XEP-0156 reparieren

Intux

Von: Frank Lüttig

06. Januar 2022 um 10:44

Mein XMPP-Server ist vor einiger Zeit mal wieder durch den Complience-Test gefallen, da das Modul XEP-0156 schlapp gemacht hatte. Nun konnte ich die freien Tage über den Jahreswechsel nutzen und den Fehler fixen. Damit die Konfiguration nicht verloren geht, möchte ich diese hier kurz festhalten.

Zur Ausstattung

Mein XMPP-Server läuft unter Prosody 0.11.10 auf Debian 11 Bullseye. Als Webserver wird Apache2 eingesetzt.

Konfiguration

So sieht der VirtualHost aus:

<VirtualHost *:80>

        RewriteEngine On
        RewriteCond %{HTTPS} !=on
        RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

        ServerAdmin info@intux.de
        DocumentRoot /var/www/html/intux

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
	CustomLog /var/log/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

	ServerName intux.de
	ServerAlias www.intux.de
	RewriteCond %{SERVER_NAME} =intux.de [OR]
	RewriteCond %{SERVER_NAME} =www.intux.de
	RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>

	Protocols h2 h2c http/1.1

<Location /http-bind>
        Order allow,deny
        Allow from all
</Location>

<Location ~ "/\.well-known/host-meta(\.json)?">
    Header set Access-Control-Allow-Origin "*"
</Location>

        RewriteEngine On
	RewriteRule ^/http-bind$ http://intux.de:5280/http-bind [P,L]

	ServerAdmin info@intux.de
        DocumentRoot /var/www/html/intux
        Header always set Strict-Transport-Security "max-age=31536000"
        Header set Access-Control-Allow-Origin "*"
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        CustomLog /var/log/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

	Include /etc/letsencrypt/options-ssl-apache.conf
	ServerName intux.de
	ServerAlias www.intux.de

	SSLCertificateFile /etc/letsencrypt/live/intux.de-0003/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/intux.de-0003/privkey.pem
</VirtualHost>
</IfModule>

<IfModule mod_proxy.c>
    <IfModule mod_proxy_wstunnel.c>
    ProxyTimeout 900
    <Location "/xmpp-websocket">
        ProxyPreserveHost On
        ProxyPass "ws://localhost:5280/xmpp-websocket"
    </Location>
    </IfModule>
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Hier die host-meta:

<?xml version='1.0' encoding='utf-8'?>
<XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'>
  <Link rel="urn:xmpp:alt-connections:xbosh"
        href="https://intux.de/http-bind" />
  <Link rel="urn:xmpp:alt-connections:websocket"
        href="wss://intux.de:443/xmpp-websocket" />
</XRD>

Die Konfiguration der prosody.cfg.lua:

pidfile = "/var/run/prosody/prosody.pid"

storage = "sql"

sql = {
    driver = "MySQL";
    database = "prosody";
    host = "localhost";
    username = "bn";
    password = "pw";
}

plugin_paths = { "/usr/lib/prosody/prosody-modules" }

admins = {"intux@intux.de" }
modules_enabled = {
	"roster";
	"saslauth";
 	"tls";
	"dialback";
	"disco";
	"private";
	"blocklist";
	"version";
	"uptime";
	"time";
	"ping";
	"posix";
	"pep";
	"register";
	"admin_adhoc";
	"motd";
	"welcome";
	"proxy65";
	"watchregistrations";
	"register_web";
	"admin_web";
	"http_upload_external";
	"mam";
	"csi";
	"carbons";
	"smacks";
	"lastlog";
	"cloud_notify";
	"omemo_all_access";
	"server_contact_info";
	"profile";
	"vcard_legacy";
	"pep_vcard_avatar";
	"websocket";
	"bookmarks";
	"bosh";
	"http_altconnect";
	"turncredentials";
}

log = {
 debug = "/var/log/prosody/prosody.log";
 error = "/var/log/prosody/prosody.err";
}

legacy_ssl_ports = { 5223 }

default_archive_policy = false;
archive_expires_after = "1m";

c2s_require_encryption = true
s2s_require_encryption = true
s2s_secure_auth = true
s2s_secure_domains = { "trashserver.net", "jabber.de", "jabber.org", "xmpp.org" }
s2s_insecure_domains = {}

http_upload_external_base_url = "https://upload.intux.de/upload/"
http_upload_external_secret = "prosody2016."
http_upload_external_file_size_limit = 10000000

proxy65_ports = { 5212 }

authentication = "internal_hashed"

turncredentials_host = "cloud.intux.de"
turncredentials_secret = "18c5a842b57336a16c97255c4fc1aeb5336e3b6a9254b6bd148d789d8a740779"
turncredentials_port = 5349

consider_websocket_secure = true;
cross_domain_websocket = true;
consider_bosh_secure = true;
cross_domain_bosh = true;

allow_registration = true
min_seconds_between_registrations = 300
registration_blacklist = { "83.218.198.86", "109.185.243.100", "93.114.0.93", "93.114.11.136", "92.114.216.80" }

ssl = {
	protocol = "tlsv1_2";
        key = "/etc/prosody/certs/privkey.pem";
        certificate = "/etc/prosody/certs/fullchain.pem";

        dhparam = "/etc/prosody/certs/dh-4096.pem";

        ciphers = "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128";

        options = { "no_sslv2", "no_sslv3", "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use" }

}

contact_info = {
  abuse = { "mailto:abuse@intux.de", "xmpp:intux@intux.de" };
  admin = { "mailto:admin@intux.de", "xmpp:intux@intux.de" };
  feedback = { "mailto:admin@intux.de", "xmpp:intux@intux.de" };
  sales = { "mailto:admin@intux.de", "xmpp:intux@intux.de" };
  security = { "mailto:admin@intux.de", "xmpp:intux@intux.de" };
  support = { "xmpp:admin@intux.de", "xmpp:intux@intux.de" };
}

VirtualHost "intux.de"

Component "proxy.intux.de" "proxy65"

	proxy65_acl = { "intux.de" }

Component "conference.intux.de" "muc"
        name = "intux.de Chatrooms"
        restrict_room_creation = false
        max_history_messages = 500
        modules_enabled = {
                "mam_muc",
		"vcard_muc",
        }
        muc_log_by_default = false

Compliance status for intux.de 100%.

Normale Ansicht

Zur Ausstattung

Konfiguration