koulab

Purchase-driven researcher

Building a Jabber server with Prosody

This article is the day-3 entry of the あやしいネットワーク関連 (Suspicious Network-related) Advent Calendar 2018.

あやしいネットワーク関連 Advent Calendar 2018 - Adventar

Nothing suspicious this time.

What is Prosody?

Prosody is a modern XMPP communication server. It aims to be easy to set up and configure, and efficient with system resources. Additionally, for developers it aims to be easy to extend and give a flexible system on which to rapidly develop added functionality, or prototype new protocols.

Prosody is open-source software under the permissive MIT/X11 license.

https://prosody.im/

Renting a server

Some hosting providers prohibit IM/IRC. Choose a sustainable plan that won't strain your wallet; Prosody runs in very little memory.

Installation

We build on CentOS 7. If you want to build on Ubuntu/Debian, see HOMEBREWSERVER.CLUB.

yum install epel-release
yum install prosody certbot lua-sec mercurial
cd /usr/src
hg clone https://hg.prosody.im/prosody-modules/ prosody-modules
cd /etc/prosody
cp prosody.cfg.lua prosody.cfg.lua.backup

MariaDB

We'll use MariaDB as the storage backend. MariaDB - Setting up MariaDB Repositories - MariaDB

vi /etc/yum.repos.d/Mariadb.repo

# MariaDB 10.3 CentOS repository list - created 2018-12-03 14:33 UTC
# http://downloads.mariadb.org/mariadb/repositories/
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.3/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1

sudo yum install MariaDB-server MariaDB-client

Create the account for prosody

service mariadb start
chkconfig mariadb on
mysql_secure_installation   # refuse remote root connections when asked
mysql -u root -p
CREATE DATABASE prosody;   # the database named in the sql = {...} block of the config
CREATE USER prosody@'localhost' IDENTIFIED BY 'ここにprosody用データベースパスワード';   # placeholder: put the generated password here
GRANT ALL PRIVILEGES ON prosody.* TO prosody@'localhost';
FLUSH PRIVILEGES;
# password generator: https://www.lastpass.com/ja/password-generator

Obtaining a domain & DNS settings

I'll use the domain I actually registered as the example; substitute your own domain as appropriate.

Domain name: jabber.moe

Subdomains set up

  • dump.jabber.moe (the URL used for HTTP file uploads)
  • proxy.jabber.moe (for the file transfer proxy)
  • muc.jabber.moe (for group chat, multi-user chat)

Example DNS records

Type   Name                    Content
A      @                       127.0.0.1
A      jp.jabber.moe           127.0.0.1
CNAME  muc                     jp.jabber.moe
CNAME  dump                    jp.jabber.moe
CNAME  proxy                   jp.jabber.moe
TXT    _acme-challenge         (omitted)
TXT    _acme-challenge.dump    (omitted)
TXT    _acme-challenge.muc     (omitted)
TXT    _acme-challenge.proxy   (omitted)

Type   Name               Priority  Weight  Port  Content
SRV    jabber.tcp         5         1       5222  jp.jabber.moe
SRV    _xmpp-client       5         1       5222  jp.jabber.moe
SRV    _xmpp-server       5         1       5269  jp.jabber.moe
SRV    xmpps-client.tcp   5         1       5223  jp.jabber.moe

127.0.0.1 stands in for the server's public address. The SRV names are written the way the DNS panel shows them; the owner names that clients actually query are _xmpp-client._tcp.jabber.moe, _xmpp-server._tcp.jabber.moe and _xmpps-client._tcp.jabber.moe (port 5223 matches legacy_ssl_ports in the configuration below), and the SRV target (jp.jabber.moe here) must be an A record rather than a CNAME. The _acme-challenge TXT records are only needed for the DNS-01 certbot challenge described below.
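As an added check (example code written for this article, not from the original post and not part of Prosody), the script below loads the table above as constructed data and applies the rules an XMPP client follows when it resolves the domain: SRV owner names must be `_service._proto`, SRV targets must have an A record, and the ports must match the listeners opened further down. Run against the table as printed it reports the loopback placeholders and the shortened SRV names; the corrected set (using 203.0.113.10, an assumed documentation address, and the three standard SRV records) passes. Some DNS panels append `._tcp` to the name themselves, in which case only the address findings apply.

```python
import re

# Constructed sample: the article's DNS table for jabber.moe, one tuple per row.
ZONE = "jabber.moe"
RECORDS = [
    ("A", "@", "127.0.0.1"),
    ("A", "jp.jabber.moe", "127.0.0.1"),
    ("CNAME", "muc", "jp.jabber.moe"),
    ("CNAME", "dump", "jp.jabber.moe"),
    ("CNAME", "proxy", "jp.jabber.moe"),
    ("SRV", "jabber.tcp", "5 1 5222 jp.jabber.moe"),
    ("SRV", "_xmpp-client", "5 1 5222 jp.jabber.moe"),
    ("SRV", "_xmpp-server", "5 1 5269 jp.jabber.moe"),
    ("SRV", "xmpps-client.tcp", "5 1 5223 jp.jabber.moe"),
]

# Ports the article opens for each SRV service (5223 comes from legacy_ssl_ports).
EXPECTED_PORTS = {"_xmpp-client": 5222, "_xmpp-server": 5269, "_xmpps-client": 5223}

# RFC 2782 owner name: _service._proto (the zone is appended by the panel or by fqdn()).
SRV_OWNER = re.compile(r"^(_[a-z0-9-]+)\._(tcp|udp)$")


def fqdn(name, zone=ZONE):
    """Expand a panel-style short name ('@', 'muc') to a fully qualified one."""
    if name == "@" or name == zone:
        return zone
    if name.endswith("." + zone):
        return name
    return f"{name}.{zone}"


def validate(records, zone=ZONE):
    """Return a list of findings; an empty list means the records are consistent."""
    findings = []
    a_names = {fqdn(n, zone) for t, n, _ in records if t == "A"}
    for rtype, name, content in records:
        if rtype == "A":
            if content.startswith("127."):
                findings.append(f"A {name}: {content} is a loopback placeholder, use the server's public IP")
        elif rtype == "CNAME":
            if fqdn(content, zone) not in a_names:
                findings.append(f"CNAME {name}: target {content} has no A record")
        elif rtype == "SRV":
            m = SRV_OWNER.match(name)
            if m is None:
                findings.append(f"SRV {name}: owner name must be _service._tcp, e.g. _xmpp-client._tcp")
                continue
            service = m.group(1)
            try:
                _prio, _weight, port, target = content.split()
                port = int(port)
            except ValueError:
                findings.append(f"SRV {name}: content must be 'priority weight port target'")
                continue
            if fqdn(target, zone) not in a_names:
                # RFC 2782: the target must be a host with an address record, not an alias.
                findings.append(f"SRV {name}: target {target} must have an A record (CNAME targets are not allowed)")
            expected = EXPECTED_PORTS.get(service)
            if expected is not None and port != expected:
                findings.append(f"SRV {name}: port {port} does not match the listener on {expected}")
    return findings


# The same table with the fixes applied: a public address (203.0.113.10 is a
# constructed documentation address) and proper SRV owner names.
CORRECTED = [
    ("A", "@", "203.0.113.10"),
    ("A", "jp.jabber.moe", "203.0.113.10"),
    ("CNAME", "muc", "jp.jabber.moe"),
    ("CNAME", "dump", "jp.jabber.moe"),
    ("CNAME", "proxy", "jp.jabber.moe"),
    ("SRV", "_xmpp-client._tcp", "5 1 5222 jp.jabber.moe"),
    ("SRV", "_xmpp-server._tcp", "5 1 5269 jp.jabber.moe"),
    ("SRV", "_xmpps-client._tcp", "5 1 5223 jp.jabber.moe"),
]

if __name__ == "__main__":
    for finding in validate(RECORDS):
        print("as printed:", finding)
    print("corrected:", validate(CORRECTED) or "no findings")
```

The checker works on the panel's view of the records, so it is meant to be run before publishing the zone; after publishing, `dig SRV _xmpp-client._tcp.jabber.moe` confirms what resolvers actually see.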

The ports that must be opened are:

5000  file transfer (proxy65)
5222  client-to-server traffic (c2s)
5269  server-to-server traffic (s2s)
5280  used by Prosody's HTTP server
5281  used by Prosody's HTTPS server

Port 5223 must be open as well, because the configuration below sets legacy_ssl_ports = { 5223 } and the xmpps-client SRV record points at it.

If ports 80/443 are available (as of 2018, I think an --rsa-key-size of 2048 is fine as well):

certbot certonly --manual -d jabber.moe --rsa-key-size 4096 -d muc.jabber.moe -d proxy.jabber.moe

If ports 80/443 are not available

In that case you need the _acme-challenge TXT records in DNS (without a DNS plugin, certbot needs --manual for the DNS-01 challenge):

certbot certonly --manual --preferred-challenges dns -d jabber.moe --rsa-key-size 4096 -d muc.jabber.moe -d proxy.jabber.moe

Neither command includes dump.jabber.moe (the http_upload host); add -d dump.jabber.moe if that component should serve HTTPS.

Configuration file

vi /etc/prosody/prosody.cfg.lua

plugin_paths = { "/usr/src/prosody-modules" } -- non-standard plugin path so we can keep them up to date with mercurial
interfaces = {"*"}
legacy_ssl_ports = { 5223 }
modules_enabled = {
                "roster"; -- Allow users to have a roster. Recommended ;)
                "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
                "tls"; -- Add support for secure TLS on c2s/s2s connections
                "dialback"; -- s2s dialback support
                "disco"; -- Service discovery
                "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
                "private"; -- Private XML storage (for room bookmarks, etc.)
                "vcard"; -- Allow users to set vCards
                "version"; -- Replies to server version requests
                "uptime"; -- Report how long server has been running
                "time"; -- Let others know the time here on this server
                "ping"; -- Replies to XMPP pings with pongs
                "register"; --Allows clients to register an account on your server
                "pep"; -- Enables users to publish their mood, activity, playing music and more
                "carbons"; -- XEP-0280: Message Carbons, synchronize messages across devices
                "smacks"; -- XEP-0198: Stream Management, keep chatting even when the network drops for a few seconds
                "mam"; -- XEP-0313: Message Archive Management, allows to retrieve chat history from server
                "csi"; -- XEP-0352: Client State Indication
                "http"; -- mod_http needed for XEP-0363 (http_upload)
                "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
                "blocklist"; -- XEP-0191  blocking of users
                --"cloud_notify"; -- Support for XEP-0357 Push Notifications for compatibility with ChatSecure/iOS. 
                -- iOS typically end the connection when an app runs in the background and requires use of Apple's Push servers to wake up and receive a message. Enabling this module allows your server to do that for your contacts on iOS.
                -- However we leave it commented out as it is another example of vertically integrated cloud platforms at odds with federation, with all the meta-data-based surveillance consequences that that might have. 
                "omemo_all_access"; -- Allow for OMEMO E2E between contacts that haven't added each other
                "pep_vcard_avatar"; -- use XEP-0153: vCard-Based Avatars to see the avatars of clients that use XEP-0084: User Avatar and vice versa.
                "server_contact_info";
                "cloud_notify";
                "welcome";
};
admins = {"admin@jabber.moe"}
contact_info = {
 abuse = { "mailto:blackhatjabber@pm.me","xmpp:admin@jabber.moe"};
 admin = { "mailto:blackhatjabber@pm.me","xmpp:admin@jabber.moe"};
 feedback = { "mailto:blackhatjabber@pm.me","xmpp:admin@jabber.moe"};
 sales = { "mailto:blackhatjabber@pm.me","xmpp:admin@jabber.moe"};
 security = { "mailto:blackhatjabber@pm.me","xmpp:admin@jabber.moe"};
 support = { "mailto:blackhatjabber@pm.me","xmpp:admin@jabber.moe"};
};
welcome_message = "Administrator Jabber admin@jabber.moe Enjoy!"
allow_registration = true; -- Enable to allow people to register accounts on your server from their clients, for more information see http://prosody.im/doc/creating_accounts
ssl = {
        certificate = "/etc/prosody/certs/fullchain.pem";
        key = "/etc/prosody/certs/privkey.pem";
}
c2s_require_encryption = true -- Force clients to use encrypted connections
-- Force certificate authentication for server-to-server connections?
-- This provides ideal security, but requires servers you communicate
-- with to support encryption AND present valid, trusted certificates.
-- NOTE: Your version of LuaSec must support certificate verification!
-- For more information see http://prosody.im/doc/s2s#security

s2s_secure_auth = false
pidfile = "/var/run/prosody/prosody.pid"

authentication = "internal_hashed"

storage = "sql" 

-- Make sure to change the password 
-- placeholder: the password set for the prosody database user
sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "ここにprosody用データベースパスワード", host = "localhost" }

log = {
        info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
        error = "/var/log/prosody/prosody.err";
        "*syslog";
}

VirtualHost "jabber.moe"

-- Enable http_upload to allow image sharing across multiple devices and clients
Component "dump.jabber.moe" "http_upload"

---Set up a MUC (multi-user chat) room server on muc.jabber.moe
Component "muc.jabber.moe" "muc"
modules_enabled = {
 "mam_muc";
 "vcard_muc";
}

Component "proxy.jabber.moe" "proxy65"
 proxy65_ports = { 5000 }
 proxy65_interfaces = {"*"}
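The settings that decide the security posture of this file are c2s_require_encryption, s2s_secure_auth, allow_registration, authentication and the sql password. The linter below (an added example written for this article, not code from the original post or from Prosody) reads the top-level `name = value` lines of a prosody.cfg.lua with regular expressions, which is not a Lua parser but is enough for these scalar settings, and reports the values that weaken the deployment: it flags the configuration above because s2s_secure_auth is left at false (the comment in the file itself calls the alternative "ideal security"), registration is open to anyone, and the database password is still the placeholder. The placeholder hint list and the hardened password value are assumptions made for the example.

```python
import re

# Constructed sample: the security-relevant top-level lines of the article's
# prosody.cfg.lua as it ships (s2s_secure_auth off, open registration,
# placeholder database password).
SAMPLE_CFG = '''
plugin_paths = { "/usr/src/prosody-modules" } -- community modules
allow_registration = true; -- Enable to allow people to register accounts
c2s_require_encryption = true -- Force clients to use encrypted connections
-- s2s_secure_auth = true   (a commented-out line must not count as set)
s2s_secure_auth = false
authentication = "internal_hashed"
storage = "sql"
sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "ここにprosody用データベースパスワード", host = "localhost" }
VirtualHost "jabber.moe"
'''

# The same file after hardening (the password is a constructed value).
HARDENED_CFG = (SAMPLE_CFG
                .replace("allow_registration = true", "allow_registration = false")
                .replace("s2s_secure_auth = false", "s2s_secure_auth = true")
                .replace("ここにprosody用データベースパスワード", "Kq9vT3mZp8LwX2cB"))

# `name = true|false|"string"`, optionally followed by ';' and a Lua comment.
ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(true|false|"[^"]*")\s*;?\s*(--.*)?$')
SQL_PASSWORD = re.compile(r'password\s*=\s*"([^"]*)"')
# Strings that suggest the password was never replaced (assumed hint list).
PLACEHOLDER_HINTS = ("password", "パスワード", "changeme")


def parse_settings(text):
    """Collect top-level scalar settings; not a Lua parser, just enough for linting."""
    settings = {}
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("--"):
            continue  # Lua line comment
        m = ASSIGN.match(line)
        if m:
            key, raw = m.group(1), m.group(2)
            settings[key] = {"true": True, "false": False}.get(raw, raw.strip('"'))
        elif stripped.startswith("sql"):
            pw = SQL_PASSWORD.search(stripped)
            if pw:
                settings["sql.password"] = pw.group(1)
    return settings


def looks_like_placeholder(password):
    """Non-ASCII text or a hint word means the value was never replaced."""
    lowered = password.lower()
    return not password.isascii() or any(h in lowered for h in PLACEHOLDER_HINTS)


def lint(text):
    """Return a list of findings; an empty list means nothing to fix."""
    s = parse_settings(text)
    findings = []
    if s.get("c2s_require_encryption") is not True:
        findings.append("c2s_require_encryption is not true: clients could log in unencrypted")
    if s.get("s2s_secure_auth") is not True:
        findings.append("s2s_secure_auth is not true: peer servers need not present a valid certificate")
    if s.get("allow_registration") is True:
        findings.append("allow_registration is true: anyone can create accounts (spam/abuse risk)")
    if s.get("authentication") == "internal_plain":
        findings.append("authentication is internal_plain: passwords are stored unhashed")
    if s.get("storage") == "sql" and looks_like_placeholder(s.get("sql.password", "")):
        findings.append("sql.password looks like a placeholder: use the password set for the prosody DB user")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CFG):
        print("article config:", finding)
    print("hardened config:", lint(HARDENED_CFG) or "no findings")
```

To check the live file, read /etc/prosody/prosody.cfg.lua into a string and pass it to lint(); the article's own config keeps s2s_secure_auth = false deliberately, so treat that finding as a decision to revisit once the peers you federate with present valid certificates.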

Automate certificate renewal

sudo crontab -e
# every Sunday at 04:00
0 4 * * 0  /usr/bin/certbot renew --renew-hook "prosodyctl --root cert import /etc/letsencrypt/live" --quiet

Note that prosodyctl cert import copies each certificate to /etc/prosody/certs/<hostname>.crt and <hostname>.key, while the ssl block above points at /etc/prosody/certs/fullchain.pem and privkey.pem. Point the ssl block at the files the hook actually writes (or symlink them), otherwise Prosody keeps serving the old certificate after a renewal.

Start

service prosody start
chkconfig prosody on

Testing

XMPP Compliance Tester: a score of 80% or more can be called a pass. https://compliance.conversations.im/

Have a look at the community modules

https://modules.prosody.im/index.html

Lua is easy to read, so read a module yourself before installing it.

This article is a partial translation and reproduction of, with additions to, the following article.

Configuring an XMPP server for secure, mobile instant messaging (https://homebrewserver.club/configuring-a-modern-xmpp-server.html)

This article is licensed under Attribution-ShareAlike 4.0 International.