blob: 58a5595a769d23ceee5a968d67336334e6ece589 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
|
hosts:
- jabber.terminaldweller.com
auth_method: internal
auth_password_format: scram # pragma: allowlist secret
# anonymous_protocol: both
allow_multiple_connections: true
loglevel: 5
log_rotate_size: 10485760
log_rotate_count: 1
default_db: mnesia
define_macro:
'TLS_CIPHERS': "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:AES256-GCM-SHA384:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:AES128-GCM-SHA256:PSK-AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:AES256-SHA:PSK-AES256-CBC-SHA384:PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA:AES128-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA"
'TLS_OPTIONS':
- "no_sslv2"
- "no_sslv3"
- "no_tlsv1"
- "no_tlsv1_1"
- "no_tlsv1_2"
- "cipher_server_preference"
- "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:AES256-GCM-SHA384:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:AES128-GCM-SHA256:PSK-AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:AES256-SHA:PSK-AES256-CBC-SHA384:PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA:AES128-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA"
- "no_compression"
'DH_FILE': "/usr/local/etc/ejabberd/dh/dhparams.pem" # generated with: openssl dhparam -out dhparams.pem 4096
c2s_dhfile: 'DH_FILE'
s2s_dhfile: 'DH_FILE'
c2s_ciphers: 'TLS_CIPHERS'
s2s_ciphers: 'TLS_CIPHERS'
c2s_protocol_options: 'TLS_OPTIONS'
s2s_protocol_options: 'TLS_OPTIONS'
certfiles:
# - /usr/local/etc/self_signed/ej2.pem
- /opt/ejabberd/certs/ejabberd.pem # cat privkey1.pem fullchain1.pem > ejabberd.pem
#- '/var/lib/ejabberd/acme/fullchain1.pem'
#- '/var/lib/ejabberd/acme/chain1.pem'
#- '/var/lib/ejabberd/acme/cert1.pem'
#- '/var/lib/ejabberd/acme/privkey1.pem'
listen:
- port: 5222
ip: '0.0.0.0'
module: ejabberd_c2s
max_stanza_size: 65536
shaper: c2s_shaper
access: c2s
starttls: true
starttls_required: true
protocol_options: 'TLS_OPTIONS'
ciphers: 'TLS_CIPHERS'
dhfile: 'DH_FILE'
zlib: false
tls_compression: false
- port: 5223
ip: '0.0.0.0'
module: ejabberd_c2s
max_stanza_size: 65536
shaper: c2s_shaper
access: c2s
protocol_options: 'TLS_OPTIONS'
ciphers: 'TLS_CIPHERS'
dhfile: 'DH_FILE'
tls: true
tls_compression: false
- port: 5269
ip: '0.0.0.0'
module: ejabberd_s2s_in
max_stanza_size: 524288
- port: 5270
ip: '0.0.0.0'
module: ejabberd_s2s_in
max_stanza_size: 524288
protocol_options: 'TLS_OPTIONS'
ciphers: 'TLS_CIPHERS'
dhfile: 'DH_FILE'
tls: true
- port: 5443
ip: '0.0.0.0'
module: ejabberd_http
tls: true
protocol_options: 'TLS_OPTIONS'
ciphers: 'TLS_CIPHERS'
dhfile: 'DH_FILE'
request_handlers:
#'/admin': ejabberd_web_admin
'/api': mod_http_api
'/bosh': mod_bosh
'/captcha': ejabberd_captcha
'/upload': mod_http_upload
'/ws': ejabberd_http_ws
'/oauth': ejabberd_oauth
#'/.well-known/host-meta': mod_host_meta
#'/.well-known/host-meta.json': mod_host_meta
- port: 443
ip: '0.0.0.0'
module: ejabberd_http
tls: true
protocol_options: 'TLS_OPTIONS'
ciphers: 'TLS_CIPHERS'
dhfile: 'DH_FILE'
request_handlers:
'/.well-known/host-meta': mod_host_meta
'/.well-known/host-meta.json': mod_host_meta
'/admin': ejabberd_web_admin
- port: 5080
ip: '0.0.0.0'
module: ejabberd_http
request_handlers:
'/admin': ejabberd_web_admin
- port: 1883
ip: '0.0.0.0'
module: mod_mqtt
backlog: 1000
- port: 3478
transport: udp
module: ejabberd_stun
use_turn: true
turn_min_port: 49152
turn_max_port: 65535
turn_ipv4_address: 0.0.0.0
- port: 5349
transport: tcp
module: ejabberd_stun
use_turn: true
tls: true
turn_min_port: 49152
turn_max_port: 65535
ip: 0.0.0.0
turn_ipv4_address: 0.0.0.0
- port: 80
module: ejabberd_http
tls: false
request_handlers:
/.well-known/acme-challenge: ejabberd_acme
s2s_use_starttls: optional
acl:
local:
user_regexp: ''
loopback:
ip:
- 127.0.0.0/8
- ::1/128
- ::FFFF:127.0.0.1/128
admin:
user:
- 'admin@jabber.terminaldweller.com'
access_rules:
local:
allow: local
c2s:
deny: blocked
allow: all
announce:
allow: admin
configure:
allow: admin
muc_create:
allow: admin
pubsub_createnode:
allow: admin
trusted_network:
allow: loopback
api_permissions:
'console commands':
from:
- ejabberd_ctl
who: all
what: '*'
'admin access':
who:
access:
allow:
acl: admin
oauth:
scope: 'ejabberd:admin'
access:
allow:
acl: admin
what:
- '*'
- '!stop'
- '!start'
'public commands':
who:
ip: 127.0.0.1/8
what:
- '*'
- connected_users_number
'web admin':
who:
- access:
- allow:
- acl: loopback
- acl: admin
- oauth:
- scope: 'sasl_auth'
- access:
- allow:
- acl: loopback
- acl: admin
what:
- '*'
- '!stop'
- '!start'
shaper:
normal: 1000
fast: 50000
shaper_rules:
max_user_sessions: 10000
max_user_offline_messages:
5000: admin
100: all
c2s_shaper:
none: admin
normal: all
s2s_shaper: fast
max_fsm_queue: 10000
acme:
# for auto ACME requests, we need this to be true
auto: false
contact:
- mailto:devi@terminaldweller.com
ca_url: https://acme-v02.api.letsencrypt.org/directory
oauth_expire: 31536000
oauth_access: all
modules:
mod_stun_disco:
credentials_lifetime: 12h
services:
- host: 0.0.0.0
port: 3478
type: stun
transport: udp
restricted: false
- host: 0.0.0.0
port: 3478
type: turn
transport: udp
restricted: true
- host: rtcdev.site
port: 5349
type: stun
transport: tcp
restricted: false
- host: rtcdev.site
port: 5349
type: turn
transport: tcp
restricted: true
mod_adhoc: {}
mod_admin_extra: {}
mod_announce:
access: announce
mod_avatar: {}
mod_blocking: {}
mod_bosh: {}
mod_caps: {}
mod_carboncopy: {}
mod_client_state: {}
mod_configure: {}
mod_disco:
server_info:
-
modules: all
name: "abuse-addresses"
urls: ["mailto:devi@terminaldweller.com"]
-
modules: [mod_host_meta]
name: "mod host meta location"
urls:
- https://jabber.terminaldweller.com:5443
mod_fail2ban: {}
mod_http_api: {}
mod_http_upload:
put_url: https://@HOST@:5443/upload
docroot: /var/www/upload
custom_headers:
"Access-Control-Allow-Origin": "https://@HOST@"
"Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS"
"Access-Control-Allow-Headers": "Content-Type"
mod_last: {}
mod_mam:
db_type: mnesia
assume_mam_usage: true
default: always
use_cache: true
mod_mqtt: {}
mod_muc:
access:
- allow
access_admin:
- allow: admin
access_create: muc_create
access_persistent: muc_create
access_mam:
- allow
default_room_options:
allow_subscription: true
mam: true
mod_muc_admin: {}
mod_offline:
access_max_user_messages: max_user_offline_messages
mod_ping: {}
mod_privacy: {}
mod_private: {}
mod_proxy65:
access: local
max_connections: 5
mod_pubsub:
access_createnode: pubsub_createnode
plugins:
- flat
- pep
force_node_config:
storage:bookmarks:
access_model: whitelist
mod_push: {}
mod_push_keepalive: {}
mod_register:
ip_access: trusted_network
mod_roster:
versioning: true
mod_sip: {}
mod_s2s_dialback: {}
mod_shared_roster: {}
mod_stream_mgmt:
resend_on_timeout: if_offline
mod_vcard: {}
mod_vcard_xupdate: {}
mod_version:
show_os: false
mod_host_meta:
bosh_service_url: "https://@HOST@:5443/bosh"
websocket_url: "wss://@HOST@:5443/ws"
|