Prosody sur Debian Wheezy/Jessie

N'hésitez pas à commenter la présente configuration si vous relevez une erreur.

Dépôts et installation

Ajouter le dépôt de Prosody dans un source.list particulier.

echo deb http://packages.prosody.im/debian $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/prosody.list

Ajouter la clef d'authentification des paquets.

wget https://prosody.im/files/prosody-debian-packages.key -O- | sudo apt-key add -

Mettre à jour la base des programmes.

sudo apt-get update

Installer la version 0.9 de Prosody, le support pour une base de données en SQLite ainsi que quelques dépendances optionnelles pour gérer la charge ou la compression.

sudo apt-get install prosody lua-socket-prosody lua-sec-prosody luarocks lua-event lua-zlib lua-dbi-sqlite3

Configuration

Éditer /etc/prosody/prosody.cfg.lua.

Compte administrateur

-- This is a (by default, empty) list of accounts that are admins
-- for the server. Note that you must create the accounts separately
-- (see http://prosody.im/doc/creating_accounts for info)
-- Example: admins = { "user1@example.com", "user2@example.net" }
admins = { "user@example.com" }

libevent

use_libevent = true;

Plugins

Copier le répertoire des modules dans /opt/prosody par exemple.

cd /opt;
sudo hg clone http://prosody-modules.googlecode.com/hg/ prosody

Insérer le chemin vers le répertoire dans le fichier de configuration.

-- These paths are searched in the order specified, and before the default path
plugin_paths = { "/opt/prosody/" }

SQL

-- Select the storage backend to use. By default Prosody uses flat files
-- in its configured data directory, but it also supports more backends
-- through modules. An "sql" backend is included by default, but requires
-- additional dependencies. See http://prosody.im/doc/storage for more info.

storage = "sql" -- Default is "internal"

-- For the "sql" backend, you can uncomment *one* of the below to configure:
sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.

Authentification backend

Passer à hashed pour plus de sécurité.

-- Select the authentication backend to use. The 'internal' providers
-- use Prosody's configured data storage to store the authentication data.
-- To allow Prosody to offer secure authentication mechanisms to clients, the
-- default provider stores passwords in plaintext. If you do not trust your
-- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed
-- for information about using the hashed backend.

authentication = "internal_hashed"

Modules

Quelques modules pour un meilleur support de Conversations, client XMPP pour Android.

-- For Conversations
            "bidi"; -- XEP-0288: Bidirectional Server-to-Server Connections
            "smacks"; -- XEP-0198: Reliability and fast reconnects for XMPP
            "carbons"; -- XEP-0280: Message Carbons
            "csi"; -- XEP-0352: Client State Indication support
            "blocking"; -- XEP-0191: Simple Communications Blocking support
            --"mam"; -- XEP-0313: Message Archive Management, needs prosody-0.10

Components

---Set up a MUC (multi-user chat) room server on conference.example.com:
Component "conference.example.com" "muc"
        restrict_room_creation = true

---Set up a VJUD service
Component "vjud.example.com" "vjud"

---Set up a PubSub server
Component "pubsub.example.com" "pubsub"
        modules_enabled = {
            "pubsub_eventsource";
            "pubsub_hub";
            }
        admins = { "example.com", "domaine.fr" }
        autocreate_on_subscribe = true
        autocreate_on_publish = true

-- Set up a SOCKS5 bytestream proxy for server-proxied file transfers:
Component "proxy.example.com" "proxy65"
        proxy65_acl = { "example.com", "domaine.fr" }

BOSH

Activer le module.

modules_enabled = {
        -- Other modules
        "bosh"; -- Enable mod_bosh
    }

Configurer le module.

-- Use if proxying HTTPS->HTTP on the server side
cross_domain_bosh = true
-- Allow access from scripts on any site with no proxy (requires a modern browser)
consider_bosh_secure = true

Activer un service BOSH

---Set up a BOSH service
Component "bosh.example.com" "http"
    modules_enabled = { "bosh" }

Rendre le BOSH public avec NGinx.

server {
        listen 80;
        server_name bosh.example.com;
        return 301 https://bosh.example.com$request_uri;
}

server {
        listen 443 ssl spdy;
        server_name bosh.example.com;

        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;

        ssl_trusted_certificate /usr/local/share/ca-certificates/cacert.org/root.crt;
        ssl_certificate         /etc/nginx/ssl/cacert/server.pem;
        ssl_certificate_key     /etc/nginx/ssl/cacert/privatekey.pem;

        ssl_stapling on;
        ssl_stapling_verify on;

        ssl_dhparam /etc/nginx/ssl/dhparam.pem;

        resolver 8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout 5s;

        access_log /var/log/nginx/prosody.access.log;
        error_log /var/log/nginx/prosody.error.log;

        location / {
                proxy_buffering off;
                tcp_nodelay on;
                proxy_set_header Host $host;
                proxy_pass http://localhost:5280/http-bind;
        }
}

Certificats

Je conseille d'utiliser un certificat CAcert, mais il est possible d'utiliser prosodyctl pour générer un certificat (comme d'utiliser une autorité de certification d'ailleurs). Voir la page Certificates pour plus de précision.

Attention, si vous utilisez  un certificat émis par CAcert, il est conseillé d'ajouter le certificat racine à la celui du serveur.

cat /etc/ssl/certs/cacert.org.pem >> /etc/prosody/certs/example.com.crt

Attention, Prosody peut ne pas se lancer si les droits de lecture des certificats ne sont pas corrects. Solution barbare :

sudo chmod 600 /etc/prosody/certs/*
sudo chown -R prosody:prosody /var/lib/prosody /etc/prosody

Virtual Hosts

------ Additional config files ------
-- For organizational purposes you may prefer to add VirtualHost and
-- Component definitions in their own config files. This line includes
-- all config files in /etc/prosody/conf.d/

Include "conf.d/*.cfg.lua"

À la fin du fichier de configuration principal, les lignes précédentes permettent d'avoir une gestion fine des hôtes virtuels gérés par le serveur : enregistrer les fichiers dans conf.avail, lier dans conf.d ceux utilisés.

VirtualHost "example.com"
        ssl = {
                key = "/etc/prosody/certs/example.com.key";
                certificate = "/etc/prosody/certs/example.com.crt";
                cafile = "/usr/local/share/ca-certificates/cacert.org/root.crt";
                dhparam = "/etc/prosody/certs/dh-2048.pem";
                }
VirtualHost "anonymous.example.com"
        authentication = "anonymous"
        allow_anonymous_multiresourcing = true
        allow_anonymous_s2s = true

DNS

Comme on peut le voir ci-dessus, un serveur Prosody peut gérer plusieurs noms de domaine si la configuration DNS est adéquate. Dépendant de votre solution de gestion des noms, la solution qui suit peut varier. La mise à jour de la zone DNS n'est pas instantanée, il faudra très certainement attendre la diffusion de la mise à jour.

Version longue

anonymous 10800 IN A 1.2.3.4
bosh 10800 IN A 1.2.3.4
conference 10800 IN A 1.2.3.4
fqdn 10800 IN A 1.2.3.4
proxy 10800 IN A 1.2.3.4
pubsub 10800 IN A 1.2.3.4
vjud 10800 IN A 1.2.3.4

_jabber._tcp 86400 IN SRV 5 0 5269 fqdn.example.com.
_jabber._tcp.anonymous 86400 IN SRV 5 0 5269 fqdn.example.com.
_jabber._tcp.conference 10800 IN SRV 5 0 5269 fqdn.example.com.
_jabber._tcp.proxy 10800 IN SRV 5 0 5269 fqdn.example.com.
_jabber._tcp.pubsub 10800 IN SRV 5 0 5269 fqdn.example.com.
_jabber._tcp.vjud 10800 IN SRV 5 0 5269 fqdn.example.com.

_xmpp-client._tcp 86400 IN SRV 5 0 5222 fqdn.example.com.
_xmpp-client._tcp.anonymous 86400 IN SRV 5 0 5222 fqdn.example.com.
_xmpp-client._tcp.conference 10800 IN SRV 5 0 5222 fqdn.example.com.
_xmpp-client._tcp.proxy 10800 IN SRV 5 0 5222 fqdn.example.com.
_xmpp-client._tcp.pubsub 10800 IN SRV 5 0 5222 fqdn.example.com.
_xmpp-client._tcp.vjud 10800 IN SRV 5 0 5222 fqdn.example.com.

_xmpp-server._tcp 86400 IN SRV 5 0 5269 fqdn.example.com.
_xmpp-server._tcp.anonymous 86400 IN SRV 5 0 5269 fqdn.example.com.
_xmpp-server._tcp.conference 86400 IN SRV 5 0 5269 fqdn.example.com.
_xmpp-server._tcp.proxy 10800 IN SRV 5 0 5269 fqdn.example.com.
_xmpp-server._tcp.pubsub 86400 IN SRV 5 0 5269 fqdn.example.com.
_xmpp-server._tcp.vjud 86400 IN SRV 5 0 5269 fqdn.example.com.

Version courte

_jabber._tcp.domaine.fr. 86400 IN SRV 5 0 5269 fqdn.example.com.
_xmpp-client._tcp.domaine.fr. 10800 IN SRV 5 0 5222 fqdn.example.com.
_xmpp-server._tcp.domaine.fr. 86400 IN SRV 5 0 5269 fqdn.example.com

Firewall

Les ports utilisés sont les ports 5222, 5269, 5280 et 5000 (pour le proxy). Éditer la configuration du pare-feu en conséquence pour laisser le passage ouvert.

Ajout d'un utilisateur

sudo prosodyctl adduser user@example.com
sudo prosodyctl adduser utilisateur@domaine.fr

Redémarrer et profiter

sudo service prosody restart

Il est possible de voir s'il y a des erreurs aisément :

sudo tail -f /var/log/prosody/prosody.err /var/log/prosody/prosody.log

Plus qu'à s'amuser avec buddycloud, Jappix, Movim, ...

Sources

Vus : 434
Publié par PostBlue : 59