From 90d7c5f40f49497a4b78e00a29c1601982c4d3ff Mon Sep 17 00:00:00 2001 From: Elena ``of Valhalla'' Grandi Date: Fri, 1 Dec 2023 15:11:26 +0100 Subject: Upgrade xmpp server instructions to bookworm --- source/self_hosting/modern_xmpp_server/index.rst | 95 +++++++++++++++++------- 1 file changed, 70 insertions(+), 25 deletions(-) (limited to 'source') diff --git a/source/self_hosting/modern_xmpp_server/index.rst b/source/self_hosting/modern_xmpp_server/index.rst index 3f752e9..79977d4 100644 --- a/source/self_hosting/modern_xmpp_server/index.rst +++ b/source/self_hosting/modern_xmpp_server/index.rst @@ -7,8 +7,9 @@ supported in Debian `_ and 100% compliant with the `tests for XEP-0459: XMPP Compliance Suites 2022 on conversations' website `_. -This guide was written for prosody 0.9 under Debian jessie, but is being -kept up to date as I upgrade my server to new Debian releases. +This guide was originally written for prosody 0.9 under Debian jessie, +but is being kept up to date as I upgrade my server to new Debian +releases. .. only:: html @@ -26,7 +27,7 @@ reached with ejabberd_ and other servers. .. _ejabberd: https://www.ejabberd.im/ I'm also targetting Debian_ stable (+ backports_); currently that's -bullseye and prosody 0.11 (upgrade to bookworm is planned soon). +bookworm and prosody 0.12. .. _Debian: https://www.debian.org .. _backports: https://backports.debian.org/ @@ -35,9 +36,8 @@ bullseye and prosody 0.11 (upgrade to bookworm is planned soon). Installation and prerequisites ------------------------------ -You will need to install the packages ``prosody`` and -``prosody-modules``; on jessie the versions in backports were needed, -but currently not on buster. +You will need to install the packages ``prosody``, ``prosody-modules``, +and ``coturn``. You also need to setup some TLS certificates (I used `Let's Encrypt`_); and make them readable by the ``prosody`` user; you can see `Chapter 12 
@@ -52,6 +52,10 @@ certificate for https with a configuration stanza such as:: certificate = "/etc/ssl/public/example.org.pem"; key = "/etc/ssl/private/example.org-key.pem"; } + legacy_ssl_ssl = { + certificate = "/etc/ssl/public/example.org.pem"; + key = "/etc/ssl/private/example.org-key.pem"; + } or see the `prosody documentation on certificates `_ to see where to put certificates @@ -62,11 +66,17 @@ so that prosody is able to autodetect them. On your firewall, you'll need to open the following TCP ports: * 5222 (client2server) +* 5223 (client2server, https) * 5269 (server2server) * 5280 (default http port for prosody) * 5281 (default https port for prosody) +* 3478 (coturn) + +As well as the following port for UDP -The latter two are needed to enable some services provided via http(s), +* 3478 (coturn) + +The http ports are needed to enable some services provided via http(s), including rich media transfers. With just a handful of users, I didn't bother to configure LDAP or @@ -74,11 +84,6 @@ anything else, but just created users manually via:: prosodyctl adduser alice@example.org -In-band registration is disabled by default (and I've left it that way, -to prevent my server from being used to send spim_). - -.. _spim: https://en.wikipedia.org/wiki/Messaging_spam - prosody configuration --------------------- 
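Review bot: The added `legacy_ssl_ssl` block uses the older option name although the guide now targets prosody 0.12, where (as far as I know) the direct-TLS settings are documented as `c2s_direct_tls_ssl` and `c2s_direct_tls_ports`. Please confirm against the 0.12 documentation and either switch the name or state that the legacy spelling is intentional. The text also never says that the direct-TLS port has to be enabled for this stanza to matter; a sentence such as `This is only used when the direct TLS port (5223) is enabled.` would close that gap. The enclosing certificate stanza starts above the hunk, so the block that the first certificate/key pair belongs to is not visible here.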
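Review bot: The new list entry `5223 (client2server, https)` mislabels the port: 5223 carries XMPP client connections over direct TLS, not HTTP, so `* 5223 (client2server, direct TLS)` would be clearer for whoever writes the firewall rules. The list still asks readers to open 5280, which is the unencrypted HTTP listener. Consider recommending only 5281 on the public side; my understanding is that prosody 0.12 binds 5280 to loopback by default, which is worth verifying before the text is changed.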
@@ -86,18 +91,55 @@ You can then start configuring prosody by editing ``/etc/prosody/prosody.cfg.lua`` and changing a few values from the distribution defaults. -First of all, enforce the use of encryption and certificate checking -both for client2server and server2server communications with:: +First of all, enforce the use of certificate checking for server2server +communications with:: - c2s_require_encryption = true s2s_secure_auth = true and then, if you need to, add to the whitelist any server that you want to talk to and doesn't support secure s2s communication (but note that -gmail.com is no longer needed, as it doesn't support xmpp any longer):: +gmail.com is no longer needed nor useful, as it doesn't support xmpp any +longer):: s2s_insecure_domains = { "gmail.com" } +Also add at least an user (that you have already created with ``prosodyctl +adduser`` as described above) as an admin:: + + admins = { "alice@example.org" } + +disabling in-band registration +------------------------------- + +``mod_register`` is now enabled by default to provide password changing +services, but unless you have the resources to moderate new users you +probably want to disable registration to prevent the server from being +used to send spim_; to do so add the line:: + + allow_registration = false + +.. _spim: https://en.wikipedia.org/wiki/Messaging_spam + +TURN/STUN +--------- + +Support for video calls requires an external STUN / TURN server such as +coturn_, which can be installed on the same machine; its configuration +require setting a realm and a secret for auth in +``/etc/turnserver.conf``:: + + realm=turn.chat.example.org + use-auth-secret + static-auth-secret= + +And then you will have to set the same values in +``/etc/prosody/prosody.cfg.lua``:: + + turncredentials_host = 'turn.chat.example.org' + turncredentials_secret = '' + +.. _coturn: https://github.com/coturn/coturn/ + virtualhosts ------------ 
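Review bot: The TURN/STUN section shows `static-auth-secret=` and `turncredentials_secret = ''` without saying how the value should be chosen or protected, and anyone who learns this shared secret can obtain valid TURN credentials and relay traffic through the server. I would add a sentence such as `Generate the secret from a random source (e.g. openssl rand -hex 32) and keep both configuration files unreadable to other local users.` Since coturn runs on the same machine, a pointer to its peer restrictions (`denied-peer-ip`, `no-multicast-peers`) would also help, so that the relay cannot be used to reach loopback or private addresses. Separately, the hunk drops `c2s_require_encryption = true` and narrows the prose to server2server; if that relies on the 0.12 default, say so explicitly, e.g. `Client encryption is required by default since 0.12.`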
@@ -159,15 +201,8 @@ modules inside ``/etc/prosody/prosody.cfg.lua`` (under "something"; Most of these come from the ``prosody-modules`` package (and thus from -https://modules.prosody.im/ ) and some may require changing when prosody -0.10 will be available; when this is the case it is mentioned below. - -``mod_blocklist`` (XEP-0191) - To allow user-controlled blocking of users, including as an anti-spim - measure. -``mod_smacks`` (XEP-0198) - Allow clients to resume a disconnected session before a customizable - timeout and prevent message loss. +https://modules.prosody.im/ ). + ``mod_mam`` (XEP-0313) Archive messages on the server for a limited period of time (default 1 week) and allow clients to retrieve them; this is required to @@ -186,6 +221,16 @@ https://modules.prosody.im/ ) and some may require changing when prosody Allow clients to register an “app server” that is notified about new messages +Proxied file transfers +---------------------- + +To enable proxied file transfers for clients behind NAT or firewalls, +you need to add ``"proxy65";`` to the list of additional modules, and +then enable it in at least one virtual host with the lines:: + + Component "proxy.chat.trueelena.org" "proxy65" + proxy65_address = "proxy.chat.trueelena.org" + See also ======== -- cgit v1.2.3
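Review bot: The proxy65 example hard-codes `proxy.chat.trueelena.org`, while the other examples visible in this patch use `example.org` placeholders (`alice@example.org`, `turn.chat.example.org`); readers who paste it verbatim would advertise someone else's host as their file-transfer proxy. Suggest `Component "proxy.chat.example.org" "proxy65"` and `proxy65_address = "proxy.chat.example.org"`. The section also does not mention that the proxy listens on its own TCP port (5000 by default, if I remember correctly), which is absent from the firewall list earlier in the patch.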