⚠️ This post is archived from my phlog in Gopherspace. Please read my post on the Gopher Protocol to get started!
XMPP allows you to host your own encrypted communication server, where you can talk to other people on their own servers. Think of email, but for instant messaging.
i have an invite-only xmpp server…
I think I like it more than IRC or Matrix because…
I’m chosing to use Prosody in Debian because…
I’m hosting my own XMPP server…
The setup I want is e2ee, offline…
- Basic setup
- Backups
- Caveats
- Coming soon
- Bonus: link to IRC
- Bonus: anonymous usage of chat room? but don’t allow c2c?
Basic setup
HOLD UP IT MAY BE BAD THAT I’M INSTALLING SOME OF THESE THINGS I THINK ARE DEPENDS, LIKE REGISTER_WEB!
plugins:
- https://modules.prosody.im/mod_invites_page
- https://prosody.im/doc/modules/mod_invites
- https://prosody.im/doc/modules/mod_invites_register
- https://prosody.im/doc/modules/mod_muc
sudo apt-get install prosody luarocks libjs-bootstrap4 libjs-jquery liblua5.4-dev -y
sudo prosodyctl install --server=https://modules.prosody.im/rocks/ mod_conversejs
sudo prosodyctl install --server=https://modules.prosody.im/rocks/ mod_invites_api
sudo prosodyctl install --server=https://modules.prosody.im/rocks/ mod_register_apps
sudo prosodyctl install --server=https://modules.prosody.im/rocks/ mod_register_web
sudo prosodyctl install --server=https://modules.prosody.im/rocks/ mod_invites_page
sudo prosodyctl install --server=https://modules.prosody.im/rocks/ mod_invites_register_web
sudo prosodyctl install --server=https://modules.prosody.im/rocks/ mod_http_libjs
sudo vi /etc/prosody/prosody.cfg.lua
Now that the config file should be open:
-
Change
VirtualHost
to your domain you want the XMPP service to be accessible through. -
add this to the end of the config and make sure the domain you use has a valid ssl cert for it (files expire after a week!) also note this important docs on how to change things like quotas, size limits, etc:
-
Component "upload.xmpp.someodd.zip" "http_file_share" http_file_share_size_limit = 25*1024*1024
-
-
edit
modules_enabled
:-
i’m thinking about uncommenting
http_openmetrics
-
offline
is auto-loaded! I love that. -
enable
mam
-
i enabled
websocket
for web client? -
note of the log locations. mine are
/var/log/prosody/prosody.log
/var/log/prosody/prosody.err
-
note the certificate location… mine just said
certs
, I believe that’s/etc/prosody/certs
-
there’s something about enabling statistics too
-
definitely set this:
admins = { "someodd@xmpp.someodd.zip" }
-
careful with registration:
- https://prosody.im/doc/creating_accounts – you may want to read this.
allow_registration = true
is supposedly dangerous.- “Servers with unrestricted registration are open to abuse and provide an easy method for spammers to get onto the XMPP network. If you do not control this, your server may be blocked by other servers on the network.”
- https://prosody.im/doc/public_servers
- create users, especially your admin account, using this:
sudo prosodyctl adduser someodd@xmpp.someodd.zip
- manage invites cli:
sudo prosodyctl mod_invites generate xmpp.someodd.zip
it’ll then give you a URL
- check out this module for invitation page: https://modules.prosody.im/mod_invites_page
- enable the
"invites_page"
module in/etc/prosody/prosody.cfg.lua
invites_page = "https://xmpp.someodd.zip/invites_page?{invite.token}"
in top level scope- create an invnite with
sudo prosodyctl mod_invites generate xmpp.someodd.zip
or you may be able to generate invites in your client
- enable the
- add
http_libjs
to modules
-
i decided to enable BOSH. I think this supposedly this helps with people who have unreliabel connectsions, or say are using XMPP from a phone.
-
enable chat groups:
-
i may want to set
restrict_room_creation = local
-
add these (use a real domain) (not sure if I need the
modules_enabled
bit:Component "conference.xmpp.someodd.zip" "muc" name = "Prosody Chatrooms" restrict_room_creation = "local" modules_enabled = { "muc_mam" }
-
-
A part of my enabled modules section looks like:
-- installed plugins
"http_libjs"; -- depend for invites_page
"invites_api"; -- depend for invites_page
"register_apps"; -- depend for invites_page
"register_web"; -- depend for invites_page?
"invites_register_web"; -- depend for invites_page?
"invites_page"; -- Adds a web page to create and manage invites
"conversejs"; -- Adds a web page chat
When you search rooms/groupchats in conversejs you search xmpp.someodd.zip
. In dino i created a room through conference.xmpp.someodd.zip
idk.
Setup SSL + Basic nginx
There’s an interesting bit in the config:
– For more information, including how to use ‘prosodyctl’ to auto-import certificates – (from e.g. Let’s Encrypt) see https://prosody.im/doc/certificates
This link is useful: https://prosody.im/doc/letsencrypt
Instructions on using LetsEncrypt and a basic nginx setup for the SSL setup. nginx for the ACME request and for a web interface (later).
You can check my #nginx tag for more info, but this config in /etc/nginx/sites-available/xmpp.someodd.zip.conf
(uncomment the SSL lines once we’ve set up LetsEncrypt):
server {
listen 8765;
#listen 8888 ssl;
server_name xmpp.someodd.zip;
root /var/www/xmpp.someodd.zip;
#ssl_certificate /etc/letsencrypt/live/xmpp.someodd.zip/cert.pem;
#ssl_certificate_key /etc/letsencrypt/live/xmpp.someodd.zip/privkey.pem;
location / {
proxy_pass http://127.0.0.1:5280;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN; # Security header
}
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root /var/www/xmpp.someodd.zip;
}
}
Although maybe in future I’d want to redirect port 5281 and 5280 to just 443 and 80.
Then:
mkdir /var/www/xmpp.someodd.zip
sudo ln -s /etc/nginx/sites-available/xmpp.someodd.zip.conf /etc/nginx/sites-enabled/
sudo service nginx restart
sudo certbot certonly --webroot-path="/var/www/xmpp.someodd.zip" -d 'xmpp.someodd.zip'
Select web root. Now go back and uncomment those SSL-related lines in the nginx config above and restart nginx.
Now that we have the certificates, link them to the certificate directory defined in the prosody config make sure to do this for all prosody-related domains:
sudo prosodyctl --root cert import /etc/letsencrypt/live
Edit /etc/letsencrypt/renewal/xmpp.someodd.zip.conf
and add the following to renewalparams
:
renew_hook = /usr/bin/prosodyctl --root cert import /etc/letsencrypt/live
I will probably update this article later to use a system-wide notification about the service going down for maintenance. Test out renewing:
sudo certbot renew --dry-run --cert-name xmpp.someodd.zip
Do the above for conference.xmpp.someodd.zip
too!
Not done, just now do the same thing but for upload.xmpp.someodd.zip
.
here’s the general idea with the /etc/letsencrypt/renewal/xmpp.someodd.zip.conf
file, please note the renew_hook
which restarts prosody after renewal:
# renew_before_expiry = 30 days
version = 2.1.0
archive_dir = /etc/letsencrypt/archive/xmpp.someodd.zip
cert = /etc/letsencrypt/live/xmpp.someodd.zip/cert.pem
privkey = /etc/letsencrypt/live/xmpp.someodd.zip/privkey.pem
chain = /etc/letsencrypt/live/xmpp.someodd.zip/chain.pem
fullchain = /etc/letsencrypt/live/xmpp.someodd.zip/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = redacted
authenticator = webroot
webroot_path = /var/www/xmpp.someodd.zip,
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
renew_hook = prosodyctl --root cert import /etc/letsencrypt/live
[[webroot_map]]
xmpp.someodd.zip = /var/www/xmpp.someodd.zip
I THINK YOU’LL WANT TO ALSO DO THAT FOR irc.xmpp.someodd.zip AND conference.xmpp.someodd.zip AND upload.xmpp.someodd.zip if you’re going to do biboumi/irc connection. except i don’t think you need the ssl or location / block for those.
don’t forget to uncomment/edit ssl_certificate* fields in nginx then restart nginx
Test what we have so far + firewall
sudo prosodyctl check
sudo systemctl restart prosody
sudo service nginx restart
sudo ufw allow 5222/tcp comment 'Allow XMPP client connections (c2s)'
sudo ufw allow 5269/tcp comment 'Allow XMPP server connections (s2s)'
sudo ufw allow 5280/tcp comment 'Allow HTTP connections (BOSH/WebSocket)'
sudo ufw allow 5281/tcp comment 'Allow HTTPS connections (Secure BOSH/WebSocket)'
Now you’ll want to do some forwarding on your router.
Try connecting with dino-im
. sudo apt-get install dino-im
using the user like someodd@xmpp.someodd.zip
.
This UFW/firewall config isn’t ideal because it exposes some web interface stuff on the weird port…
NOW TEST OUT THE INVITES PAGE MODULE (CURRENTLY BROKEN/cant figure out)
test out conversejs module: https://xmpp.someodd.zip/conversejs
handy commands:
sudo systemctl restart prosody
sudo prosodyctl check
Backups
Add /var/lib/prosody/
to backups.
Caveats
If someone can’t join your groups or IRC in XMPP you should be aware that a S2S error with SSL verification may be failing. You need to have separate letsencrypt setups for all the xmpp subdomains basically. For instance irc.xmpp.someodd.zip
and conference.xmpp.someodd.zip
.
Coming soon
- pubsub?
- maybe i need certs for irc.xmpp.someodd.zip and conference.xmpp.someodd.zip
- specific public, anonymous mucs, maybe.
- I want to make it so I can provide people a conversejs anonymous/public access to #main on my irc server
- It turns out I do have another question: if I enter a key/password for a channel and I have persistence turned on, I’m not going to have a nasty situation where others can now access the channel without the key/password, am I? Like, how about if someone uses the same generic name I used to access the password-protected channel?
- Public Statistics: https://prosody.im/doc/modules/mod_http_openmetrics – http_openmetrics is built in!
Bonus: link to IRC
First look at:
- https://doc.biboumi.louiz.org/admin.html#configuration
- https://prosody.im/doc/components#adding_an_external_component
We need to configure Prosody to add an external component. Edit the config /etc/prosody/prosody.cfg.lua
(put it in the components section):
Component "irc.xmpp.someodd.zip"
component_secret = "secret_password"
need to use a real domain by the way if you want people from other servers to use it.
sudo apt-get install biboumi
sudo mkdir -p /var/lib/biboumi/.config/biboumi/
sudo chown -R _biboumi:_biboumi /var/lib/biboumi/
sudo chmod -R 750 /var/lib/biboumi/
edit /etc/biboumi/biboumi.cfg
:
hostname=irc.xmpp.someodd.zip
password=secret_password
xmpp_server_ip=127.0.0.1
port=5347
admin=someodd@xmpp.someodd.zip
realname_customization=true
realname_from_jid=false
ca_file=
outgoing_bind=
log_level=3
fixed_irc_server=irc.someodd.zip
persistent_by_default=true
fixed_irc_server=irc.someodd.zip
makes it so only that server is accessible via the XMPP-IRC gateway.
maybe persistent_by_default
is a bad idea for security and I think a user can mark a connection as persistent on their end, so they don’t miss messages?
you’ll also want to enable mod_muc
for group chats maybe in the component?
sudo journalctl -xeu biboumi.service
- https://doc.biboumi.louiz.org/9.0/user.html
- https://doc.biboumi.louiz.org/admin.html
sudo service biboumi start
Add /var/lib/biboumi/.config/biboumi/
to backups.
also don’t forget to configure letsencrypt similar to how we configued xmpp.someodd.zip’s cert
like
renew_hook = prosodyctl --root cert import /etc/letsencrypt/live
Modify ngircd to allow many connections from localhost
You need to modify /etc/ngircd/ngircd.conf
to allow more than 10 connections per IP if you want more than 10 biboumi users to be active at once. So under [Limits]
change to MaxConnectionsIP = 0
. Other interesting settings in there too.
You can reload config by doing a HUP
:
kill -HUP $(pidof ngircd)
or as irc op use /quote REHASH
.
Bonus: anonymous usage of chat room? but don’t allow c2c?
…
See also
- https://metajack.im/2008/07/02/xmpp-is-better-with-bosh/
- https://doc.biboumi.louiz.org/9.0/user.html
- https://shadowkat.net/blog/30.html
- https://prosody.im/doc/modules/mod_muc
- https://joinjabber.org/
- https://prosody.im/doc/jingle#server_support – calling and video support
- https://compliance.conversations.im/
Original content in gopherspace: gopher://gopher.someodd.zip:70/0/phlog/xmpp-server.gopher.txt