XEP-0156 reparieren
Mein XMPP-Server ist vor einiger Zeit mal wieder durch den Compliance-Test gefallen, da das Modul XEP-0156 schlapp gemacht hatte. Nun konnte ich die freien Tage über den Jahreswechsel nutzen und den Fehler fixen. Damit die Konfiguration nicht verloren geht, möchte ich diese hier kurz festhalten.
Zur Ausstattung
Mein XMPP-Server läuft unter Prosody 0.11.10 auf Debian 11 Bullseye. Als Webserver wird Apache2 eingesetzt.
Konfiguration
So sieht der VirtualHost aus:
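# Port 80: every request is redirected to HTTPS. The RewriteRule below already
# matches every request on this vhost (HTTPS is never "on" here), so the second,
# SERVER_NAME-based redirect that used to follow it could never be reached and
# has been dropped.
<VirtualHost *:80>
    ServerName intux.de
    ServerAlias www.intux.de
    ServerAdmin info@intux.de
    DocumentRoot /var/www/html/intux

    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    # %{HTTP_HOST} echoes the client-supplied Host header into the redirect;
    # that is harmless for the names this vhost serves but becomes a redirect
    # to an arbitrary host if this is also the default vhost — NOTE(review):
    # use %{SERVER_NAME} with "UseCanonicalName On" if that matters here.
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    CustomLog /var/log/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName intux.de
    ServerAlias www.intux.de
    ServerAdmin info@intux.de
    DocumentRoot /var/www/html/intux

    # h2c (cleartext HTTP/2) can never be negotiated on a TLS vhost; it is left
    # in the list only because it is harmless.
    Protocols h2 h2c http/1.1

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/intux.de-0003/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/intux.de-0003/privkey.pem

    # HSTS for one year. includeSubDomains/preload are not set; add them only
    # once every subdomain (upload., cloud., ...) is served over HTTPS only.
    Header always set Strict-Transport-Security "max-age=31536000"

    # Site-wide CORS. A wildcard origin never lets browsers attach credentials,
    # but it applies to every path on this vhost, not only to host-meta and
    # /http-bind. Narrow it to those two locations if other content lives here.
    Header set Access-Control-Allow-Origin "*"

    # XEP-0156 discovery file (host-meta and host-meta.json). Web clients fetch
    # it cross-origin, so this header stays required even if the site-wide one
    # above is ever removed.
    <Location ~ "/\.well-known/host-meta(\.json)?">
        Header set Access-Control-Allow-Origin "*"
    </Location>

    # BOSH (XEP-0124/0206). Debian 11 ships Apache 2.4: "Require all granted"
    # replaces the 2.2-era "Order allow,deny / Allow from all", which only keeps
    # working while mod_access_compat happens to be loaded.
    <Location /http-bind>
        Require all granted
    </Location>
    RewriteEngine On
    # Proxy to Prosody over loopback, exactly like the WebSocket block below,
    # instead of sending the plaintext BOSH hop out via the public hostname.
    # Needs mod_proxy and mod_proxy_http.
    RewriteRule ^/http-bind$ http://localhost:5280/http-bind [P,L]

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    CustomLog /var/log/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfModule>

# WebSocket (RFC 7395). This block sits outside both VirtualHosts and therefore
# applies to every vhost on this server; move it into the :443 vhost if other
# sites are ever added.
<IfModule mod_proxy.c>
<IfModule mod_proxy_wstunnel.c>
    ProxyTimeout 900
    <Location "/xmpp-websocket">
        ProxyPreserveHost On
        ProxyPass "ws://localhost:5280/xmpp-websocket"
    </Location>
</IfModule>
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet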
Hier die host-meta:
<?xml version="1.0" encoding="utf-8"?>
<!--
  XEP-0156 host-meta: tells clients which alternative connection methods the
  domain offers. Both hrefs point at the endpoints the Apache vhost proxies to
  Prosody. Serve it with Access-Control-Allow-Origin so web clients can read it.
-->
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Link href="https://intux.de/http-bind" rel="urn:xmpp:alt-connections:xbosh"/>
  <Link href="wss://intux.de:443/xmpp-websocket" rel="urn:xmpp:alt-connections:websocket"/>
</XRD>
Die Konfiguration der prosody.cfg.lua:
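-- prosody.cfg.lua for intux.de (Prosody 0.11.10, Debian 11).
-- The two shared secrets below are placeholders: the values that were
-- previously published together with this configuration must be treated as
-- compromised and rotated on the TURN and upload services as well.
-- Keep this file readable by the prosody user only (it holds DB credentials).
pidfile = "/var/run/prosody/prosody.pid"

storage = "sql"
sql = { driver = "MySQL"; database = "prosody"; host = "localhost"; username = "bn"; password = "pw"; }

plugin_paths = { "/usr/lib/prosody/prosody-modules" }

admins = { "intux@intux.de" }

modules_enabled = {
    "roster"; "saslauth"; "tls"; "dialback"; "disco";
    "private"; "blocklist"; "version"; "uptime"; "time"; "ping"; "posix";
    "pep"; "register"; "admin_adhoc"; "motd"; "welcome";
    "proxy65"; "watchregistrations";
    -- register_web and allow_registration = true below mean open registration;
    -- it is rate-limited only by min_seconds_between_registrations and the
    -- registration_blacklist further down.
    "register_web";
    -- admin_web is served on Prosody's own HTTP ports (5280/5281), which the
    -- Apache vhost does not proxy. NOTE(review): confirm 5280 is not reachable
    -- from outside, or that only the TLS port 5281 is exposed.
    "admin_web";
    "http_upload_external"; "mam"; "csi"; "carbons"; "smacks"; "lastlog";
    "cloud_notify"; "omemo_all_access"; "server_contact_info"; "profile";
    "vcard_legacy"; "pep_vcard_avatar";
    "websocket"; "bookmarks"; "bosh";
    -- http_altconnect answers /.well-known/host-meta for XEP-0156 on Prosody's
    -- HTTP ports; the Apache vhost serves its own static copy on 443.
    "http_altconnect";
    "turncredentials";
}

-- Debug-level logs are verbose and may include message metadata; consider
-- "info" once troubleshooting is done.
log = {
    debug = "/var/log/prosody/prosody.log";
    error = "/var/log/prosody/prosody.err";
}

legacy_ssl_ports = { 5223 }

default_archive_policy = false;
archive_expires_after = "1m";

c2s_require_encryption = true
s2s_require_encryption = true
s2s_secure_auth = true
s2s_secure_domains = { "trashserver.net", "jabber.de", "jabber.org", "xmpp.org" }
s2s_insecure_domains = {}

http_upload_external_base_url = "https://upload.intux.de/upload/"
http_upload_external_secret = "REPLACE_WITH_UPLOAD_SHARED_SECRET" -- placeholder, see header comment
http_upload_external_file_size_limit = 10000000

proxy65_ports = { 5212 }

authentication = "internal_hashed"

turncredentials_host = "cloud.intux.de"
turncredentials_secret = "REPLACE_WITH_TURN_SHARED_SECRET" -- placeholder, see header comment
turncredentials_port = 5349

-- TLS is terminated by Apache, so BOSH/WebSocket connections arriving over
-- plain HTTP on 5280 are treated as secure.
-- NOTE(review): behind the proxy Prosody sees the proxy's address as the
-- client address unless trusted_proxies is configured, in which case the
-- registration_blacklist below cannot match BOSH/WebSocket clients — verify
-- against the mod_http documentation for 0.11.
consider_websocket_secure = true;
cross_domain_websocket = true;
consider_bosh_secure = true;
cross_domain_bosh = true;

allow_registration = true
min_seconds_between_registrations = 300
registration_blacklist = { "83.218.198.86", "109.185.243.100", "93.114.0.93", "93.114.11.136", "92.114.216.80" }

ssl = {
    -- "tlsv1_2" alone pins LuaSec to exactly TLS 1.2; the "+" suffix means
    -- "1.2 and newer", so TLS 1.3 can be negotiated where OpenSSL/LuaSec
    -- support it and nothing changes where they do not. SSLv2/3 are already
    -- excluded by this, the no_sslv* options below are kept as belt-and-braces.
    protocol = "tlsv1_2+";
    key = "/etc/prosody/certs/privkey.pem";
    certificate = "/etc/prosody/certs/fullchain.pem";
    dhparam = "/etc/prosody/certs/dh-4096.pem";
    -- TLS 1.2 cipher list (TLS 1.3 suites are selected separately by OpenSSL).
    ciphers = "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128";
    options = { "no_sslv2", "no_sslv3", "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use" }
}

-- XEP-0157 contact addresses published by mod_server_contact_info.
contact_info = {
    abuse = { "mailto:abuse@intux.de", "xmpp:intux@intux.de" };
    admin = { "mailto:admin@intux.de", "xmpp:intux@intux.de" };
    feedback = { "mailto:admin@intux.de", "xmpp:intux@intux.de" };
    sales = { "mailto:admin@intux.de", "xmpp:intux@intux.de" };
    security = { "mailto:admin@intux.de", "xmpp:intux@intux.de" };
    support = { "xmpp:admin@intux.de", "xmpp:intux@intux.de" };
}

VirtualHost "intux.de"

Component "proxy.intux.de" "proxy65"
    proxy65_acl = { "intux.de" }

Component "conference.intux.de" "muc"
    name = "intux.de Chatrooms"
    restrict_room_creation = false
    max_history_messages = 500
    modules_enabled = { "mam_muc", "vcard_muc", }
    muc_log_by_default = false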
Compliance status for intux.de: 100%.