From ffea499b5fa2a369f3494fe2ed25486e215acbba Mon Sep 17 00:00:00 2001
From: Alex Palaistras
Date: Tue, 22 Mar 2022 22:24:50 +0000
Subject: [PATCH] prosody: Enable C2S direct TLS, disable HTTPS
Direct TLS connections for clients allow for faster connection establishment, and disabling HTTPS in Prosody fixes use of components which expect to be exposed via a reverse proxy (such as Nginx).
---
 .../prosody/container/config/prosody.cfg.lua | 22 ++++++++-----------
 service/prosody/systemd/prosody.service | 2 +-
 2 files changed, 10 insertions(+), 14 deletions(-)
diff --git a/service/prosody/container/config/prosody.cfg.lua b/service/prosody/container/config/prosody.cfg.lua
index 81cf3e6..60b242f 100644
--- a/service/prosody/container/config/prosody.cfg.lua
+++ b/service/prosody/container/config/prosody.cfg.lua
@@ -78,6 +78,9 @@ modules_enabled = {
 -- to disable them then uncomment them here:
 modules_disabled = {}
+-- Enable direct TLS connections for clients.
+c2s_direct_tls_ports = {5223}
+
 -- Force clients to use encrypted connections? This option will
 -- prevent clients from authenticating unless they are using encryption.
 c2s_require_encryption = true
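Review bot: The new `c2s_direct_tls_ports = {5223}` line is only half of what a client needs before it will use the port, and the comment above it says nothing about how the listener is discovered. Direct TLS on 5223 is the XEP-0368 mechanism, which clients locate through an `_xmpps-client._tcp` SRV record; nothing in this patch mentions such a record, and without it most clients keep connecting to 5222 with STARTTLS, so the faster connection establishment named in the commit message would not materialise. Whether the SRV record exists elsewhere in the repository cannot be seen from this hunk, so I would at least expand the comment to `-- Direct TLS (XEP-0368) for clients on 5223; clients only use it when an _xmpps-client._tcp SRV record advertises the port.` As far as I know the direct-TLS listener serves the same certificate configuration as the STARTTLS listener, so no separate certificate setting is needed here, but that is worth confirming against the Prosody version in the container.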
@@ -94,15 +97,13 @@ s2s_require_encryption = true
 -- For more information see https://prosody.im/doc/s2s#security
 s2s_secure_auth = true
--- Some servers have invalid or self-signed certificates. You can list
--- remote domains here that will not be required to authenticate using
--- certificates. They will be authenticated using DNS instead, even
--- when s2s_secure_auth is enabled.
---s2s_insecure_domains = { "insecure.example" }
+-- HTTP interface and port configuration.
+http_ports = {5280}
+http_interfaces = {"*", "::"}
--- Even if you leave s2s_secure_auth disabled, you can still require valid
--- certificates for some domains by specifying a list here.
---s2s_secure_domains = { "jabber.org" }
+-- Explicitly disable HTTPS, as we're intended to use a reverse proxy in front of Prosody.
+https_ports = {}
+https_interfaces = {}
 -- WebSockets configuration
 consider_websocket_secure = true
@@ -126,11 +127,6 @@ sql = {
 database = "/var/lib/prosody/prosody.sqlite",
 }
--- For the "sql" backend, you can uncomment *one* of the below to configure:
---sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
---sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
---sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
-
 -- Archiving configuration
 -- If mod_mam is enabled, Prosody will store a copy of every message. This
 -- is used to synchronize conversations between multiple clients, even if
diff --git a/service/prosody/systemd/prosody.service b/service/prosody/systemd/prosody.service
index 86b128f..6309aac 100644
--- a/service/prosody/systemd/prosody.service
+++ b/service/prosody/systemd/prosody.service
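Review bot: `http_interfaces = {"*", "::"}` together with `https_ports = {}` binds a plaintext HTTP listener on every interface of the container, and the added comment only states that a reverse proxy is intended, not that the proxy is the sole party expected to reach 5280. Telling Prosody it is behind a proxy is also missing from the hunk: unless `trusted_proxies` lists the proxy's address, Prosody ignores X-Forwarded-For and attributes every HTTP request to the proxy in its logs and IP-based checks, and URLs generated for HTTP modules use the container's own host and port unless `http_external_url` is set. The companion systemd change in this patch publishes only 5222/5223/5269/5347, which suggests 5280 is meant to stay on the internal container network, but that intent is not recorded anywhere in the config. I would replace the added comment with `-- Plaintext HTTP on 5280 for the reverse proxy only; the port is not published to the host. Set trusted_proxies (and http_external_url if modules generate links) so the proxy is handled correctly.`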
@@ -11,7 +11,7 @@ Restart=on-failure
 Environment=PODMAN_SYSTEMD_UNIT=%n
 ExecStart=/bin/podman run --replace --name %N --net internal --sdnotify=conmon \
 --env-file %E/coreos-home-server/%N/%N.env \
- --publish 5222:5222 --publish 5269:5269 --publish 5347:5347 \
+ --publish 5222:5222 --publish 5223:5223 --publish 5269:5269 --publish 5347:5347 \
 --volume %N:/var/lib/%N:z \
 --volume prosody-conf:/etc/%N/conf.d:z \
 --volume letsencrypt:/etc/ssl/private:z \
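Review bot: The `--publish` line now lists four ports with nothing tying them to the listeners configured in prosody.cfg.lua, so a later reader cannot tell that the absence of 5280 is deliberate rather than forgotten. `--publish 5223:5223` binds the port on all host addresses, as the existing 5222 already does, which is appropriate for a client-facing TLS listener and is precisely why the plaintext HTTP port from the config change in this patch should not be added to this list. A comment above the ExecStart= line would record the contract: `# Published: 5222/5223 c2s (STARTTLS / direct TLS), 5269 s2s, 5347 components; 5280 (plaintext HTTP) is intentionally unpublished and reached by the reverse proxy over the internal network.` Whether the proxy actually sits on the `internal` network cannot be seen from this unit, so that part of the comment should be confirmed against the proxy's unit.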