path: root/source/self_hosting
Diffstat (limited to 'source/self_hosting')
-rw-r--r-- source/self_hosting/modern_xmpp_server/index.rst | 95
1 files changed, 70 insertions, 25 deletions
diff --git a/source/self_hosting/modern_xmpp_server/index.rst b/source/self_hosting/modern_xmpp_server/index.rst
index 3f752e9..79977d4 100644
--- a/source/self_hosting/modern_xmpp_server/index.rst
+++ b/source/self_hosting/modern_xmpp_server/index.rst
@@ -7,8 +7,9 @@ supported in Debian <https://www.debian.org/security/>`_ and 100%
compliant with the `tests for XEP-0459: XMPP Compliance Suites 2022 on
conversations' website <https://compliance.conversations.im>`_.
-This guide was written for prosody 0.9 under Debian jessie, but is being
-kept up to date as I upgrade my server to new Debian releases.
+This guide was originally written for prosody 0.9 under Debian jessie,
+but is being kept up to date as I upgrade my server to new Debian
+releases.
.. only:: html
@@ -26,7 +27,7 @@ reached with ejabberd_ and other servers.
.. _ejabberd: https://www.ejabberd.im/
I'm also targetting Debian_ stable (+ backports_); currently that's
-bullseye and prosody 0.11 (upgrade to bookworm is planned soon).
+bookworm and prosody 0.12.
.. _Debian: https://www.debian.org
.. _backports: https://backports.debian.org/
@@ -35,9 +36,8 @@ bullseye and prosody 0.11 (upgrade to bookworm is planned soon).
Installation and prerequisites
------------------------------
-You will need to install the packages ``prosody`` and
-``prosody-modules``; on jessie the versions in backports were needed,
-but currently not on buster.
+You will need to install the packages ``prosody``, ``prosody-modules``,
+and ``coturn``.
You also need to setup some TLS certificates (I used `Let's Encrypt`_);
and make them readable by the ``prosody`` user; you can see `Chapter 12
@@ -52,6 +52,10 @@ certificate for https with a configuration stanza such as::
certificate = "/etc/ssl/public/example.org.pem";
key = "/etc/ssl/private/example.org-key.pem";
}
+ legacy_ssl_ssl = {
+ certificate = "/etc/ssl/public/example.org.pem";
+ key = "/etc/ssl/private/example.org-key.pem";
+ }
or see the `prosody documentation on certificates
<https://prosody.im/doc/certificates>`_ to see where to put certificates
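Review bot: the new `legacy_ssl_ssl` stanza at the end of this hunk supplies a certificate for the legacy direct-TLS service on 5223, but nothing in the patch shows that service being switched on in prosody.cfg.lua (`"legacy_ssl"` in the modules list, or, on prosody 0.12, the stated target, `c2s_direct_tls_ports = { 5223 }` for mod_c2s, which has superseded mod_legacy_ssl); without one of those this is dead configuration and the 5223 firewall rule added later opens a port nothing listens on. The stanza also repeats the exact paths of the preceding https stanza; when one certificate covers every service, a single global `ssl = { ... }` section (or the automatic discovery referenced two lines below) avoids a second copy to forget at renewal time.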
@@ -62,11 +66,17 @@ so that prosody is able to autodetect them.
On your firewall, you'll need to open the following TCP ports:
* 5222 (client2server)
+* 5223 (client2server, https)
* 5269 (server2server)
* 5280 (default http port for prosody)
* 5281 (default https port for prosody)
+* 3478 (coturn)
+
+As well as the following port for UDP
-The latter two are needed to enable some services provided via http(s),
+* 3478 (coturn)
+
+The http ports are needed to enable some services provided via http(s),
including rich media transfers.
With just a handful of users, I didn't bother to configure LDAP or
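Review bot: the UDP list only opens 3478, but a TURN server also needs its relay port range reachable over UDP (coturn's `min-port`/`max-port`, 49152-65535 unless changed in turnserver.conf); with only 3478 open, STUN binding works but relayed media for callers behind NAT does not, so either add that range or set a narrow `min-port`/`max-port` and open that. Two smaller points: the label on `* 5223 (client2server, https)` is misleading, since 5223 is direct TLS for XMPP clients (XEP-0368), not HTTP, and `As well as the following port for UDP` should end with a colon like the TCP sentence above it.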
@@ -74,11 +84,6 @@ anything else, but just created users manually via::
prosodyctl adduser alice@example.org
-In-band registration is disabled by default (and I've left it that way,
-to prevent my server from being used to send spim_).
-
-.. _spim: https://en.wikipedia.org/wiki/Messaging_spam
-
prosody configuration
---------------------
@@ -86,18 +91,55 @@ You can then start configuring prosody by editing
``/etc/prosody/prosody.cfg.lua`` and changing a few values from the
distribution defaults.
-First of all, enforce the use of encryption and certificate checking
-both for client2server and server2server communications with::
+First of all, enforce the use of certificate checking for server2server
+communications with::
- c2s_require_encryption = true
s2s_secure_auth = true
and then, if you need to, add to the whitelist any server that you want
to talk to and doesn't support secure s2s communication (but note that
-gmail.com is no longer needed, as it doesn't support xmpp any longer)::
+gmail.com is no longer needed nor useful, as it doesn't support xmpp any
+longer)::
s2s_insecure_domains = { "gmail.com" }
+Also add at least an user (that you have already created with ``prosodyctl
+adduser`` as described above) as an admin::
+
+ admins = { "alice@example.org" }
+
+disabling in-band registration
+-------------------------------
+
+``mod_register`` is now enabled by default to provide password changing
+services, but unless you have the resources to moderate new users you
+probably want to disable registration to prevent the server from being
+used to send spim_; to do so add the line::
+
+ allow_registration = false
+
+.. _spim: https://en.wikipedia.org/wiki/Messaging_spam
+
+TURN/STUN
+---------
+
+Support for video calls requires an external STUN / TURN server such as
+coturn_, which can be installed on the same machine; its configuration
+require setting a realm and a secret for auth in
+``/etc/turnserver.conf``::
+
+ realm=turn.chat.example.org
+ use-auth-secret
+ static-auth-secret=<a long random string>
+
+And then you will have to set the same values in
+``/etc/prosody/prosody.cfg.lua``::
+
+ turncredentials_host = 'turn.chat.example.org'
+ turncredentials_secret = '<the same long string as above>'
+
+.. _coturn: https://github.com/coturn/coturn/
+
virtualhosts
------------
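Review bot: dropping `c2s_require_encryption = true` from the first configuration step weakens what the guide tells readers to enforce without saying why; if the reason is that prosody 0.12 already defaults to requiring encryption on client connections, state that in the text (and preferably keep the explicit line, since readers on other versions paste this stanza verbatim), because the rewritten sentence now only mentions server-to-server certificate checking. In the TURN/STUN section, `turncredentials_host` and `turncredentials_secret` are the option names of the community `mod_turncredentials`; prosody 0.12 bundles `mod_turn_external` (options `turn_external_host` and `turn_external_secret`), and whichever module is meant has to be listed in `modules_enabled`, which this hunk never mentions, so the two settings alone do nothing. For `static-auth-secret=<a long random string>` it is worth telling the reader how to generate it (for instance `openssl rand -hex 32`) and pairing `use-auth-secret` with coturn's relay restrictions (`no-multicast-peers` and `denied-peer-ip=` entries for loopback and RFC 1918 ranges), since a TURN server that hands credentials to every local user will otherwise relay traffic into the host's own network. Two minor points: the prose says the `gmail.com` entry is neither needed nor useful, yet the example still lists it, so a placeholder domain would avoid readers pasting a whitelist entry for a real host; and `at least an user` should read `a user`.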
@@ -159,15 +201,8 @@ modules inside ``/etc/prosody/prosody.cfg.lua`` (under
"something";
Most of these come from the ``prosody-modules`` package (and thus from
-https://modules.prosody.im/ ) and some may require changing when prosody
-0.10 will be available; when this is the case it is mentioned below.
-
-``mod_blocklist`` (XEP-0191)
- To allow user-controlled blocking of users, including as an anti-spim
- measure.
-``mod_smacks`` (XEP-0198)
- Allow clients to resume a disconnected session before a customizable
- timeout and prevent message loss.
+https://modules.prosody.im/ ).
+
``mod_mam`` (XEP-0313)
Archive messages on the server for a limited period of time (default
1 week) and allow clients to retrieve them; this is required to
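Review bot: the `mod_blocklist` and `mod_smacks` entries are deleted together with the obsolete 0.10 remark, but nothing replaces them, so a reader of the old guide cannot tell whether to keep `"blocklist"` and `"smacks"` in `modules_enabled`; if the reason is that prosody 0.12 ships both in core (mod_smacks moved into the distribution in 0.12) and already lists them in its default configuration, a one-line note saying so would make that clear. The anti-spim role of blocklist (XEP-0191) is also worth keeping in the text, since the new registration section leans on that argument.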
@@ -186,6 +221,16 @@ https://modules.prosody.im/ ) and some may require changing when prosody
Allow clients to register an “app server” that is notified about new
messages
+Proxied file transfers
+----------------------
+
+To enable proxied file transfers for clients behind NAT or firewalls,
+you need to add ``"proxy65";`` to the list of additional modules, and
+then enable it in at least one virtual host with the lines::
+
+ Component "proxy.chat.trueelena.org" "proxy65"
+ proxy65_address = "proxy.chat.trueelena.org"
+
See also
========
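Review bot: the proxy65 instructions contradict themselves: a `Component` definition is a top-level section of prosody.cfg.lua that is neither placed inside a VirtualHost nor added to `modules_enabled`, so "add ``"proxy65";`` to the list of additional modules, and then enable it in at least one virtual host" should become "add a Component section after your VirtualHost definitions". Three follow-ups: the example uses the author's real domain `proxy.chat.trueelena.org` where the rest of the guide uses example.org; mod_proxy65 listens on TCP 5000 by default (`proxy65_port`), which is missing from the firewall list added earlier in this patch; and without `proxy65_acl` the proxy relays for any JID that can reach it over s2s, so restricting it to the local domain is advisable on a server with only a handful of users.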