Mein XMPP-Server ist vor einiger Zeit mal wieder durch den Compliance-Test gefallen, da das Modul für XEP-0156 schlapp gemacht hatte. Nun konnte ich die freien Tage über den Jahreswechsel nutzen und den Fehler fixen. Damit die Konfiguration nicht verloren geht, möchte ich diese hier kurz festhalten.
Zur Ausstattung
Mein XMPP-Server läuft unter Prosody 0.11.10 auf Debian 11 Bullseye. Als Webserver wird Apache2 eingesetzt.
Konfiguration
So sieht der VirtualHost aus:
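<VirtualHost *:80>
    # Plain-HTTP listener: its only job is to send clients to the TLS vhost below.
    ServerAdmin info@intux.de
    ServerName intux.de
    ServerAlias www.intux.de
    DocumentRoot /var/www/html/intux
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    # No TLS is negotiated on :80, so the SSL_* fields of this log are always "-";
    # kept only because it mirrors the :443 vhost.
    CustomLog /var/log/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    RewriteEngine On
    # Redirect to HTTPS only for our own names (certbot-style rule).
    # The former unconditional rule in front of it ("RewriteCond %{HTTPS} !=on"
    # redirecting to https://%{HTTP_HOST}...) was dropped: it matched every request,
    # so this guarded rule was unreachable, and it copied whatever Host header the
    # client sent into the Location header.
    RewriteCond %{SERVER_NAME} =intux.de [OR]
    RewriteCond %{SERVER_NAME} =www.intux.de
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>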
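<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin info@intux.de
    ServerName intux.de
    ServerAlias www.intux.de
    DocumentRoot /var/www/html/intux
    # h2c (cleartext HTTP/2) cannot be negotiated on a TLS listener; the entry is inert here.
    Protocols h2 h2c http/1.1

    # BOSH endpoint (XEP-0124/0206), reverse-proxied to Prosody's HTTP port.
    # Apache 2.4 access control: "Require all granted" replaces the 2.2-era
    # "Order allow,deny / Allow from all", which only keeps working while
    # mod_access_compat is loaded.
    <Location /http-bind>
        Require all granted
    </Location>
    RewriteEngine On
    # Backend is reached over plain HTTP via the public host name; the websocket
    # proxy further down uses localhost:5280 for the same Prosody instance, so the
    # same address here would avoid depending on DNS for intux.de.
    RewriteRule ^/http-bind$ http://intux.de:5280/http-bind [P,L]

    # XEP-0156 discovery files (static host-meta / host-meta.json) must be readable
    # cross-origin by web clients hosted on other domains.
    <Location ~ "/\.well-known/host-meta(\.json)?">
        Header set Access-Control-Allow-Origin "*"
    </Location>
    # NOTE: this vhost-wide header already covers host-meta and /http-bind, but it
    # also applies to every other path under the DocumentRoot; narrow it to the XMPP
    # endpoints if unrelated content is served from this vhost.
    Header set Access-Control-Allow-Origin "*"
    # One-year HSTS; "always" also attaches it to error responses.
    Header always set Strict-Transport-Security "max-age=31536000"

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    CustomLog /var/log/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    # Protocol/cipher policy comes from the certbot-managed include.
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/intux.de-0003/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/intux.de-0003/privkey.pem
</VirtualHost>
</IfModule>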
<IfModule mod_proxy.c>
<IfModule mod_proxy_wstunnel.c>
# NOTE: this block sits outside both VirtualHosts, so the websocket proxy is
# defined server-wide, i.e. also for the plain :80 listener, where only the
# redirect-to-HTTPS rewrite keeps ws:// clients out. Moving it into the :443
# vhost would make that explicit.
# Idle timeout in seconds for proxied connections; overrides the server default
# so long-lived XMPP websocket sessions are not cut.
ProxyTimeout 900
<Location "/xmpp-websocket">
# Pass the client's Host header through so Prosody sees the XMPP domain.
ProxyPreserveHost On
# Backend is reached over plain ws:// on localhost; TLS terminates in Apache,
# which is why prosody.cfg.lua sets consider_websocket_secure.
ProxyPass "ws://localhost:5280/xmpp-websocket"
</Location>
</IfModule>
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
Hier die host-meta:
<?xml version='1.0' encoding='utf-8'?>
<!-- XEP-0156 (Discovering Alternative XMPP Connection Methods) document,
     served by Apache under /.well-known/host-meta (see the Location block
     in the :443 vhost). Both hrefs point at the Apache proxy endpoints,
     not at Prosody's port 5280 directly. -->
<XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'>
<!-- BOSH endpoint (XEP-0124/0206) -->
<Link rel="urn:xmpp:alt-connections:xbosh"
href="https://intux.de/http-bind" />
<!-- WebSocket endpoint (RFC 7395); explicit :443 is redundant but harmless -->
<Link rel="urn:xmpp:alt-connections:websocket"
href="wss://intux.de:443/xmpp-websocket" />
</XRD>
Die Konfiguration der prosody.cfg.lua:
-- Process and storage basics (global section of prosody.cfg.lua).
pidfile = "/var/run/prosody/prosody.pid"
-- Default storage backend for all stores is MySQL via the "sql" driver.
storage = "sql"
sql = {
driver = "MySQL";
database = "prosody";
host = "localhost";
-- Placeholder credentials. The real values live in clear text in this file,
-- so it must stay readable only by root and the prosody user.
username = "bn";
password = "pw";
}
-- Additional module directory (prosody-modules community tree) searched
-- besides the modules shipped with Prosody 0.11.
plugin_paths = { "/usr/lib/prosody/prosody-modules" }
-- JIDs with admin rights (used by admin_adhoc / admin_web below).
admins = {"intux@intux.de" }
-- Modules loaded on every host. Order does not matter; comments group them by purpose.
modules_enabled = {
-- Core client/server features
"roster";
"saslauth";
"tls";
"dialback";
"disco";
"private";
"blocklist";
"version";
"uptime";
"time";
"ping";
-- Daemon/pidfile handling on Unix
"posix";
"pep";
-- In-band registration (XEP-0077); policy is set by allow_registration & co. below
"register";
"admin_adhoc";
"motd";
"welcome";
-- SOCKS5 bytestream proxy (XEP-0065), configured as a Component further down
"proxy65";
"watchregistrations";
-- Web frontends
"register_web";
"admin_web";
-- File upload (XEP-0363) handled by an external upload service
"http_upload_external";
-- Archiving and mobile-friendliness: MAM, client state indication, carbons,
-- stream management, push notifications
"mam";
"csi";
"carbons";
"smacks";
"lastlog";
"cloud_notify";
"omemo_all_access";
-- XEP-0157 contact addresses, filled from contact_info below
"server_contact_info";
"profile";
-- NOTE(review): vcard_legacy (shipped with 0.11) and the older community
-- pep_vcard_avatar cover overlapping ground; check that both are really needed.
"vcard_legacy";
"pep_vcard_avatar";
-- HTTP-facing endpoints that Apache proxies (websocket, bosh) and the
-- XEP-0156 alternative-connection advertisement (http_altconnect)
"websocket";
"bookmarks";
"bosh";
"http_altconnect";
-- Short-lived TURN credentials (XEP-0215) for A/V calls
"turncredentials";
}
log = {
-- NOTE(review): debug level is very verbose and includes stanza payloads, so
-- message content ends up on disk even though MAM archiving is opt-in below.
-- "info" is the usual production level; debug is fine while troubleshooting.
debug = "/var/log/prosody/prosody.log";
error = "/var/log/prosody/prosody.err";
}
-- Direct-TLS ("XMPPS") on 5223 for clients that cannot use STARTTLS.
legacy_ssl_ports = { 5223 }
-- MAM (XEP-0313): archiving is off unless the user enables it; archived
-- messages are kept for one month.
default_archive_policy = false;
archive_expires_after = "1m";
-- Refuse unencrypted client and server-to-server connections and require
-- valid certificates from every peer. With s2s_secure_auth = true the
-- s2s_secure_domains list adds nothing; s2s_insecure_domains would be the
-- exceptions, and it is deliberately empty.
c2s_require_encryption = true
s2s_require_encryption = true
s2s_secure_auth = true
s2s_secure_domains = { "trashserver.net", "jabber.de", "jabber.org", "xmpp.org" }
s2s_insecure_domains = {}
-- External upload service (mod_http_upload_external): the upload script must use
-- the same secret. It is stored in clear text here; if this is the deployed value
-- rather than a placeholder, rotate it now that the config has been published.
http_upload_external_base_url = "https://upload.intux.de/upload/"
http_upload_external_secret = "prosody2016."
-- Upload size limit in bytes (10 MB).
http_upload_external_file_size_limit = 10000000
-- Port the proxy65 Component listens on.
proxy65_ports = { 5212 }
-- Passwords are stored as salted hashes, not in plain text.
authentication = "internal_hashed"
-- TURN server for mod_turncredentials; the secret must match the shared secret
-- configured on the TURN server. Same remark as above: rotate it if it is real.
turncredentials_host = "cloud.intux.de"
turncredentials_secret = "18c5a842b57336a16c97255c4fc1aeb5336e3b6a9254b6bd148d789d8a740779"
turncredentials_port = 5349
-- WebSocket and BOSH are terminated by Apache over TLS, so tell Prosody to treat
-- them as secure, and allow cross-origin use (matches the Apache ACAO header).
consider_websocket_secure = true;
cross_domain_websocket = true;
consider_bosh_secure = true;
cross_domain_bosh = true;
-- Open registration, throttled to one account per IP every 5 minutes, with a
-- static list of source addresses that are refused outright.
allow_registration = true
min_seconds_between_registrations = 300
registration_blacklist = { "83.218.198.86", "109.185.243.100", "93.114.0.93", "93.114.11.136", "92.114.216.80" }
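-- TLS settings shared by c2s, s2s and legacy_ssl_ports. The key/certificate
-- paths differ from the Let's Encrypt files Apache uses, so presumably they are
-- copies made readable for the prosody user — verify they are renewed together.
ssl = {
-- "tlsv1_2" alone pins exactly TLS 1.2 and shuts out TLS 1.3; Prosody's "+"
-- suffix means "this version and newer", which is the intended minimum-version
-- semantics and lets TLS 1.3 be negotiated where the library supports it.
protocol = "tlsv1_2+";
key = "/etc/prosody/certs/privkey.pem";
certificate = "/etc/prosody/certs/fullchain.pem";
-- 4096-bit DH group for the EDH+aRSA suites in the cipher list.
dhparam = "/etc/prosody/certs/dh-4096.pem";
-- Forward-secret suites only (EECDH/EDH) with AEAD or SHA-2 MACs; export, NULL,
-- RC4, 3DES, MD5 and the PSK/SRP/DSS families are excluded, as are the AES-128
-- and Camellia-128 suites.
ciphers = "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128";
-- No SSLv2/SSLv3, no session tickets, no compression; server picks the suite;
-- fresh DH/ECDH keys per handshake.
options = { "no_sslv2", "no_sslv3", "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use" }
}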
-- Contact addresses published via mod_server_contact_info (XEP-0157).
-- Each key is an address type; values are URIs (mailto: and xmpp:).
contact_info = {
abuse = { "mailto:abuse@intux.de", "xmpp:intux@intux.de" };
admin = { "mailto:admin@intux.de", "xmpp:intux@intux.de" };
feedback = { "mailto:admin@intux.de", "xmpp:intux@intux.de" };
sales = { "mailto:admin@intux.de", "xmpp:intux@intux.de" };
-- Address other operators use to report vulnerabilities in this deployment.
security = { "mailto:admin@intux.de", "xmpp:intux@intux.de" };
-- Only xmpp: URIs here, unlike the entries above; verify that is intended.
support = { "xmpp:admin@intux.de", "xmpp:intux@intux.de" };
}
-- Everything above is global; from here on each setting belongs to the
-- VirtualHost or Component line that precedes it.
VirtualHost "intux.de"
-- SOCKS5 bytestream proxy (XEP-0065), usable by local users only.
Component "proxy.intux.de" "proxy65"
proxy65_acl = { "intux.de" }
-- Multi-user chat (XEP-0045). With restrict_room_creation = false anyone may
-- create rooms, including users of remote servers.
Component "conference.intux.de" "muc"
name = "intux.de Chatrooms"
restrict_room_creation = false
-- Upper bound on the history a room replays to a joining occupant.
max_history_messages = 500
-- Extra modules for this component: MUC archiving and room vCards.
modules_enabled = {
"mam_muc",
"vcard_muc",
}
-- Room archiving stays off unless a room owner enables it.
muc_log_by_default = false
Compliance status for intux.de 100%.