Mein XMPP-Server ist vor einiger Zeit mal wieder durch den Compliance-Test gefallen, da das Modul für XEP-0156 schlapp gemacht hatte. Nun konnte ich die freien Tage über den Jahreswechsel nutzen und den Fehler fixen. Damit die Konfiguration nicht verloren geht, möchte ich diese hier kurz festhalten.
Zur Ausstattung
Mein XMPP-Server läuft unter Prosody 0.11.10 auf Debian 11 Bullseye. Als Webserver wird Apache2 eingesetzt.
Konfiguration
So sieht der VirtualHost aus:
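# Apache vhost for intux.de: plain HTTP only redirects, TLS vhost serves the
# site plus the XEP-0156 host-meta files and reverse-proxies BOSH/WebSocket
# to Prosody on port 5280.

# Port 80: redirect everything to HTTPS, nothing is served in clear text.
<VirtualHost *:80>
    ServerName intux.de
    ServerAlias www.intux.de
    ServerAdmin info@intux.de
    DocumentRoot /var/www/html/intux

    # One unconditional redirect is enough. The original file had a second
    # RewriteCond/RewriteRule pair keyed on SERVER_NAME after this one; it
    # could never run because this rule already matches every request ([L]).
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    # SSL_* variables are empty on this vhost; kept so the log format matches
    # the TLS vhost below.
    CustomLog /var/log/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName intux.de
    ServerAlias www.intux.de
    ServerAdmin info@intux.de
    DocumentRoot /var/www/html/intux
    # h2c (cleartext HTTP/2) is never negotiated on a TLS vhost; harmless here.
    Protocols h2 h2c http/1.1

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/intux.de-0003/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/intux.de-0003/privkey.pem

    Header always set Strict-Transport-Security "max-age=31536000"
    # NOTE(review): this CORS header is vhost-wide, i.e. it also applies to
    # everything under DocumentRoot. XEP-0156 only needs it on the host-meta
    # files (Location below), and Prosody answers CORS for BOSH/WebSocket
    # itself (cross_domain_bosh / cross_domain_websocket). Kept as-is so
    # nothing that relies on it breaks; consider narrowing it.
    Header set Access-Control-Allow-Origin "*"

    # XEP-0156: /.well-known/host-meta and host-meta.json must be readable
    # cross-origin by web clients.
    <Location ~ "/\.well-known/host-meta(\.json)?">
        Header set Access-Control-Allow-Origin "*"
    </Location>

    # BOSH (XEP-0124/0206). Proxied the same way as the WebSocket endpoint
    # further down: to loopback instead of the public name, so the
    # unencrypted hop to Prosody never leaves the host, and with the client's
    # Host header preserved. "Require all granted" replaces the Apache 2.2
    # "Order allow,deny / Allow from all" pair, which on 2.4 only works with
    # mod_access_compat.
    <IfModule mod_proxy_http.c>
        <Location "/http-bind">
            Require all granted
            ProxyPreserveHost On
            ProxyPass "http://localhost:5280/http-bind"
        </Location>
    </IfModule>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    CustomLog /var/log/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfModule>

# WebSocket (RFC 7395) reverse proxy to Prosody. This block sits outside the
# VirtualHosts, so it applies server-wide; on the :80 vhost the redirect
# above is expected to fire first — confirm if a second vhost is ever added.
<IfModule mod_proxy.c>
<IfModule mod_proxy_wstunnel.c>
    # Long timeout so idle XMPP sessions are not cut by the proxy.
    ProxyTimeout 900
    <Location "/xmpp-websocket">
        ProxyPreserveHost On
        ProxyPass "ws://localhost:5280/xmpp-websocket"
    </Location>
</IfModule>
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet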
Hier die host-meta:
<?xml version="1.0" encoding="utf-8"?>
<!-- XEP-0156 host-meta, served from the Apache DocumentRoot as
     /.well-known/host-meta. Both links point at the Apache TLS vhost,
     which reverse-proxies them to Prosody (port 5280). -->
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
    <!-- BOSH endpoint (Apache location /http-bind) -->
    <Link rel="urn:xmpp:alt-connections:xbosh"
          href="https://intux.de/http-bind" />
    <!-- WebSocket endpoint (Apache location /xmpp-websocket) -->
    <Link rel="urn:xmpp:alt-connections:websocket"
          href="wss://intux.de:443/xmpp-websocket" />
</XRD>
Die Konfiguration der prosody.cfg.lua:
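-- prosody.cfg.lua for intux.de (Prosody 0.11.10 on Debian 11).
-- Secrets in this listing are labelled placeholders. The values that were
-- published with the original post (HTTP upload secret, TURN shared secret,
-- SQL credentials) have to be treated as compromised and rotated.

pidfile = "/var/run/prosody/prosody.pid"

-- Storage backend: MySQL.
storage = "sql"
sql = {
    driver = "MySQL";
    database = "prosody";
    host = "localhost";
    username = "bn";   -- placeholder as written in the original post
    password = "pw";   -- placeholder as written in the original post
}

-- Community modules (prosody-modules checkout).
plugin_paths = { "/usr/lib/prosody/prosody-modules" }

admins = { "intux@intux.de" }

-- Global module list. Order kept as in the original file.
modules_enabled = {
    "roster";
    "saslauth";
    "tls";
    "dialback";
    "disco";
    "private";
    "blocklist";
    "version";
    "uptime";
    "time";
    "ping";
    "posix";
    "pep";
    "register";              -- in-band registration, see allow_registration below
    "admin_adhoc";
    "motd";
    "welcome";
    "proxy65";
    "watchregistrations";
    "register_web";          -- web registration form
    "admin_web";             -- web admin panel, reachable over HTTP(S)
    "http_upload_external";  -- upload handled by an external service (see below)
    "mam";
    "csi";
    "carbons";
    "smacks";
    "lastlog";
    "cloud_notify";
    "omemo_all_access";
    "server_contact_info";   -- publishes contact_info below (XEP-0157)
    "profile";
    "vcard_legacy";
    "pep_vcard_avatar";
    "websocket";             -- RFC 7395, behind the Apache proxy
    "bookmarks";
    "bosh";                  -- XEP-0124/0206, behind the Apache proxy
    "http_altconnect";       -- XEP-0156 alternative-connection discovery
    "turncredentials";
}

log = {
    debug = "/var/log/prosody/prosody.log";
    error = "/var/log/prosody/prosody.err";
}

legacy_ssl_ports = { 5223 }

-- Message archiving (XEP-0313): off by default per user; retention "1m".
default_archive_policy = false;
archive_expires_after = "1m";

-- Transport security: encryption required for clients and servers,
-- certificate validation for s2s.
c2s_require_encryption = true
s2s_require_encryption = true
s2s_secure_auth = true
s2s_secure_domains = { "trashserver.net", "jabber.de", "jabber.org", "xmpp.org" }
s2s_insecure_domains = {}

-- HTTP file upload is delegated to an external service; the secret must match
-- the one configured on that service.
http_upload_external_base_url = "https://upload.intux.de/upload/"
http_upload_external_secret = "<HTTP_UPLOAD_SECRET>"   -- placeholder; rotate the previously published value
http_upload_external_file_size_limit = 10000000        -- bytes

proxy65_ports = { 5212 }

authentication = "internal_hashed"

-- TURN credentials handed out to clients; the secret is shared with the TURN server.
turncredentials_host = "cloud.intux.de"
turncredentials_secret = "<TURN_SHARED_SECRET>"   -- placeholder; rotate the previously published value
turncredentials_port = 5349

-- BOSH and WebSocket are terminated by the Apache TLS reverse proxy (see the
-- VirtualHost). consider_*_secure makes Prosody treat those proxied
-- connections as encrypted; cross_domain_* makes Prosody answer CORS for
-- any origin, so no extra CORS header is needed on the proxy for these paths.
consider_websocket_secure = true;
cross_domain_websocket = true;
consider_bosh_secure = true;
cross_domain_bosh = true;

-- Open in-band registration, rate-limited, with a per-IP deny list.
allow_registration = true
min_seconds_between_registrations = 300
registration_blacklist = { "83.218.198.86", "109.185.243.100", "93.114.0.93", "93.114.11.136", "92.114.216.80" }

ssl = {
    -- NOTE(review): "tlsv1_2" pins exactly TLS 1.2, so TLS 1.3 is not
    -- offered — confirm with an external TLS check if 1.3 is wanted.
    protocol = "tlsv1_2";
    key = "/etc/prosody/certs/privkey.pem";
    certificate = "/etc/prosody/certs/fullchain.pem";
    dhparam = "/etc/prosody/certs/dh-4096.pem";
    ciphers = "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128";
    options = { "no_sslv2", "no_sslv3", "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use" }
}

-- XEP-0157 contact addresses (published by mod_server_contact_info).
contact_info = {
    abuse = { "mailto:abuse@intux.de", "xmpp:intux@intux.de" };
    admin = { "mailto:admin@intux.de", "xmpp:intux@intux.de" };
    feedback = { "mailto:admin@intux.de", "xmpp:intux@intux.de" };
    sales = { "mailto:admin@intux.de", "xmpp:intux@intux.de" };
    security = { "mailto:admin@intux.de", "xmpp:intux@intux.de" };
    support = { "xmpp:admin@intux.de", "xmpp:intux@intux.de" };
}

VirtualHost "intux.de"

-- SOCKS5 bytestreams proxy (XEP-0065), restricted to local users.
Component "proxy.intux.de" "proxy65"
    proxy65_acl = { "intux.de" }

-- Multi-user chat (XEP-0045).
Component "conference.intux.de" "muc"
    name = "intux.de Chatrooms"
    restrict_room_creation = false
    max_history_messages = 500
    modules_enabled = {
        "mam_muc",
        "vcard_muc",
    }
    muc_log_by_default = false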
Compliance status for intux.de 100%. 😀