Compare commits
11 Commits
Author | SHA1 | Date | |
---|---|---|---|
bce1639d25 | |||
0de34e5f74 | |||
4857ee42e9 | |||
da5371f30f | |||
73838d1aa5 | |||
917824e3a9 | |||
c55a135d24 | |||
38674d073b | |||
cedeabd6a8 | |||
95b4b5da6e | |||
e7fa66e938 |
15
CHANGELOG.md
15
CHANGELOG.md
@ -1,5 +1,20 @@
|
||||
# Changelog
|
||||
|
||||
## Unreleased 2024-05-05
|
||||
|
||||
### Adjust config
|
||||
|
||||
* Replace deprecated legacy_ssl with c2s_direct_tls.
|
||||
* Removed use_libevent = true. This means the default is now used which is epoll.
|
||||
|
||||
### Test
|
||||
|
||||
Added a test to check that no deprecated config settings are used.
|
||||
|
||||
## v1.3.2
|
||||
|
||||
* Added Firewall module with optional custom blacklist
|
||||
|
||||
## v1.3.1
|
||||
|
||||
* Added optional Firewall module for testing
|
||||
|
11
Dockerfile
11
Dockerfile
@ -102,17 +102,16 @@ COPY *.bash /usr/local/bin/
|
||||
|
||||
RUN download-prosody-modules.bash \
|
||||
&& docker-prosody-module-install.bash \
|
||||
bookmarks `# XEP-0411: Bookmarks Conversion` \
|
||||
carbons `# message carbons (XEP-0280)` \
|
||||
#bookmarks `# XEP-0411: Bookmarks Conversion` \
|
||||
#carbons `# message carbons (XEP-0280)` \
|
||||
cloud_notify `# XEP-0357: Push Notifications` \
|
||||
csi `# client state indication (XEP-0352)` \
|
||||
#csi `# client state indication (XEP-0352)` \
|
||||
e2e_policy `# require end-2-end encryption` \
|
||||
filter_chatstates `# disable "X is typing" type messages` \
|
||||
smacks `# stream management (XEP-0198)` \
|
||||
#smacks `# stream management (XEP-0198)` \
|
||||
throttle_presence `# presence throttling in CSI` \
|
||||
vcard_muc `# XEP-0153: vCard-Based Avatar (MUC)` \
|
||||
&& docker-prosody-module-pre-install.bash \
|
||||
firewall `# anti-spam firewall` \
|
||||
firewall `# anti-spam firewall` \
|
||||
&& rm -rf "/usr/src/prosody-modules"
|
||||
RUN echo "TLS_REQCERT allow" >> /etc/ldap/ldap.conf
|
||||
|
||||
|
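Review bot: The four modules are disabled by prefixing them with `#` inside the RUN continuation (`#bookmarks`, `#carbons`, `#csi`, `#smacks`), which works only because the Dockerfile parser strips comment lines before joining continuations, and it leaves dead lines with no stated reason. Either delete those lines or add a comment above the RUN stating why they are no longer installed from prosody-modules (if they are now shipped with Prosody core, say so), e.g. `# bookmarks, carbons, csi and smacks are not installed from prosody-modules any more: <reason>`. The two `firewall` lines around the `&& docker-prosody-module-pre-install.bash \` line suggest the pre-install step was dropped and firewall moved into the regular install list; if so, the readme hunk header `There is also docker-prosody-module-pre-install.bash which downloads the s…` is now stale and should be updated in the same change. Separately, the unchanged `RUN echo "TLS_REQCERT allow" >> /etc/ldap/ldap.conf` makes the LDAP client accept any server certificate; worth a follow-up to document that trade-off or make it opt-in.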
@ -1,7 +1,8 @@
|
||||
plugin_paths = { "/usr/local/lib/prosody/custom-modules/" };
|
||||
|
||||
-- table of enabled modules
|
||||
local mods_enabled = {
|
||||
-- local mods_enabled = {
|
||||
modules_enabled = {
|
||||
-- Generally required
|
||||
"roster"; -- Allow users to have a roster. Recommended ;)
|
||||
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
|
||||
@ -48,19 +49,7 @@ local mods_enabled = {
|
||||
"server_contact_info"; -- This module lets you advertise various contact addresses for your XMPP service via XEP-0157.
|
||||
};
|
||||
|
||||
local enabled = os.getenv("ENABLE_FIREWALL") or "false"
|
||||
local spam_blocklist = os.getenv("SPAM_BLOCKLIST") and "/usr/local/etc/prosody/firewall/" .. os.getenv("SPAM_BLOCKLIST") or "module:scripts/spam-blocklists.pfw"
|
||||
|
||||
if(enabled == "true")
|
||||
then
|
||||
table.insert(mods_enabled, "firewall");
|
||||
|
||||
firewall_scripts = {
|
||||
spam_blocklist;
|
||||
}
|
||||
end
|
||||
|
||||
modules_enabled = mods_enabled;
|
||||
-- modules_enabled = mods_enabled;
|
||||
|
||||
-- These modules are auto-loaded, but should you want
|
||||
-- to disable them then uncomment them here:
|
||||
@ -69,4 +58,3 @@ modules_disabled = {
|
||||
-- "c2s"; -- Handle client connections
|
||||
-- "s2s"; -- Handle server-to-server connections
|
||||
};
|
||||
|
||||
|
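Review bot: The new `-- local mods_enabled = {` and `-- modules_enabled = mods_enabled;` lines are commented-out dead code left next to the replacement `modules_enabled = {`; they should be deleted rather than commented, since the history is in git and the `-- table of enabled modules` comment above now describes a line that no longer exists. Removing the `ENABLE_FIREWALL` gate and the `firewall_scripts` table from this file means the firewall is no longer opt-in via environment variable but depends on how the module installer writes the config; the CHANGELOG "Unreleased" section in this commit mentions only `legacy_ssl` and `use_libevent`, so this behaviour change and the removed variable are undocumented. Suggest a changelog line such as `* Removed ENABLE_FIREWALL; mod_firewall is now configured by docker-prosody-module-install.bash when the module is installed.` (adjust the script name if I have inferred it wrongly).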
@ -6,11 +6,11 @@ local domain_pubsub = os.getenv("DOMAIN_PUBSUB")
|
||||
|
||||
-- XEP-0368: SRV records for XMPP over TLS
|
||||
-- https://compliance.conversations.im/test/xep0368/
|
||||
legacy_ssl_ssl = {
|
||||
certificate = "certs/" .. domain .. "/fullchain.pem";
|
||||
c2s_direct_tls_ssl = {
|
||||
certificate = "certs/" .. domain .. "/fullchain.pem";
|
||||
key = "certs/" .. domain .. "/privkey.pem";
|
||||
}
|
||||
legacy_ssl_ports = { 5223 }
|
||||
c2s_direct_tls_ports = { 5223 }
|
||||
|
||||
-- https://prosody.im/doc/certificates#service_certificates
|
||||
-- https://prosody.im/doc/ports#ssl_configuration
|
||||
|
@ -43,7 +43,13 @@ for ext in $exts; do
|
||||
# Skip this if the modules should not be added to modules_enabled.
|
||||
if [ "$ext" != "http_upload" ] && [ "$ext" != "vcard_muc" ] ; then
|
||||
echo " - enabling within ${config}"
|
||||
new_config=$(cat "${config}" | module="${ext}" perl -0pe 's/(mods_enabled[ ]*=[ ]*{[^}]*)};/$1\n\t"$ENV{module}";\n};/')
|
||||
new_config=$(cat "${config}" | module="${ext}" perl -0pe 's/(modules_enabled[ ]*=[ ]*{[^}]*)};/$1\n\t"$ENV{module}";\n};/')
|
||||
echo "${new_config}" > "${config}"
|
||||
fi
|
||||
# firewall module configuration
|
||||
if [ "$ext" == "firewall" ] ; then
|
||||
echo " - setting up mod_${ext}"
|
||||
new_config=$(cat "${config}" | echo -e "\nlocal spam_blocklist = os.getenv(\"SPAM_BLOCKLIST\") and \"/usr/local/etc/prosody/firewall/\" .. os.getenv(\"SPAM_BLOCKLIST\") or \"module:scripts/spam-blocklists.pfw\"\n\nfirewall_scripts = {\n\t\"module:scripts/spam-blocking.pfw\";\n\tspam_blocklist;\n};")
|
||||
echo "${new_config}" >> "${config}"
|
||||
fi
|
||||
done
|
||||
|
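Review bot: The new line `new_config=$(cat "${config}" | echo -e "...")` does not do what it looks like: `echo` never reads stdin, so the `cat` is dead and `new_config` is just the literal snippet, which the following `echo "${new_config}" >> "${config}"` then appends to the file. Appending also runs every time the script is invoked for `firewall`, so a second run (for example at build and again at container start, if that happens) would leave duplicate `local spam_blocklist` and `firewall_scripts` definitions in the config, the last one silently winning in Lua. Writing the snippet with a quoted heredoc straight into the file, guarded by a presence check, removes the dead pipe, the non-portable `echo -e`, and the duplication. The same pattern `echo "${new_config}" > "${config}"` on the `modules_enabled` branch would be safer as `printf '%s\n' "${new_config}" > "${config}"`, since `echo` interprets some leading dashes and, in some shells, backslashes. The enclosing `for ext in $exts; do` loop starts outside the hunk.
```shell
    # firewall module configuration
    if [ "$ext" == "firewall" ] ; then
      echo " - setting up mod_${ext}"
      # echo(1) ignores stdin, so piping the config into it did nothing; append the
      # snippet directly, and only once, so a re-run does not duplicate firewall_scripts.
      if ! grep -q '^firewall_scripts = {' "${config}"; then
        cat >> "${config}" <<'EOF'

local spam_blocklist = os.getenv("SPAM_BLOCKLIST") and "/usr/local/etc/prosody/firewall/" .. os.getenv("SPAM_BLOCKLIST") or "module:scripts/spam-blocklists.pfw"

firewall_scripts = {
	"module:scripts/spam-blocking.pfw";
	spam_blocklist;
};
EOF
      fi
    fi
```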
@ -1,42 +0,0 @@
|
||||
#!/bin/bash
|
||||
set -e
|
||||
|
||||
source="/usr/src/prosody-modules"
|
||||
target="/usr/local/lib/prosody/custom-modules"
|
||||
|
||||
cd ${source}
|
||||
|
||||
usage() {
|
||||
echo "usage: $0 ext-name [ext-name ...]"
|
||||
echo " ie: $0 carbons e2e_policy proxy65"
|
||||
echo
|
||||
echo 'Possible values for ext-name:'
|
||||
find . -mindepth 1 -maxdepth 1 -type d | sort | sed s/\.\\/mod_//g | xargs
|
||||
}
|
||||
|
||||
exts=
|
||||
for ext; do
|
||||
if [ -z "mod_$ext" ]; then
|
||||
continue
|
||||
fi
|
||||
if [ ! -d "mod_$ext" ]; then
|
||||
echo >&2 "error: $PWD/mod_$ext does not exist"
|
||||
echo >&2
|
||||
usage >&2
|
||||
exit 1
|
||||
fi
|
||||
exts="$exts $ext"
|
||||
done
|
||||
|
||||
if [ -z "$exts" ]; then
|
||||
usage >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
for ext in $exts; do
|
||||
echo "Installing mod_${ext}"
|
||||
|
||||
echo " - copying to ${target}"
|
||||
cp -r "${source}/mod_${ext}" "${target}/"
|
||||
|
||||
done
|
@ -2,13 +2,16 @@ bashtel.ru
|
||||
creep.im
|
||||
darkengine.biz
|
||||
default.rs
|
||||
exploit.im
|
||||
hiddenlizard.org
|
||||
jabber.bitactive.com
|
||||
jabber.cd
|
||||
jabber.cz
|
||||
jabber.freenet.de
|
||||
jabber.ipredator.se
|
||||
jabber.npw.net
|
||||
jabber.sampo.ru
|
||||
jabbim.pl
|
||||
labas.biz
|
||||
otr.chat
|
||||
paranoid.scarab.name
|
||||
|
@ -1,14 +1,12 @@
|
||||
-- see example config at https://hg.prosody.im/-1.9/file/0.9.10/prosody.cfg.lua.dist
|
||||
-- easily extendable by putting into different config files within conf.d folder
|
||||
|
||||
local stringy = require "stringy"
|
||||
local stringy = require "stringy"
|
||||
|
||||
admins = stringy.split(os.getenv("PROSODY_ADMINS"), ", ");
|
||||
|
||||
pidfile = "/var/run/prosody/prosody.pid"
|
||||
|
||||
use_libevent = true; -- improves performance
|
||||
|
||||
allow_registration = os.getenv("ALLOW_REGISTRATION");
|
||||
|
||||
c2s_require_encryption = os.getenv("C2S_REQUIRE_ENCRYPTION");
|
||||
|
19
readme.md
19
readme.md
@ -1,14 +1,5 @@
|
||||
# Prosody XMPP Docker image
|
||||
|
||||

|
||||

|
||||
[](https://microbadger.com/images/sarasmiseth/prosody:latest)
|
||||
[](https://microbadger.com/images/sarasmiseth/prosody:latest)
|
||||
[](https://hub.docker.com/r/sarasmiseth/prosody/)
|
||||
[](https://hub.docker.com/r/sarasmiseth/prosody/)
|
||||
[](https://github.com/SaraSmiseth/prosody/issues)
|
||||
[](https://github.com/SaraSmiseth/prosody/pulls)
|
||||
|
||||
This docker image forked from [SaraSmiseth](https://github.com/SaraSmiseth)'s [repository](https://github.com/SaraSmiseth/prosody) provides you with a configured [Prosody](https://prosody.im/) XMPP server. Includes the _prosody-migrator_ tool for data migrations between different database types and there is also an option to create a bridges between the XMPP server and the most popular messaging services like Telegram or Matrix, via [Matterbridge](https://github.com/42wim/matterbridge). The image is based on `debian:bookworm-slim`.
|
||||
The server was tested using the Android App [Conversations](https://conversations.im/) and the Desktop client [Gajim](https://gajim.org).
|
||||
Multiple [architectures](https://hub.docker.com/r/sarasmiseth/prosody/tags) are supported. I use it on my raspberry pi 4.
|
||||
@ -54,7 +45,7 @@ While Conversations got everything set-up out-of-the-box, Gajim was used with th
|
||||
* Secure by default
|
||||
* SSL certificate required
|
||||
* End-to-end encryption required (using [OMEMO](https://conversations.im/omemo/) or [OTR](https://en.wikipedia.org/wiki/Off-the-Record_Messaging))
|
||||
* Anti-spam filter (based on the pre-installed [Firewall](https://modules.prosody.im/mod_firewall) module)
|
||||
* Anti-spam filter (based on [Firewall](https://modules.prosody.im/mod_firewall) module)
|
||||
* Data storage
|
||||
* SQLite message store
|
||||
* Configured file upload and image sharing
|
||||
@ -158,7 +149,7 @@ docker build -t prosody/xmpp .
|
||||
Next I recommend using a ```docker-compose.yml``` file:
|
||||
|
||||
```yaml
|
||||
version: '3.7'
|
||||
version: '3.9'
|
||||
|
||||
services:
|
||||
server:
|
||||
@ -246,7 +237,6 @@ sudo chown 999:999 ./data
|
||||
| **SERVER_CONTACT_INFO_SECURITY** | A list of strings. Each string should be an URI. See [here](https://prosody.im/doc/modules/mod_server_contact_info). | *optional* | "xmpp:security@**DOMAIN**" |
|
||||
| **SERVER_CONTACT_INFO_SUPPORT** | A list of strings. Each string should be an URI. See [here](https://prosody.im/doc/modules/mod_server_contact_info). | *optional* | "xmpp:support@**DOMAIN**" |
|
||||
| **PROSODY_ADMINS** | Specify who is an administrator. List of adresses. Eg. "me@example.com", "admin@example.net" | *optional* | "" |
|
||||
| **ENABLE_FIREWALL** | Enable Firewall module | *optional* | false |
|
||||
| **SPAM_BLOCKLIST** | Blacklist to use with Firewall module. Eg. "custom-blocklist.pfw" | *optional* | |
|
||||
|
||||
#### DNS
|
||||
@ -272,6 +262,11 @@ There is also ```docker-prosody-module-pre-install.bash``` which downloads the s
|
||||
|
||||
If you need additional configuration just overwrite the respective _cfg.lua_ file or add new ones.
|
||||
|
||||
#### Firewall module
|
||||
By default, the Firewall module obtains the list of spamming used known domains through the CDN service provided by [cdn.jsdelivr.net](https://cdn.jsdelivr.net/) at https://cdn.jsdelivr.net/gh/jabberspam/blacklist/blacklist.txt , but additionally a custom blacklist can be used through the ```SPAM_BLOCKLIST``` environment variable.
|
||||
|
||||
If you need more sophisticated rules, please refer to the module [documentation](https://modules.prosody.im/mod_firewall).
|
||||
|
||||
### Upgrade
|
||||
|
||||
When migrating from prosody 0.10, you need to update the database once:
|
||||
|
1
tests/bats/bats-assert
Submodule
1
tests/bats/bats-assert
Submodule
@ -0,0 +1 @@
|
||||
Subproject commit e2d855bc78619ee15b0c702b5c30fb074101159f
|
1
tests/bats/bats-core
Submodule
1
tests/bats/bats-core
Submodule
@ -0,0 +1 @@
|
||||
Subproject commit a751f3d3da4b7db830612322a068a18379c78d09
|
1
tests/bats/bats-support
Submodule
1
tests/bats/bats-support
Submodule
@ -0,0 +1 @@
|
||||
Subproject commit 9bf10e876dd6b624fe44423f0b35e064225f7556
|
@ -1,8 +1,6 @@
|
||||
version: "3.9"
|
||||
|
||||
services:
|
||||
prosody:
|
||||
image: prosody
|
||||
image: prosody/xmpp:latest
|
||||
restart: unless-stopped
|
||||
ports:
|
||||
- "5000:5000"
|
||||
@ -19,7 +17,7 @@ services:
|
||||
- ./certs:/usr/local/etc/prosody/certs
|
||||
|
||||
prosody_postgres:
|
||||
image: prosody
|
||||
image: prosody/xmpp:latest
|
||||
restart: unless-stopped
|
||||
ports:
|
||||
- "5000:5000"
|
||||
@ -53,7 +51,7 @@ services:
|
||||
POSTGRES_PASSWORD: prosody
|
||||
|
||||
prosody_ldap:
|
||||
image: prosody
|
||||
image: prosody/xmpp:latest
|
||||
restart: unless-stopped
|
||||
ports:
|
||||
- "5000:5000"
|
||||
|
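Review bot: All three services now reference `image: prosody/xmpp:latest` (the `prosody`, `prosody_postgres` and `prosody_ldap` sections), a mutable tag under a Docker Hub namespace the project does not appear to control — the readme points to `sarasmiseth/prosody` for published images and expects `docker build -t prosody/xmpp .` to have been run first. If the local build step is skipped, `docker compose up` will try to pull `prosody/xmpp` from the registry and, should such an image exist, run code from an unrelated publisher with `restart: unless-stopped`. Consider a comment on each `image:` line making the dependency explicit, e.g. `image: prosody/xmpp:latest  # built locally via "docker build -t prosody/xmpp ."; not pulled from Docker Hub`, or add a `build: .` entry to the first service so compose builds it instead of pulling. For deployments that do pull, a version tag or digest rather than `:latest` gives reproducible upgrades.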
@ -57,8 +57,8 @@ load 'bats/bats-assert/load'
|
||||
assert_output
|
||||
}
|
||||
|
||||
@test "Should activate legacy_ssl" {
|
||||
run bash -c "sudo docker-compose logs $batsContainerName | grep -E \"Activated service 'legacy_ssl' on (\[::\]:5223|\[\*\]:5223), (\[::\]:5223|\[\*\]:5223)\""
|
||||
@test "Should activate c2s_direct_tls" {
|
||||
run bash -c "sudo docker-compose logs $batsContainerName | grep -E \"Activated service 'c2s_direct_tls' on (\[::\]:5223|\[\*\]:5223), (\[::\]:5223|\[\*\]:5223)\""
|
||||
assert_success
|
||||
assert_output
|
||||
}
|
||||
@ -82,7 +82,17 @@ load 'bats/bats-assert/load'
|
||||
}
|
||||
|
||||
@test "Should show upload URL" {
|
||||
run bash -c "sudo docker-compose logs $batsContainerName | grep \"URL: <https:\/\/upload.example.com:5281\/upload> - Ensure this can be reached by users\""
|
||||
run bash -c "sudo docker-compose logs $batsContainerName | grep \"Serving 'file_share' at https:\/\/upload.example.com:5281\/file_share\""
|
||||
assert_success
|
||||
assert_output
|
||||
}
|
||||
|
||||
@test "Should not use deprecated config" {
|
||||
run bash -c "sudo docker-compose exec $batsContainerName /bin/bash -c \"/entrypoint.bash check\" | grep 'deprecated' -A 3"
|
||||
assert_failure
|
||||
}
|
||||
|
||||
@test "Should not have warnings in log" {
|
||||
run bash -c "sudo docker-compose logs $batsContainerName | grep -E \"warn\""
|
||||
assert_failure
|
||||
}
|
||||
|
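Review bot: The new test `Should not use deprecated config` can pass vacuously: `run bash -c "... /entrypoint.bash check | grep 'deprecated' -A 3"` reports grep's status, so if `docker-compose exec` or the check itself fails and prints nothing, grep still exits non-zero and `assert_failure` is satisfied without any config having been checked. The same applies to `Should not have warnings in log`, where a failing `docker-compose logs` also yields no match. Run the command on its own and assert on its output instead, e.g. `run bash -c "sudo docker-compose exec $batsContainerName /bin/bash -c \"/entrypoint.bash check\""` followed by `assert_success` and `refute_output --partial 'deprecated'`; for the log test, assert that `docker-compose logs` succeeds and then `refute_output --regexp 'warn'`. The bare `grep -E "warn"` is also broader than Prosody's log level field and may match message text; anchoring on the level column (presumably `\\bwarn\\b` or the logger's level token) would reduce false positives.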