Compare commits
No commits in common. "v1.0.1" and "master" have entirely different histories.
5
.ci/Jenkinsfile
vendored
5
.ci/Jenkinsfile
vendored
@ -28,9 +28,14 @@ node('linux && docker') {
|
|||||||
|
|
||||||
stage('Build + Deploy') {
|
stage('Build + Deploy') {
|
||||||
sh '''
|
sh '''
|
||||||
|
./check-all-features.sh || exit 1
|
||||||
|
cargo clean
|
||||||
mkdir -p release
|
mkdir -p release
|
||||||
cp xmpp-proxy.toml release
|
cp xmpp-proxy.toml release
|
||||||
curl --compressed -sL https://code.moparisthebest.com/moparisthebest/self-ci/raw/branch/master/build-ci.sh | bash
|
curl --compressed -sL https://code.moparisthebest.com/moparisthebest/self-ci/raw/branch/master/build-ci.sh | bash
|
||||||
|
ret=$?
|
||||||
|
docker system prune -af
|
||||||
|
exit $ret
|
||||||
'''
|
'''
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -11,6 +11,10 @@ echo "$TARGET" | grep -E '^x86_64-pc-windows-gnu$' >/dev/null && SUFFIX=".exe"
|
|||||||
|
|
||||||
# ring fails to compile here
|
# ring fails to compile here
|
||||||
echo "$TARGET" | grep -E '^(s390x|powerpc|mips|riscv64gc|.*solaris$)' >/dev/null && echo "$TARGET not supported in rustls" && exit 0
|
echo "$TARGET" | grep -E '^(s390x|powerpc|mips|riscv64gc|.*solaris$)' >/dev/null && echo "$TARGET not supported in rustls" && exit 0
|
||||||
|
|
||||||
|
# running `docker system prune -af` after these because they are roughly every 25% through and my hard drive space is limited
|
||||||
|
echo "$TARGET" | grep -E '^(armv7-unknown-linux-gnueabihf|x86_64-linux-android|mips-unknown-linux-gnu)$' >/dev/null && docker system prune -af
|
||||||
|
|
||||||
# mio fails to link here
|
# mio fails to link here
|
||||||
echo "$TARGET" | grep -E '^x86_64-unknown-netbsd$' >/dev/null && echo "$TARGET not supported in mio" && exit 0
|
echo "$TARGET" | grep -E '^x86_64-unknown-netbsd$' >/dev/null && echo "$TARGET not supported in mio" && exit 0
|
||||||
|
|
||||||
|
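Review bot: `ret=$?` on the new line after `curl … | bash` records the exit status of `bash`, not of `curl`, so a failed or truncated download runs an empty script and reports success; and if this `sh` block runs under Jenkins' default `sh -xe` (it has no shebang, so presumably it does), a failing step aborts before `ret` is even assigned and the `docker system prune -af` cleanup this change introduces never runs on failure. Fetching the script to a file first avoids both: `curl --compressed -fsSL https://code.moparisthebest.com/moparisthebest/self-ci/raw/branch/master/build-ci.sh -o build-ci.sh || exit 1` followed by `bash build-ci.sh; ret=$?`. Since that script runs with the job's credentials, pinning the URL to a specific commit (or checking a known digest) rather than `branch/master` would also keep an upstream change from silently altering the build. The second hunk in this section (`@ -11,6 +11,10 @@ echo "$TARGET"`) looks like shell from a different file whose header the page has lost.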
1
.gitattributes
vendored
Normal file
1
.gitattributes
vendored
Normal file
@ -0,0 +1 @@
|
|||||||
|
integration/** linguist-documentation
|
7
.gitignore
vendored
7
.gitignore
vendored
@ -1,4 +1,11 @@
|
|||||||
/target/
|
/target/
|
||||||
|
/target
|
||||||
**/*.rs.bk
|
**/*.rs.bk
|
||||||
.idea
|
.idea
|
||||||
**/*.kate-swp
|
**/*.kate-swp
|
||||||
|
**/out/
|
||||||
|
**/core.*
|
||||||
|
fuzz/target/
|
||||||
|
*.txt
|
||||||
|
conflict/
|
||||||
|
*.test.toml
|
||||||
|
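Review bot: The added `**/core.*`, presumably meant for core dumps, also matches any source file whose stem is `core` (`core.rs`, `core.toml`), which `git status` will then silently omit, and the added `*.txt` hides every text file in the tree. Narrower patterns such as `**/core` and `**/core.[0-9]*` keep the intent without masking sources, and `*.txt` could be scoped to the directory that actually produces those files, with a comment naming what they are.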
1839
Cargo.lock
generated
1839
Cargo.lock
generated
97
Cargo.toml
97
Cargo.toml
@ -1,9 +1,15 @@
|
|||||||
|
[workspace]
|
||||||
|
members = [
|
||||||
|
"fuzz",
|
||||||
|
"."
|
||||||
|
]
|
||||||
|
|
||||||
[package]
|
[package]
|
||||||
name = "xmpp-proxy"
|
name = "xmpp-proxy"
|
||||||
version = "1.0.0"
|
version = "1.0.0"
|
||||||
authors = ["moparisthebest <admin@moparisthebest.com>"]
|
authors = ["moparisthebest <admin@moparisthebest.com>"]
|
||||||
|
|
||||||
description = "Reverse XMPP proxy."
|
description = "XMPP reverse proxy and outgoing proxy"
|
||||||
repository = "https://code.moparisthebest.com/moparisthebest/xmpp-proxy"
|
repository = "https://code.moparisthebest.com/moparisthebest/xmpp-proxy"
|
||||||
keywords = ["xmpp", "proxy"]
|
keywords = ["xmpp", "proxy"]
|
||||||
|
|
||||||
@ -20,11 +26,92 @@ include = [
|
|||||||
]
|
]
|
||||||
|
|
||||||
[dependencies]
|
[dependencies]
|
||||||
toml = "0.5"
|
toml = "0.8"
|
||||||
serde_derive = "1.0"
|
serde_derive = "1.0"
|
||||||
serde = { version = "1.0", features = ["derive"] }
|
serde = { version = "1.0", features = ["derive"] }
|
||||||
futures = "0.3"
|
futures = "0.3"
|
||||||
die = "0.2.0"
|
die = "0.2"
|
||||||
anyhow = "1.0"
|
anyhow = "1.0"
|
||||||
tokio = { version = "1.4", features = ["net", "rt", "rt-multi-thread", "macros", "io-util"] }
|
tokio = { version = "1.35", features = ["net", "rt", "rt-multi-thread", "macros", "io-util", "signal", "time"] }
|
||||||
tokio-rustls = "0.22"
|
ring = "0.17"
|
||||||
|
data-encoding = "2.5"
|
||||||
|
async-trait = "0.1"
|
||||||
|
|
||||||
|
|
||||||
|
# logging deps
|
||||||
|
log = "0.4"
|
||||||
|
rand = { version = "0.8", optional = true, features = [] }
|
||||||
|
env_logger = { version = "0.10", optional = true, features = [] }
|
||||||
|
|
||||||
|
# incoming deps
|
||||||
|
tokio-rustls = { version = "0.24", optional = true }
|
||||||
|
webpki = { package = "rustls-webpki", version = "0.101", optional = true }
|
||||||
|
|
||||||
|
# outgoing deps
|
||||||
|
lazy_static = "1.4"
|
||||||
|
trust-dns-resolver = { version = "0.23", optional = true }
|
||||||
|
# todo: feature+code for dns-over-rustls
|
||||||
|
#trust-dns-resolver = { version = "0.21", features = ["dns-over-rustls"], optional = true }
|
||||||
|
webpki-roots = { version = "0.25", optional = true }
|
||||||
|
rustls-native-certs = { version = "0.6", optional = true }
|
||||||
|
# todo: feed reqwest the roots we already have
|
||||||
|
reqwest = { version = "0.11", optional = true, default-features = false, features = ["rustls-tls-native-roots", "json", "gzip", "trust-dns"] }
|
||||||
|
|
||||||
|
# quic deps
|
||||||
|
quinn = { version = "0.10", optional = true }
|
||||||
|
|
||||||
|
# shared deps needed by quic and incoming
|
||||||
|
rustls = { version = "0.21", optional = true, features = ["dangerous_configuration"] }
|
||||||
|
rustls-pemfile = { version = "1.0", optional = true }
|
||||||
|
|
||||||
|
# websocket deps
|
||||||
|
tokio-tungstenite = { version = "0.21", optional = true, default-features = false, features = ["handshake"] }
|
||||||
|
futures-util = { version = "0.3", default-features = false, features = ["async-await", "sink", "std"], optional = true }
|
||||||
|
|
||||||
|
# webtransport deps
|
||||||
|
webtransport-quinn = { version = "0.6", optional = true }
|
||||||
|
|
||||||
|
# systemd dep
|
||||||
|
nix = { version = "0.27", optional = true, default-features = false, features = ["socket"]}
|
||||||
|
|
||||||
|
[features]
|
||||||
|
default = ["c2s-incoming", "c2s-outgoing", "s2s-incoming", "s2s-outgoing", "tls", "quic", "websocket", "webtransport", "logging", "tls-ca-roots-native", "systemd"]
|
||||||
|
|
||||||
|
# you must pick one of these or the other, not both: todo: enable picking both and choosing at runtime
|
||||||
|
# don't need either of these if only doing c2s-incoming
|
||||||
|
tls-ca-roots-native = ["rustls-native-certs", "tokio-rustls", "webpki"] # this loads CA certs from your OS
|
||||||
|
tls-ca-roots-bundled = ["webpki-roots", "webpki"] # this bundles CA certs in the binary
|
||||||
|
|
||||||
|
# internal use only, ignore
|
||||||
|
srv = ["tokio-rustls", "webpki", "trust-dns-resolver", "reqwest"]
|
||||||
|
incoming = ["rustls-pemfile"]
|
||||||
|
outgoing = ["srv"]
|
||||||
|
c2s = []
|
||||||
|
s2s = ["srv", "rustls-pemfile"]
|
||||||
|
|
||||||
|
# you must pick one or more of these, you may pick them all
|
||||||
|
c2s-incoming = ["incoming", "c2s",]
|
||||||
|
c2s-outgoing = ["outgoing", "c2s"]
|
||||||
|
|
||||||
|
s2s-incoming = ["incoming", "s2s"]
|
||||||
|
s2s-outgoing = ["outgoing", "s2s"]
|
||||||
|
|
||||||
|
# protocols you want to support todo: split out tls vs starttls ?
|
||||||
|
tls = ["tokio-rustls", "webpki", "rustls"]
|
||||||
|
quic = ["quinn", "rustls"]
|
||||||
|
websocket = ["tokio-tungstenite", "futures-util", "tls"] # websocket+incoming also enables incoming TLS support as it's free
|
||||||
|
webtransport = ["webtransport-quinn", "quic"] # webtransport requires quic
|
||||||
|
|
||||||
|
logging = ["rand", "env_logger"]
|
||||||
|
systemd = ["nix"]
|
||||||
|
|
||||||
|
# enables unit tests that need network and therefore may be flaky
|
||||||
|
net-test = []
|
||||||
|
|
||||||
|
[dev-dependencies]
|
||||||
|
serde_json = "1.0"
|
||||||
|
|
||||||
|
# need this until a release is made with this commit in it
|
||||||
|
[patch.crates-io]
|
||||||
|
webtransport-quinn = { git = "https://github.com/kixelated/webtransport-rs", rev = "ba1a372a7a89e4ba9f9bc027733f82f87aa9a4fd" }
|
||||||
|
|
||||||
|
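Review bot: The comment above `tls-ca-roots-native`/`tls-ca-roots-bundled` says to pick exactly one, but Cargo features are additive and nothing in this manifest enforces that: `default` already enables `tls-ca-roots-native`, so any dependent that adds `tls-ca-roots-bundled` without `default-features = false` ends up with both. Unless the crate guards this with a `compile_error!` (not visible here), the comment should state what actually happens when both are on, so that a reader does not assume Cargo rejects it. `rustls = { …, features = ["dangerous_configuration"] }` also deserves a why-comment, since that feature unlocks custom certificate verifiers; if it exists for the s2s client-certificate validation the README describes, `# dangerous_configuration: needed for the custom s2s client-cert verifier` makes the choice visibly deliberate. Minor style: `nix = { … features = ["socket"]}` lacks the closing space every other inline table uses, and `c2s-incoming = ["incoming", "c2s",]` carries a stray trailing comma.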
153
README.md
153
README.md
@ -1,12 +1,35 @@
|
|||||||
# xmpp-proxy
|
|
||||||
|
<h1 align="center">
|
||||||
|
<br>
|
||||||
|
<img src="https://raw.githubusercontent.com/moparisthebest/xmpp-proxy/master/contrib/logo/xmpp_proxy_color.png" alt="logo" width="200">
|
||||||
|
<br>
|
||||||
|
xmpp-proxy
|
||||||
|
<br>
|
||||||
|
<br>
|
||||||
|
</h1>
|
||||||
|
|
||||||
[![Build Status](https://ci.moparisthe.best/job/moparisthebest/job/xmpp-proxy/job/master/badge/icon%3Fstyle=plastic)](https://ci.moparisthe.best/job/moparisthebest/job/xmpp-proxy/job/master/)
|
[![Build Status](https://ci.moparisthe.best/job/moparisthebest/job/xmpp-proxy/job/master/badge/icon%3Fstyle=plastic)](https://ci.moparisthe.best/job/moparisthebest/job/xmpp-proxy/job/master/)
|
||||||
|
|
||||||
xmpp-proxy is a reverse proxy for XMPP servers, providing STARTTLS and TLS over plain-text XMPP connections
|
xmpp-proxy is a reverse proxy and outgoing proxy for XMPP servers and clients, providing [STARTTLS], [Direct TLS], [QUIC],
|
||||||
and limiting stanza sizes without an XML parser.
|
[WebSocket C2S], [WebSocket S2S], and [WebTransport] connectivity to plain-text XMPP servers and clients and limiting stanza sizes without an XML parser.
|
||||||
|
|
||||||
xmpp-proxy will listen on any number of interfaces/ports and accept any STARTTLS or [Direct TLS](https://xmpp.org/extensions/xep-0368.html)
|
xmpp-proxy in reverse proxy (incoming) mode will:
|
||||||
c2s or s2s connections, terminate TLS, and connect them to a real XMPP server, limiting stanza sizes as configured.
|
1. listen on any number of interfaces/ports
|
||||||
|
2. accept any STARTTLS, Direct TLS, QUIC, WebSocket, or WebTransport c2s or s2s connections from the internet
|
||||||
|
3. terminate TLS
|
||||||
|
4. for s2s require a client cert and validate it correctly (using CAs, host-meta, host-meta2, and POSH) for SASL EXTERNAL auth
|
||||||
|
5. connect them to a local real XMPP server over plain-text TCP
|
||||||
|
6. send the [PROXY protocol] v1 header if configured, so the XMPP server knows the real client IP
|
||||||
|
7. limit incoming stanza sizes as configured
|
||||||
|
|
||||||
|
xmpp-proxy in outgoing mode will:
|
||||||
|
1. listen on any number of interfaces/ports
|
||||||
|
2. accept any plain-text TCP or WebSocket connection from a local XMPP server or client
|
||||||
|
3. look up the required SRV, [host-meta], [host-meta2], and [POSH] records
|
||||||
|
4. connect to a real XMPP server across the internet over STARTTLS, Direct TLS, QUIC, WebSocket, or WebTransport
|
||||||
|
5. fallback to next SRV target or defaults as required to fully connect
|
||||||
|
6. perform all the proper required certificate validation logic
|
||||||
|
7. limit incoming stanza sizes as configured
|
||||||
|
|
||||||
#### Installation
|
#### Installation
|
||||||
* `cargo install xmpp-proxy`
|
* `cargo install xmpp-proxy`
|
||||||
@ -17,25 +40,74 @@ c2s or s2s connections, terminate TLS, and connect them to a real XMPP server, l
|
|||||||
#### Configuration
|
#### Configuration
|
||||||
* `mkdir /etc/xmpp-proxy/ && cp xmpp-proxy.toml /etc/xmpp-proxy/`
|
* `mkdir /etc/xmpp-proxy/ && cp xmpp-proxy.toml /etc/xmpp-proxy/`
|
||||||
* edit `/etc/xmpp-proxy/xmpp-proxy.toml` as needed, file is annotated clearly with comments
|
* edit `/etc/xmpp-proxy/xmpp-proxy.toml` as needed, file is annotated clearly with comments
|
||||||
* put your TLS key/cert in `/etc/xmpp-proxy/`, if your key has "RSA PRIVATE KEY" in it, change that to "PRIVATE KEY":
|
* put your TLS key/cert in `/etc/xmpp-proxy/`
|
||||||
`sed -i 's/RSA PRIVATE KEY/PRIVATE KEY/' /etc/xmpp-proxy/le.key`
|
|
||||||
* Example systemd unit is provided in xmpp-proxy.service and locks it down with bare minimum permissions. Need to
|
* Example systemd unit is provided in xmpp-proxy.service and locks it down with bare minimum permissions. Need to
|
||||||
set the permissions correctly: `chown -Rv 'systemd-network:' /etc/xmpp-proxy/`
|
set the permissions correctly: `chown -Rv 'systemd-network:' /etc/xmpp-proxy/`
|
||||||
* start xmpp-proxy: `Usage: xmpp-proxy [/path/to/xmpp-proxy.toml (default /etc/xmpp-proxy/xmpp-proxy.toml]`
|
* start xmpp-proxy: `Usage: xmpp-proxy [/path/to/xmpp-proxy.toml (default /etc/xmpp-proxy/xmpp-proxy.toml]`
|
||||||
|
|
||||||
#### How do I adapt my running Prosody config to use this instead?
|
#### How do I adapt my running Prosody config to use this instead?
|
||||||
|
|
||||||
Add these to modules_enabled:
|
You have 2 options here, use xmpp-proxy as only a reverse proxy, or as both reverse and outgoing proxy, I'll cover both:
|
||||||
|
|
||||||
|
###### Reverse proxy and outgoing proxy
|
||||||
|
|
||||||
|
In this mode both prosody doesn't need to do any TLS at all, so it needs no certs. xmpp-proxy need proper TLS
|
||||||
|
certificates, move prosody's TLS key to `/etc/xmpp-proxy/le.key` and TLS cert to `/etc/xmpp-proxy/fullchain.cer`, and
|
||||||
|
use the provided `xmpp-proxy.toml` configuration as-is.
|
||||||
|
|
||||||
|
Edit `/etc/prosody/prosody.cfg.lua`, Add these to modules_enabled:
|
||||||
```
|
```
|
||||||
"secure_interfaces";
|
|
||||||
"net_proxy";
|
"net_proxy";
|
||||||
|
"s2s_outgoing_proxy";
|
||||||
|
```
|
||||||
|
Until prosody-modules is updated, use my new module [mod_s2s_outgoing_proxy.lua](https://www.moparisthebest.com/mod_s2s_outgoing_proxy.lua).
|
||||||
|
|
||||||
|
Add this config:
|
||||||
|
```
|
||||||
|
-- only need to listen on localhost
|
||||||
|
interfaces = { "127.0.0.1" }
|
||||||
|
|
||||||
|
-- we don't need prosody doing any encryption, xmpp-proxy does this now
|
||||||
|
-- these are likely set to true somewhere in your file, find them, make them false
|
||||||
|
-- you can also remove all certificates from your config
|
||||||
|
s2s_require_encryption = false
|
||||||
|
s2s_secure_auth = false
|
||||||
|
c2s_require_encryption = false
|
||||||
|
allow_unencrypted_plain_auth = true
|
||||||
|
|
||||||
|
-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
|
||||||
|
s2s_outgoing_proxy = { "127.0.0.1", 15270 }
|
||||||
|
|
||||||
|
-- handle PROXY protocol on these ports
|
||||||
|
proxy_port_mappings = {
|
||||||
|
[15222] = "c2s",
|
||||||
|
[15269] = "s2s"
|
||||||
|
}
|
||||||
|
|
||||||
|
-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
|
||||||
|
-- you might need to comment these out further down in your config file if you set them
|
||||||
|
c2s_ports = {}
|
||||||
|
legacy_ssl_ports = {}
|
||||||
|
-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
|
||||||
|
s2s_ports = {15268}
|
||||||
|
```
|
||||||
|
|
||||||
|
###### Reverse proxy only, prosody makes outgoing connections directly itself
|
||||||
|
|
||||||
|
In this mode both prosody and xmpp-proxy need proper TLS certificates, copy prosody's TLS key to `/etc/xmpp-proxy/le.key`
|
||||||
|
and TLS cert to `/etc/xmpp-proxy/fullchain.cer`, and use the provided `xmpp-proxy.toml` configuration as-is.
|
||||||
|
|
||||||
|
Edit `/etc/prosody/prosody.cfg.lua`, Add these to modules_enabled:
|
||||||
|
```
|
||||||
|
"net_proxy";
|
||||||
|
"secure_interfaces";
|
||||||
```
|
```
|
||||||
Until prosody-modules is updated, use my patched version of [mod_secure_interfaces.lua](https://www.moparisthebest.com/mod_secure_interfaces.lua)
|
Until prosody-modules is updated, use my patched version of [mod_secure_interfaces.lua](https://www.moparisthebest.com/mod_secure_interfaces.lua)
|
||||||
which also works for s2s.
|
which also works for s2s.
|
||||||
|
|
||||||
Add this config:
|
Add this config:
|
||||||
```
|
```
|
||||||
-- trust connections coming from these IPs
|
-- trust connections coming to these IPs
|
||||||
secure_interfaces = { "127.0.0.1", "::1" }
|
secure_interfaces = { "127.0.0.1", "::1" }
|
||||||
|
|
||||||
-- handle PROXY protocol on these ports
|
-- handle PROXY protocol on these ports
|
||||||
@ -49,11 +121,66 @@ proxy_port_mappings = {
|
|||||||
c2s_ports = {}
|
c2s_ports = {}
|
||||||
legacy_ssl_ports = {}
|
legacy_ssl_ports = {}
|
||||||
-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
|
-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
|
||||||
s2s_ports = {15269}
|
s2s_ports = {15268}
|
||||||
```
|
```
|
||||||
|
|
||||||
Copy prosody's TLS key to `/etc/xmpp-proxy/le.key` and TLS cert to `/etc/xmpp-proxy/fullchain.cer`, and use the provided
|
#### Customize the build
|
||||||
`xmpp-proxy.toml` configuration as-is.
|
|
||||||
|
If you are a grumpy power user who wants to build xmpp-proxy with exactly the features you want, nothing less, nothing
|
||||||
|
more, this section is for you!
|
||||||
|
|
||||||
|
xmpp-proxy has multiple compile-time features, some of which are required, they are grouped as such:
|
||||||
|
|
||||||
|
choose between 1-4 directions:
|
||||||
|
1. `c2s-incoming` - enables a server to accept incoming c2s connections
|
||||||
|
2. `c2s-outgoing` - enables a client to make outgoing c2s connections
|
||||||
|
3. `s2s-incoming` - enables a server to accept incoming s2s connections
|
||||||
|
4. `s2s-outgoing` - enables a server to make outgoing s2s connections
|
||||||
|
|
||||||
|
choose between 1-4 transport protocols:
|
||||||
|
1. `tls` - enables STARTTLS/TLS support
|
||||||
|
2. `quic` - enables QUIC support
|
||||||
|
3. `websocket` - enables WebSocket support, also enables TLS incoming support if the appropriate directions are enabled
|
||||||
|
4. `webtransport` - enables WebTransport support, also enables QUIC
|
||||||
|
|
||||||
|
choose exactly 1 of these methods to get trusted CA roots, not needed if only `c2s-incoming` is enabled:
|
||||||
|
1. `tls-ca-roots-native` - reads CA roots from operating system
|
||||||
|
2. `tls-ca-roots-bundled` - bundles CA roots into the binary from the `webpki-roots` project
|
||||||
|
|
||||||
|
choose any of these optional features:
|
||||||
|
1. `logging` - enables configurable logging
|
||||||
|
|
||||||
|
So to build only supporting reverse proxy STARTTLS/TLS, no QUIC, run: `cargo build --release --no-default-features --features c2s-incoming,s2s-incoming,tls`
|
||||||
|
To build a reverse proxy only, but supporting all of STARTTLS/TLS/QUIC, run: `cargo build --release --no-default-features --features c2s-incoming,s2s-incoming,tls,quic`
|
||||||
|
|
||||||
|
#### Development
|
||||||
|
|
||||||
|
1. `check-all-features.sh` is used to check compilation with all supported feature permutations
|
||||||
|
2. `integration/test.sh` uses [Rootless podman](https://wiki.archlinux.org/title/Podman#Rootless_Podman) to run many tests
|
||||||
|
through xmpp-proxy on a real network with real dns, web, and xmpp servers, all of these should pass before pushing commits,
|
||||||
|
and write new tests to cover new functionality.
|
||||||
|
3. To submit code changes submit a PR on [github](https://github.com/moparisthebest/xmpp-proxy) or
|
||||||
|
[code.moparisthebest.com](https://code.moparisthebest.com/moparisthebest/xmpp-proxy) or send me a patch via email,
|
||||||
|
XMPP, fediverse, or carrier pigeon.
|
||||||
|
|
||||||
#### License
|
#### License
|
||||||
GNU/AGPLv3 - Check LICENSE.md for details
|
GNU/AGPLv3 - Check LICENSE.md for details
|
||||||
|
|
||||||
|
Thanks [rxml](https://github.com/horazont/rxml) for afl-fuzz seeds
|
||||||
|
|
||||||
|
#### Todo
|
||||||
|
1. seamless Tor integration, connecting to and from .onion domains
|
||||||
|
2. Write WebTransport XEP
|
||||||
|
3. Document systemd activation support
|
||||||
|
4. Document use-as-a-library support
|
||||||
|
|
||||||
|
[STARTTLS]: https://datatracker.ietf.org/doc/html/rfc6120#section-5
|
||||||
|
[Direct TLS]: https://xmpp.org/extensions/xep-0368.html
|
||||||
|
[QUIC]: https://xmpp.org/extensions/xep-0467.html
|
||||||
|
[WebSocket C2S]: https://datatracker.ietf.org/doc/html/rfc7395
|
||||||
|
[WebSocket S2S]: https://xmpp.org/extensions/xep-0468.html
|
||||||
|
[WebTransport]: https://www.w3.org/TR/webtransport/
|
||||||
|
[POSH]: https://datatracker.ietf.org/doc/html/rfc7711
|
||||||
|
[host-meta]: https://xmpp.org/extensions/xep-0156.html
|
||||||
|
[host-meta2]: https://xmpp.org/extensions/inbox/host-meta-2.html
|
||||||
|
[PROXY protocol]: https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
86
build.rs
Normal file
86
build.rs
Normal file
@ -0,0 +1,86 @@
|
|||||||
|
use std::{env, fs::File, io::Write, path::Path};
|
||||||
|
|
||||||
|
fn main() {
|
||||||
|
println!("cargo:rerun-if-changed=build.rs");
|
||||||
|
|
||||||
|
let out_dir = env::var_os("OUT_DIR").unwrap();
|
||||||
|
let dest_path = Path::new(&out_dir).join("version.rs");
|
||||||
|
|
||||||
|
let mut w = File::create(dest_path).unwrap();
|
||||||
|
|
||||||
|
let allowed_features = [
|
||||||
|
"c2s-incoming",
|
||||||
|
"c2s-outgoing",
|
||||||
|
"s2s-incoming",
|
||||||
|
"s2s-outgoing",
|
||||||
|
"tls",
|
||||||
|
"quic",
|
||||||
|
"websocket",
|
||||||
|
"tls-ca-roots-native",
|
||||||
|
"tls-ca-roots-bundled",
|
||||||
|
"logging",
|
||||||
|
"systemd",
|
||||||
|
];
|
||||||
|
let optional_deps = [
|
||||||
|
"rustls",
|
||||||
|
"tokio-rustls",
|
||||||
|
"rustls-pemfile",
|
||||||
|
"quinn",
|
||||||
|
"tokio-tungstenite",
|
||||||
|
"futures-util",
|
||||||
|
"trust-dns-resolver",
|
||||||
|
"reqwest",
|
||||||
|
"lazy-static",
|
||||||
|
"rustls-native-certs",
|
||||||
|
"webpki-roots",
|
||||||
|
"env-logger",
|
||||||
|
"rand",
|
||||||
|
"nix",
|
||||||
|
];
|
||||||
|
let mut features = Vec::new();
|
||||||
|
let mut optional = Vec::new();
|
||||||
|
for (mut key, value) in env::vars() {
|
||||||
|
//writeln!(&mut w, "{key}: {value}", ).unwrap();
|
||||||
|
if value == "1" && key.starts_with("CARGO_FEATURE_") {
|
||||||
|
let mut key = key.split_off(14).replace('_', "-");
|
||||||
|
key.make_ascii_lowercase();
|
||||||
|
if allowed_features.contains(&key.as_str()) {
|
||||||
|
features.push(key);
|
||||||
|
} else if optional_deps.contains(&key.as_str()) {
|
||||||
|
optional.push(key);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
features.sort_by(|a, b| {
|
||||||
|
allowed_features
|
||||||
|
.iter()
|
||||||
|
.position(|&r| r == a)
|
||||||
|
.unwrap()
|
||||||
|
.partial_cmp(&allowed_features.iter().position(|&r| r == b).unwrap())
|
||||||
|
.unwrap()
|
||||||
|
});
|
||||||
|
optional.sort_by(|a, b| {
|
||||||
|
optional_deps
|
||||||
|
.iter()
|
||||||
|
.position(|&r| r == a)
|
||||||
|
.unwrap()
|
||||||
|
.partial_cmp(&optional_deps.iter().position(|&r| r == b).unwrap())
|
||||||
|
.unwrap()
|
||||||
|
});
|
||||||
|
let features = features.join(",");
|
||||||
|
let optional = optional.join(",");
|
||||||
|
|
||||||
|
let name = env!("CARGO_PKG_NAME");
|
||||||
|
let version = env!("CARGO_PKG_VERSION");
|
||||||
|
|
||||||
|
let target = env::var("TARGET").unwrap();
|
||||||
|
|
||||||
|
writeln!(
|
||||||
|
&mut w,
|
||||||
|
"{{println!(
|
||||||
|
\"{name} {version} ({target})
|
||||||
|
Features: {features}
|
||||||
|
Optional crates: {optional}\");}}"
|
||||||
|
)
|
||||||
|
.unwrap();
|
||||||
|
}
|
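Review bot: `key.split_off(14)` in the `env::vars()` loop hard-codes the length of `"CARGO_FEATURE_"`, so the prefix test on the line above and the slice can silently drift apart, and it mutates a key that is never used again; `strip_prefix` expresses the same thing without the magic number. The two `sort_by` closures compare `usize` positions through `partial_cmp(..).unwrap()`, which for integers is just `cmp`, and `sort_by_key` states the "keep table order" intent directly. A one-line header comment such as `// Generates $OUT_DIR/version.rs: a println! of name, version, target, enabled features and optional crates` would also help, since nothing in the file says what the emitted snippet is for (its consumer is not visible in this compare). The whole of `main` is in view; the two tables it reads are unchanged.
```rust
    // … unchanged: rerun-if-changed, OUT_DIR/version.rs, allowed_features, optional_deps …
    let mut features = Vec::new();
    let mut optional = Vec::new();
    for (key, value) in env::vars() {
        if value != "1" {
            continue;
        }
        // Cargo exports an enabled feature as CARGO_FEATURE_<NAME>, upper-cased with
        // '-' replaced by '_'; undo that to recover the Cargo.toml spelling.
        if let Some(rest) = key.strip_prefix("CARGO_FEATURE_") {
            let name = rest.replace('_', "-").to_ascii_lowercase();
            if allowed_features.contains(&name.as_str()) {
                features.push(name);
            } else if optional_deps.contains(&name.as_str()) {
                optional.push(name);
            }
        }
    }
    // Print in table order so the output does not depend on env iteration order.
    features.sort_by_key(|f| allowed_features.iter().position(|&r| r == f.as_str()).unwrap());
    optional.sort_by_key(|d| optional_deps.iter().position(|&r| r == d.as_str()).unwrap());
    // … unchanged: join, CARGO_PKG_NAME/VERSION, TARGET, writeln! …
```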
111
check-all-features.sh
Executable file
111
check-all-features.sh
Executable file
@ -0,0 +1,111 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
threads="$1"
|
||||||
|
shift
|
||||||
|
clean_after_num_builds="$1"
|
||||||
|
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
# if we have access to nproc, divide that by 2, otherwise use 1 thread by default
|
||||||
|
[ "$threads" == "" ] && threads=$(($(nproc || echo 2) / 2))
|
||||||
|
|
||||||
|
# 50 is about 1.5gb, ymmv
|
||||||
|
[ "$clean_after_num_builds" == "" ] && clean_after_num_builds=50
|
||||||
|
|
||||||
|
export clean_after_num_builds
|
||||||
|
|
||||||
|
echo "threads: $threads"
|
||||||
|
echo "clean_after_num_builds: $clean_after_num_builds"
|
||||||
|
|
||||||
|
export RUSTFLAGS=-Awarnings
|
||||||
|
|
||||||
|
show() {
|
||||||
|
local -a results=()
|
||||||
|
let idx=$2
|
||||||
|
for (( j = 0; j < $1; j++ )); do
|
||||||
|
if (( idx % 2 )); then results=("${results[@]}" "${list[$j]}"); fi
|
||||||
|
let idx\>\>=1
|
||||||
|
done
|
||||||
|
echo "${results[@]}"
|
||||||
|
}
|
||||||
|
|
||||||
|
perm_lines() {
|
||||||
|
list=($@)
|
||||||
|
let n=${#list[@]}
|
||||||
|
for (( i = 1; i < 2**n; i++ )); do
|
||||||
|
show $n $i
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
perms() {
|
||||||
|
perm_lines "$@" | tr ' ' ',' | sort -u
|
||||||
|
}
|
||||||
|
|
||||||
|
perms_optional() {
|
||||||
|
perm_lines "$@" | tr ' ' ',' | sort -u | sed 's/^/,/'
|
||||||
|
}
|
||||||
|
|
||||||
|
all_features() {
|
||||||
|
for optional in "" $(perms_optional logging systemd)
|
||||||
|
do
|
||||||
|
for proto in $(perms tls quic websocket webtransport)
|
||||||
|
do
|
||||||
|
for direction in $(perms c2s-incoming c2s-outgoing s2s-incoming s2s-outgoing)
|
||||||
|
do
|
||||||
|
for ca_roots in tls-ca-roots-native tls-ca-roots-bundled
|
||||||
|
do
|
||||||
|
echo $direction,$proto,$ca_roots$optional
|
||||||
|
done
|
||||||
|
done
|
||||||
|
done
|
||||||
|
done
|
||||||
|
|
||||||
|
for optional in "" $(perms_optional logging systemd)
|
||||||
|
do
|
||||||
|
for proto in $(perms tls quic websocket webtransport)
|
||||||
|
do
|
||||||
|
echo c2s-incoming,$proto$optional
|
||||||
|
done
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
echo_cargo() {
|
||||||
|
set -euo pipefail
|
||||||
|
#echo cargo run "$@" -- -v
|
||||||
|
#cargo run "$@" -- -v
|
||||||
|
echo cargo check "$@"
|
||||||
|
flock -s /tmp/xmpp-proxy-check-all-features.lock cargo check "$@"
|
||||||
|
ret=$?
|
||||||
|
if [ $ret -ne 0 ]
|
||||||
|
then
|
||||||
|
echo "command failed: cargo check $@"
|
||||||
|
fi
|
||||||
|
(
|
||||||
|
flock -x 200
|
||||||
|
# now we are under an exclusive lock
|
||||||
|
count=$(cat /tmp/xmpp-proxy-check-all-features.count)
|
||||||
|
count=$(( count + 1 ))
|
||||||
|
if [ $count -ge $clean_after_num_builds ]
|
||||||
|
then
|
||||||
|
echo cargo clean
|
||||||
|
cargo clean
|
||||||
|
count=0
|
||||||
|
fi
|
||||||
|
echo $count > /tmp/xmpp-proxy-check-all-features.count
|
||||||
|
|
||||||
|
) 200>/tmp/xmpp-proxy-check-all-features.lock
|
||||||
|
return $ret
|
||||||
|
}
|
||||||
|
|
||||||
|
#all_features | sort -u | wc -l; exit 0
|
||||||
|
|
||||||
|
export -f echo_cargo
|
||||||
|
|
||||||
|
echo 0 > /tmp/xmpp-proxy-check-all-features.count
|
||||||
|
|
||||||
|
echo_cargo
|
||||||
|
|
||||||
|
all_features | sort | xargs -n1 --max-procs=$threads bash -c 'echo_cargo --no-default-features --features "$@" || exit 255' _
|
||||||
|
|
||||||
|
echo good!
|
||||||
|
|
||||||
|
|
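Review bot: `echo_cargo` keeps its lock and build counter at fixed, predictable paths (`/tmp/xmpp-proxy-check-all-features.lock` and `.count`), and the value read back with `cat` goes straight into `$(( count + 1 ))` without validation; on a shared build host another local user can pre-create those files, and stale content from an earlier run is trusted as-is. A per-run `mktemp -d` directory exported to the `xargs` workers and removed on exit, plus a numeric check on `count`, closes both gaps without changing the build flow. `list=($@)` in `perm_lines` and the unquoted `$threads` on the `xargs` line rely on word splitting, which is fine for the literal feature names used here but worth a comment. The script is new in this compare, so the whole file is in view.
```shell
# … unchanged: argument parsing, defaults, RUSTFLAGS, perm helpers, all_features …

# Per-run scratch directory for the lock and build counter: a fixed /tmp name can be
# pre-created by any local user and would carry stale state between runs.
state_dir=$(mktemp -d)
trap 'rm -rf "$state_dir"' EXIT
export lock_file="$state_dir/lock" count_file="$state_dir/count"

echo_cargo() {
    set -euo pipefail
    echo cargo check "$@"
    flock -s "$lock_file" cargo check "$@"
    ret=$?
    # … unchanged: "command failed" message …
    (
        flock -x 200
        # now we are under an exclusive lock
        count=$(cat "$count_file")
        # only trust a plain integer from the counter file
        [[ $count =~ ^[0-9]+$ ]] || count=0
        count=$(( count + 1 ))
        # … unchanged: cargo clean once clean_after_num_builds is reached …
        echo "$count" > "$count_file"
    ) 200>"$lock_file"
    return $ret
}

export -f echo_cargo
echo 0 > "$count_file"
# … unchanged: initial echo_cargo and the xargs loop …
```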
29
contrib/host-meta/rfc6415.but-valid.xml
Normal file
29
contrib/host-meta/rfc6415.but-valid.xml
Normal file
@ -0,0 +1,29 @@
|
|||||||
|
<?xml version='1.0' encoding='UTF-8'?>
|
||||||
|
<XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'
|
||||||
|
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>
|
||||||
|
|
||||||
|
<Expires>2010-01-30T09:30:00Z</Expires>
|
||||||
|
<Subject>http://blog.example.com/article/id/314</Subject>
|
||||||
|
|
||||||
|
<Alias>http://blog.example.com/cool_new_thing</Alias>
|
||||||
|
<Alias>http://blog.example.com/steve/article/7</Alias>
|
||||||
|
|
||||||
|
<Property type='http://blgx.example.net/ns/version'>1.2</Property>
|
||||||
|
<Property type='http://blgx.example.net/ns/version'>1.3</Property>
|
||||||
|
<Property type='http://blgx.example.net/ns/ext' xsi:nil='true'/>
|
||||||
|
|
||||||
|
<Link rel='author' type='text/html'
|
||||||
|
href='http://blog.example.com/author/steve'>
|
||||||
|
<Title>About the Author</Title>
|
||||||
|
<Title xml:lang='en-us'>Author Information</Title>
|
||||||
|
<Property type='http://example.com/role'>editor</Property>
|
||||||
|
</Link>
|
||||||
|
|
||||||
|
<Link rel='author' href='http://example.com/author/john'>
|
||||||
|
<Title>The other guy</Title>
|
||||||
|
<Title>The other author</Title>
|
||||||
|
</Link>
|
||||||
|
|
||||||
|
<Link rel='copyright'
|
||||||
|
template='http://example.com/copyright?id={uri}'/>
|
||||||
|
</XRD>
|
37
contrib/host-meta/rfc6415.json
Normal file
37
contrib/host-meta/rfc6415.json
Normal file
@ -0,0 +1,37 @@
|
|||||||
|
{
|
||||||
|
"subject": "http://blog.example.com/article/id/314",
|
||||||
|
"expires": "2010-01-30T09:30:00Z",
|
||||||
|
"aliases": [
|
||||||
|
"http://blog.example.com/cool_new_thing",
|
||||||
|
"http://blog.example.com/steve/article/7"
|
||||||
|
],
|
||||||
|
"properties": {
|
||||||
|
"http://blgx.example.net/ns/version": "1.3",
|
||||||
|
"http://blgx.example.net/ns/ext": null
|
||||||
|
},
|
||||||
|
"links": [
|
||||||
|
{
|
||||||
|
"rel": "author",
|
||||||
|
"type": "text/html",
|
||||||
|
"href": "http://blog.example.com/author/steve",
|
||||||
|
"titles": {
|
||||||
|
"default": "About the Author",
|
||||||
|
"en-us": "Author Information"
|
||||||
|
},
|
||||||
|
"properties": {
|
||||||
|
"http://example.com/role": "editor"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"rel": "author",
|
||||||
|
"href": "http://example.com/author/john",
|
||||||
|
"titles": {
|
||||||
|
"default": "The other author"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"rel": "copyright",
|
||||||
|
"template": "http://example.com/copyright?id={uri}"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
29
contrib/host-meta/rfc6415.xml
Normal file
29
contrib/host-meta/rfc6415.xml
Normal file
@ -0,0 +1,29 @@
|
|||||||
|
<?xml version='1.0' encoding='UTF-8'?>
|
||||||
|
<XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'
|
||||||
|
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>
|
||||||
|
|
||||||
|
<Subject>http://blog.example.com/article/id/314</Subject>
|
||||||
|
<Expires>2010-01-30T09:30:00Z</Expires>
|
||||||
|
|
||||||
|
<Alias>http://blog.example.com/cool_new_thing</Alias>
|
||||||
|
<Alias>http://blog.example.com/steve/article/7</Alias>
|
||||||
|
|
||||||
|
<Property type='http://blgx.example.net/ns/version'>1.2</Property>
|
||||||
|
<Property type='http://blgx.example.net/ns/version'>1.3</Property>
|
||||||
|
<Property type='http://blgx.example.net/ns/ext' xsi:nil='true'/>
|
||||||
|
|
||||||
|
<Link rel='author' type='text/html'
|
||||||
|
href='http://blog.example.com/author/steve'>
|
||||||
|
<Title>About the Author</Title>
|
||||||
|
<Title xml:lang='en-us'>Author Information</Title>
|
||||||
|
<Property type='http://example.com/role'>editor</Property>
|
||||||
|
</Link>
|
||||||
|
|
||||||
|
<Link rel='author' href='http://example.com/author/john'>
|
||||||
|
<Title>The other guy</Title>
|
||||||
|
<Title>The other author</Title>
|
||||||
|
</Link>
|
||||||
|
|
||||||
|
<Link rel='copyright'
|
||||||
|
template='http://example.com/copyright?id={uri}'/>
|
||||||
|
</XRD>
|
45
contrib/host-meta/xep-0156-current.json
Normal file
45
contrib/host-meta/xep-0156-current.json
Normal file
@ -0,0 +1,45 @@
|
|||||||
|
{
|
||||||
|
"subject": "http://blog.example.com/article/id/314",
|
||||||
|
"expires": "2010-01-30T09:30:00Z",
|
||||||
|
"aliases": [
|
||||||
|
"http://blog.example.com/cool_new_thing",
|
||||||
|
"http://blog.example.com/steve/article/7"
|
||||||
|
],
|
||||||
|
"properties": {
|
||||||
|
"http://blgx.example.net/ns/version": "1.3",
|
||||||
|
"http://blgx.example.net/ns/ext": null
|
||||||
|
},
|
||||||
|
"links": [
|
||||||
|
{
|
||||||
|
"rel": "author",
|
||||||
|
"type": "text/html",
|
||||||
|
"href": "http://blog.example.com/author/steve",
|
||||||
|
"titles": {
|
||||||
|
"default": "About the Author",
|
||||||
|
"en-us": "Author Information"
|
||||||
|
},
|
||||||
|
"properties": {
|
||||||
|
"http://example.com/role": "editor"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"rel": "author",
|
||||||
|
"href": "http://example.com/author/john",
|
||||||
|
"titles": {
|
||||||
|
"default": "The other author"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"rel": "urn:xmpp:alt-connections:xbosh",
|
||||||
|
"href": "https://example.org/http-bind"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"rel": "urn:xmpp:alt-connections:websocket",
|
||||||
|
"href": "wss://example.org/xmpp-websocket"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"rel": "copyright",
|
||||||
|
"template": "http://example.com/copyright?id={uri}"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
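--- a/contrib/host-meta/xep-0156-current.xml
+++ b/contrib/host-meta/xep-0156-current.xml
@@ -0,0 +1,33 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'
+xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>
+
+<Expires>2010-01-30T09:30:00Z</Expires>
+<Subject>http://blog.example.com/article/id/314</Subject>
+
+<Alias>http://blog.example.com/cool_new_thing</Alias>
+<Alias>http://blog.example.com/steve/article/7</Alias>
+
+<Property type='http://blgx.example.net/ns/version'>1.2</Property>
+<Property type='http://blgx.example.net/ns/version'>1.3</Property>
+<Property type='http://blgx.example.net/ns/ext' xsi:nil='true'/>
+
+<Link rel='author' type='text/html'
+href='http://blog.example.com/author/steve'>
+<Title>About the Author</Title>
+<Title xml:lang='en-us'>Author Information</Title>
+<Property type='http://example.com/role'>editor</Property>
+</Link>
+
+<Link rel='author' href='http://example.com/author/john'>
+<Title>The other guy</Title>
+<Title>The other author</Title>
+</Link>
+
+<Link rel='urn:xmpp:alt-connections:xbosh' href='https://example.org/http-bind'/>
+
+<Link rel='urn:xmpp:alt-connections:websocket' href='wss://example.org/xmpp-websocket'/>
+
+<Link rel='copyright'
+template='http://example.com/copyright?id={uri}'/>
+</XRD>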
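--- a/contrib/host-meta/xep-0156-minimal.json
+++ b/contrib/host-meta/xep-0156-minimal.json
@@ -0,0 +1 @@
+{"links":[{"rel":"urn:xmpp:alt-connections:xbosh","href":"https://example.org/http-bind"},{"rel":"urn:xmpp:alt-connections:websocket","href":"wss://example.org/xmpp-websocket"}]}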
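--- a/contrib/host-meta/xep-0156-proposed-minimal.json
+++ b/contrib/host-meta/xep-0156-proposed-minimal.json
@@ -0,0 +1,87 @@
+{
+"xmpp": {
+"ttl": 3000,
+"public-key-pins-sha-256": [
+"4/mggdlVx8A3pvHAWW5sD+qJyMtUHgiRuPjVC48N0XQ="
+]
+},
+"links": [
+{
+"rel": "urn:xmpp:alt-connections:websocket",
+"href": "wss://other.example.org/xmpp-websocket",
+"ips": [
+"1.2.3.4",
+"fd00:feed:dad:beef::1"
+],
+"priority": 15,
+"weight": 50,
+"sni": "example.org",
+"alpn": [
+"h2",
+"http/1.1",
+"h3"
+],
+"ech": "eG1wcC1jbGllbnQ="
+},
+{
+"rel": "urn:xmpp:alt-connections:tls",
+"port": 443,
+"ips": [
+"1.2.3.4",
+"fd00:feed:dad:beef::1"
+],
+"priority": 10,
+"weight": 50,
+"sni": "example.org",
+"ech": "eG1wcC1jbGllbnQ="
+},
+{
+"rel": "urn:xmpp:alt-connections:quic",
+"port": 443,
+"ips": [
+"1.2.3.4",
+"fd00:feed:dad:beef::1"
+],
+"priority": 5,
+"weight": 50,
+"sni": "example.org",
+"ech": "eG1wcC1jbGllbnQ="
+},
+{
+"rel": "urn:xmpp:alt-connections:s2s-websocket",
+"href": "wss://other.example.org/s2s-xmpp-websocket",
+"ips": [
+"1.2.3.4",
+"fd00:feed:dad:beef::1"
+],
+"priority": 15,
+"weight": 50,
+"sni": "example.org",
+"ech": "eG1wcC1jbGllbnQ="
+},
+{
+"rel": "urn:xmpp:alt-connections:s2s-tls",
+"port": 443,
+"ips": [
+"1.2.3.4",
+"fd00:feed:dad:beef::1"
+],
+"priority": 10,
+"weight": 50,
+"sni": "example.org",
+"ech": "eG1wcC1jbGllbnQ="
+},
+{
+"rel": "urn:xmpp:alt-connections:s2s-quic",
+"port": 443,
+"ips": [
+"1.2.3.4",
+"fd00:feed:dad:beef::1"
+],
+"priority": 5,
+"weight": 50,
+"sni": "example.org",
+"ech": "eG1wcC1jbGllbnQ="
+}
+]
+}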
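Review bot: Every `ips` array in this file (and likewise in `contrib/host-meta/xep-0156-proposed.json`) uses `1.2.3.4`, which is a routable, allocated address rather than example space; sample data that people copy into real host-meta files should use the RFC 5737 documentation range, e.g. `"192.0.2.4"`, and the RFC 3849 range `2001:db8::1` rather than the ULA `fd00:feed:dad:beef::1`. The `ech` value `eG1wcC1jbGllbnQ=` is the base64 of the ASCII string `xmpp-client`, not an ECHConfigList, and the `public-key-pins-sha-256` entry appears to be a sample digest as well. Since JSON cannot carry comments, a short line in a README next to these files stating that the ECH, pin, address and `ttl` values are placeholders (and what unit `ttl` is in) would keep them from being taken as working examples.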
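--- a/contrib/host-meta/xep-0156-proposed.json
+++ b/contrib/host-meta/xep-0156-proposed.json
@@ -0,0 +1,133 @@
+{
+"subject": "http://blog.example.com/article/id/314",
+"expires": "2010-01-30T09:30:00Z",
+"aliases": [
+"http://blog.example.com/cool_new_thing",
+"http://blog.example.com/steve/article/7"
+],
+"properties": {
+"http://blgx.example.net/ns/version": "1.3",
+"http://blgx.example.net/ns/ext": null
+},
+"xmpp": {
+"ttl": 3000,
+"public-key-pins-sha-256": [
+"4/mggdlVx8A3pvHAWW5sD+qJyMtUHgiRuPjVC48N0XQ="
+]
+},
+"links": [
+{
+"rel": "author",
+"type": "text/html",
+"href": "http://blog.example.com/author/steve",
+"titles": {
+"default": "About the Author",
+"en-us": "Author Information"
+},
+"properties": {
+"http://example.com/role": "editor"
+}
+},
+{
+"rel": "author",
+"href": "http://example.com/author/john",
+"titles": {
+"default": "The other author"
+}
+},
+{
+"rel": "urn:xmpp:alt-connections:xbosh",
+"href": "https://example.org/http-bind"
+},
+{
+"rel": "urn:xmpp:alt-connections:websocket",
+"href": "wss://example.org/xmpp-websocket"
+},
+{
+"rel": "urn:xmpp:alt-connections:websocket",
+"href": "wss://other.example.org/xmpp-websocket",
+"ips": [
+"1.2.3.4",
+"fd00:feed:dad:beef::1"
+],
+"priority": 15,
+"weight": 50,
+"sni": "example.org",
+"alpn": [
+"h2",
+"http/1.1",
+"h3"
+],
+"ech": "eG1wcC1jbGllbnQ="
+},
+{
+"rel": "urn:xmpp:alt-connections:tls",
+"port": 443,
+"ips": [
+"1.2.3.4",
+"fd00:feed:dad:beef::1"
+],
+"priority": 10,
+"weight": 50,
+"sni": "example.org",
+"ech": "eG1wcC1jbGllbnQ="
+},
+{
+"rel": "urn:xmpp:alt-connections:quic",
+"port": 443,
+"ips": [
+"1.2.3.4",
+"fd00:feed:dad:beef::1"
+],
+"priority": 5,
+"weight": 50,
+"sni": "example.org",
+"ech": "eG1wcC1jbGllbnQ="
+},
+{
+"rel": "urn:xmpp:alt-connections:s2s-websocket",
+"href": "wss://other.example.org/s2s-xmpp-websocket",
+"ips": [
+"1.2.3.4",
+"fd00:feed:dad:beef::1"
+],
+"priority": 15,
+"weight": 50,
+"sni": "example.org",
+"alpn": [
+"h2",
+"http/1.1",
+"h3"
+],
+"ech": "eG1wcC1jbGllbnQ="
+},
+{
+"rel": "urn:xmpp:alt-connections:s2s-tls",
+"port": 443,
+"ips": [
+"1.2.3.4",
+"fd00:feed:dad:beef::1"
+],
+"priority": 10,
+"weight": 50,
+"sni": "example.org",
+"ech": "eG1wcC1jbGllbnQ="
+},
+{
+"rel": "urn:xmpp:alt-connections:s2s-quic",
+"port": 443,
+"ips": [
+"1.2.3.4",
+"fd00:feed:dad:beef::1"
+],
+"priority": 5,
+"weight": 50,
+"sni": "example.org",
+"ech": "eG1wcC1jbGllbnQ="
+},
+{
+"rel": "copyright",
+"template": "http://example.com/copyright?id={uri}"
+}
+]
+}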
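--- a/contrib/host-meta/xml-validate.sh
+++ b/contrib/host-meta/xml-validate.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec xmllint --noout --schema xrd-1.0-os.xsd "$1"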
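Review bot: The schema path `xrd-1.0-os.xsd` on the `exec` line is resolved against the caller's working directory, not the script's, so the validator only works when invoked from inside `contrib/host-meta/`; `exec xmllint --noout --schema "$(dirname "$0")/xrd-1.0-os.xsd" "$1"` removes that dependency. The schema it loads imports `http://www.w3.org/2001/xml.xsd` by URL, so xmllint will presumably fetch that file over plain HTTP on each run unless a local XML catalog already provides it; adding `--nonet` and shipping a local copy of `xml.xsd` (or relying on the distro catalog) would keep validation offline and reproducible. A one-line usage check such as `[ -n "$1" ] || { echo "usage: $0 FILE" >&2; exit 2; }` would also make the error for a missing argument clearer than xmllint's.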
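--- a/contrib/host-meta/xrd-1.0-os.xsd
+++ b/contrib/host-meta/xrd-1.0-os.xsd
@@ -0,0 +1,105 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<schema
+targetNamespace="http://docs.oasis-open.org/ns/xri/xrd-1.0"
+xmlns="http://www.w3.org/2001/XMLSchema"
+xmlns:xrd="http://docs.oasis-open.org/ns/xri/xrd-1.0"
+elementFormDefault="unqualified"
+attributeFormDefault="unqualified"
+blockDefault="substitution"
+version="1.0">
+
+<import namespace="http://www.w3.org/XML/1998/namespace"
+schemaLocation="http://www.w3.org/2001/xml.xsd"/>
+
+<annotation>
+<documentation>
+Document identifier: xrd-schema-1.0
+Location: http://docs.oasis-open.org/xri/xrd/v1.0/
+</documentation>
+</annotation>
+
+<complexType name="anyURI">
+<simpleContent>
+<extension base="anyURI">
+<anyAttribute namespace="##other" processContents="lax"/>
+</extension>
+</simpleContent>
+</complexType>
+
+<complexType name="string">
+<simpleContent>
+<extension base="string">
+<anyAttribute namespace="##other" processContents="lax"/>
+</extension>
+</simpleContent>
+</complexType>
+
+<element name="XRDS" type="xrd:XRDSType"/>
+<complexType name="XRDSType">
+<sequence>
+<element ref="xrd:XRD" minOccurs="0" maxOccurs="unbounded"/>
+</sequence>
+<attribute name="ref" type="anyURI" use="optional"/>
+</complexType>
+
+<element name="XRD" type="xrd:XRDType"/>
+<complexType name="XRDType">
+<sequence>
+<element ref="xrd:Expires" minOccurs="0"/>
+<element ref="xrd:Subject" minOccurs="0"/>
+<choice minOccurs="0" maxOccurs="unbounded">
+<element ref="xrd:Alias"/>
+<element ref="xrd:Property"/>
+<element ref="xrd:Link"/>
+<any namespace="##other" processContents="lax"/>
+</choice>
+</sequence>
+<attribute ref="xml:id" use="optional"/>
+<anyAttribute namespace="##other" processContents="lax"/>
+</complexType>
+
+<element name="Expires" type="xrd:ExpiresType"/>
+<complexType name="ExpiresType">
+<simpleContent>
+<extension base="dateTime">
+<anyAttribute namespace="##other" processContents="lax"/>
+</extension>
+</simpleContent>
+</complexType>
+
+<element name="Subject" type="xrd:anyURI"/>
+<element name="Alias" type="xrd:anyURI"/>
+
+<element name="Property" type="xrd:PropertyType" nillable="true"/>
+<complexType name="PropertyType">
+<simpleContent>
+<extension base="xrd:string">
+<attribute name="type" type="anyURI" use="required"/>
+</extension>
+</simpleContent>
+</complexType>
+
+<element name="Link" type="xrd:LinkType"/>
+<complexType name="LinkType">
+<choice minOccurs="0" maxOccurs="unbounded">
+<element ref="xrd:Title"/>
+<element ref="xrd:Property"/>
+<any namespace="##other" processContents="lax"/>
+</choice>
+<attribute name="rel" type="anyURI" use="optional"/>
+<attribute name="type" type="string" use="optional"/>
+<attribute name="href" type="anyURI" use="optional"/>
+<attribute name="template" type="string" use="optional"/>
+<anyAttribute namespace="##other" processContents="lax"/>
+</complexType>
+
+<element name="Title" type="xrd:TitleType"/>
+<complexType name="TitleType">
+<simpleContent>
+<extension base="xrd:string">
+<attribute ref="xml:lang" use="optional"/>
+</extension>
+</simpleContent>
+</complexType>
+
+</schema>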
321
contrib/logo/xmpp_proxy_bw.svg
Normal file
BIN
contrib/logo/xmpp_proxy_color.png
Normal file
189
contrib/logo/xmpp_proxy_color.svg
Normal file
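--- a/contrib/posh.sh
+++ b/contrib/posh.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# these are just examples for how to grab and hash certificates for POSH
+# adapted from https://curl.se/libcurl/c/CURLOPT_PINNEDPUBLICKEY.html
+
+# this is for any direct TLS port like xmpps or https
+openssl s_client -servername posh.badxmpp.eu -connect posh.badxmpp.eu:443 < /dev/null | sed -n "/-----BEGIN/,/-----END/p" > posh.badxmpp.eu.pem
+openssl asn1parse -noout -inform pem -in posh.badxmpp.eu.pem -out posh.badxmpp.eu.der
+openssl dgst -sha256 -binary posh.badxmpp.eu.der | openssl base64 | tr -d '\n' > posh.badxmpp.eu.der.sha256
+openssl dgst -sha512 -binary posh.badxmpp.eu.der | openssl base64 | tr -d '\n' > posh.badxmpp.eu.der.sha512
+
+openssl base64 < posh.badxmpp.eu.der | tr -d '\n' > posh.badxmpp.eu.der.base64
+
+# this is for any starttls xmpp port
+openssl s_client -starttls xmpp -name posh.badxmpp.eu -servername posh.badxmpp.eu -connect snikket2.prosody.im:5222 < /dev/null | sed -n "/-----BEGIN/,/-----END/p" > posh.badxmpp.eu.5222.pem
+openssl asn1parse -noout -inform pem -in posh.badxmpp.eu.5222.pem -out posh.badxmpp.eu.5222.der
+openssl dgst -sha256 -binary posh.badxmpp.eu.5222.der | openssl base64 | tr -d '\n' > posh.badxmpp.eu.5222.der.sha256
+openssl dgst -sha512 -binary posh.badxmpp.eu.5222.der | openssl base64 | tr -d '\n' > posh.badxmpp.eu.5222.der.sha512
+
+openssl base64 < posh.badxmpp.eu.5222.der | tr -d '\n' > posh.badxmpp.eu.5222.der.base64
+
+wget https://posh.badxmpp.eu/.well-known/posh/xmpp-server.json https://posh.badxmpp.eu/.well-known/posh/xmpp-client.json
+
+grep . *.sha*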
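Review bot: None of the pipelines checks for failure, so a failed `s_client` connection leaves an empty `.pem`, `asn1parse` then fails, and the following `dgst` lines hash either nothing or a stale `.der` left over from an earlier run into the `.sha256`/`.sha512` files that are meant to become published POSH fingerprints. Adding `set -eu` after the shebang and guarding each block with `[ -s posh.badxmpp.eu.pem ] || exit 1` (and the same for the `.5222.pem`) before the `asn1parse` step would make the script stop instead of emitting a wrong digest. Because `s_client` runs without `-verify_return_error` or a `-CAfile`, the hashed certificate is simply whatever the peer presented; the header comment should say that the resulting `.der` must be compared against the server's own certificate file before any fingerprint is published.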
467
contrib/prosody-modules/mod_net_proxy.lua
Normal file
467
contrib/prosody-modules/mod_net_proxy.lua
Normal file
@ -0,0 +1,467 @@
|
|||||||
|
-- mod_net_proxy.lua
|
||||||
|
-- Copyright (C) 2018 Pascal Mathis <mail@pascalmathis.com>
|
||||||
|
--
|
||||||
|
-- Implementation of PROXY protocol versions 1 and 2
|
||||||
|
-- Specifications: https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
|
||||||
|
module:set_global();
|
||||||
|
|
||||||
|
-- Imports
|
||||||
|
local softreq = require "util.dependencies".softreq;
|
||||||
|
local bit = assert(softreq "bit" or softreq "bit32" or softreq "util.bitcompat", "No bit module found. See https://prosody.im/doc/depends#bitop");
|
||||||
|
local hex = require "util.hex";
|
||||||
|
local ip = require "util.ip";
|
||||||
|
local net = require "util.net";
|
||||||
|
local set = require "util.set";
|
||||||
|
local portmanager = require "core.portmanager";
|
||||||
|
|
||||||
|
-- Backwards Compatibility
|
||||||
|
local function net_ntop_bc(input)
|
||||||
|
if input:len() == 4 then
|
||||||
|
return string.format("%d.%d.%d.%d", input:byte(1, 4));
|
||||||
|
elseif input:len() == 16 then
|
||||||
|
local octets = { nil, nil, nil, nil, nil, nil, nil, nil };
|
||||||
|
|
||||||
|
-- Convert received bytes into IPv6 address and skip leading zeroes for each group
|
||||||
|
for index = 1, 8 do
|
||||||
|
local high, low = input:byte(index * 2 - 1, index * 2);
|
||||||
|
octets[index] = string.format("%x", high * 256 + low);
|
||||||
|
end
|
||||||
|
local address = table.concat(octets, ":", 1, 8);
|
||||||
|
|
||||||
|
-- Search for the longest sequence of zeroes
|
||||||
|
local token;
|
||||||
|
local length = (address:match("^0:[0:]+()") or 1) - 1;
|
||||||
|
for s in address:gmatch(":0:[0:]+") do
|
||||||
|
if length < #s then
|
||||||
|
length, token = #s, s;
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
-- Return the shortened IPv6 address
|
||||||
|
return address:gsub(token or "^0:[0:]+", "::", 1);
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
local net_ntop = net.ntop or net_ntop_bc
|
||||||
|
|
||||||
|
-- Utility Functions
|
||||||
|
local function _table_invert(input)
|
||||||
|
local output = {};
|
||||||
|
for key, value in pairs(input) do
|
||||||
|
output[value] = key;
|
||||||
|
end
|
||||||
|
return output;
|
||||||
|
end
|
||||||
|
|
||||||
|
-- Constants
|
||||||
|
local ADDR_FAMILY = { UNSPEC = 0x0, INET = 0x1, INET6 = 0x2, UNIX = 0x3 };
|
||||||
|
local ADDR_FAMILY_STR = _table_invert(ADDR_FAMILY);
|
||||||
|
local TRANSPORT = { UNSPEC = 0x0, STREAM = 0x1, DGRAM = 0x2 };
|
||||||
|
local TRANSPORT_STR = _table_invert(TRANSPORT);
|
||||||
|
|
||||||
|
local PROTO_MAX_HEADER_LENGTH = 256;
|
||||||
|
local PROTO_HANDLERS = {
|
||||||
|
PROXYv1 = { signature = hex.from("50524F5859"), callback = nil },
|
||||||
|
PROXYv2 = { signature = hex.from("0D0A0D0A000D0A515549540A"), callback = nil }
|
||||||
|
};
|
||||||
|
local PROTO_HANDLER_STATUS = { SUCCESS = 0, POSTPONE = 1, FAILURE = 2 };
|
||||||
|
|
||||||
|
-- Configuration Variables
|
||||||
|
local config_mappings = module:get_option("proxy_port_mappings", {});
|
||||||
|
local config_ports = module:get_option_set("proxy_ports", {});
|
||||||
|
local config_trusted_proxies = module:get_option_set("proxy_trusted_proxies", {"127.0.0.1", "::1"});
|
||||||
|
|
||||||
|
-- Persistent In-Memory Storage
|
||||||
|
local sessions = {};
|
||||||
|
local mappings = {};
|
||||||
|
local trusted_networks = set.new();
|
||||||
|
|
||||||
|
-- Proxy Data Methods
|
||||||
|
local proxy_data_mt = {}; proxy_data_mt.__index = proxy_data_mt;
|
||||||
|
|
||||||
|
function proxy_data_mt:describe()
|
||||||
|
return string.format("proto=%s/%s src=%s:%d dst=%s:%d",
|
||||||
|
self:addr_family_str(), self:transport_str(), self:src_addr(), self:src_port(), self:dst_addr(), self:dst_port());
|
||||||
|
end
|
||||||
|
|
||||||
|
function proxy_data_mt:addr_family_str()
|
||||||
|
return ADDR_FAMILY_STR[self._addr_family] or ADDR_FAMILY_STR[ADDR_FAMILY.UNSPEC];
|
||||||
|
end
|
||||||
|
|
||||||
|
function proxy_data_mt:transport_str()
|
||||||
|
return TRANSPORT_STR[self._transport] or TRANSPORT_STR[TRANSPORT.UNSPEC];
|
||||||
|
end
|
||||||
|
|
||||||
|
function proxy_data_mt:version()
|
||||||
|
return self._version;
|
||||||
|
end
|
||||||
|
|
||||||
|
function proxy_data_mt:addr_family()
|
||||||
|
return self._addr_family;
|
||||||
|
end
|
||||||
|
|
||||||
|
function proxy_data_mt:transport()
|
||||||
|
return self._transport;
|
||||||
|
end
|
||||||
|
|
||||||
|
function proxy_data_mt:src_addr()
|
||||||
|
return self._src_addr;
|
||||||
|
end
|
||||||
|
|
||||||
|
function proxy_data_mt:src_port()
|
||||||
|
return self._src_port;
|
||||||
|
end
|
||||||
|
|
||||||
|
function proxy_data_mt:dst_addr()
|
||||||
|
return self._dst_addr;
|
||||||
|
end
|
||||||
|
|
||||||
|
function proxy_data_mt:dst_port()
|
||||||
|
return self._dst_port;
|
||||||
|
end
|
||||||
|
|
||||||
|
-- Protocol Handler Functions
|
||||||
|
PROTO_HANDLERS["PROXYv1"].callback = function(conn, session)
|
||||||
|
local addr_family_mappings = { TCP4 = ADDR_FAMILY.INET, TCP6 = ADDR_FAMILY.INET6 };
|
||||||
|
|
||||||
|
-- Postpone processing if CRLF (PROXYv1 header terminator) does not exist within buffer
|
||||||
|
if session.buffer:find("\r\n") == nil then
|
||||||
|
return PROTO_HANDLER_STATUS.POSTPONE, nil;
|
||||||
|
end
|
||||||
|
|
||||||
|
-- Declare header pattern and match current buffer against pattern
|
||||||
|
local header_pattern = "^PROXY (%S+) (%S+) (%S+) (%d+) (%d+)\r\n";
|
||||||
|
local addr_family, src_addr, dst_addr, src_port, dst_port = session.buffer:match(header_pattern);
|
||||||
|
src_port, dst_port = tonumber(src_port), tonumber(dst_port);
|
||||||
|
|
||||||
|
-- Ensure that header was successfully parsed and contains a valid address family
|
||||||
|
if addr_family == nil or src_addr == nil or dst_addr == nil or src_port == nil or dst_port == nil then
|
||||||
|
module:log("warn", "Received unparseable PROXYv1 header from %s", conn:ip());
|
||||||
|
return PROTO_HANDLER_STATUS.FAILURE, nil;
|
||||||
|
end
|
||||||
|
if addr_family_mappings[addr_family] == nil then
|
||||||
|
module:log("warn", "Received invalid PROXYv1 address family from %s: %s", conn:ip(), addr_family);
|
||||||
|
return PROTO_HANDLER_STATUS.FAILURE, nil;
|
||||||
|
end
|
||||||
|
|
||||||
|
-- Ensure that received source and destination ports are within 1 and 65535 (0xFFFF)
|
||||||
|
if src_port <= 0 or src_port >= 0xFFFF then
|
||||||
|
module:log("warn", "Received invalid PROXYv1 source port from %s: %d", conn:ip(), src_port);
|
||||||
|
return PROTO_HANDLER_STATUS.FAILURE, nil;
|
||||||
|
end
|
||||||
|
if dst_port <= 0 or dst_port >= 0xFFFF then
|
||||||
|
module:log("warn", "Received invalid PROXYv1 destination port from %s: %d", conn:ip(), dst_port);
|
||||||
|
return PROTO_HANDLER_STATUS.FAILURE, nil;
|
||||||
|
end
|
||||||
|
|
||||||
|
-- Ensure that received source and destination address can be parsed
|
||||||
|
local _, err = ip.new_ip(src_addr);
|
||||||
|
if err ~= nil then
|
||||||
|
module:log("warn", "Received unparseable PROXYv1 source address from %s: %s", conn:ip(), src_addr);
|
||||||
|
return PROTO_HANDLER_STATUS.FAILURE, nil;
|
||||||
|
end
|
||||||
|
_, err = ip.new_ip(dst_addr);
|
||||||
|
if err ~= nil then
|
||||||
|
module:log("warn", "Received unparseable PROXYv1 destination address from %s: %s", conn:ip(), dst_addr);
|
||||||
|
return PROTO_HANDLER_STATUS.FAILURE, nil;
|
||||||
|
end
|
||||||
|
|
||||||
|
-- Strip parsed header from session buffer and build proxy data
|
||||||
|
session.buffer = session.buffer:gsub(header_pattern, "");
|
||||||
|
|
||||||
|
local proxy_data = {
|
||||||
|
_version = 1,
|
||||||
|
_addr_family = addr_family, _transport = TRANSPORT.STREAM,
|
||||||
|
_src_addr = src_addr, _src_port = src_port,
|
||||||
|
_dst_addr = dst_addr, _dst_port = dst_port
|
||||||
|
};
|
||||||
|
setmetatable(proxy_data, proxy_data_mt);
|
||||||
|
|
||||||
|
-- Return successful response with gathered proxy data
|
||||||
|
return PROTO_HANDLER_STATUS.SUCCESS, proxy_data;
|
||||||
|
end
|
||||||
|
|
||||||
|
PROTO_HANDLERS["PROXYv2"].callback = function(conn, session)
|
||||||
|
-- Postpone processing if less than 16 bytes are available
|
||||||
|
if #session.buffer < 16 then
|
||||||
|
return PROTO_HANDLER_STATUS.POSTPONE, nil;
|
||||||
|
end
|
||||||
|
|
||||||
|
-- Parse first 16 bytes of protocol header
|
||||||
|
local version = bit.rshift(bit.band(session.buffer:byte(13), 0xF0), 4);
|
||||||
|
local command = bit.band(session.buffer:byte(13), 0x0F);
|
||||||
|
local addr_family = bit.rshift(bit.band(session.buffer:byte(14), 0xF0), 4);
|
||||||
|
local transport = bit.band(session.buffer:byte(14), 0x0F);
|
||||||
|
local length = bit.bor(session.buffer:byte(16), bit.lshift(session.buffer:byte(15), 8));
|
||||||
|
|
||||||
|
-- Postpone processing if less than 16+<length> bytes are available
|
||||||
|
if #session.buffer < 16 + length then
|
||||||
|
return PROTO_HANDLER_STATUS.POSTPONE, nil;
|
||||||
|
end
|
||||||
|
|
||||||
|
-- Ensure that version number is correct
|
||||||
|
if version ~= 0x2 then
|
||||||
|
module:log("warn", "Received unsupported PROXYv2 version from %s: %d", conn:ip(), version);
|
||||||
|
return PROTO_HANDLER_STATUS.FAILURE, nil;
|
||||||
|
end
|
||||||
|
|
||||||
|
local payload = session.buffer:sub(17);
|
||||||
|
if command == 0x0 then
|
||||||
|
-- Gather source/destination addresses and ports from local socket
|
||||||
|
local src_addr, src_port = conn:socket():getpeername();
|
||||||
|
local dst_addr, dst_port = conn:socket():getsockname();
|
||||||
|
|
||||||
|
-- Build proxy data based on real connection information
|
||||||
|
local proxy_data = {
|
||||||
|
_version = version,
|
||||||
|
_addr_family = addr_family, _transport = transport,
|
||||||
|
_src_addr = src_addr, _src_port = src_port,
|
||||||
|
_dst_addr = dst_addr, _dst_port = dst_port
|
||||||
|
};
|
||||||
|
setmetatable(proxy_data, proxy_data_mt);
|
||||||
|
|
||||||
|
-- Return successful response with gathered proxy data
|
||||||
|
return PROTO_HANDLER_STATUS.SUCCESS, proxy_data;
|
||||||
|
elseif command == 0x1 then
|
||||||
|
local offset = 1;
|
||||||
|
local src_addr, src_port, dst_addr, dst_port;
|
||||||
|
|
||||||
|
-- Verify transport protocol is either STREAM or DGRAM
|
||||||
|
if transport ~= TRANSPORT.STREAM and transport ~= TRANSPORT.DGRAM then
|
||||||
|
module:log("warn", "Received unsupported PROXYv2 transport from %s: 0x%02X", conn:ip(), transport);
|
||||||
|
return PROTO_HANDLER_STATUS.FAILURE, nil;
|
||||||
|
end
|
||||||
|
|
||||||
|
-- Parse source and destination addresses
|
||||||
|
if addr_family == ADDR_FAMILY.INET then
|
||||||
|
src_addr = net_ntop(payload:sub(offset, offset + 3)); offset = offset + 4;
|
||||||
|
dst_addr = net_ntop(payload:sub(offset, offset + 3)); offset = offset + 4;
|
||||||
|
elseif addr_family == ADDR_FAMILY.INET6 then
|
||||||
|
src_addr = net_ntop(payload:sub(offset, offset + 15)); offset = offset + 16;
|
||||||
|
dst_addr = net_ntop(payload:sub(offset, offset + 15)); offset = offset + 16;
|
||||||
|
elseif addr_family == ADDR_FAMILY.UNIX then
|
||||||
|
src_addr = payload:sub(offset, offset + 107); offset = offset + 108;
|
||||||
|
dst_addr = payload:sub(offset, offset + 107); offset = offset + 108;
|
||||||
|
end
|
||||||
|
|
||||||
|
-- Parse source and destination ports
|
||||||
|
if addr_family == ADDR_FAMILY.INET or addr_family == ADDR_FAMILY.INET6 then
|
||||||
|
src_port = bit.bor(payload:byte(offset + 1), bit.lshift(payload:byte(offset), 8)); offset = offset + 2;
|
||||||
|
-- luacheck: ignore 311
|
||||||
|
dst_port = bit.bor(payload:byte(offset + 1), bit.lshift(payload:byte(offset), 8)); offset = offset + 2;
|
||||||
|
end
|
||||||
|
|
||||||
|
-- Strip parsed header from session buffer and build proxy data
|
||||||
|
session.buffer = session.buffer:sub(17 + length);
|
||||||
|
|
||||||
|
local proxy_data = {
|
||||||
|
_version = version,
|
||||||
|
_addr_family = addr_family, _transport = transport,
|
||||||
|
_src_addr = src_addr, _src_port = src_port,
|
||||||
|
_dst_addr = dst_addr, _dst_port = dst_port
|
||||||
|
};
|
||||||
|
setmetatable(proxy_data, proxy_data_mt);
|
||||||
|
|
||||||
|
-- Return successful response with gathered proxy data
|
||||||
|
return PROTO_HANDLER_STATUS.SUCCESS, proxy_data;
|
||||||
|
else
|
||||||
|
module:log("warn", "Received unsupported PROXYv2 command from %s: 0x%02X", conn:ip(), command);
|
||||||
|
return PROTO_HANDLER_STATUS.FAILURE, nil;
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
-- Wrap an existing connection with the provided proxy data. This will override several methods of the 'conn' object to
|
||||||
|
-- return the proxied source instead of the source which initiated the TCP connection. Afterwards, the listener of the
|
||||||
|
-- connection gets set according to the globally defined port<>service mappings and the methods 'onconnect' and
|
||||||
|
-- 'onincoming' are being called manually with the current session buffer.
|
||||||
|
local function wrap_proxy_connection(conn, session, proxy_data)
|
||||||
|
-- Override and add functions of 'conn' object when source information has been collected
|
||||||
|
conn.proxyip, conn.proxyport = conn.ip, conn.port;
|
||||||
|
if proxy_data:src_addr() ~= nil and proxy_data:src_port() ~= nil then
|
||||||
|
conn.ip = function()
|
||||||
|
return proxy_data:src_addr();
|
||||||
|
end
|
||||||
|
conn.port = function()
|
||||||
|
return proxy_data:src_port();
|
||||||
|
end
|
||||||
|
conn.clientport = conn.port;
|
||||||
|
end
|
||||||
|
|
||||||
|
-- Attempt to find service by processing port<>service mappings
|
||||||
|
local mapping = mappings[tonumber(conn:serverport())];
|
||||||
|
if mapping == nil then
|
||||||
|
conn:close();
|
||||||
|
module:log("warn", "Connection %s@%s terminated: Could not find mapping for port %d",
|
||||||
|
conn:ip(), conn:proxyip(), conn:serverport());
|
||||||
|
return;
|
||||||
|
end
|
||||||
|
|
||||||
|
if mapping.service == nil then
|
||||||
|
local service = portmanager.get_service(mapping.service_name);
|
||||||
|
|
||||||
|
if service ~= nil then
|
||||||
|
mapping.service = service;
|
||||||
|
else
|
||||||
|
conn:close();
|
||||||
|
module:log("warn", "Connection %s@%s terminated: Could not process mapping for unknown service %s",
|
||||||
|
conn:ip(), conn:proxyip(), mapping.service_name);
|
||||||
|
return;
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
-- Pass connection to actual service listener and simulate onconnect/onincoming callbacks
|
||||||
|
local service_listener = mapping.service.listener;
|
||||||
|
|
||||||
|
module:log("info", "Passing proxied connection %s:%d to service %s", conn:ip(), conn:port(), mapping.service_name);
|
||||||
|
conn:setlistener(service_listener);
|
||||||
|
if service_listener.onconnect then
|
||||||
|
service_listener.onconnect(conn);
|
||||||
|
end
|
||||||
|
return service_listener.onincoming(conn, session.buffer);
|
||||||
|
end
|
||||||
|
|
||||||
|
local function is_trusted_proxy(conn)
|
||||||
|
-- If no trusted proxies were configured, trust any incoming connection
|
||||||
|
-- While this may seem insecure, the module defaults to only trusting 127.0.0.1 and ::1
|
||||||
|
if trusted_networks:empty() then
|
||||||
|
return true;
|
||||||
|
end
|
||||||
|
|
||||||
|
-- Iterate through all trusted proxies and check for match against connected IP address
|
||||||
|
local conn_ip = ip.new_ip(conn:ip());
|
||||||
|
for trusted_network in trusted_networks:items() do
|
||||||
|
if ip.match(trusted_network.ip, conn_ip, trusted_network.cidr) then
|
||||||
|
return true;
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
-- Connection does not match any trusted proxy
|
||||||
|
return false;
|
||||||
|
end
|
||||||
|
|
||||||
|
-- Network Listener Methods
|
||||||
|
local listener = {};
|
||||||
|
|
||||||
|
function listener.onconnect(conn)
|
||||||
|
-- Silently drop connections with an IP address of <nil>, which can happen when the socket was closed before the
|
||||||
|
-- responsible net.server backend was able to grab the IP address of the connecting client.
|
||||||
|
if conn:ip() == nil then
|
||||||
|
conn:close();
|
||||||
|
return;
|
||||||
|
end
|
||||||
|
|
||||||
|
-- Check if connection is coming from a trusted proxy
|
||||||
|
if not is_trusted_proxy(conn) then
|
||||||
|
conn:close();
|
||||||
|
module:log("warn", "Dropped connection from untrusted proxy: %s", conn:ip());
|
||||||
|
return;
|
||||||
|
end
|
||||||
|
|
||||||
|
-- Initialize session variables
|
||||||
|
sessions[conn] = {
|
||||||
|
handler = nil;
|
||||||
|
buffer = nil;
|
||||||
|
};
|
||||||
|
end
|
||||||
|
|
||||||
|
function listener.onincoming(conn, data)
|
||||||
|
-- Abort processing if no data has been received
|
||||||
|
if not data then
|
||||||
|
return;
|
||||||
|
end
|
||||||
|
|
||||||
|
-- Lookup session for connection and append received data to buffer
|
||||||
|
local session = sessions[conn];
|
||||||
|
session.buffer = session.buffer and session.buffer .. data or data;
|
||||||
|
|
||||||
|
-- Attempt to determine protocol handler if not done previously
|
||||||
|
if session.handler == nil then
|
||||||
|
-- Match current session buffer against all known protocol signatures to determine protocol handler
|
||||||
|
for handler_name, handler in pairs(PROTO_HANDLERS) do
|
||||||
|
if session.buffer:find("^" .. handler.signature) ~= nil then
|
||||||
|
session.handler = handler.callback;
|
||||||
|
module:log("debug", "Detected %s connection from %s:%d", handler_name, conn:ip(), conn:port());
|
||||||
|
break;
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
-- Decide between waiting for a complete header signature or terminating the connection when no handler has been found
|
||||||
|
if session.handler == nil then
|
||||||
|
-- Terminate connection if buffer size has exceeded tolerable maximum size
|
||||||
|
if #session.buffer > PROTO_MAX_HEADER_LENGTH then
|
||||||
|
conn:close();
|
||||||
|
module:log("warn", "Connection %s:%d terminated: No valid PROXY header within %d bytes",
|
||||||
|
conn:ip(), conn:port(), PROTO_MAX_HEADER_LENGTH);
|
||||||
|
end
|
||||||
|
|
||||||
|
-- Skip further processing without a valid protocol handler
|
||||||
|
module:log("debug", "No valid header signature detected from %s:%d, waiting for more data...",
|
||||||
|
conn:ip(), conn:port());
|
||||||
|
return;
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
-- Execute proxy protocol handler and process response
|
||||||
|
local response, proxy_data = session.handler(conn, session);
|
||||||
|
if response == PROTO_HANDLER_STATUS.SUCCESS then
|
||||||
|
module:log("info", "Received PROXY header from %s: %s", conn:ip(), proxy_data:describe());
|
||||||
|
return wrap_proxy_connection(conn, session, proxy_data);
|
||||||
|
elseif response == PROTO_HANDLER_STATUS.POSTPONE then
|
||||||
|
module:log("debug", "Postponed parsing of incomplete PROXY header received from %s", conn:ip());
|
||||||
|
return;
|
||||||
|
elseif response == PROTO_HANDLER_STATUS.FAILURE then
|
||||||
|
conn:close();
|
||||||
|
module:log("warn", "Connection %s terminated: Could not process PROXY header from client, " +
|
||||||
|
"see previous log messages.", conn:ip());
|
||||||
|
return;
|
||||||
|
else
|
||||||
|
-- This code should be never reached, but is included for completeness
|
||||||
|
conn:close();
|
||||||
|
module:log("warn", "Connection terminated: Received invalid protocol handler response with code %d", response);
|
||||||
|
return;
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
function listener.ondisconnect(conn)
|
||||||
|
sessions[conn] = nil;
|
||||||
|
end
|
||||||
|
|
||||||
|
listener.ondetach = listener.ondisconnect;
|
||||||
|
|
||||||
|
-- Parse trusted proxies which can either contain single hosts or networks
|
||||||
|
if not config_trusted_proxies:empty() then
|
||||||
|
for trusted_proxy in config_trusted_proxies:items() do
|
||||||
|
local network = {};
|
||||||
|
network.ip, network.cidr = ip.parse_cidr(trusted_proxy);
|
||||||
|
trusted_networks:add(network);
|
||||||
|
end
|
||||||
|
else
|
||||||
|
module:log("warn", "No trusted proxies configured, all connections will be accepted - this might be dangerous");
|
||||||
|
end
|
||||||
|
|
||||||
|
-- Process all configured port mappings and generate a list of mapped ports
|
||||||
|
local mapped_ports = {};
|
||||||
|
for port, mapping in pairs(config_mappings) do
|
||||||
|
port = tonumber(port);
|
||||||
|
table.insert(mapped_ports, port);
|
||||||
|
mappings[port] = {
|
||||||
|
service_name = mapping,
|
||||||
|
service = nil,
|
||||||
|
};
|
||||||
|
end
|
||||||
|
|
||||||
|
-- Log error message when user manually specifies ports without configuring the necessary port mappings
|
||||||
|
if not config_ports:empty() then
|
||||||
|
local missing_ports = config_ports - set.new(mapped_ports);
|
||||||
|
if not missing_ports:empty() then
|
||||||
|
module:log("error", "Missing port<>service mappings for these ports: %s", tostring(missing_ports));
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
-- Register the previously declared network listener
|
||||||
|
module:provides("net", {
|
||||||
|
name = "proxy";
|
||||||
|
listener = listener;
|
||||||
|
default_ports = mapped_ports;
|
||||||
|
});
|
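--- a/contrib/prosody-modules/mod_s2s_outgoing_proxy.lua
+++ b/contrib/prosody-modules/mod_s2s_outgoing_proxy.lua
@@ -0,0 +1,105 @@
+local st = require"util.stanza";
+local new_ip = require"util.ip".new_ip;
+local new_outgoing = require"core.s2smanager".new_outgoing;
+local bounce_sendq = module:depends"s2s".route_to_new_session.bounce_sendq;
+local initialize_filters = require "util.filters".initialize;
+local st = require "util.stanza";
+
+local portmanager = require "core.portmanager";
+
+local addclient = require "net.server".addclient;
+
+module:depends("s2s");
+
+local sessions = module:shared("sessions");
+
+local s2s_outgoing_proxy = module:get_option("s2s_outgoing_proxy");
+
+local host, port = s2s_outgoing_proxy[1] or s2s_outgoing_proxy, tonumber(s2s_outgoing_proxy[2]) or 15270;
+
+-- The proxy_listener handles connection while still connecting to the proxy,
+-- then it hands them over to the normal listener (in mod_s2s)
+local proxy_listener = { default_port = port, default_mode = "*a", default_interface = "*" };
+
+function proxy_listener.onconnect(conn)
+local session = sessions[conn];
+
+-- Now the real s2s listener can take over the connection.
+local listener = portmanager.get_service("s2s").listener;
+
+session.proxy_handler = nil;
+
+local w, log = conn.send, session.log;
+
+local filter = initialize_filters(session);
+
+session.version = 1;
+
+session.sends2s = function (t)
+log("debug", "sending (s2s over proxy): %s", (t.top_tag and t:top_tag()) or t:match("^[^>]*>?"));
+if t.name then
+t = filter("stanzas/out", t);
+end
+if t then
+t = filter("bytes/out", tostring(t));
+if t then
+return conn:write(tostring(t));
+end
+end
+end
+
+session.open_stream = function ()
+session.sends2s(st.stanza("stream:stream", {
+xmlns='jabber:server', ["xmlns:db"]='jabber:server:dialback',
+["xmlns:stream"]='http://etherx.jabber.org/streams',
+from=session.from_host, to=session.to_host, version='1.0', ["xml:lang"]='en'}):top_tag());
+end
+
+conn.setlistener(conn, listener);
+
+listener.register_outgoing(conn, session);
+
+listener.onconnect(conn);
+
+-- this marks outgoing s2s as secure so we accept SASL EXTERNAL on it
+session.secure = true;
+end
+
+function proxy_listener.register_outgoing(conn, session)
+session.direction = "outgoing";
+sessions[conn] = session;
+end
+
+function proxy_listener.ondisconnect(conn, err)
+sessions[conn] = nil;
+end
+
+module:hook("route/remote", function(event)
+local from_host, to_host, stanza = event.from_host, event.to_host, event.stanza;
+log("debug", "opening a new outgoing connection for this stanza");
+local host_session = new_outgoing(from_host, to_host);
+
+-- Store in buffer
+host_session.bounce_sendq = bounce_sendq;
+host_session.sendq = { {tostring(stanza), stanza.attr.type ~= "error" and stanza.attr.type ~= "result" and st.reply(stanza)} };
+log("debug", "stanza [%s] queued until connection complete", tostring(stanza.name));
+
+local conn = addclient(host, port, proxy_listener, "*a");
+
+proxy_listener.register_outgoing(conn, host_session);
+
+host_session.conn = conn;
+return true;
+end, -2);
+
+-- todo: is this the best place to do this hook?
+-- this hook marks incoming s2s as secure so we offer SASL EXTERNAL on it
+module:hook("s2s-stream-features", function(event)
+local session, features = event.origin, event.features;
+if session.type == "s2sin_unauthed" then
+module:log("debug", "marking hook session.type '%s' secure with validated cert!", session.type);
+session.secure = true;
+session.cert_chain_status = "valid";
+session.cert_identity_status = "valid";
+end
+end, 3000);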
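Review bot: The `s2s-stream-features` hook at the end of the file sets `session.secure`, `cert_chain_status` and `cert_identity_status` to valid for every `s2sin_unauthed` session regardless of where the connection came from, so Prosody will offer and accept SASL EXTERNAL from any peer that reaches the s2s port directly, not only from the proxy that actually verified the peer certificate. That only holds if the s2s port is reachable solely through xmpp-proxy, which the module neither enforces nor states; at minimum a comment above the hook such as `-- Only safe when the s2s port is reachable exclusively via xmpp-proxy, which has already verified the peer certificate; any other peer would be treated as authenticated.` should say so, and keying it on the local interface the way mod_secure_interfaces does would enforce it. The same hook appears verbatim at the end of contrib/prosody-modules/mod_secure_interfaces.lua, so loading both modules registers it twice. Separately, `local st` is required twice (lines 1 and 6) and `new_ip` and `w` are never used, which a linter would flag.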
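--- a/contrib/prosody-modules/mod_secure_interfaces.lua
+++ b/contrib/prosody-modules/mod_secure_interfaces.lua
@@ -0,0 +1,39 @@
+local secure_interfaces = module:get_option_set("secure_interfaces", { "127.0.0.1", "::1" });
+
+local function mark_secure(event, expected_type)
+local session = event.origin;
+if session.type ~= expected_type then return; end
+local socket = session.conn:socket();
+if not socket.getsockname then
+module:log("debug", "Unable to determine local address of incoming connection");
+return;
+end
+local localip = socket:getsockname();
+if secure_interfaces:contains(localip) then
+module:log("debug", "Marking session from %s to %s as secure", session.ip or "[?]", localip);
+session.secure = true;
+session.conn.starttls = false;
+else
+module:log("debug", "Not marking session from %s to %s as secure", session.ip or "[?]", localip);
+end
+end
+
+module:hook("stream-features", function (event)
+mark_secure(event, "c2s_unauthed");
+end, 25000);
+
+module:hook("s2s-stream-features", function (event)
+mark_secure(event, "s2sin_unauthed");
+end, 25000);
+
+-- todo: is this the best place to do this hook?
+-- this hook marks incoming s2s as secure so we offer SASL EXTERNAL on it
+module:hook("s2s-stream-features", function(event)
+local session, features = event.origin, event.features;
+if session.type == "s2sin_unauthed" then
+module:log("debug", "marking hook session.type '%s' secure with validated cert!", session.type);
+session.secure = true;
+session.cert_chain_status = "valid";
+session.cert_identity_status = "valid";
+end
+end, 3000);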
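Review bot: The second `s2s-stream-features` hook (priority 3000) unconditionally marks every `s2sin_unauthed` session secure and certificate-valid, which makes the `secure_interfaces` check in `mark_secure` (priority 25000, so it runs first) ineffective for s2s: a connection arriving on an interface not in the set is logged as "Not marking ... as secure" and then marked secure with a valid certificate status anyway. If the intent is to trust only connections that arrived through the proxy, the certificate status belongs inside the `secure_interfaces:contains(localip)` branch, e.g. `session.cert_chain_status = "valid"; session.cert_identity_status = "valid";` after `session.conn.starttls = false;`, and the trailing hook should be removed; it is also a verbatim copy of the hook in contrib/prosody-modules/mod_s2s_outgoing_proxy.lua. Note that `getsockname` returns address and port, so the `contains` lookup only works because the port is discarded as a second return value; a comment saying so would help. The `features` local in the trailing hook is unused.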
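--- a/fuzz/Cargo.toml
+++ b/fuzz/Cargo.toml
@@ -0,0 +1,14 @@
+[package]
+name = "fuzz"
+version = "0.1.0"
+authors = ["moparisthebest <admin@moparisthebest.com>"]
+edition = "2018"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+afl = "0.15.1"
+xmpp-proxy = { path = "..", default-features = false, features = [] }
+tokio = { version = "1.35", features = ["net", "rt", "rt-multi-thread", "macros", "io-util"] }
+sha256 = "1.4.0"
+rxml = "0.9.1"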
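Review bot: `features = []` on the `xmpp-proxy` dependency is a no-op next to `default-features = false` and can be dropped, and the `[dependencies]` keys are not in the alphabetical order Cargo convention expects (afl, rxml, sha256, tokio, xmpp-proxy). A short comment on the `xmpp-proxy` line explaining why default features are disabled for the fuzz target, presumably because the harness only needs `stanzafilter`, would save the next reader a trip to fuzz/src/main.rs, e.g. `# only stanzafilter is fuzzed; keep the TLS/QUIC feature set out of the build`. The generated `# See more keys ...` boilerplate can go.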
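--- a/fuzz/in/1.xml
+++ b/fuzz/in/1.xml
@@ -0,0 +1 @@
+<?xml version='1.0'?>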
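--- a/fuzz/in/2.xml
+++ b/fuzz/in/2.xml
@@ -0,0 +1 @@
+<element/>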
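--- a/fuzz/in/3.xml
+++ b/fuzz/in/3.xml
@@ -0,0 +1 @@
+<element attr="abc" attr='def'/>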
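--- a/fuzz/in/4.xml
+++ b/fuzz/in/4.xml
@@ -0,0 +1 @@
+<element><![CDATA[ fun ]] ]]></element>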
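--- a/fuzz/in/5.xml
+++ b/fuzz/in/5.xml
@@ -0,0 +1 @@
+<foo><bar/><baz><fnord/></baz></foo>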
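--- a/fuzz/in/6.xml
+++ b/fuzz/in/6.xml
@@ -0,0 +1 @@
+<foo>with <bar/>some<baz>content <fnord/>mixed </baz>into them</foo>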
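--- a/fuzz/in/7.xml
+++ b/fuzz/in/7.xml
@@ -0,0 +1,5 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<foo>
+<bar>&</bar>
+<hello xmlns="urn:xmpp"><prefix:world/></hello>
+</foo>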
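--- a/fuzz/src/main.rs
+++ b/fuzz/src/main.rs
@@ -0,0 +1,40 @@
+use std::io::{Cursor, Write};
+use tokio::runtime::Runtime;
+use xmpp_proxy::stanzafilter::{StanzaFilter, StanzaReader};
+
+fn main() {
+std::fs::create_dir_all("/tmp/afl_test_gen/").unwrap();
+afl::fuzz!(|data: &[u8]| {
+let rt = Runtime::new().unwrap();
+
+rt.block_on(async {
+let mut filter = StanzaFilter::new(262_144);
+let mut stanza_reader = StanzaReader(Cursor::new(data));
+while let Ok(Some(stanza)) = stanza_reader.next(&mut filter).await {
+let mut fp = rxml::FeedParser::default();
+let result = rxml::as_eof_flag(fp.parse_all(&mut &stanza[..], true, |_ev| {
+//println!("got event: {:?}", ev);
+}));
+// true indicates eof
+if let Ok(result) = result {
+if result {
+// wow, afl generated us valid XML, lets output it as a test case
+let fname = sha256::digest(stanza);
+if let Ok(mut file) = std::fs::OpenOptions::new()
+.read(true)
+.write(true)
+.create_new(true)
+.open("/tmp/afl_test_gen/".to_owned() + fname.as_str())
+{
+file.write_all(stanza).unwrap();
+file.sync_all().unwrap();
+}
+} else {
+// more data is required, stanzafilter should never let this happen, let's panic
+panic!("more data required?");
+}
+}
+}
+})
+});
+}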
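Review bot: `let rt = Runtime::new().unwrap();` sits inside the `afl::fuzz!` closure, so a fresh multi-threaded runtime (with its worker thread pool) is built and torn down for every fuzz input, which dominates iteration time and adds noise to AFL's stability measure; build it once before `afl::fuzz!` as `let rt = tokio::runtime::Builder::new_current_thread().build().unwrap();` and borrow it from the closure, since nothing here needs more than one thread. The hard-coded `/tmp/afl_test_gen/` is a predictable path in a shared directory; `create_new(true)` correctly refuses to clobber or follow an existing entry, but the directory itself can be pre-created by another local user, so taking the output directory from an environment variable or a CLI argument (default to a per-user location) is the safer choice and also lets parallel fuzz jobs write to separate corpora. The `.read(true)` on the `OpenOptions` chain is unnecessary for a write-only dump and the `sync_all()` per file will throttle throughput when AFL finds many valid inputs; a comment explaining that durability is wanted because the process may be killed mid-run would justify keeping it.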
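--- a/fuzz/xml.dict
+++ b/fuzz/xml.dict
@@ -0,0 +1,72 @@
+#
+# AFL dictionary for XML
+# ----------------------
+#
+# Several basic syntax elements and attributes, modeled on libxml2.
+#
+# Created by Michal Zalewski <lcamtuf@google.com>
+#
+
+attr_encoding=" encoding=\"1\""
+attr_generic=" a=\"1\""
+attr_href=" href=\"1\""
+attr_standalone=" standalone=\"no\""
+attr_version=" version=\"1\""
+attr_xml_base=" xml:base=\"1\""
+attr_xml_id=" xml:id=\"1\""
+attr_xml_lang=" xml:lang=\"1\""
+attr_xml_space=" xml:space=\"1\""
+attr_xmlns=" xmlns=\"1\""
+
+entity_builtin="<"
+entity_decimal=""
+entity_external="&a;"
+entity_hex=""
+
+string_any="ANY"
+string_brackets="[]"
+string_cdata="CDATA"
+string_col_fallback=":fallback"
+string_col_generic=":a"
+string_col_include=":include"
+string_dashes="--"
+string_empty="EMPTY"
+string_empty_dblquotes="\"\""
+string_empty_quotes="''"
+string_entities="ENTITIES"
+string_entity="ENTITY"
+string_fixed="#FIXED"
+string_id="ID"
+string_idref="IDREF"
+string_idrefs="IDREFS"
+string_implied="#IMPLIED"
+string_nmtoken="NMTOKEN"
+string_nmtokens="NMTOKENS"
+string_notation="NOTATION"
+string_parentheses="()"
+string_pcdata="#PCDATA"
+string_percent="%a"
+string_public="PUBLIC"
+string_required="#REQUIRED"
+string_schema=":schema"
+string_system="SYSTEM"
+string_ucs4="UCS-4"
+string_utf16="UTF-16"
+string_utf8="UTF-8"
+string_xmlns="xmlns:"
+
+tag_attlist="<!ATTLIST"
+tag_cdata="<![CDATA["
+tag_close="</a>"
+tag_doctype="<!DOCTYPE"
+tag_element="<!ELEMENT"
+tag_entity="<!ENTITY"
+tag_ignore="<![IGNORE["
+tag_include="<![INCLUDE["
+tag_notation="<!NOTATION"
+tag_open="<a>"
+tag_open_close="<a />"
+tag_open_exclamation="<!"
+tag_open_q="<?"
+tag_sq2_close="]]>"
+tag_xml_q="<?xml?>"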
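--- a/integration/00-no-tls/example.org.zone
+++ b/integration/00-no-tls/example.org.zone
@@ -0,0 +1,15 @@
+$TTL 300
+; example.org
+@ IN SOA ns1.example.org. postmaster.example.org. (
+2018111111 ; Serial
+28800 ; Refresh
+1800 ; Retry
+604800 ; Expire - 1 week
+86400 ) ; Negative Cache TTL
+IN NS ns1
+ns1 IN A 192.5.0.10
+server1 IN A 192.5.0.20
+server2 IN A 192.5.0.30
+
+scansion.one IN CNAME server1
+scansion.two IN CNAME server1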
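--- a/integration/00-no-tls/prosody1.cfg.lua
+++ b/integration/00-no-tls/prosody1.cfg.lua
@@ -0,0 +1,228 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+-- "tls"; -- Add support for secure TLS on c2s/s2s connections
+--"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+
+-- Not essential, but recommended
+"carbons"; -- Keep multiple clients in sync
+"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"blocklist"; -- Allow users to block communications with other users
+"vcard4"; -- User profiles (stored in PEP)
+"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+"limits"; -- Enable bandwidth limiting for XMPP connections
+
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+"register"; -- Allow users to register on this server using a client and change passwords
+--"mam"; -- Store messages in an archive and allow users to access it
+--"csi_simple"; -- Simple Mobile optimizations
+
+-- Admin interfaces
+"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+-- HTTP modules
+--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+--"websocket"; -- XMPP over WebSockets
+--"http_files"; -- Serve static files from a directory over HTTP
+
+-- Other specific functionality
+--"groups"; -- Shared roster support
+--"server_contact_info"; -- Publish contact information for this service
+--"announce"; -- Send announcement to all online users
+--"welcome"; -- Welcome users who register accounts
+--"watchregistrations"; -- Alert admins of registrations
+--"motd"; -- Send a message to users when they log in
+--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+-- "offline"; -- Store offline messages
+-- "c2s"; -- Handle client connections
+-- "s2s"; -- Handle server-to-server connections
+-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+
+-- Force servers to use encrypted connections? This option will
+-- prevent servers from authenticating unless they are using encryption.
+
+s2s_require_encryption = false
+
+-- Force certificate authentication for server-to-server connections?
+
+s2s_secure_auth = false
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+c2s = {
+rate = "10kb/s";
+};
+s2sin = {
+rate = "30kb/s";
+};
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+-- error = "prosody.err";
+--info = "*syslog"; -- Uncomment this for logging to syslog
+debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certsno"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"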
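Review bot: `run_as_root = true`, `allow_unencrypted_plain_auth = true`, `s2s_secure_auth = false` and `certificates = "certsno"` are presumably deliberate for a no-TLS integration fixture, but nothing in the file says so and the surrounding text is the stock "Prosody Example Configuration File" header, so the file reads like a misconfigured production template; a one-line header such as `-- Integration fixture (00-no-tls): TLS, certificate auth and encryption requirements are intentionally off so the proxy path can be exercised in the clear. Do not reuse as a deployment template.` would make the intent explicit. The commented `-- "tls";` entry in `modules_enabled` and the `certsno` directory name are the only hints today, and `certsno` in particular deserves a trailing comment stating that it is meant to be non-existent so no certificate is loaded. The two-line comment about daemonize at the top also contradicts `daemonize = false`, which is likely a leftover from the source it was copied from.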
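--- a/integration/01-starttls/example.org.zone
+++ b/integration/01-starttls/example.org.zone
@@ -0,0 +1,15 @@
+$TTL 300
+; example.org
+@ IN SOA ns1.example.org. postmaster.example.org. (
+2018111111 ; Serial
+28800 ; Refresh
+1800 ; Retry
+604800 ; Expire - 1 week
+86400 ) ; Negative Cache TTL
+IN NS ns1
+ns1 IN A 192.5.0.10
+server1 IN A 192.5.0.20
+server2 IN A 192.5.0.30
+
+scansion.one IN CNAME server1
+scansion.two IN CNAME server1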
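--- a/integration/01-starttls/prosody1.cfg.lua
+++ b/integration/01-starttls/prosody1.cfg.lua
@@ -0,0 +1,225 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+"tls"; -- Add support for secure TLS on c2s/s2s connections
+--"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+
+-- Not essential, but recommended
+"carbons"; -- Keep multiple clients in sync
+"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"blocklist"; -- Allow users to block communications with other users
+"vcard4"; -- User profiles (stored in PEP)
+"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+"limits"; -- Enable bandwidth limiting for XMPP connections
+
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+"register"; -- Allow users to register on this server using a client and change passwords
+--"mam"; -- Store messages in an archive and allow users to access it
+--"csi_simple"; -- Simple Mobile optimizations
+
+-- Admin interfaces
+"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+-- HTTP modules
+--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+--"websocket"; -- XMPP over WebSockets
+--"http_files"; -- Serve static files from a directory over HTTP
+
+-- Other specific functionality
+--"groups"; -- Shared roster support
+--"server_contact_info"; -- Publish contact information for this service
+--"announce"; -- Send announcement to all online users
+--"welcome"; -- Welcome users who register accounts
+--"watchregistrations"; -- Alert admins of registrations
+--"motd"; -- Send a message to users when they log in
+--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+-- "offline"; -- Store offline messages
+-- "c2s"; -- Handle client connections
+-- "s2s"; -- Handle server-to-server connections
+-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = true
+
+-- Force servers to use encrypted connections? This option will
+-- prevent servers from authenticating unless they are using encryption.
+
+s2s_require_encryption = true
+
+-- Force certificate authentication for server-to-server connections?
+
+s2s_secure_auth = false
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+c2s = {
+rate = "10kb/s";
+};
+s2sin = {
+rate = "30kb/s";
+};
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+-- error = "prosody.err";
+--info = "*syslog"; -- Uncomment this for logging to syslog
+debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"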
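Review bot: The header comment on the second line of this file warns that setting `daemonize` to false will freeze the systemd startup, yet the very next line sets `daemonize = false`, and `run_as_root = true` and `s2s_secure_auth = false` follow with no explanation, so a reader cannot tell which of these are deliberate fixture choices and which were inherited from a template. Replace the inherited header with a fixture-specific one along the lines of `-- Integration-test fixture: Prosody runs in the foreground and as root inside the test container; s2s_secure_auth is relaxed on purpose for this test`, filling in the actual reason for the s2s relaxation. The same text appears verbatim in `integration/02-client-a-record-starttls/prosody1.cfg.lua` and, judging from its first lines, in `integration/03-client-srv-record-starttls/prosody1.cfg.lua`; fixing it in one place and sharing the file would keep the three from drifting apart.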
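--- a/integration/02-client-a-record-starttls/example.org.zone
+++ b/integration/02-client-a-record-starttls/example.org.zone
@@ -0,0 +1,20 @@
+$TTL 300
+; example.org
+@ IN SOA ns1.example.org. postmaster.example.org. (
+2018111111 ; Serial
+28800 ; Refresh
+1800 ; Retry
+604800 ; Expire - 1 week
+86400 ) ; Negative Cache TTL
+IN NS ns1
+ns1 IN A 192.5.0.10
+server1 IN A 192.5.0.20
+server2 IN A 192.5.0.30
+xp1 IN A 192.5.0.40
+xp2 IN A 192.5.0.50
+
+one IN CNAME server1
+two IN CNAME server1
+
+scansion.one IN CNAME xp1
+scansion.two IN CNAME xp1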
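--- a/integration/02-client-a-record-starttls/prosody1.cfg.lua
+++ b/integration/02-client-a-record-starttls/prosody1.cfg.lua
@@ -0,0 +1,225 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+"tls"; -- Add support for secure TLS on c2s/s2s connections
+--"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+
+-- Not essential, but recommended
+"carbons"; -- Keep multiple clients in sync
+"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"blocklist"; -- Allow users to block communications with other users
+"vcard4"; -- User profiles (stored in PEP)
+"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+"limits"; -- Enable bandwidth limiting for XMPP connections
+
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+"register"; -- Allow users to register on this server using a client and change passwords
+--"mam"; -- Store messages in an archive and allow users to access it
+--"csi_simple"; -- Simple Mobile optimizations
+
+-- Admin interfaces
+"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+-- HTTP modules
+--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+--"websocket"; -- XMPP over WebSockets
+--"http_files"; -- Serve static files from a directory over HTTP
+
+-- Other specific functionality
+--"groups"; -- Shared roster support
+--"server_contact_info"; -- Publish contact information for this service
+--"announce"; -- Send announcement to all online users
+--"welcome"; -- Welcome users who register accounts
+--"watchregistrations"; -- Alert admins of registrations
+--"motd"; -- Send a message to users when they log in
+--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+-- "offline"; -- Store offline messages
+-- "c2s"; -- Handle client connections
+-- "s2s"; -- Handle server-to-server connections
+-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = true
+
+-- Force servers to use encrypted connections? This option will
+-- prevent servers from authenticating unless they are using encryption.
+
+s2s_require_encryption = true
+
+-- Force certificate authentication for server-to-server connections?
+
+s2s_secure_auth = false
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+c2s = {
+rate = "10kb/s";
+};
+s2sin = {
+rate = "30kb/s";
+};
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+-- error = "prosody.err";
+--info = "*syslog"; -- Uncomment this for logging to syslog
+debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"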
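--- a/integration/02-client-a-record-starttls/xmpp-proxy1.toml
+++ b/integration/02-client-a-record-starttls/xmpp-proxy1.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"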
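Review bot: The comment above `outgoing_listen` says this listener should be localhost, but the value binds `0.0.0.0:5222`, and the same mismatch appears above `tls_key`/`tls_cert`, where the comment tells the reader to keep files under /etc/xmpp-proxy/ while the values point at /etc/certs/rsa/. These comments appear to be copied from the shipped xmpp-proxy.toml, so a fixture-specific note such as `# integration fixture: bound on all interfaces so the scansion container can reach the proxy` would make clear which deviations from the template are deliberate. Separately, `proxy = true` sends a PROXYv1 header to `c2s_target`, yet the prosody1.cfg.lua files in this change do not list net_proxy in modules_enabled, so presumably 127.0.0.1:15222 is not one of those Prosody instances; naming the backend in the `c2s_target` comment would save the next reader that check.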
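--- a/integration/03-client-srv-record-starttls/example.org.zone
+++ b/integration/03-client-srv-record-starttls/example.org.zone
@@ -0,0 +1,20 @@
+$TTL 300
+; example.org
+@ IN SOA ns1.example.org. postmaster.example.org. (
+2018111111 ; Serial
+28800 ; Refresh
+1800 ; Retry
+604800 ; Expire - 1 week
+86400 ) ; Negative Cache TTL
+IN NS ns1
+ns1 IN A 192.5.0.10
+server1 IN A 192.5.0.20
+server2 IN A 192.5.0.30
+xp1 IN A 192.5.0.40
+xp2 IN A 192.5.0.50
+
+_xmpp-client._tcp.one IN SRV 5 1 5555 server1
+_xmpp-client._tcp.two IN SRV 5 1 5555 server1
+
+scansion.one IN CNAME xp1
+scansion.two IN CNAME xp1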
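--- a/integration/03-client-srv-record-starttls/prosody1.cfg.lua
+++ b/integration/03-client-srv-record-starttls/prosody1.cfg.lua
@@ -0,0 +1,227 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+"tls"; -- Add support for secure TLS on c2s/s2s connections
+--"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+
+-- Not essential, but recommended
+"carbons"; -- Keep multiple clients in sync
+"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"blocklist"; -- Allow users to block communications with other users
+"vcard4"; -- User profiles (stored in PEP)
+"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+"limits"; -- Enable bandwidth limiting for XMPP connections
+
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+"register"; -- Allow users to register on this server using a client and change passwords
+--"mam"; -- Store messages in an archive and allow users to access it
+--"csi_simple"; -- Simple Mobile optimizations
+
+-- Admin interfaces
+"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+-- HTTP modules
+--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+--"websocket"; -- XMPP over WebSockets
+--"http_files"; -- Serve static files from a directory over HTTP
+
+-- Other specific functionality
+--"groups"; -- Shared roster support
+--"server_contact_info"; -- Publish contact information for this service
+--"announce"; -- Send announcement to all online users
+--"welcome"; -- Welcome users who register accounts
+--"watchregistrations"; -- Alert admins of registrations
+--"motd"; -- Send a message to users when they log in
+--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+-- "offline"; -- Store offline messages
+-- "c2s"; -- Handle client connections
+-- "s2s"; -- Handle server-to-server connections
+-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+c2s_ports = { 5555 };
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = true
+
+-- Force servers to use encrypted connections? This option will
+-- prevent servers from authenticating unless they are using encryption.
+
+s2s_require_encryption = true
+
+-- Force certificate authentication for server-to-server connections?
+
+s2s_secure_auth = false
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+c2s = {
+rate = "10kb/s";
+};
+s2sin = {
+rate = "30kb/s";
+};
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+-- error = "prosody.err";
+--info = "*syslog"; -- Uncomment this for logging to syslog
+debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"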
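Review bot: The comment `-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.` sits directly above `daemonize = false`, so the file warns against the exact value it sets; the sentence is left over from the distribution template and no longer describes this fixture. The real reason — presumably keeping Prosody in the foreground so the integration container can supervise it and collect the `*console` log configured further down — should replace it, e.g. `-- daemonize = false: run in the foreground; output goes to the *console log below`. While there, `run_as_root = true` and `s2s_secure_auth = false` deserve a one-line `-- integration-test fixture only` marker so the file is not lifted into a deployment unchanged. The same text appears in integration/04-client-a-record-tls/prosody1.cfg.lua and, as far as is visible, in integration/05-client-srv-record-tls/prosody1.cfg.lua.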
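--- a/integration/03-client-srv-record-starttls/xmpp-proxy1.toml
+++ b/integration/03-client-srv-record-starttls/xmpp-proxy1.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"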
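Review bot: `outgoing_listen = [ "0.0.0.0:5222" ]` binds every interface while the comment directly above it says `should be localhost`; in this fixture the client connects from another container (`scansion.one` is a CNAME to `xp1` in the zone file), so the wide bind is presumably intended, but the comment should say so instead of contradicting the value, e.g. `# integration fixture: bound to all interfaces so the scansion container can reach it; use 127.0.0.1 in real deployments`. Secondly, `log_level = "info,xmpp_proxy=trace"` is described a few lines up as XML-console-level, so the full stream content — presumably including the authentication exchange — lands in the proxy log; fine for a test run, but worth a one-line comment so the setting is not carried into a production config. The same applies to integration/04-client-a-record-tls/xmpp-proxy1.toml, which repeats both lines unchanged.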
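--- a/integration/04-client-a-record-tls/example.org.zone
+++ b/integration/04-client-a-record-tls/example.org.zone
@@ -0,0 +1,20 @@
+$TTL 300
+; example.org
+@ IN SOA ns1.example.org. postmaster.example.org. (
+2018111111 ; Serial
+28800 ; Refresh
+1800 ; Retry
+604800 ; Expire - 1 week
+86400 ) ; Negative Cache TTL
+IN NS ns1
+ns1 IN A 192.5.0.10
+server1 IN A 192.5.0.20
+server2 IN A 192.5.0.30
+xp1 IN A 192.5.0.40
+xp2 IN A 192.5.0.50
+
+one IN CNAME server1
+two IN CNAME server1
+
+scansion.one IN CNAME xp1
+scansion.two IN CNAME xp1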
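--- a/integration/04-client-a-record-tls/prosody1.cfg.lua
+++ b/integration/04-client-a-record-tls/prosody1.cfg.lua
@@ -0,0 +1,225 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+"tls"; -- Add support for secure TLS on c2s/s2s connections
+--"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+
+-- Not essential, but recommended
+"carbons"; -- Keep multiple clients in sync
+"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"blocklist"; -- Allow users to block communications with other users
+"vcard4"; -- User profiles (stored in PEP)
+"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+"limits"; -- Enable bandwidth limiting for XMPP connections
+
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+"register"; -- Allow users to register on this server using a client and change passwords
+--"mam"; -- Store messages in an archive and allow users to access it
+--"csi_simple"; -- Simple Mobile optimizations
+
+-- Admin interfaces
+"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+-- HTTP modules
+--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+--"websocket"; -- XMPP over WebSockets
+--"http_files"; -- Serve static files from a directory over HTTP
+
+-- Other specific functionality
+--"groups"; -- Shared roster support
+--"server_contact_info"; -- Publish contact information for this service
+--"announce"; -- Send announcement to all online users
+--"welcome"; -- Welcome users who register accounts
+--"watchregistrations"; -- Alert admins of registrations
+--"motd"; -- Send a message to users when they log in
+--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+-- "offline"; -- Store offline messages
+-- "c2s"; -- Handle client connections
+-- "s2s"; -- Handle server-to-server connections
+-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+legacy_ssl_ports = { 443 };
+c2s_ports = { };
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = true
+
+-- Force servers to use encrypted connections? This option will
+-- prevent servers from authenticating unless they are using encryption.
+
+s2s_require_encryption = true
+
+-- Force certificate authentication for server-to-server connections?
+
+s2s_secure_auth = false
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+c2s = {
+rate = "10kb/s";
+};
+s2sin = {
+rate = "30kb/s";
+};
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+-- error = "prosody.err";
+--info = "*syslog"; -- Uncomment this for logging to syslog
+debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"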
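Review bot: `legacy_ssl_ports = { 443 };` together with `c2s_ports = { };` moves client access to Direct TLS on a privileged port, and binding 443 is presumably what makes `run_as_root = true` near the top of the file necessary; the two settings are about a hundred lines apart with nothing linking them. A comment on the port line, `-- Direct TLS on 443 (privileged port, hence run_as_root above); STARTTLS c2s disabled for this test`, would record that dependency for whoever later tries to drop the root requirement. As far as I recall, Prosody 0.12 and later spell this option `c2s_direct_tls_ports` and keep `legacy_ssl_ports` only as a compatibility alias, so the newer name may be preferable if the test image runs a recent Prosody.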
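--- a/integration/04-client-a-record-tls/xmpp-proxy1.toml
+++ b/integration/04-client-a-record-tls/xmpp-proxy1.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"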
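--- a/integration/05-client-srv-record-tls/example.org.zone
+++ b/integration/05-client-srv-record-tls/example.org.zone
@@ -0,0 +1,20 @@
+$TTL 300
+; example.org
+@ IN SOA ns1.example.org. postmaster.example.org. (
+2018111111 ; Serial
+28800 ; Refresh
+1800 ; Retry
+604800 ; Expire - 1 week
+86400 ) ; Negative Cache TTL
+IN NS ns1
+ns1 IN A 192.5.0.10
+server1 IN A 192.5.0.20
+server2 IN A 192.5.0.30
+xp1 IN A 192.5.0.40
+xp2 IN A 192.5.0.50
+
+_xmpps-client._tcp.one IN SRV 5 1 5443 server1
+_xmpps-client._tcp.two IN SRV 5 1 5443 server1
+
+scansion.one IN CNAME xp1
+scansion.two IN CNAME xp1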
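--- a/integration/05-client-srv-record-tls/prosody1.cfg.lua
+++ b/integration/05-client-srv-record-tls/prosody1.cfg.lua
@@ -0,0 +1,228 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+"tls"; -- Add support for secure TLS on c2s/s2s connections
+--"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+
+-- Not essential, but recommended
+"carbons"; -- Keep multiple clients in sync
+"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"blocklist"; -- Allow users to block communications with other users
+"vcard4"; -- User profiles (stored in PEP)
+"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+"limits"; -- Enable bandwidth limiting for XMPP connections
+
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+"register"; -- Allow users to register on this server using a client and change passwords
+--"mam"; -- Store messages in an archive and allow users to access it
+--"csi_simple"; -- Simple Mobile optimizations
+
+-- Admin interfaces
+"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+-- HTTP modules
+--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+--"websocket"; -- XMPP over WebSockets
+--"http_files"; -- Serve static files from a directory over HTTP
+
+-- Other specific functionality
+--"groups"; -- Shared roster support
+--"server_contact_info"; -- Publish contact information for this service
+--"announce"; -- Send announcement to all online users
+--"welcome"; -- Welcome users who register accounts
+--"watchregistrations"; -- Alert admins of registrations
+--"motd"; -- Send a message to users when they log in
+--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+-- "offline"; -- Store offline messages
+-- "c2s"; -- Handle client connections
+-- "s2s"; -- Handle server-to-server connections
+-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+legacy_ssl_ports = { 5443 };
+c2s_ports = { };
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = true
+
+-- Force servers to use encrypted connections? This option will
+-- prevent servers from authenticating unless they are using encryption.
+
+s2s_require_encryption = true
+
+-- Force certificate authentication for server-to-server connections?
+
+s2s_secure_auth = false
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+c2s = {
+rate = "10kb/s";
+};
+s2sin = {
+rate = "30kb/s";
+};
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+-- error = "prosody.err";
+--info = "*syslog"; -- Uncomment this for logging to syslog
+debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+https_certificate = "/etc/prosody/certs/wildcard.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"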
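Review bot: The header comment `-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.` is contradicted two lines later by `daemonize = false`, and the adjacent `run_as_root = true` has no explanation at all; the same template lines recur at the top of the 06 and 07 prosody1.cfg.lua sections. Presumably both are deliberate because the process runs in the foreground inside the test container rather than under systemd, so I would replace the stale comment with `-- test harness only: foreground process as root inside the container, not a production setting` to stop the fixture being copied as-is into a deployment. `s2s_secure_auth = false` next to `s2s_require_encryption = true` would also benefit from a one-line comment saying why certificate authentication is relaxed here; I can't tell from the hunk whether the harness uses a private CA or self-signed certificates.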
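--- a/integration/05-client-srv-record-tls/xmpp-proxy1.toml
+++ b/integration/05-client-srv-record-tls/xmpp-proxy1.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"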
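Review bot: `outgoing_listen = [ "0.0.0.0:5222" ]` binds every interface while the comment directly above still says the outgoing listener should be localhost, and the `tls_key`/`tls_cert` comment about `/etc/xmpp-proxy/` likewise disagrees with the `/etc/certs/rsa/` paths actually used; the 06 xmpp-proxy1.toml section carries the same lines. Presumably the wide bind is needed so the other containers on the test network can reach the proxy, so I would say so where the value is set: `# 0.0.0.0 only because the integration containers connect across the docker network; keep this on localhost outside the harness`. `log_level = "info,xmpp_proxy=trace"` is described by its own comment as XML-console-level, so everything relayed through the proxy, including the authentication exchange, ends up in the test logs; a trailing `# test only: trace logs stanza contents` would make that explicit.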
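--- a/integration/06-client-websocket/example.org.zone
+++ b/integration/06-client-websocket/example.org.zone
@@ -0,0 +1,22 @@
+$TTL 300
+; example.org
+@ IN SOA ns1.example.org. postmaster.example.org. (
+2018111111 ; Serial
+28800 ; Refresh
+1800 ; Retry
+604800 ; Expire - 1 week
+86400 ) ; Negative Cache TTL
+IN NS ns1
+ns1 IN A 192.5.0.10
+server1 IN A 192.5.0.20
+server2 IN A 192.5.0.30
+xp1 IN A 192.5.0.40
+xp2 IN A 192.5.0.50
+
+one IN CNAME server1
+two IN CNAME server1
+_xmppconnect.one IN TXT "_xmpp-client-websocket=wss://one.example.org:5281/xmpp-websocket"
+_xmppconnect.two IN TXT "_xmpp-client-websocket=wss://two.example.org:5281/xmpp-websocket"
+
+scansion.one IN CNAME xp1
+scansion.two IN CNAME xp1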
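Review bot: The two `_xmppconnect` TXT records use the DNS discovery method of XEP-0156, which as far as I recall the XEP has since retired in favour of the HTTPS host-meta lookup, because an unauthenticated DNS answer can steer a client to a host other than the XMPP domain it intends to verify. That is fine for a fixture exercising exactly that client path, but a zone comment such as `; XEP-0156 DNS TXT method (deprecated upstream); kept to exercise legacy websocket discovery` would make the intent explicit and discourage copying the records into a real zone.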
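--- a/integration/06-client-websocket/prosody1.cfg.lua
+++ b/integration/06-client-websocket/prosody1.cfg.lua
@@ -0,0 +1,228 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+"tls"; -- Add support for secure TLS on c2s/s2s connections
+--"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+
+-- Not essential, but recommended
+"carbons"; -- Keep multiple clients in sync
+"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"blocklist"; -- Allow users to block communications with other users
+"vcard4"; -- User profiles (stored in PEP)
+"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+"limits"; -- Enable bandwidth limiting for XMPP connections
+
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+"register"; -- Allow users to register on this server using a client and change passwords
+--"mam"; -- Store messages in an archive and allow users to access it
+--"csi_simple"; -- Simple Mobile optimizations
+
+-- Admin interfaces
+"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+-- HTTP modules
+--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+"websocket"; -- XMPP over WebSockets
+--"http_files"; -- Serve static files from a directory over HTTP
+
+-- Other specific functionality
+--"groups"; -- Shared roster support
+--"server_contact_info"; -- Publish contact information for this service
+--"announce"; -- Send announcement to all online users
+--"welcome"; -- Welcome users who register accounts
+--"watchregistrations"; -- Alert admins of registrations
+--"motd"; -- Send a message to users when they log in
+--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+-- "offline"; -- Store offline messages
+-- "c2s"; -- Handle client connections
+-- "s2s"; -- Handle server-to-server connections
+-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+legacy_ssl_ports = { };
+c2s_ports = { };
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = true
+
+-- Force servers to use encrypted connections? This option will
+-- prevent servers from authenticating unless they are using encryption.
+
+s2s_require_encryption = true
+
+-- Force certificate authentication for server-to-server connections?
+
+s2s_secure_auth = false
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+c2s = {
+rate = "10kb/s";
+};
+s2sin = {
+rate = "30kb/s";
+};
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+-- error = "prosody.err";
+--info = "*syslog"; -- Uncomment this for logging to syslog
+debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/wildcard.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"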
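Review bot: `"websocket"` is enabled in this file but `https_certificate` is commented out, so the certificate the wss endpoint on 5281 (the port the 06 zone file's `_xmppconnect` records point at) will present is left implicit. If the intent is that Prosody selects it per host from `certificates = "certs"`, a comment on the `--https_certificate` line saying so would save the next reader a guess; if not, the fixture may only pass by accident of the image layout. Either way, with `c2s_ports = { }` and `legacy_ssl_ports = { }` the websocket listener is the only client entry point here, which is worth stating above `modules_enabled` so the difference from the 05 config is deliberate rather than discovered by diffing.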
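--- a/integration/06-client-websocket/xmpp-proxy1.toml
+++ b/integration/06-client-websocket/xmpp-proxy1.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"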
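--- a/integration/07-c2s-starttls/example.org.zone
+++ b/integration/07-c2s-starttls/example.org.zone
@@ -0,0 +1,21 @@
+$TTL 300
+; example.org
+@ IN SOA ns1.example.org. postmaster.example.org. (
+2018111111 ; Serial
+28800 ; Refresh
+1800 ; Retry
+604800 ; Expire - 1 week
+86400 ) ; Negative Cache TTL
+IN NS ns1
+ns1 IN A 192.5.0.10
+server1 IN A 192.5.0.20
+server2 IN A 192.5.0.30
+xp1 IN A 192.5.0.40
+xp2 IN A 192.5.0.50
+xp3 IN A 192.5.0.60
+
+one IN CNAME xp1
+two IN CNAME xp1
+
+scansion.one IN CNAME xp3
+scansion.two IN CNAME xp3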
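--- /dev/null
+++ b/integration/07-c2s-starttls/prosody1.cfg.lua
@@ -0,0 +1,253 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+--"tls"; -- Add support for secure TLS on c2s/s2s connections
+--"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+
+-- Not essential, but recommended
+"carbons"; -- Keep multiple clients in sync
+"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"blocklist"; -- Allow users to block communications with other users
+"vcard4"; -- User profiles (stored in PEP)
+"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+"limits"; -- Enable bandwidth limiting for XMPP connections
+
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+"register"; -- Allow users to register on this server using a client and change passwords
+--"mam"; -- Store messages in an archive and allow users to access it
+--"csi_simple"; -- Simple Mobile optimizations
+
+-- Admin interfaces
+"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+-- HTTP modules
+--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+--"websocket"; -- XMPP over WebSockets
+--"http_files"; -- Serve static files from a directory over HTTP
+
+-- Other specific functionality
+--"groups"; -- Shared roster support
+--"server_contact_info"; -- Publish contact information for this service
+--"announce"; -- Send announcement to all online users
+--"welcome"; -- Welcome users who register accounts
+--"watchregistrations"; -- Alert admins of registrations
+--"motd"; -- Send a message to users when they log in
+--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+"net_proxy";
+"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+-- "offline"; -- Store offline messages
+-- "c2s"; -- Handle client connections
+-- "s2s"; -- Handle server-to-server connections
+-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "xp1.example.org", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+[15222] = "c2s",
+[15269] = "s2s"
+}
+
+--[[
+Specifies a list of trusted hosts or networks which may use the PROXY protocol
+If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+An empty table ({}) can be configured to allow connections from any source.
+Please read the module documentation about potential security impact.
+]]--
+proxy_trusted_proxies = {
+"192.5.0.40"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+c2s = {
+rate = "10kb/s";
+};
+s2sin = {
+rate = "30kb/s";
+};
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+-- error = "prosody.err";
+--info = "*syslog"; -- Uncomment this for logging to syslog
+debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"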
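Review bot: The second header line, `-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.`, contradicts the very next setting, `daemonize = false`, and the `log` table further down relies on that foreground mode (`debug = "*console"`). The header reads as copied from a systemd deployment; in this fixture the process is presumably kept in the foreground on purpose for the container. Suggest replacing the two header lines with `-- integration fixture: run in the foreground (no systemd here) so the console log below is captured by the test runner`. `run_as_root = true` deserves the same one-line justification, since it would be a finding if this file were copied into a production config. integration/08-c2s-tls/prosody1.cfg.lua carries the same header text.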
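--- /dev/null
+++ b/integration/07-c2s-starttls/xmpp-proxy1.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5222" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.20:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.20:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/wildcard.key"
+tls_cert = "/etc/prosody/certs/wildcard.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"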
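Review bot: The comment `# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there` above `tls_key` is stale here, because the key and certificate are loaded from /etc/prosody/certs/wildcard.key and .crt; that is presumably fine inside the test container, but anyone copying this fixture as a starting point inherits advice the file itself does not follow. Suggest replacing it with `# integration fixture: not run under the systemd unit, so the wildcard key is read from prosody's certs directory`. Separately, `log_level = "info,xmpp_proxy=trace"` is active under the `# for development/debugging:` label, and the comment above describes trace as XML-console-level, so the proxy's log for every test run will carry the full stanza stream; a one-line comment stating that this is intentional for CI diagnostics would make the choice explicit.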
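--- /dev/null
+++ b/integration/07-c2s-starttls/xmpp-proxy3.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"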
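Review bot: `outgoing_listen = [ "0.0.0.0:5222" ]` binds the plaintext outgoing proxy on every interface, while the comment directly above it says this listener `should be localhost`. In this fixture the zone file points scansion.one and scansion.two at xp3, so the test client presumably reaches the outgoing proxy over the test network and the wider bind is needed; the file should say so instead of silently contradicting its own comment. Suggest a trailing comment, e.g. `outgoing_listen = [ "0.0.0.0:5222" ]  # test fixture: scansion runs in another container, so this cannot be 127.0.0.1`. The `c2s_target`/`s2s_target` values of 127.0.0.1 look like template leftovers on an instance with no incoming listeners; if they are unused in outgoing-only mode, a comment saying so would avoid confusion.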
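--- /dev/null
+++ b/integration/08-c2s-tls/example.org.zone
@@ -0,0 +1,21 @@
+$TTL 300
+; example.org
+@ IN SOA ns1.example.org. postmaster.example.org. (
+2018111111 ; Serial
+28800 ; Refresh
+1800 ; Retry
+604800 ; Expire - 1 week
+86400 ) ; Negative Cache TTL
+IN NS ns1
+ns1 IN A 192.5.0.10
+server1 IN A 192.5.0.20
+server2 IN A 192.5.0.30
+xp1 IN A 192.5.0.40
+xp2 IN A 192.5.0.50
+xp3 IN A 192.5.0.60
+
+one IN CNAME xp1
+two IN CNAME xp1
+
+scansion.one IN CNAME xp3
+scansion.two IN CNAME xp3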
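--- /dev/null
+++ b/integration/08-c2s-tls/prosody1.cfg.lua
@@ -0,0 +1,253 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+--"tls"; -- Add support for secure TLS on c2s/s2s connections
+--"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+
+-- Not essential, but recommended
+"carbons"; -- Keep multiple clients in sync
+"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"blocklist"; -- Allow users to block communications with other users
+"vcard4"; -- User profiles (stored in PEP)
+"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+"limits"; -- Enable bandwidth limiting for XMPP connections
+
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+"register"; -- Allow users to register on this server using a client and change passwords
+--"mam"; -- Store messages in an archive and allow users to access it
+--"csi_simple"; -- Simple Mobile optimizations
+
+-- Admin interfaces
+"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+-- HTTP modules
+--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+--"websocket"; -- XMPP over WebSockets
+--"http_files"; -- Serve static files from a directory over HTTP
+
+-- Other specific functionality
+--"groups"; -- Shared roster support
+--"server_contact_info"; -- Publish contact information for this service
+--"announce"; -- Send announcement to all online users
+--"welcome"; -- Welcome users who register accounts
+--"watchregistrations"; -- Alert admins of registrations
+--"motd"; -- Send a message to users when they log in
+--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+"net_proxy";
+"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+-- "offline"; -- Store offline messages
+-- "c2s"; -- Handle client connections
+-- "s2s"; -- Handle server-to-server connections
+-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "xp1.example.org", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+[15222] = "c2s",
+[15269] = "s2s"
+}
+
+--[[
+Specifies a list of trusted hosts or networks which may use the PROXY protocol
+If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+An empty table ({}) can be configured to allow connections from any source.
+Please read the module documentation about potential security impact.
+]]--
+proxy_trusted_proxies = {
+"192.5.0.40"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+c2s = {
+rate = "10kb/s";
+};
+s2sin = {
+rate = "30kb/s";
+};
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+-- error = "prosody.err";
+--info = "*syslog"; -- Uncomment this for logging to syslog
+debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"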
44
integration/08-c2s-tls/xmpp-proxy1.toml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
|
||||||
|
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
||||||
|
incoming_listen = [ "0.0.0.0:443" ]
|
||||||
|
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
||||||
|
quic_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
||||||
|
websocket_listen = [ ]
|
||||||
|
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
||||||
|
outgoing_listen = [ ]
|
||||||
|
|
||||||
|
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
||||||
|
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
||||||
|
|
||||||
|
# c2s port backend XMPP server listens on
|
||||||
|
c2s_target = "192.5.0.20:15222"
|
||||||
|
|
||||||
|
# s2s port backend XMPP server listens on
|
||||||
|
s2s_target = "192.5.0.20:15269"
|
||||||
|
|
||||||
|
# send PROXYv1 header to backend XMPP server
|
||||||
|
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
||||||
|
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
||||||
|
proxy = true
|
||||||
|
|
||||||
|
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
||||||
|
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
||||||
|
# xmpp-proxy will use this many bytes + 16k per connection
|
||||||
|
max_stanza_size_bytes = 262_144
|
||||||
|
|
||||||
|
# TLS key/certificate valid for all your XMPP domains, PEM format
|
||||||
|
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
||||||
|
tls_key = "/etc/prosody/certs/wildcard.key"
|
||||||
|
tls_cert = "/etc/prosody/certs/wildcard.crt"
|
||||||
|
|
||||||
|
# configure logging, defaults are commented
|
||||||
|
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
||||||
|
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
||||||
|
#log_level = "info"
|
||||||
|
# for development/debugging:
|
||||||
|
log_level = "info,xmpp_proxy=trace"
|
||||||
|
|
||||||
|
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
||||||
|
#log_style = "never"
|
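--- a/integration/08-c2s-tls/xmpp-proxy3.toml
+++ b/integration/08-c2s-tls/xmpp-proxy3.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"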
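--- a/integration/09-c2s-a-record-quic/example.org.zone
+++ b/integration/09-c2s-a-record-quic/example.org.zone
@@ -0,0 +1,21 @@
+$TTL 300
+; example.org
+@ IN SOA ns1.example.org. postmaster.example.org. (
+2018111111 ; Serial
+28800 ; Refresh
+1800 ; Retry
+604800 ; Expire - 1 week
+86400 ) ; Negative Cache TTL
+IN NS ns1
+ns1 IN A 192.5.0.10
+server1 IN A 192.5.0.20
+server2 IN A 192.5.0.30
+xp1 IN A 192.5.0.40
+xp2 IN A 192.5.0.50
+xp3 IN A 192.5.0.60
+
+one IN CNAME xp1
+two IN CNAME xp1
+
+scansion.one IN CNAME xp3
+scansion.two IN CNAME xp3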
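--- a/integration/09-c2s-a-record-quic/prosody1.cfg.lua
+++ b/integration/09-c2s-a-record-quic/prosody1.cfg.lua
@@ -0,0 +1,253 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+--"tls"; -- Add support for secure TLS on c2s/s2s connections
+--"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+
+-- Not essential, but recommended
+"carbons"; -- Keep multiple clients in sync
+"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"blocklist"; -- Allow users to block communications with other users
+"vcard4"; -- User profiles (stored in PEP)
+"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+"limits"; -- Enable bandwidth limiting for XMPP connections
+
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+"register"; -- Allow users to register on this server using a client and change passwords
+--"mam"; -- Store messages in an archive and allow users to access it
+--"csi_simple"; -- Simple Mobile optimizations
+
+-- Admin interfaces
+"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+-- HTTP modules
+--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+--"websocket"; -- XMPP over WebSockets
+--"http_files"; -- Serve static files from a directory over HTTP
+
+-- Other specific functionality
+--"groups"; -- Shared roster support
+--"server_contact_info"; -- Publish contact information for this service
+--"announce"; -- Send announcement to all online users
+--"welcome"; -- Welcome users who register accounts
+--"watchregistrations"; -- Alert admins of registrations
+--"motd"; -- Send a message to users when they log in
+--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+"net_proxy";
+"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+-- "offline"; -- Store offline messages
+-- "c2s"; -- Handle client connections
+-- "s2s"; -- Handle server-to-server connections
+-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "xp1.example.org", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+[15222] = "c2s",
+[15269] = "s2s"
+}
+
+--[[
+Specifies a list of trusted hosts or networks which may use the PROXY protocol
+If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+An empty table ({}) can be configured to allow connections from any source.
+Please read the module documentation about potential security impact.
+]]--
+proxy_trusted_proxies = {
+"192.5.0.40"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+c2s = {
+rate = "10kb/s";
+};
+s2sin = {
+rate = "30kb/s";
+};
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+-- error = "prosody.err";
+--info = "*syslog"; -- Uncomment this for logging to syslog
+debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"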
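--- a/integration/09-c2s-a-record-quic/xmpp-proxy1.toml
+++ b/integration/09-c2s-a-record-quic/xmpp-proxy1.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ "0.0.0.0:443" ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.20:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.20:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/wildcard.key"
+tls_cert = "/etc/prosody/certs/wildcard.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"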
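--- a/integration/09-c2s-a-record-quic/xmpp-proxy3.toml
+++ b/integration/09-c2s-a-record-quic/xmpp-proxy3.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"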
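--- a/integration/10-client-srv-record-quic/example.org.zone
+++ b/integration/10-client-srv-record-quic/example.org.zone
@@ -0,0 +1,21 @@
+$TTL 300
+; example.org
+@ IN SOA ns1.example.org. postmaster.example.org. (
+2018111111 ; Serial
+28800 ; Refresh
+1800 ; Retry
+604800 ; Expire - 1 week
+86400 ) ; Negative Cache TTL
+IN NS ns1
+ns1 IN A 192.5.0.10
+server1 IN A 192.5.0.20
+server2 IN A 192.5.0.30
+xp1 IN A 192.5.0.40
+xp2 IN A 192.5.0.50
+xp3 IN A 192.5.0.60
+
+_xmppq-client._udp.one IN SRV 5 1 5443 xp1
+_xmppq-client._udp.two IN SRV 5 1 5443 xp1
+
+scansion.one IN CNAME xp3
+scansion.two IN CNAME xp3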
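--- a/integration/10-client-srv-record-quic/prosody1.cfg.lua
+++ b/integration/10-client-srv-record-quic/prosody1.cfg.lua
@@ -0,0 +1,253 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+--"tls"; -- Add support for secure TLS on c2s/s2s connections
+--"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+
+-- Not essential, but recommended
+"carbons"; -- Keep multiple clients in sync
+"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"blocklist"; -- Allow users to block communications with other users
+"vcard4"; -- User profiles (stored in PEP)
+"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+"limits"; -- Enable bandwidth limiting for XMPP connections
+
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+"register"; -- Allow users to register on this server using a client and change passwords
+--"mam"; -- Store messages in an archive and allow users to access it
+--"csi_simple"; -- Simple Mobile optimizations
+
+-- Admin interfaces
+"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+-- HTTP modules
+--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+--"websocket"; -- XMPP over WebSockets
+--"http_files"; -- Serve static files from a directory over HTTP
+
+-- Other specific functionality
+--"groups"; -- Shared roster support
+--"server_contact_info"; -- Publish contact information for this service
+--"announce"; -- Send announcement to all online users
+--"welcome"; -- Welcome users who register accounts
+--"watchregistrations"; -- Alert admins of registrations
+--"motd"; -- Send a message to users when they log in
+--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+"net_proxy";
+"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+-- "offline"; -- Store offline messages
+-- "c2s"; -- Handle client connections
+-- "s2s"; -- Handle server-to-server connections
+-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "xp1.example.org", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+[15222] = "c2s",
+[15269] = "s2s"
+}
+
+--[[
+Specifies a list of trusted hosts or networks which may use the PROXY protocol
+If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+An empty table ({}) can be configured to allow connections from any source.
+Please read the module documentation about potential security impact.
+]]--
+proxy_trusted_proxies = {
+"192.5.0.40"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+c2s = {
+rate = "10kb/s";
+};
+s2sin = {
+rate = "30kb/s";
+};
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+-- error = "prosody.err";
+--info = "*syslog"; -- Uncomment this for logging to syslog
+debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"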
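--- a/integration/10-client-srv-record-quic/xmpp-proxy1.toml
+++ b/integration/10-client-srv-record-quic/xmpp-proxy1.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ "0.0.0.0:5443" ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.20:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.20:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/wildcard.key"
+tls_cert = "/etc/prosody/certs/wildcard.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"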
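--- a/integration/10-client-srv-record-quic/xmpp-proxy3.toml
+++ b/integration/10-client-srv-record-quic/xmpp-proxy3.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"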
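--- a/integration/11-c2s-websocket/example.org.zone
+++ b/integration/11-c2s-websocket/example.org.zone
@@ -0,0 +1,23 @@
+$TTL 300
+; example.org
+@ IN SOA ns1.example.org. postmaster.example.org. (
+2018111111 ; Serial
+28800 ; Refresh
+1800 ; Retry
+604800 ; Expire - 1 week
+86400 ) ; Negative Cache TTL
+IN NS ns1
+ns1 IN A 192.5.0.10
+server1 IN A 192.5.0.20
+server2 IN A 192.5.0.30
+xp1 IN A 192.5.0.40
+xp2 IN A 192.5.0.50
+xp3 IN A 192.5.0.60
+
+one IN CNAME xp1
+two IN CNAME xp1
+_xmppconnect.one IN TXT "_xmpp-client-websocket=wss://one.example.org:5281/xmpp-websocket"
+_xmppconnect.two IN TXT "_xmpp-client-websocket=wss://two.example.org:5281/xmpp-websocket"
+
+scansion.one IN CNAME xp3
+scansion.two IN CNAME xp3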
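--- a/integration/11-c2s-websocket/prosody1.cfg.lua
+++ b/integration/11-c2s-websocket/prosody1.cfg.lua
@@ -0,0 +1,253 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+--"tls"; -- Add support for secure TLS on c2s/s2s connections
+--"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+
+-- Not essential, but recommended
+"carbons"; -- Keep multiple clients in sync
+"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"blocklist"; -- Allow users to block communications with other users
+"vcard4"; -- User profiles (stored in PEP)
+"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+"limits"; -- Enable bandwidth limiting for XMPP connections
+
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+"register"; -- Allow users to register on this server using a client and change passwords
+--"mam"; -- Store messages in an archive and allow users to access it
+--"csi_simple"; -- Simple Mobile optimizations
+
+-- Admin interfaces
+"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+-- HTTP modules
+--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+--"websocket"; -- XMPP over WebSockets
+--"http_files"; -- Serve static files from a directory over HTTP
+
+-- Other specific functionality
+--"groups"; -- Shared roster support
+--"server_contact_info"; -- Publish contact information for this service
+--"announce"; -- Send announcement to all online users
+--"welcome"; -- Welcome users who register accounts
+--"watchregistrations"; -- Alert admins of registrations
+--"motd"; -- Send a message to users when they log in
+--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+"net_proxy";
+"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+-- "offline"; -- Store offline messages
+-- "c2s"; -- Handle client connections
+-- "s2s"; -- Handle server-to-server connections
+-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "xp1.example.org", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+[15222] = "c2s",
+[15269] = "s2s"
+}
+
+--[[
+Specifies a list of trusted hosts or networks which may use the PROXY protocol
+If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+An empty table ({}) can be configured to allow connections from any source.
+Please read the module documentation about potential security impact.
+]]--
+proxy_trusted_proxies = {
+"192.5.0.40"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+c2s = {
+rate = "10kb/s";
+};
+s2sin = {
+rate = "30kb/s";
+};
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+-- error = "prosody.err";
+--info = "*syslog"; -- Uncomment this for logging to syslog
+debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"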
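--- a/integration/11-c2s-websocket/xmpp-proxy1.toml
+++ b/integration/11-c2s-websocket/xmpp-proxy1.toml
@@ -0,0 +1,42 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5281" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.20:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.20:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/wildcard.key"
+tls_cert = "/etc/prosody/certs/wildcard.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"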
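Review bot: `incoming_listen = [ "0.0.0.0:5281" ]` is the only listener in this xmpp-proxy1.toml, while the sibling xmpp-proxy3.toml in the same integration/11-c2s-websocket directory declares a separate `websocket_listen` key; if port 5281 is meant to serve wss for this scenario, confirm that the STARTTLS/Direct TLS listener also detects WebSocket, otherwise the port belongs in `websocket_listen = [ "0.0.0.0:5281" ]`. The comment above `tls_key` still says the systemd unit can only read files under /etc/xmpp-proxy/, but both paths point at /etc/prosody/certs/, so a short `# test container: certs are mounted here, not under /etc/xmpp-proxy/` would stop the template text contradicting the values. `log_level = "info,xmpp_proxy=trace"` is, per the comment above it, XML-console-level and so records stanza contents; that is appropriate for a fixture but the line should not be carried into the shipped xmpp-proxy.toml.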
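--- a/integration/11-c2s-websocket/xmpp-proxy3.toml
+++ b/integration/11-c2s-websocket/xmpp-proxy3.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"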
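Review bot: `outgoing_listen = [ "0.0.0.0:5222" ]` contradicts the comment directly above it, which says the outgoing listener should be localhost; per that comment this port takes plain TCP XMPP and forwards it, so binding every interface is only acceptable because the test network is isolated. Either bind the container's own address instead of 0.0.0.0 or mark the intent on the line, e.g. `outgoing_listen = [ "0.0.0.0:5222" ] # test-only: the client runs in another container`. `c2s_target`/`s2s_target` point at 127.0.0.1 while `incoming_listen` and `websocket_listen` are empty, so as far as this file shows nothing is proxied to those targets and the localhost values look like template leftovers; worth confirming that is intended rather than a misconfigured backend address.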
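--- a/integration/12-s2s-a-record-starttls/example.org.zone
+++ b/integration/12-s2s-a-record-starttls/example.org.zone
@@ -0,0 +1,21 @@
+$TTL 300
+; example.org
+@ IN SOA ns1.example.org. postmaster.example.org. (
+2018111111 ; Serial
+28800 ; Refresh
+1800 ; Retry
+604800 ; Expire - 1 week
+86400 ) ; Negative Cache TTL
+IN NS ns1
+ns1 IN A 192.5.0.10
+server1 IN A 192.5.0.20
+server2 IN A 192.5.0.30
+xp1 IN A 192.5.0.40
+xp2 IN A 192.5.0.50
+xp3 IN A 192.5.0.60
+
+one IN CNAME xp1
+two IN CNAME xp2
+
+scansion.one IN CNAME xp3
+scansion.two IN CNAME xp3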
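--- a/integration/12-s2s-a-record-starttls/prosody1.cfg.lua
+++ b/integration/12-s2s-a-record-starttls/prosody1.cfg.lua
@@ -0,0 +1,251 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+--"tls"; -- Add support for secure TLS on c2s/s2s connections
+--"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+
+-- Not essential, but recommended
+"carbons"; -- Keep multiple clients in sync
+"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"blocklist"; -- Allow users to block communications with other users
+"vcard4"; -- User profiles (stored in PEP)
+"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+"limits"; -- Enable bandwidth limiting for XMPP connections
+
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+"register"; -- Allow users to register on this server using a client and change passwords
+--"mam"; -- Store messages in an archive and allow users to access it
+--"csi_simple"; -- Simple Mobile optimizations
+
+-- Admin interfaces
+"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+-- HTTP modules
+--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+--"websocket"; -- XMPP over WebSockets
+--"http_files"; -- Serve static files from a directory over HTTP
+
+-- Other specific functionality
+--"groups"; -- Shared roster support
+--"server_contact_info"; -- Publish contact information for this service
+--"announce"; -- Send announcement to all online users
+--"welcome"; -- Welcome users who register accounts
+--"watchregistrations"; -- Alert admins of registrations
+--"motd"; -- Send a message to users when they log in
+--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+"net_proxy";
+"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+-- "offline"; -- Store offline messages
+-- "c2s"; -- Handle client connections
+-- "s2s"; -- Handle server-to-server connections
+-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "192.5.0.40", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+[15222] = "c2s",
+[15269] = "s2s"
+}
+
+--[[
+Specifies a list of trusted hosts or networks which may use the PROXY protocol
+If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+An empty table ({}) can be configured to allow connections from any source.
+Please read the module documentation about potential security impact.
+]]--
+proxy_trusted_proxies = {
+"192.5.0.40"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+c2s = {
+rate = "10kb/s";
+};
+s2sin = {
+rate = "30kb/s";
+};
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+-- error = "prosody.err";
+--info = "*syslog"; -- Uncomment this for logging to syslog
+debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"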
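Review bot: `s2s_ports = {15268}` opens a plain s2s listener that is outside `proxy_port_mappings` and therefore carries no PROXY header and no `proxy_trusted_proxies` check, while `s2s_require_encryption` and `s2s_secure_auth` are both false; a peer that reaches 15268 directly talks to Prosody without xmpp-proxy's TLS termination. The comment says the port exists only so outgoing s2s works, so pinning it with `s2s_interfaces = { "127.0.0.1" }` keeps that property without touching the `s2s_outgoing_proxy` path. Similarly `c2s_require_encryption = false` and `allow_unencrypted_plain_auth = true` are needed because proxied connections arrive in plaintext, but the xmpp-proxy configs in this commit point at mod_secure_interfaces for exactly this situation; if mod_net_proxy does not already flag PROXY-fed connections as secure, enabling `secure_interfaces` for the proxied ports' interface would let both settings keep their secure defaults. The same applies to integration/12-s2s-a-record-starttls/prosody2.cfg.lua.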
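--- a/integration/12-s2s-a-record-starttls/prosody2.cfg.lua
+++ b/integration/12-s2s-a-record-starttls/prosody2.cfg.lua
@@ -0,0 +1,251 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+--"tls"; -- Add support for secure TLS on c2s/s2s connections
+--"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+
+-- Not essential, but recommended
+"carbons"; -- Keep multiple clients in sync
+"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"blocklist"; -- Allow users to block communications with other users
+"vcard4"; -- User profiles (stored in PEP)
+"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+"limits"; -- Enable bandwidth limiting for XMPP connections
+
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+"register"; -- Allow users to register on this server using a client and change passwords
+--"mam"; -- Store messages in an archive and allow users to access it
+--"csi_simple"; -- Simple Mobile optimizations
+
+-- Admin interfaces
+"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+-- HTTP modules
+--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+--"websocket"; -- XMPP over WebSockets
+--"http_files"; -- Serve static files from a directory over HTTP
+
+-- Other specific functionality
+--"groups"; -- Shared roster support
+--"server_contact_info"; -- Publish contact information for this service
+--"announce"; -- Send announcement to all online users
+--"welcome"; -- Welcome users who register accounts
+--"watchregistrations"; -- Alert admins of registrations
+--"motd"; -- Send a message to users when they log in
+--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+"net_proxy";
+"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+-- "offline"; -- Store offline messages
+-- "c2s"; -- Handle client connections
+-- "s2s"; -- Handle server-to-server connections
+-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "192.5.0.50", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+[15222] = "c2s",
+[15269] = "s2s"
+}
+
+--[[
+Specifies a list of trusted hosts or networks which may use the PROXY protocol
+If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+An empty table ({}) can be configured to allow connections from any source.
+Please read the module documentation about potential security impact.
+]]--
+proxy_trusted_proxies = {
+"192.5.0.50"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+c2s = {
+rate = "10kb/s";
+};
+s2sin = {
+rate = "30kb/s";
+};
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+-- error = "prosody.err";
+--info = "*syslog"; -- Uncomment this for logging to syslog
+debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"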
44
integration/12-s2s-a-record-starttls/xmpp-proxy1.toml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
|
||||||
|
# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
|
||||||
|
incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:5269" ]
|
||||||
|
# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
|
||||||
|
quic_listen = [ ]
|
||||||
|
# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
|
||||||
|
websocket_listen = [ ]
|
||||||
|
# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
|
||||||
|
outgoing_listen = [ "0.0.0.0:15270" ]
|
||||||
|
|
||||||
|
# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
|
||||||
|
# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
|
||||||
|
|
||||||
|
# c2s port backend XMPP server listens on
|
||||||
|
c2s_target = "192.5.0.20:15222"
|
||||||
|
|
||||||
|
# s2s port backend XMPP server listens on
|
||||||
|
s2s_target = "192.5.0.20:15269"
|
||||||
|
|
||||||
|
# send PROXYv1 header to backend XMPP server
|
||||||
|
# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
|
||||||
|
# prosody module: https://modules.prosody.im/mod_net_proxy.html
|
||||||
|
# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
|
||||||
|
proxy = true
|
||||||
|
|
||||||
|
# limit incoming stanzas to this many bytes, default to ejabberd's default
|
||||||
|
# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
|
||||||
|
# xmpp-proxy will use this many bytes + 16k per connection
|
||||||
|
max_stanza_size_bytes = 262_144
|
||||||
|
|
||||||
|
# TLS key/certificate valid for all your XMPP domains, PEM format
|
||||||
|
# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
|
||||||
|
tls_key = "/etc/prosody/certs/one.example.org.key"
|
||||||
|
tls_cert = "/etc/prosody/certs/one.example.org.crt"
|
||||||
|
|
||||||
|
# configure logging, defaults are commented
|
||||||
|
# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
|
||||||
|
# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
|
||||||
|
#log_level = "info"
|
||||||
|
# for development/debugging:
|
||||||
|
log_level = "info,xmpp_proxy=trace"
|
||||||
|
|
||||||
|
# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
|
||||||
|
#log_style = "never"
|
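Review bot: `outgoing_listen = [ "0.0.0.0:15270" ]` contradicts the comment directly above it, which says this interface should be localhost; the bind presumably has to be reachable from the prosody container at 192.5.0.20, but the file should say so, because whatever can connect to this port is handed plaintext to the outgoing proxy path as if it were the backend. Suggest replacing that comment with `# outgoing proxy listener; bound to all interfaces only because the backend prosody runs in another container on the test network (192.5.0.20) - keep it on localhost or a private interface in a real deployment`. The same mismatch is in xmpp-proxy2.toml and xmpp-proxy3.toml of this directory. The `tls_key`/`tls_cert` comment still describes the systemd unit's /etc/xmpp-proxy/ restriction while the paths point at /etc/prosody/certs/, which is fine inside the container but deserves a one-line `# test container: key/cert are read from prosody's cert directory, not /etc/xmpp-proxy/` so the paths are not copied into a unit-based install.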
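--- /dev/null
+++ b/integration/12-s2s-a-record-starttls/xmpp-proxy2.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:5269" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:15270" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.30:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.30:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/two.example.org.key"
+tls_cert = "/etc/prosody/certs/two.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"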
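--- /dev/null
+++ b/integration/12-s2s-a-record-starttls/xmpp-proxy3.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"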
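Review bot: This instance has `incoming_listen = [ ]` and only an `outgoing_listen` on `0.0.0.0:5222`, yet it still sets `proxy = true`, `c2s_target`, `s2s_target` and a TLS key pair; if those keys are not consulted when there are no incoming listeners, a comment saying which settings are inert here would keep a reader from assuming a PROXY header is sent to 127.0.0.1:15222 or that the private key is needed by this process. Suggest a header such as `# outgoing-only instance (presumably the test client's side): no incoming listeners, so c2s_target/s2s_target/proxy/tls_* are not exercised here - TODO confirm against the loader`. The loaded key pair (`/etc/certs/rsa/one.example.org.key`) also differs from the /etc/prosody/certs/ paths used by xmpp-proxy1.toml and xmpp-proxy2.toml in this directory, which is presumably deliberate (a separate key for the client container) but is not explained anywhere.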
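--- /dev/null
+++ b/integration/13-s2s-srv-record-starttls/example.org.zone
@@ -0,0 +1,23 @@
+$TTL 300
+; example.org
+@ IN SOA ns1.example.org. postmaster.example.org. (
+2018111111 ; Serial
+28800 ; Refresh
+1800 ; Retry
+604800 ; Expire - 1 week
+86400 ) ; Negative Cache TTL
+IN NS ns1
+ns1 IN A 192.5.0.10
+server1 IN A 192.5.0.20
+server2 IN A 192.5.0.30
+xp1 IN A 192.5.0.40
+xp2 IN A 192.5.0.50
+xp3 IN A 192.5.0.60
+
+one IN CNAME xp1
+two IN CNAME xp2
+_xmpp-server._tcp.one IN SRV 5 1 52269 xp1
+_xmpp-server._tcp.two IN SRV 5 1 52269 xp2
+
+scansion.one IN CNAME xp3
+scansion.two IN CNAME xp3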
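Review bot: The two SRV records send s2s for `one` and `two` to port 52269 on xp1/xp2, and nothing in the zone says why a non-standard port is used; since xmpp-proxy1.toml in this directory listens on `0.0.0.0:52269`, the intent is presumably that a peer which ignores SRV and falls back to the A record on 5269 fails, which is the property this case exists to check. Suggest a comment above the SRV records: `; s2s is reachable only via SRV on 52269 - a peer that falls back to the A record on 5269 must fail`. A comment on `scansion.one`/`scansion.two` saying they point the test client at xp3 would also help, as nothing else in the zone explains those names.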
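--- /dev/null
+++ b/integration/13-s2s-srv-record-starttls/prosody1.cfg.lua
@@ -0,0 +1,251 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+--"tls"; -- Add support for secure TLS on c2s/s2s connections
+--"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+
+-- Not essential, but recommended
+"carbons"; -- Keep multiple clients in sync
+"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"blocklist"; -- Allow users to block communications with other users
+"vcard4"; -- User profiles (stored in PEP)
+"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+"limits"; -- Enable bandwidth limiting for XMPP connections
+
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+"register"; -- Allow users to register on this server using a client and change passwords
+--"mam"; -- Store messages in an archive and allow users to access it
+--"csi_simple"; -- Simple Mobile optimizations
+
+-- Admin interfaces
+"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+-- HTTP modules
+--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+--"websocket"; -- XMPP over WebSockets
+--"http_files"; -- Serve static files from a directory over HTTP
+
+-- Other specific functionality
+--"groups"; -- Shared roster support
+--"server_contact_info"; -- Publish contact information for this service
+--"announce"; -- Send announcement to all online users
+--"welcome"; -- Welcome users who register accounts
+--"watchregistrations"; -- Alert admins of registrations
+--"motd"; -- Send a message to users when they log in
+--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+"net_proxy";
+"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+-- "offline"; -- Store offline messages
+-- "c2s"; -- Handle client connections
+-- "s2s"; -- Handle server-to-server connections
+-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "192.5.0.40", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+[15222] = "c2s",
+[15269] = "s2s"
+}
+
+--[[
+Specifies a list of trusted hosts or networks which may use the PROXY protocol
+If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+An empty table ({}) can be configured to allow connections from any source.
+Please read the module documentation about potential security impact.
+]]--
+proxy_trusted_proxies = {
+"192.5.0.40"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+c2s = {
+rate = "10kb/s";
+};
+s2sin = {
+rate = "30kb/s";
+};
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+-- error = "prosody.err";
+--info = "*syslog"; -- Uncomment this for logging to syslog
+debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"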
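Review bot: The header comment warns that setting daemonize to false freezes systemd startup, and the very next line sets `daemonize = false` (alongside `run_as_root = true`), so the comment contradicts the value it sits above; in this container the foreground/console setup is presumably intentional, given `debug = "*console"` in the log table, and the header should say so, e.g. `-- test container: run in the foreground as root and log to the console; not a systemd deployment`. The same stale header is in prosody2.cfg.lua. Further down, `s2s_ports = {15268}` opens a listener that is absent from `proxy_port_mappings`, so connections to it arrive without a PROXY header and without the TLS that xmpp-proxy provides on the mapped ports; a comment that it exists only to satisfy the "at least one s2s_ports" requirement and must not be reachable from outside the test network would stop it being carried into a real deployment. `proxy_trusted_proxies = { "192.5.0.40" }` correctly restricts PROXY-header trust to the single xmpp-proxy address, which is worth a brief comment since the block above it describes the empty-table (trust anyone) option.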
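--- /dev/null
+++ b/integration/13-s2s-srv-record-starttls/prosody2.cfg.lua
@@ -0,0 +1,251 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+--"tls"; -- Add support for secure TLS on c2s/s2s connections
+--"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+
+-- Not essential, but recommended
+"carbons"; -- Keep multiple clients in sync
+"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"blocklist"; -- Allow users to block communications with other users
+"vcard4"; -- User profiles (stored in PEP)
+"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+"limits"; -- Enable bandwidth limiting for XMPP connections
+
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+"register"; -- Allow users to register on this server using a client and change passwords
+--"mam"; -- Store messages in an archive and allow users to access it
+--"csi_simple"; -- Simple Mobile optimizations
+
+-- Admin interfaces
+"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+-- HTTP modules
+--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+--"websocket"; -- XMPP over WebSockets
+--"http_files"; -- Serve static files from a directory over HTTP
+
+-- Other specific functionality
+--"groups"; -- Shared roster support
+--"server_contact_info"; -- Publish contact information for this service
+--"announce"; -- Send announcement to all online users
+--"welcome"; -- Welcome users who register accounts
+--"watchregistrations"; -- Alert admins of registrations
+--"motd"; -- Send a message to users when they log in
+--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+"net_proxy";
+"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+-- "offline"; -- Store offline messages
+-- "c2s"; -- Handle client connections
+-- "s2s"; -- Handle server-to-server connections
+-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "192.5.0.50", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+[15222] = "c2s",
+[15269] = "s2s"
+}
+
+--[[
+Specifies a list of trusted hosts or networks which may use the PROXY protocol
+If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+An empty table ({}) can be configured to allow connections from any source.
+Please read the module documentation about potential security impact.
+]]--
+proxy_trusted_proxies = {
+"192.5.0.50"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+c2s = {
+rate = "10kb/s";
+};
+s2sin = {
+rate = "30kb/s";
+};
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+-- error = "prosody.err";
+--info = "*syslog"; -- Uncomment this for logging to syslog
+debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"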
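--- a/integration/13-s2s-srv-record-starttls/xmpp-proxy1.toml
+++ b/integration/13-s2s-srv-record-starttls/xmpp-proxy1.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:52269" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:15270" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.20:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.20:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/one.example.org.key"
+tls_cert = "/etc/prosody/certs/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"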
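Review bot: `outgoing_listen = [ "0.0.0.0:15270" ]` contradicts the comment directly above it, which says the outgoing listener should be localhost; this port is the plaintext side of the outgoing proxy, so anything on the test network that can reach it can presumably originate outbound traffic through the proxy, and only the isolation of the integration network limits that here. If binding to all interfaces is needed because prosody runs in a separate container, record that next to the value, e.g. `# 0.0.0.0 only because the backend is a separate container in this test; use 127.0.0.1 in production`. The same mismatch appears in xmpp-proxy2.toml and xmpp-proxy3.toml of this directory and in integration/14-s2s-a-record-tls/xmpp-proxy1.toml. The `tls_key`/`tls_cert` paths under /etc/prosody/certs/ likewise disagree with the comment above them about /etc/xmpp-proxy/; a short note that these are container paths for the test would stop a reader copying them as-is.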
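--- a/integration/13-s2s-srv-record-starttls/xmpp-proxy2.toml
+++ b/integration/13-s2s-srv-record-starttls/xmpp-proxy2.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:52269" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:15270" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.30:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.30:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/two.example.org.key"
+tls_cert = "/etc/prosody/certs/two.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"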
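--- a/integration/13-s2s-srv-record-starttls/xmpp-proxy3.toml
+++ b/integration/13-s2s-srv-record-starttls/xmpp-proxy3.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"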
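--- a/integration/14-s2s-a-record-tls/example.org.zone
+++ b/integration/14-s2s-a-record-tls/example.org.zone
@@ -0,0 +1,21 @@
+$TTL 300
+; example.org
+@ IN SOA ns1.example.org. postmaster.example.org. (
+2018111111 ; Serial
+28800 ; Refresh
+1800 ; Retry
+604800 ; Expire - 1 week
+86400 ) ; Negative Cache TTL
+IN NS ns1
+ns1 IN A 192.5.0.10
+server1 IN A 192.5.0.20
+server2 IN A 192.5.0.30
+xp1 IN A 192.5.0.40
+xp2 IN A 192.5.0.50
+xp3 IN A 192.5.0.60
+
+one IN CNAME xp1
+two IN CNAME xp2
+
+scansion.one IN CNAME xp3
+scansion.two IN CNAME xp3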
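--- a/integration/14-s2s-a-record-tls/prosody1.cfg.lua
+++ b/integration/14-s2s-a-record-tls/prosody1.cfg.lua
@@ -0,0 +1,251 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+--"tls"; -- Add support for secure TLS on c2s/s2s connections
+--"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+
+-- Not essential, but recommended
+"carbons"; -- Keep multiple clients in sync
+"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"blocklist"; -- Allow users to block communications with other users
+"vcard4"; -- User profiles (stored in PEP)
+"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+"limits"; -- Enable bandwidth limiting for XMPP connections
+
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+"register"; -- Allow users to register on this server using a client and change passwords
+--"mam"; -- Store messages in an archive and allow users to access it
+--"csi_simple"; -- Simple Mobile optimizations
+
+-- Admin interfaces
+"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+-- HTTP modules
+--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+--"websocket"; -- XMPP over WebSockets
+--"http_files"; -- Serve static files from a directory over HTTP
+
+-- Other specific functionality
+--"groups"; -- Shared roster support
+--"server_contact_info"; -- Publish contact information for this service
+--"announce"; -- Send announcement to all online users
+--"welcome"; -- Welcome users who register accounts
+--"watchregistrations"; -- Alert admins of registrations
+--"motd"; -- Send a message to users when they log in
+--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+"net_proxy";
+"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+-- "offline"; -- Store offline messages
+-- "c2s"; -- Handle client connections
+-- "s2s"; -- Handle server-to-server connections
+-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "192.5.0.40", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+[15222] = "c2s",
+[15269] = "s2s"
+}
+
+--[[
+Specifies a list of trusted hosts or networks which may use the PROXY protocol
+If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+An empty table ({}) can be configured to allow connections from any source.
+Please read the module documentation about potential security impact.
+]]--
+proxy_trusted_proxies = {
+"192.5.0.40"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+c2s = {
+rate = "10kb/s";
+};
+s2sin = {
+rate = "30kb/s";
+};
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+-- error = "prosody.err";
+--info = "*syslog"; -- Uncomment this for logging to syslog
+debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"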
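Review bot: The comment `-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.` on the second line is contradicted by `daemonize = false` directly below it; the foreground run is presumably deliberate for the container (the `log` table sends `debug` to `*console` with a note about daemonize=false), so the comment should say that instead, e.g. `-- run in the foreground: this fixture runs under docker, not systemd`. Separately, `s2s_ports = {15268}` opens a plain s2s listener that is not covered by `proxy_port_mappings` or `proxy_trusted_proxies`, and with `s2s_require_encryption = false`, `s2s_secure_auth = false` and the `tls`/`dialback` modules commented out there is no mechanism visible in this file to authenticate a peer that connects to it directly. A comment next to it stating that 15268 exists only to satisfy the outgoing-s2s requirement noted above it and must not be reachable beyond the test network (or a bind restriction such as `s2s_interfaces`, if the deployment allows one) would make that explicit. Both points apply equally to prosody2.cfg.lua in this directory.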
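--- a/integration/14-s2s-a-record-tls/prosody2.cfg.lua
+++ b/integration/14-s2s-a-record-tls/prosody2.cfg.lua
@@ -0,0 +1,251 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+--"tls"; -- Add support for secure TLS on c2s/s2s connections
+--"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+
+-- Not essential, but recommended
+"carbons"; -- Keep multiple clients in sync
+"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"blocklist"; -- Allow users to block communications with other users
+"vcard4"; -- User profiles (stored in PEP)
+"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+"limits"; -- Enable bandwidth limiting for XMPP connections
+
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+"register"; -- Allow users to register on this server using a client and change passwords
+--"mam"; -- Store messages in an archive and allow users to access it
+--"csi_simple"; -- Simple Mobile optimizations
+
+-- Admin interfaces
+"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+-- HTTP modules
+--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+--"websocket"; -- XMPP over WebSockets
+--"http_files"; -- Serve static files from a directory over HTTP
+
+-- Other specific functionality
+--"groups"; -- Shared roster support
+--"server_contact_info"; -- Publish contact information for this service
+--"announce"; -- Send announcement to all online users
+--"welcome"; -- Welcome users who register accounts
+--"watchregistrations"; -- Alert admins of registrations
+--"motd"; -- Send a message to users when they log in
+--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+"net_proxy";
+"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+-- "offline"; -- Store offline messages
+-- "c2s"; -- Handle client connections
+-- "s2s"; -- Handle server-to-server connections
+-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "192.5.0.50", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+[15222] = "c2s",
+[15269] = "s2s"
+}
+
+--[[
+Specifies a list of trusted hosts or networks which may use the PROXY protocol
+If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+An empty table ({}) can be configured to allow connections from any source.
+Please read the module documentation about potential security impact.
+]]--
+proxy_trusted_proxies = {
+"192.5.0.50"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+c2s = {
+rate = "10kb/s";
+};
+s2sin = {
+rate = "30kb/s";
+};
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+-- error = "prosody.err";
+--info = "*syslog"; -- Uncomment this for logging to syslog
+debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"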
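--- a/integration/14-s2s-a-record-tls/xmpp-proxy1.toml
+++ b/integration/14-s2s-a-record-tls/xmpp-proxy1.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:443" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:15270" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.20:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.20:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/one.example.org.key"
+tls_cert = "/etc/prosody/certs/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"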
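Review bot: `outgoing_listen = [ "0.0.0.0:15270" ]` binds the plaintext outgoing-proxy listener on every interface while the comment directly above it says it "should be localhost"; in this fixture the backend prosody lives in another container (`s2s_target` is 192.5.0.20), so a wider bind is presumably required, but the inherited comment now contradicts the value. Suggest replacing that comment line in the fixture with `# integration fixture: prosody runs in a separate container, so this must be reachable on the test network (use localhost in production)`. The same mismatch is in xmpp-proxy2.toml and xmpp-proxy3.toml (where the outgoing listener is `0.0.0.0:5222`). `log_level = "info,xmpp_proxy=trace"` is also left at the level the file's own comment equates to XML-console output, which is fine for a test but is the kind of setting that gets copied into real deployments along with the rest of the file.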
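--- a/integration/14-s2s-a-record-tls/xmpp-proxy2.toml
+++ b/integration/14-s2s-a-record-tls/xmpp-proxy2.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:443" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:15270" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.30:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.30:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/two.example.org.key"
+tls_cert = "/etc/prosody/certs/two.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"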
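--- a/integration/14-s2s-a-record-tls/xmpp-proxy3.toml
+++ b/integration/14-s2s-a-record-tls/xmpp-proxy3.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"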
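--- a/integration/15-s2s-srv-record-tls/example.org.zone
+++ b/integration/15-s2s-srv-record-tls/example.org.zone
@@ -0,0 +1,23 @@
+$TTL 300
+; example.org
+@ IN SOA ns1.example.org. postmaster.example.org. (
+2018111111 ; Serial
+28800 ; Refresh
+1800 ; Retry
+604800 ; Expire - 1 week
+86400 ) ; Negative Cache TTL
+IN NS ns1
+ns1 IN A 192.5.0.10
+server1 IN A 192.5.0.20
+server2 IN A 192.5.0.30
+xp1 IN A 192.5.0.40
+xp2 IN A 192.5.0.50
+xp3 IN A 192.5.0.60
+
+one IN CNAME xp1
+two IN CNAME xp2
+_xmpps-server._tcp.one IN SRV 5 1 52269 xp1
+_xmpps-server._tcp.two IN SRV 5 1 52269 xp2
+
+scansion.one IN CNAME xp3
+scansion.two IN CNAME xp3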
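--- a/integration/15-s2s-srv-record-tls/prosody1.cfg.lua
+++ b/integration/15-s2s-srv-record-tls/prosody1.cfg.lua
@@ -0,0 +1,251 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+--"tls"; -- Add support for secure TLS on c2s/s2s connections
+--"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+
+-- Not essential, but recommended
+"carbons"; -- Keep multiple clients in sync
+"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"blocklist"; -- Allow users to block communications with other users
+"vcard4"; -- User profiles (stored in PEP)
+"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+"limits"; -- Enable bandwidth limiting for XMPP connections
+
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+"register"; -- Allow users to register on this server using a client and change passwords
+--"mam"; -- Store messages in an archive and allow users to access it
+--"csi_simple"; -- Simple Mobile optimizations
+
+-- Admin interfaces
+"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+-- HTTP modules
+--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+--"websocket"; -- XMPP over WebSockets
+--"http_files"; -- Serve static files from a directory over HTTP
+
+-- Other specific functionality
+--"groups"; -- Shared roster support
+--"server_contact_info"; -- Publish contact information for this service
+--"announce"; -- Send announcement to all online users
+--"welcome"; -- Welcome users who register accounts
+--"watchregistrations"; -- Alert admins of registrations
+--"motd"; -- Send a message to users when they log in
+--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+"net_proxy";
+"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+-- "offline"; -- Store offline messages
+-- "c2s"; -- Handle client connections
+-- "s2s"; -- Handle server-to-server connections
+-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "192.5.0.40", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+[15222] = "c2s",
+[15269] = "s2s"
+}
+
+--[[
+Specifies a list of trusted hosts or networks which may use the PROXY protocol
+If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+An empty table ({}) can be configured to allow connections from any source.
+Please read the module documentation about potential security impact.
+]]--
+proxy_trusted_proxies = {
+"192.5.0.40"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+c2s = {
+rate = "10kb/s";
+};
+s2sin = {
+rate = "30kb/s";
+};
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+-- error = "prosody.err";
+--info = "*syslog"; -- Uncomment this for logging to syslog
+debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "one.example.org"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"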
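Review bot: `s2s_ports = {15268}` leaves a native Prosody s2s listener open beside the PROXY-protocol ports, and because `s2s_require_encryption = false`, `s2s_secure_auth = false` and `"dialback"` is commented out in `modules_enabled`, anything that can reach that port gets an inbound s2s path that bypasses xmpp-proxy's TLS; the `proxy_trusted_proxies = { "192.5.0.40" }` allow-list does not cover it, since it is not one of the `proxy_port_mappings` ports. If the port exists only for the outgoing-s2s quirk the comment describes, consider binding it to loopback with `s2s_interfaces = { "127.0.0.1" }` (verify this does not interfere with the s2s_outgoing_proxy module), or add a comment stating that the closed test network is what makes the exposure acceptable. The xmpp-proxy fixture's comment points at mod_secure_interfaces for the proxied ports, but neither `secure_interfaces` nor anything equivalent appears in `modules_enabled`, so `allow_unencrypted_plain_auth = true` looks like what lets PLAIN auth succeed on 15222 and deserves a one-line comment saying so. Separately, the inherited comment `-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.` now sits directly above `daemonize = false`; replace it with `-- daemonize = false: run in the foreground so the "*console" log reaches the container output`. All of this applies unchanged to prosody2.cfg.lua.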
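--- a/integration/15-s2s-srv-record-tls/prosody2.cfg.lua
+++ b/integration/15-s2s-srv-record-tls/prosody2.cfg.lua
@@ -0,0 +1,251 @@
+--Important for systemd
+-- daemonize is important for systemd. if you set this to false the systemd startup will freeze.
+daemonize = false
+run_as_root = true
+
+pidfile = "/run/prosody/prosody.pid"
+
+plugin_paths = { "/opt/xmpp-proxy/prosody-modules", "/opt/prosody-modules" }
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+-- Generally required
+"roster"; -- Allow users to have a roster. Recommended ;)
+"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+--"tls"; -- Add support for secure TLS on c2s/s2s connections
+--"dialback"; -- s2s dialback support
+"disco"; -- Service discovery
+
+-- Not essential, but recommended
+"carbons"; -- Keep multiple clients in sync
+"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+"private"; -- Private XML storage (for room bookmarks, etc.)
+"blocklist"; -- Allow users to block communications with other users
+"vcard4"; -- User profiles (stored in PEP)
+"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+"limits"; -- Enable bandwidth limiting for XMPP connections
+
+-- Nice to have
+"version"; -- Replies to server version requests
+"uptime"; -- Report how long server has been running
+"time"; -- Let others know the time here on this server
+"ping"; -- Replies to XMPP pings with pongs
+"register"; -- Allow users to register on this server using a client and change passwords
+--"mam"; -- Store messages in an archive and allow users to access it
+--"csi_simple"; -- Simple Mobile optimizations
+
+-- Admin interfaces
+"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+-- HTTP modules
+--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+--"websocket"; -- XMPP over WebSockets
+--"http_files"; -- Serve static files from a directory over HTTP
+
+-- Other specific functionality
+--"groups"; -- Shared roster support
+--"server_contact_info"; -- Publish contact information for this service
+--"announce"; -- Send announcement to all online users
+--"welcome"; -- Welcome users who register accounts
+--"watchregistrations"; -- Alert admins of registrations
+--"motd"; -- Send a message to users when they log in
+--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+"net_proxy";
+"s2s_outgoing_proxy";
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+-- "offline"; -- Store offline messages
+-- "c2s"; -- Handle client connections
+-- "s2s"; -- Handle server-to-server connections
+-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- we don't need prosody doing any encryption, xmpp-proxy does this now
+-- these are likely set to true somewhere in your file, find them, make them false
+-- you can also remove all certificates from your config
+s2s_require_encryption = false
+s2s_secure_auth = false
+
+-- xmpp-proxy outgoing is listening on this port, make all outgoing s2s connections directly to here
+s2s_outgoing_proxy = { "192.5.0.50", 15270 }
+
+-- handle PROXY protocol on these ports
+proxy_port_mappings = {
+[15222] = "c2s",
+[15269] = "s2s"
+}
+
+--[[
+Specifies a list of trusted hosts or networks which may use the PROXY protocol
+If not specified, it will default to: 127.0.0.1, ::1 (local connections only)
+An empty table ({}) can be configured to allow connections from any source.
+Please read the module documentation about potential security impact.
+]]--
+proxy_trusted_proxies = {
+"192.5.0.50"
+}
+
+-- don't listen on any normal c2s/s2s ports (xmpp-proxy listens on these now)
+-- you might need to comment these out further down in your config file if you set them
+c2s_ports = {}
+legacy_ssl_ports = {}
+-- you MUST have at least one s2s_ports defined if you want outgoing S2S to work, don't ask..
+s2s_ports = {15268}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+allow_unencrypted_plain_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you disable s2s_secure_auth, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Enable rate limits for incoming client and server connections
+
+limits = {
+c2s = {
+rate = "10kb/s";
+};
+s2sin = {
+rate = "30kb/s";
+};
+}
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+-- info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
+-- error = "prosody.err";
+--info = "*syslog"; -- Uncomment this for logging to syslog
+debug = "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "/etc/prosody/certs/localhost.crt"
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "two.example.org"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+--- Store MUC messages in an archive and allow users to access it
+--modules_enabled = { "muc_mam" }
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"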
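--- a/integration/15-s2s-srv-record-tls/xmpp-proxy1.toml
+++ b/integration/15-s2s-srv-record-tls/xmpp-proxy1.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:52269" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:15270" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.20:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.20:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/one.example.org.key"
+tls_cert = "/etc/prosody/certs/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"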
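Review bot: `outgoing_listen = [ "0.0.0.0:15270" ]` binds the cleartext outgoing-proxy port on every interface while the comment directly above it says the listener "should be localhost"; the same mismatch is in xmpp-proxy2.toml and, on port 5222, in xmpp-proxy3.toml. Binding all interfaces is presumably deliberate so the peer containers in this integration test can reach it, but a copy of this file used outside the test would accept unauthenticated plaintext XMPP from any host that can reach that port. I'd record the intent on the line instead of leaving the comment contradicting the value, e.g. `# integration fixture: bound on all interfaces so the other test containers can reach it; use 127.0.0.1 outside this test`. The `c2s_target`/`s2s_target` hop to 192.5.0.20 is likewise a non-loopback cleartext link carrying the PROXYv1 header, so the "any connection from xmpp-proxy is secure" comment only holds if the backend restricts that listener to the proxy's address — worth stating next to `proxy = true`.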
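--- a/integration/15-s2s-srv-record-tls/xmpp-proxy2.toml
+++ b/integration/15-s2s-srv-record-tls/xmpp-proxy2.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ "0.0.0.0:5222", "0.0.0.0:52269" ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:15270" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "192.5.0.30:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "192.5.0.30:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/prosody/certs/two.example.org.key"
+tls_cert = "/etc/prosody/certs/two.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"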
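--- a/integration/15-s2s-srv-record-tls/xmpp-proxy3.toml
+++ b/integration/15-s2s-srv-record-tls/xmpp-proxy3.toml
@@ -0,0 +1,44 @@
+
+# interfaces to listen for reverse proxy STARTTLS/Direct TLS XMPP connections on, should be open to the internet
+incoming_listen = [ ]
+# interfaces to listen for reverse proxy QUIC XMPP connections on, should be open to the internet
+quic_listen = [ ]
+# interfaces to listen for reverse proxy TLS WebSocket (wss) XMPP connections on, should be open to the internet
+websocket_listen = [ ]
+# interfaces to listen for outgoing proxy TCP XMPP connections on, should be localhost
+outgoing_listen = [ "0.0.0.0:5222" ]
+
+# these ports shouldn't do any TLS, but should assume any connection from xmpp-proxy is secure
+# prosody module: https://modules.prosody.im/mod_secure_interfaces.html
+
+# c2s port backend XMPP server listens on
+c2s_target = "127.0.0.1:15222"
+
+# s2s port backend XMPP server listens on
+s2s_target = "127.0.0.1:15269"
+
+# send PROXYv1 header to backend XMPP server
+# https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+# prosody module: https://modules.prosody.im/mod_net_proxy.html
+# ejabberd config: https://docs.ejabberd.im/admin/configuration/listen-options/#use-proxy-protocol
+proxy = true
+
+# limit incoming stanzas to this many bytes, default to ejabberd's default
+# https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32
+# xmpp-proxy will use this many bytes + 16k per connection
+max_stanza_size_bytes = 262_144
+
+# TLS key/certificate valid for all your XMPP domains, PEM format
+# included systemd unit can only read files from /etc/xmpp-proxy/ so put them in there
+tls_key = "/etc/certs/rsa/one.example.org.key"
+tls_cert = "/etc/certs/rsa/one.example.org.crt"
+
+# configure logging, defaults are commented
+# can also set env variables XMPP_PROXY_LOG_LEVEL and/or XMPP_PROXY_LOG_STYLE, but values in this file override them
+# many options, trace is XML-console-level, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#enabling-logging
+#log_level = "info"
+# for development/debugging:
+log_level = "info,xmpp_proxy=trace"
+
+# one of auto, always, never, refer to: https://docs.rs/env_logger/0.8.3/env_logger/#disabling-colors
+#log_style = "never"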
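Review bot: `outgoing_listen = [ "0.0.0.0:5222" ]` puts the cleartext outgoing-proxy listener on 5222, the well-known c2s port, while `incoming_listen`, `quic_listen` and `websocket_listen` are all empty, so a reader scanning this file will take 5222 for the TLS-terminating client listener it is in xmpp-proxy1.toml and xmpp-proxy2.toml. A one-line comment would remove the ambiguity, e.g. `# plain-TCP outgoing proxy on the usual c2s port; this instance terminates no TLS itself`. With no inbound listener configured, whether `tls_key`/`tls_cert` are still consumed (for outbound s2s, say) is not visible from this file; if they are not, they are dead configuration here and deserve a note either way.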