Diffstat (limited to '')
-rw-r--r-- | terminaldweller.com/ejabberd/docker-compose.yaml | 9 | ||||
-rw-r--r-- | terminaldweller.com/ejabberd/ejabberd.yml | 42 | ||||
-rw-r--r-- | terminaldweller.com/haproxy/haproxy.cfg | 196 |
3 files changed, 220 insertions, 27 deletions
diff --git a/terminaldweller.com/ejabberd/docker-compose.yaml b/terminaldweller.com/ejabberd/docker-compose.yaml
index cafe707..9b93896 100644
--- a/terminaldweller.com/ejabberd/docker-compose.yaml
+++ b/terminaldweller.com/ejabberd/docker-compose.yaml
@@ -5,14 +5,19 @@ services:
 networks:
 - ejabberdnet
 ports:
+ - "80:80"
 - "5222:5222"
 - "127.0.0.1:5269:5269"
 - "5280:5280"
- - "127.0.0.1:5443:5443"
+ - "5443:5443"
 - "127.0.0.1:1883:1883"
- - "5080:5080"
+ - "127.0.0.1:5080:5080"
 restart: unless-stopped
 volumes:
 - ./ejabberd.yml:/home/ejabberd/conf/ejabberd.yml
+ - ./acme:/var/lib/ejabberd/acme
+ - ./dh:/usr/local/etc/ejabberd
 networks:
 ejabberdnet:
+# openssl dhparam -out dhparams.pem 4096
+# sudo certbot certonly --standalone --email devi@terminaldweller.com --non-interactive --agree-tos -d chat.terminaldweller.com --preferred-challenges http
diff --git a/terminaldweller.com/ejabberd/ejabberd.yml b/terminaldweller.com/ejabberd/ejabberd.yml
index 6257515..87eb940 100644
--- a/terminaldweller.com/ejabberd/ejabberd.yml
+++ b/terminaldweller.com/ejabberd/ejabberd.yml
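Review bot: `- "5280:5280"` is now a stale publish: the ejabberd.yml hunk in this same commit moves that HTTP listener from 5280 to 80, so nothing inside the container answers on 5280 any more while the host port stays open, and the haproxy hunk still forwards its `jabber5280` frontend to port 5280 on the chat host (assuming that is this box). The new `- "80:80"` also collides with the `certbot certonly --standalone` command recorded in the trailing comment, which has to bind host port 80 itself, so issuance can only succeed while the stack is down. I would drop the 5280 mapping and extend the comment to say when certbot may run, e.g. `# run certbot only while the stack is stopped: port 80 is held by the container`, or switch to a webroot challenge served through the container's port-80 listener.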
@@ -3,9 +3,26 @@ hosts:
 loglevel: 4
 log_rotate_size: 10485760
-log_rotate_date: ''
 log_rotate_count: 1
-log_rate_limit: 100
+
+define_macro:
+ 'TLS_CIPHERS': "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
+ 'TLS_OPTIONS':
+ - "no_sslv2, no_sslv3, no_tlsv1"
+ - "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
+ - "no_compression"
+ 'DH_FILE': "/usr/local/etc/ejabberd/dhparams.pem" # generated with: openssl dhparam -out dhparams.pem 4096
+
+c2s_dhfile: 'DH_FILE'
+s2s_dhfile: 'DH_FILE'
+c2s_ciphers: 'TLS_CIPHERS'
+s2s_ciphers: 'TLS_CIPHERS'
+c2s_protocol_options: 'TLS_OPTIONS'
+s2s_protocol_options: 'TLS_OPTIONS'
+certfiles:
+ - '/var/lib/ejabberd/acme/ejabberd.pem'
+
+auth_password_format: scram
 
 listen:
 - port: 5222
@@ -14,7 +31,13 @@ listen:
 max_stanza_size: 262144
 shaper: c2s_shaper
 access: c2s
+ starttls: true
 starttls_required: true
+ protocol_options: 'TLS_OPTIONS'
+ ciphers: 'TLS_CIPHERS'
+ dhfile: 'DH_FILE'
+ zlib: false
+ tls_compression: false
 - port: 5269
 ip: '::'
 module: ejabberd_s2s_in
@@ -22,6 +45,10 @@ listen:
 - port: 5443
 ip: '::'
 module: ejabberd_http
+ tls: true
+ protocol_options: 'TLS_OPTIONS'
+ ciphers: 'TLS_CIPHERS'
+ dhfile: 'DH_FILE'
 request_handlers:
 '/admin': ejabberd_web_admin
 '/api': mod_http_api
@@ -45,7 +72,7 @@ listen:
 use_turn: true
 turn_min_port: 49152
 turn_max_port: 65535
- turn_ip: 0.0.0.0
+ turn_ipv4_address: 0.0.0.0
 - port: 5349
 transport: tcp
 module: ejabberd_stun
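Review bot: The `TLS_OPTIONS` macro is not a well-formed protocol_options list: its first item packs three options into one comma-separated string (`"no_sslv2, no_sslv3, no_tlsv1"`), and its second item repeats the cipher string, which is not a protocol option at all — ciphers already reach the listeners through `c2s_ciphers`/`s2s_ciphers` and the per-listener `ciphers:`. Whether fast_tls rejects or silently ignores tokens it does not recognise depends on the ejabberd version, so the intended disabling of SSLv2/SSLv3/TLS 1.0 may simply not take effect, and TLS 1.1 is not disabled at all. ejabberd expects one option per list item; the macro should read as below, with `TLS_CIPHERS` and `DH_FILE` left as they are.
```yaml
define_macro:
  # … unchanged: TLS_CIPHERS, DH_FILE …
  'TLS_OPTIONS':
    - "no_sslv2"
    - "no_sslv3"
    - "no_tlsv1"
    - "no_tlsv1_1"
    - "no_compression"
```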
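Review bot: `turn_ipv4_address: 0.0.0.0` in the 3478 STUN/TURN listener (and again in the 5349 listener in the next hunk) looks wrong as a value: as I read the ejabberd option, this is the address the server advertises to TURN clients in relayed candidates, not a bind address, so 0.0.0.0 gives clients nothing reachable; the rename from `turn_ip` carried the old value over with the same semantics. The listener's own `ip: 0.0.0.0` is fine; `turn_ipv4_address` should carry the host's routable IPv4, i.e. `turn_ipv4_address: <public IPv4 of the chat host>` (placeholder). Please confirm against the docs of the ejabberd release in use, where the option has no default.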
@@ -54,8 +81,8 @@ listen:
 turn_min_port: 49152
 turn_max_port: 65535
 ip: 0.0.0.0
- turn_ip: 0.0.0.0
- - port: 5280
+ turn_ipv4_address: 0.0.0.0
+ - port: 80
 module: ejabberd_http
 tls: false
 request_handlers:
@@ -73,7 +100,7 @@ acl:
 - ::FFFF:127.0.0.1/128
 admin:
 user:
- - 'admin@localhost'
+ - 'admin@chat.terminaldweller.com'
 
 access_rules:
 local:
@@ -152,8 +179,9 @@ shaper_rules:
 max_fsm_queue: 10000
 acme:
+ auto: false
 contact: 'mailto:devi@terminaldweller.com'
- ca_url: 'https://acme-v01.api.letsencrypt.org'
+ ca_url: 'https://acme-staging-v02.api.letsencrypt.org'
 oauth_expire: 31536000
 oauth_access: all
diff --git a/terminaldweller.com/haproxy/haproxy.cfg b/terminaldweller.com/haproxy/haproxy.cfg
index f1c288e..f406de4 100644
--- a/terminaldweller.com/haproxy/haproxy.cfg
+++ b/terminaldweller.com/haproxy/haproxy.cfg
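Review bot: The listener moved from 5280 to 80 keeps `tls: false`, and the docker-compose change in this commit publishes that port on every interface; its `request_handlers:` list continues past the hunk, so I cannot see what it serves — if `/admin` or `/api` are still attached to it, web-admin credentials and API tokens cross the network in clear. I would restrict this listener to what genuinely needs plain HTTP (the ACME well-known path, or a redirect to the `tls: true` listener on 5443) and state that in a comment next to it, e.g. `# plain HTTP: ACME challenge / redirect only, no admin or api handlers here`.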
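Review bot: `ca_url` now points at the Let's Encrypt staging directory, which issues certificates chained to a test root that clients do not trust; with `auto: false` nothing is requested today, but as soon as `auto` is switched back on, ejabberd would obtain a certificate every XMPP client rejects. If staging is deliberate for testing, say so in place, `ca_url: 'https://acme-staging-v02.api.letsencrypt.org' # staging: test-only, switch to acme-v02 before enabling auto`; otherwise use the production v2 endpoint `https://acme-v02.api.letsencrypt.org/directory`. Some ejabberd releases expect the `/directory` suffix on v2 URLs, which the staging value here lacks, so check the release notes for the version deployed.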
@@ -14,64 +14,224 @@ resolvers docker_resolver nameserver dns 127.0.0.11:53 #Frontends -frontend front +frontend http bind *:80 - bind *:443 - mode tcp - timeout client 60s + mode http #ACLs acl letsencrypt-acl path_beg /.well-known/acme-challenge/ acl blog-host hdr_sub(host) -i blog.terminaldweller.com acl mail-host hdr_sub(host) -i mail.terminaldweller.com - acl mail-host-s req.ssl_sni -i mail.terminaldweller.com acl api-host hdr_sub(host) -i api.terminaldweller.com acl chat-host hdr_sub(host) -i chat.terminaldweller.com - acl chat-host-s req.ssl_sni -i chat.terminaldweller.com - #Consitions - use_backend certbot-backend if letsencrypt-acl + #Conditions + #use_backend chat-cert-backend if letsencrypt-acl chat-host + use_backend blog-backend-cert if letsencrypt-acl blog-host + use_backend api-backend-cert if letsencrypt-acl api-host + use_backend certbot-backend if letsencrypt-acl !chat-host !blog-host !api-host use_backend blog-backend if blog-host use_backend mail-backend if mail-host - use_backend mail-backend-s if mail-host-s use_backend api-backend if api-host - use_backend chat-backend-s if chat-host-s + #use_backend chat-backend if chat-host default_backend blog-backend +frontend https + bind *:443 + timeout client 60s + mode tcp + tcp-request inspect-delay 5s + tcp-request content accept if { req.ssl_hello_type 1 } + tcp-request content reject + #ACLs + acl mail-host-s req.ssl_sni -i mail.terminaldweller.com + #acl chat-host-s req.ssl_sni -i chat.terminaldweller.com + acl blog-host-s req.ssl_sni -i blog.terminaldweller.com + acl api-host-s req.ssl_sni -i api.terminaldweller.com + #Conditions + use_backend mail-backend-s if mail-host-s + #use_backend chat-backend-s if chat-host-s + use_backend blog-backend-s if blog-host-s + use_backend api-backend-s if api-host-s + +frontend jabber5222 + bind *:5222 + timeout client 60s + mode tcp + tcp-request inspect-delay 5s + tcp-request content accept if { req.ssl_hello_type 1 } + tcp-request content reject + acl 
chat-host-s req.ssl_sni -i chat.terminaldweller.com + use_backend chat-backend-c2s if chat-host-s +frontend jabber5280 + bind *:5280 + mode http + acl chat-host hdr_sub(host) -i chat.terminaldweller.com + use_backend chat-backend-admin if chat-host +frontend jabber5443 + bind *:5443 + timeout client 60s + mode tcp + tcp-request inspect-delay 5s + tcp-request content accept if { req.ssl_hello_type 1 } + tcp-request content reject + acl chat-host-s req.ssl_sni -i chat.terminaldweller.com + use_backend chat-backend-s if chat-host-s + +frontend mail-imap + bind *:143 + mode http + acl mail-host hdr_sub(host) -i mail.terminaldweller.com + use_backend mail-backend-imap if mail-host +frontend mail-imaps + bind *:993 + timeout client 60s + mode tcp + tcp-request inspect-delay 5s + tcp-request content accept if { req.ssl_hello_type 1 } + tcp-request content reject + acl mail-host-s req.ssl_sni -i mail.terminaldweller.com + use_backend mail-backend-imaps if mail-host-s +frontend mail-pop3 + bind *:110 + mode http + acl mail-host hdr_sub(host) -i mail.terminalweller.com + use_backend mail-backend-pop3 if mail-host +frontend mail-pop3s + bind *:995 + timeout client 60s + mode tcp + tcp-request inspect-delay 5s + tcp-request content accept if { req.ssl_hello_type 1 } + tcp-request content reject + acl mail-host-s req.ssl_sni -i mail.terminaldweller.com + use_backend mail-backend-pop3s if mail-host-s +frontend mail-smtp + bind *:25 + timeout client 60s + mode tcp + tcp-request inspect-delay 5s + tcp-request content accept if { req.ssl_hello_type 1 } + tcp-request content reject + acl mail-host req.ssl_sni -i mail.terminaldweller.com + use_backend mail-backend-smtp if mail-host +frontend mail-smtps + bind *:465 + timeout client 60s + mode tcp + tcp-request inspect-delay 5s + tcp-request content accept if { req.ssl_hello_type 1 } + tcp-request content reject + acl mail-host-s req.ssl_sni -i mail.terminaldweller.com + use_backend mail-backend-smtps if mail-host-s +frontend 
mail-submission + bind *:587 + timeout client 60s + mode tcp + tcp-request inspect-delay 5s + tcp-request content accept if { req.ssl_hello_type 1 } + tcp-request content reject + acl mail-host-s req.ssl_sni -i mail.terminaldweller.com + use_backend mail-backend-submission if mail-host-s + + #Backends backend certbot-backend + mode http server nginx nginx:80 resolvers docker_resolver check init-addr none backend blog-backend mode http option forwardfor server blog-host 192.99.102.52:9000 check +backend blog-backend-cert + mode http + option forwardfor + server blog-host 192.99.102.52:80 +backend blog-backend-s + timeout server 60s + timeout client 60s + mode tcp + option ssl-hello-chk + server blog-host 192.99.102.52:9000 check backend mail-backend mode http option forwardfor - server mail-host 185.126.202.69:80 check - + server mail-host 185.126.202.69:80 backend mail-backend-s timeout server 60s timeout client 60s mode tcp + option ssl-hello-chk + server mail-host 185.126.202.69:443 check +backend mail-backend-imap + mode http + option forwardfor + server mail-host 185.126.202.69:143 check +backend mail-backend-imaps + timeout server 60s + timeout client 60s + mode tcp + option ssl-hello-chk + server mail-host 185.126.202.69:993 check +backend mail-backend-pop3 + mode http option forwardfor + server mail-host 185.126.202.69:110 check +backend mail-backend-pop3s + timeout server 60s + timeout client 60s + mode tcp + option ssl-hello-chk + server mail-host 185.126.202.69:995 check +backend mail-backend-smtp + timeout server 60s + timeout client 60s + mode tcp + option ssl-hello-chk + server mail-host 185.126.202.69:25 check +backend mail-backend-smtps + timeout server 60s + timeout client 60s + mode tcp option ssl-hello-chk - server mail-host-s 185.126.202.69:443 check + server mail-host 185.126.202.69:465 check +backend mail-backend-submission + timeout server 60s + timeout client 60s + mode tcp + option ssl-hello-chk + server mail-host 185.126.202.69:587 backend 
api-backend mode http option forwardfor server api-host 192.99.102.52:8008 check - -backend chat-backend +backend api-backend-s + timeout server 60s + timeout client 60s + mode tcp + option ssl-hello-chk + server api-host 192.99.102.52:8008 +backend api-backend-cert mode http option forwardfor - server chat-host 87.236.209.206:5280 check + server api-host 192.99.102.52:80 +backend chat-backend-admin + mode http + server chat-host 130.185.121.80:5280 check backend chat-backend-s timeout server 60s timeout client 60s mode tcp - option forwardfor option ssl-hello-chk - server chat-host-s 87.236.209.206:5280 check + server chat-host 130.185.121.80:5443 +backend chat-backend-c2s + timeout server 60s + timeout client 60s + mode tcp + option ssl-hello-chk + server chat-host 130.185.121.80:5222 +backend chat-cert-backend + mode http + server chat-cert-server 130.185.121.80:80 |
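Review bot: `acl mail-host hdr_sub(host) -i mail.terminalweller.com` in `frontend mail-pop3` misspells the domain (missing `d`), so the ACL never matches and, with no default_backend, every POP3 connection on 110 is dropped. The plaintext mail ports have a deeper problem: `mail-imap` (143) and `mail-pop3` (110) run in `mode http` with a Host-header ACL although IMAP and POP3 are not HTTP, and `mail-smtp` (25) and `mail-submission` (587) gate on `req.ssl_hello_type 1`, which only matches an immediate TLS ClientHello — SMTP on 25 starts in clear and upgrades via STARTTLS, so inbound mail is rejected (587 too, unless the backend speaks implicit TLS there), and `option ssl-hello-chk` on those backends marks the server down because the health check sends a ClientHello to a plaintext port. Those ports cannot be routed by name; they need plain `mode tcp` passthrough to the single mail host, as sketched below for POP3. Smaller things worth a second look: `frontend http` dropped `timeout client 60s`, and `mail-backend` and `api-backend-s` lost their `check`.
```haproxy
frontend mail-pop3
    bind *:110
    mode tcp
    timeout client 60s
    default_backend mail-backend-pop3
# … same shape for mail-imap (143), mail-smtp (25) and mail-submission (587) …

backend mail-backend-pop3
    mode tcp
    timeout server 60s
    server mail-host 185.126.202.69:110 check
# … unchanged: the TLS-only frontends and backends …
```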