prosody-0.11.4 on OpenBSD 6.7
Simply :
# pkg_add prosody
Ports 5222 (client to server, c2s) and 5269 (server to server, s2s) are required, so do not forget to open them in your pf.conf.
Obtaining your certificate is already well described by Roman Zolotarev here.
You will obtain :
/etc/ssl/mydomain.com.fullchain.pem
/etc/ssl/private/mydomain.com.key
The user or group _prosody must be able to read these files, but acme-client will return warnings if the private key is readable by anyone other than root. So choose a folder where you can copy them and make them safely available to _prosody (configuration files and other certs are stored in /etc/prosody/). The copy of the key should be owned by root:_prosody with mode 0640, and the folder itself must not be writable by _prosody, otherwise a compromised prosody process could replace the certificate it serves.
If you have followed Roman Zolotarev's tutorial (link above), you have probably set up automatic renewal with crontab. You can just add two cp commands so that the keys used by prosody are updated too, followed by a prosody reload so the new certificate is served without a restart. Note that acme-client exits 0 only when the certificate was actually renewed (and 2 when it is still valid), so the commands after && run only on renewal, which is what you want. Also note that cp keeps the mode of an existing destination file but gives a new one the mode from your umask (usually world-readable), so set the permissions of the copies by hand once (root:_prosody, 0640 for the key) before relying on this line; install(1) with -o, -g and -m is the safer alternative.
crontab
0 0 * * * acme-client mydomain.com && rcctl reload httpd && cp /etc/ssl/mydomain.com.fullchain.pem /path_to_your_keys/mydomain.com.fullchain.pem && cp /etc/ssl/private/mydomain.com.key /path_to_your_keys/mydomain.com.key && prosodyctl reload
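A renewal hook for the crontab line above, as an added example that is not part of the original page: it installs the two files with an explicit owner and mode instead of relying on cp and the umask, refuses to deploy a key that does not match the certificate, replaces each file atomically, and reloads prosody. The destination directory /etc/prosody/certs, the script name deploy-prosody-certs.sh and the 0640 mode for the key are my assumptions.

```sh
#!/bin/sh
# Added example (not from the original page): install a renewed Let's Encrypt
# certificate and key for prosody with explicit owner and mode, check that the
# key actually matches the certificate, then reload prosody.
# Assumed (not from the page): /etc/prosody/certs as destination, group _prosody.
set -eu

SRC_CERT=/etc/ssl/mydomain.com.fullchain.pem
SRC_KEY=/etc/ssl/private/mydomain.com.key
DST_DIR=/etc/prosody/certs

# key_matches_cert CERT KEY
# Compare the public key embedded in the certificate with the public key
# derived from the private key; a mismatch would make every TLS handshake fail.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# deploy_file SRC DST MODE OWNER GROUP
# cp(1) would give a new file the mode from the umask (typically 0644, i.e.
# world-readable), so use install(1) with an explicit owner and mode, then
# replace the target atomically with mv(1) so prosody never reads a partial file.
deploy_file() {
    src=$1; dst=$2; mode=$3; owner=$4; group=$5
    install -o "$owner" -g "$group" -m "$mode" "$src" "$dst.tmp"
    mv -f "$dst.tmp" "$dst"
}

main() {
    key_matches_cert "$SRC_CERT" "$SRC_KEY" || {
        echo "certificate and key do not match, not deploying" >&2
        exit 1
    }
    # The certificate is public; the key must be readable by root and _prosody only.
    deploy_file "$SRC_CERT" "$DST_DIR/mydomain.com.fullchain.pem" 0644 root _prosody
    deploy_file "$SRC_KEY"  "$DST_DIR/mydomain.com.key"           0640 root _prosody
    # prosody re-reads its certificates on reload; no restart, no dropped sessions.
    prosodyctl reload
}

# Only deploy when invoked as "deploy-prosody-certs.sh run", so the functions
# above can also be sourced and exercised on their own.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Save it as /usr/local/sbin/deploy-prosody-certs.sh (mode 0700, owned by root) and replace the two cp commands in the crontab line with /usr/local/sbin/deploy-prosody-certs.sh run; the paths in the script must match the key and certificate paths in the ssl section of prosody.cfg.lua.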
Configuration is usually stored in /etc/prosody/prosody.cfg.lua.
Below is an example of a basic and secure configuration :
prosody.cfg.lua example
-- Set it to the XMPP admin account on the server
admins = { "admin@mydomain.com" }
-- Drop privileges
prosody_user = "_prosody"
prosody_group = "_prosody"
-- Enable POSIX-only options
daemonize = true
pidfile = "/var/prosody/prosody.pid"
modules_enabled = {
-- Generally required
"roster"; -- Allow users to have a roster. Recommended ;)
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
"tls"; -- Add support for secure TLS on c2s/s2s connections
"dialback"; -- s2s dialback support
"disco"; -- Service discovery
-- Not essential, but recommended
"carbons"; -- Keep multiple clients in sync
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
"private"; -- Private XML storage (for room bookmarks, etc.)
"blocklist"; -- Allow users to block communications with other users
"vcard4"; -- User profiles (stored in PEP)
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
-- Nice to have
"version"; -- Replies to server version requests
"uptime"; -- Report how long server has been running
"time"; -- Let others know the time here on this server
"ping"; -- Replies to XMPP pings with pongs
"register"; -- Allow users to register on this server using a client and change passwords
-- Admin interfaces
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
}
allow_registration = false
c2s_require_encryption = true
s2s_require_encryption = true
s2s_secure_auth = true
authentication = "internal_hashed" -- Store salted password hashes, never plaintext passwords
archive_expires_after = "1w" -- Remove archived messages after 1 week (only takes effect if the "mam" module is enabled)
log = {
info = "/var/prosody/prosody.log"; -- Check the path and file permissions for _prosody
error = "/var/prosody/prosody.err"; -- Check the path and file permissions for _prosody
}
certificates = "certs"
VirtualHost "mydomain.com" -- Change it to your domain
ssl = {
-- Normal options
key = "/path_to_your_keys/mydomain.com.key";
certificate = "/path_to_your_keys/mydomain.com.fullchain.pem";
}
To obtain a more secure TLS configuration, I add protocol = "tlsv1_1+";
to allow only TLS 1.1 and later, which disables SSLv3 and TLS 1.0. TLS 1.1 is itself deprecated (RFC 8996); unless you have to support old clients, prefer protocol = "tlsv1_2+"; instead.
To be able to use DHE-based ciphers (kEDH in the cipher list below), I generate the needed DH parameters with
# openssl dhparam -out /etc/prosody/certs/dh-2048.pem 2048
Be sure that this file is readable by _prosody (it contains no secret, so mode 0644 is fine). Then add dhparam = "/etc/prosody/certs/dh-2048.pem".
I add the following line to select the enabled ciphers (see ciphers(1) in the official openssl documentation if needed) :
in prosody.cfg.lua
ciphers = "HIGH+kEDH:HIGH+kEECDH:!RSA:!SRP:!PSK:!3DES:!aNULL";
That will allow :
HIGH-strength cipher suites using ephemeral DH key exchange (HIGH+kEDH) or ephemeral ECDH key exchange (HIGH+kEECDH), so every session has forward secrecy.
Also we explicitly disable :
static RSA key exchange (!RSA, no forward secrecy; suites authenticated with your RSA certificate such as ECDHE-RSA stay enabled), SRP (!SRP) and PSK (!PSK) suites, 3DES (!3DES, 64-bit block cipher) and unauthenticated suites (!aNULL).
You can check what the list expands to on the server with openssl ciphers -v followed by the string above.
All of that modifies the ssl section of prosody.cfg.lua as:
in prosody.cfg.lua
VirtualHost "mydomain.com"
ssl = {
-- Normal options
key = "/path_to_your_keys/mydomain.com.key";
certificate = "/path_to_your_keys/mydomain.com.fullchain.pem";
-- Advanced options
protocol = "tlsv1_1+";
dhparam = "/etc/prosody/certs/dh-2048.pem";
ciphers = "HIGH+kEDH:HIGH+kEECDH:!RSA:!SRP:!PSK:!3DES:!aNULL";
-- Prefer the server's cipher order and disable TLS compression (CRIME)
options = { cipher_server_preference = true, no_compression = true };
}
Before the first start, run prosodyctl check config and prosodyctl check certs to catch typos in the configuration and key or certificate files that _prosody cannot read. You can start your XMPP server with :
# prosodyctl start
Use rcctl enable prosody so it is started again at boot. You can add your first user with :
# prosodyctl adduser admin@mydomain.com
To verify the TLS settings from outside, connect with openssl s_client -connect mydomain.com:5222 -starttls xmpp and check the negotiated protocol and cipher in its output.
Should you have any comment on this page, get in touch !