From d9aff8aaade486d9f7a9d6c242350684fcea85fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sara=20Aim=C3=A9e=20Smiseth?= <51710585+SaraSmiseth@users.noreply.github.com>
Date: Mon, 1 Jun 2020 11:10:19 +0200
Subject: [PATCH] Use automatic location for certificates

README: SSL certificates
Port 5223 for legacy ssl c2s
---
 Dockerfile | 2 +-
 conf.d/05-vhost.cfg.lua | 10 +++-
 readme.md | 100 ++++++++++++++++++++++++++--------------
 3 files changed, 75 insertions(+), 37 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 6ec59ac..b2ebe77 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -50,7 +50,7 @@ RUN buildDeps='gcc git libc6-dev libidn11-dev liblua5.2-dev libsqlite3-dev libss
 \
 && apt-get purge -y --auto-remove $buildDeps
 
-EXPOSE 5000 5222 5269 5347 5280 5281
+EXPOSE 5000 5222 5223 5269 5347 5280 5281
 
 RUN groupadd -r prosody \
 && useradd -r -g prosody prosody \
diff --git a/conf.d/05-vhost.cfg.lua b/conf.d/05-vhost.cfg.lua
index a791784..44f69cd 100644
--- a/conf.d/05-vhost.cfg.lua
+++ b/conf.d/05-vhost.cfg.lua
@@ -3,11 +3,17 @@ local domain_http_upload = os.getenv("DOMAIN_HTTP_UPLOAD")
 local domain_muc = os.getenv("DOMAIN_MUC")
 local domain_proxy = os.getenv("DOMAIN_PROXY")
 
+-- This is a fallback just for http_upload because service certificates are searched differently
+-- https://prosody.im/doc/certificates#service_certificates
 ssl = {
- key = "/usr/local/etc/prosody/certs/prosody.key";
- certificate = "/usr/local/etc/prosody/certs/prosody.crt";
+ certificate = "certs/" .. domain .. "/fullchain.pem";
+ key = "certs/" .. domain .. "/privkey.pem";
 }
+
+-- XEP-0368: SRV records for XMPP over TLS
+-- https://compliance.conversations.im/test/xep0368/
+legacy_ssl_ports = { 5223 }
+
 VirtualHost (domain)
 
 -- Set up a http file upload because proxy65 is not working in muc
diff --git a/readme.md b/readme.md
index a6414b0..b147dea 100644
--- a/readme.md
+++ b/readme.md
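Review bot: `certificate = "certs/" .. domain .. "/fullchain.pem"` concatenates `domain`, which is declared before this hunk and, judging by the neighbouring `os.getenv` locals and the README's `DOMAIN:` variable, presumably comes from the environment; if it is unset the concatenation raises a nil-value error while the config is being loaded, so Prosody fails to start with a message pointing at the cert path rather than at the missing variable. A one-line guard ahead of the table, `assert(domain, "DOMAIN environment variable must be set (used to locate certs/<domain>/)")`, turns that into an explicit startup error. The comment on the `ssl` table says the fallback is "just for http_upload", but a top-level `ssl` table is Prosody's global fallback and, as far as I can tell, is also what the new direct-TLS listener on 5223 uses unless `legacy_ssl_ssl` is set, so I would reword it to `-- Global fallback: used by services such as http_upload and by any listener without a more specific certificate`. It would also help to note that the relative `certs/` path is, I believe, resolved against Prosody's config directory, which is what makes it line up with the README's `/usr/local/etc/prosody/certs/` mount. The `VirtualHost (domain)` section continues past the end of the hunk.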
@@ -19,12 +19,19 @@ While Conversations got everything set-up out-of-the-box, Gajim was used with th
 - [Image Details](#image-details)
 - [Ports](#ports)
 - [Directories](#directories)
+ - [Data](#data)
+ - [Bundled modules](#bundled-modules)
+ - [Additionally installed prosody modules](#additionally-installed-prosody-modules)
+ - [Config](#config)
+ - [SSL certificates](#ssl-certificates)
+ - [Folder structure](#folder-structure)
+ - [Symlinks](#symlinks)
+ - [Permissions](#permissions)
 - [Run](#run)
 - [Configuration](#configuration)
 - [Environment variables](#environment-variables)
 - [DNS](#dns)
 - [server_contact_info](#server_contact_info)
- - [Debugging](#debugging)
 - [Extend](#extend)
 - [Upgrade](#upgrade)
 - [Test your server](#test-your-server)
@@ -53,6 +60,7 @@ The following ports are exposed:
 
 * 5000: proxy65 port used for file sharing
 * 5222: c2s port (client to server)
+* 5223: c2s legacy ssl port (client to server)
 * 5269: s2s port (server to server)
 * 5347: XMPP component port
 * 5280: BOSH / websocket port
@@ -60,17 +68,60 @@ The following ports are exposed:
 
 ### Directories
 
-* Data: ```/usr/local/var/lib/prosody/```
- * used for SQLite file
- * used for HTTP uploads
- * this is exposed as docker volume
-* Bundled modules: ```/usr/local/lib/prosody/modules/```
-* Additionally installed prosody modules: ```/usr/local/lib/prosody/custom-modules/```
-* Config: ```/usr/local/etc/prosody/```
- * containing the main config file called ```prosody.cfg.lua```
- * containing additional config files within ```conf.d/```
-* SSL certificates: ```/usr/local/etc/prosody/certs/```
- * expects private key to be named ```prosody.key``` and certificate (fullchain) to be ```prosody.crt```
+#### Data
+
+Path: ```/usr/local/var/lib/prosody/```.
+
+* used for SQLite file
+* used for HTTP uploads
+* this is exposed as docker volume
+
+#### Bundled modules
+
+Path: ```/usr/local/lib/prosody/modules/```.
+
+#### Additionally installed prosody modules
+
+Path: ```/usr/local/lib/prosody/custom-modules/```.
+
+#### Config
+
+Path: ```/usr/local/etc/prosody/```.
+
+* containing the main config file called ```prosody.cfg.lua```
+* containing additional config files within ```conf.d/```
+
+#### SSL certificates
+
+Path: ```/usr/local/etc/prosody/certs/```.
+
+Uses [automatic location](https://prosody.im/doc/certificates#automatic_location) to find your certs.
+
+The http_upload module does not use the same search algorithm for the certificates. See [service certificates](https://prosody.im/doc/certificates#service_certificates).
+
+The setting ssl in [05-vhost.cfg.lua](./conf.d/05-vhost.cfg.lua) configures certificates globally as a fallback.
+
+Which defaults to ```cert/domain.tld/fullchain.pem``` and ```cert/domain.tld/privkey.pem```.
+
+##### Folder structure
+
+An example certificate folder structure could look like this:
+
+TODO
+
+Thats how Let's encrypt certbot does it out of the box.
+
+##### Symlinks
+
+certbot creates the structure and uses symlinks to the actual certificates.
+If you mount them like that prosody somehow does not find them.
+I copied them to a folder named ```certs``` next to my ```docker-compose.yml``` and made sure to use the ```-L``` flag of ```cp```.
+This makes cp follow symbolic links when copying from them.
+For example ```cp -L src dest```.
+
+##### Permissions
+
+TODO
 
 ### Run
 
@@ -90,15 +141,14 @@ services:
 environment:
 DOMAIN: domain.tld
 volumes:
- - ./privkey.pem:/usr/local/etc/prosody/certs/prosody.key
- - ./fullchain.pem:/usr/local/etc/prosody/certs/prosody.crt
+ - ./certs:/usr/local/etc/prosody/certs
 - ./data:/usr/local/var/lib/prosody
 restart: unless-stopped
 ```
 
-Boot it via: ```docker-compose up -d```
+Boot it via: ```docker-compose up -d```.
 
-Inspect logs: ```docker-compose logs -f```
+Inspect logs: ```docker-compose logs -f```.
 
 ### Configuration
 
@@ -141,24 +191,6 @@ It is configured for the following contacts:
 
 You can change them in [05-server_contact_info.cfg.lua](./conf.d/04-server_contact_info.cfg.lua).
 
-### Debugging
-
-Change to verbose logging by replacing the following config lines within ```prosody.cfg.lua```:
-
-```lua
-log = {
- {levels = {min = "info"}, to = "console"};
-};
-```
-
-with:
-
-```lua
-log = {
- {levels = {min = "debug"}, to = "console"};
-};
-```
-
 ### Extend
 
 There is a helper script that eases installing additional prosody modules: ```docker-prosody-module-install```