From f6b182fa922df4edee4c02f7baa8776cb72e6868 Mon Sep 17 00:00:00 2001 From: Ossi Salmi Date: Wed, 18 Jul 2012 17:11:43 +0300 Subject: [PATCH] Updated ejabberd.cfg template based on latest CentOS config --- ejabberd/templates/ejabberd.cfg.erb | 349 ++++++++++++++-------------- 1 file changed, 179 insertions(+), 170 deletions(-) diff --git a/ejabberd/templates/ejabberd.cfg.erb b/ejabberd/templates/ejabberd.cfg.erb index 1ac3a11..bedb954 100644 --- a/ejabberd/templates/ejabberd.cfg.erb +++ b/ejabberd/templates/ejabberd.cfg.erb @@ -1,11 +1,13 @@ %%% -%%% ejabberd configuration file -%%% This config must be in UTF-8 encoding +%%% ejabberd configuration file %%% +%%%' + %%% The parameters used in this configuration file are explained in more detail %%% in the ejabberd Installation and Operation Guide. -%%% Please consult the Guide in case of doubts, it is available at -%%% /usr/share/doc/ejabberd/guide.html +%%% Please consult the Guide in case of doubts, it is included with +%%% your copy of ejabberd, and is also available online at +%%% http://www.process-one.net/en/ejabberd/docs/ %%% This configuration file contains Erlang terms. %%% In case you want to understand the syntax, here are the concepts: 
@@ -24,16 +26,21 @@ %%% [http_poll, web_admin, tls] %%% %%% - A keyword of ejabberd is a word in lowercase. -%%% The strings are enclosed in "" and can have spaces, dots... +%%% Strings are enclosed in "" and can contain spaces, dots, ... %%% {language, "en"}. %%% {ldap_rootdn, "dc=example,dc=com"}. %%% -%%% - This term includes a tuple, a keyword, a list and two strings: +%%% - This term includes a tuple, a keyword, a list, and two strings: %%% {hosts, ["jabber.example.net", "im.example.com"]}. %%% -%%% =================================== -%%% OVERRIDE OPTIONS STORED IN DATABASE + +%%%. ======================= +%%%' OVERRIDE STORED OPTIONS + +%% +%% Override the old values stored in the database. +%% %% %% Override global options (shared by all ejabberd nodes in a cluster). @@ -51,8 +58,8 @@ override_local. override_acls. -%%% ========= -%%% DEBUGGING +%%%. ========= +%%%' DEBUGGING %% %% loglevel: Verbosity of log files generated by ejabberd. @@ -66,15 +73,16 @@ override_acls. {loglevel, 4}. %% -%% watchdog_admins: If an ejabberd process consumes too much memory, -%% send live notifications to those Jabber accounts. +%% watchdog_admins: Only useful for developers: if an ejabberd process +%% consumes a lot of memory, send live notifications to these XMPP +%% accounts. %% %%{watchdog_admins, ["bob@example.com"]}. {watchdog_admins, []}. -%%% ================ -%%% SERVED HOSTNAMES +%%%. ================ +%%%' SERVED HOSTNAMES %% %% hosts: Domains served by ejabberd. 
@@ -85,37 +93,45 @@ override_acls. {hosts, [<%= ejabberd_hosts.join(", ") %>]}. %% -%% route_subdomains: Delegate subdomains to other Jabber server. +%% route_subdomains: Delegate subdomains to other XMPP servers. %% For example, if this ejabberd serves example.org and you want -%% to allow communication with a Jabber server called im.example.org. +%% to allow communication with an XMPP server called im.example.org. %% %%{route_subdomains, s2s}. -%%% =============== -%%% LISTENING PORTS +%%%. =============== +%%%' LISTENING PORTS %% -%% listen: Which ports will ejabberd listen, which service handles it -%% and what options to start it with. +%% listen: The ports ejabberd will listen on, which service each is handled +%% by and what options to start it with. %% {listen, [ + {5222, ejabberd_c2s, [ + + %% + %% If TLS is compiled in and you installed a SSL + %% certificate, specify the full path to the + %% file and uncomment this line: + %% + {certfile, "/etc/ejabberd/ejabberd.pem"}, starttls_required, + {access, c2s}, - %%{shaper, c2s_shaper}, - {max_stanza_size, 655360}, - starttls_required, {certfile, "/etc/ejabberd/ejabberd.pem"} + {shaper, c2s_shaper}, + {max_stanza_size, 655360} ]}, %% - %% To enable the old SSL connection method (deprecated) in port 5223: + %% To enable the old SSL connection method on port 5223: %% {5223, ejabberd_c2s, [ {access, c2s}, - %%{shaper, c2s_shaper}, - {max_stanza_size, 655360}, - tls, {certfile, "/etc/ejabberd/ejabberd.pem"} + {shaper, c2s_shaper}, + {certfile, "/etc/ejabberd/ejabberd.pem"}, tls, + {max_stanza_size, 655360} ]}, {5269, ejabberd_s2s_in, [ 
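Review bot: The 5223 listener is still active on the new side, yet its new header comment reads like an opt-in instruction (`%% To enable the old SSL connection method on port 5223:`) and drops the old "(deprecated)" wording, so a reader may assume legacy SSL-on-connect is off. That listener exists only for clients that cannot do STARTTLS; if none remain, comment the block out, otherwise state the situation, e.g. `%% Legacy SSL-on-connect (deprecated) on port 5223 -- ENABLED here for old clients; prefer STARTTLS on 5222:`. Both listeners hard-code `/etc/ejabberd/ejabberd.pem` while the served hosts come from `ejabberd_hosts`; a `certfile` template variable would make the certificate path as manageable as the host list. The `listen` list continues past the end of this hunk.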
@@ -123,55 +139,22 @@ override_acls. {max_stanza_size, 1310720} ]}, - %% External MUC jabber-muc - %%{5554, ejabberd_service, [ - %% {ip, {127, 0, 0, 1}}, + %% + %% ejabberd_service: Interact with external components (transports, ...) + %% + %%{8888, ejabberd_service, [ %% {access, all}, %% {shaper_rule, fast}, - %% {host, "muc.localhost", [{password, "secret"}]} - %% ]}, + %% {ip, {127, 0, 0, 1}}, + %% {hosts, ["icq.example.org", "sms.example.org"], + %% [{password, "secret"}] + %% } + %% ]}, - %% Jabber ICQ Transport - %%{5555, ejabberd_service, [ - %% {ip, {127, 0, 0, 1}}, - %% {access, all}, - %% {shaper_rule, fast}, - %% {hosts, ["icq.localhost", "sms.localhost"], - %% [{password, "secret"}]} - %% ]}, - - %% AIM Transport - %%{5556, ejabberd_service, [ - %% {ip, {127, 0, 0, 1}}, - %% {access, all}, - %% {shaper_rule, fast}, - %% {host, "aim.localhost", [{password, "secret"}]} - %% ]}, - - %% MSN Transport - %%{5557, ejabberd_service, [ - %% {ip, {127, 0, 0, 1}}, - %% {access, all}, - %% {shaper_rule, fast}, - %% {host, "msn.localhost", [{password, "secret"}]} - %% ]}, - - %% Yahoo! Transport - %%{5558, ejabberd_service, [ - %% {ip, {127, 0, 0, 1}}, - %% {access, all}, - %% {shaper_rule, fast}, - %% {host, "yahoo.localhost", [{password, "secret"}]} - %% ]}, - - %% External JUD (internal is more powerful, - %% but doesn't allow to register users from other servers) - %%{5559, ejabberd_service, [ - %% {ip, {127, 0, 0, 1}}, - %% {access, all}, - %% {shaper_rule, fast}, - %% {host, "jud.localhost", [{password, "secret"}]} - %% ]}, + %% + %% ejabberd_stun: Handles STUN Binding requests + %% + %%{{3478, udp}, ejabberd_stun, []}, {5280, ejabberd_http, [ %%{request_handlers, @@ -181,6 +164,7 @@ override_acls. %%captcha, http_bind, http_poll, + %%register, web_admin ]} 
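Review bot: `web_admin` stays enabled on the 5280 `ejabberd_http` listener with no `tls`/`{certfile, ...}` visible in the hunk, so web-admin logins (the admin account's XMPP password over HTTP basic auth) would travel in the clear unless the listener is fronted by a TLS proxy or bound to loopback; the listener's option list opens in the previous hunk and the lines between the two hunks are not shown, so this may already be handled there. If it is not, add `tls, {certfile, "/etc/ejabberd/ejabberd.pem"},` to the listener, or at least `{ip, {127, 0, 0, 1}},` so the admin UI is reachable only locally. The newly added `%%register,` handler is harmless as shipped, but a one-line comment warning that uncommenting it exposes account creation on the same listener would help the next reader.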
@@ -188,7 +172,7 @@ override_acls. %% %% s2s_use_starttls: Enable STARTTLS + Dialback for S2S connections. -%% Allowed values are: true or false. +%% Allowed values are: false optional required required_trusted %% You must specify a certificate file. %% {s2s_use_starttls, required}. @@ -217,20 +201,6 @@ override_acls. %%{{s2s_host, "goodhost.org"}, allow}. %%{{s2s_host, "badhost.org"}, deny}. -%% -%% The maximum allowed delay for retry to connect -%% after a failed connection attempt to a remote server, in seconds. -%% The default value is 300 seconds (5 minutes). -%% -%% The reconnection algorythm works like this: if connection fails, -%% ejabberd makes an initial random delay between 1 and 15 seconds, -%% then retries, and if this attempt fails, makes another delay, -%% twice as long as previous. These attempts are performed either -%% until a successful connection is made or until the next calculated -%% delay is greated or equal than the value of s2s_max_retry_delay. -%% -%%{s2s_max_retry_delay, 300}. - %% %% Outgoing S2S options %% @@ -240,8 +210,15 @@ override_acls. %%{outgoing_s2s_options, [ipv4, ipv6], 10000}. -%%% ============== -%%% AUTHENTICATION +%%%. ============== +%%%' AUTHENTICATION + +<% if has_variable?("ejabberd_extauth") -%> +{auth_method, external}. +{extauth_program, "<%= ejabberd_extauth %>"}. +<% else -%> +{auth_method, internal}. +<% end -%> %% %% auth_method: Method used to authenticate the users. 
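Review bot: `{extauth_program, "<%= ejabberd_extauth %>"}` drops the Puppet value straight into an Erlang string literal with no quoting, so a path containing `"` or `\` yields a config that does not parse (and, since the file is Erlang terms, could in principle inject further terms); the value is trusted Puppet data, but a guard is cheap: `<% raise "ejabberd_extauth must be an absolute path without quotes: #{ejabberd_extauth}" unless ejabberd_extauth =~ %r{\A/[^"\\\s]+\z} -%>` before the `{auth_method, external}.` line. Moving the live `auth_method` terms above the `%% auth_method: ...` explanatory comment also leaves that comment ("comment this line and enable the correct ones") pointing at a commented example rather than the active setting; consider moving the ERB block back under it. The external script runs with ejabberd's privileges, so its path should not be writable by the ejabberd user — that belongs in the Puppet file resource rather than in this template.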
@@ -249,12 +226,14 @@ override_acls. %% If you want to use a different method, %% comment this line and enable the correct ones. %% -<% if has_variable?("ejabberd_extauth") -%> -{auth_method, external}. -{extauth_program, "<%= ejabberd_extauth %>"}. -<% else -%> -{auth_method, internal}. -<% end -%> +%%{auth_method, internal}. +%% +%% Store the plain passwords or hashed for SCRAM: +%%{auth_password_format, plain}. +%%{auth_password_format, scram}. +%% +%% Define the FQDN if ejabberd doesn't detect it: +%%{fqdn, "server3.example.com"}. %% %% Authentication using external script @@ -283,18 +262,18 @@ override_acls. %% List of LDAP servers: %%{ldap_servers, ["localhost"]}. %% -%% Encryption of connection to LDAP servers (LDAPS): +%% Encryption of connection to LDAP servers: %%{ldap_encrypt, none}. %%{ldap_encrypt, tls}. %% -%% Port connect to LDAP server: +%% Port to connect to on LDAP servers: %%{ldap_port, 389}. %%{ldap_port, 636}. %% %% LDAP manager: %%{ldap_rootdn, "dc=example,dc=com"}. %% -%% Password to LDAP manager: +%% Password of LDAP manager: %%{ldap_password, "******"}. %% %% Search base of LDAP directory: 
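Review bot: With the template's `{auth_method, internal}.` branch, account passwords are stored in Mnesia in the clear unless `auth_password_format` is set, and this hunk only adds `%%{auth_password_format, scram}.` as a commented example. If the deployed ejabberd supports it (it ships in the same upstream config as `mod_blocking` and `captcha_limit`, which suggests 2.1.x or later), consider activating `{auth_password_format, scram}.` inside the `else` branch of the ERB auth block, after confirming how existing plain-text passwords are handled on upgrade for that version — I have not verified the migration behaviour. SCRAM storage is, as far as I know, incompatible with mechanisms that need the plain password server-side (DIGEST-MD5), so check the client population first.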
@@ -321,21 +300,14 @@ override_acls. %%{host_config, "public.example.org", [{auth_method, [internal, anonymous]}]}. -%%% ============== -%%% DATABASE SETUP +%%%. ============== +%%%' DATABASE SETUP -%% ejabberd uses by default the internal Mnesia database, -%% so you can avoid this section. +%% ejabberd by default uses the internal Mnesia database, +%% so you do not necessarily need this section. %% This section provides configuration examples in case %% you want to use other database backends. -%% Please consult the ejabberd Guide for details about database creation. - -%% NOTE that ejabberd in Debian supports "out of the box" -%% only mnesia (default) and ODBC storage backends. -%% Working with MySQL and PostgreSQL DB backends requires -%% building and installation of the corresponding Erlang modules, -%% not distributed as a part of ejabberd. -%% Refer to /usr/share/doc/ejabberd/README.Debian for details. +%% Please consult the ejabberd Guide for details on database creation. %% %% MySQL server: 
@@ -369,33 +341,41 @@ override_acls. %%{odbc_pool_size, 10}. %% -%% Interval to make a dummy SQL request to keep alive the connections -%% to the database. Specify in seconds: for example 28800 means 8 hours +%% Interval to make a dummy SQL request to keep the connections to the +%% database alive. Specify in seconds: for example 28800 means 8 hours %% %%{odbc_keepalive_interval, undefined}. -%%% =============== -%%% TRAFFIC SHAPERS +%%%. =============== +%%%' TRAFFIC SHAPERS %% -%% The "normal" shaper limits traffic speed to 1.000 B/s +%% The "normal" shaper limits traffic speed to 1000 B/s %% {shaper, normal, {maxrate, 1000}}. %% -%% The "fast" shaper limits traffic speed to 50.000 B/s +%% The "fast" shaper limits traffic speed to 50000 B/s %% {shaper, fast, {maxrate, 50000}}. +%% +%% This option specifies the maximum number of elements in the queue +%% of the FSM. Refer to the documentation for details. +%% +{max_fsm_queue, 10000}. -%%% ==================== -%%% ACCESS CONTROL LISTS + +%%%. ==================== +%%%' ACCESS CONTROL LISTS %% -%% The 'admin' ACL grants administrative privileges to Jabber accounts. -%% You can put as many accounts as you want. +%% The 'admin' ACL grants administrative privileges to XMPP accounts. +%% You can put here as many accounts as you want. %% +%%{acl, admin, {user, "aleksey", "localhost"}}. +%%{acl, admin, {user, "ermine", "example.org"}}. <% ejabberd_admin.each do |admin| user, host = admin.split("@") -%> {acl, admin, {user, "<%= user %>", "<%= host %>"}}. @@ -430,10 +410,10 @@ user, host = admin.split("@") -%> %%}. -%%% ============ -%%% ACCESS RULES +%%%. ============ +%%%' ACCESS RULES -%% Define the maximum number of time a single user is allowed to connect: +%% Maximum number of simultaneous sessions allowed for a single user: {access, max_user_sessions, [{100, all}]}. %% Maximum number of offline messages that users can have: 
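Review bot: `user, host = admin.split("@")` silently mis-renders an `ejabberd_admin` entry that is not `user@host`: with no `@`, `host` is nil and the ACL becomes `{acl, admin, {user, "name", ""}}`, which grants admin to nobody, and with an extra `@` the host is truncated; neither case fails the Puppet run. Add a guard before the split, e.g. `<% raise "ejabberd_admin entry is not user@host: #{admin}" unless admin.count("@") == 1 -%>`; the same unescaped-interpolation caveat as for the other ERB strings applies (a `"` or `\` in either half breaks the Erlang term). Separately, `{access, c2s_shaper, [{none, all}]}` kept in the access-rules section (outside this hunk) means the `{shaper, c2s_shaper}` the commit now enables on the c2s listeners shapes nothing, leaving the `{max_fsm_queue, 10000}.` added here as the only per-connection brake — fine if intended, but worth a comment saying so.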
@@ -446,46 +426,43 @@ user, host = admin.split("@") -%> {access, c2s, [{deny, blocked}, {allow, all}]}. -%% For all users except admins used "normal" shaper +%% For C2S connections, all users except admins use the "normal" shaper %%{access, c2s_shaper, [{none, admin}, %% {normal, all}]}. {access, c2s_shaper, [{none, all}]}. -%% For all S2S connections used "fast" shaper +%% All S2S connections use the "fast" shaper %%{access, s2s_shaper, [{fast, all}]}. {access, s2s_shaper, [{none, all}]}. %% Only admins can send announcement messages: {access, announce, [{allow, admin}]}. -%% Only admins can use configuration interface: +%% Only admins can use the configuration interface: {access, configure, [{allow, admin}]}. -%% Admins of this server are also admins of MUC service: +%% Admins of this server are also admins of the MUC service: {access, muc_admin, [{allow, admin}]}. %% Only accounts of the local ejabberd server can create rooms: {access, muc_create, [{allow, local}]}. -%% All users are allowed to use MUC service: +%% All users are allowed to use the MUC service: {access, muc, [{allow, all}]}. -%% No username can be registered via in-band registration: -%% To enable in-band registration, replace 'deny' with 'allow' -% (note that if you remove mod_register from modules list then users will not -% be able to change their password as well as register). -% This setting is default because it's more safe. -{access, register, [{deny, all}]}. - -%% By default frequency of account registrations from the same IP -%% is limited to 1 account every 10 minutes. To disable put: infinity -%%{registration_timeout, 600}. - %% Only accounts on the local ejabberd server can create Pubsub nodes: {access, pubsub_createnode, [{allow, local}]}. +%% In-band registration allows registration of any possible username. +%% To disable in-band registration, replace 'allow' with 'deny'. +{access, register, [{deny, all}]}. 
+ +%% By default the frequency of account registrations from the same IP +%% is limited to 1 account every 10 minutes. To disable, specify: infinity +%%{registration_timeout, 600}. + %% -%% Define specific Access rules in a virtual host. +%% Define specific Access Rules in a virtual host. %% %%{host_config, "localhost", %% [ @@ -495,8 +472,8 @@ user, host = admin.split("@") -%> %%}. -%%% ================ -%%% DEFAULT LANGUAGE +%%%. ================ +%%%' DEFAULT LANGUAGE %% %% language: Default language used for server messages. @@ -511,27 +488,26 @@ user, host = admin.split("@") -%> %%}. -%%% ======= -%%% CAPTCHA +%%%. ======= +%%%' CAPTCHA %% %% Full path to a script that generates the image. -%% Note that this script must be made executable -%% for the user ejabberd:ejabberd. %% -%%{captcha_cmd, "/usr/lib/ejabberd/priv/bin/captcha.sh"}. +%%{captcha_cmd, "/usr/lib64/ejabberd/priv/bin/captcha.sh"}. %% -%% Host part of the URL sent to the user. -%% The port specified must be configured as the "ejabberd_http" -%% listener which must have the "captcha" directive included -%% in its configuration (see the "LISTENING PORTS" section above). +%% Host for the URL and port where ejabberd listens for CAPTCHA requests. %% -%%{captcha_host, "localhost:5280"}. +%%{captcha_host, "example.org:5280"}. +%% +%% Limit CAPTCHA calls per minute for JID/IP to avoid DoS. +%% +%%{captcha_limit, 5}. -%%% ======= -%%% MODULES +%%%. ======= +%%%' MODULES %% %% Modules enabled in all ejabberd virtual hosts. 
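Review bot: The new comment above `{access, register, [{deny, all}]}.` reads `%% In-band registration allows registration of any possible username.` / `%% To disable in-band registration, replace 'allow' with 'deny'.`, copied from the upstream default where the rule is `allow`; here the rule is `deny`, so the comment describes the opposite of the configured state. Replace it with `%% In-band registration is DISABLED here. To allow it, replace 'deny' with 'allow';` / `%% mod_register must stay loaded regardless, since it also handles password changes.` — the removed comment carried that second point and it is useful to keep. The `registration_timeout` comment that follows is accurate but only matters once the rule is `allow`, which is worth saying in the same breath.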
@@ -539,19 +515,16 @@ user, host = admin.split("@") -%> {modules, [ {mod_adhoc, []}, - {mod_announce, [{access, announce}]}, % requires mod_adhoc + {mod_announce, [{access, announce}]}, % recommends mod_adhoc + {mod_blocking,[]}, % requires mod_privacy {mod_caps, []}, {mod_configure,[]}, % requires mod_adhoc - {mod_admin_extra, []}, {mod_disco, []}, %%{mod_echo, [{host, "echo.localhost"}]}, - {mod_http_bind, []}, {mod_irc, []}, - %% NOTE that mod_http_fileserver must also be enabled in the - %% "request_handlers" clause of the "ejabberd_http" listener - %% configuration (see the "LISTENING PORTS" section above). + {mod_http_bind, []}, %%{mod_http_fileserver, [ - %% {docroot, "/var/www"}, + %% {docroot, "/var/www"}, %% {accesslog, "/var/log/ejabberd/access.log"} %% ]}, {mod_last, []}, 
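Review bot: The hunk drops `{mod_admin_extra, []}` from the module list, which is a functional change beyond syncing with the CentOS file: the extra ejabberdctl commands that module provides disappear with it, and the commit message does not mention it. If the removal is deliberate, a short comment in the list (`% mod_admin_extra intentionally not loaded`) would spare the next reader a hunt; otherwise restore `{mod_admin_extra, []},` next to `mod_adhoc`. The `modules` list continues past the end of this hunk.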
@@ -587,40 +560,73 @@ user, host = admin.split("@") -%> {file_format, <%= ejabberd_muclog_format %>}, <% end -%> {cssfile, false}, - {top_link, {"/portal/", "Back to Portal"}} + {top_link, {"/jabber-logs/", "Back to Logs"}} ]}, <% end -%> {mod_offline, [{access_max_user_messages, max_user_offline_messages}]}, + {mod_ping, []}, + %%{mod_pres_counter,[{count, 5}, {interval, 60}]}, {mod_privacy, []}, {mod_private, []}, + %%{mod_proxy65,[]}, {mod_proxy65, [ {access, local}, {shaper, c2s_shaper} ]}, - {mod_pubsub, [ % requires mod_caps + {mod_pubsub, [ {access_createnode, pubsub_createnode}, {ignore_pep_from_offline, true}, % reduces resource comsumption, but XEP incompliant + %%{ignore_pep_from_offline, false}, % XEP compliant, but increases resource comsumption {last_item_cache, false}, - %%{plugins, ["default", "pep"]} {plugins, ["flat", "hometree", "pep"]} % pep requires mod_caps ]}, {mod_register, [ + %% + %% Protect In-Band account registrations with CAPTCHA. + %% + %%{captcha_protected, true}, + + %% + %% Set the minimum informational entropy for passwords. + %% + %%{password_strength, 32}, + %% %% After successful registration, the user receives %% a message with this subject and body. %% - {welcome_message, none}, + {welcome_message, {"Welcome!", + "Hi.\nWelcome to this XMPP server."}}, %% %% When a user registers, send a notification to - %% these Jabber accounts. + %% these XMPP accounts. %% %%{registration_watchers, ["admin1@example.org"]}, + + %% + %% Only clients in the server machine can register accounts + %% + {ip_access, [{allow, "127.0.0.0/8"}, + {deny, "0.0.0.0/0"}]}, + + %% + %% Local c2s or remote s2s users cannot register accounts + %% + %%{access_from, deny}, + {access, register} ]}, + %%{mod_register_web, [ + %% + %% When a user registers, send a notification to + %% these XMPP accounts. 
+ %% + %%{registration_watchers, ["admin1@example.org"]} + %% ]}, {mod_roster, []}, %%{mod_service_log,[]}, - %%{mod_shared_roster,[]}, + {mod_shared_roster,[]}, {mod_stats, []}, {mod_time, []}, {mod_vcard, []}, @@ -639,9 +645,12 @@ user, host = admin.split("@") -%> %% ]}. -%%% $Id: ejabberd.cfg.example 2497 2009-08-17 20:27:28Z cromain $ +%%%. +%%%' + +%%% $Id$ %%% Local Variables: %%% mode: erlang %%% End: -%%% vim: set filetype=erlang tabstop=8: +%%% vim: set filetype=erlang tabstop=8 foldmarker=%%%',%%%. foldmethod=marker:
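Review bot: `{mod_shared_roster,[]}` is switched from commented to active in this hunk, adding a feature (admin-managed shared roster groups) that the upstream file keeps disabled as far as I can tell; if it is not needed, keep it commented, since it widens what an admin-ACL compromise can push into users' rosters. The new `ip_access` allow-loopback/deny-all block in `mod_register` is a sensible second fence beside `{access, register}`, but `%%{password_strength, 32}` is left commented, so if registration is ever re-enabled there is no password policy — activating `{password_strength, 32},` now costs nothing while registration is denied. `{mod_proxy65, [{access, local}, {shaper, c2s_shaper}]}` (context here) relays file transfers with a shaper that, per the access rules earlier in this file, resolves to `none`, so proxy65 traffic is unthrottled. The `modules` list begins in the previous hunk.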