Adding XMPP
This commit is contained in:
parent
87928034be
commit
c1398649d2
|
@ -1026,12 +1026,13 @@ The Apache configuration for the site should look something like the following.
|
||||||
SSLProtocol All -SSLv2 -SSLv3
|
SSLProtocol All -SSLv2 -SSLv3
|
||||||
SSLHonorCipherOrder On
|
SSLHonorCipherOrder On
|
||||||
SSLCompression off
|
SSLCompression off
|
||||||
|
SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
|
||||||
|
|
||||||
# Add six earth month HSTS header for all users ...
|
# Add six earth month HSTS header for all users ...
|
||||||
Header add Strict-Transport-Security "max-age=15768000"
|
Header add Strict-Transport-Security "max-age=15768000"
|
||||||
# If you want to protect all subdomains , use the following header
|
# If you want to protect all subdomains , use the following header
|
||||||
# ALL subdomains HAVE TO support https if you use this !
|
# ALL subdomains HAVE TO support https if you use this !
|
||||||
# Strict-Transport-Security: max-age=15768000 ; includeSubDomains
|
# Strict-Transport-Security: max-age=15768000 ; includeSubDomains
|
||||||
# SSLCipherSuite ’EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA’
|
|
||||||
|
|
||||||
# SSL Engine Options:
|
# SSL Engine Options:
|
||||||
# Set various options for the SSL engine.
|
# Set various options for the SSL engine.
|
||||||
|
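Review bot: the now-commented `# SSLCipherSuite ’…’` line should be deleted rather than kept, since it duplicates the live `SSLCipherSuite` directive added above it and its typographic quotes (’ ’) are not valid Apache quoting, so anyone uncommenting it later would get a config parse error. One more point worth a comment in the config: the trailing `CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA` entries are static-RSA suites without forward secrecy; with `SSLHonorCipherOrder On` they only act as a last-resort fallback, but the reader should be told they are present deliberately.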
@ -1892,6 +1893,71 @@ It should look something like this:
|
||||||
|
|
||||||
If you're not using a self-signed certificate (self-signed is the default) then you can set *ssl_verify* to "yes".
|
If you're not using a self-signed certificate (self-signed is the default) then you can set *ssl_verify* to "yes".
|
||||||
|
|
||||||
|
** Install a Jabber/XMPP server
|
||||||
|
*** The Server
|
||||||
|
|
||||||
|
Generate a SSL certificate.
|
||||||
|
|
||||||
|
#+BEGIN_SRC: bash
|
||||||
|
openssl ecparam -out /etc/ssl/private/xmpp.pem -name prime256v1
|
||||||
|
openssl genpkey -paramfile /etc/ssl/private/xmpp.pem -out /etc/ssl/private/xmpp.key
|
||||||
|
openssl req -new -x509 -key /etc/ssl/private/xmpp.key -out /etc/ssl/certs/xmpp.crt -days 3650
|
||||||
|
#+END_SRC
|
||||||
|
|
||||||
|
The above uses a Diffie-Hellman elliptic curve (ECDH P-256) algorithm. It is apparent that amongst crypographers there are differences of opinion about the security of elliptic curves, so if you prefer there is also a more traditional RSA way to generate an SSL certificate:
|
||||||
|
|
||||||
|
#+BEGIN_SRC: bash
|
||||||
|
openssl genrsa -out /etc/ssl/private/xmpp.key 4096
|
||||||
|
openssl req -new -x509 -key /etc/ssl/private/xmpp.key -out /etc/ssl/certs/xmpp.crt -days 3650
|
||||||
|
#+END_SRC
|
||||||
|
|
||||||
|
Install Prosody.
|
||||||
|
|
||||||
|
#+BEGIN_SRC: bash
|
||||||
|
apt-get install prosody
|
||||||
|
cp -a /etc/prosody/conf.avail/example.com.cfg.lua /etc/prosody/conf.avail/xmpp.cfg.lua
|
||||||
|
emacs /etc/prosody/conf.avail/.cfg.lua
|
||||||
|
#+END_SRC
|
||||||
|
|
||||||
|
Change the *VirtualHost* name to your domain name and remove the line below it.
|
||||||
|
|
||||||
|
Set the ssl section to:
|
||||||
|
|
||||||
|
#+BEGIN_SRC: bash
|
||||||
|
ssl = {
|
||||||
|
key = "/etc/ssl/private/xmpp.key";
|
||||||
|
certificate = "/etc/ssl/certs/xmpp.crt";
|
||||||
|
}
|
||||||
|
#+END_SRC
|
||||||
|
|
||||||
|
Save and exit. Create a symbolic link.
|
||||||
|
|
||||||
|
#+BEGIN_SRC: bash
|
||||||
|
ln -sf /etc/prosody/conf.avail/xmpp.cfg.lua /etc/prosody/conf.d/xmpp.cfg.lua
|
||||||
|
#+END_SRC
|
||||||
|
|
||||||
|
Add a user. You will be prompted to specify a password. You can repeat the process for as many users as needed.
|
||||||
|
|
||||||
|
#+BEGIN_SRC: bash
|
||||||
|
prosodyctl adduser myusername@mydomainname.com
|
||||||
|
#+END_SRC
|
||||||
|
|
||||||
|
Restart the server
|
||||||
|
|
||||||
|
#+BEGIN_SRC: bash
|
||||||
|
service prosody restart
|
||||||
|
#+END_SRC
|
||||||
|
|
||||||
|
On your internet router/firewall open ports 5222 and 5223 and forward them to the BBB.
|
||||||
|
|
||||||
|
It's possible to test that your XMPP server is working at https://xmpp.net. It may take several minutes and you'll get a low score because of the self-signed certificate, but it will at least verify that your server is capable of communicating.
|
||||||
|
|
||||||
|
*** Using it with Ubuntu
|
||||||
|
Open *System Settings* and select *Online Accounts*, *Add account* and then *Jabber*.
|
||||||
|
|
||||||
|
Enter your username (myusername@mydomainname.com) and password.
|
||||||
|
|
||||||
|
Click on *Advanced* and make sure that *Encryption required* and *Ignore SSL certificate errors* are checked. Ignoring the certificate errors will allow you to use the self-signed certificate created earlier. Then click *Done* and set your Jabber account and Empathy to *On*.
|
||||||
** Install Gopher
|
** Install Gopher
|
||||||
Gopher is an old internet protocol which originated a few years before the web and is purely text based. It can be quite fun to build a gopher site and browse the gopherverse. One thing to keep in mind is that there is no security with gopher, so any text transmitted is trivially interceptable by systems such as [[https://en.wikipedia.org/wiki/XKeyscore][Xkeyscore]] or deep packet inspection.
|
Gopher is an old internet protocol which originated a few years before the web and is purely text based. It can be quite fun to build a gopher site and browse the gopherverse. One thing to keep in mind is that there is no security with gopher, so any text transmitted is trivially interceptable by systems such as [[https://en.wikipedia.org/wiki/XKeyscore][Xkeyscore]] or deep packet inspection.
|
||||||
|
|
||||||
|
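Review bot: the edit step `emacs /etc/prosody/conf.avail/.cfg.lua` is missing the file name; it should be `emacs /etc/prosody/conf.avail/xmpp.cfg.lua` to match the `cp` command above it and the symlink target further down. Three smaller points in the same hunk: the port advice (`open ports 5222 and 5223`) should mention 5269, which Prosody uses for server-to-server federation and without which contacts on other domains are unreachable, while 5223 is a legacy direct-TLS port that Prosody does not listen on by default; telling Ubuntu users to check *Ignore SSL certificate errors* turns off certificate validation entirely, so it would be safer to have them import `/etc/ssl/certs/xmpp.crt` as a trusted certificate instead; and the prose describing the EC key as "Diffie-Hellman" is inaccurate, since a P-256 key in an X.509 certificate is used for ECDSA signing (ECDH is negotiated per session regardless of key type). Typo: "crypographers" should be "cryptographers".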
@ -2420,6 +2486,7 @@ The following ports on your internet router/firewall should be forwarded to the
|
||||||
| SMTP | 25 |
|
| SMTP | 25 |
|
||||||
| SMTPS | 465 |
|
| SMTPS | 465 |
|
||||||
| SSH | 22 |
|
| SSH | 22 |
|
||||||
|
| XMPP | 5222..5223 |
|
||||||
|
|
||||||
* Hints and Tips
|
* Hints and Tips
|
||||||
** Messaging security
|
** Messaging security
|
||||||
|
|
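Review bot: the new row `| XMPP | 5222..5223 |` uses a range notation that no other row in this table uses (SMTP, SMTPS and SSH each list one port); for consistency either split it into two rows or write `5222, 5223`. If federation with other domains is intended, 5269 (XMPP server-to-server) should be listed here as well, matching the port-forwarding instructions in the XMPP section.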