prosody: Enable C2S direct TLS, disable HTTPS

Direct TLS connections for clients allow for faster connection
establishment, and disabling HTTPS in Prosody fixes the use of HTTP-based components
that are meant to be exposed through a reverse proxy (such as Nginx).
Alex Palaistras 2022-03-22 22:24:50 +00:00
parent 8d0a76a4f7
commit ffea499b5f
2 changed files with 10 additions and 14 deletions


@ -78,6 +78,9 @@ modules_enabled = {
-- to disable them then uncomment them here: -- to disable them then uncomment them here:
modules_disabled = {} modules_disabled = {}
-- Enable direct TLS connections for clients.
c2s_direct_tls_ports = {5223}
-- Force clients to use encrypted connections? This option will -- Force clients to use encrypted connections? This option will
-- prevent clients from authenticating unless they are using encryption. -- prevent clients from authenticating unless they are using encryption.
c2s_require_encryption = true c2s_require_encryption = true
@ -94,15 +97,13 @@ s2s_require_encryption = true
-- For more information see https://prosody.im/doc/s2s#security -- For more information see https://prosody.im/doc/s2s#security
s2s_secure_auth = true s2s_secure_auth = true
-- Some servers have invalid or self-signed certificates. You can list -- HTTP interface and port configuration.
-- remote domains here that will not be required to authenticate using http_ports = {5280}
-- certificates. They will be authenticated using DNS instead, even http_interfaces = {"*", "::"}
-- when s2s_secure_auth is enabled.
--s2s_insecure_domains = { "insecure.example" }
-- Even if you leave s2s_secure_auth disabled, you can still require valid -- Explicitly disable HTTPS, as we're intended to use a reverse proxy in front of Prosody.
-- certificates for some domains by specifying a list here. https_ports = {}
--s2s_secure_domains = { "jabber.org" } https_interfaces = {}
-- WebSockets configuration -- WebSockets configuration
consider_websocket_secure = true consider_websocket_secure = true
@ -126,11 +127,6 @@ sql = {
database = "/var/lib/prosody/prosody.sqlite", database = "/var/lib/prosody/prosody.sqlite",
} }
-- For the "sql" backend, you can uncomment *one* of the below to configure:
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
-- Archiving configuration -- Archiving configuration
-- If mod_mam is enabled, Prosody will store a copy of every message. This -- If mod_mam is enabled, Prosody will store a copy of every message. This
-- is used to synchronize conversations between multiple clients, even if -- is used to synchronize conversations between multiple clients, even if
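Review bot: With `https_ports = {}` the listener on `http_ports = {5280}`, bound to `http_interfaces = {"*", "::"}`, becomes the only web endpoint and it is plaintext; because the existing `consider_websocket_secure = true` a few lines below marks every WebSocket session on it as encrypted, any client that can reach 5280 directly bypasses `c2s_require_encryption = true` on that path. That is acceptable only if the reverse proxy is the sole route to the port — the podman unit in this commit does not publish 5280, which looks like the intent, but the config should state the constraint where the decision is made. I would extend the comment above `https_ports = {}` to: `-- HTTPS is disabled on purpose: TLS is terminated by the reverse proxy. Port 5280 is plaintext and must never be reachable from outside the container network, since consider_websocket_secure=true treats every connection on it as encrypted.` Presumably the proxy must also forward X-Forwarded-Proto/For and Prosody needs `http_external_url` (and, on 0.12+, `trusted_proxies`) set so generated URLs use https and logged client addresses are real; neither is visible in this commit, so worth confirming against the proxy config.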


@ -11,7 +11,7 @@ Restart=on-failure
Environment=PODMAN_SYSTEMD_UNIT=%n Environment=PODMAN_SYSTEMD_UNIT=%n
ExecStart=/bin/podman run --replace --name %N --net internal --sdnotify=conmon \ ExecStart=/bin/podman run --replace --name %N --net internal --sdnotify=conmon \
--env-file %E/coreos-home-server/%N/%N.env \ --env-file %E/coreos-home-server/%N/%N.env \
--publish 5222:5222 --publish 5269:5269 --publish 5347:5347 \ --publish 5222:5222 --publish 5223:5223 --publish 5269:5269 --publish 5347:5347 \
--volume %N:/var/lib/%N:z \ --volume %N:/var/lib/%N:z \
--volume prosody-conf:/etc/%N/conf.d:z \ --volume prosody-conf:/etc/%N/conf.d:z \
--volume letsencrypt:/etc/ssl/private:z \ --volume letsencrypt:/etc/ssl/private:z \
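Review bot: The new `--publish 5223:5223` is fine, but the port list now silently encodes a security decision: 5280 (Prosody's plaintext HTTP listener, which the paired config change leaves as the only web endpoint) is deliberately absent and must stay that way, since the config treats connections on it as already encrypted. Someone later "completing" the list from the config would expose plaintext XMPP-over-WebSocket on the host. I would add, on its own line above `ExecStart=` so it does not land inside the backslash continuation: `# 5280 (plaintext HTTP) is intentionally not published; it is reached only by the reverse proxy on the "internal" podman network.` The claim about the reverse proxy is inferred from the config comment in this commit rather than from anything in this unit, so adjust if the proxy lives elsewhere.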