Samir Parikh / Blog


Originally published on 29 September 2021

Contents

About a month ago, I published my second iteration on how to stand up an XMPP server running Prosody. Since then, I’ve been playing around with my configuration and have finally had the courage to put the implementation into Production. This post contains the final process and configuration I used. I’m posting it here in pretty much raw form as I’ve already documented much of the context in previous posts. The main differences between my last iteration and this one is that in the final Production implementation, I elected to go with the nightly-build (trunk) version of Prosody as it has some additional features already included. In addition, this version of my post includes steps on how to enable a number of community modules which helps improve the quality of the XMPP experience. If you have any questions or comments, you can now reach me at samir@parikh.im.

Prepare Environment

$ sudo apt update
$ sudo apt upgrade
$ sudo apt dist-upgrade

Create DNS Records

@                           A        3600                   vps.ip.address
rooms                       A        3600                   vps.ip.address
proxy                       A        3600                   vps.ip.address
xmpp                        A        3600                   vps.ip.address
_xmpp-client._tcp           SRV     18000    5   1  5222    xmpp.example.com
_xmpps-client._tcp          SRV     18000   10   1  5223    xmpp.example.com
_xmpp-server._tcp           SRV     18000    5   0  5269    xmpp.example.com
_xmpp-server._tcp.rooms     SRV     18000   10  10  5269    xmpp.example.com

Open Firewall ports

300 SSH                       22    TCP     Any     Any     Allow
320 HTTP                      80    TCP     Any     Any     Allow
340 HTTPS                    443    TCP     Any     Any     Allow
350 Client-to-Server        5222    TCP     Any     Any     Allow
360 Client-to-Server_TLS    5223    TCP     Any     Any     Allow
370 Server-to-Server        5269    TCP     Any     Any     Allow
380 Prosody_HTTP_Server     5280    TCP     Any     Any     Allow
390 Prosody_HTTPS_Server    5281    TCP     Any     Any     Allow

Install Prosody

$ echo deb http://packages.prosody.im/debian $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list
$ wget https://prosody.im/files/prosody-debian-packages.key -O- | sudo apt-key add -
$ sudo apt update
$ sudo apt install prosody-trunk gnupg git mercurial lua-dbi-sqlite3 lua-event certbot

$ sudo systemctl stop prosody.service
$ sudo prosodyctl status
Prosody is not running

Enable Community Modules

$ sudo hg clone https://hg.prosody.im/prosody-modules/ /opt/prosody-modules
$ sudo chown root:prosody -R /opt/prosody-modules/
$ sudo mkdir /opt/prosody-modules-enabled/ && cd /opt/prosody-modules-enabled/

$ sudo ln -s ../prosody-modules/mod_auto_answer_disco_info/
$ sudo ln -s ../prosody-modules/mod_bob/
$ sudo ln -s ../prosody-modules/mod_bookmarks/
$ sudo ln -s ../prosody-modules/mod_cache_c2s_caps/
$ sudo ln -s ../prosody-modules/mod_checkcerts/
$ sudo ln -s ../prosody-modules/mod_cloud_notify/
$ sudo ln -s ../prosody-modules/mod_csi_battery_saver/
$ sudo ln -s ../prosody-modules/mod_debug_omemo/
$ sudo ln -s ../prosody-modules/mod_http_avatar/
$ sudo ln -s ../prosody-modules/mod_http_pep_avatar/
$ sudo ln -s ../prosody-modules/mod_idlecompat/
$ sudo ln -s ../prosody-modules/mod_muc_limits/
$ sudo ln -s ../prosody-modules/mod_muc_mam_hints/
$ sudo ln -s ../prosody-modules/mod_presence_cache/
$ sudo ln -s ../prosody-modules/mod_pubsub_feeds/
$ sudo ln -s ../prosody-modules/mod_pubsub_text_interface/
$ sudo ln -s ../prosody-modules/mod_smacks/
$ sudo ln -s ../prosody-modules/mod_strict_https/
$ sudo ln -s ../prosody-modules/mod_vcard_muc/
$ sudo ln -s ../prosody-modules/mod_vjud/
$ sudo ln -s ../prosody-modules/mod_watchuntrusted/
$ sudo ln -s ../prosody-modules/mod_webpresence/

Get TLS certificates

$ sudo certbot certonly --standalone --agree-tos -m me@email.com -d example.com
$ sudo certbot certonly --standalone --agree-tos -m me@email.com -d xmpp.example.com
$ sudo certbot certonly --standalone --agree-tos -m me@email.com -d rooms.example.com
$ sudo certbot certonly --standalone --agree-tos -m me@email.com -d proxy.example.com

Update Prosody configuration

Make changes to /etc/prosody/prosody.cfg.lua:

-- Prosody XMPP Server Configuration
--
-- Information on configuring Prosody can be found on our
-- website at https://prosody.im/doc/configure
--
-- Tip: You can check that the syntax of this file is correct
-- when you have finished by running this command:
--     prosodyctl check config
-- If there are any errors, it will let you know what and where
-- they are, otherwise it will keep quiet.
--
-- Good luck, and happy Jabbering!


---------- Server-wide settings ----------
-- Settings in this section apply to the whole server and are the default settings
-- for any virtual hosts

-- This is a (by default, empty) list of accounts that are admins
-- for the server. Note that you must create the accounts separately
-- (see https://prosody.im/doc/creating_accounts for info)
-- Example: admins = { "user1@example.com", "user2@example.net" }
admins = { "admin@example.com" }
contact_info = {
    abuse = { "mailto:me@email.com", "xmpp:support@example.com" };
    admin = { "mailto:me@email.com", "xmpp:support@example.com" };
    security = { "mailto:me@email.com" };
    support = { "mailto:me@email.com", "xmpp:support@example.com" };
};

-- Prosody includes several alternative modules for keeping track of network connections.
-- For more information see: https://prosody.im/doc/network_backend
--network_backend = "epoll"

-- Prosody will always look in its source directory for modules, but
-- this option allows you to specify additional locations where Prosody
-- will look for modules first. For community modules, see https://modules.prosody.im/
plugin_paths = { "/opt/prosody-modules-enabled" }

-- Single directory for custom prosody plugins and/or Lua libraries installation
-- This path takes priority over plugin_paths, when prosody is searching for modules
--installer_plugin_path = ""

-- This is the list of modules Prosody will load on startup.
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
modules_enabled = {

    -- Generally required
        "roster"; -- Allow users to have a roster. Recommended ;)
        "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
        "tls"; -- Add support for secure TLS on c2s/s2s connections
        "dialback"; -- s2s dialback support
        "disco"; -- Service discovery

    -- Not essential, but recommended
        "carbons"; -- Keep multiple clients in sync
        "pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
        "private"; -- Private XML storage (for room bookmarks, etc.)
        "blocklist"; -- Allow users to block communications with other users
        "vcard4"; -- User profiles (stored in PEP)
        "vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
        "limits"; -- Enable bandwidth limiting for XMPP connections

    -- Nice to have
        "version"; -- Replies to server version requests
        "uptime"; -- Report how long server has been running
        "time"; -- Let others know the time here on this server
        "ping"; -- Replies to XMPP pings with pongs
        "register"; -- Allow users to register on this server using a client and change passwords
        "mam"; -- Store messages in an archive and allow users to access it
        --"csi_simple"; -- Simple Mobile optimizations

    -- Admin interfaces
        "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
        --"admin_telnet"; -- Opens telnet console interface on localhost port 5582

    -- HTTP modules
        "bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
        "websocket"; -- XMPP over WebSockets
        --"http_files"; -- Serve static files from a directory over HTTP

    -- Other specific functionality
        --"groups"; -- Shared roster support
        "server_contact_info"; -- Publish contact information for this service
        "announce"; -- Send announcement to all online users
        --"welcome"; -- Welcome users who register accounts
        "watchregistrations"; -- Alert admins of registrations
        "motd"; -- Send a message to users when they log in
        "legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
        --"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
    -- User added
        "http_pep_avatar"; -- This module serves avatars from local users who have published XEP-0084: User Avatar via PEP.
                "cloud_notify"; -- Support for XEP-0357 Push Notifications
                "smacks"; --  XEP-0198: Reliability and fast reconnects for XMPP
                "bookmarks"; -- This module fetches users’ bookmarks from Private XML and pushes them to PEP on login, and then redirects any Private XML query to PEP.
        "http_avatar"; -- serves avatars from local users
        "strict_https"; -- force https on web
        "offline"; -- Store offline messages
        "csi"; -- https://modules.prosody.im/mod_csi.html
            "csi_battery_saver"; -- Use less battery on mobile phones
            "presence_cache"; -- stores a timestamp of the latest presence received from users contacts
            "checkcerts"; -- Inform admins before certificates expire
        "net_multiplex";
        "idlecompat";
        "auto_answer_disco_info";
        "webpresence";
        "watchuntrusted"; -- notify on unencrypted s2s
        "s2s_bidi"; -- This module implements XEP-0288: Bidirectional Server-to-Server Connections. It allows servers to use a single connection for sending stanzas to each other, instead of two connections (one for stanzas in each direction).
        "debug_omemo"; -- view advanced information about OMEMO-encrypted messages
                "admin_shell"; -- Enable mod_admin_shell
}

-- These modules are auto-loaded, but should you want
-- to disable them then uncomment them here:
modules_disabled = {
    -- "offline"; -- Store offline messages
    -- "c2s"; -- Handle client connections
    -- "s2s"; -- Handle server-to-server connections
    -- "posix"; -- POSIX functionality, sends server to background, etc.
}

-- Module configuration
-- mod_disco
disco_items = {
    { "example.com", "Prosody XMPP Server" };
    { "rooms.example.com", "example.com chatrooms" };
    { "proxy.example.com" };
    { "xmpp.example.com" };
}

-- mod_bosh --
bosh_max_inactivity = 60
consider_bosh_secure = true

-- mod_websocket --
consider_websocket_secure = true

-- mod_smacks --
smacks_hibernation_time = 600
smacks_enabled_s2s = false
smacks_max_unacked_stanzas = 0
smacks_max_ack_delay = 60
smacks_max_hibernated_sessions = 10
smacks_max_old_sessions = 10

-- mod_checkcerts
checkcerts_notify = 7 -- in days

-- mod_watchregistrations
registration_watchers = { "admin@example.com" } -- mod_watchregistrations will use this list of users instead of the admin list
registration_notification = "User $username registered on $host from $ip"

-- mod_watchuntrusted
untrusted_fail_watchers = { "admin@example.com" }
untrusted_fail_notification = "Establishing a secure connection from $from_host to $to_host failed. Certificate hash: $sha1. $errors"

-- mod_strict_https
hsts_header = "max-age=31556952"

-- mod_cloud_notify
push_notification_important_body = "Nouveau Message"
push_notification_with_body = false -- Whether or not to send the message body to remote pubsub node
push_notification_with_sender = false -- Whether or not to send the message sender to remote pubsub node
push_max_errors = 5 -- persistent push errors are tolerated before notifications for the identifier in question are disabled
push_max_devices = 5 -- number of allowed devices per user


-- Disable account creation by default, for security
-- For more information see https://prosody.im/doc/creating_accounts
allow_registration = false

-- Force clients to use encrypted connections? This option will
-- prevent clients from authenticating unless they are using encryption.

c2s_require_encryption = true

-- Force servers to use encrypted connections? This option will
-- prevent servers from authenticating unless they are using encryption.

s2s_require_encryption = true

-- Force certificate authentication for server-to-server connections?

s2s_secure_auth = false

-- Some servers have invalid or self-signed certificates. You can list
-- remote domains here that will not be required to authenticate using
-- certificates. They will be authenticated using DNS instead, even
-- when s2s_secure_auth is enabled.

--s2s_insecure_domains = { "insecure.example" }

-- Even if you disable s2s_secure_auth, you can still require valid
-- certificates for some domains by specifying a list here.

--s2s_secure_domains = { "jabber.org" }

--http_default_host = "xmpp.example.com"
--http_external_url = "https://xmpp.example.com:5281/"

-- Enable rate limits for incoming client and server connections

limits = {
    c2s = {
        rate = "10kb/s";
    };
    s2sin = {
        rate = "30kb/s";
    };
}

-- Required for init scripts and prosodyctl
pidfile = "/var/run/prosody/prosody.pid"

-- Select the authentication backend to use. The 'internal' providers
-- use Prosody's configured data storage to store the authentication data.

authentication = "internal_hashed"

-- Select the storage backend to use. By default Prosody uses flat files
-- in its configured data directory, but it also supports more backends
-- through modules. An "sql" backend is included by default, but requires
-- additional dependencies. See https://prosody.im/doc/storage for more info.

storage = "sql" -- Default is "internal"

-- For the "sql" backend, you can uncomment *one* of the below to configure:
sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }


-- Archiving configuration
-- If mod_mam is enabled, Prosody will store a copy of every message. This
-- is used to synchronize conversations between multiple clients, even if
-- they are offline. This setting controls how long Prosody will keep
-- messages in the archive before removing them.

archive_expires_after = "1y" -- Remove archived messages after 1 year

-- You can also configure messages to be stored in-memory only. For more
-- archiving options, see https://prosody.im/doc/modules/mod_mam

-- Logging configuration
-- For advanced logging see https://prosody.im/doc/logging
log = {
    --info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
    debug = "/var/log/prosody/prosody.log";
    error = "/var/log/prosody/prosody.err";
    -- "*syslog"; -- Uncomment this for logging to syslog
    -- "*console"; -- Log to the console, useful for debugging with daemonize=false
}

-- Uncomment to enable statistics
-- For more info see https://prosody.im/doc/statistics
-- statistics = "internal"

-- Port configuration
legacy_ssl_ports = { 5223 }
ports = { 80 }
ssl_ports = { 443 }

--legacy_ssl_ssl = {
--  certificate = "/etc/prosody/certs/example.com.crt";
--  key = "/etc/prosody/certs/example.com.key";
--}

-- default port configuration
http_ports = { 5280 }
http_interfaces = { "*", "::" }

https_ports = { 5281 }
https_interfaces = { "*", "::" }
------------
--
-- Certificates
-- Every virtual host and component needs a certificate so that clients and
-- servers can securely verify its identity. Prosody will automatically load
-- certificates/keys from the directory specified here.
-- For more information, including how to use 'prosodyctl' to auto-import certificates
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates

-- Location of directory to find certificates in (relative to main config file):
certificates = "certs"

-- HTTPS currently only supports a single certificate, specify it here:
--https_certificate = "certs/localhost.crt"
https_certificate = "certs/xmpp.example.com.crt"

----------- Virtual hosts -----------
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
-- Settings under each VirtualHost entry apply *only* to that host.

VirtualHost "example.com"
    name = "Prosody"

--VirtualHost "example.com"
--  certificate = "/path/to/example.crt"

------ Components ------
-- You can specify components to add hosts that provide special services,
-- like multi-user conferences, and transports.
-- For more information on components, see https://prosody.im/doc/components

---Set up a MUC (multi-user chat) room server on conference.example.com:
--Component "conference.example.com" "muc"
--- Store MUC messages in an archive and allow users to access it
--modules_enabled = { "muc_mam" }

---Set up an external component (default component port is 5347)
--
-- External components allow adding various services, such as gateways/
-- transports to other networks like ICQ, MSN and Yahoo. For more info
-- see: https://prosody.im/doc/components#adding_an_external_component
--
--Component "gateway.example.com"
--  component_secret = "password"

-- multi user chat
Component "rooms.example.com" "muc"
  name = "example.com chatrooms"
  restrict_room_creation = "local" 

  modules_enabled = {
    "muc_mam"; -- message archive in muc
    "muc_mam_hints";
    "muc_limits";
    "vcard_muc"; -- This module adds the ability to set vCard for MUC rooms.
    "bob";
  }

  muc_log_by_default = true;
  muc_log_all_rooms = false;
  max_history_messages = 20;

-- proxy
Component "proxy.example.com" "proxy65"
  proxy65_address = "proxy.example.com"
  name = "SOCKS5 Bytestreams Service"

-- http_file_share
Component "xmpp.example.com" "http_file_share"
    http_file_share_size_limit = 1024 * 1024 * 16 -- 16 MB
    http_file_share_expires_after = 60 * 60 * 24 * 180 -- 180 days, in seconds

Check that the configuration is syntactically correct:

$ sudo prosodyctl check config

Import TLS Certificates

$ sudo prosodyctl --root cert import /etc/letsencrypt/live

Start Prosody and Create First User

$ sudo systemctl start prosody.service
$ sudo prosodyctl status

Check /var/log/prosody/prosody.log and /var/log/prosody/prosody.err for any errors.

$ sudo prosodyctl adduser username@example.com