewhere in your file, find them, make them false
|
|
||||||
-- you can also remove all certificates from your config
|
|
||||||
s2s_require_encryption = false
|
|
||||||
s2s_secure_auth = false
|
|
||||||
|
|
||||||
-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
|
|
||||||
s2s_outgoing_proxy = { "192.5.0.40", 15270 }
|
|
||||||
|
|
||||||
-- handle PROXY protocol on these ports
|
|
||||||
proxy_port_mappings = {
|
|
||||||
[15222] = "c2s",
|
|
||||||
[15269] = "s2s"
|
|
||||||
}
|
|
||||||
|
|
||||||
--[[
|
|
||||||
Specifies a list of trusted hosts or networks which may use the PROXY protocol
|
|
||||||
If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
|
|
||||||
An empty table ({}) can be configured to allow connections from any source.
|
|
||||||
Please read the module documentation about potential security impact.
|
|
||||||
]]--
|
|
||||||
proxy_trusted_proxies = {
|
|
||||||
"192.5.0.40"
|
|
||||||
}
|
|
||||||
|
|
||||||
-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
|
|
||||||
-- you might need to comment these out further down in your config file if you set them
|
|
||||||
c2s_ports = {}
|
|
||||||
legacy_ssl_ports = {}
|
|
||||||
-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
|
|
||||||
s2s_ports = {15268}
|
|
||||||
|
|
||||||
-- Force clients to use encrypted connections? This option will
|
|
||||||
-- prevent clients from authenticating unless they are using encryption.
|
|
||||||
|
|
||||||
c2s_require_encryption = false
|
|
||||||
allow_unencrypted_plain_auth = true
|
|
||||||
|
|
||||||
-- Some servers have invalid or self-signed certificates. You can list
|
|
||||||
-- remote domains here that will not be required to authenticate using
|
|
||||||
-- certificates. They will be authenticated using DNS instead, even
|
|
||||||
-- when s2s_secure_auth is enabled.
|
|
||||||
|
|
||||||
--s2s_insecure_domains = { "insecure.example" }
|
|
||||||
|
|
||||||
-- Even if you disable s2s_secure_auth, you can still require valid
|
|
||||||
-- certificates for some domains by specifying a list here.
|
|
||||||
|
|
||||||
--s2s_secure_domains = { "jabber.org" }
|
|
||||||
|
|
||||||
-- Enable rate limits for incoming client and server connections
|
|
||||||
|
|
||||||
limits = {
|
|
||||||
c2s = {
|
|
||||||
rate = "10kb/s";
|
|
||||||
};
|
|
||||||
s2sin = {
|
|
||||||
rate = "30kb/s";
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Select the authentication backend to use. The 'internal' providers
|
|
||||||
-- use Prosody's configured data storage to store the authentication data.
|
|
||||||
|
|
||||||
authentication = "internal_hashed"
|
|
||||||
|
|
||||||
-- Select the storage backend to use. By default Prosody uses flat files
|
|
||||||
-- in its configured data directory, but it also supports more backends
|
|
||||||
-- through modules. An "sql" backend is included by default, but requires
|
|
||||||
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
|
||||||
|
|
||||||
--storage = "sql" -- Default is "internal"
|
|
||||||
|
|
||||||
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
|
||||||
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
|
||||||
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
|
||||||
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
|
||||||
|
|
||||||
|
|
||||||
-- Archiving configuration
|
|
||||||
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
|
||||||
-- is used to synchronize conversations between multiple clients, even if
|
|
||||||
-- they are offline. This setting controls how long Prosody will keep
|
|
||||||
-- messages in the archive before removing them.
|
|
||||||
|
|
||||||
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
|
||||||
|
|
||||||
-- You can also configure messages to be stored in-memory only. For more
|
|
||||||
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
|
||||||
|
|
||||||
-- Logging configuration
|
|
||||||
-- For advanced logging see https://prosody.im/doc/logging
|
|
||||||
log = {
|
|
||||||
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
|
||||||
-- error = "prosody.err";
|
|
||||||
--info = "*syslog"; -- Uncomment this for logging to syslog
|
|
||||||
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Uncomment to enable statistics
|
|
||||||
-- For more info see https://prosody.im/doc/statistics
|
|
||||||
-- statistics = "internal"
|
|
||||||
|
|
||||||
-- Certificates
|
|
||||||
-- Every virtual host and component needs a certificate so that clients and
|
|
||||||
-- servers can securely verify its identity. Prosody will automatically load
|
|
||||||
-- certificates/keys from the directory specified here.
|
|
||||||
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
|
||||||
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
|
||||||
|
|
||||||
-- Location of directory to find certificates in (relative to main config file):
|
|
||||||
certificates = "certs"
|
|
||||||
|
|
||||||
-- HTTPS currently only supports a single certificate, specify it here:
|
|
||||||
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
|
||||||
|
|
||||||
----------- Virtual hosts -----------
|
|
||||||
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
|
||||||
-- Settings under each VirtualHost entry apply *only* to that host.
|
|
||||||
|
|
||||||
VirtualHost "one.example.org"
|
|
||||||
|
|
||||||
--VirtualHost "example.com"
|
|
||||||
-- certificate = "/path/to/example.crt"
|
|
||||||
|
|
||||||
------ Components ------
|
|
||||||
-- You can specify components to add hosts that provide special services,
|
|
||||||
-- like multi-user conferences, and transports.
|
|
||||||
-- For more information on components, see https://prosody.im/doc/components
|
|
||||||
|
|
||||||
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
|
||||||
--Component "conference.example.com" "muc"
|
|
||||||
--- Store MUC messages in an archive and allow users to access it
|
|
||||||
--modules_enabled = { "muc_mam" }
|
|
||||||
|
|
||||||
---Set up an external component (default component port is 5347)
|
|
||||||
--
|
|
||||||
-- External components allow adding various services, such as gateways/
|
|
||||||
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
|
||||||
-- see: https://prosody.im/doc/components#adding_an_external_component
|
|
||||||
--
|
|
||||||
--Component "gateway.example.com"
|
|
||||||
-- component_secret = "password"
|
|
@ -1,251 +0,0 @@
|
|||||||
--Important for systemd
|
|
||||||
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
|
|
||||||
daemonize = false
|
|
||||||
run_as_root = true
|
|
||||||
|
|
||||||
pidfile = "/run/prosody/prosody.pid"
|
|
||||||
|
|
||||||
plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
|
|
||||||
|
|
||||||
-- Prosody Example Configuration File
|
|
||||||
--
|
|
||||||
-- Information on configuring Prosody can be found on our
|
|
||||||
-- website at https://prosody.im/doc/configure
|
|
||||||
--
|
|
||||||
-- Tip: You can check that the syntax of this file is correct
|
|
||||||
-- when you have finished by running this command:
|
|
||||||
-- prosodyctl check config
|
|
||||||
-- If there are any errors, it will let you know what and where
|
|
||||||
-- they are, otherwise it will keep quiet.
|
|
||||||
--
|
|
||||||
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
|
||||||
-- blanks. Good luck, and happy Jabbering!
|
|
||||||
|
|
||||||
|
|
||||||
---------- Server-wide settings ----------
|
|
||||||
-- Settings in this section apply to the whole server and are the default settings
|
|
||||||
-- for any virtual hosts
|
|
||||||
|
|
||||||
-- This is a (by default, empty) list of accounts that are admins
|
|
||||||
-- for the server. Note that you must create the accounts separately
|
|
||||||
-- (see https://prosody.im/doc/creating_accounts for info)
|
|
||||||
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
|
||||||
admins = { }
|
|
||||||
|
|
||||||
-- Enable use of libevent for better performance under high load
|
|
||||||
-- For more information see: https://prosody.im/doc/libevent
|
|
||||||
--use_libevent = true
|
|
||||||
|
|
||||||
-- Prosody will always look in its source directory for modules, but
|
|
||||||
-- this option allows you to specify additional locations where Prosody
|
|
||||||
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
|
||||||
--plugin_paths = {}
|
|
||||||
|
|
||||||
-- This is the list of modules Prosody will load on startup.
|
|
||||||
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
|
||||||
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
|
||||||
modules_enabled = {
|
|
||||||
|
|
||||||
-- Generally required
|
|
||||||
"roster"; -- Allow users to have a roster. Recommended ;)
|
|
||||||
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
|
||||||
--"tls"; -- Add support for secure TLS on c2s/s2s connections
|
|
||||||
--"dialback"; -- s2s dialback support
|
|
||||||
"disco"; -- Service discovery
|
|
||||||
|
|
||||||
-- Not essential, but recommended
|
|
||||||
"carbons"; -- Keep multiple clients in sync
|
|
||||||
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
|
||||||
"private"; -- Private XML storage (for room bookmarks, etc.)
|
|
||||||
"blocklist"; -- Allow users to block communications with other users
|
|
||||||
"vcard4"; -- User profiles (stored in PEP)
|
|
||||||
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
|
||||||
"limits"; -- Enable bandwidth limiting for XMPP connections
|
|
||||||
|
|
||||||
-- Nice to have
|
|
||||||
"version"; -- Replies to server version requests
|
|
||||||
"uptime"; -- Report how long server has been running
|
|
||||||
"time"; -- Let others know the time here on this server
|
|
||||||
"ping"; -- Replies to XMPP pings with pongs
|
|
||||||
"register"; -- Allow users to register on this server using a client and change passwords
|
|
||||||
--"mam"; -- Store messages in an archive and allow users to access it
|
|
||||||
--"csi_simple"; -- Simple Mobile optimizations
|
|
||||||
|
|
||||||
-- Admin interfaces
|
|
||||||
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
|
||||||
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
|
|
||||||
|
|
||||||
-- HTTP modules
|
|
||||||
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
|
||||||
--"websocket"; -- XMPP over WebSockets
|
|
||||||
--"http_files"; -- Serve static files from a directory over HTTP
|
|
||||||
|
|
||||||
-- Other specific functionality
|
|
||||||
--"groups"; -- Shared roster support
|
|
||||||
--"server_contact_info"; -- Publish contact information for this service
|
|
||||||
--"announce"; -- Send announcement to all online users
|
|
||||||
--"welcome"; -- Welcome users who register accounts
|
|
||||||
--"watchregistrations"; -- Alert admins of registrations
|
|
||||||
--"motd"; -- Send a message to users when they log in
|
|
||||||
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
|
||||||
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
|
||||||
"net_proxy";
|
|
||||||
"s2s_outgoing_proxy";
|
|
||||||
}
|
|
||||||
|
|
||||||
-- These modules are auto-loaded, but should you want
|
|
||||||
-- to disable them then uncomment them here:
|
|
||||||
modules_disabled = {
|
|
||||||
-- "offline"; -- Store offline messages
|
|
||||||
-- "c2s"; -- Handle client connections
|
|
||||||
-- "s2s"; -- Handle server-to-server connections
|
|
||||||
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Disable account creation by default, for security
|
|
||||||
-- For more information see https://prosody.im/doc/creating_accounts
|
|
||||||
allow_registration = false
|
|
||||||
|
|
||||||
-- we don't need prosody doing any encryption, xmpp-proxy does this now
|
|
||||||
-- these are likely set to true somewhere in your file, find them, make them false
|
|
||||||
-- you can also remove all certificates from your config
|
|
||||||
s2s_require_encryption = false
|
|
||||||
s2s_secure_auth = false
|
|
||||||
|
|
||||||
-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
|
|
||||||
s2s_outgoing_proxy = { "192.5.0.50", 15270 }
|
|
||||||
|
|
||||||
-- handle PROXY protocol on these ports
|
|
||||||
proxy_port_mappings = {
|
|
||||||
[15222] = "c2s",
|
|
||||||
[15269] = "s2s"
|
|
||||||
}
|
|
||||||
|
|
||||||
--[[
|
|
||||||
Specifies a list of trusted hosts or networks which may use the PROXY protocol
|
|
||||||
If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
|
|
||||||
An empty table ({}) can be configured to allow connections from any source.
|
|
||||||
Please read the module documentation about potential security impact.
|
|
||||||
]]--
|
|
||||||
proxy_trusted_proxies = {
|
|
||||||
"192.5.0.50"
|
|
||||||
}
|
|
||||||
|
|
||||||
-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
|
|
||||||
-- you might need to comment these out further down in your config file if you set them
|
|
||||||
c2s_ports = {}
|
|
||||||
legacy_ssl_ports = {}
|
|
||||||
-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
|
|
||||||
s2s_ports = {15268}
|
|
||||||
|
|
||||||
-- Force clients to use encrypted connections? This option will
|
|
||||||
-- prevent clients from authenticating unless they are using encryption.
|
|
||||||
|
|
||||||
c2s_require_encryption = false
|
|
||||||
allow_unencrypted_plain_auth = true
|
|
||||||
|
|
||||||
-- Some servers have invalid or self-signed certificates. You can list
|
|
||||||
-- remote domains here that will not be required to authenticate using
|
|
||||||
-- certificates. They will be authenticated using DNS instead, even
|
|
||||||
-- when s2s_secure_auth is enabled.
|
|
||||||
|
|
||||||
--s2s_insecure_domains = { "insecure.example" }
|
|
||||||
|
|
||||||
-- Even if you disable s2s_secure_auth, you can still require valid
|
|
||||||
-- certificates for some domains by specifying a list here.
|
|
||||||
|
|
||||||
--s2s_secure_domains = { "jabber.org" }
|
|
||||||
|
|
||||||
-- Enable rate limits for incoming client and server connections
|
|
||||||
|
|
||||||
limits = {
|
|
||||||
c2s = {
|
|
||||||
rate = "10kb/s";
|
|
||||||
};
|
|
||||||
s2sin = {
|
|
||||||
rate = "30kb/s";
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Select the authentication backend to use. The 'internal' providers
|
|
||||||
-- use Prosody's configured data storage to store the authentication data.
|
|
||||||
|
|
||||||
authentication = "internal_hashed"
|
|
||||||
|
|
||||||
-- Select the storage backend to use. By default Prosody uses flat files
|
|
||||||
-- in its configured data directory, but it also supports more backends
|
|
||||||
-- through modules. An "sql" backend is included by default, but requires
|
|
||||||
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
|
||||||
|
|
||||||
--storage = "sql" -- Default is "internal"
|
|
||||||
|
|
||||||
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
|
||||||
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
|
||||||
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
|
||||||
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
|
||||||
|
|
||||||
|
|
||||||
-- Archiving configuration
|
|
||||||
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
|
||||||
-- is used to synchronize conversations between multiple clients, even if
|
|
||||||
-- they are offline. This setting controls how long Prosody will keep
|
|
||||||
-- messages in the archive before removing them.
|
|
||||||
|
|
||||||
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
|
||||||
|
|
||||||
-- You can also configure messages to be stored in-memory only. For more
|
|
||||||
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
|
||||||
|
|
||||||
-- Logging configuration
|
|
||||||
-- For advanced logging see https://prosody.im/doc/logging
|
|
||||||
log = {
|
|
||||||
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
|
|
||||||
-- error = "prosody.err";
|
|
||||||
--info = "*syslog"; -- Uncomment this for logging to syslog
|
|
||||||
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Uncomment to enable statistics
|
|
||||||
-- For more info see https://prosody.im/doc/statistics
|
|
||||||
-- statistics = "internal"
|
|
||||||
|
|
||||||
-- Certificates
|
|
||||||
-- Every virtual host and component needs a certificate so that clients and
|
|
||||||
-- servers can securely verify its identity. Prosody will automatically load
|
|
||||||
-- certificates/keys from the directory specified here.
|
|
||||||
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
|
||||||
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
|
||||||
|
|
||||||
-- Location of directory to find certificates in (relative to main config file):
|
|
||||||
certificates = "certs"
|
|
||||||
|
|
||||||
-- HTTPS currently only supports a single certificate, specify it here:
|
|
||||||
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
|
||||||
|
|
||||||
----------- Virtual hosts -----------
|
|
||||||
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
|
||||||
-- Settings under each VirtualHost entry apply *only* to that host.
|
|
||||||
|
|
||||||
VirtualHost "two.example.org"
|
|
||||||
|
|
||||||
--VirtualHost "example.com"
|
|
||||||
-- certificate = "/path/to/example.crt"
|
|
||||||
|
|
||||||
------ Components ------
|
|
||||||
-- You can specify components to add hosts that provide special services,
|
|
||||||
-- like multi-user conferences, and transports.
|
|
||||||
-- For more information on components, see https://prosody.im/doc/components
|
|
||||||
|
|
||||||
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
|
||||||
--Component "conference.example.com" "muc"
|
|
||||||
--- Store MUC messages in an archive and allow users to access it
|
|
||||||
--modules_enabled = { "muc_mam" }
|
|
||||||
|
|
||||||
---Set up an external component (default component port is 5347)
|
|
||||||
--
|
|
||||||
-- External components allow adding various services, such as gateways/
|
|
||||||
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
|
||||||
-- see: https://prosody.im/doc/components#adding_an_external_component
|
|
||||||
--
|
|
||||||
--Component "gateway.example.com"
|
|
||||||
-- component_secret = "password"
|
|
@ -1,44 +0,0 @@
|
|||||||
|
|
||||||
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
|
||||||
incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:443" ]
|
|
||||||
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
|
||||||
quic_listen = [ ]
|
|
||||||
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
|
||||||
websocket_listen = [ ]
|
|
||||||
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
|
||||||
outgoing_listen = [ "0.0.0.0:15270" ]
|
|
||||||
|
|
||||||
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
|
||||||
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
|
||||||
|
|
||||||
# c2s port backend XMPP server listens on
|
|
||||||
c2s_target = "192.5.0.20:15222"
|
|
||||||
|
|
||||||
# s2s port backend XMPP server listens on
|
|
||||||
s2s_target = "192.5.0.20:15269"
|
|
||||||
|
|
||||||
# send PROXYv1 header to backend XMPP server
|
|
||||||
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
|
||||||
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
|
||||||
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
|
||||||
proxy = true
|
|
||||||
|
|
||||||
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
|
||||||
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
|
||||||
# xmpp-proxy will use this many bytes + 16k per connection
|
|
||||||
max_stanza_size_bytes = 262_144
|
|
||||||
|
|
||||||
# TLS key/certificate valid for all your XMPP domains, PEM format
|
|
||||||
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
|
||||||
tls_key = "/etc/prosody/certs/one.example.org.key"
|
|
||||||
tls_cert = "/etc/prosody/certs/one.example.org.crt"
|
|
||||||
|
|
||||||
# configure logging, defaults are commented
|
|
||||||
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
|
||||||
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
|
||||||
#log_level = "info"
|
|
||||||
# for development/debugging:
|
|
||||||
log_level = "info,xmpp_proxy=trace"
|
|
||||||
|
|
||||||
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
|
||||||
#log_style = "never"
|
|
@ -1,44 +0,0 @@
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:443" ]
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
quic_listen = [ ]
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
websocket_listen = [ ]
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
outgoing_listen = [ "0.0.0.0:15270" ]
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
# c2s port backend XMPP server listens on
c2s_target = "192.5.0.30:15222"
# s2s port backend XMPP server listens on
s2s_target = "192.5.0.30:15269"
# send PROXYv1 header to backend XMPP server
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
# prosody module: https://modules.prosody.im/mod_net_proxy.html
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
proxy = true
# limit incoming stanzas to this many bytes, default to ejabberd's default
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
# xmpp-proxy will use this many bytes + 16k per connection
max_stanza_size_bytes = 262_144
# TLS key/certificate valid for all your XMPP domains, PEM format
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
tls_key = "/etc/prosody/certs/two.example.org.key"
tls_cert = "/etc/prosody/certs/two.example.org.crt"
# configure logging, defaults are commented
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
#log_level = "info"
# for development/debugging:
log_level = "info,xmpp_proxy=trace"
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
#log_style = "never"
@ -1,44 +0,0 @@
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
incoming_listen = [ ]
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
quic_listen = [ ]
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
websocket_listen = [ ]
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
outgoing_listen = [ "0.0.0.0:5222" ]
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
# c2s port backend XMPP server listens on
c2s_target = "127.0.0.1:15222"
# s2s port backend XMPP server listens on
s2s_target = "127.0.0.1:15269"
# send PROXYv1 header to backend XMPP server
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
# prosody module: https://modules.prosody.im/mod_net_proxy.html
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
proxy = true
# limit incoming stanzas to this many bytes, default to ejabberd's default
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
# xmpp-proxy will use this many bytes + 16k per connection
max_stanza_size_bytes = 262_144
# TLS key/certificate valid for all your XMPP domains, PEM format
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
tls_key = "/etc/certs/rsa/one.example.org.key"
tls_cert = "/etc/certs/rsa/one.example.org.crt"
# configure logging, defaults are commented
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
#log_level = "info"
# for development/debugging:
log_level = "info,xmpp_proxy=trace"
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
#log_style = "never"
@ -1,23 +0,0 @@
$TTL 300
; example.org
@ IN SOA ns1.example.org. postmaster.example.org. (
2018111111 ; Serial
28800 ; Refresh
1800 ; Retry
604800 ; Expire - 1 week
86400 ) ; Negative Cache TTL
IN NS ns1
ns1 IN A 192.5.0.10
server1 IN A 192.5.0.20
server2 IN A 192.5.0.30
xp1 IN A 192.5.0.40
xp2 IN A 192.5.0.50
xp3 IN A 192.5.0.60
one IN CNAME xp1
two IN CNAME xp2
_xmpps-server._tcp.one IN SRV 5 1 52269 xp1
_xmpps-server._tcp.two IN SRV 5 1 52269 xp2
scansion.one IN CNAME xp3
scansion.two IN CNAME xp3
@ -1,251 +0,0 @@
--Important for systemd
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
daemonize = false
run_as_root = true
pidfile = "/run/prosody/prosody.pid"
plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
-- Prosody Example Configuration File
--
-- Information on configuring Prosody can be found on our
-- website at https://prosody.im/doc/configure
--
-- Tip: You can check that the syntax of this file is correct
-- when you have finished by running this command:
-- prosodyctl check config
-- If there are any errors, it will let you know what and where
-- they are, otherwise it will keep quiet.
--
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
-- blanks. Good luck, and happy Jabbering!
---------- Server-wide settings ----------
-- Settings in this section apply to the whole server and are the default settings
-- for any virtual hosts
-- This is a (by default, empty) list of accounts that are admins
-- for the server. Note that you must create the accounts separately
-- (see https://prosody.im/doc/creating_accounts for info)
-- Example: admins = { "user1@example.com", "user2@example.net" }
admins = { }
-- Enable use of libevent for better performance under high load
-- For more information see: https://prosody.im/doc/libevent
--use_libevent = true
-- Prosody will always look in its source directory for modules, but
-- this option allows you to specify additional locations where Prosody
-- will look for modules first. For community modules, see https://modules.prosody.im/
--plugin_paths = {}
-- This is the list of modules Prosody will load on startup.
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
modules_enabled = {
-- Generally required
"roster"; -- Allow users to have a roster. Recommended ;)
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
--"tls"; -- Add support for secure TLS on c2s/s2s connections
--"dialback"; -- s2s dialback support
"disco"; -- Service discovery
-- Not essential, but recommended
"carbons"; -- Keep multiple clients in sync
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
"private"; -- Private XML storage (for room bookmarks, etc.)
"blocklist"; -- Allow users to block communications with other users
"vcard4"; -- User profiles (stored in PEP)
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
"limits"; -- Enable bandwidth limiting for XMPP connections
-- Nice to have
"version"; -- Replies to server version requests
"uptime"; -- Report how long server has been running
"time"; -- Let others know the time here on this server
"ping"; -- Replies to XMPP pings with pongs
"register"; -- Allow users to register on this server using a client and change passwords
--"mam"; -- Store messages in an archive and allow users to access it
--"csi_simple"; -- Simple Mobile optimizations
-- Admin interfaces
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
-- HTTP modules
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
--"websocket"; -- XMPP over WebSockets
--"http_files"; -- Serve static files from a directory over HTTP
-- Other specific functionality
--"groups"; -- Shared roster support
--"server_contact_info"; -- Publish contact information for this service
--"announce"; -- Send announcement to all online users
--"welcome"; -- Welcome users who register accounts
--"watchregistrations"; -- Alert admins of registrations
--"motd"; -- Send a message to users when they log in
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
"net_proxy";
"s2s_outgoing_proxy";
}
-- These modules are auto-loaded, but should you want
-- to disable them then uncomment them here:
modules_disabled = {
-- "offline"; -- Store offline messages
-- "c2s"; -- Handle client connections
-- "s2s"; -- Handle server-to-server connections
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
}
-- Disable account creation by default, for security
-- For more information see https://prosody.im/doc/creating_accounts
allow_registration = false
-- we don't need prosody doing any encryption, xmpp-proxy does this now
-- these are likely set to true somewhere in your file, find them, make them false
-- you can also remove all certificates from your config
s2s_require_encryption = false
s2s_secure_auth = false
-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
s2s_outgoing_proxy = { "192.5.0.40", 15270 }
-- handle PROXY protocol on these ports
proxy_port_mappings = {
[15222] = "c2s",
[15269] = "s2s"
}
--[[
Specifies a list of trusted hosts or networks which may use the PROXY protocol
If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
An empty table ({}) can be configured to allow connections from any source.
Please read the module documentation about potential security impact.
]]--
proxy_trusted_proxies = {
"192.5.0.40"
}
-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
-- you might need to comment these out further down in your config file if you set them
c2s_ports = {}
legacy_ssl_ports = {}
-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
s2s_ports = {15268}
-- Force clients to use encrypted connections? This option will
-- prevent clients from authenticating unless they are using encryption.
c2s_require_encryption = false
allow_unencrypted_plain_auth = true
-- Some servers have invalid or self-signed certificates. You can list
-- remote domains here that will not be required to authenticate using
-- certificates. They will be authenticated using DNS instead, even
-- when s2s_secure_auth is enabled.
--s2s_insecure_domains = { "insecure.example" }
-- Even if you disable s2s_secure_auth, you can still require valid
-- certificates for some domains by specifying a list here.
--s2s_secure_domains = { "jabber.org" }
-- Enable rate limits for incoming client and server connections
limits = {
c2s = {
rate = "10kb/s";
};
s2sin = {
rate = "30kb/s";
};
}
-- Select the authentication backend to use. The 'internal' providers
-- use Prosody's configured data storage to store the authentication data.
authentication = "internal_hashed"
-- Select the storage backend to use. By default Prosody uses flat files
-- in its configured data directory, but it also supports more backends
-- through modules. An "sql" backend is included by default, but requires
-- additional dependencies. See https://prosody.im/doc/storage for more info.
--storage = "sql" -- Default is "internal"
-- For the "sql" backend, you can uncomment *one* of the below to configure:
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
-- Archiving configuration
-- If mod_mam is enabled, Prosody will store a copy of every message. This
-- is used to synchronize conversations between multiple clients, even if
-- they are offline. This setting controls how long Prosody will keep
-- messages in the archive before removing them.
archive_expires_after = "1w" -- Remove archived messages after 1 week
-- You can also configure messages to be stored in-memory only. For more
-- archiving options, see https://prosody.im/doc/modules/mod_mam
-- Logging configuration
-- For advanced logging see https://prosody.im/doc/logging
log = {
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
-- error = "prosody.err";
--info = "*syslog"; -- Uncomment this for logging to syslog
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
}
-- Uncomment to enable statistics
-- For more info see https://prosody.im/doc/statistics
-- statistics = "internal"
-- Certificates
-- Every virtual host and component needs a certificate so that clients and
-- servers can securely verify its identity. Prosody will automatically load
-- certificates/keys from the directory specified here.
-- For more information, including how to use 'prosodyctl' to auto-import certificates
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
-- Location of directory to find certificates in (relative to main config file):
certificates = "certs"
-- HTTPS currently only supports a single certificate, specify it here:
--https_certificate = "/etc/prosody/certs/localhost.crt"
----------- Virtual hosts -----------
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
-- Settings under each VirtualHost entry apply *only* to that host.
VirtualHost "one.example.org"
--VirtualHost "example.com"
-- certificate = "/path/to/example.crt"
------ Components ------
-- You can specify components to add hosts that provide special services,
-- like multi-user conferences, and transports.
-- For more information on components, see https://prosody.im/doc/components
---Set up a MUC (multi-user chat) room server on conference.example.com:
--Component "conference.example.com" "muc"
--- Store MUC messages in an archive and allow users to access it
--modules_enabled = { "muc_mam" }
---Set up an external component (default component port is 5347)
--
-- External components allow adding various services, such as gateways/
-- transports to other networks like ICQ, MSN and Yahoo. For more info
-- see: https://prosody.im/doc/components#adding_an_external_component
--
--Component "gateway.example.com"
-- component_secret = "password"
@ -1,251 +0,0 @@
--Important for systemd
-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
daemonize = false
run_as_root = true
pidfile = "/run/prosody/prosody.pid"
plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
-- Prosody Example Configuration File
--
-- Information on configuring Prosody can be found on our
-- website at https://prosody.im/doc/configure
--
-- Tip: You can check that the syntax of this file is correct
-- when you have finished by running this command:
-- prosodyctl check config
-- If there are any errors, it will let you know what and where
-- they are, otherwise it will keep quiet.
--
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
-- blanks. Good luck, and happy Jabbering!
---------- Server-wide settings ----------
-- Settings in this section apply to the whole server and are the default settings
-- for any virtual hosts
-- This is a (by default, empty) list of accounts that are admins
-- for the server. Note that you must create the accounts separately
-- (see https://prosody.im/doc/creating_accounts for info)
-- Example: admins = { "user1@example.com", "user2@example.net" }
admins = { }
-- Enable use of libevent for better performance under high load
-- For more information see: https://prosody.im/doc/libevent
--use_libevent = true
-- Prosody will always look in its source directory for modules, but
-- this option allows you to specify additional locations where Prosody
-- will look for modules first. For community modules, see https://modules.prosody.im/
--plugin_paths = {}
-- This is the list of modules Prosody will load on startup.
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
modules_enabled = {
-- Generally required
"roster"; -- Allow users to have a roster. Recommended ;)
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
--"tls"; -- Add support for secure TLS on c2s/s2s connections
--"dialback"; -- s2s dialback support
"disco"; -- Service discovery
-- Not essential, but recommended
"carbons"; -- Keep multiple clients in sync
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
"private"; -- Private XML storage (for room bookmarks, etc.)
"blocklist"; -- Allow users to block communications with other users
"vcard4"; -- User profiles (stored in PEP)
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
"limits"; -- Enable bandwidth limiting for XMPP connections
-- Nice to have
"version"; -- Replies to server version requests
"uptime"; -- Report how long server has been running
"time"; -- Let others know the time here on this server
"ping"; -- Replies to XMPP pings with pongs
"register"; -- Allow users to register on this server using a client and change passwords
--"mam"; -- Store messages in an archive and allow users to access it
--"csi_simple"; -- Simple Mobile optimizations
-- Admin interfaces
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
-- HTTP modules
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
--"websocket"; -- XMPP over WebSockets
--"http_files"; -- Serve static files from a directory over HTTP
-- Other specific functionality
--"groups"; -- Shared roster support
--"server_contact_info"; -- Publish contact information for this service
--"announce"; -- Send announcement to all online users
--"welcome"; -- Welcome users who register accounts
--"watchregistrations"; -- Alert admins of registrations
--"motd"; -- Send a message to users when they log in
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
"net_proxy";
"s2s_outgoing_proxy";
}
-- These modules are auto-loaded, but should you want
-- to disable them then uncomment them here:
modules_disabled = {
-- "offline"; -- Store offline messages
-- "c2s"; -- Handle client connections
-- "s2s"; -- Handle server-to-server connections
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
}
-- Disable account creation by default, for security
-- For more information see https://prosody.im/doc/creating_accounts
allow_registration = false
-- we don't need prosody doing any encryption, xmpp-proxy does this now
-- these are likely set to true somewhere in your file, find them, make them false
-- you can also remove all certificates from your config
s2s_require_encryption = false
s2s_secure_auth = false
-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
s2s_outgoing_proxy = { "192.5.0.50", 15270 }
-- handle PROXY protocol on these ports
proxy_port_mappings = {
[15222] = "c2s",
[15269] = "s2s"
}
--[[
Specifies a list of trusted hosts or networks which may use the PROXY protocol
If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
An empty table ({}) can be configured to allow connections from any source.
Please read the module documentation about potential security impact.
]]--
proxy_trusted_proxies = {
"192.5.0.50"
}
-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
-- you might need to comment these out further down in your config file if you set them
c2s_ports = {}
legacy_ssl_ports = {}
-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
s2s_ports = {15268}
-- Force clients to use encrypted connections? This option will
-- prevent clients from authenticating unless they are using encryption.
c2s_require_encryption = false
allow_unencrypted_plain_auth = true
-- Some servers have invalid or self-signed certificates. You can list
-- remote domains here that will not be required to authenticate using
-- certificates. They will be authenticated using DNS instead, even
-- when s2s_secure_auth is enabled.
--s2s_insecure_domains = { "insecure.example" }
-- Even if you disable s2s_secure_auth, you can still require valid
-- certificates for some domains by specifying a list here.
--s2s_secure_domains = { "jabber.org" }
-- Enable rate limits for incoming client and server connections
limits = {
c2s = {
rate = "10kb/s";
};
s2sin = {
rate = "30kb/s";
};
}
-- Select the authentication backend to use. The 'internal' providers
-- use Prosody's configured data storage to store the authentication data.
authentication = "internal_hashed"
-- Select the storage backend to use. By default Prosody uses flat files
-- in its configured data directory, but it also supports more backends
-- through modules. An "sql" backend is included by default, but requires
-- additional dependencies. See https://prosody.im/doc/storage for more info.
--storage = "sql" -- Default is "internal"
-- For the "sql" backend, you can uncomment *one* of the below to configure:
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
-- Archiving configuration
-- If mod_mam is enabled, Prosody will store a copy of every message. This
-- is used to synchronize conversations between multiple clients, even if
-- they are offline. This setting controls how long Prosody will keep
-- messages in the archive before removing them.
archive_expires_after = "1w" -- Remove archived messages after 1 week
-- You can also configure messages to be stored in-memory only. For more
-- archiving options, see https://prosody.im/doc/modules/mod_mam
-- Logging configuration
-- For advanced logging see https://prosody.im/doc/logging
log = {
-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
-- error = "prosody.err";
--info = "*syslog"; -- Uncomment this for logging to syslog
debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
}
-- Uncomment to enable statistics
-- For more info see https://prosody.im/doc/statistics
-- statistics = "internal"
-- Certificates
-- Every virtual host and component needs a certificate so that clients and
-- servers can securely verify its identity. Prosody will automatically load
-- certificates/keys from the directory specified here.
-- For more information, including how to use 'prosodyctl' to auto-import certificates
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
-- Location of directory to find certificates in (relative to main config file):
certificates = "certs"
-- HTTPS currently only supports a single certificate, specify it here:
--https_certificate = "/etc/prosody/certs/localhost.crt"
----------- Virtual hosts -----------
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
-- Settings under each VirtualHost entry apply *only* to that host.
VirtualHost "two.example.org"
--VirtualHost "example.com"
-- certificate = "/path/to/example.crt"
------ Components ------
-- You can specify components to add hosts that provide special services,
-- like multi-user conferences, and transports.
-- For more information on components, see https://prosody.im/doc/components
---Set up a MUC (multi-user chat) room server on conference.example.com:
--Component "conference.example.com" "muc"
--- Store MUC messages in an archive and allow users to access it
--modules_enabled = { "muc_mam" }
---Set up an external component (default component port is 5347)
--
-- External components allow adding various services, such as gateways/
-- transports to other networks like ICQ, MSN and Yahoo. For more info
-- see: https://prosody.im/doc/components#adding_an_external_component
--
--Component "gateway.example.com"
-- component_secret = "password"
@ -1,44 +0,0 @@
|
|||||||
|
|
||||||
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
|
||||||
incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:52269" ]
|
|
||||||
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
|
||||||
quic_listen = [ ]
|
|
||||||
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
|
||||||
websocket_listen = [ ]
|
|
||||||
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
|
||||||
outgoing_listen = [ "0.0.0.0:15270" ]
|
|
||||||
|
|
||||||
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
|
||||||
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
|
||||||
|
|
||||||
# c2s port backend XMPP server listens on
|
|
||||||
c2s_target = "192.5.0.20:15222"
|
|
||||||
|
|
||||||
# s2s port backend XMPP server listens on
|
|
||||||
s2s_target = "192.5.0.20:15269"
|
|
||||||
|
|
||||||
# send PROXYv1 header to backend XMPP server
|
|
||||||
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
|
||||||
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
|
||||||
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
|
||||||
proxy = true
|
|
||||||
|
|
||||||
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
|
||||||
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
|
||||||
# xmpp-proxy will use this many bytes + 16k per connection
|
|
||||||
max_stanza_size_bytes = 262_144
|
|
||||||
|
|
||||||
# TLS key/certificate valid for all your XMPP domains, PEM format
|
|
||||||
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
|
||||||
tls_key = "/etc/prosody/certs/one.example.org.key"
|
|
||||||
tls_cert = "/etc/prosody/certs/one.example.org.crt"
|
|
||||||
|
|
||||||
# configure logging, defaults are commented
|
|
||||||
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
|
||||||
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
|
||||||
#log_level = "info"
|
|
||||||
# for development/debugging:
|
|
||||||
log_level = "info,xmpp_proxy=trace"
|
|
||||||
|
|
||||||
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
|
||||||
#log_style = "never"
|
|
@ -1,44 +0,0 @@
|
|||||||
|
|
||||||
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
|
||||||
incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:52269" ]
|
|
||||||
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
|
||||||
quic_listen = [ ]
|
|
||||||
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
|
||||||
websocket_listen = [ ]
|
|
||||||
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
|
||||||
outgoing_listen = [ "0.0.0.0:15270" ]
|
|
||||||
|
|
||||||
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
|
||||||
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
|
||||||
|
|
||||||
# c2s port backend XMPP server listens on
|
|
||||||
c2s_target = "192.5.0.30:15222"
|
|
||||||
|
|
||||||
# s2s port backend XMPP server listens on
|
|
||||||
s2s_target = "192.5.0.30:15269"
|
|
||||||
|
|
||||||
# send PROXYv1 header to backend XMPP server
|
|
||||||
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
|
||||||
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
|
||||||
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
|
||||||
proxy = true
|
|
||||||
|
|
||||||
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
|
||||||
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
|
||||||
# xmpp-proxy will use this many bytes + 16k per connection
|
|
||||||
max_stanza_size_bytes = 262_144
|
|
||||||
|
|
||||||
# TLS key/certificate valid for all your XMPP domains, PEM format
|
|
||||||
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
|
||||||
tls_key = "/etc/prosody/certs/two.example.org.key"
|
|
||||||
tls_cert = "/etc/prosody/certs/two.example.org.crt"
|
|
||||||
|
|
||||||
# configure logging, defaults are commented
|
|
||||||
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
|
||||||
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
|
||||||
#log_level = "info"
|
|
||||||
# for development/debugging:
|
|
||||||
log_level = "info,xmpp_proxy=trace"
|
|
||||||
|
|
||||||
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
|
||||||
#log_style = "never"
|
|
@ -1,44 +0,0 @@
|
|||||||
|
|
||||||
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
|
||||||
incoming_listen = [ ]
|
|
||||||
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
|
||||||
quic_listen = [ ]
|
|
||||||
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
|
||||||
websocket_listen = [ ]
|
|
||||||
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
|
||||||
outgoing_listen = [ "0.0.0.0:5222" ]
|
|
||||||
|
|
||||||
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
|
||||||
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
|
||||||
|
|
||||||
# c2s port backend XMPP server listens on
|
|
||||||
c2s_target = "127.0.0.1:15222"
|
|
||||||
|
|
||||||
# s2s port backend XMPP server listens on
|
|
||||||
s2s_target = "127.0.0.1:15269"
|
|
||||||
|
|
||||||
# send PROXYv1 header to backend XMPP server
|
|
||||||
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
|
||||||
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
|
||||||
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
|
||||||
proxy = true
|
|
||||||
|
|
||||||
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
|
||||||
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
|
||||||
# xmpp-proxy will use this many bytes + 16k per connection
|
|
||||||
max_stanza_size_bytes = 262_144
|
|
||||||
|
|
||||||
# TLS key/certificate valid for all your XMPP domains, PEM format
|
|
||||||
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
|
||||||
tls_key = "/etc/certs/rsa/one.example.org.key"
|
|
||||||
tls_cert = "/etc/certs/rsa/one.example.org.crt"
|
|
||||||
|
|
||||||
# configure logging, defaults are commented
|
|
||||||
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
|
||||||
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
|
||||||
#log_level = "info"
|
|
||||||
# for development/debugging:
|
|
||||||
log_level = "info,xmpp_proxy=trace"
|
|
||||||
|
|
||||||
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
|
||||||
#log_style = "never"
|
|
@ -1,21 +0,0 @@
|
|||||||
$TTL 300
|
|
||||||
; example.org
|
|
||||||
@ IN SOA ns1.example.org. postmaster.example.org. (
|
|
||||||
2018111111 ; Serial
|
|
||||||
28800 ; Refresh
|
|
||||||
1800 ; Retry
|
|
||||||
604800 ; Expire - 1 week
|
|
||||||
86400 ) ; Negative Cache TTL
|
|
||||||
IN NS ns1
|
|
||||||
ns1 IN A 192.5.0.10
|
|
||||||
server1 IN A 192.5.0.20
|
|
||||||
server2 IN A 192.5.0.30
|
|
||||||
xp1 IN A 192.5.0.40
|
|
||||||
xp2 IN A 192.5.0.50
|
|
||||||
xp3 IN A 192.5.0.60
|
|
||||||
|
|
||||||
one IN CNAME xp1
|
|
||||||
two IN CNAME xp2
|
|
||||||
|
|
||||||
scansion.one IN CNAME xp3
|
|
||||||
scansion.two IN CNAME xp3
|
|