diff options
-rw-r--r-- | .newsboat/urls | 1 | ||||
-rw-r--r-- | terminaldweller.com/ejabberd/docker-compose.yaml | 22 | ||||
-rw-r--r-- | terminaldweller.com/ejabberd/ejabberd.yml | 57 | ||||
-rw-r--r-- | terminaldweller.com/haproxy/haproxy.cfg | 13 |
4 files changed, 68 insertions, 25 deletions
diff --git a/.newsboat/urls b/.newsboat/urls index fd81a24..dd06d10 100644 --- a/.newsboat/urls +++ b/.newsboat/urls @@ -4,6 +4,7 @@ https://www.cyberciti.biz/atom/atom.xml https://www.semicolonandsons.com/feed https://blog.terminaldweller.com/rss/feed https://suckless.org/atom.xml +https://microservices.io/feed.xml # (Youtube) # Horror diff --git a/terminaldweller.com/ejabberd/docker-compose.yaml b/terminaldweller.com/ejabberd/docker-compose.yaml index 3e6de12..81c4c8d 100644 --- a/terminaldweller.com/ejabberd/docker-compose.yaml +++ b/terminaldweller.com/ejabberd/docker-compose.yaml @@ -5,25 +5,33 @@ services: networks: - ejabberdnet ports: - - "80:80" + #- "80:80" - "5222:5222" - - "127.0.0.1:5269:5269" + - "5223:5223" + #- "5269:5269" - "5280:5280" - "5443:5443" - - "1883:1883" - - "127.0.0.1:5080:5080" + #- "1883:1883" + #- "127.0.0.1:5080:5080" restart: unless-stopped volumes: - ./ejabberd.yml:/home/ejabberd/conf/ejabberd.yml - - ./acme:/var/lib/ejabberd/acme - - ./dh:/usr/local/etc/ejabberd + - /etc/letsencrypt/archive/chat.terminaldweller.com/:/opt/ejabberd/certs/ + - ./dh:/usr/local/etc/ejabberd/dh + - ./acme:/usr/local/etc/self_signed/ - confs_certs:/home/ejabberd/conf/ - mnesia_db:/home/ejabberd/database/ + - vault:/var/lib/ejabberd/ + environment: + - XMPP_DOMAIN=chat.terminaldweller.com + - ERLANG_NODE=ejabberd + #entrypoint: ["tail", "-f", "/dev/null"] networks: ejabberdnet: volumes: confs_certs: mnesia_db: + vault: # openssl dhparam -out dhparams.pem 4096 -# certbot certonly --standlone -d chat.terminaldweller.com -e devi@terminaldweller.com --agree-tos --noninteractive --dry-run +# certbot certonly --standlone -d chat.terminaldweller.com -e devi@terminaldweller.com --agree-tos --noninteractive # docker exec -it 6eebd16a2385 bin/ejabberdctl register admin chat.terminaldweller.com password diff --git a/terminaldweller.com/ejabberd/ejabberd.yml b/terminaldweller.com/ejabberd/ejabberd.yml index 90d0207..11e4c57 100644 --- a/terminaldweller.com/ejabberd/ejabberd.yml +++ b/terminaldweller.com/ejabberd/ejabberd.yml @@ -1,47 +1,68 @@ hosts: - chat.terminaldweller.com -loglevel: 4 +auth_method: internal +auth_password_format: scram # pragma: allowlist secret +# anonymous_protocol: both +allow_multiple_connections: true +loglevel: 5 log_rotate_size: 10485760 log_rotate_count: 1 define_macro: - 'TLS_CIPHERS': "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256" + 'TLS_CIPHERS': "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:AES256-GCM-SHA384:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:AES128-GCM-SHA256:PSK-AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:AES256-SHA:PSK-AES256-CBC-SHA384:PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA:AES128-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA" 'TLS_OPTIONS': - - "no_sslv2, no_sslv3, no_tlsv1" - - "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256" + - "no_sslv2" + - "no_sslv3" + - "no_tlsv1" + - "no_tlsv1_3" + - "cipher_server_preference" + - "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:AES256-GCM-SHA384:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:AES128-GCM-SHA256:PSK-AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:AES256-SHA:PSK-AES256-CBC-SHA384:PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA:AES128-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA" - "no_compression" - 'DH_FILE': "/usr/local/etc/ejabberd/dhparams.pem" # generated with: openssl dhparam -out dhparams.pem 4096 + 'DH_FILE': "/usr/local/etc/ejabberd/dh/dhparams.pem" # generated with: openssl dhparam -out dhparams.pem 4096 -c2s_dhfile: 'DH_FILE' -s2s_dhfile: 'DH_FILE' +#c2s_dhfile: 'DH_FILE' +#s2s_dhfile: 'DH_FILE' c2s_ciphers: 'TLS_CIPHERS' s2s_ciphers: 'TLS_CIPHERS' c2s_protocol_options: 'TLS_OPTIONS' s2s_protocol_options: 'TLS_OPTIONS' -#certfiles: -# - '/var/lib/ejabberd/acme/ejabberd.pem' +certfiles: + - /usr/local/etc/self_signed/ej2.pem + #- '/opt/ejabberd/certs/ejabberd.pem' + #- '/var/lib/ejabberd/acme/fullchain1.pem' + #- '/var/lib/ejabberd/acme/chain1.pem' + #- '/var/lib/ejabberd/acme/cert1.pem' + #- '/var/lib/ejabberd/acme/privkey1.pem' listen: - port: 5222 - ip: '::' + ip: '0.0.0.0' module: ejabberd_c2s - max_stanza_size: 262144 + max_stanza_size: 65536 shaper: c2s_shaper access: c2s starttls: true starttls_required: true - protocol_options: 'TLS_OPTIONS' - ciphers: 'TLS_CIPHERS' - dhfile: 'DH_FILE' + #protocol_options: 'TLS_OPTIONS' + #ciphers: 'TLS_CIPHERS' + #dhfile: 'DH_FILE' zlib: false tls_compression: false + - port: 5223 + ip: '0.0.0.0' + module: ejabberd_c2s + max_stanza_size: 65536 + shaper: c2s_shaper + access: c2s + tls: true + tls_compression: false - port: 5269 - ip: '::' + ip: '0.0.0.0' module: ejabberd_s2s_in max_stanza_size: 524288 - port: 5443 - ip: '::' + ip: '0.0.0.0' module: ejabberd_http tls: true protocol_options: 'TLS_OPTIONS' @@ -56,12 +77,12 @@ listen: '/ws': ejabberd_http_ws '/oauth': ejabberd_oauth - port: 5080 - ip: '::' + ip: '0.0.0.0' module: ejabberd_http request_handlers: '/admin': ejabberd_web_admin - port: 1883 - ip: '::' + ip: '0.0.0.0' module: mod_mqtt backlog: 1000 - port: 3478 diff --git a/terminaldweller.com/haproxy/haproxy.cfg b/terminaldweller.com/haproxy/haproxy.cfg index ddc8b82..b21026d 100644 --- a/terminaldweller.com/haproxy/haproxy.cfg +++ b/terminaldweller.com/haproxy/haproxy.cfg @@ -123,6 +123,15 @@ frontend jabbber5222 mode http acl chat-host hdr_sub(host) -i chat.terminaldweller.com use_backend chat-backend-c2s if chat-host +frontend jabber5223 + bind *:5223 + timeout client 60s + mode tcp + tcp-request inspect-delay 5s + tcp-request content accept if { req.ssl_hello_type 1 } + tcp-request content reject + acl chat-host-s req.ssl_sni -i chat.terminaldweller.com + use_backend chat-auth-backend-s if chat-host-s frontend jabber5280 bind *:5280 mode http @@ -291,6 +300,10 @@ backend chat-backend-c2s mode http option forwardfor server chat-host 130.185.121.80:5222 +backend chat-auth-backend-s + mode tcp + option ssl-hello-chk + server chat-host 130.185.121.80:5223 #backend chat-cert-backend # mode http # server chat-cert-server 130.185.121.80:8880 |