diff options
author | Elena ``of Valhalla'' Grandi <valhalla@trueelena.org> | 2023-06-14 21:17:47 +0200 |
---|---|---|
committer | Elena ``of Valhalla'' Grandi <valhalla@trueelena.org> | 2023-06-14 21:17:47 +0200 |
commit | 5690a5c438ae5b67a60857e72866b95acd1723aa (patch) | |
tree | 26b90ecbb35ffa3d37d0485d0d2f38676986a131 /source/self_hosting/modern_xmpp_server | |
parent | a472a8e904a326cc6460a4b0abb6b4d567e3cd17 (diff) |
new article: modern xmpp server
Diffstat (limited to 'source/self_hosting/modern_xmpp_server')
-rw-r--r-- | source/self_hosting/modern_xmpp_server/index.rst | 205 |
1 files changed, 205 insertions, 0 deletions
diff --git a/source/self_hosting/modern_xmpp_server/index.rst b/source/self_hosting/modern_xmpp_server/index.rst new file mode 100644 index 0000000..3f752e9 --- /dev/null +++ b/source/self_hosting/modern_xmpp_server/index.rst @@ -0,0 +1,205 @@ +******************* +Modern XMPP Server +******************* + +This is what I did to configure my XMPP server, using only `packages +supported in Debian <https://www.debian.org/security/>`_ and 100% +compliant with the `tests for XEP-0459: XMPP Compliance Suites 2022 on +conversations' website <https://compliance.conversations.im>`_. + +This guide was written for prosody 0.9 under Debian jessie, but is being +kept up to date as I upgrade my server to new Debian releases. + +.. only:: html + + .. contents:: + +How +=== + +I've decided to install prosody_, mostly because it was recommended by +the `RTC QuickStart Guide`_; I've heard that similar results can be +reached with ejabberd_ and other servers. + +.. _prosody: https://prosody.im/ +.. _`RTC QuickStart Guide`: http://rtcquickstart.org/ +.. _ejabberd: https://www.ejabberd.im/ + +I'm also targetting Debian_ stable (+ backports_); currently that's +bullseye and prosody 0.11 (upgrade to bookworm is planned soon). + +.. _Debian: https://www.debian.org +.. _backports: https://backports.debian.org/ + + +Installation and prerequisites +------------------------------ + +You will need to install the packages ``prosody`` and +``prosody-modules``; on jessie the versions in backports were needed, +but currently not on buster. + +You also need to setup some TLS certificates (I used `Let's Encrypt`_); +and make them readable by the ``prosody`` user; you can see `Chapter 12 +of the RTC QuickStart Guide +<http://rtcquickstart.org/guide/multi/xmpp-server-prosody.html>`_ for +more details. + +With prosody 0.10+ you will also need to configure the location of the +certificate for https with a configuration stanza such as:: + + https_ssl = { + certificate = "/etc/ssl/public/example.org.pem"; + key = "/etc/ssl/private/example.org-key.pem"; + } + +or see the `prosody documentation on certificates +<https://prosody.im/doc/certificates>`_ to see where to put certificates +so that prosody is able to autodetect them. + +.. _`Let's Encrypt`: https://letsencrypt.org/ + +On your firewall, you'll need to open the following TCP ports: + +* 5222 (client2server) +* 5269 (server2server) +* 5280 (default http port for prosody) +* 5281 (default https port for prosody) + +The latter two are needed to enable some services provided via http(s), +including rich media transfers. + +With just a handful of users, I didn't bother to configure LDAP or +anything else, but just created users manually via:: + + prosodyctl adduser alice@example.org + +In-band registration is disabled by default (and I've left it that way, +to prevent my server from being used to send spim_). + +.. _spim: https://en.wikipedia.org/wiki/Messaging_spam + +prosody configuration +--------------------- + +You can then start configuring prosody by editing +``/etc/prosody/prosody.cfg.lua`` and changing a few values from the +distribution defaults. + +First of all, enforce the use of encryption and certificate checking +both for client2server and server2server communications with:: + + c2s_require_encryption = true + s2s_secure_auth = true + +and then, if you need to, add to the whitelist any server that you want +to talk to and doesn't support secure s2s communication (but note that +gmail.com is no longer needed, as it doesn't support xmpp any longer):: + + s2s_insecure_domains = { "gmail.com" } + +virtualhosts +------------ + +For each virtualhost you want to configure, create a file +``/etc/prosody/conf.avail/chat.example.org.cfg.lua`` with contents like +the following:: + + VirtualHost "chat.example.org" + enabled = true + ssl = { + key = "/etc/ssl/private/example.org-key.pem"; + certificate = "/etc/ssl/public/example.org.pem"; + } + +For the domains where you also want to enable MUCs, add the follwing +lines:: + + Component "conference.chat.example.org" "muc" + restrict_room_creation = "local" + modules_enabled = { + "mam_muc", + "vcard_muc", + } + +the ``"local"`` configures prosody so that only local users are allowed +to create new rooms (but then everybody can join them, if the room +administrator allows it): this may help reduce unwanted usages of your +server by random people. + +Enabling the ``mam_muc`` module (on prosody 0.10 only) allows people to +syncronize message history between multiple clients (XEP-0313) + +You can also add the following line to enable rich media transfers via +http uploads (XEP-0363_):: + + Component "upload.chat.example.org" "http_upload" + +The defaults are pretty sane, but see +https://modules.prosody.im/mod_http_upload.html for details on what +knobs you can configure for this module; you may want e.g. to change the +maximum file size limit and setup an expiry date:: + + Component "upload.chat.example.org" "http_upload" + http_upload_file_size_limit = 1024 * 1024 * 2 + http_upload_expire_after = 60 * 60 * 24 * 7 + +.. _XEP-0363: https://xmpp.org/extensions/xep-0363.html + +Don't forget to enable the virtualhost by linking the file inside +``/etc/prosody/conf.d/``. + +additional modules +------------------ + +Most of the other interesting XEPs are enabled by loading additional +modules inside ``/etc/prosody/prosody.cfg.lua`` (under +``modules_enabled``); to enable ``mod_something`` just add a line like:: + + "something"; + +Most of these come from the ``prosody-modules`` package (and thus from +https://modules.prosody.im/ ) and some may require changing when prosody +0.10 will be available; when this is the case it is mentioned below. + +``mod_blocklist`` (XEP-0191) + To allow user-controlled blocking of users, including as an anti-spim + measure. +``mod_smacks`` (XEP-0198) + Allow clients to resume a disconnected session before a customizable + timeout and prevent message loss. +``mod_mam`` (XEP-0313) + Archive messages on the server for a limited period of time (default + 1 week) and allow clients to retrieve them; this is required to + syncronize message history between multiple clients. + + With prosody 0.9 only an in-memory storage backend is available, + which may make this module problematic on servers with many users. + prosody 0.10 will fix this by adding support for an SQL backed + storage with archiving capabilities. +``mod_throttle_presence`` + ``mod_filter_chatstates`` (XEP-0352) + Filter out presence updates and chat states when the client announces + (via Client State Indication) that the user isn't looking. + This is useful to reduce power and bandwidth usage for "useless" + traffic. +``cloud_notify`` (XEP-0357) + Allow clients to register an “app server” that is notified about new + messages + +See also +======== + +* `The State of Mobile XMPP in 2016 <https://gultsch.de/xmpp_2016.html>`_ + (blog post by the maintainer of Conversations) +* `Prosody installation instructions in the FreedomBox wiki + <https://wiki.debian.org/FreedomBox/Configs/Prosody>`_ + (for basic prosody configuration) +* `What Prosody modules do I need to support Conversations? + <https://serverfault.com/questions/835635/what-prosody-modules-do-i-need-to-support-conversations/835636>`_ + (on Server Fault) +* `This HOWTO on my old website + <https://www.trueelena.org/computers/howto/modern_xmpp_server.html>`_ +* `Enrico's post on how we configured the server before compliance.conversations.im was a thing <http://www.enricozini.org/blog/2017/debian/modern-and-secure-instant-messaging/>`_ + +.. + vim: set filetype=rst: |