author | Jonas Smedegaard <dr@jones.dk> | 2017-01-18 17:32:45 +0100 |
---|---|---|
committer | Jonas Smedegaard <dr@jones.dk> | 2017-01-18 17:33:29 +0100 |
commit | ccfe0921edb6d81ccf53135654fd364eea679140 (patch) | |
tree | bf3e9e97afad41b7437ed0be1cd1d1a82eecd9be /ejabberd/config.d | |
parent | 8d7a52d331eee26c44ee8ac68a72b0b2fe0a0750 (diff) |
Add ejabberd tweaks as snippets.
Diffstat (limited to 'ejabberd/config.d')
-rw-r--r-- | ejabberd/config.d/sip-sips.yml | 32 | ||||
-rw-r--r-- | ejabberd/config.d/sips.yml | 21 | ||||
-rw-r--r-- | ejabberd/config.d/stun-turns.yml | 36 | ||||
-rw-r--r-- | ejabberd/config.d/stuns-turns.yml | 25 | ||||
-rw-r--r-- | ejabberd/config.d/xmpp-auth-pam.yml | 14 | ||||
-rw-r--r-- | ejabberd/config.d/xmpp-c2s.yml | 61 | ||||
-rw-r--r-- | ejabberd/config.d/xmpp-muc.yml | 29 | ||||
-rw-r--r-- | ejabberd/config.d/xmpp-muclog.yml | 18 | ||||
-rw-r--r-- | ejabberd/config.d/xmpp-s2s.yml | 22 |
9 files changed, 258 insertions, 0 deletions
diff --git a/ejabberd/config.d/sip-sips.yml b/ejabberd/config.d/sip-sips.yml
new file mode 100644
index 0000000..70edfb6
--- /dev/null
+++ b/ejabberd/config.d/sip-sips.yml
@@ -0,0 +1,32 @@
+# SIP services (insecure + secure)
+#
+# * _tls proto (in DNS below) is nonstandard but maybe used in the wild
+#
+# Sample DNS entries:
+# @ IN NAPTR 10 0 "s" "SIPS+D2T" "" _sips._tcp
+# @ IN NAPTR 20 0 "s" "SIP+D2U" "" _sip._udp
+# @ IN NAPTR 30 0 "s" "SIP+D2T" "" _sip._tcp
+# sip IN A 192.0.2.1
+# _sip._udp IN SRV 0 0 5060 sip
+# _sip._tcp IN SRV 0 0 5060 sip
+# _sips._tcp IN SRV 0 0 5061 sip
+# _sip._tls IN SRV 0 0 5061 sip
+#
+# Depends: erlang-p1-sip
+
+listen:
+ -
+ port: 5060
+ transport: udp
+ module: ejabberd_sip
+ -
+ port: 5060
+ module: ejabberd_sip
+ -
+ port: 5061
+ module: ejabberd_sip
+ tls: true
+ certfile: 'CERT_PATH'
+
+modules:
+ mod_sip: {}
diff --git a/ejabberd/config.d/sips.yml b/ejabberd/config.d/sips.yml
new file mode 100644
index 0000000..c397f05
--- /dev/null
+++ b/ejabberd/config.d/sips.yml
@@ -0,0 +1,21 @@
+# SIP service (secure)
+#
+# * _tls proto (in DNS below) is nonstandard but maybe used in the wild
+#
+# Sample DNS entries:
+# @ IN NAPTR 10 0 "s" "SIPS+D2T" "" _sips._tcp
+# sip IN A 192.0.2.1
+# _sips._tcp IN SRV 0 0 5061 sip
+# _sip._tls IN SRV 0 0 5061 sip
+#
+# Depends: erlang-p1-sip
+
+listen:
+ -
+ port: 5061
+ module: ejabberd_sip
+ tls: true
+ certfile: 'CERT_PATH'
+
+modules:
+ mod_sip: {}
diff --git a/ejabberd/config.d/stun-turns.yml b/ejabberd/config.d/stun-turns.yml
new file mode 100644
index 0000000..eeef731
--- /dev/null
+++ b/ejabberd/config.d/stun-turns.yml
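Review bot: The 5061 listener in sip-sips.yml sets only `tls: true` and `certfile`, so its protocol versions and cipher list are left to library defaults, while xmpp-c2s.yml and xmpp-s2s.yml in this same commit pin them through `TLS_OPTIONS` and `TLS_CIPHERS`. Whether ejabberd_sip honours `protocol_options` and `ciphers` is not visible from this page, so either add them after confirming support or state in the header comment that SIP over TLS runs with defaults. The same applies to the identical listener in sips.yml. The sip-sips.yml header could also carry a line such as `# * port 5060 carries signalling unencrypted; prefer sips.yml where clients support TLS`, so the choice between the two snippets is explicit.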
@@ -0,0 +1,36 @@
+# STUN/TURN services (insecure STUN + secure authenticated STUN/TURN)
+#
+# * TURN_IP must be the public IP of the listening port
+# * TURN relay requires authentication
+# * _tls proto (in DNS below) is nonstandard but maybe used in the wild
+# * stuns service (in DNS below) is legacy but maybe used in the wild
+#
+# Sample DNS entries:
+# @ IN NAPTR 10 0 "s" "RELAY:turn.tls" "" stun
+# stun IN A 192.0.2.1
+# _stun._udp IN SRV 0 0 3478 stun
+# _stun._tcp IN SRV 0 0 3478 stun
+# _stuns._tcp IN SRV 0 0 5349 stun
+# _stun._tls IN SRV 0 0 5349 stun
+# _turns._tcp IN SRV 0 0 5349 stun
+# _turn._tls IN SRV 0 0 5349 stun
+#
+# Depends: erlang-p1-stun
+
+listen:
+ -
+ port: 3478
+ transport: udp
+ module: ejabberd_stun
+ use_turn: false
+ -
+ port: 3478
+ module: ejabberd_stun
+ use_turn: false
+ -
+ port: 5349
+ module: ejabberd_stun
+ tls: true
+ certfile: 'CERT_PATH'
+ auth_type: user
+ turn_ip: 'TURN_IP'
diff --git a/ejabberd/config.d/stuns-turns.yml b/ejabberd/config.d/stuns-turns.yml
new file mode 100644
index 0000000..a8e5e7a
--- /dev/null
+++ b/ejabberd/config.d/stuns-turns.yml
@@ -0,0 +1,25 @@
+# STUN/TURN services (secure authenticated)
+#
+# * TURN_IP must be the public IP of the listening port
+# * TURN relay requires authentication
+# * _tls proto (in DNS below) is nonstandard but maybe used in the wild
+# * stuns service (in DNS below) is legacy but maybe used in the wild
+#
+# Sample DNS entries:
+# @ IN NAPTR 10 0 "s" "RELAY:turn.tls" "" stun
+# stun IN A 192.0.2.1
+# _stuns._tcp IN SRV 0 0 5349 stun
+# _stun._tls IN SRV 0 0 5349 stun
+# _turns._tcp IN SRV 0 0 5349 stun
+# _turn._tls IN SRV 0 0 5349 stun
+#
+# Depends: erlang-p1-stun
+
+listen:
+ -
+ port: 5349
+ module: ejabberd_stun
+ tls: true
+ certfile: 'CERT_PATH'
+ auth_type: user
+ turn_ip: 'TURN_IP'
diff --git a/ejabberd/config.d/xmpp-auth-pam.yml b/ejabberd/config.d/xmpp-auth-pam.yml
new file mode 100644
index 0000000..b10936f
--- /dev/null
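Review bot: The 5349 listener in stun-turns.yml sets `auth_type: user` and `turn_ip` but never `use_turn: true`, while the two 3478 listeners set `use_turn: false` explicitly. If ejabberd_stun defaults `use_turn` to false (as its documentation states, to my knowledge), this listener serves only STUN and the relay described in the header is never enabled. Add `use_turn: true` to it and to the identical listener in stuns-turns.yml. Once relaying is on, consider bounding it with `turn_min_port`/`turn_max_port` and `turn_max_allocations`, so the firewall rule and per-user resource use are explicit rather than left to defaults.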
+++ b/ejabberd/config.d/xmpp-auth-pam.yml
@@ -0,0 +1,14 @@
+# XMPP client service (secure)
+#
+# Depends: erlang-p1-pam
+
+auth_method: pam
+auth_password_format: plain
+
+disable_sasl_mechanisms:
+ - "digest-md5"
+ - "X-OAUTH2"
+
+access_rules:
+ register:
+ - deny
diff --git a/ejabberd/config.d/xmpp-c2s.yml b/ejabberd/config.d/xmpp-c2s.yml
new file mode 100644
index 0000000..29d0163
--- /dev/null
+++ b/ejabberd/config.d/xmpp-c2s.yml
@@ -0,0 +1,61 @@
+# XMPP client service (secure)
+#
+# * Custom Diffie-Hellman params needs to be created ahead, e.g. with
+# /etc/local-COMMON/ejabberd/mkdhparams.sh
+#
+# Sample DNS entries:
+# xmpp IN A 192.0.2.1
+# _xmpp-client._tcp IN SRV 0 0 5222 xmpp
+# _xmppconnect IN TXT "_xmpp-client-xbosh=https://chat.example.org/http-bind"
+# _xmppconnect IN TXT "_xmpp-client-websocket=wss://chat.example.org/xmpp-websocket"
+
+listen:
+ -
+ port: 5222
+ ip: "::"
+ module: ejabberd_c2s
+ certfile: 'CERT_PATH'
+ starttls_required: true
+ protocol_options: 'TLS_OPTIONS'
+ max_stanza_size: 65536
+ shaper: c2s_shaper
+ access: c2s
+ zlib: true
+ tls_compression: false
+ dhfile: 'DH_PATH'
+ ciphers: 'TLS_CIPHERS'
+ resend_on_timeout: if_offline
+
+modules:
+ mod_admin_extra: []
+ mod_adhoc: []
+ mod_announce:
+ access: announce
+ mod_caps: []
+ mod_disco: []
+ mod_http_bind: []
+ mod_last: []
+ mod_offline:
+ access_max_user_messages: max_user_offline_messages
+ mod_ping: []
+ mod_privacy: []
+ mod_private: []
+ mod_pubsub:
+ access_createnode: pubsub_createnode
+ ignore_pep_from_offline: false
+ last_item_cache: true
+ plugins:
+ - "flat"
+ - "hometree"
+ - "pep"
+ mod_roster:
+ versioning: true
+ mod_shared_roster: []
+ mod_stats: []
+ mod_time: []
+ mod_vcard: []
+ mod_version: []
+ mod_mam: []
+ mod_blocking: []
+ mod_client_state: []
+ mod_carboncopy: []
diff --git a/ejabberd/config.d/xmpp-muc.yml b/ejabberd/config.d/xmpp-muc.yml
new file mode 100644
index 0000000..637255b
--- /dev/null
+++ b/ejabberd/config.d/xmpp-muc.yml
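Review bot: The header comment of xmpp-auth-pam.yml reads `# XMPP client service (secure)`, which is the title of xmpp-c2s.yml and does not describe this file; something like `# XMPP authentication via PAM (in-band registration denied)` would match the content. With `auth_method: pam` the server needs the password itself from the client, so this snippet is only safe together with a listener that enforces `starttls_required: true`, as xmpp-c2s.yml does; a header line stating that dependency would help. It is also worth confirming on the deployed version which SASL mechanisms remain offered once `digest-md5` and `X-OAUTH2` are disabled.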
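Review bot: `zlib: true` on the 5222 listener in xmpp-c2s.yml enables XMPP stream compression while the next line sets `tls_compression: false`. Compressing traffic inside the encrypted stream carries the same length side channel that motivates disabling TLS compression, and it may let a client send small compressed input that expands on the server. Drop the line or set `zlib: false`. Separately, the header's TXT records advertise `/http-bind` and `/xmpp-websocket` and `mod_http_bind` is loaded, but no `ejabberd_http` listener appears in this file; if it lives in another snippet, the header should say so.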
@@ -0,0 +1,29 @@
+# XMPP MUC service
+#
+# Sample DNS entries:
+# conference IN CNAME xmpp
+
+acl:
+ admin:
+ user:
+ - "@localhost"
+ local:
+ user_regexp: ""
+
+access_rules:
+ local:
+ - allow: local
+ muc_admin:
+ - allow: admin
+ muc_create:
+ - allow: local
+
+modules:
+ mod_muc:
+ host: "conference.@HOST@"
+ access:
+ - allow
+ access_admin: muc_admin
+ access_create: muc_create
+ access_persistent: muc_create
+ mod_muc_admin: {}
diff --git a/ejabberd/config.d/xmpp-muclog.yml b/ejabberd/config.d/xmpp-muclog.yml
new file mode 100644
index 0000000..2403a82
--- /dev/null
+++ b/ejabberd/config.d/xmpp-muclog.yml
@@ -0,0 +1,18 @@
+# XMPP MUC service (publicly logged)
+#
+# * logfiles are not created public readable - fix with this cronjob:
+# /etc/local-COMMON/ejabberd/cron.hourly/local-ejabberd-muc-publish
+#
+# Example Apache2 snippet:
+# Alias /logs /var/www/vhosts/www-ejabberd/conference
+# <Location /logs>
+# Options Indexes
+# DirectoryIndex index.html
+# </Location>
+#
+# Depends: ejabberd-mod-muc-log-http
+
+modules:
+ mod_muc_log:
+ outdir: "/var/lib/ejabberd/logs"
+ mod_muc_log_http: {}
diff --git a/ejabberd/config.d/xmpp-s2s.yml b/ejabberd/config.d/xmpp-s2s.yml
new file mode 100644
index 0000000..a08bfc3
--- /dev/null
+++ b/ejabberd/config.d/xmpp-s2s.yml
@@ -0,0 +1,22 @@
+# XMPP server-to-server service (optionally secure)
+#
+# * Custom Diffie-Hellman params needs to be created ahead, e.g. with
+# /etc/local-COMMON/ejabberd/mkdhparams.sh
+#
+# Sample DNS entries:
+# xmpp IN A 192.0.2.1
+# _xmpp-server._tcp IN SRV 0 0 5222 xmpp
+
+listen:
+ -
+ port: 5269
+ ip: "::"
+ module: ejabberd_s2s_in
+
+s2s_use_starttls: optional
+s2s_certfile: 'CERT_PATH'
+s2s_dhfile: 'DH_PATH'
+s2s_ciphers: 'TLS_CIPHERS'
+s2s_protocol_options:
+ - "no_sslv2"
+ - "no_sslv3" |
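Review bot: The `admin` ACL in xmpp-muc.yml is the literal `"@localhost"`, unlike the upper-case placeholders (`CERT_PATH`, `TURN_IP`) in the other snippets, so it is unclear whether it is meant to be substituted before deployment. Since `muc_admin` is granted to that ACL, the header should name the intended account, e.g. `# * replace "@localhost" under acl/admin with the real administrator account`. `acl` and `access_rules` are top-level keys, and xmpp-auth-pam.yml also defines `access_rules` (`register`); how the snippets are combined is not shown here, so confirm the merge keeps both sets rather than letting the last one win. `access: - allow` on `mod_muc` appears to admit any JID, including remote ones; the header should state whether that is intended.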
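Review bot: The header of xmpp-muclog.yml does not say who may switch logging on for a room, and `mod_muc_log` is given only `outdir`, so `access_log` stays at its default. Because the cronjob and the Apache example with `Options Indexes` make every logged room world-readable and listable, set the rule explicitly (for instance `access_log: muc_admin`) and add a comment that logged rooms become public. If `muc_admin` is referenced, the header should also list xmpp-muc.yml as a dependency, since that is where the rule is defined.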
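Review bot: The sample DNS entry `_xmpp-server._tcp IN SRV 0 0 5222 xmpp` in xmpp-s2s.yml points federation at port 5222, but the listener added below it is `port: 5269` with `ejabberd_s2s_in`; the comment should read `# _xmpp-server._tcp IN SRV 0 0 5269 xmpp`. `s2s_use_starttls: optional` lets a connection fall back to cleartext when STARTTLS is absent or stripped on the path; if all peers support TLS, `required` is the safer value, otherwise the header should state the trade-off. `s2s_protocol_options` is hard-coded to `no_sslv2`/`no_sslv3` while xmpp-c2s.yml takes `TLS_OPTIONS`, so the two services can end up with different minimum protocol versions.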