diff --git a/.gitignore b/.gitignore
index 180d26b..d54bd82 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,6 @@
 data/*
 certs/
-matterbrige/*.t*
+extras/matterbridge/*.t*
 tests/certs/
 tests/venv/
 tests/__pycache__/
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b1cd14a..28cc967 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,22 @@
 # Changelog
+## v1.3.1
+
+* Added optional Firewall module for testing
+
+### Breaking Change
+
+Switched from [http_upload](https://modules.prosody.im/mod_http_upload) to [http_file_share](https://prosody.im/doc/modules/mod_http_file_share).
+This means that previous uploads will NOT work after upgrading.
+ENV variable `HTTP_UPLOAD_FILE_SIZE_LIMIT` was removed.
+
+The new module uses the following variables:
+
+* HTTP_FILE_SHARE_SIZE_LIMIT
+* HTTP_FILE_SHARE_DAILY_QUOTA
+
+See [readme.md](readme.md) for explanations and defaults.
+
 ## v1.3.0
 * Update to Debian Bookworm
diff --git a/Dockerfile b/Dockerfile
index 8e7216f..943b019 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -110,10 +110,12 @@ RUN download-prosody-modules.bash \
 filter_chatstates `# disable "X is typing" type messages` \
 smacks `# stream management (XEP-0198)` \
 throttle_presence `# presence throttling in CSI` \
- http_upload `# file sharing (XEP-0363)` \
 vcard_muc `# XEP-0153: vCard-Based Avatar (MUC)` \
+ && docker-prosody-module-pre-install.bash \
+ firewall `# anti-spam firewall` \
 && rm -rf "/usr/src/prosody-modules"
 RUN echo "TLS_REQCERT allow" >> /etc/ldap/ldap.conf
+
 USER prosody
 ENTRYPOINT ["/entrypoint.bash"]
diff --git a/conf.d/01-modules.cfg.lua b/conf.d/01-modules.cfg.lua
index 51f1a83..2ed2b67 100644
--- a/conf.d/01-modules.cfg.lua
+++ b/conf.d/01-modules.cfg.lua
@@ -1,6 +1,7 @@
 plugin_paths = { "/usr/local/lib/prosody/custom-modules/" };
-modules_enabled = {
+-- table of enabled modules
+local mods_enabled = {
 -- Generally required
 "roster"; -- Allow users to have a roster. Recommended ;)
 "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
@@ -32,7 +33,7 @@ modules_enabled = {
 --"admin_telnet"; -- Opens telnet console interface on localhost port 5582
 -- HTTP modules
- --"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+ "bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
 --"http_files"; -- Serve static files from a directory over HTTP
 -- Other specific functionality
@@ -47,6 +48,20 @@ modules_enabled = {
 "server_contact_info"; -- This module lets you advertise various contact addresses for your XMPP service via XEP-0157.
 };
+local enabled = os.getenv("ENABLE_FIREWALL") or "false"
+local spam_blocklist = os.getenv("SPAM_BLOCKLIST") and "/usr/local/etc/prosody/firewall/" .. os.getenv("SPAM_BLOCKLIST") or "module:scripts/spam-blocklists.pfw"
+
+if(enabled == "true")
+then
+ table.insert(mods_enabled, "firewall");
+
+ firewall_scripts = {
+ spam_blocklist;
+ }
+end
+
+modules_enabled = mods_enabled;
+
 -- These modules are auto-loaded, but should you want
 -- to disable them then uncomment them here:
 modules_disabled = {
@@ -54,3 +69,4 @@ modules_disabled = {
 -- "c2s"; -- Handle client connections
 -- "s2s"; -- Handle server-to-server connections
 };
+
diff --git a/conf.d/02-storage.cfg.lua b/conf.d/02-storage.cfg.lua
index bd51cc4..9c49b4a 100644
--- a/conf.d/02-storage.cfg.lua
+++ b/conf.d/02-storage.cfg.lua
@@ -21,11 +21,13 @@ storage = {
 archive_expires_after = "1y"
 -- bandwith limits
-limits = {
- c2s = {
- rate = "10kb/s";
- };
- s2sin = {
- rate = "30kb/s";
- };
-}
+--limits = {
+ --c2s = {
+ --rate = "10kb/s";
+ --};
+ --s2sin = {
+ --rate = "30kb/s";
+ --};
+--}
+
+http_max_content_size = os.getenv("HTTP_MAX_CONTENT_SIZE") or 1024 * 1024 * 10 -- Default is 10MB
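Review bot: When `SPAM_BLOCKLIST` is set, `firewall_scripts` in the `@@ -47,6 +48,20 @@` hunk holds only the custom script, yet `extras/firewall/custom-blocklist.pfw` added in this same commit opens with "This script depends on spam-blocking.pfw also being loaded" — its `::user/*_custom` chains are only entered by a jump from that script, so as far as I can tell no stanza is ever checked against the list (the default `spam-blocklists.pfw` has the same dependency). The `and`/`or` expression on the second added line also treats `SPAM_BLOCKLIST=""` as set, since an empty string is truthy in Lua, which yields the bare directory path, and it concatenates the value into the path unchecked, so a name containing `/` points mod_firewall at a file outside the firewall directory. I would resolve the name once, accept only a bare file name, and load spam-blocking.pfw ahead of whichever blocklist script was selected.
```lua
local enabled = os.getenv("ENABLE_FIREWALL") or "false"
local blocklist_name = os.getenv("SPAM_BLOCKLIST")
-- default to the list shipped with mod_firewall; a custom script is used only
-- when SPAM_BLOCKLIST is a bare file name (no "/", so it cannot leave the directory)
local spam_blocklist = "module:scripts/spam-blocklists.pfw"
if blocklist_name and blocklist_name ~= "" and not blocklist_name:find("/", 1, true) then
  spam_blocklist = "/usr/local/etc/prosody/firewall/" .. blocklist_name
end

if enabled == "true" then
  table.insert(mods_enabled, "firewall");
  -- the blocklist scripts only define user/*_custom chains; spam-blocking.pfw
  -- is the script that jumps into them, so it has to be loaded as well
  firewall_scripts = {
    "module:scripts/spam-blocking.pfw";
    spam_blocklist;
  }
end

-- … unchanged: modules_enabled = mods_enabled; …
```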
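Review bot: `os.getenv("HTTP_MAX_CONTENT_SIZE") or 1024 * 1024 * 10` on the last added line of the conf.d/02-storage.cfg.lua hunk falls back only when the variable is unset; an empty `HTTP_MAX_CONTENT_SIZE=` yields `""`, which is truthy in Lua and is passed on as the size. `tonumber(os.getenv("HTTP_MAX_CONTENT_SIZE")) or 1024 * 1024 * 10` handles unset, empty and non-numeric values uniformly; the same applies to the two `os.getenv` defaults in the conf.d/05-vhost.cfg.lua hunk, where a non-numeric `HTTP_FILE_SHARE_SIZE_LIMIT` additionally makes `10 * size_limit` raise while the config loads. Separately, commenting out `limits` removes the c2s/s2sin rate limits entirely and neither the CHANGELOG hunk nor a comment says why; if that is intended, a one-line comment above the block stating the reason (and that `http_max_content_size` is not a replacement for it) would help the next reader.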
diff --git a/conf.d/05-vhost.cfg.lua b/conf.d/05-vhost.cfg.lua
index 5b035f2..e5c66ac 100644
--- a/conf.d/05-vhost.cfg.lua
+++ b/conf.d/05-vhost.cfg.lua
@@ -21,9 +21,12 @@ https_ssl = {
 VirtualHost (domain)
--- Set up a http file upload because proxy65 is not working in muc
-Component (domain_http_upload) "http_upload"
- http_upload_expire_after = 60 * 60 * 24 * 7 -- a week in seconds
+-- Set up a http file upload
+Component (domain_http_upload) "http_file_share"
+ http_file_share_expires_after = 60 * 60 * 24 * 7 -- a week in seconds
+ local size_limit = os.getenv("HTTP_FILE_SHARE_SIZE_LIMIT") or 10 * 1024 * 1024 -- Default is 10MB
+ http_file_share_size_limit = size_limit
+ http_file_share_daily_quota = os.getenv("HTTP_FILE_SHARE_DAILY_QUOTA") or 10 * size_limit -- Default is 10x the size limit
 Component (domain_muc) "muc"
 name = "Prosody Chatrooms"
diff --git a/docker-prosody-module-install.bash b/docker-prosody-module-install.bash
index 3bd54b5..3d22532 100755
--- a/docker-prosody-module-install.bash
+++ b/docker-prosody-module-install.bash
@@ -43,7 +43,7 @@ for ext in $exts; do
 # Skip this if the modules should not be added to modules_enabled.
 if [ "$ext" != "http_upload" ] && [ "$ext" != "vcard_muc" ] ; then
 echo " - enabling within ${config}"
- new_config=$(cat "${config}" | module="${ext}" perl -0pe 's/(modules_enabled[ ]*=[ ]*{[^}]*)};/$1\n\t"$ENV{module}";\n};/')
+ new_config=$(cat "${config}" | module="${ext}" perl -0pe 's/(mods_enabled[ ]*=[ ]*{[^}]*)};/$1\n\t"$ENV{module}";\n};/')
 echo "${new_config}" > "${config}"
 fi
 done
diff --git a/docker-prosody-module-pre-install.bash b/docker-prosody-module-pre-install.bash
new file mode 100755
index 0000000..386ad60
--- /dev/null
+++ b/docker-prosody-module-pre-install.bash
@@ -0,0 +1,42 @@
+#!/bin/bash
+set -e
+
+source="/usr/src/prosody-modules"
+target="/usr/local/lib/prosody/custom-modules"
+
+cd ${source}
+
+usage() {
+ echo "usage: $0 ext-name [ext-name ...]"
+ echo " ie: $0 carbons e2e_policy proxy65"
+ echo
+ echo 'Possible values for ext-name:'
+ find . -mindepth 1 -maxdepth 1 -type d | sort | sed s/\.\\/mod_//g | xargs
+}
+
+exts=
+for ext; do
+ if [ -z "mod_$ext" ]; then
+ continue
+ fi
+ if [ ! -d "mod_$ext" ]; then
+ echo >&2 "error: $PWD/mod_$ext does not exist"
+ echo >&2
+ usage >&2
+ exit 1
+ fi
+ exts="$exts $ext"
+done
+
+if [ -z "$exts" ]; then
+ usage >&2
+ exit 1
+fi
+
+for ext in $exts; do
+ echo "Installing mod_${ext}"
+
+ echo " - copying to ${target}"
+ cp -r "${source}/mod_${ext}" "${target}/"
+
+done
diff --git a/extras/firewall/blacklist.txt b/extras/firewall/blacklist.txt
new file mode 100644
index 0000000..f37ee0c
--- /dev/null
+++ b/extras/firewall/blacklist.txt
@@ -0,0 +1,18 @@
+bashtel.ru
+creep.im
+darkengine.biz
+default.rs
+hiddenlizard.org
+jabber.bitactive.com
+jabber.cd
+jabber.freenet.de
+jabber.ipredator.se
+jabber.npw.net
+jabber.sampo.ru
+labas.biz
+otr.chat
+paranoid.scarab.name
+rassnet.org
+safetyjabber.com
+sj.ms
+xmpp.bytesund.biz
diff --git a/extras/firewall/custom-blocklist.pfw b/extras/firewall/custom-blocklist.pfw
new file mode 100644
index 0000000..ec77009
--- /dev/null
+++ b/extras/firewall/custom-blocklist.pfw
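Review bot: The `if [ -z "mod_$ext" ]; then continue` guard in the first loop can never fire: the tested string always starts with the literal `mod_`, so it is non-empty even when `$ext` is empty, and an empty argument falls through to the `-d` check with `mod_` as the directory name. The intent is presumably `if [ -z "$ext" ]; then`. `cd ${source}` should also be quoted, `cd "${source}"`, for consistency with the quoted `cp` line further down, even though the value is a fixed literal here.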
@@ -0,0 +1,21 @@
+# This script depends on spam-blocking.pfw also being loaded
+# Any traffic that is not explicitly blocked or allowed by other
+# rules will be checked against the JabberSPAM server blocklist
+
+%LIST blocklist: file:/usr/local/etc/prosody/firewall/blacklist.txt
+#%LIST blocklist: https://cdn.jsdelivr.net/gh/jabberspam/blacklist/blacklist.txt
+
+::user/spam_handle_unknown_custom
+
+CHECK LIST: blocklist contains $<@from|host>
+BOUNCE=policy-violation (Your server is blocked due to spam)
+
+::user/spam_check_muc_invite_custom
+
+# Check the server we received the invitation from
+CHECK LIST: blocklist contains $<@from|host>
+BOUNCE=policy-violation (Your server is blocked due to spam)
+
+# Check the inviter's JID against the blocklist, too
+CHECK LIST: blocklist contains $<{http://jabber.org/protocol/muc#user}x/invite@from|host>
+BOUNCE=policy-violation (Your server is blocked due to spam)
diff --git a/matterbridge/.gitkeep b/extras/matterbridge/.gitkeep
similarity index 100%
rename from matterbridge/.gitkeep
rename to extras/matterbridge/.gitkeep
diff --git a/matterbridge/matterbridge.toml b/matterbridge/matterbridge.toml
deleted file mode 100644
index 3faf5b9..0000000
--- a/matterbridge/matterbridge.toml
+++ /dev/null
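Review bot: `%LIST blocklist: file:/usr/local/etc/prosody/firewall/blacklist.txt` names an absolute in-container path, while this commit adds the list as `extras/firewall/blacklist.txt` and nothing in the diff copies or mounts it there, so unless the operator mounts both the `.pfw` and the `.txt` into `/usr/local/etc/prosody/firewall/` the list lookup has nothing to load. The readme row for `SPAM_BLOCKLIST` mentions only the `.pfw` file name; I would add a line here such as `# blacklist.txt must be mounted next to this script under /usr/local/etc/prosody/firewall/` and state the same in the readme. The list is also a static snapshot (the remote source is left commented out on the next line), so a comment noting where it was taken from and how to refresh it would help maintenance.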
@@ -1,84 +0,0 @@ -#https://github.com/42wim/matterbridge - -################################################################### -#XMPP section - berriketak -################################################################### -[xmpp] -[xmpp.telegram_berriketak] -#Server="lainoa.eus:5222" -Server="server:5222" -#Jid="admin@lainoa.eus" -Jid="admin@lainoa.eus" -#Password="sagastarri996X" -Password="sagastarri996" -Muc="conference.lainoa.eus" -Nick="Admin" -SkipTLSVerify=true -#IgnoreNicks="ircspammer1 ircspammer2" -#RemoteNickFormat="[{NICK}] " -RemoteNickFormat="{TENGO}({PROTOCOL}) " -ShowJoinPart=false - -################################################################### -#telegram section - berriketak -################################################################### -[telegram] -[telegram.berriket_xmppBot] -Token="434963747:AAHRbJAw9oN30b9KdjWacnyYyHS22r056SM" #token berriket_xmppBot -MessageFormat="HTMLNick" -EditDisable=false -EditSuffix=" (edited)" -IgnoreNicks="spammer1 spammer2" -RemoteNickFormat="{NICK}: " -ShowJoinPart=false -UseInsecureURL=true -MediaConvertWebPToPNG=true -DisableWebPagePreview=false - -[tengo] -#RemoteNickFormat="remotenickformat.tengo" -RemoteNickFormat="/etc/matterbridge/nicks.tengo" -#InMessage="/etc/matterbridge/in.tengo" -OutMessage="/etc/matterbridge/out.tengo" - -################################################################### -#gateway section -################################################################### -[[gateway]] -name="gateway_berriketak" -enable=true - - [[gateway.inout]] - account="xmpp.telegram_berriketak" - channel="berriketak" - #channel="test" - - [[gateway.inout]] - account="telegram.berriket_xmppBot" - channel="-183435536" #Telegram berriketak taldearen ID-a - -[[gateway]] -name="test" -enable=true - - [[gateway.inout]] - account="xmpp.telegram_berriketak" - channel="test" - - [[gateway.inout]] - account="telegram.berriket_xmppBot" - #channel="-241666435" #Telegram xmpp_test taldearen ID-a - 
channel="-1001617641457" - -#[[gateway]] -#name="etxekok" -#enable=true - -# [[gateway.inout]] -# account="xmpp.telegram_berriketak" -# channel="etxekok" - -# [[gateway.inout]] -# account="telegram.berriket_xmppBot" -# channel="-523032" #Telegram etxekok taldearen ID-a - diff --git a/matterbridge/nicks.tengo b/matterbridge/nicks.tengo deleted file mode 100644 index f46f0e3..0000000 --- a/matterbridge/nicks.tengo +++ /dev/null @@ -1,5 +0,0 @@ -/*Customize nicks from X to XMPP*/ -result = nick -if(nick == "Nekane Nekane") { - result = "Amona Nekane" -} diff --git a/matterbridge/out.tengo b/matterbridge/out.tengo deleted file mode 100644 index c229207..0000000 --- a/matterbridge/out.tengo +++ /dev/null @@ -1,30 +0,0 @@ -text := import("text") -fmt := import("fmt") - -fmt.println(msgText) - -if(inProtocol == "telegram"){ - if text.index(msgText, "https") > 1 { - media_array := text.re_split(":", msgText, 2) - fmt.println(media_array) - if len(media_array) > 1 { - //TG desktop - media := text.trim_prefix(media_array[1]," ") - //msgText=media - bold := "**"+media+"**" - //link := "[link]("+media+")" - //msgText =link - msgText = text.re_replace("MEDIA", bold, msgText) - //msgText="![Tux, the Linux mascot]("+media+")" - //msgText=text.re_replace("matterbridge",msgText,"matterbridge (https://github.com/42wim/matterbridge)") - }else{ - //TG android - msgText="https:"+media_array[0] - } - - } -}else{ - //capitalize + bold - msgUsername = ""+text.title(msgUsername)+"" - msgText = msgText -} diff --git a/readme.md b/readme.md index 510d902..d3c1703 100644 --- a/readme.md +++ b/readme.md 
@@ -54,6 +54,7 @@ While Conversations got everything set-up out-of-the-box, Gajim was used with th
 * Secure by default
 * SSL certificate required
 * End-to-end encryption required (using [OMEMO](https://conversations.im/omemo/) or [OTR](https://en.wikipedia.org/wiki/Off-the-Record_Messaging))
+ * Anti-spam filter (based on the pre-installed [Firewall](https://modules.prosody.im/mod_firewall) module)
 * Data storage
 * SQLite message store
 * Configured file upload and image sharing
@@ -228,6 +229,9 @@ sudo chown 999:999 ./data
 | **DB_PORT** | Port on which the database is listening | *optional* | |
 | **DB_USERNAME** | The username to authenticate to the database | *optional* | |
 | **DB_PASSWORD** | The password to authenticate to the database | *optional* | |
+| **HTTP_MAX_CONTENT_SIZE** | Max http content size in bytes | *optional* | 10485760 |
+| **HTTP_FILE_SHARE_SIZE_LIMIT** | Max http file share size in bytes | *optional* | 10485760 |
+| **HTTP_FILE_SHARE_DAILY_QUOTA** | Daily quota in bytes | *optional* | 10 times share size limit |
 | **E2E_POLICY_CHAT** | Policy for chat messages. Possible values: "none", "optional" and "required". | *optional* | "required" |
 | **E2E_POLICY_MUC** | Policy for MUC messages. Possible values: "none", "optional" and "required". | *optional* | "required" |
 | **E2E_POLICY_WHITELIST** | Make this module ignore messages sent to and from this JIDs or MUCs. | *optional* | "" |
@@ -242,6 +246,8 @@ sudo chown 999:999 ./data | **SERVER_CONTACT_INFO_SECURITY** | A list of strings. Each string should be an URI. See [here](https://prosody.im/doc/modules/mod_server_contact_info). | *optional* | "xmpp:security@**DOMAIN**" | | **SERVER_CONTACT_INFO_SUPPORT** | A list of strings. Each string should be an URI. See [here](https://prosody.im/doc/modules/mod_server_contact_info). | *optional* | "xmpp:support@**DOMAIN**" | | **PROSODY_ADMINS** | Specify who is an administrator. List of adresses. Eg. "me@example.com", "admin@example.net" | *optional* | "" | +| **ENABLE_FIREWALL** | Enable Firewall module | *optional* | false | +| **SPAM_BLOCKLIST** | Blacklist to use with Firewall module. Eg. "custom-blocklist.pfw" | *optional* | | #### DNS @@ -262,7 +268,7 @@ There is a helper script that eases installing additional prosody modules: ```do It downloads the current [prosody-modules](https://hg.prosody.im/prosody-modules/) repository. The specified modules are copied and its name is added to the ```modules_enabled``` variable within ```conf.d/01-modules.cfg.lua```. -There is also ```docker-prosody-module-copy``` which copies the specified modules but does not add them to the ```modules_enabled``` variable within ```conf.d/01-modules.cfg.lua```. +There is also ```docker-prosody-module-pre-install.bash``` which downloads the specified modules but does not add them to the ```modules_enabled``` variable within ```conf.d/01-modules.cfg.lua```. In fact, this script is in charge of pre-installing the Firewall module. If you need additional configuration just overwrite the respective _cfg.lua_ file or add new ones. 
@@ -277,16 +283,16 @@ prosodyctl mod_storage_sql upgrade
 ## Matterbridge
-To enable bridges using **Matterbridge** simply add the service in the docker-compose.yml file. Then you need to add _toml_ config file in ```matterbridge``` directory spedifying protocols and gateways. Check [documentation](https://github.com/42wim/matterbridge#readme).
+To enable bridges using **Matterbridge** simply add the service in the docker-compose.yml file. Then you need to add _toml_ config file in ```matterbridge``` directory spedifying protocols and gateways. Check the [documentation](https://github.com/42wim/matterbridge#readme) for more information.
 ``` yaml
 matterbridge:
 image: 42wim/matterbridge:latest
 restart: unless-stopped
 volumes:
- - ./matterbridge/matterbridge.toml:/etc/matterbridge/matterbridge.toml:ro
- - ./matterbridge/nicks.tengo:/etc/matterbridge/nicks.tengo:ro
- - ./matterbridge/out.tengo:/etc/matterbridge/out.tengo:ro
+ - ./extras/matterbridge/matterbridge.toml:/etc/matterbridge/matterbridge.toml:ro
+ - ./extras/matterbridge/nicks.tengo:/etc/matterbridge/nicks.tengo:ro
+ - ./extras/matterbridge/out.tengo:/etc/matterbridge/out.tengo:ro
 depends_on:
 - server