XEP-0156 reparieren


Mein XMPP-Server ist vor einiger Zeit mal wieder durch den Compliance-Test gefallen, da das Modul für XEP-0156 schlappgemacht hatte. Nun konnte ich die freien Tage über den Jahreswechsel nutzen und den Fehler beheben. Damit die Konfiguration nicht verloren geht, möchte ich sie hier kurz festhalten.

Zur Ausstattung

Mein XMPP-Server läuft unter Prosody 0.11.10 auf Debian 11 Bullseye. Als Webserver wird Apache2 eingesetzt.

Konfiguration

So sieht der VirtualHost aus:

# Port-80 vhost: its only job is to send every plain-HTTP request to HTTPS.
<VirtualHost *:80>

RewriteEngine On
# Catch-all redirect. The target is built from %{HTTP_HOST}, i.e. the Host
# header the client sent; if this is the default *:80 vhost, a request with a
# foreign Host header is answered with a redirect to that foreign host (the
# "Host header redirect" finding scanners like to report). The certbot block
# further down is guarded by RewriteCond on %{SERVER_NAME}, but it is never
# reached: this rule matches everything and carries [L].
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

ServerAdmin info@intux.de
DocumentRoot /var/www/html/intux

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# %{SSL_PROTOCOL}x / %{SSL_CIPHER}x are empty on this non-TLS vhost; the extra
# log line is harmless but carries no information here.
CustomLog /var/log/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

ServerName intux.de
ServerAlias www.intux.de
# certbot-generated redirect, restricted to the two expected host names.
# Effectively dead while the unconditional rule above is present.
RewriteCond %{SERVER_NAME} =intux.de [OR]
RewriteCond %{SERVER_NAME} =www.intux.de
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>

# h2c (cleartext HTTP/2) has no effect on a TLS vhost; h2 and http/1.1 do.
Protocols h2 h2c http/1.1

# BOSH endpoint (XEP-0124/XEP-0206), reverse-proxied to Prosody below.
# Apache 2.2-style access control; on Apache 2.4 (Debian 11) it only works
# while mod_access_compat is loaded. Native 2.4 form: "Require all granted".
<Location /http-bind>
Order allow,deny
Allow from all
</Location>

# XEP-0156: web clients fetch host-meta cross-origin, so CORS is required.
# The vhost-wide "Header set Access-Control-Allow-Origin" further down already
# covers it; keeping the wildcard only on this Location would be tighter.
<Location ~ "/\.well-known/host-meta(\.json)?">
Header set Access-Control-Allow-Origin "*"
</Location>

RewriteEngine On
# Reverse proxy for BOSH ([P] needs mod_proxy + mod_proxy_http). The upstream
# hop is plain HTTP to intux.de:5280; Prosody compensates with
# consider_bosh_secure. If Prosody's :5280 is reachable from the Internet, the
# same BOSH endpoint is also exposed unencrypted there -- bind it to localhost
# or firewall it, and point this rule at 127.0.0.1 if Prosody listens there.
RewriteRule ^/http-bind$ http://intux.de:5280/http-bind [P,L]

ServerAdmin info@intux.de
DocumentRoot /var/www/html/intux
# HSTS for one year, without includeSubDomains (upload./cloud. subdomains exist).
Header always set Strict-Transport-Security "max-age=31536000"
# Wildcard CORS for the whole site, not only for the XEP-0156 files.
Header set Access-Control-Allow-Origin "*"
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
CustomLog /var/log/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

# TLS protocol and cipher defaults come from the certbot snippet.
Include /etc/letsencrypt/options-ssl-apache.conf
ServerName intux.de
ServerAlias www.intux.de

SSLCertificateFile /etc/letsencrypt/live/intux.de-0003/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/intux.de-0003/privkey.pem
</VirtualHost>
</IfModule>

# WebSocket path. Only a timeout and an empty Location are defined here; no
# ProxyPass or RewriteRule for /xmpp-websocket is visible in this listing.
# Unless it lives in another included file, the wss://intux.de:443/xmpp-websocket
# URL advertised in host-meta is served from DocumentRoot, not by Prosody.
<IfModule mod_proxy.c>
<IfModule mod_proxy_wstunnel.c>
ProxyTimeout 900
<Location "/xmpp-websocket"> </Location>
</IfModule>
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Hier die host-meta:

Datei: /var/www/html/intux/.well-known/host-meta
<?xml version='1.0' encoding='utf-8'?>
<!-- XEP-0156 host-meta: advertises the alternative connection methods for
     intux.de. Served as a static file from Apache's DocumentRoot, with the
     CORS header set by the Location block for /.well-known/host-meta. -->
<XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'>
<!-- BOSH, reverse-proxied by Apache to Prosody's /http-bind -->
<Link rel="urn:xmpp:alt-connections:xbosh"
href="https://intux.de/http-bind" />
<!-- WebSocket on 443: needs an Apache proxy rule for /xmpp-websocket, which
     the vhost listing above does not show; verify the endpoint actually
     connects before relying on it. -->
<Link rel="urn:xmpp:alt-connections:websocket"
href="wss://intux.de:443/xmpp-websocket" />
</XRD>

Die Konfiguration der prosody.cfg.lua:

-- Global section: everything above the VirtualHost line applies server-wide.
pidfile = "/var/run/prosody/prosody.pid"

-- Storage in MySQL. Credentials shown here are placeholders; the real config
-- file should be readable by the prosody user only.
storage = "sql"

sql = {
driver = "MySQL";
database = "prosody";
host = "localhost";
username = "bn";
password = "pw";
}

-- Community modules (prosody-modules checkout), e.g. http_altconnect, cloud_notify.
plugin_paths = { "/usr/lib/prosody/prosody-modules" }

admins = {"intux@intux.de" }
modules_enabled = {
"roster";
"saslauth";
"tls";
"dialback";
"disco";
"private";
"blocklist";
"version";
"uptime";
"time";
"ping";
"posix";
"pep";
-- in-band registration; open to everyone because allow_registration = true below
"register";
"admin_adhoc";
"motd";
"welcome";
"proxy65";
"watchregistrations";
-- web registration form and admin UI, served on Prosody's own HTTP port (5280)
"register_web";
"admin_web";
"http_upload_external";
"mam";
"csi";
"carbons";
"smacks";
"lastlog";
"cloud_notify";
-- per its name, lets anyone fetch OMEMO bundles regardless of subscription state
"omemo_all_access";
"server_contact_info";
"profile";
"vcard_legacy";
"pep_vcard_avatar";
-- XEP-0156 pieces: websocket + bosh provide the endpoints, http_altconnect
-- (community module) serves host-meta(.json) from Prosody's HTTP server.
-- What https://intux.de/.well-known/host-meta returns is the static copy
-- under Apache's DocumentRoot, not this module's output.
"websocket";
"bookmarks";
"bosh";
"http_altconnect";
-- XEP-0215 external service discovery, credentials derived from turncredentials_secret
"turncredentials";
}
-- debug level is very verbose (may include stanza contents); "info" is the
-- usual production level.
log = {
debug = "/var/log/prosody/prosody.log";
error = "/var/log/prosody/prosody.err";
}

-- Direct-TLS client port (XEP-0368) in addition to STARTTLS on 5222.
legacy_ssl_ports = { 5223 }

-- MAM off unless the user opts in; stored history expires after "1m"
-- (one month in Prosody's duration syntax, not one minute).
default_archive_policy = false;
archive_expires_after = "1m";

-- Encryption mandatory for clients and peer servers; s2s peers must present
-- a valid certificate. s2s_secure_domains is redundant while s2s_secure_auth
-- is already true globally.
c2s_require_encryption = true
s2s_require_encryption = true
s2s_secure_auth = true
s2s_secure_domains = { "trashserver.net", "jabber.de", "jabber.org", "xmpp.org" }
s2s_insecure_domains = {}

-- XEP-0363 via an external upload service; the secret must match the one
-- configured on upload.intux.de (placeholder here). Limit is 10,000,000 bytes.
http_upload_external_base_url = "https://upload.intux.de/upload/"
http_upload_external_secret = "mysecret"
http_upload_external_file_size_limit = 10000000

proxy65_ports = { 5212 }

-- Salted/hashed credential storage (SCRAM) instead of plaintext passwords.
authentication = "internal_hashed"

-- Shared secret with the TURN server on cloud.intux.de (placeholder here).
turncredentials_host = "cloud.intux.de"
turncredentials_secret = "mysecret"
turncredentials_port = 5349

-- BOSH/WebSocket arrive over plain HTTP from the Apache reverse proxy, so
-- they are declared "secure" to satisfy c2s_require_encryption. This is only
-- sound if the proxy is the sole path to port 5280; a directly reachable
-- 5280 would accept unencrypted sessions that Prosody still treats as secure.
-- cross_domain_* = true is wildcard CORS on Prosody's own endpoints.
consider_websocket_secure = true;
cross_domain_websocket = true;
consider_bosh_secure = true;
cross_domain_bosh = true;

-- Open registration, rate-limited to one account per 300 s per IP, with a
-- static IP blocklist.
allow_registration = true
min_seconds_between_registrations = 300
registration_blacklist = { "83.218.198.86", "109.185.243.100", "93.114.0.93", "93.114.11.136", "92.114.216.80" }

ssl = {
-- "tlsv1_2" without a trailing "+" pins exactly TLS 1.2 in Prosody's protocol
-- syntax (as I read it); "tlsv1_2+" would allow TLS 1.3 as well -- verify.
protocol = "tlsv1_2";
key = "/etc/prosody/certs/privkey.pem";
certificate = "/etc/prosody/certs/fullchain.pem";

-- 4096-bit DH parameters for the EDH fallback suites.
dhparam = "/etc/prosody/certs/dh-4096.pem";

-- OpenSSL cipher string: ECDHE + AEAD first, then SHA-2 suites, EDH fallback,
-- NULL/LOW/3DES/MD5/EXP/PSK/SRP/DSS/RC4/SEED excluded. The line is cut off in
-- this listing (trailing ">" is the editor's wrap marker); check the real file.
ciphers = "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES>

-- no_ticket disables TLS session tickets (no resumption via tickets);
-- cipher_server_preference lets the server pick the suite order.
options = { "no_sslv2", "no_sslv3", "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use" }

}

-- XEP-0157 contact addresses, published by server_contact_info.
contact_info = {
abuse = { "mailto:abuse@intux.de", "xmpp:intux@intux.de" };
admin = { "mailto:admin@intux.de", "xmpp:intux@intux.de" };
feedback = { "mailto:admin@intux.de", "xmpp:intux@intux.de" };
sales = { "mailto:admin@intux.de", "xmpp:intux@intux.de" };
security = { "mailto:admin@intux.de", "xmpp:intux@intux.de" };
support = { "xmpp:admin@intux.de", "xmpp:intux@intux.de" };
}

-- Host section: settings below apply to intux.de / the following components.
VirtualHost "intux.de"

-- SOCKS5 bytestream proxy (XEP-0065), restricted to local users.
Component "proxy.intux.de" "proxy65"

proxy65_acl = { "intux.de" }

-- Multi-user chat; anyone may create rooms, room archiving off by default.
Component "conference.intux.de" "muc"
name = "intux.de Chatrooms"
restrict_room_creation = false
max_history_messages = 500
modules_enabled = {
"mam_muc",
"vcard_muc",
}
muc_log_by_default = false

Compliance status for intux.de 100%. 😀
