Hier werden die Unterschiede zwischen zwei Versionen angezeigt.
Nächste Überarbeitung | Vorhergehende ÜberarbeitungNächste ÜberarbeitungBeide Seiten der Revision | ||
prosody [05.12.2015 21:44] – angelegt havelock | prosody [24.12.2015 21:09] – [Konfiguration] x1lent | ||
---|---|---|---|
Zeile 1: | Zeile 1: | ||
- | Prosody | + | ====== |
- | | + | * Installation auf ffpi-services |
- | Wird unter xmpp.ffpi oder xmpp.pinneberg.freifunk.net erreichbar sein | + | |
- | Warum Prosody? | + | ===== Warum Prosody? |
Sicher fragt man sich warum wir kein ejabberd nutzen. Dies ist schlicht und ergreifend eigenen Präferenz. Ich persöhnlich störe mich daran bei ejabberd die Cipher-Suites für den verschlüsselten Austausch mit anderen Servern nicht manuell einstellen zu können. Weiterhin lässt sich ejabberd meiner Meinung schlechter warten, da es mit erlang geschrieben wurde. Prosody im Kontrast wurde mit lua geschrieben. Alleine schon die Packages die für den Betrieb benötigt werden sind kleiner und weniger von der Anzahl her. Weiterhin verbraucht Prosody nur 1/3 des Speicherbedarf von ejabberd. | Sicher fragt man sich warum wir kein ejabberd nutzen. Dies ist schlicht und ergreifend eigenen Präferenz. Ich persöhnlich störe mich daran bei ejabberd die Cipher-Suites für den verschlüsselten Austausch mit anderen Servern nicht manuell einstellen zu können. Weiterhin lässt sich ejabberd meiner Meinung schlechter warten, da es mit erlang geschrieben wurde. Prosody im Kontrast wurde mit lua geschrieben. Alleine schon die Packages die für den Betrieb benötigt werden sind kleiner und weniger von der Anzahl her. Weiterhin verbraucht Prosody nur 1/3 des Speicherbedarf von ejabberd. | ||
- | Installation | + | |
+ | ===== Installation | ||
Vorausgesetzt wird ein Debian Jessie 8.1 System. | Vorausgesetzt wird ein Debian Jessie 8.1 System. | ||
Zeile 13: | Zeile 14: | ||
Als erstes muss die Paketquelle von Prosody hinzugefügt werden: | Als erstes muss die Paketquelle von Prosody hinzugefügt werden: | ||
+ | < | ||
echo "deb http:// | echo "deb http:// | ||
wget https:// | wget https:// | ||
apt-get update | apt-get update | ||
+ | </ | ||
Nachdem dies erledigt wurde wird prosody an sich installiert: | Nachdem dies erledigt wurde wird prosody an sich installiert: | ||
+ | < | ||
apt-get update | apt-get update | ||
apt-get install prosody lua-sec | apt-get install prosody lua-sec | ||
+ | </ | ||
Sollte die Version von lua-sec aus dem offiziellen Package Repos < 5.0 sein solltet ihr anstatt von lua-sec lua-sec-prosody installieren, | Sollte die Version von lua-sec aus dem offiziellen Package Repos < 5.0 sein solltet ihr anstatt von lua-sec lua-sec-prosody installieren, | ||
- | Modifikation | + | |
+ | ===== Modifikation | ||
Da es nur Clients aus dem FFPI Netz erlaubt werden soll einen Account beim XMPP Server zu erstellen muss die mod_register.lua modifiziert werden, da prosody das nicht von Haus aus unterstützt. Weiterhin wollen wir, dass der XMPP Server bei der Registration für mehrere VirtualHosts einen Account erstellt. | Da es nur Clients aus dem FFPI Netz erlaubt werden soll einen Account beim XMPP Server zu erstellen muss die mod_register.lua modifiziert werden, da prosody das nicht von Haus aus unterstützt. Weiterhin wollen wir, dass der XMPP Server bei der Registration für mehrere VirtualHosts einen Account erstellt. | ||
- | / | + | <file lua / |
[...] | [...] | ||
Zeile 75: | Zeile 81: | ||
end | end | ||
[...] | [...] | ||
+ | </ | ||
- | Konfiguration | + | ===== Konfiguration |
- | Als erstes wird der DH-Schlüssel für FS (Forward Secrecy) generiert: | ||
+ | Als erstes wird der DH-Schlüssel für FS (Forward Secrecy) generiert: | ||
+ | < | ||
openssl dhparam -out / | openssl dhparam -out / | ||
+ | </ | ||
+ | Dies kann einige Zeit dauern. In der zwischenzeit erstellen wir einen Mysqluser + DB für prosody: | ||
- | Dies kann einige Zeit dauern. Also in der Zwischenzeit einen Kaffee machen. | + | < |
+ | mysql -u root -p | ||
+ | mysql> create database prosody; | ||
+ | mysql> grant usage on *.* to prosody@localhost identified by ' | ||
+ | mysql> grant all privileges on prosody.* to prosody@localhost; | ||
+ | </ | ||
Nun geht es an die eigentliche Anpassung von Prosody. Die Namen der Domainzertifikate sowie die Domain müssen natürlich entsprechend ausgefüllt werden. | Nun geht es an die eigentliche Anpassung von Prosody. Die Namen der Domainzertifikate sowie die Domain müssen natürlich entsprechend ausgefüllt werden. | ||
- | / | + | <file lua / |
+ | -- Prosody XMPP Server Configuration | ||
+ | -- | ||
+ | -- Information on configuring Prosody can be found on our | ||
+ | -- website at http:// | ||
+ | -- | ||
+ | -- Tip: You can check that the syntax of this file is correct | ||
+ | -- when you have finished by running: luac -p prosody.cfg.lua | ||
+ | -- If there are any errors, it will let you know what and where | ||
+ | -- they are, otherwise it will keep quiet. | ||
+ | -- | ||
+ | -- Good luck, and happy Jabbering! | ||
+ | |||
+ | |||
+ | ---------- Server-wide settings ---------- | ||
+ | -- Settings in this section apply to the whole server and are the default settings | ||
+ | -- for any virtual hosts | ||
+ | |||
+ | -- This is a (by default, empty) list of accounts that are admins | ||
+ | -- for the server. Note that you must create the accounts separately | ||
+ | -- (see http:// | ||
+ | -- Example: admins = { " | ||
+ | admins = {} | ||
+ | |||
+ | -- Enable use of libevent for better performance under high load | ||
+ | -- For more information see: http:// | ||
+ | use_libevent = true; | ||
+ | |||
+ | |||
+ | plugin_paths = {"" | ||
+ | |||
+ | -- This is the list of modules Prosody will load on startup. | ||
+ | -- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too. | ||
+ | -- Documentation on modules can be found at: http:// | ||
+ | modules_enabled = { | ||
+ | |||
+ | -- Generally required | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | |||
+ | -- Not essential, but recommended | ||
+ | " | ||
+ | " | ||
+ | |||
+ | -- These are commented by default as they have a performance impact | ||
+ | --" | ||
+ | --" | ||
+ | |||
+ | -- Nice to have | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | --" | ||
+ | |||
+ | -- Admin interfaces | ||
+ | " | ||
+ | --" | ||
+ | |||
+ | -- HTTP modules | ||
+ | --" | ||
+ | " | ||
+ | |||
+ | -- Other specific functionality | ||
+ | --" | ||
+ | --" | ||
+ | --" | ||
+ | --" | ||
+ | --" | ||
+ | --" | ||
+ | }; | ||
+ | |||
+ | -- These modules are auto-loaded, | ||
+ | -- to disable them then uncomment them here: | ||
+ | modules_disabled = { | ||
+ | -- " | ||
+ | -- " | ||
+ | -- " | ||
+ | }; | ||
+ | |||
+ | -- Disable account creation by default, for security | ||
+ | -- For more information see http:// | ||
+ | allow_registration = true; | ||
+ | registration_hosts={' | ||
+ | |||
+ | daemonize = true; | ||
+ | -- Required for init scripts and prosodyctl | ||
+ | pidfile = "/ | ||
+ | |||
+ | http_files_dir="/ | ||
+ | http_dir_listing=true; | ||
+ | |||
+ | http_ports = { 5280 } | ||
+ | http_interfaces = { " | ||
+ | |||
+ | -- These are the SSL/ | ||
+ | -- to use SSL/TLS, you may comment or remove this | ||
+ | ssl = { | ||
+ | key = "/ | ||
+ | certificate = "/ | ||
+ | } | ||
+ | |||
+ | -- Force clients to use encrypted connections? | ||
+ | -- prevent clients from authenticating unless they are using encryption. | ||
+ | |||
+ | c2s_require_encryption = true | ||
+ | |||
+ | -- Force certificate authentication for server-to-server connections? | ||
+ | -- This provides ideal security, but requires servers you communicate | ||
+ | -- with to support encryption AND present valid, trusted certificates. | ||
+ | -- NOTE: Your version of LuaSec must support certificate verification! | ||
+ | -- For more information see http:// | ||
+ | |||
+ | s2s_require_encryption = true | ||
+ | s2s_secure_auth = false | ||
+ | |||
+ | -- Many servers don't support encryption or have invalid or self-signed | ||
+ | -- certificates. You can list domains here that will not be required to | ||
+ | -- authenticate using certificates. They will be authenticated using DNS. | ||
+ | |||
+ | s2s_insecure_domains = { " | ||
+ | |||
+ | -- Even if you leave s2s_secure_auth disabled, you can still require valid | ||
+ | -- certificates for some domains by specifying a list here. | ||
+ | |||
+ | s2s_secure_domains = { " | ||
+ | |||
+ | -- Select the authentication backend to use. The ' | ||
+ | -- use Prosody' | ||
+ | -- To allow Prosody to offer secure authentication mechanisms to clients, the | ||
+ | -- default provider stores passwords in plaintext. If you do not trust your | ||
+ | -- server please see http:// | ||
+ | -- for information about using the hashed backend. | ||
+ | |||
+ | --authentication = " | ||
+ | |||
+ | -- we want passwords to be hashed on disk! | ||
+ | authentication = " | ||
+ | |||
+ | -- Select the storage backend to use. By default Prosody uses flat files | ||
+ | -- in its configured data directory, but it also supports more backends | ||
+ | -- through modules. An " | ||
+ | -- additional dependencies. See http:// | ||
+ | |||
+ | storage = " | ||
+ | |||
+ | -- For the " | ||
+ | --sql = { driver = " | ||
+ | sql = { driver = " | ||
+ | --sql = { driver = " | ||
+ | |||
+ | -- Logging configuration | ||
+ | -- For advanced logging see http:// | ||
+ | log = { | ||
+ | info = "/ | ||
+ | error = "/ | ||
+ | -- Syslog: | ||
+ | { levels = { " | ||
+ | -- " | ||
+ | } | ||
+ | |||
- | -- Prosody XMPP Server Configuration | + | |
- | -- | + | http_paths = { |
- | -- Information on configuring Prosody can be found on our | + | register_web = "/"; |
- | -- website at http:// | + | files=" |
- | -- | + | } |
- | -- Tip: You can check that the syntax of this file is correct | + | |
- | -- when you have finished by running: luac -p prosody.cfg.lua | + | http_host = "127.0.0.1" |
- | -- If there are any errors, it will let you know what and where | + | |
- | -- they are, otherwise it will keep quiet. | + | ----------- |
- | -- | + | -- You need to add a VirtualHost entry for each domain |
- | -- Good luck, and happy Jabbering! | + | -- Settings |
- | + | ||
- | + | ||
- | | + | --VirtualHost |
- | -- Settings in this section apply to the whole server and are the default settings | + | |
- | -- for any virtual hosts | + | -- Section |
- | + | ||
- | -- This is a (by default, empty) list of accounts that are admins | + | VirtualHost |
- | -- for the server. Note that you must create the accounts separately | + | --enabled = false -- Remove this line to enable this host |
- | -- (see http:// | + | |
- | -- Example: admins = { " | + | -- Assign this host a certificate |
- | admins = {} | + | -- set in the global section |
- | + | -- Note that old-style SSL on port 5223 only supports one certificate, and will always | |
- | -- Enable use of libevent for better performance | + | -- use the global one. |
- | -- For more information see: http:// | + | ssl = { |
- | --use_libevent = true; | + | key = "/ |
- | + | certificate = "/ | |
- | -- This is the list of modules Prosody will load on startup. | + | |
- | -- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too. | + | -- We do not want SSL2 and SSL3, no compression, no client cipher preference. |
- | -- Documentation on modules can be found at: http:// | + | |
- | | + | --options |
- | + | --options | |
- | | + | -- Only FS (Forward Secrecy) Ciphers |
- | | + | |
- | " | + | |
- | " | + | } |
- | "dialback"; -- s2s dialback support | + | |
- | " | + | |
- | " | + | |
- | | + | VirtualHost |
- | -- Not essential, but recommended | + | --enabled = false -- Remove this line to enable this host |
- | " | + | |
- | " | + | -- Assign this host a certificate for TLS, otherwise it would use the one |
- | + | -- set in the global section (if any). | |
- | -- These are commented by default as they have a performance impact | + | -- Note that old-style SSL on port 5223 only supports one certificate, |
- | --" | + | -- use the global one. |
- | --" | + | ssl = { |
- | + | key = "/ | |
- | | + | certificate = "/ |
- | " | + | |
- | " | + | -- We do not want SSL2 and SSL3, no compression, |
- | " | + | options = { " |
- | " | + | --options = { " |
- | " | + | --options = { " |
- | " | + | -- Only FS (Forward Secrecy) Ciphers |
- | + | ciphers = " | |
- | -- Admin interfaces | + | dhparam = "/ |
- | " | + | } |
- | --" | + | |
- | + | ------ Components ------ | |
- | -- HTTP modules | + | -- You can specify components to add hosts that provide special services, |
- | --" | + | -- like multi-user conferences, |
- | --" | + | -- For more information on components, see http:// |
- | + | ||
- | -- Other specific functionality | + | -- Set up a MUC (multi-user chat) room server on conference.example.com: |
- | --" | + | --Component " |
- | --" | + | |
- | --" | + | -- Set up a SOCKS5 bytestream proxy for server-proxied file transfers: |
- | --" | + | --Component " |
- | --" | + | |
- | --" | + | ---Set up an external component (default component port is 5347) |
- | }; | + | --Component " |
- | + | -- component_secret = " | |
- | | + | |
- | -- to disable them then uncomment them here: | + | </ |
- | modules_disabled = { | + | |
- | -- " | + | |
- | -- " | + | |
- | -- " | + | |
- | }; | + | |
- | + | ||
- | -- Disable account creation by default, for security | + | |
- | -- For more information see http:// | + | |
- | allow_registration = true; | + | |
- | whitelist_registration_only = true; | + | |
- | registration_whitelist_starts_with = { ' | + | |
- | registration_hosts = {' | + | |
- | + | ||
- | + | ||
- | daemonize = true; | + | |
- | -- Required for init scripts and prosodyctl | + | |
- | pidfile = "/ | + | |
- | + | ||
- | -- These are the SSL/ | + | |
- | -- to use SSL/TLS, you may comment or remove this | + | |
- | | + | |
- | key = "/ | + | |
- | certificate = "/ | + | |
- | } | + | |
- | + | ||
- | | + | |
- | -- prevent clients from authenticating unless they are using encryption. | + | |
- | + | ||
- | c2s_require_encryption = true | + | |
- | + | ||
- | -- Force certificate authentication for server-to-server connections? | + | |
- | -- This provides ideal security, but requires servers you communicate | + | |
- | -- with to support encryption AND present valid, trusted certificates. | + | |
- | -- NOTE: Your version of LuaSec must support certificate verification! | + | |
- | -- For more information see http:// | + | |
- | + | ||
- | s2s_require_encryption = true | + | |
- | s2s_secure_auth = false | + | |
- | + | ||
- | -- Many servers don't support encryption or have invalid or self-signed | + | |
- | -- certificates. You can list domains here that will not be required to | + | |
- | -- authenticate using certificates. They will be authenticated using DNS. | + | |
- | + | ||
- | s2s_insecure_domains | + | |
- | + | ||
- | -- Even if you leave s2s_secure_auth disabled, you can still require valid | + | |
- | -- certificates for some domains by specifying a list here. | + | |
- | + | ||
- | s2s_secure_domains = { "jabber.org" | + | |
- | + | ||
- | -- Select the authentication backend to use. The ' | + | |
- | -- use Prosody' | + | |
- | -- To allow Prosody to offer secure authentication mechanisms to clients, the | + | |
- | -- default provider stores passwords in plaintext. If you do not trust your | + | |
- | -- server please see http:// | + | |
- | -- for information about using the hashed backend. | + | |
- | + | ||
- | --authentication = "internal_plain" | + | |
- | + | ||
- | -- we want passwords to be hashed on disk! | + | |
- | authentication = " | + | |
- | + | ||
- | -- Select the storage backend to use. By default Prosody uses flat files | + | |
- | -- in its configured data directory, but it also supports more backends | + | |
- | -- through modules. An "sql" | + | |
- | -- additional dependencies. See http:// | + | |
- | + | ||
- | --storage = "sql" | + | |
- | + | ||
- | -- For the " | + | |
- | --sql = { driver = "SQLite3", | + | |
- | --sql = { driver = "MySQL", | + | |
- | --sql = { driver = "PostgreSQL", | + | |
- | + | ||
- | | + | |
- | -- For advanced logging see http:// | + | |
- | log = { | + | |
- | info = "/ | + | |
- | | + | |
- | -- Syslog: | + | |
- | { levels = { " | + | |
- | | + | |
- | } | + | |
- | | + | |
- | | + | |
- | -- You need to add a VirtualHost | + | |
- | -- Settings under each VirtualHost entry apply *only* to that host. | + | |
- | + | ||
- | VirtualHost " | + | |
- | + | ||
- | -- Section for host | + | |
- | + | ||
- | VirtualHost "hier der domain name" | + | |
- | | + | |
- | | + | |
- | -- Assign this host a certificate for TLS, otherwise it would use the one | + | |
- | -- set in the global section (if any). | + | |
- | -- Note that old-style SSL on port 5223 only supports one certificate, | + | |
- | -- use the global one. | + | |
- | ssl = { | + | |
- | key = "/ | + | |
- | certificate = "/ | + | |
- | | + | |
- | -- We do not want SSL2 and SSL3, no compression, | + | |
- | options = { " | + | |
- | --options = { " | + | |
- | --options = { " | + | |
- | -- Only FS (Forward Secrecy) Ciphers | + | |
- | ciphers = " | + | |
- | dhparam = "/ | + | |
- | } | + | |
- | | + | |
- | ------ Components ------ | + | |
- | -- You can specify components to add hosts that provide special services, | + | |
- | -- like multi-user conferences, | + | |
- | -- For more information on components, see http:// | + | |
- | | + | |
- | -- Set up a MUC (multi-user chat) room server on conference.example.com: | + | |
- | --Component " | + | |
- | | + | |
- | -- Set up a SOCKS5 bytestream proxy for server-proxied file transfers: | + | |
- | --Component " | + | |
- | | + | |
- | ---Set up an external component (default component port is 5347) | + | |
- | --Component " | + | |
- | -- component_secret = " | + | |
Bei der Auswahl der Ciphers wurde ein besonderes Augenmerk auf die Sicherheit der Übertragung gelegt. Leider lässt sich eine eine ausschließe Verwendung von FS-Ciphers nicht umsetzen, da viele Server kein FS Support haben. Um aber trotzdem mit diesen Servern kommunizieren zu können wurde AES-128/256 im GCM (Galois-Counter-Mode) aktiviert. | Bei der Auswahl der Ciphers wurde ein besonderes Augenmerk auf die Sicherheit der Übertragung gelegt. Leider lässt sich eine eine ausschließe Verwendung von FS-Ciphers nicht umsetzen, da viele Server kein FS Support haben. Um aber trotzdem mit diesen Servern kommunizieren zu können wurde AES-128/256 im GCM (Galois-Counter-Mode) aktiviert. | ||
- | DNS-Konfiguration | + | |
+ | ===== DNS-Konfiguration | ||
Jetzt müssen noch die richtigen DNS Einträge für den Server gesetzt werden. | Jetzt müssen noch die richtigen DNS Einträge für den Server gesetzt werden. | ||
- | ffpi.zone | + | <file conf ffpi.zone> |
; _service._proto.name TTL class SRV priority weight port target | ; _service._proto.name TTL class SRV priority weight port target | ||
_xmpp-client._tcp.ffpi. 86400 IN SRV 5 0 5222 srv02.ffpi. | _xmpp-client._tcp.ffpi. 86400 IN SRV 5 0 5222 srv02.ffpi. | ||
_xmpp-server._tcp.ffpi. 86400 IN SRV 5 0 5269 srv02.ffpi. | _xmpp-server._tcp.ffpi. 86400 IN SRV 5 0 5269 srv02.ffpi. | ||
+ | </ | ||
- | Abschluss | + | ===== Abschluss |
Anschließend Prosody einmal neustarten | Anschließend Prosody einmal neustarten | ||
- | service prosody restart | + | |