From 522e26c5ac3bef2d6255d4a631bf771d9564924c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sara=20Aim=C3=A9e=20Smiseth?= <51710585+SaraSmiseth@users.noreply.github.com>
Date: Wed, 8 Jul 2020 16:06:05 +0200
Subject: [PATCH] Change global ssl section to http_upload and legacy_ssl sections. It is only needed there.
---
 CHANGELOG.md | 6 ++++--
 conf.d/05-vhost.cfg.lua | 16 ++++++++++------
 readme.md | 8 +++-----
 3 files changed, 17 insertions(+), 13 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5b208e3..1bc75c2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,9 +3,11 @@
 ## Unreleased
 * Enable "announce" and "lastactivity" modules.
-* Add badges to README. Fixes #5.
-* Update readme. Fixes #2
 * Add PROSODY_ADMINS to specify who is an administrator. Fixes #7
+* Move global ssl section to https_ssl and legacy_ssl_ssl section. It is only needed there. #3
+ *
+* Add badges to README. Fixes #5.
+* Update README. Add information for certificate permissions.
 ## v1.0.0
diff --git a/conf.d/05-vhost.cfg.lua b/conf.d/05-vhost.cfg.lua
index 7d0da7e..e4fe3f1 100644
--- a/conf.d/05-vhost.cfg.lua
+++ b/conf.d/05-vhost.cfg.lua
@@ -4,17 +4,21 @@ local domain_muc = os.getenv("DOMAIN_MUC")
 local domain_proxy = os.getenv("DOMAIN_PROXY")
 local domain_pubsub = os.getenv("DOMAIN_PUBSUB")
--- This is a fallback just for http_upload because service certificates are searched differently
--- https://prosody.im/doc/certificates#service_certificates
-ssl = {
+-- XEP-0368: SRV records for XMPP over TLS
+-- https://compliance.conversations.im/test/xep0368/
+legacy_ssl_ssl = {
   certificate = "certs/" .. domain .. "/fullchain.pem";
   key = "certs/" .. domain .. "/privkey.pem";
 }
-
--- XEP-0368: SRV records for XMPP over TLS
--- https://compliance.conversations.im/test/xep0368/
 legacy_ssl_ports = { 5223 }
+-- https://prosody.im/doc/certificates#service_certificates
+-- https://prosody.im/doc/ports#ssl_configuration
+https_ssl = {
+  certificate = "certs/" .. domain_http_upload .. "/fullchain.pem";
+  key = "certs/" .. domain_http_upload .. "/privkey.pem";
+}
+
 VirtualHost (domain)
   -- Set up a http file upload because proxy65 is not working in muc
diff --git a/readme.md b/readme.md
index c11de14..9b1d9ff 100644
--- a/readme.md
+++ b/readme.md
@@ -7,7 +7,7 @@ This docker image provides you with a configured [Prosody](https://prosody.im/) XMPP server. The image is based on `debian:buster-slim`. The server was tested using the Android App [Conversations](https://conversations.im/) and the Desktop client [Gajim](https://gajim.org).
-Multiple [architectures](https://hub.docker.com/r/sarasmiseth/prosody/tags) are supported.
+Multiple [architectures](https://hub.docker.com/r/sarasmiseth/prosody/tags) are supported. I use it on my raspberry pi 4.
 While Conversations got everything set-up out-of-the-box, Gajim was used with the following extensions:
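Review bot: The new `https_ssl` table concatenates `domain_http_upload`, which is defined before this hunk (presumably via os.getenv like the neighbouring locals), so an unset DOMAIN_HTTP_UPLOAD makes the `certificate = "certs/" .. domain_http_upload .. "/fullchain.pem";` line fail config loading with a bare "attempt to concatenate a nil value" that does not say which variable is missing; the same holds for `domain` in `legacy_ssl_ssl`. If assert is available in the config environment, a guard such as `assert(domain_http_upload, "DOMAIN_HTTP_UPLOAD is not set; https_ssl needs it")` directly above `https_ssl = {` turns that into an actionable error at startup. The comment above `https_ssl` should also say that, unlike the removed global `ssl` fallback, this block appears (per the linked ports documentation) to configure the https listener as a whole rather than http_upload alone, so the certificate under DOMAIN_HTTP_UPLOAD now has to be valid for every HTTP service served on that port. The two tables differ only in the domain and could be produced by one small local helper, which would keep the file-name layout in a single place. The VirtualHost block that starts at the end of this hunk continues outside it.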
@@ -102,11 +102,9 @@ Path: ```/usr/local/etc/prosody/certs/```.
 Uses [automatic location](https://prosody.im/doc/certificates#automatic_location) to find your certs.
-The http_upload module does not use the same search algorithm for the certificates. See [service certificates](https://prosody.im/doc/certificates#service_certificates).
+The http_upload module and the legacy_ssl module do not use the same search algorithm for the certificates. See [service certificates](https://prosody.im/doc/certificates#service_certificates).
-The setting ssl in [05-vhost.cfg.lua](./conf.d/05-vhost.cfg.lua) configures certificates globally as a fallback.
-
-Which defaults to ```cert/domain.tld/fullchain.pem``` and ```cert/domain.tld/privkey.pem```.
+The settings https_ssl and legacy_ssl_ssl in [05-vhost.cfg.lua](./conf.d/05-vhost.cfg.lua) configures the certificates to ```certs/domain.tld/fullchain.pem``` and ```certs/domain.tld/privkey.pem``` for legacy_ssl and to ```certs/DOMAIN_HTTP_UPLOAD/fullchain.pem``` and ```certs/DOMAIN_HTTP_UPLOAD/privkey.pem``` for http_upload where DOMAIN_HTTP_UPLOAD is an environtment variable.
 ##### Folder structure