Setting up a Prosody XMPP chat server
Firewall
The following ports have to be opened in your firewall:
5000/tcp # SOCKS5 Bytestreams (XEP-0065) 5222/tcp # XMPP Client-to-Server 5269/tcp # XMPP Server-to-Server
Prosody
Prosody (formerly lxmppd) is a cross-platform XMPP server written in Lua. Its development goals include low resource usage, ease of use, and extensibility.
Installation
sudo apt install prosody
Configuration
admins = { "user1@quietlife.nl" } modules_enabled = { -- Generally required "roster"; -- Allow users to have a roster. Recommended ;) "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in. "tls"; -- Add support for secure TLS on c2s/s2s connections "dialback"; -- s2s dialback support "disco"; -- Service discovery -- Not essential, but recommended "private"; -- Private XML storage (for room bookmarks, etc.) "vcard"; -- Allow users to set vCards -- Nice to have "version"; -- Replies to server version requests "uptime"; -- Report how long server has been running "time"; -- Let others know the time here on this server "ping"; -- Replies to XMPP pings with pongs "pep"; -- Enables users to publish their mood, activity, playing music and more --"register"; -- Allow users to register on this server using a client and change passwords -- Admin interfaces "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands --"admin_telnet"; -- Opens telnet console interface on localhost port 5582 -- HTTP modules --"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP" --"http_files"; -- Serve static files from a directory over HTTP -- Other specific functionality "posix"; -- POSIX functionality, sends server to background, enables syslog, etc. }; allow_registration = false; ssl = { key = "/etc/prosody/certs/localhost.key"; certificate = "/etc/prosody/certs/localhost.crt"; } -- Use strong ciphers options = { "no_sslv2", "no_sslv3", "no_tlsv1", "no_tlsv1_1", "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use"; } c2s_require_encryption = true s2s_secure_auth = true authentication = "internal_hashed"
Virtual hosts
Create a virtual host configuration:
- /etc/prosody/conf.avail/quietlife.nl.cfg.lua
VirtualHost "quietlife.nl" ssl = { key = "/etc/prosody/certs/quietlife.nl/privkey.pem"; certificate = "/etc/prosody/certs/quietlife.nl/fullchain.pem"; } Component "conference.quietlife.nl" "muc" Component "proxy.quietlife.nl" "proxy65"
Enable the configuration:
sudo ln -s /etc/prosody/conf.avail/quietlife.nl.cfg.lua /etc/prosody/conf.d/quietlife.nl.cfg.lua
SSL certificates
Copy your SSL certificates to a directory Prosody can read:
sudo mkdir -p /etc/prosody/certs/quietlife.nl sudo cp /etc/letsencrypt/live/quietlife.nl/fullchain.pem /etc/prosody/certs/quietlife.nl/fullchain.pem sudo cp /etc/letsencrypt/live/quietlife.nl/privkey.pem /etc/prosody/certs/quietlife.nl/privkey.pem
Set strict permissions:
sudo chown -R root:prosody /etc/prosody/certs/quietlife.nl/ sudo chmod 750 /etc/prosody/certs/quietlife.nl/
Add users
sudo prosodyctl adduser user1@quietlife.nl sudo prosodyctl adduser user2@quietlife.nl ...
Starting everything up
sudo systemctl restart prosody.service
SSL certificate renewal
Unlike Apache, nginx, Dovecot and Postfix, Prosody does not shortly run as root when started in order to read from /etc/ssl/ or /etc/letsencrypt/. So certificates have to be copied to the /etc/prosody/ directory. If you use Let's Encrypt, this means that you have to renew those copies every three months.
This can be automated with a script you run as root:
#!/bin/bash cp /etc/letsencrypt/live/quietlife.nl/fullchain.pem /etc/prosody/certs/quietlife.nl/fullchain.pem cp /etc/letsencrypt/live/quietlife.nl/privkey.pem /etc/prosody/certs/quietlife.nl/privkey.pem chown -R root:prosody /etc/prosody/certs/quietlife.nl/ chmod 750 /etc/prosody/certs/quietlife.nl/ systemctl restart prosody.service