bats

.gitignore

@@ -1,6 +1,6 @@
 data/*
 certs/
-matterbrige/*.t*
+extras/matterbridge/*.t*
 tests/certs/
 tests/venv/
 tests/__pycache__/

CHANGELOG.md

@@ -1,5 +1,37 @@
 # Changelog
 
+## Unreleased 2024-05-05
+
+### Adjust config
+
+* Replace deprecated legacy_ssl with c2s_direct_tls.
+* Removed use_libevent = true. This means the default is now used which is epoll.
+
+### Test
+
+Added a test to check that no deprecated config settings are used.
+
+## v1.3.2
+
+* Added Firewall module with optional custom blacklist
+
+## v1.3.1
+
+* Added optional Firewall module for testing
+
+### Breaking Change
+
+Switched from [http_upload](https://modules.prosody.im/mod_http_upload) to [http_file_share](https://prosody.im/doc/modules/mod_http_file_share).
+This means that previous uploads will NOT work after upgrading.
+ENV variable `HTTP_UPLOAD_FILE_SIZE_LIMIT` was removed.
+
+The new module uses the following variables:
+
+* HTTP_FILE_SHARE_SIZE_LIMIT
+* HTTP_FILE_SHARE_DAILY_QUOTA
+
+See [readme.md](readme.md) for explanations and defaults.
+
 ## v1.3.0
 
 * Update to Debian Bookworm

Dockerfile

@@ -102,18 +102,19 @@ COPY *.bash /usr/local/bin/
 
 RUN download-prosody-modules.bash \
  && docker-prosody-module-install.bash \
-        bookmarks `# XEP-0411: Bookmarks Conversion` \
+        #bookmarks `# XEP-0411: Bookmarks Conversion` \
-        carbons `# message carbons (XEP-0280)` \
+        #carbons `# message carbons (XEP-0280)` \
         cloud_notify `# XEP-0357: Push Notifications` \
-        csi `# client state indication (XEP-0352)` \
+        #csi `# client state indication (XEP-0352)` \
         e2e_policy `# require end-2-end encryption` \
         filter_chatstates `# disable "X is typing" type messages` \
-        smacks `# stream management (XEP-0198)` \
+        #smacks `# stream management (XEP-0198)` \
         throttle_presence `# presence throttling in CSI` \
-        http_upload `# file sharing (XEP-0363)` \
         vcard_muc `# XEP-0153: vCard-Based Avatar (MUC)` \
+	    firewall `# anti-spam firewall` \
  && rm -rf "/usr/src/prosody-modules"
 RUN echo "TLS_REQCERT allow" >> /etc/ldap/ldap.conf
+
 USER prosody
 
 ENTRYPOINT ["/entrypoint.bash"]

conf.d/01-modules.cfg.lua

@@ -1,5 +1,7 @@
 plugin_paths = { "/usr/local/lib/prosody/custom-modules/" };
 
+-- table of enabled modules
+-- local mods_enabled = {
 modules_enabled = {
     -- Generally required
     "roster"; -- Allow users to have a roster. Recommended ;)
@@ -32,7 +34,7 @@ modules_enabled = {
     --"admin_telnet"; -- Opens telnet console interface on localhost port 5582
 
     -- HTTP modules
-    --"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+    "bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
     --"http_files"; -- Serve static files from a directory over HTTP
 
     -- Other specific functionality
@@ -47,6 +49,8 @@ modules_enabled = {
     "server_contact_info"; -- This module lets you advertise various contact addresses for your XMPP service via XEP-0157.
 };
 
+-- modules_enabled = mods_enabled;
+
 -- These modules are auto-loaded, but should you want
 -- to disable them then uncomment them here:
 modules_disabled = {

conf.d/02-storage.cfg.lua

@@ -21,11 +21,13 @@ storage = {
 archive_expires_after = "1y"
 
 -- bandwith limits
-limits = {
+--limits = {
-    c2s = {
+    --c2s = {
-        rate = "10kb/s";
+        --rate = "10kb/s";
-    };
+    --};
-    s2sin = {
+    --s2sin = {
-        rate = "30kb/s";
+        --rate = "30kb/s";
-    };
+    --};
-}
+--}
+
+http_max_content_size = os.getenv("HTTP_MAX_CONTENT_SIZE") or 1024 * 1024 * 10 -- Default is 10MB

conf.d/05-vhost.cfg.lua

@@ -6,11 +6,11 @@ local domain_pubsub = os.getenv("DOMAIN_PUBSUB")
 
 -- XEP-0368: SRV records for XMPP over TLS
 -- https://compliance.conversations.im/test/xep0368/
-legacy_ssl_ssl = {
+c2s_direct_tls_ssl = {
-	certificate = "certs/" .. domain .. "/fullchain.pem";
+    certificate = "certs/" .. domain .. "/fullchain.pem";
 	key = "certs/" .. domain .. "/privkey.pem";
 }
-legacy_ssl_ports = { 5223 }
+c2s_direct_tls_ports = { 5223 }
 
 -- https://prosody.im/doc/certificates#service_certificates
 -- https://prosody.im/doc/ports#ssl_configuration
@@ -21,9 +21,12 @@ https_ssl = {
 
 VirtualHost (domain)
 
--- Set up a http file upload because proxy65 is not working in muc
+-- Set up a http file upload 
-Component (domain_http_upload) "http_upload"
+Component (domain_http_upload) "http_file_share"
-	http_upload_expire_after = 60 * 60 * 24 * 7 -- a week in seconds
+	http_file_share_expires_after = 60 * 60 * 24 * 7 -- a week in seconds
+	local size_limit = os.getenv("HTTP_FILE_SHARE_SIZE_LIMIT") or 10 * 1024 * 1024 -- Default is 10MB
+	http_file_share_size_limit = size_limit
+	http_file_share_daily_quota = os.getenv("HTTP_FILE_SHARE_DAILY_QUOTA") or 10 * size_limit -- Default is 10x the size limit
 
 Component (domain_muc) "muc"
 	name = "Prosody Chatrooms"

docker-prosody-module-install.bash

@@ -46,4 +46,10 @@ for ext in $exts; do
 		new_config=$(cat "${config}" | module="${ext}" perl -0pe 's/(modules_enabled[ ]*=[ ]*{[^}]*)};/$1\n\t"$ENV{module}";\n};/')
 		echo "${new_config}" > "${config}"
 	fi
+	# firewall module configuration
+    	if [ "$ext" == "firewall" ] ; then
+        	echo " - setting up mod_${ext}"
+        	new_config=$(cat "${config}" | echo -e "\nlocal spam_blocklist = os.getenv(\"SPAM_BLOCKLIST\") and \"/usr/local/etc/prosody/firewall/\" .. os.getenv(\"SPAM_BLOCKLIST\") or \"module:scripts/spam-blocklists.pfw\"\n\nfirewall_scripts = {\n\t\"module:scripts/spam-blocking.pfw\";\n\tspam_blocklist;\n};")
+        	echo "${new_config}" >> "${config}"
+    	fi
 done

extras/firewall/blacklist.txt

@@ -0,0 +1,21 @@
+bashtel.ru
+creep.im
+darkengine.biz
+default.rs
+exploit.im
+hiddenlizard.org
+jabber.bitactive.com
+jabber.cd
+jabber.cz
+jabber.freenet.de
+jabber.ipredator.se
+jabber.npw.net
+jabber.sampo.ru
+jabbim.pl
+labas.biz
+otr.chat
+paranoid.scarab.name
+rassnet.org
+safetyjabber.com
+sj.ms
+xmpp.bytesund.biz

extras/firewall/custom-blocklist.pfw

@@ -0,0 +1,21 @@
+# This script depends on spam-blocking.pfw also being loaded
+# Any traffic that is not explicitly blocked or allowed by other
+# rules will be checked against the JabberSPAM server blocklist
+
+%LIST blocklist: file:/usr/local/etc/prosody/firewall/blacklist.txt
+#%LIST blocklist: https://cdn.jsdelivr.net/gh/jabberspam/blacklist/blacklist.txt
+
+::user/spam_handle_unknown_custom
+
+CHECK LIST: blocklist contains $<@from|host>
+BOUNCE=policy-violation (Your server is blocked due to spam)
+
+::user/spam_check_muc_invite_custom
+
+# Check the server we received the invitation from
+CHECK LIST: blocklist contains $<@from|host>
+BOUNCE=policy-violation (Your server is blocked due to spam)
+
+# Check the inviter's JID against the blocklist, too
+CHECK LIST: blocklist contains $<{http://jabber.org/protocol/muc#user}x/invite@from|host>
+BOUNCE=policy-violation (Your server is blocked due to spam)

matterbridge/matterbridge.toml

@@ -1,84 +0,0 @@
-#https://github.com/42wim/matterbridge
-
-###################################################################
-#XMPP section - berriketak
-###################################################################
-[xmpp]
-[xmpp.telegram_berriketak]
-#Server="lainoa.eus:5222"
-Server="server:5222"
-#Jid="admin@lainoa.eus"
-Jid="admin@lainoa.eus"
-#Password="sagastarri996X"
-Password="sagastarri996"
-Muc="conference.lainoa.eus"
-Nick="Admin"
-SkipTLSVerify=true
-#IgnoreNicks="ircspammer1 ircspammer2"
-#RemoteNickFormat="[{NICK}] "
-RemoteNickFormat="{TENGO}({PROTOCOL}) "
-ShowJoinPart=false
-
-###################################################################
-#telegram section - berriketak
-###################################################################
-[telegram]
-[telegram.berriket_xmppBot]
-Token="434963747:AAHRbJAw9oN30b9KdjWacnyYyHS22r056SM" #token berriket_xmppBot
-MessageFormat="HTMLNick"
-EditDisable=false
-EditSuffix=" (edited)"
-IgnoreNicks="spammer1 spammer2"
-RemoteNickFormat="{NICK}: "
-ShowJoinPart=false
-UseInsecureURL=true
-MediaConvertWebPToPNG=true
-DisableWebPagePreview=false
-
-[tengo]
-#RemoteNickFormat="remotenickformat.tengo"
-RemoteNickFormat="/etc/matterbridge/nicks.tengo"
-#InMessage="/etc/matterbridge/in.tengo"
-OutMessage="/etc/matterbridge/out.tengo"
-
-###################################################################
-#gateway section
-###################################################################
-[[gateway]]
-name="gateway_berriketak"
-enable=true
-
-	[[gateway.inout]]
-	account="xmpp.telegram_berriketak"
-	channel="berriketak"
-        #channel="test"
-
-	[[gateway.inout]]
-	account="telegram.berriket_xmppBot"
-	channel="-183435536" #Telegram berriketak taldearen ID-a
-
-[[gateway]]
-name="test"
-enable=true
-
-        [[gateway.inout]]
-        account="xmpp.telegram_berriketak"
-        channel="test"
-
-        [[gateway.inout]]
-        account="telegram.berriket_xmppBot"
-        #channel="-241666435" #Telegram xmpp_test taldearen ID-a
-	channel="-1001617641457"
-
-#[[gateway]]
-#name="etxekok"
-#enable=true
-
-#        [[gateway.inout]]
-#        account="xmpp.telegram_berriketak"
-#        channel="etxekok"
-
-#        [[gateway.inout]]
-#        account="telegram.berriket_xmppBot"
-#        channel="-523032" #Telegram etxekok taldearen ID-a
-

matterbridge/nicks.tengo

@@ -1,5 +0,0 @@
-/*Customize nicks from X to XMPP*/
-result = nick
-if(nick == "Nekane Nekane") {
-   result = "Amona Nekane"
-}

matterbridge/out.tengo

@@ -1,30 +0,0 @@
-text := import("text")
-fmt := import("fmt")
-
-fmt.println(msgText)
-
-if(inProtocol == "telegram"){
-	if text.index(msgText, "https") > 1 {
-		media_array := text.re_split(":", msgText, 2)
-		fmt.println(media_array)    
-		if len(media_array) > 1 {
-			//TG desktop
-			media := text.trim_prefix(media_array[1]," ")
-			//msgText=media
-			bold := "**"+media+"**"
-			//link := "[link]("+media+")"
-			//msgText =link
-			msgText = text.re_replace("MEDIA", bold, msgText)
-			//msgText="![Tux, the Linux mascot]("+media+")"
-			//msgText=text.re_replace("matterbridge",msgText,"matterbridge (https://github.com/42wim/matterbridge)")
-		}else{
-			//TG android
-			msgText="https:"+media_array[0]
-		}
-
-	}
-}else{
-	//capitalize + bold
-        msgUsername = "<strong>"+text.title(msgUsername)+"</strong>"
-	msgText = msgText
-}

prosody.cfg.lua

@@ -7,8 +7,6 @@ admins = stringy.split(os.getenv("PROSODY_ADMINS"), ", ");
 
 pidfile = "/var/run/prosody/prosody.pid"
 
-use_libevent = true; -- improves performance
-
 allow_registration = os.getenv("ALLOW_REGISTRATION");
 
 c2s_require_encryption = os.getenv("C2S_REQUIRE_ENCRYPTION");

readme.md

@@ -1,14 +1,5 @@
 # Prosody XMPP Docker image
 
-![Docker](https://github.com/SaraSmiseth/prosody/workflows/Docker/badge.svg?branch=dev)
-![Git repository size](https://img.shields.io/github/repo-size/SaraSmiseth/prosody)
-[![Docker image](https://images.microbadger.com/badges/image/sarasmiseth/prosody:latest.svg)](https://microbadger.com/images/sarasmiseth/prosody:latest)
-[![Docker version](https://images.microbadger.com/badges/version/sarasmiseth/prosody.svg)](https://microbadger.com/images/sarasmiseth/prosody:latest)
-[![Docker pulls](https://img.shields.io/docker/pulls/sarasmiseth/prosody.svg)](https://hub.docker.com/r/sarasmiseth/prosody/)
-[![Docker stars](https://img.shields.io/docker/stars/sarasmiseth/prosody.svg)](https://hub.docker.com/r/sarasmiseth/prosody/)
-[![Github open issues](https://img.shields.io/github/issues-raw/SaraSmiseth/prosody)](https://github.com/SaraSmiseth/prosody/issues)
-[![Github open pull requests](https://img.shields.io/github/issues-pr-raw/SaraSmiseth/prosody)](https://github.com/SaraSmiseth/prosody/pulls)
-
 This docker image forked from [SaraSmiseth](https://github.com/SaraSmiseth)'s [repository](https://github.com/SaraSmiseth/prosody) provides you with a configured [Prosody](https://prosody.im/) XMPP server. Includes the _prosody-migrator_ tool for data migrations between different database types and there is also an option to create a bridges between the XMPP server and the most popular messaging services like Telegram or Matrix, via [Matterbridge](https://github.com/42wim/matterbridge). The image is based on `debian:bookworm-slim`.
 The server was tested using the Android App [Conversations](https://conversations.im/) and the Desktop client [Gajim](https://gajim.org).
 Multiple [architectures](https://hub.docker.com/r/sarasmiseth/prosody/tags) are supported. I use it on my raspberry pi 4.
@@ -54,6 +45,7 @@ While Conversations got everything set-up out-of-the-box, Gajim was used with th
 * Secure by default
   * SSL certificate required
   * End-to-end encryption required (using [OMEMO](https://conversations.im/omemo/) or [OTR](https://en.wikipedia.org/wiki/Off-the-Record_Messaging))
+  * Anti-spam filter (based on [Firewall](https://modules.prosody.im/mod_firewall) module)
 * Data storage
   * SQLite message store
   * Configured file upload and image sharing
@@ -157,7 +149,7 @@ docker build -t prosody/xmpp .
 Next I recommend using a ```docker-compose.yml``` file:
 
 ```yaml
-version: '3.7'
+version: '3.9'
 
 services:
   server:
@@ -228,6 +220,9 @@ sudo chown 999:999 ./data
 | **DB_PORT**                      | Port on which the database is listening                                                                              | *optional*                                   |                            |
 | **DB_USERNAME**                  | The username to authenticate to the database                                                                         | *optional*                                   |                            |
 | **DB_PASSWORD**                  | The password to authenticate to the database                                                                         | *optional*                                   |                            |
+| **HTTP_MAX_CONTENT_SIZE**        | Max http content size in bytes                                                                                       | *optional*                                   | 10485760                   |
+| **HTTP_FILE_SHARE_SIZE_LIMIT**   | Max http file share size in bytes                                                                                    | *optional*                                   | 10485760                   |
+| **HTTP_FILE_SHARE_DAILY_QUOTA**  | Daily quota in bytes                                                                                                 | *optional*                                   | 10 times share size limit  |
 | **E2E_POLICY_CHAT**              | Policy for chat messages. Possible values: "none", "optional" and "required".                                        | *optional*                                   | "required"                 |
 | **E2E_POLICY_MUC**               | Policy for MUC messages. Possible values: "none", "optional" and "required".                                         | *optional*                                   | "required"                 |
 | **E2E_POLICY_WHITELIST**         | Make this module ignore messages sent to and from this JIDs or MUCs.                                                 | *optional*                                   | ""                         |
@@ -242,6 +237,7 @@ sudo chown 999:999 ./data
 | **SERVER_CONTACT_INFO_SECURITY** | A list of strings. Each string should be an URI. See [here](https://prosody.im/doc/modules/mod_server_contact_info). | *optional*                                   | "xmpp:security@**DOMAIN**" |
 | **SERVER_CONTACT_INFO_SUPPORT**  | A list of strings. Each string should be an URI. See [here](https://prosody.im/doc/modules/mod_server_contact_info). | *optional*                                   | "xmpp:support@**DOMAIN**"  |
 | **PROSODY_ADMINS**               | Specify who is an administrator. List of adresses. Eg. "me@example.com", "admin@example.net"                         | *optional*                                   | ""                         |
+| **SPAM_BLOCKLIST**               | Blacklist to use with Firewall module. Eg. "custom-blocklist.pfw"                                                    | *optional*                                   |                       |
 
 #### DNS
 
@@ -262,10 +258,15 @@ There is a helper script that eases installing additional prosody modules: ```do
 
 It downloads the current [prosody-modules](https://hg.prosody.im/prosody-modules/) repository. The specified modules are copied and its name is added to the ```modules_enabled``` variable within ```conf.d/01-modules.cfg.lua```.
 
-There is also ```docker-prosody-module-copy``` which copies the specified modules but does not add them to the ```modules_enabled``` variable within ```conf.d/01-modules.cfg.lua```.
+There is also ```docker-prosody-module-pre-install.bash``` which downloads the specified modules but does not add them to the ```modules_enabled``` variable within ```conf.d/01-modules.cfg.lua```. In fact, this script is in charge of pre-installing the Firewall module.
 
 If you need additional configuration just overwrite the respective _cfg.lua_ file or add new ones.
 
+#### Firewall module
+By default, the Firewall module obtains the list of spamming used known domains through the CDN service provided by [cdn.jsdelivr.net](https://cdn.jsdelivr.net/) at https://cdn.jsdelivr.net/gh/jabberspam/blacklist/blacklist.txt , but additionally a custom blacklist can be used through the ```SPAM_BLOCKLIST``` environment variable.
+
+If you need more sophisticated rules, please refer to the module [documentation](https://modules.prosody.im/mod_firewall).
+
 ### Upgrade
 
 When migrating from prosody 0.10, you need to update the database once:
@@ -277,16 +278,16 @@ prosodyctl mod_storage_sql upgrade
 
 ## Matterbridge
 
-To enable bridges using **Matterbridge** simply add the service in the docker-compose.yml file. Then you need to add _toml_ config file in ```matterbridge``` directory spedifying protocols and gateways. Check [documentation](https://github.com/42wim/matterbridge#readme).
+To enable bridges using **Matterbridge** simply add the service in the docker-compose.yml file. Then you need to add _toml_ config file in ```matterbridge``` directory spedifying protocols and gateways. Check the [documentation](https://github.com/42wim/matterbridge#readme) for more information.
 
 ``` yaml
   matterbridge:
     image: 42wim/matterbridge:latest
     restart: unless-stopped
     volumes:
-    - ./matterbridge/matterbridge.toml:/etc/matterbridge/matterbridge.toml:ro
+    - ./extras/matterbridge/matterbridge.toml:/etc/matterbridge/matterbridge.toml:ro
-    - ./matterbridge/nicks.tengo:/etc/matterbridge/nicks.tengo:ro
+    - ./extras/matterbridge/nicks.tengo:/etc/matterbridge/nicks.tengo:ro
-    - ./matterbridge/out.tengo:/etc/matterbridge/out.tengo:ro
+    - ./extras/matterbridge/out.tengo:/etc/matterbridge/out.tengo:ro
     depends_on:
       - server
 

tests/bats/bats-assert

@@ -0,0 +1 @@
+Subproject commit e2d855bc78619ee15b0c702b5c30fb074101159f

tests/bats/bats-core

@@ -0,0 +1 @@
+Subproject commit a751f3d3da4b7db830612322a068a18379c78d09

tests/bats/bats-support

@@ -0,0 +1 @@
+Subproject commit 9bf10e876dd6b624fe44423f0b35e064225f7556

tests/docker-compose.yml

@@ -1,8 +1,6 @@
-version: "3.9"
-
 services:
   prosody:
-    image: prosody
+    image: prosody/xmpp:latest
     restart: unless-stopped
     ports:
       - "5000:5000"
@@ -19,7 +17,7 @@ services:
       - ./certs:/usr/local/etc/prosody/certs
 
   prosody_postgres:
-    image: prosody
+    image: prosody/xmpp:latest
     restart: unless-stopped
     ports:
       - "5000:5000"
@@ -53,7 +51,7 @@ services:
       POSTGRES_PASSWORD: prosody
 
   prosody_ldap:
-    image: prosody
+    image: prosody/xmpp:latest
     restart: unless-stopped
     ports:
       - "5000:5000"

tests/tests.bats

@@ -57,8 +57,8 @@ load 'bats/bats-assert/load'
   assert_output
 }
 
-@test "Should activate legacy_ssl" {
+@test "Should activate c2s_direct_tls" {
-  run bash -c "sudo docker-compose logs $batsContainerName | grep -E \"Activated service 'legacy_ssl' on (\[::\]:5223|\[\*\]:5223), (\[::\]:5223|\[\*\]:5223)\""
+  run bash -c "sudo docker-compose logs $batsContainerName | grep -E \"Activated service 'c2s_direct_tls' on (\[::\]:5223|\[\*\]:5223), (\[::\]:5223|\[\*\]:5223)\""
   assert_success
   assert_output
 }
@@ -82,7 +82,17 @@ load 'bats/bats-assert/load'
 }
 
 @test "Should show upload URL" {
-  run bash -c "sudo docker-compose logs $batsContainerName | grep \"URL: <https:\/\/upload.example.com:5281\/upload> - Ensure this can be reached by users\""
+  run bash -c "sudo docker-compose logs $batsContainerName | grep \"Serving 'file_share' at https:\/\/upload.example.com:5281\/file_share\""
   assert_success
   assert_output
 }
+
+@test "Should not use deprecated config" {
+  run bash -c "sudo docker-compose exec $batsContainerName /bin/bash -c \"/entrypoint.bash check\" | grep 'deprecated' -A 3"
+  assert_failure
+}
+
+@test "Should not have warnings in log" {
+  run bash -c "sudo docker-compose logs $batsContainerName | grep -E \"warn\""
+  assert_failure
+}