From 5e90dd671926af0bd30ad90c68a51f6a2fbd2490 Mon Sep 17 00:00:00 2001
From: terminaldweller
Date: Mon, 11 Jul 2022 20:22:42 +0430
Subject: updates
---
 terminaldweller.com/ejabberd/docker-compose.yaml | 22 ++++++---
 terminaldweller.com/ejabberd/ejabberd.yml | 57 ++++++++++++++++--------
 2 files changed, 54 insertions(+), 25 deletions(-)
 (limited to 'terminaldweller.com/ejabberd')
diff --git a/terminaldweller.com/ejabberd/docker-compose.yaml b/terminaldweller.com/ejabberd/docker-compose.yaml
index 3e6de12..81c4c8d 100644
--- a/terminaldweller.com/ejabberd/docker-compose.yaml
+++ b/terminaldweller.com/ejabberd/docker-compose.yaml
@@ -5,25 +5,33 @@ services:
 networks:
 - ejabberdnet
 ports:
- "80:80"
+ #- "80:80"
 - "5222:5222"
- - "127.0.0.1:5269:5269"
+ - "5223:5223"
+ #- "5269:5269"
 - "5280:5280"
 - "5443:5443"
- - "1883:1883"
- - "127.0.0.1:5080:5080"
+ #- "1883:1883"
+ #- "127.0.0.1:5080:5080"
 restart: unless-stopped
 volumes:
 - ./ejabberd.yml:/home/ejabberd/conf/ejabberd.yml
- - ./acme:/var/lib/ejabberd/acme
- - ./dh:/usr/local/etc/ejabberd
+ - /etc/letsencrypt/archive/chat.terminaldweller.com/:/opt/ejabberd/certs/
+ - ./dh:/usr/local/etc/ejabberd/dh
+ - ./acme:/usr/local/etc/self_signed/
 - confs_certs:/home/ejabberd/conf/
 - mnesia_db:/home/ejabberd/database/
+ - vault:/var/lib/ejabberd/
+ environment:
+ - XMPP_DOMAIN=chat.terminaldweller.com
+ - ERLANG_NODE=ejabberd
+ #entrypoint: ["tail", "-f", "/dev/null"]
 networks:
 ejabberdnet:
 volumes:
 confs_certs:
 mnesia_db:
+ vault:
 # openssl dhparam -out dhparams.pem 4096
-# certbot certonly --standlone -d chat.terminaldweller.com -e devi@terminaldweller.com --agree-tos --noninteractive --dry-run
+# certbot certonly --standlone -d chat.terminaldweller.com -e devi@terminaldweller.com --agree-tos --noninteractive
 # docker exec -it 6eebd16a2385 bin/ejabberdctl register admin chat.terminaldweller.com password
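Review bot: The new volume line `- /etc/letsencrypt/archive/chat.terminaldweller.com/:/opt/ejabberd/certs/` mounts the host's certbot archive read-write into the container — that directory holds the `privkey*.pem` files as well as the certificates — while nothing in the new ejabberd.yml `certfiles` reads `/opt/ejabberd/certs` (the only live entry is the self-signed `ej2.pem`, and the `/opt/ejabberd/certs/ejabberd.pem` line is commented out). If the mount stays, add `:ro` to it and to the other key-bearing bind mounts, i.e. `- /etc/letsencrypt/archive/chat.terminaldweller.com/:/opt/ejabberd/certs/:ro`, `- ./dh:/usr/local/etc/ejabberd/dh:ro`, `- ./acme:/usr/local/etc/self_signed/:ro`, so a compromised ejabberd process cannot overwrite or swap the key material; otherwise drop the mount until it is used. The new `#entrypoint: ["tail", "-f", "/dev/null"]` line reads as a debugging leftover and is better removed than kept as commented-out configuration.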
diff --git a/terminaldweller.com/ejabberd/ejabberd.yml b/terminaldweller.com/ejabberd/ejabberd.yml
index 90d0207..11e4c57 100644
--- a/terminaldweller.com/ejabberd/ejabberd.yml
+++ b/terminaldweller.com/ejabberd/ejabberd.yml
@@ -1,47 +1,68 @@
 hosts:
 - chat.terminaldweller.com
-loglevel: 4
+auth_method: internal
+auth_password_format: scram # pragma: allowlist secret
+# anonymous_protocol: both
+allow_multiple_connections: true
+loglevel: 5
 log_rotate_size: 10485760
 log_rotate_count: 1
 define_macro:
- 'TLS_CIPHERS': "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
+ 'TLS_CIPHERS': "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:AES256-GCM-SHA384:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:AES128-GCM-SHA256:PSK-AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:AES256-SHA:PSK-AES256-CBC-SHA384:PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA:AES128-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA"
'TLS_OPTIONS':
- - "no_sslv2, no_sslv3, no_tlsv1"
- - "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
+ - "no_sslv2"
+ - "no_sslv3"
+ - "no_tlsv1"
+ - "no_tlsv1_3"
+ - "cipher_server_preference"
+ - "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:AES256-GCM-SHA384:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:AES128-GCM-SHA256:PSK-AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:AES256-SHA:PSK-AES256-CBC-SHA384:PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA:AES128-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA"
 - "no_compression"
- 'DH_FILE': "/usr/local/etc/ejabberd/dhparams.pem" # generated with: openssl dhparam -out dhparams.pem 4096
+ 'DH_FILE':
"/usr/local/etc/ejabberd/dh/dhparams.pem" # generated with: openssl dhparam -out dhparams.pem 4096 -c2s_dhfile: 'DH_FILE' -s2s_dhfile: 'DH_FILE' +#c2s_dhfile: 'DH_FILE' +#s2s_dhfile: 'DH_FILE' c2s_ciphers: 'TLS_CIPHERS' s2s_ciphers: 'TLS_CIPHERS' c2s_protocol_options: 'TLS_OPTIONS' s2s_protocol_options: 'TLS_OPTIONS' -#certfiles: -# - '/var/lib/ejabberd/acme/ejabberd.pem' +certfiles: + - /usr/local/etc/self_signed/ej2.pem + #- '/opt/ejabberd/certs/ejabberd.pem' + #- '/var/lib/ejabberd/acme/fullchain1.pem' + #- '/var/lib/ejabberd/acme/chain1.pem' + #- '/var/lib/ejabberd/acme/cert1.pem' + #- '/var/lib/ejabberd/acme/privkey1.pem' listen: - port: 5222 - ip: '::' + ip: '0.0.0.0' module: ejabberd_c2s - max_stanza_size: 262144 + max_stanza_size: 65536 shaper: c2s_shaper access: c2s starttls: true starttls_required: true - protocol_options: 'TLS_OPTIONS' - ciphers: 'TLS_CIPHERS' - dhfile: 'DH_FILE' + #protocol_options: 'TLS_OPTIONS' + #ciphers: 'TLS_CIPHERS' + #dhfile: 'DH_FILE' zlib: false tls_compression: false + - port: 5223 + ip: '0.0.0.0' + module: ejabberd_c2s + max_stanza_size: 65536 + shaper: c2s_shaper + access: c2s + tls: true + tls_compression: false - port: 5269 - ip: '::' + ip: '0.0.0.0' module: ejabberd_s2s_in max_stanza_size: 524288 - port: 5443 - ip: '::' + ip: '0.0.0.0' module: ejabberd_http tls: true protocol_options: 'TLS_OPTIONS' @@ -56,12 +77,12 @@ listen: '/ws': ejabberd_http_ws '/oauth': ejabberd_oauth - port: 5080 - ip: '::' + ip: '0.0.0.0' module: ejabberd_http request_handlers: '/admin': ejabberd_web_admin - port: 1883 - ip: '::' + ip: '0.0.0.0' module: mod_mqtt backlog: 1000 - port: 3478 -- cgit v1.2.3