summaryrefslogtreecommitdiff
path: root/source/self_hosting/modern_xmpp_server
diff options
context:
space:
mode:
Diffstat (limited to 'source/self_hosting/modern_xmpp_server')
-rw-r--r--source/self_hosting/modern_xmpp_server/index.rst205
1 files changed, 205 insertions, 0 deletions
diff --git a/source/self_hosting/modern_xmpp_server/index.rst b/source/self_hosting/modern_xmpp_server/index.rst
new file mode 100644
index 0000000..3f752e9
--- /dev/null
+++ b/source/self_hosting/modern_xmpp_server/index.rst
@@ -0,0 +1,205 @@
+*******************
+Modern XMPP Server
+*******************
+
+This is what I did to configure my XMPP server, using only `packages
+supported in Debian <https://www.debian.org/security/>`_ and 100%
+compliant with the `tests for XEP-0459: XMPP Compliance Suites 2022 on
+conversations' website <https://compliance.conversations.im>`_.
+
+This guide was written for prosody 0.9 under Debian jessie, but is being
+kept up to date as I upgrade my server to new Debian releases.
+
+.. only:: html
+
+ .. contents::
+
+How
+===
+
+I've decided to install prosody_, mostly because it was recommended by
+the `RTC QuickStart Guide`_; I've heard that similar results can be
+reached with ejabberd_ and other servers.
+
+.. _prosody: https://prosody.im/
+.. _`RTC QuickStart Guide`: http://rtcquickstart.org/
+.. _ejabberd: https://www.ejabberd.im/
+
+I'm also targetting Debian_ stable (+ backports_); currently that's
+bullseye and prosody 0.11 (upgrade to bookworm is planned soon).
+
+.. _Debian: https://www.debian.org
+.. _backports: https://backports.debian.org/
+
+
+Installation and prerequisites
+------------------------------
+
+You will need to install the packages ``prosody`` and
+``prosody-modules``; on jessie the versions in backports were needed,
+but currently not on buster.
+
+You also need to setup some TLS certificates (I used `Let's Encrypt`_);
+and make them readable by the ``prosody`` user; you can see `Chapter 12
+of the RTC QuickStart Guide
+<http://rtcquickstart.org/guide/multi/xmpp-server-prosody.html>`_ for
+more details.
+
+With prosody 0.10+ you will also need to configure the location of the
+certificate for https with a configuration stanza such as::
+
+ https_ssl = {
+ certificate = "/etc/ssl/public/example.org.pem";
+ key = "/etc/ssl/private/example.org-key.pem";
+ }
+
+or see the `prosody documentation on certificates
+<https://prosody.im/doc/certificates>`_ to see where to put certificates
+so that prosody is able to autodetect them.
+
+.. _`Let's Encrypt`: https://letsencrypt.org/
+
+On your firewall, you'll need to open the following TCP ports:
+
+* 5222 (client2server)
+* 5269 (server2server)
+* 5280 (default http port for prosody)
+* 5281 (default https port for prosody)
+
+The latter two are needed to enable some services provided via http(s),
+including rich media transfers.
+
+With just a handful of users, I didn't bother to configure LDAP or
+anything else, but just created users manually via::
+
+ prosodyctl adduser alice@example.org
+
+In-band registration is disabled by default (and I've left it that way,
+to prevent my server from being used to send spim_).
+
+.. _spim: https://en.wikipedia.org/wiki/Messaging_spam
+
+prosody configuration
+---------------------
+
+You can then start configuring prosody by editing
+``/etc/prosody/prosody.cfg.lua`` and changing a few values from the
+distribution defaults.
+
+First of all, enforce the use of encryption and certificate checking
+both for client2server and server2server communications with::
+
+ c2s_require_encryption = true
+ s2s_secure_auth = true
+
+and then, if you need to, add to the whitelist any server that you want
+to talk to and doesn't support secure s2s communication (but note that
+gmail.com is no longer needed, as it doesn't support xmpp any longer)::
+
+ s2s_insecure_domains = { "gmail.com" }
+
+virtualhosts
+------------
+
+For each virtualhost you want to configure, create a file
+``/etc/prosody/conf.avail/chat.example.org.cfg.lua`` with contents like
+the following::
+
+ VirtualHost "chat.example.org"
+ enabled = true
+ ssl = {
+ key = "/etc/ssl/private/example.org-key.pem";
+ certificate = "/etc/ssl/public/example.org.pem";
+ }
+
+For the domains where you also want to enable MUCs, add the follwing
+lines::
+
+ Component "conference.chat.example.org" "muc"
+ restrict_room_creation = "local"
+ modules_enabled = {
+ "mam_muc",
+ "vcard_muc",
+ }
+
+the ``"local"`` configures prosody so that only local users are allowed
+to create new rooms (but then everybody can join them, if the room
+administrator allows it): this may help reduce unwanted usages of your
+server by random people.
+
+Enabling the ``mam_muc`` module (on prosody 0.10 only) allows people to
+syncronize message history between multiple clients (XEP-0313)
+
+You can also add the following line to enable rich media transfers via
+http uploads (XEP-0363_)::
+
+ Component "upload.chat.example.org" "http_upload"
+
+The defaults are pretty sane, but see
+https://modules.prosody.im/mod_http_upload.html for details on what
+knobs you can configure for this module; you may want e.g. to change the
+maximum file size limit and setup an expiry date::
+
+ Component "upload.chat.example.org" "http_upload"
+ http_upload_file_size_limit = 1024 * 1024 * 2
+ http_upload_expire_after = 60 * 60 * 24 * 7
+
+.. _XEP-0363: https://xmpp.org/extensions/xep-0363.html
+
+Don't forget to enable the virtualhost by linking the file inside
+``/etc/prosody/conf.d/``.
+
+additional modules
+------------------
+
+Most of the other interesting XEPs are enabled by loading additional
+modules inside ``/etc/prosody/prosody.cfg.lua`` (under
+``modules_enabled``); to enable ``mod_something`` just add a line like::
+
+ "something";
+
+Most of these come from the ``prosody-modules`` package (and thus from
+https://modules.prosody.im/ ) and some may require changing when prosody
+0.10 will be available; when this is the case it is mentioned below.
+
+``mod_blocklist`` (XEP-0191)
+ To allow user-controlled blocking of users, including as an anti-spim
+ measure.
+``mod_smacks`` (XEP-0198)
+ Allow clients to resume a disconnected session before a customizable
+ timeout and prevent message loss.
+``mod_mam`` (XEP-0313)
+ Archive messages on the server for a limited period of time (default
+ 1 week) and allow clients to retrieve them; this is required to
+ syncronize message history between multiple clients.
+
+ With prosody 0.9 only an in-memory storage backend is available,
+ which may make this module problematic on servers with many users.
+ prosody 0.10 will fix this by adding support for an SQL backed
+ storage with archiving capabilities.
+``mod_throttle_presence`` + ``mod_filter_chatstates`` (XEP-0352)
+ Filter out presence updates and chat states when the client announces
+ (via Client State Indication) that the user isn't looking.
+ This is useful to reduce power and bandwidth usage for "useless"
+ traffic.
+``cloud_notify`` (XEP-0357)
+ Allow clients to register an “app server” that is notified about new
+ messages
+
+See also
+========
+
+* `The State of Mobile XMPP in 2016 <https://gultsch.de/xmpp_2016.html>`_
+ (blog post by the maintainer of Conversations)
+* `Prosody installation instructions in the FreedomBox wiki
+ <https://wiki.debian.org/FreedomBox/Configs/Prosody>`_
+ (for basic prosody configuration)
+* `What Prosody modules do I need to support Conversations?
+ <https://serverfault.com/questions/835635/what-prosody-modules-do-i-need-to-support-conversations/835636>`_
+ (on Server Fault)
+* `This HOWTO on my old website
+ <https://www.trueelena.org/computers/howto/modern_xmpp_server.html>`_
+* `Enrico's post on how we configured the server before compliance.conversations.im was a thing <http://www.enricozini.org/blog/2017/debian/modern-and-secure-instant-messaging/>`_
+
+..
+ vim: set filetype=rst: