
Prosody - Jabber / XMPP server for Debian



The Debian Jessie repositories carry version 0.9.7, which is perfectly acceptable. Install the package first; the database add-on (mysql or sqlite) is chosen next:

  # aptitude install prosody 

Next, you need to decide which database to use: mysql or sqlite.



SQLite is more compact and undemanding on resources. It is a single file on the server in which the tables are stored; it is easy to copy, and nothing is needed apart from the sqlite3 library. Such a database is the best choice if you are setting up Jabber for yourself (plus a dozen or so users :).

  # aptitude install lua-dbi-sqlite3 

MySQL is better suited when you plan to host a very large number of user accounts on the server and constantly add, delete and edit them. This database also needs its own component:

  # aptitude install lua-dbi-mysql 


SSL certificate preparation

Using self-signed certificates is not kosher at all. :) Nobody has any reason to trust them. Instead, get a free certificate from StartSSL.com; there is a good guide for this.



Suppose you have received the certificate: you now have the certificate file ssl.crt and the key ssl.key. The key must first be decrypted (the passphrase removed). You could leave it encrypted, but then you would have to put the passphrase into the Prosody config, set the appropriate access rights on it, and so on ...

  # openssl rsa -in ssl.key -out ssl.key 

During decryption you will be prompted for the key's passphrase.

In addition to your certificate and key, you need the "Class 1 Intermediate Server CA" certificate. Download it:


  # wget https://startssl.com/certs/sca.server1.crt 

Concatenate them into one file (example.com is used as an example; replace it with your domain name):

  # cat ssl.crt ssl.key sca.server1.crt > /etc/prosody/certs/example.com.pem

The certificate will be saved in the /etc/prosody/certs/ folder.

You also need to generate Diffie-Hellman parameters. They are referenced in the virtual host settings and make forward secrecy possible.

  # openssl dhparam -out /etc/prosody/certs/dh-2048.pem 2048

Set permissions so that the certificates can only be read, and only by the prosody user.

  # chown prosody:prosody /etc/prosody/certs/*.pem
  # chmod 0400 /etc/prosody/certs/*.pem

This completes the preparation of certificates.

Creating MySQL Database

You can create the database and its user either from the console or through a control panel such as phpmyadmin.

Prosody setup

The setup is straightforward: everything is well documented (albeit in English), and the configuration files have a simple structure.

You can easily create virtual hosts, give each of them its own parameters, and so on, much like with Apache and nginx. :)

These are the main parameters of the configuration file /etc/prosody/prosody.cfg.lua whose values we will need to edit.

  allow_registration = true; 

Enables in-band registration of new users from client programs such as Pidgin. The default is false. Do not enable it unless you need to allow registration.

  authentication = "internal_hashed" 

Stores user passwords hashed. The default value, internal_plain, is not secure: it keeps the passwords in the database in the clear.

Specify the storage type, an SQL database:

  storage = "sql"

If you selected sqlite as the storage, then uncomment the line:

  sql = {driver = "SQLite3", database = "prosody.sqlite"} 

If mysql:

  sql = {driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost"}

Do not forget to set the sql_manage_tables = true parameter below it, so that Prosody creates the tables in the database automatically.

Replace the prosody values of the database and username parameters with your database name and user name, respectively, and replace the secret phrase in password with the real password. Leave host unchanged if the MySQL server runs on the same machine as Prosody.

Virtual hosts in Prosody

The next step is the virtual host configuration. Suppose we have one domain. Find the following line and replace example.com with the name of your domain:

  VirtualHost "example.com"

Comment out the line:

  enabled = false

This is followed by the ssl settings for this particular virtual host. Here you specify the path to the certificate and a few additional options.

Since we earlier combined the certificate and key into one file, only that one file needs to be referenced.

The first three lines are the paths to the key, the certificate and the DH parameters, respectively.

  ssl = {
    key = "/etc/prosody/certs/example.com.pem";           -- combined file: certificate + key + intermediate CA
    certificate = "/etc/prosody/certs/example.com.pem";
    dhparam = "/etc/prosody/certs/dh-2048.pem";           -- DH parameters generated above
    options = {"no_sslv3", "no_sslv2", "no_ticket", "no_compression", "single_dh_use", "single_ecdh_use"};
    ciphers = "ECDH:DH:!ADH:!AECDH:!SEED:!DES:!3DES:!RC4:!NULL";  -- OpenSSL cipher list, no spaces
  }

The fourth line sets the SSL options and disables SSL versions 2 and 3. The fifth lists which ciphers are allowed.

The last two virtual host parameters require encryption for client and server connections. They must come after the ssl = {...} item.

  c2s_require_encryption = true
  s2s_require_encryption = true

This completes the Prosody configuration.

Create and delete users

If you have not enabled self-registration from clients, you can add new users from the console with a simple command: prosodyctl adduser name@example.com. You will be asked to enter the password twice.

Any user can also be given administration rights: list the user's JID in the admins = {} parameter of the configuration file. For example:

  admins = {"user1@example.com", "user2@example.net"}

A user account is deleted with the command prosodyctl deluser name@example.com, where name@example.com is replaced with the Jabber ID of the existing user.

Error messages

If you see the following error message in the Prosody error log (/var/log/prosody/prosody.err):

  certmanager error SSL/TLS: Failed to load '/etc/prosody/certs/example.com.pem':
  Reason: bad end line (for example.com)

then check the certificate file for a line like this:

  -----END CERTIFICATE----------BEGIN RSA PRIVATE KEY-----

This is wrong: the markers must be separated so that they look like this:

  -----END CERTIFICATE-----
  -----BEGIN RSA PRIVATE KEY-----
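As an added check (this script is not from the article), the following Python code detects the fused marker line described above in a combined PEM file, verifies that the BEGIN/END markers pair up and that the blocks appear in the order the cat command produced (certificate, key, intermediate CA), and inserts the missing newline. The sample bundle is constructed here with placeholder bodies.

```python
import re

# Constructed sample bundle in the order the article's cat command produces it
# (certificate, key, intermediate CA), with the fused END/BEGIN line that makes
# Prosody report "bad end line". The base64 bodies are placeholders.
FUSED_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBplaceholderServerCert\n"
    "-----END CERTIFICATE----------BEGIN RSA PRIVATE KEY-----\n"
    "MIIEplaceholderPrivateKey\n"
    "-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MIICplaceholderIntermediateCA\n"
    "-----END CERTIFICATE-----\n"
)

MARKER = re.compile(r"-----(BEGIN|END) ([A-Z ]+?)-----")
# Block order that "cat ssl.crt ssl.key sca.server1.crt" yields.
EXPECTED_ORDER = ["CERTIFICATE", "RSA PRIVATE KEY", "CERTIFICATE"]


def check_bundle(pem: str) -> list:
    """Return the problems found in a combined PEM file (an empty list means OK)."""
    problems = []
    for num, line in enumerate(pem.splitlines(), 1):
        if len(MARKER.findall(line)) > 1:
            problems.append(f"line {num}: END and BEGIN markers fused on one line")
        elif "-----" in line and not MARKER.fullmatch(line.strip()):
            problems.append(f"line {num}: malformed marker line")
    labels, open_label = [], None
    for kind, label in MARKER.findall(pem):
        if kind == "BEGIN":
            if open_label is not None:
                problems.append(f"BEGIN {label} while {open_label} is still open")
            open_label = label
        else:
            if label != open_label:
                problems.append(f"END {label} has no matching BEGIN")
            labels.append(label)
            open_label = None
    if open_label is not None:
        problems.append(f"{open_label} block is never closed")
    if labels != EXPECTED_ORDER:
        problems.append(f"block order {labels} differs from expected {EXPECTED_ORDER}")
    return problems


def repair_fused_markers(pem: str) -> str:
    """Insert the newline Prosody expects between an END marker and the next BEGIN."""
    return re.sub(r"(-----END [A-Z ]+-----)(?=-----BEGIN)", r"\1\n", pem)
```

Run check_bundle on the text of /etc/prosody/certs/example.com.pem before restarting Prosody; repair_fused_markers only touches the marker lines, so the certificate and key bodies stay byte-for-byte intact.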

DNS records for Jabber

For each domain, add the corresponding SRV records to DNS (this is optional if you do not need to communicate with users of other domains).

  _xmpp-client._tcp IN SRV 5 0 5222 xmpp.example.com.
  _xmpp-server._tcp IN SRV 5 0 5269 xmpp.example.com.

Here 5 is the priority, 0 is the weight, and 5222 and 5269 are the ports for client-to-server and server-to-server connections, respectively.

The final field is the host name that points to the server running Jabber. It can be the same server that hosts the website, or any other.

Iptables rules

If incoming connections are blocked by default on your server, create iptables rules that allow TCP connections to the Jabber server on the required ports:

  # iptables -A INPUT -p tcp --dport 5222 -j ACCEPT
  # iptables -A INPUT -p tcp --dport 5269 -j ACCEPT

Enable compression in Prosody

Sometimes you may want to enable compression to save client or server traffic. To do so, install the lua-zlib package:

  # aptitude install lua-zlib 

Find the modules_enabled group at the very beginning of the configuration file and uncomment the line:

  "compression"; -- Stream compression (Debian: requires lua-zlib module to work)

Then set the compression level (1 to 9) with the following parameter, placed after the modules_enabled group:

  compression_level = 5 

Testing

The correctness of the encryption settings can be checked at https://xmpp.net, which tests both client-to-server and server-to-server connections.




2 Comments on "Prosody - Jabber / XMPP Server for Debian"

  1. Greetings.
    I did everything according to your instructions, but I just cannot solve the problem with a trusted certificate. I got it from startssl. There is an archive with several variants, including apache, nginx, otherserver. I used the certificate from otherserver (I also tried apache); as a result, authorization with other servers does not take place, and the error at this stage in the logs is:
    info Accepting SASL EXTERNAL identity from ya.ru
    info incoming s2s connection ya.ru->myserver.ru complete
    info incoming s2s stream ya.ru->myserver.ru closed: New stream 'from' attribute does not match original
    I read somewhere that this is solved by enabling the s2s_auth_compat module. I enabled it, and the result of authorization is:
    warn Invalid stream header, certificate will not be trusted

    Looks like a problem with the certificate itself. I wrote to startssl support; they said they do not support certificates for XMPP servers. Yet here you recommend them, and elsewhere people mention that prosody works fine with their certificates ... please tell me how you connected it, and which specific certificate from startssl you used?

    1. It's funny, they used to support them, but now they don't.

      I take the certificate from the nginx folder. There it is already "glued" together with the intermediate certificate. Everything starts, although I have not tested it with ya.ru.

      The certificate must match the domain both with www and without.

      Alternatively, comment out the ciphers and options of the virtual host to use the default values. Maybe Yandex's XMPP works with weaker ciphers and only over SSLv3.

      You can also add an exception:

      s2s_insecure_domains = { "ya.ru" }

      http://prosody.im/doc/s2s#security
