-rw-r--r--.newsboat/urls1
-rw-r--r--terminaldweller.com/ejabberd/docker-compose.yaml22
-rw-r--r--terminaldweller.com/ejabberd/ejabberd.yml57
-rw-r--r--terminaldweller.com/haproxy/haproxy.cfg13
4 files changed, 68 insertions, 25 deletions
diff --git a/.newsboat/urls b/.newsboat/urls
index fd81a24..dd06d10 100644
--- a/.newsboat/urls
+++ b/.newsboat/urls
@@ -4,6 +4,7 @@ https://www.cyberciti.biz/atom/atom.xml
https://www.semicolonandsons.com/feed
https://blog.terminaldweller.com/rss/feed
https://suckless.org/atom.xml
+https://microservices.io/feed.xml
# (Youtube)
# Horror
diff --git a/terminaldweller.com/ejabberd/docker-compose.yaml b/terminaldweller.com/ejabberd/docker-compose.yaml
index 3e6de12..81c4c8d 100644
--- a/terminaldweller.com/ejabberd/docker-compose.yaml
+++ b/terminaldweller.com/ejabberd/docker-compose.yaml
@@ -5,25 +5,33 @@ services:
networks:
- ejabberdnet
ports:
- - "80:80"
+ #- "80:80"
- "5222:5222"
- - "127.0.0.1:5269:5269"
+ - "5223:5223"
+ #- "5269:5269"
- "5280:5280"
- "5443:5443"
- - "1883:1883"
- - "127.0.0.1:5080:5080"
+ #- "1883:1883"
+ #- "127.0.0.1:5080:5080"
restart: unless-stopped
volumes:
- ./ejabberd.yml:/home/ejabberd/conf/ejabberd.yml
- - ./acme:/var/lib/ejabberd/acme
- - ./dh:/usr/local/etc/ejabberd
+ - /etc/letsencrypt/archive/chat.terminaldweller.com/:/opt/ejabberd/certs/
+ - ./dh:/usr/local/etc/ejabberd/dh
+ - ./acme:/usr/local/etc/self_signed/
- confs_certs:/home/ejabberd/conf/
- mnesia_db:/home/ejabberd/database/
+ - vault:/var/lib/ejabberd/
+ environment:
+ - XMPP_DOMAIN=chat.terminaldweller.com
+ - ERLANG_NODE=ejabberd
+ #entrypoint: ["tail", "-f", "/dev/null"]
networks:
ejabberdnet:
volumes:
confs_certs:
mnesia_db:
+ vault:
# openssl dhparam -out dhparams.pem 4096
-# certbot certonly --standlone -d chat.terminaldweller.com -e devi@terminaldweller.com --agree-tos --noninteractive --dry-run
+# certbot certonly --standlone -d chat.terminaldweller.com -e devi@terminaldweller.com --agree-tos --noninteractive
# docker exec -it 6eebd16a2385 bin/ejabberdctl register admin chat.terminaldweller.com password
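Review bot: The new bind mount `/etc/letsencrypt/archive/chat.terminaldweller.com/:/opt/ejabberd/certs/` hands the container the whole archive directory read-write, i.e. every historical `privkeyN.pem` as well as the current one; nothing in this hunk needs write access, so append `:ro` at minimum (`- /etc/letsencrypt/archive/chat.terminaldweller.com/:/opt/ejabberd/certs/:ro`). It is also unclear the mount is used at all: the `ejabberd.yml` in this same commit sets `certfiles` to the self-signed `/usr/local/etc/self_signed/ej2.pem` and keeps the `/opt/ejabberd/certs/ejabberd.pem` path commented out, and certbot's key files are normally root-only, so an ejabberd process running unprivileged inside the container would presumably be unable to read them anyway — worth confirming before relying on this mount. The certbot command in the trailing comment has a typo, `--standlone` should be `--standalone`, and now that `--dry-run` was dropped it is the live command someone will paste.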
diff --git a/terminaldweller.com/ejabberd/ejabberd.yml b/terminaldweller.com/ejabberd/ejabberd.yml
index 90d0207..11e4c57 100644
--- a/terminaldweller.com/ejabberd/ejabberd.yml
+++ b/terminaldweller.com/ejabberd/ejabberd.yml
@@ -1,47 +1,68 @@
hosts:
- chat.terminaldweller.com
-loglevel: 4
+auth_method: internal
+auth_password_format: scram # pragma: allowlist secret
+# anonymous_protocol: both
+allow_multiple_connections: true
+loglevel: 5
log_rotate_size: 10485760
log_rotate_count: 1
define_macro:
- 'TLS_CIPHERS': "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
+ 'TLS_CIPHERS': "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:AES256-GCM-SHA384:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:AES128-GCM-SHA256:PSK-AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:AES256-SHA:PSK-AES256-CBC-SHA384:PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA:AES128-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA"
'TLS_OPTIONS':
- - "no_sslv2, no_sslv3, no_tlsv1"
- - "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
+ - "no_sslv2"
+ - "no_sslv3"
+ - "no_tlsv1"
+ - "no_tlsv1_3"
+ - "cipher_server_preference"
+ - "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:AES256-GCM-SHA384:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:AES128-GCM-SHA256:PSK-AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:AES256-SHA:PSK-AES256-CBC-SHA384:PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA:AES128-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA"
- "no_compression"
- 'DH_FILE': "/usr/local/etc/ejabberd/dhparams.pem" # generated with: openssl dhparam -out dhparams.pem 4096
+ 'DH_FILE': "/usr/local/etc/ejabberd/dh/dhparams.pem" # generated with: openssl dhparam -out dhparams.pem 4096
-c2s_dhfile: 'DH_FILE'
-s2s_dhfile: 'DH_FILE'
+#c2s_dhfile: 'DH_FILE'
+#s2s_dhfile: 'DH_FILE'
c2s_ciphers: 'TLS_CIPHERS'
s2s_ciphers: 'TLS_CIPHERS'
c2s_protocol_options: 'TLS_OPTIONS'
s2s_protocol_options: 'TLS_OPTIONS'
-#certfiles:
-# - '/var/lib/ejabberd/acme/ejabberd.pem'
+certfiles:
+ - /usr/local/etc/self_signed/ej2.pem
+ #- '/opt/ejabberd/certs/ejabberd.pem'
+ #- '/var/lib/ejabberd/acme/fullchain1.pem'
+ #- '/var/lib/ejabberd/acme/chain1.pem'
+ #- '/var/lib/ejabberd/acme/cert1.pem'
+ #- '/var/lib/ejabberd/acme/privkey1.pem'
listen:
- port: 5222
- ip: '::'
+ ip: '0.0.0.0'
module: ejabberd_c2s
- max_stanza_size: 262144
+ max_stanza_size: 65536
shaper: c2s_shaper
access: c2s
starttls: true
starttls_required: true
- protocol_options: 'TLS_OPTIONS'
- ciphers: 'TLS_CIPHERS'
- dhfile: 'DH_FILE'
+ #protocol_options: 'TLS_OPTIONS'
+ #ciphers: 'TLS_CIPHERS'
+ #dhfile: 'DH_FILE'
zlib: false
tls_compression: false
+ - port: 5223
+ ip: '0.0.0.0'
+ module: ejabberd_c2s
+ max_stanza_size: 65536
+ shaper: c2s_shaper
+ access: c2s
+ tls: true
+ tls_compression: false
- port: 5269
- ip: '::'
+ ip: '0.0.0.0'
module: ejabberd_s2s_in
max_stanza_size: 524288
- port: 5443
- ip: '::'
+ ip: '0.0.0.0'
module: ejabberd_http
tls: true
protocol_options: 'TLS_OPTIONS'
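Review bot: The new `TLS_CIPHERS` macro (the `+` line under `define_macro`) is a security regression: it appends plain-RSA key exchange (`AES256-SHA`, `AES128-GCM-SHA256`), PSK, SRP and CBC-SHA1 suites to a list that previously allowed only ECDHE AEAD/SHA-2 suites, giving up forward secrecy, and the new `- "no_tlsv1_3"` under `TLS_OPTIONS` switches off the strongest protocol while TLS 1.1 stays enabled (there is no `no_tlsv1_1`). The `TLS_AES_*`/`TLS_CHACHA20_*` names at the head of the string are TLS 1.3 suite names that OpenSSL ignores in a cipher list, so they do not compensate, and with DHE suites now listed while `c2s_dhfile`/`s2s_dhfile` are commented out the server presumably falls back to default DH parameters rather than the 4096-bit `dhparams.pem` the comment describes. I would revert the macro to the previous ECDHE-only list, `'TLS_CIPHERS': "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"`, and replace `- "no_tlsv1_3"` with `- "no_tlsv1_1"`. Note also that the cipher string repeated as the last entry of `TLS_OPTIONS` is not a protocol option and is presumably ignored or rejected, and that `certfiles` now points at a self-signed `ej2.pem` that clients and s2s peers cannot validate; the `listen` sequence continues past the end of this hunk.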
@@ -56,12 +77,12 @@ listen:
'/ws': ejabberd_http_ws
'/oauth': ejabberd_oauth
- port: 5080
- ip: '::'
+ ip: '0.0.0.0'
module: ejabberd_http
request_handlers:
'/admin': ejabberd_web_admin
- port: 1883
- ip: '::'
+ ip: '0.0.0.0'
module: mod_mqtt
backlog: 1000
- port: 3478
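Review bot: The `/admin` listener on 5080 remains plain HTTP (`ejabberd_http` with no `tls: true`), so web-admin credentials travel in cleartext to anything that can reach the container, and changing its `ip` from `'::'` to `'0.0.0.0'` does not narrow that; the same applies to the MQTT listener on 1883. This is only safe because the compose file in this commit no longer publishes 5080 or 1883, so I would pin it explicitly with `ip: '127.0.0.1'` or add `tls: true` so the listener does not become an exposed cleartext admin the next time those port mappings are uncommented. Switching every listener from `'::'` to `'0.0.0.0'` also drops IPv6 listening, which `'::'` covered on a dual-stack host; if that is intentional a one-line comment such as `# IPv4 only: host has no public IPv6` would record it. The `listen` sequence continues past the end of this hunk (port 3478).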
diff --git a/terminaldweller.com/haproxy/haproxy.cfg b/terminaldweller.com/haproxy/haproxy.cfg
index ddc8b82..b21026d 100644
--- a/terminaldweller.com/haproxy/haproxy.cfg
+++ b/terminaldweller.com/haproxy/haproxy.cfg
@@ -123,6 +123,15 @@ frontend jabbber5222
mode http
acl chat-host hdr_sub(host) -i chat.terminaldweller.com
use_backend chat-backend-c2s if chat-host
+frontend jabber5223
+ bind *:5223
+ timeout client 60s
+ mode tcp
+ tcp-request inspect-delay 5s
+ tcp-request content accept if { req.ssl_hello_type 1 }
+ tcp-request content reject
+ acl chat-host-s req.ssl_sni -i chat.terminaldweller.com
+ use_backend chat-auth-backend-s if chat-host-s
frontend jabber5280
bind *:5280
mode http
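Review bot: `timeout client 60s` on the new `jabber5223` frontend is an inactivity timeout, and XMPP client sessions routinely sit idle far longer than a minute, so unless a `timeout tunnel` in the defaults section (outside this hunk) takes over once the inspect rules complete, idle clients will be disconnected every 60s and forced to reconnect. I would raise it to something like `timeout client 1h`, or set `timeout tunnel 1h` on the frontend, and give `chat-auth-backend-s` a matching `timeout server`. The TLS-only gate (`tcp-request content accept if { req.ssl_hello_type 1 }` followed by `tcp-request content reject`) and SNI routing are sound, but a client that omits SNI matches no `use_backend` and, with no `default_backend`, is silently dropped; a comment such as `# no default_backend: non-TLS and unknown-SNI connections are deliberately dropped` would record that this is intended.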
@@ -291,6 +300,10 @@ backend chat-backend-c2s
mode http
option forwardfor
server chat-host 130.185.121.80:5222
+backend chat-auth-backend-s
+ mode tcp
+ option ssl-hello-chk
+ server chat-host 130.185.121.80:5223
#backend chat-cert-backend
# mode http
# server chat-cert-server 130.185.121.80:8880
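Review bot: `option ssl-hello-chk` in `chat-auth-backend-s` has no effect because the `server chat-host 130.185.121.80:5223` line carries no `check` keyword, so no health check runs at all; and if `check` were added, this option sends an SSLv3 ClientHello, which the ejabberd listener — configured with `no_sslv3` in the same commit — may answer with an alert rather than a ServerHello, so the check could fail anyway. A plain TCP check, `server chat-host 130.185.121.80:5223 check`, or `check check-ssl` with a `verify` setting that matches the self-signed certificate currently configured, is more reliable; either way drop `option ssl-hello-chk` if it is not going to be exercised. The backend also sets no `timeout server`, which should match whatever the frontend allows for idle XMPP sessions unless the defaults section (outside this hunk) covers it.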