Kris's blog

Posted Fri 09 October 2020

Quickly setup your own jabber server

When you have read this text, you will be able to set up your own Jabber (XMPP) server using Prosody. For you it will take a few minutes; for me it took a few hours.

Why have a private Jabber server? You won't rely on any corporate messaging service. You control your own and your family's privacy, and you have control of your data (well, that depends on how well you secure things).

For starters, I used the XMPP server as a notification platform. An automated script did its work and, when it succeeded or failed, sent me a message (with a link to respond quickly). Later on, I extended it to my private communication channel.

Here I will use Prosody, a simple (but powerful) XMPP server written in Lua.

Below you will find the configuration for a simple setup with HTTP file upload and multi-user chat.

Installation and config

You will need:
- a domain,
- two subdomains (one for file upload, one for conferences/MUC),
- TLS certificates covering the domain and both subdomains (I use Let's Encrypt).

The Docker files are in this repository; that setup is a bit more complicated than the one described here, but still easy to run.

I use Let's Encrypt for the certificates. Unless you use a wildcard certificate (Let's Encrypt issues those only through the DNS-01 challenge) or one certificate with all three names as SANs, you will need three certificates:
- one for your main domain,
- one for the subdomain where file upload will live,
- one for the multi-user chat service.

I use these example domains throughout this text:

MAIN_DOMAIN.COM
UPLOAD.MAIN_DOMAIN.COM
MUC.MAIN_DOMAIN.COM

I encountered these errors when I was trying to get file upload working:

java.io.IOException: Cleartext HTTP traffic to * not permitted

No key present in SSL/TLS configuration for https port 5281

They are caused by certificates that Prosody has not imported: without a key for the HTTPS port it cannot serve https:// at all, so the upload URL it hands to the client is plain http://, which Android clients refuse (the first error is Android's cleartext-traffic policy, the second is Prosody's side of the same problem). There is an ugly workaround.

You have to run the certificate import command:

prosodyctl --root cert import /etc/letsencrypt/DIRECT_PATH_TO_FOLDERS_WITH_CERTS

Then copy the certificates to /etc/prosody/certs (this is also the directory that prosodyctl cert import copies them into by default, so first check whether they are already there). That's all; your server will work and needs only as much configuration as in the listing below. Because the listing keeps registration disabled, create accounts from the shell with prosodyctl adduser me@MAIN_DOMAIN.COM.

Ports used by Prosody

So you don't forget to open them on your firewall (and to leave closed the one that should stay local):

5222 - c2s, client connections
5269 - s2s, federation with other servers (only needed if you talk to other domains)
5347 - external components; Prosody binds this to localhost by default, do not expose it to the internet
5280 - HTTP (BOSH, file upload)
5281 - HTTPS (the same over TLS; this is what clients should end up using)

Checking the installation

When everything runs OK, you should be able to open these URLs (the http-bind ones answer only if mod_bosh is enabled, which the listing below leaves commented out; the https:// variants are the ones clients should use):

http://MAIN_DOMAIN.COM:5280/http-bind
https://MAIN_DOMAIN.COM:5281/http-bind

http://UPLOAD.MAIN_DOMAIN.COM:5280/upload
https://UPLOAD.MAIN_DOMAIN.COM:5281/upload
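
A small verification script, added here as an example (it is not part of the original post or of Prosody), that checks what opening the URLs above only partly shows: that the c2s port really refuses to authenticate before STARTTLS (c2s_require_encryption in effect), that the certificates presented on 5222 and 5281 are trusted and cover the right names, that the HTTPS endpoints answer, and that the component port 5347 is not reachable from outside. The hostnames are the placeholders used in this post; replace them with your own. The two pure functions (feature parsing and certificate name matching) work offline, the rest needs network access to your server.

```python
"""Post-install checks for the Prosody setup described in this post (added example)."""
import re
import socket
import ssl
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Placeholder hostnames from the post; the ports are Prosody's defaults listed above.
MAIN_DOMAIN = "MAIN_DOMAIN.COM"
UPLOAD_DOMAIN = "UPLOAD.MAIN_DOMAIN.COM"
C2S_PORT, COMPONENT_PORT, HTTPS_PORT = 5222, 5347, 5281

STREAM_HEADER = ("<?xml version='1.0'?><stream:stream to='{host}' xmlns='jabber:client' "
                 "xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>")


def parse_stream_features(xml_fragment):
    """Classify a <stream:features> reply seen on a plaintext c2s connection.

    With c2s_require_encryption = true Prosody advertises
    <starttls ...><required/></starttls> and offers no SASL mechanisms before TLS.
    """
    m = re.search(r"<starttls\b[^>]*?(?:/>|>(.*?)</starttls>)", xml_fragment, re.S)
    return {
        "starttls": m is not None,
        "required": bool(m and m.group(1) and "<required" in m.group(1)),
        "mechanisms": re.findall(r"<mechanism>([^<]+)</mechanism>", xml_fragment),
    }


def hostname_matches_cert(hostname, cert_names):
    """RFC 6125-style match: exact (case-insensitive) or a '*.' wildcard covering exactly one label."""
    hostname = hostname.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in cert_names):
        if name == hostname:
            return True
        if name.startswith("*.") and hostname.count(".") == name.count("."):
            if hostname.split(".", 1)[1] == name[2:]:
                return True
    return False


def _read_until(sock, marker, limit=65536):
    """Read until marker appears, the peer closes, or limit bytes arrive."""
    buf = b""
    while marker not in buf and len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def _dns_names(cert):
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def c2s_check(host, port=C2S_PORT, timeout=5.0):
    """Open a c2s stream, record the pre-TLS features, then STARTTLS with full verification.

    Returns (features, cert_dns_names); raises ssl.SSLError if chain or hostname is wrong.
    """
    ctx = ssl.create_default_context()  # system trust store plus hostname check
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(STREAM_HEADER.format(host=host).encode())
        raw = _read_until(sock, b"</stream:features>").decode(errors="replace")
        features = parse_stream_features(raw)
        sock.sendall(b"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>")
        reply = _read_until(sock, b"/>")
        if b"<proceed" not in reply:
            raise RuntimeError(f"server refused STARTTLS: {reply!r}")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            names = _dns_names(tls.getpeercert())
    return features, names


def https_cert_names(host, port=HTTPS_PORT, timeout=5.0):
    """TLS-connect to the HTTPS port and return the DNS SANs of the presented certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return _dns_names(tls.getpeercert())


def http_status(url, timeout=5.0):
    """GET url and return the status code; any HTTP answer (even 4xx) proves the endpoint is served."""
    try:
        with urlopen(Request(url), timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def port_open(host, port, timeout=2.0):
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def main():
    features, c2s_names = c2s_check(MAIN_DOMAIN)
    print(f"c2s: starttls={features['starttls']} required={features['required']} "
          f"pre-TLS SASL={features['mechanisms']}")
    if not features["required"]:
        print("  WARNING: c2s_require_encryption is not in effect; clients could log in in cleartext")
    print(f"c2s cert covers {MAIN_DOMAIN}: {hostname_matches_cert(MAIN_DOMAIN, c2s_names)} {c2s_names}")
    up_names = https_cert_names(UPLOAD_DOMAIN)
    print(f"https cert covers {UPLOAD_DOMAIN}: {hostname_matches_cert(UPLOAD_DOMAIN, up_names)} {up_names}")
    for url in (f"https://{MAIN_DOMAIN}:{HTTPS_PORT}/http-bind", f"https://{UPLOAD_DOMAIN}:{HTTPS_PORT}/upload"):
        print(url, "->", http_status(url))
    if port_open(MAIN_DOMAIN, COMPONENT_PORT):
        print(f"  WARNING: port {COMPONENT_PORT} (external components) is reachable; it should listen on localhost only")


if __name__ == "__main__":
    main()
```

Run it from a machine outside your network, not from the server itself: the point of the 5347 check is to see what the internet sees, and a hostname mismatch or untrusted chain shows up as an ssl.SSLError rather than a silent pass.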

Mobile client and useful links for configuring everything

For the mobile client I use Xabber: https://www.xabber.com/

Prosody:
- Prosody
- Prosody code
- Prosody Docker

Prosody documentation:
- HTTP server
- ports
- hashing passwords
- libevent (handling big loads)
- logging
- advanced logging
- important stuff for open servers
- backups
- core modules
- other modules
- authentication
- migrate data between data stores

Useful materials (I thank the authors):
- config 1
- config 2

The simplest config to run the server with file upload capabilities:

daemonize = false;

---------- Server-wide settings ----------
-- Example: admins = { "user1@example.com", "user2@example.net" }
admins = { }

plugin_paths = { "/usr/lib/prosody/modules-community" }

modules_enabled = {

        -- Generally required
                "roster"; -- Allow users to have a roster. Recommended ;)
                "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
                "tls"; -- Add support for secure TLS on c2s/s2s connections
                "dialback"; -- s2s dialback support
                "disco"; -- Service discovery
                "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
                "offline";

        -- Not essential, but recommended
                "private"; -- Private XML storage (for room bookmarks, etc.)
                "vcard"; -- Allow users to set vCards

        -- Nice to have
                --"version"; -- Replies to server version requests
                --"uptime"; -- Report how long server has been running
                "time"; -- Let others know the time here on this server
                "ping"; -- Replies to XMPP pings with pongs
                "pep"; -- Enables users to publish their mood, activity, playing music and more
                --"register"; -- Allow users to register on this server using a client and change passwords
                "carbons";
       -- Admin interfaces
                --"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
                --"admin_telnet"; -- Opens telnet console interface on localhost port 5582

        -- HTTP modules
                "http";
                --"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
                "http_files"; -- Serve static files from a directory over HTTP
                "http_upload";

        -- Other specific functionality
                "groups"; -- Shared roster support
                --"announce"; -- Send announcement to all online users
                --"welcome"; -- Welcome users who register accounts
                --"watchregistrations"; -- Alert admins of registrations
                --"motd"; -- Send a message to users when they log in
                --"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
        -- Mine
                -- "muc"; -- multi-user chat (provided by the MUC Component below instead)
                -- "muc_mam"; -- MUC message archiving
                "message";};


-- Disable account creation by default, for security
allow_registration = false;

c2s_require_encryption = true
s2s_secure_auth = true

-- Required for init scripts and prosodyctl
pidfile = "/var/run/prosody/prosody.pid"

-- Select the authentication backend to use. The 'internal' providers
-- use Prosody's configured data storage to store the authentication data.
-- To allow Prosody to offer secure authentication mechanisms to clients, the
-- default provider stores passwords in plaintext. If you do not trust your
-- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed
-- for information about using the hashed backend.

-- IMPORTANT
authentication = "internal_hashed"

-- Select the storage backend to use. By default Prosody uses flat files
-- in its configured data directory, but it also supports more backends
-- through modules. An "sql" backend is included by default, but requires
-- additional dependencies. See http://prosody.im/doc/storage for more info.

--storage = "sql" -- Default is "internal"

-- For the "sql" backend, you can uncomment *one* of the below to configure:
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }

-- Logging configuration
-- For advanced logging see http://prosody.im/doc/logging
-- levels: debug, info, warn, error 
log = {
    {levels = {min = "info"}, to = "console"};
}

groups_file = "/etc/prosody/sharedgroups.txt"


---- Virtual hosts -----------
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
-- Settings under each VirtualHost entry apply *only* to that host.

-- THIS IS NECESSARY HERE: the certificate for your main domain, used by the HTTPS port (5281)
https_key = "/etc/prosody/certs/MAIN_DOMAIN.COM.key";
https_certificate = "/etc/prosody/certs/MAIN_DOMAIN.COM.crt";

VirtualHost "MAIN_DOMAIN.COM"
-- Certificate is set AUTOMATICALLY (from /etc/prosody/certs/MAIN_DOMAIN.COM.crt) and in the GLOBAL CONFIG SECTION

------ Components ------
-- For more information on components, see http://prosody.im/doc/components
Component "UPLOAD.MAIN_DOMAIN.COM" "http_upload"
-- Certificate is set AUTOMATICALLY and in the GLOBAL CONFIG SECTION
-- optional: cap upload size with http_upload_file_size_limit (bytes; the module default is 1 MB)
        http_files_dir = "/var/www"

---Set up a MUC (multi-user chat) room server on MUC.MAIN_DOMAIN.COM:
Component "MUC.MAIN_DOMAIN.COM" "muc"
-- Certificate is set AUTOMATICALLY and in the GLOBAL CONFIG SECTION
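
To check that a config file actually carries the settings the listing relies on (hashed passwords, registration off, encryption required on c2s, certificate verification on s2s, no registration or telnet modules left on), here is a small lint script added as an example; it is not part of the post or of Prosody. It strips Lua '--' comments and scans 'key = value' lines, so it assumes the shape of the listing above rather than parsing Lua. The two embedded configs are constructed samples: one with the weak values and one with the hardened values from the listing.

```python
"""Lint a prosody.cfg.lua for the security-relevant knobs used in the listing above (added example)."""
import re

# Values a private server should have (taken from the listing; not an exhaustive hardening list).
EXPECTED = {
    "allow_registration": "false",          # no self-service account creation
    "c2s_require_encryption": "true",       # no cleartext client sessions
    "s2s_secure_auth": "true",              # federation peers must present valid certificates
    "authentication": '"internal_hashed"',  # never store plaintext passwords
}
# Modules that widen the attack surface of a private server if left enabled.
RISKY_MODULES = {"register", "legacyauth", "admin_telnet"}

ASSIGN_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)\s*;?\s*$")


def strip_comments(text):
    """Drop Lua '--' line comments (assumption: no '--' inside string literals, as in the listing)."""
    return "\n".join(line.split("--", 1)[0] for line in text.splitlines())


def global_settings(text):
    """Top-level 'key = value' pairs before the first VirtualHost/Component (later ones are host-scoped)."""
    settings = {}
    for line in strip_comments(text).splitlines():
        if re.match(r"^\s*(VirtualHost|Component)\b", line):
            break
        m = ASSIGN_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def enabled_modules(text):
    """Module names inside the modules_enabled table, with commented-out entries removed."""
    m = re.search(r"modules_enabled\s*=\s*\{(.*?)\}", strip_comments(text), re.S)
    return set(re.findall(r'"([^"]+)"', m.group(1))) if m else set()


def lint(text):
    """Return a list of findings; an empty list means every checked setting is as expected."""
    findings = []
    settings = global_settings(text)
    for key, want in EXPECTED.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key} not set, Prosody default applies (want {want})")
        elif got != want:
            findings.append(f"{key} = {got} (want {want})")
    for mod in sorted(RISKY_MODULES & enabled_modules(text)):
        findings.append(f'module "{mod}" enabled')
    return findings


# Constructed samples: a weak configuration and the hardened equivalent from the listing.
WEAK_CONFIG = """
allow_registration = true
c2s_require_encryption = false
authentication = "internal_plain"
modules_enabled = { "roster"; "saslauth"; "register"; --"admin_telnet";
}
VirtualHost "example.com"
"""

HARDENED_CONFIG = """
allow_registration = false;
c2s_require_encryption = true
s2s_secure_auth = true
authentication = "internal_hashed"
modules_enabled = {
        "roster"; -- Allow users to have a roster
        --"register"; -- disabled: accounts are created with prosodyctl adduser
        "http_upload";
}
VirtualHost "example.com"
"""

if __name__ == "__main__":
    for label, cfg in ("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG):
        print(f"{label}: {lint(cfg) or ['OK']}")
```

Point lint() at the text of your real /etc/prosody/prosody.cfg.lua before restarting the service; a missing key is reported as a finding on purpose, because relying on a Prosody default (for example the plaintext authentication backend mentioned in the comments above) is exactly the mistake this catches.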
Category: devops server jabber prosody XMPP