prosody [06.12.2015 03:46] – havelock | prosody [25.12.2015 11:12] – [Installation] x1lent | ||
Zeile 2: | Zeile 2: | ||
* Installation auf ffpi-services | * Installation auf ffpi-services | ||
- | * Wird unter xmpp.ffpi oder xmpp.pinneberg.freifunk.net erreichbar | + | * Ist unter xmpp.ffpi oder xmpp.pinneberg.freifunk.net erreichbar |
===== Warum Prosody? ===== | ===== Warum Prosody? ===== | ||
- | Sicher fragt man sich warum wir kein ejabberd nutzen. Dies ist schlicht und ergreifend eigenen Präferenz. Ich persöhnlich | + | Sicher fragt man sich warum wir kein ejabberd nutzen. Dies ist schlicht und ergreifend eigenen Präferenz. Ich persönlich |
===== Installation ===== | ===== Installation ===== | ||
Zeile 24: | Zeile 24: | ||
< | < | ||
apt-get update | apt-get update | ||
- | apt-get install prosody lua-sec | + | apt-get install prosody lua-sec |
</ | </ | ||
- | Sollte die Version von lua-sec aus dem offiziellen Package Repos < 5.0 sein solltet ihr anstatt | + | Sollte die Version von lua-sec aus dem offiziellen Package Repos < 5.0 sein solltet ihr anstelle |
===== Modifikation ===== | ===== Modifikation ===== | ||
- | Da es nur Clients aus dem FFPI Netz erlaubt werden soll einen Account beim XMPP Server zu erstellen | + | Da es nur Clients aus dem FFPI Netz erlaubt werden soll einen Account beim XMPP Server zu erstellen |
- | + | ||
- | <file lua / | + | |
- | + | ||
- | [...] | + | |
- | local blacklisted_ips = module: | + | |
- | local whitelist_ip_starts_with = module: | + | |
- | local register_hosts = module: | + | |
- | --IP Check for FFPI -- | + | |
- | function checkIP(ipadress, | + | |
- | for i, ipstart in ipairs(whitelist_start) do | + | |
- | if string.sub(ipadress, | + | |
- | return true | + | |
- | end | + | |
- | | + | |
- | | + | |
- | end | + | |
- | + | ||
- | [...] | + | |
- | + | ||
- | elseif blacklisted_ips[session.ip] or (whitelist_only and not whitelisted_ips[session.ip]) then | + | |
- | module: | + | |
- | if (whitelist_only and not checkIP(session.ip, | + | |
- | session.send(st.error_reply(stanza, | + | |
- | return true; | + | |
- | end | + | |
- | [...] | + | |
- | + | ||
- | else | + | |
- | -- TODO unable to write file, file may be locked, etc, what's the correct error? | + | |
- | local error_reply = st.error_reply(stanza, | + | |
- | + | ||
- | for i, reg_host | + | |
- | module: | + | |
- | if usermanager_create_user(username, | + | |
- | if next(data) and not account_details: | + | |
- | usermanager_delete_user(username, | + | |
- | session.send(error_reply); | + | |
- | return true; | + | |
- | end | + | |
- | session.send(st.reply(stanza)); | + | |
- | module: | + | |
- | module: | + | |
- | username = username, reg_host = reg_host, source = " | + | |
- | session = session }); | + | |
- | else | + | |
- | session.send(error_reply); | + | |
- | end | + | |
- | end | + | |
- | [...] | + | |
- | </ | + | |
+ | < | ||
+ | cd / | ||
+ | apt-get install git | ||
+ | git clone https:// | ||
+ | </ | ||
===== Konfiguration ===== | ===== Konfiguration ===== | ||
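Review bot: The inlined mod_register patch that enforced "only clients from the FFPI net may create an account" (removed at L18-L68 together with its `whitelist_registration_only` / `registration_whitelist_starts_with` options) is replaced by a bare `git clone` into the plugin directory with no commit, tag or checksum pinned, so whatever that repository serves at the time of the next clone is loaded into the prosody process. The repository URL is truncated in this rendering, so I cannot tell which module it provides; the page should name the module and the configuration options it reads, because the new `prosody.cfg.lua` no longer shows any IP whitelist setting. Suggest pinning the checkout, e.g. `git clone <url> && cd <dir> && git checkout <commit-id>`, and recording that commit id on the page so the deployed plugin is reproducible.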
Zeile 90: | Zeile 45: | ||
openssl dhparam -out / | openssl dhparam -out / | ||
</ | </ | ||
- | Dies kann einige Zeit dauern. | + | Dies kann einige Zeit dauern. |
- | Nun geht es an die eigentliche | + | < |
+ | mysql -u root -p | ||
+ | mysql> create database prosody; | ||
+ | mysql> grant usage on *.* to prosody@localhost identified by ' | ||
+ | mysql> grant all privileges on prosody.* to prosody@localhost; | ||
+ | </ | ||
+ | |||
+ | Nun geht es an die eigentliche | ||
<file lua / | <file lua / | ||
+ | -- Prosody XMPP Server Configuration | ||
+ | -- | ||
+ | -- Information on configuring Prosody can be found on our | ||
+ | -- website at http:// | ||
+ | -- | ||
+ | -- Tip: You can check that the syntax of this file is correct | ||
+ | -- when you have finished by running: luac -p prosody.cfg.lua | ||
+ | -- If there are any errors, it will let you know what and where | ||
+ | -- they are, otherwise it will keep quiet. | ||
+ | -- | ||
+ | -- Good luck, and happy Jabbering! | ||
+ | |||
+ | |||
+ | ---------- Server-wide settings ---------- | ||
+ | -- Settings in this section apply to the whole server and are the default settings | ||
+ | -- for any virtual hosts | ||
+ | |||
+ | -- This is a (by default, empty) list of accounts that are admins | ||
+ | -- for the server. Note that you must create the accounts separately | ||
+ | -- (see http:// | ||
+ | -- Example: admins = { " | ||
+ | admins = {} | ||
+ | |||
+ | -- Enable use of libevent for better performance under high load | ||
+ | -- For more information see: http:// | ||
+ | use_libevent = true; | ||
+ | |||
+ | |||
+ | plugin_paths = {"" | ||
+ | |||
+ | -- This is the list of modules Prosody will load on startup. | ||
+ | -- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too. | ||
+ | -- Documentation on modules can be found at: http:// | ||
+ | modules_enabled = { | ||
+ | |||
+ | -- Generally required | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | |||
+ | -- Not essential, but recommended | ||
+ | " | ||
+ | " | ||
+ | |||
+ | -- These are commented by default as they have a performance impact | ||
+ | --" | ||
+ | --" | ||
+ | |||
+ | -- Nice to have | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | --" | ||
+ | |||
+ | -- Admin interfaces | ||
+ | " | ||
+ | --" | ||
+ | |||
+ | -- HTTP modules | ||
+ | --" | ||
+ | " | ||
+ | |||
+ | -- Other specific functionality | ||
+ | --" | ||
+ | --" | ||
+ | --" | ||
+ | --" | ||
+ | --" | ||
+ | --" | ||
+ | }; | ||
+ | |||
+ | -- These modules are auto-loaded, | ||
+ | -- to disable them then uncomment them here: | ||
+ | modules_disabled = { | ||
+ | -- " | ||
+ | -- " | ||
+ | -- " | ||
+ | }; | ||
+ | |||
+ | -- Disable account creation by default, for security | ||
+ | -- For more information see http:// | ||
+ | allow_registration = true; | ||
+ | registration_hosts={' | ||
+ | |||
+ | daemonize = true; | ||
+ | -- Required for init scripts and prosodyctl | ||
+ | pidfile = "/ | ||
+ | |||
+ | http_files_dir="/ | ||
+ | http_dir_listing=true; | ||
+ | |||
+ | http_ports = { 5280 } | ||
+ | http_interfaces = { " | ||
+ | |||
+ | -- These are the SSL/ | ||
+ | -- to use SSL/TLS, you may comment or remove this | ||
+ | ssl = { | ||
+ | key = "/ | ||
+ | certificate = "/ | ||
+ | } | ||
+ | |||
+ | -- Force clients to use encrypted connections? | ||
+ | -- prevent clients from authenticating unless they are using encryption. | ||
+ | |||
+ | c2s_require_encryption = true | ||
+ | |||
+ | -- Force certificate authentication for server-to-server connections? | ||
+ | -- This provides ideal security, but requires servers you communicate | ||
+ | -- with to support encryption AND present valid, trusted certificates. | ||
+ | -- NOTE: Your version of LuaSec must support certificate verification! | ||
+ | -- For more information see http:// | ||
+ | |||
+ | s2s_require_encryption = true | ||
+ | s2s_secure_auth = false | ||
+ | |||
+ | -- Many servers don't support encryption or have invalid or self-signed | ||
+ | -- certificates. You can list domains here that will not be required to | ||
+ | -- authenticate using certificates. They will be authenticated using DNS. | ||
+ | |||
+ | s2s_insecure_domains = { " | ||
+ | |||
+ | -- Even if you leave s2s_secure_auth disabled, you can still require valid | ||
+ | -- certificates for some domains by specifying a list here. | ||
+ | |||
+ | s2s_secure_domains = { " | ||
+ | |||
+ | -- Select the authentication backend to use. The ' | ||
+ | -- use Prosody' | ||
+ | -- To allow Prosody to offer secure authentication mechanisms to clients, the | ||
+ | -- default provider stores passwords in plaintext. If you do not trust your | ||
+ | -- server please see http:// | ||
+ | -- for information about using the hashed backend. | ||
+ | |||
+ | --authentication = " | ||
+ | |||
+ | -- we want passwords to be hashed on disk! | ||
+ | authentication = " | ||
+ | |||
+ | -- Select the storage backend to use. By default Prosody uses flat files | ||
+ | -- in its configured data directory, but it also supports more backends | ||
+ | -- through modules. An " | ||
+ | -- additional dependencies. See http:// | ||
+ | |||
+ | storage = " | ||
+ | |||
+ | -- For the " | ||
+ | --sql = { driver = " | ||
+ | sql = { driver = " | ||
+ | --sql = { driver = " | ||
+ | |||
+ | -- Logging configuration | ||
+ | -- For advanced logging see http:// | ||
+ | log = { | ||
+ | info = "/ | ||
+ | error = "/ | ||
+ | -- Syslog: | ||
+ | { levels = { " | ||
+ | -- " | ||
+ | } | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | http_paths = { | ||
+ | register_web = "/"; | ||
+ | files="/ | ||
+ | } | ||
+ | |||
+ | http_host = " | ||
+ | |||
+ | ----------- Virtual hosts ----------- | ||
+ | -- You need to add a VirtualHost entry for each domain you wish Prosody to serve. | ||
+ | -- Settings under each VirtualHost entry apply *only* to that host. | ||
+ | |||
+ | |||
+ | --VirtualHost " | ||
+ | |||
+ | -- Section for host | ||
+ | |||
+ | VirtualHost " | ||
+ | --enabled = false -- Remove this line to enable this host | ||
+ | |||
+ | -- Assign this host a certificate for TLS, otherwise it would use the one | ||
+ | -- set in the global section (if any). | ||
+ | -- Note that old-style SSL on port 5223 only supports one certificate, | ||
+ | -- use the global one. | ||
+ | ssl = { | ||
+ | key = "/ | ||
+ | certificate = "/ | ||
+ | |||
+ | -- We do not want SSL2 and SSL3, no compression, | ||
+ | options = { " | ||
+ | --options = { " | ||
+ | --options = { " | ||
+ | -- Only FS (Forward Secrecy) Ciphers | ||
+ | ciphers = " | ||
+ | dhparam = "/ | ||
+ | } | ||
+ | |||
+ | |||
+ | |||
+ | VirtualHost " | ||
+ | --enabled = false -- Remove this line to enable this host | ||
+ | |||
+ | -- Assign this host a certificate for TLS, otherwise it would use the one | ||
+ | -- set in the global section (if any). | ||
+ | -- Note that old-style SSL on port 5223 only supports one certificate, | ||
+ | -- use the global one. | ||
+ | ssl = { | ||
+ | key = "/ | ||
+ | certificate = "/ | ||
+ | |||
+ | -- We do not want SSL2 and SSL3, no compression, | ||
+ | options = { " | ||
+ | --options = { " | ||
+ | --options = { " | ||
+ | -- Only FS (Forward Secrecy) Ciphers | ||
+ | ciphers = " | ||
+ | dhparam = "/ | ||
+ | } | ||
+ | |||
+ | ------ Components ------ | ||
+ | -- You can specify components to add hosts that provide special services, | ||
+ | -- like multi-user conferences, | ||
+ | -- For more information on components, see http:// | ||
+ | |||
+ | -- Set up a MUC (multi-user chat) room server on conference.example.com: | ||
+ | --Component " | ||
+ | |||
+ | -- Set up a SOCKS5 bytestream proxy for server-proxied file transfers: | ||
+ | --Component " | ||
+ | |||
+ | ---Set up an external component (default component port is 5347) | ||
+ | --Component " | ||
+ | -- component_secret = " | ||
- | -- Prosody XMPP Server Configuration | ||
- | -- | ||
- | -- Information on configuring Prosody can be found on our | ||
- | -- website at http:// | ||
- | -- | ||
- | -- Tip: You can check that the syntax of this file is correct | ||
- | -- when you have finished by running: luac -p prosody.cfg.lua | ||
- | -- If there are any errors, it will let you know what and where | ||
- | -- they are, otherwise it will keep quiet. | ||
- | -- | ||
- | -- Good luck, and happy Jabbering! | ||
- | |||
- | |||
- | ---------- Server-wide settings ---------- | ||
- | -- Settings in this section apply to the whole server and are the default settings | ||
- | -- for any virtual hosts | ||
- | |||
- | -- This is a (by default, empty) list of accounts that are admins | ||
- | -- for the server. Note that you must create the accounts separately | ||
- | -- (see http:// | ||
- | -- Example: admins = { " | ||
- | admins = {} | ||
- | |||
- | -- Enable use of libevent for better performance under high load | ||
- | -- For more information see: http:// | ||
- | --use_libevent = true; | ||
- | |||
- | -- This is the list of modules Prosody will load on startup. | ||
- | -- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too. | ||
- | -- Documentation on modules can be found at: http:// | ||
- | modules_enabled = { | ||
- | |||
- | -- Generally required | ||
- | " | ||
- | " | ||
- | " | ||
- | " | ||
- | " | ||
- | " | ||
- | |||
- | -- Not essential, but recommended | ||
- | " | ||
- | " | ||
- | |||
- | -- These are commented by default as they have a performance impact | ||
- | --" | ||
- | --" | ||
- | |||
- | -- Nice to have | ||
- | " | ||
- | " | ||
- | " | ||
- | " | ||
- | " | ||
- | " | ||
- | |||
- | -- Admin interfaces | ||
- | " | ||
- | --" | ||
- | |||
- | -- HTTP modules | ||
- | --" | ||
- | --" | ||
- | |||
- | -- Other specific functionality | ||
- | --" | ||
- | --" | ||
- | --" | ||
- | --" | ||
- | --" | ||
- | --" | ||
- | }; | ||
- | |||
- | -- These modules are auto-loaded, | ||
- | -- to disable them then uncomment them here: | ||
- | modules_disabled = { | ||
- | -- " | ||
- | -- " | ||
- | -- " | ||
- | }; | ||
- | |||
- | -- Disable account creation by default, for security | ||
- | -- For more information see http:// | ||
- | allow_registration = true; | ||
- | whitelist_registration_only = true; | ||
- | registration_whitelist_starts_with = { ' | ||
- | registration_hosts = {' | ||
- | |||
- | |||
- | daemonize = true; | ||
- | -- Required for init scripts and prosodyctl | ||
- | pidfile = "/ | ||
- | |||
- | -- These are the SSL/ | ||
- | -- to use SSL/TLS, you may comment or remove this | ||
- | ssl = { | ||
- | key = "/ | ||
- | certificate = "/ | ||
- | } | ||
- | |||
- | -- Force clients to use encrypted connections? | ||
- | -- prevent clients from authenticating unless they are using encryption. | ||
- | |||
- | c2s_require_encryption = true | ||
- | |||
- | -- Force certificate authentication for server-to-server connections? | ||
- | -- This provides ideal security, but requires servers you communicate | ||
- | -- with to support encryption AND present valid, trusted certificates. | ||
- | -- NOTE: Your version of LuaSec must support certificate verification! | ||
- | -- For more information see http:// | ||
- | |||
- | s2s_require_encryption = true | ||
- | s2s_secure_auth = false | ||
- | |||
- | -- Many servers don't support encryption or have invalid or self-signed | ||
- | -- certificates. You can list domains here that will not be required to | ||
- | -- authenticate using certificates. They will be authenticated using DNS. | ||
- | |||
- | s2s_insecure_domains = { " | ||
- | |||
- | -- Even if you leave s2s_secure_auth disabled, you can still require valid | ||
- | -- certificates for some domains by specifying a list here. | ||
- | |||
- | s2s_secure_domains = { " | ||
- | |||
- | -- Select the authentication backend to use. The ' | ||
- | -- use Prosody' | ||
- | -- To allow Prosody to offer secure authentication mechanisms to clients, the | ||
- | -- default provider stores passwords in plaintext. If you do not trust your | ||
- | -- server please see http:// | ||
- | -- for information about using the hashed backend. | ||
- | |||
- | --authentication = " | ||
- | |||
- | -- we want passwords to be hashed on disk! | ||
- | authentication = " | ||
- | |||
- | -- Select the storage backend to use. By default Prosody uses flat files | ||
- | -- in its configured data directory, but it also supports more backends | ||
- | -- through modules. An " | ||
- | -- additional dependencies. See http:// | ||
- | |||
- | --storage = " | ||
- | |||
- | -- For the " | ||
- | --sql = { driver = " | ||
- | --sql = { driver = " | ||
- | --sql = { driver = " | ||
- | |||
- | -- Logging configuration | ||
- | -- For advanced logging see http:// | ||
- | log = { | ||
- | info = "/ | ||
- | error = "/ | ||
- | -- Syslog: | ||
- | { levels = { " | ||
- | -- " | ||
- | } | ||
- | |||
- | ----------- Virtual hosts ----------- | ||
- | -- You need to add a VirtualHost entry for each domain you wish Prosody to serve. | ||
- | -- Settings under each VirtualHost entry apply *only* to that host. | ||
- | |||
- | VirtualHost " | ||
- | |||
- | -- Section for host | ||
- | |||
- | VirtualHost "hier der domain name" | ||
- | --enabled = false -- Remove this line to enable this host | ||
- | |||
- | -- Assign this host a certificate for TLS, otherwise it would use the one | ||
- | -- set in the global section (if any). | ||
- | -- Note that old-style SSL on port 5223 only supports one certificate, | ||
- | -- use the global one. | ||
- | ssl = { | ||
- | key = "/ | ||
- | certificate = "/ | ||
- | |||
- | -- We do not want SSL2 and SSL3, no compression, | ||
- | options = { " | ||
- | --options = { " | ||
- | --options = { " | ||
- | -- Only FS (Forward Secrecy) Ciphers | ||
- | ciphers = " | ||
- | dhparam = "/ | ||
- | } | ||
- | |||
- | ------ Components ------ | ||
- | -- You can specify components to add hosts that provide special services, | ||
- | -- like multi-user conferences, | ||
- | -- For more information on components, see http:// | ||
- | |||
- | -- Set up a MUC (multi-user chat) room server on conference.example.com: | ||
- | --Component " | ||
- | |||
- | -- Set up a SOCKS5 bytestream proxy for server-proxied file transfers: | ||
- | --Component " | ||
- | |||
- | ---Set up an external component (default component port is 5347) | ||
- | --Component " | ||
- | -- component_secret = " | ||
</ | </ | ||
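Review bot: `allow_registration = true` (L176) is kept, but the old config's `whitelist_registration_only = true;` and `registration_whitelist_starts_with = { ... }` lines are dropped and nothing in the new config replaces them, while `register_web = "/"` (L259) publishes a registration form on the HTTP listener (`http_ports = { 5280 }`, L186). Unless the cloned module reads options not shown here, any client that can reach that listener can create accounts, which contradicts the stated intent; restore the restriction the module expects, or at least bind `http_interfaces` (L187, truncated) to FFPI-only addresses and say so in the comment at L174, which still reads "Disable account creation by default, for security" directly above a `true`. `http_dir_listing=true` (L184) additionally exposes the file list of `http_files_dir` to the same audience, and `s2s_secure_auth = false` (L208) means federation peers outside `s2s_secure_domains` are authenticated by DNS only; both may be intended, but each deserves a one-line "why" comment. Note also that the `identified by '...'` password at L82 ends up in the MySQL client history file of the user who pastes it.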
Zeile 315: | Zeile 318: | ||
===== Abschluss ===== | ===== Abschluss ===== | ||
- | Anschließend | + | Abschließend |
service prosody restart | service prosody restart | ||