背景信息
操作系统:Debian 稳定版(9.6)
ejabberd 版本:18.09-2(来自 backports 仓库)
我的配置基于 https://gitlab.com/hanno/ejabberd-config (我把真实域名替换成了 example.com)
# _%%_ Ejabberd config from schokokeks.org XMPP server.
# _%%_ We try to enable modern XMPP features and document to which XEP
# _%%_ they relate.
# _%%_ We also use a modern and secure TLS configuration where possible.
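define_macro:
  # Cipher list shared by every TLS endpoint below (c2s, https, s2s).
  'CIPHERS': "HIGH:!MEDIUM:!LOW:!3DES:!CAMELLIA:!aNULL:!RSA@STRENGTH"
  # OpenSSL protocol options shared by every TLS endpoint below.
  # NOTE(review): only SSLv2/SSLv3 are switched off here, TLS 1.0 and 1.1 stay
  # enabled. fast_tls also accepts no_tlsv1 / no_tlsv1_1 — worth adding once
  # all clients and peer servers are known to speak TLS 1.2.
  'TLSOPTS':
    - "no_sslv2"
    - "no_sslv3"
    - "cipher_server_preference"
  # generated with: openssl dhparam -out dhparams.pem 2048
  'DHFILE': "/etc/ejabberd/dh2048-ejabberd.pem"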
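# Global certificate/key list. The glob covers every Let's Encrypt lineage under
# /etc/letsencrypt/live; the per-listener "certfile" lines further down are all
# commented out, so every TLS listener relies on this list.
certfiles:
  - "/etc/letsencrypt/live/*/fullchain.pem"
  - "/etc/letsencrypt/live/*/privkey.pem"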
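# XMPP domains served by this node (real domain replaced by example.com).
hosts:
  - "example.com"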
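# Access rules: each rule maps ACL names (see "acl:" below) to a result.
access:
  announce:
    admin: allow
  c2s:
    # NOTE(review): "blocked" is referenced here but not defined in the acl:
    # section of this file, so it presumably matches nobody — define it or
    # drop the line.
    blocked: deny
    all: allow
  c2s_shaper:
    admin: none
    all: normal
  local:
    local: allow
  max_user_offline_messages:
    admin: 5000
    all: 100
  max_user_sessions:
    all: 10
  muc:
    all: allow
  muc_admin:
    admin: allow
  muc_create:
    local: allow
  pubsub_createnode:
    all: allow
  register:
    # _%%_ Don't allow registration
    all: deny
  s2s_shaper:
    all: fast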
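acl:
  # Single admin account; referenced by the "admin" entries in access: above.
  admin:
    user:
      - "kiigass": "example.com"
  # Empty regexp: every user of a local host.
  local:
    user_regexp:
      - ""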
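# _%%_ We want internal authentication
auth_method:
  - mnesia
# _%%_ store passwords with scram hash method.
# _%%_ no DIGEST-MD5, needs plaintext storage of passwords.
auth_password_format: scram
# DIGEST-MD5 cannot work with scram storage, so it is disabled explicitly.
disable_sasl_mechanisms: "DIGEST-MD5"
language: "en"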
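listen:
  # Client-to-server. "0.0.0.0" is the IPv4 wildcard; no IPv6 listener is defined.
  - ip: "0.0.0.0"
    port: 5222
    module: ejabberd_c2s
    max_stanza_size: 65536
    shaper: c2s_shaper
    access: c2s
    # _%%_ DEPRECATED, uses mod_stream_mgmt
    # _%%_ XEP-0198, Stream Management
    # _%%_ Note: This is enabled by default, but we'd like to explicitly enable it
    # stream_management: true
    # _%%_ TLS compression is dangerous, see CRIME attack
    tls_compression: false
    # _%%_ Diffie Hellman parameters with 2048 bit, created with "openssl dhparam 2048"
    dhfile: 'DHFILE'
    # _%%_ We only want "HIGH" strength ciphers and explicitly disable
    # _%%_ 3DES (SWEET32 attack), RSA (no forward secrecy, Bleichenbacher attacks),
    # _%%_ CAMELLIA (unusual and not needed).
    ciphers: 'CIPHERS'
    # _%%_ We require STARTTLS for clients. No unencrypted logins
    starttls_required: true
    # certfile: "/etc/ejabberd/ejabberd.pem"
    # _%%_ Due to DROWN (SSLv2) and POODLE (SSLv3) all old SSL versions are considered insecure
    protocol_options: 'TLSOPTS'
  # Server-to-server (incoming). dhfile/ciphers for this listener come from the
  # global s2s_dhfile / s2s_ciphers keys at the end of the file.
  - ip: "0.0.0.0"
    port: 5269
    module: ejabberd_s2s_in
    max_stanza_size: 131072
    shaper: s2s_shaper
    protocol_options: 'TLSOPTS'
  # NOTE(review): plain-HTTP listener — there is no "tls: true" here, so the web
  # admin, BOSH and CAPTCHA handlers are served unencrypted and an https://
  # client fails its handshake on this port. Credentials entered on /admin/
  # over this port travel in clear text; bind it to localhost or enable TLS
  # like the 5443 listener below.
  - port: 5280
    module: ejabberd_http
    web_admin: true
    http_bind: true
    captcha: true
  # _%%_ XEP-0363, HTTP File Upload
  # _%%_ Note: This only opens the port, further below is the module config itself
  - port: 5443
    module: ejabberd_http
    tls: true
    # certfile: "/etc/ejabberd/ejabberd.pem"
    # _%%_ See comments above for justification of TLS options
    tls_compression: false
    dhfile: 'DHFILE'
    ciphers: 'CIPHERS'
    protocol_options: 'TLSOPTS'
    # Root path handled by mod_http_upload; matches put_url in the module config.
    request_handlers:
      "": mod_http_upload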
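# 4 = info; raise to 5 only temporarily, debug logs include stanza contents.
loglevel: 4
max_fsm_queue: 1000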
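modules:
  # Extra administrative commands for ejabberdctl / the web admin.
  mod_admin_extra: []
  mod_adhoc: []
  # Server-wide announcements, restricted by the "announce" rule (admin only).
  mod_announce:
    access: announce
  # _%%_ XEP-0115, Entity Capabilities
  mod_caps: []
  # XEP-0157
  # NOTE(review): both mailto: targets below look like they were redacted by
  # the page's e-mail obfuscation; real abuse/security contacts belong here.
  mod_disco:
    server_info:
      - modules: all
        name: "abuse-addresses"
        urls: ["mailto:[email protected]"]
      - modules: all
        name: "security-addresses"
        urls: ["mailto:[email protected]"]
  mod_bosh: []
  mod_last: []
  # _%%_ XEP-0045, Mult-User Chat (MUC)
  mod_muc:
    access: muc
    access_create: muc_create
    access_persistent: muc_create
    access_admin: muc_admin
  mod_offline:
    access_max_user_messages: max_user_offline_messages
  # Server-side ping every 10 s; a session that does not answer within 5 s is
  # killed. Values this tight are hard on mobile clients — confirm they are intended.
  mod_ping:
    send_pings: true
    ping_interval: 10
    ping_ack_timeout: 5
    timeout_action: kill
  mod_privacy: []
  mod_private: []
  # _%%_ XEP-0065, SOCKS5 Bytestreams (Proxy)
  # NOTE(review): no "access" rule is given for the proxy, so the module default
  # decides who may relay through it — verify that is not wider than intended.
  mod_proxy65:
    host: "proxy65.example.com"
    hostname: "proxy65.example.com"
    ip: "0.0.0.0"
    port: 7777
  mod_pubsub:
    access_createnode: pubsub_createnode
    ignore_pep_from_offline: false
    last_item_cache: true
    plugins:
      - "flat"
      - "hometree"
      # _%%_ XEP-0163, Personal Eventing Protocol (PEP), needed for Avatars / OMEMO
      - "pep"
  # _%%_ XEP-0237, Roster Versioning
  mod_roster:
    versioning: true
  mod_shared_roster: []
  mod_stats: []
  # _%%_ XEP-0198, Stream Management
  # _%%_ Note: This is enabled by default, but we'd like to explicitly enable it
  mod_stream_mgmt:
    max_resume_timeout: 30
    resend_on_timeout: if_offline
    resume_timeout: 30
    ack_timeout: 30
  mod_time: []
  mod_vcard: []
  mod_version: []
  # _%%_ XEP-0313, Message Archive Management (MAM)
  # "default: always" switches server-side archiving on for every user unless
  # they change their own MAM preferences; keep the retention implications in mind.
  mod_mam:
    default: always
    assume_mam_usage: true
  # _%%_ XEP-0191, Blocking Command
  mod_blocking: []
  # _%%_ XEP-0352, Client State Indicator
  mod_client_state: []
  # _%%_ XEP-0280, Message Carbons
  mod_carboncopy: []
  # _%%_ XEP-0363, HTTP File Upload
  # _%%_ This is the configuration for the module, port config above.
  mod_http_upload:
    # _%%_ With this configuration for each domain name there must be a subdirectory
    # _%%_ in the docroot, e.g. /var/ejabberd-http-upload/example.org/
    thumbnail: false
    docroot: "/var/ejabberd-http-upload/"
    # Must match the TLS listener on port 5443 above ("" -> mod_http_upload).
    put_url: "https://example.com:5443/@HOST@"
    # NOTE(review): no max_size or upload access rule is set, so the module
    # defaults apply — confirm they fit the disk behind docroot.
  mod_s2s_dialback: []
  # XEP-0078 non-SASL login. starttls_required on the c2s listener keeps it
  # inside TLS, but it sidesteps the SASL mechanism list (disable_sasl_mechanisms
  # does not cover it); drop it unless a legacy client still needs it.
  mod_legacy_auth: []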
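# Traffic shapers referenced by the c2s_shaper / s2s_shaper rules (bytes per second).
shaper:
  normal: 1000
  fast: 50000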
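# _%%_ TLS settings for s2s communication
# "required": no federation without TLS; peers that cannot do STARTTLS fail.
s2s_use_starttls: required
#s2s_certfile: "/etc/ejabberd/ejabberd.pem"
s2s_dhfile: 'DHFILE'
# _%%_ For s2s we allow RSA key exchange for more compatibility
# NOTE(review): the comment above contradicts the value: 'CIPHERS' is the same
# macro used for c2s and contains "!RSA", so RSA key exchange is excluded for
# s2s as well. Either the comment is stale or a separate, laxer cipher list
# was intended here.
s2s_ciphers: 'CIPHERS'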
问题
当我尝试连接到https://example.com:5280/或者https://example.com:5280/admin/我从 Firefox 获得:
安全连接失败
页面加载时与 example.com:5280 的连接中断。
无法显示您尝试查看的页面,因为无法验证所接收数据的真实性。
请联系网站所有者并告知他们此问题。
当我同时查看 /var/log/ejabberd/ejabberd.log (tail -f) 时,我得到:
2018-12-09 13:24:32.021 [info] <0.353.0>@ejabberd_listener:accept:221(<0.479.0>) Accepted connection xxxx:7048 -> xxyy:5280
问题
我配置错误了什么?我该如何配置才能使其正常工作?
答案1
解决方案是必须显式设置 `tls: true`。我还选择把 tls_compression 设为 false(防范 CRIME 攻击)。
工作配置是:
# One entry of the "listen:" sequence (the port 5280 listener from the question);
# the leading "  - " and the other listeners are omitted here.
port: 5280
module: ejabberd_http
web_admin: true
http_bind: true
captcha: true
# Serves the web admin / BOSH / CAPTCHA endpoints over TLS, using the global
# "certfiles" list (no per-listener certfile is set).
tls: true
# NOTE(review): unlike the port 5443 listener, no dhfile / ciphers /
# protocol_options are given here, so this listener presumably runs with the
# fast_tls defaults instead of the 'CIPHERS' / 'TLSOPTS' macros — confirm, or
# copy those three lines over.
tls_compression: false
(我添加了最后两行)。