Change global ssl section to http_upload and legacy_ssl sections. It is only needed there.

Sara Aimée Smiseth 2020-07-08 16:06:05 +02:00
parent d49e03b5c9
commit 522e26c5ac
3 changed files with 17 additions and 13 deletions


@ -3,9 +3,11 @@
## Unreleased ## Unreleased
* Enable "announce" and "lastactivity" modules. * Enable "announce" and "lastactivity" modules.
* Add badges to README. Fixes #5.
* Update readme. Fixes #2
* Add PROSODY_ADMINS to specify who is an administrator. Fixes #7 * Add PROSODY_ADMINS to specify who is an administrator. Fixes #7
* Move global ssl section to https_ssl and legacy_ssl_ssl section. It is only needed there. #3
* <https://prosody.im/doc/ports#ssl_configuration>
* Add badges to README. Fixes #5.
* Update README. Add information for certificate permissions.
## v1.0.0 ## v1.0.0
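Review bot: the new entry "Move global ssl section to https_ssl and legacy_ssl_ssl section" describes a move, but the configuration change in this commit removes the global `ssl` table, and the changelog should say so because anyone who relied on that fallback loses it on upgrade. Suggest wording such as "Remove global ssl fallback; certificates are now set only in https_ssl and legacy_ssl_ssl", and write the reference as "Fixes #3" or "See #3" to match the neighbouring entries. The replaced "Update readme. Fixes #2" line also drops its issue reference; keep it if #2 is still what the README change addresses.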


@ -4,17 +4,21 @@ local domain_muc = os.getenv("DOMAIN_MUC")
local domain_proxy = os.getenv("DOMAIN_PROXY") local domain_proxy = os.getenv("DOMAIN_PROXY")
local domain_pubsub = os.getenv("DOMAIN_PUBSUB") local domain_pubsub = os.getenv("DOMAIN_PUBSUB")
-- This is a fallback just for http_upload because service certificates are searched differently -- XEP-0368: SRV records for XMPP over TLS
-- https://prosody.im/doc/certificates#service_certificates -- https://compliance.conversations.im/test/xep0368/
ssl = { legacy_ssl_ssl = {
certificate = "certs/" .. domain .. "/fullchain.pem"; certificate = "certs/" .. domain .. "/fullchain.pem";
key = "certs/" .. domain .. "/privkey.pem"; key = "certs/" .. domain .. "/privkey.pem";
} }
-- XEP-0368: SRV records for XMPP over TLS
-- https://compliance.conversations.im/test/xep0368/
legacy_ssl_ports = { 5223 } legacy_ssl_ports = { 5223 }
-- https://prosody.im/doc/certificates#service_certificates
-- https://prosody.im/doc/ports#ssl_configuration
https_ssl = {
certificate = "certs/" .. domain_http_upload .. "/fullchain.pem";
key = "certs/" .. domain_http_upload .. "/privkey.pem";
}
VirtualHost (domain) VirtualHost (domain)
-- Set up a http file upload because proxy65 is not working in muc -- Set up a http file upload because proxy65 is not working in muc
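Review bot: in the added `https_ssl` table both paths are built with `"certs/" .. domain_http_upload`, and Lua raises an error when it concatenates nil, so if `domain_http_upload` is read from an unset environment variable (its definition is above the lines shown here) loading this file fails. Either wrap the table in `if domain_http_upload then ... end` or document the variable as required. The old explanatory comment about the http_upload fallback was also dropped; a one-line comment above `https_ssl` saying why service certificates need an explicit path would read better than the two bare URLs.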


@ -7,7 +7,7 @@
This docker image provides you with a configured [Prosody](https://prosody.im/) XMPP server. The image is based on `debian:buster-slim`. This docker image provides you with a configured [Prosody](https://prosody.im/) XMPP server. The image is based on `debian:buster-slim`.
The server was tested using the Android App [Conversations](https://conversations.im/) and the Desktop client [Gajim](https://gajim.org). The server was tested using the Android App [Conversations](https://conversations.im/) and the Desktop client [Gajim](https://gajim.org).
Multiple [architectures](https://hub.docker.com/r/sarasmiseth/prosody/tags) are supported. Multiple [architectures](https://hub.docker.com/r/sarasmiseth/prosody/tags) are supported. I use it on my raspberry pi 4.
While Conversations got everything set-up out-of-the-box, Gajim was used with the following extensions: While Conversations got everything set-up out-of-the-box, Gajim was used with the following extensions:
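Review bot: the sentence appended to the architectures line, "I use it on my raspberry pi 4.", is a personal aside in otherwise descriptive text and lower-cases the product name. Suggest "Tested on a Raspberry Pi 4." so the reader learns which of the listed architectures was actually exercised.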
@ -102,11 +102,9 @@ Path: ```/usr/local/etc/prosody/certs/```.
Uses [automatic location](https://prosody.im/doc/certificates#automatic_location) to find your certs. Uses [automatic location](https://prosody.im/doc/certificates#automatic_location) to find your certs.
The http_upload module does not use the same search algorithm for the certificates. See [service certificates](https://prosody.im/doc/certificates#service_certificates). The http_upload module and the legacy_ssl module do not use the same search algorithm for the certificates. See [service certificates](https://prosody.im/doc/certificates#service_certificates).
The setting ssl in [05-vhost.cfg.lua](./conf.d/05-vhost.cfg.lua) configures certificates globally as a fallback. The settings https_ssl and legacy_ssl_ssl in [05-vhost.cfg.lua](./conf.d/05-vhost.cfg.lua) configures the certificates to ```certs/domain.tld/fullchain.pem``` and ```certs/domain.tld/privkey.pem``` for legacy_ssl and to ```certs/DOMAIN_HTTP_UPLOAD/fullchain.pem``` and ```certs/DOMAIN_HTTP_UPLOAD/privkey.pem``` for http_upload where DOMAIN_HTTP_UPLOAD is an environtment variable.
Which defaults to ```cert/domain.tld/fullchain.pem``` and ```cert/domain.tld/privkey.pem```.
##### Folder structure ##### Folder structure
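Review bot: the rewritten line starting "The settings https_ssl and legacy_ssl_ssl" has a typo ("environtment"), a verb agreement error ("settings ... configures"), and packs four paths into one sentence. Split it into one sentence or list item per setting, each naming its fullchain.pem and privkey.pem path, and mark clearly which part of each path is a placeholder. Since the removed line said the old `ssl` setting was a global fallback, it is also worth stating here that no fallback remains.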