Prosody sur Debian Wheezy
N'hésitez pas à commenter la présente configuration si vous relevez une erreur.
Dépôts et installation
Ajouter le dépôt de Prosody dans un source.list particulier.
echo deb http://packages.prosody.im/debian $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/prosody.list
Ajouter la clef d'authentification des paquets.
wget https://prosody.im/files/prosody-debian-packages.key -O- | sudo apt-key add -
Mettre à jour la base des programmes.
sudo apt-get update
Installer la version 0.9 de Prosody, le support pour une base de données en SQLite ainsi que quelques dépendances optionnelles pour gérer la charge ou la compression.
sudo apt-get install prosody-0.9 lua-socket-prosody lua-sec-prosody luarocks lua-event lua-zlib lua-dbi-sqlite3
Configuration
Éditer /etc/prosody/prosody.cfg.lua.
Compte administrateur
-- This is a (by default, empty) list of accounts that are admins -- for the server. Note that you must create the accounts separately -- (see http://prosody.im/doc/creating_accounts for info) -- Example: admins = { "user1@example.com", "user2@example.net" } admins = { "user@example.com" }
libevent
use_libevent = true;
Plugins
Copier le répertoire des modules dans /opt/prosody.
cd /opt; sudo hg clone http://prosody-modules.googlecode.com/hg/ prosody
Insérer le chemin vers le répertoire dans le fichier de configuration.
-- These paths are searched in the order specified, and before the default path
plugin_paths = { "/opt/prosody/" }
SQL
-- Select the storage backend to use. By default Prosody uses flat files -- in its configured data directory, but it also supports more backends -- through modules. An "sql" backend is included by default, but requires -- additional dependencies. See http://prosody.im/doc/storage for more info. storage = "sql" -- Default is "internal" -- For the "sql" backend, you can uncomment *one* of the below to configure: sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
Authentification backend
-- Select the authentication backend to use. The 'internal' providers -- use Prosody's configured data storage to store the authentication data. -- To allow Prosody to offer secure authentication mechanisms to clients, the -- default provider stores passwords in plaintext. If you do not trust your -- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed -- for information about using the hashed backend. authentication = "internal_hashed"
Modules
modules_enabled = {
-- Generally required
"roster"; -- Allow users to have a roster. Recommended ;)
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
"tls"; -- Add support for secure TLS on c2s/s2s connections
"dialback"; -- s2s dialback support
"disco"; -- Service discovery
"posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
-- Not essential, but recommended
"private"; -- Private XML storage (for room bookmarks, etc.)
"vcard"; -- Allow users to set vCards
-- These are commented by default as they have a performance impact
"privacy"; -- Support privacy lists
"compression"; -- Stream compression (requires the lua-zlib package installed)
-- Nice to have
"version"; -- Replies to server version requests
"uptime"; -- Report how long server has been running
"time"; -- Let others know the time here on this server
"ping"; -- Replies to XMPP pings with pongs
"pep"; -- Enables users to publish their mood, activity, playing music and more
"register"; -- Allow users to register on this server using a client and change passwords
-- Admin interfaces
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
-- HTTP modules
"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
--"http_files"; -- Serve static files from a directory over HTTP
-- Other specific functionality
--"groups"; -- Shared roster support
--"announce"; -- Send announcement to all online users
--"welcome"; -- Welcome users who register accounts
--"watchregistrations"; -- Alert admins of registrations
--"motd"; -- Send a message to users when they log in
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
};
Components
---Set up a MUC (multi-user chat) room server on conference.example.com:
Component "conference.example.com" "muc"
restrict_room_creation = true
---Set up a VJUD service
Component "vjud.example.com" "vjud"
---Set up a PubSub server
Component "pubsub.example.com" "pubsub"
admins = { "example.com", "domaine.fr" }
autocreate_on_subscribe = true
autocreate_on_publish = true
-- Set up a SOCKS5 bytestream proxy for server-proxied file transfers:
Component "proxy.example.com" "proxy65"
proxy65_acl = { "example.com", "domaine.fr" }
BOSH
Activer le module.
modules_enabled = {
-- Other modules
"bosh"; -- Enable mod_bosh
}
Configurer le module.
-- BOSH configuration
bosh_ports = {
{
port = 5280;
path = "http-bind";
},
{
port = 5281;
path = "http-bind";
ssl = {
key = "/etc/prosody/certs/example.com.key";
certificate = "/etc/prosody/certs/example.com.crt";
}
}
}
cross\\_domain\\_bosh = true
Rendre le BOSH public avec NGinx.
server {
listen 80;
server_name bosh.example.com;
location / {
proxy_pass http://localhost:5280/http-bind;
proxy_buffering off;
tcp_nodelay on;
}
}
server {
listen 443 ssl;
server_name bosh.example.com;
ssl_stapling on;
ssl_trusted_certificate /etc/ssl/certs/cacert.org.pem;
ssl_certificate /etc/nginx/ssl/cacert/example.com.crt;
ssl_certificate_key /etc/nginx/ssl/cacert/example.com.key;
location / {
proxy_pass https://localhost:5281/http-bind;
proxy_buffering off;
tcp_nodelay on;
}
}
Certificats
Je conseille d'utiliser un certificat CAcert, mais il est possible d'utiliser prosodyctl pour générer un certificat (comme d'utiliser une autorité de certification d'ailleurs). Voir la page Certificates pour plus de précision.
Attention, si vous utilisez un certificat émis par CAcert, il est conseillé d'ajouter le certificat racine à la celui du serveur.
cat /etc/ssl/certs/cacert.org.pem >> /etc/prosody/certs/example.com.crt
Attention, Prosody peut ne pas se lancer si les droits de lecture des certificats ne sont pas corrects. Solution barbare :
sudo chmod 600 /etc/prosody/certs/* sudo chown -R prosody:prosody /var/lib/prosody /etc/prosody
Virtual Hosts
VirtualHost "localhost"
VirtualHost "example.com"
ssl = {
key = "/etc/prosody/certs/example.com.key";
certificate = "/etc/prosody/certs/example.com.crt";
}
admins = { "user@example.com" }
VirtualHost "domaine.fr"
ssl = {
key = "/etc/prosody/certs/domaine.fr.key";
certificate = "/etc/prosody/certs/domaine.fr.crt";
}
admins = { "utilisateur@domaine.fr" }
VirtualHost "anonymous.example.com"
authentication = "anonymous"
allow_anonymous_multiresourcing = true
allow_anonymous_s2s = true
DNS
Comme on peut le voir ci-dessus, un serveur Prosody peut gérer plusieurs noms de domaine si la configuration DNS est adéquate. Dépendant de votre solution de gestion des noms, la solution qui suit peut varier. La mise à jour de la zone DNS n'est pas instantanée, il faudra très certainement attendre la diffusion de la mise à jour.
Nom de domaine utilisant le DNS de Gandi
anonymous 10800 IN A 1.2.3.4 bosh 10800 IN A 1.2.3.4 conference 10800 IN A 1.2.3.4 fqdn 10800 IN A 1.2.3.4 proxy 10800 IN A 1.2.3.4 pubsub 10800 IN A 1.2.3.4 vjud 10800 IN A 1.2.3.4 _jabber._tcp 86400 IN SRV 5 0 5269 fqdn.example.com. _jabber._tcp.anonymous 86400 IN SRV 5 0 5269 fqdn.example.com. _jabber._tcp.conference 10800 IN SRV 5 0 5269 fqdn.example.com. _jabber._tcp.proxy 10800 IN SRV 5 0 5269 fqdn.example.com. _jabber._tcp.pubsub 10800 IN SRV 5 0 5269 fqdn.example.com. _jabber._tcp.vjud 10800 IN SRV 5 0 5269 fqdn.example.com. _xmpp-client._tcp 86400 IN SRV 5 0 5222 fqdn.example.com. _xmpp-client._tcp.anonymous 86400 IN SRV 5 0 5222 fqdn.example.com. _xmpp-client._tcp.conference 10800 IN SRV 5 0 5222 fqdn.example.com. _xmpp-client._tcp.proxy 10800 IN SRV 5 0 5222 fqdn.example.com. _xmpp-client._tcp.pubsub 10800 IN SRV 5 0 5222 fqdn.example.com. _xmpp-client._tcp.vjud 10800 IN SRV 5 0 5222 fqdn.example.com. _xmpp-server._tcp 86400 IN SRV 5 0 5269 fqdn.example.com. _xmpp-server._tcp.anonymous 86400 IN SRV 5 0 5269 fqdn.example.com. _xmpp-server._tcp.conference 86400 IN SRV 5 0 5269 fqdn.example.com. _xmpp-server._tcp.proxy 10800 IN SRV 5 0 5269 fqdn.example.com. _xmpp-server._tcp.pubsub 86400 IN SRV 5 0 5269 fqdn.example.com. _xmpp-server._tcp.vjud 86400 IN SRV 5 0 5269 fqdn.example.com.
Nom de domaine « ailleurs »
_jabber._tcp.domaine.fr. 86400 IN SRV 5 0 5269 fqdn.example.com. _xmpp-client._tcp.domaine.fr. 10800 IN SRV 5 0 5222 fqdn.example.com. _xmpp-server._tcp.domaine.fr. 86400 IN SRV 5 0 5269 fqdn.example.com
Firewall
Les ports utilisés sont les ports 5222 (TCP & UDP), 5269 (TCP & UDP), 5280 (TCP & UDP) et 5000 (pour le proxy). Éditer la configuration du pare-feu en conséquence pour laisser le passage.
Ajout d'un utilisateur
prosodyctl adduser user@example.com prosodyctl adduser utilisateur@domaine.fr
Redémarrer et profiter
sudo service prosody restart
Il est possible de voir s'il y a des erreurs aisément :
sudo tail -f /var/log/prosody/prosody.err /var/log/prosody/prosody.log
Plus qu'à s'amuser avec buddycloud, Jappix, Movim, ...
Sources
- Prosody (wiki.debian-fr) ;
- Installing Prosody (Debian Wiki) ;
- Faire son serveur Jabber personnel en moins de 5 minutes (Cyrille BORNE et Associés) ;
- Mise en place de Prosody (Guest Blog) ;
- Migration sur Prosody (Hobbestigrou) ;
- Héberger un serveur Jabber simplement (rom1v) ;
- Un serveur Jabber en 5 minutes chronos sous Debian/Ubuntu (NicoLargo) ;
- Download Prosody ;
- Prosody package repository ;
- Prosody Depedencies ;
- Configuring Prosody ;
- DNS Configuration in Jabber/XMPP ;
- Chatrooms ;
- Certificates ;
- mod_compression ;
- mod_bosh ;
- libevent ;
- prosodyctl ;
- Setting up a BOSH server ;
- Setting up a BOSH server (Movim) ;
- XMPP Server (Jappix) ;
- BOSH Server (Jappix) ;
- buddycloud DNS (buddycloud) ;
- SRV Records (XMPP Wiki).
