
Ejabberd: Configuration

Cyril Peponnet edited this page Nov 15, 2013 · 33 revisions

Note to Debian-based distro (yes, Ubuntu is Debian) users

Guys, we don't exactly know why it seems to be so hard for you to drop the default ejabberd.cfg packaged by Debian, but it seems it badly hurts your feelings. We are sorry, but the default Debian ejabberd.cfg is a configuration for a basic chat server (which is great for a chat server). Archipel needs more advanced options to be a full XMPP server. So please, rm /etc/ejabberd/ejabberd.cfg, copy the following sample into a new file named /etc/ejabberd/ejabberd.cfg, and replace every occurrence of FQDN with your actual FQDN (and, if needed, update the path of the TLS certificate). Please stop trying to adapt the default config file, because most of the time you miss several tokens and it makes Archipel sad. If you really can't remove the original file for sentimental reasons, rename it to ejabberd.cfg.orig. Then, later, you will be able to print it, frame it, and cherish it for the rest of your life :)

Configuration

Important note: If you can't start ejabberd with this config file, this is mainly because something is wrong with your module installation, and Archipel will certainly not work.

This sample file contains the ejabberd configuration needed for Archipel. It is not ready for production, but allows you to quickly start playing with Archipel.

WARNING: some file paths may need to be tweaked to match your ejabberd install.

%%%
%%%               ejabberd configuration file
%%%  
%%%              Archipel Sample Configuration

%%%   =======================
%%%   OVERRIDE STORED OPTIONS
  
%% loglevel: Verbosity of log files generated by ejabberd.
{loglevel, 3}.


%%%   ================
%%%   SERVED HOSTNAMES

%% CHANGE FQDN to your FQDN
{hosts, ["FQDN"]}.
 

%%%   ===============
%%%   LISTENING PORTS

{listen,
 [

  %% If you have compiled the ejabberd-xmlrpc, uncomment the following line
  %%{4560, ejabberd_xmlrpc, [{access_commands, [{xmlrpcaccess, all, []}]}]},

  {5222, ejabberd_c2s, [
            {access, c2s},
            starttls, 
            {certfile, "/etc/ejabberd/ejabberd.pem"},
            {max_stanza_size, 65536000}
               ]},

  {5269, ejabberd_s2s_in, [
            {max_stanza_size, 65536000}
               ]},

  %% BOSH service
  {5280, ejabberd_http, [
             http_bind,
             http_poll
               ]},

  %% SSL version of the BOSH service
  {5281, ejabberd_http, [
             http_bind,
             http_poll,
             web_admin,
             tls,{certfile, "/etc/ejabberd/ejabberd.pem"}
               ]}
 ]}.


%%%   ===============
%%%   S2S

{route_subdomains, s2s}.
{s2s_use_starttls, true}.
{s2s_default_policy, allow}.    
{s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.


%%%   ==============
%%%   AUTHENTICATION

{auth_method, internal}.


%%%   ===============
%%%   TRAFFIC SHAPERS

{shaper, normal, {maxrate, 1000}}.
{shaper, fast, {maxrate, 50000}}.


%%%   ====================
%%%   ACCESS CONTROL LISTS

%% CHANGE FQDN to your FQDN
{acl, admin, {user, "admin", "FQDN"}}.
{acl, local, {user_regexp, ""}}.


%% If you HAVE NOT compiled the ejabberd-xmlrpc module, you
%% need to declare all your hypervisors as ejabberd admins.
%% The hypervisor JID is defined in archipel.conf. By default
%% it is hypervisor@FQDN.
%% You can also use the archipel-ejabberdadmin tool to add them
%% directly to the ejabberd database.

%% {acl, admin, {user, "hypervisor", "FQDN"}}.
%% {acl, admin, {user, "hypervisor-x", "FQDN"}}.

%%%   ============
%%%   ACCESS RULES

{access, max_user_sessions, [{10, all}]}.
{access, local, [{allow, local}]}.
{access, c2s, [{deny, blocked}, {allow, all}]}.
{access, c2s_shaper, [{none, admin}, {fast, all}]}.
{access, s2s_shaper, [{fast, all}]}.
{access, announce, [{allow, admin}]}.
{access, configure, [{allow, admin}]}.
{access, muc_admin, [{allow, admin}]}.
{access, muc, [{allow, all}]}.
{access, muc_create, [{allow, local}]}.
{access, pubsub_createnode, [{allow, all}]}.
{access, xmlrpcaccess, [{allow, admin}]}.


%%%   ================
%%%   DEFAULT LANGUAGE

{language, "en"}.
      

%%%   =======
%%%   REGISTRATION

{access, register, [{allow, all}]}.
{registration_timeout, infinity}.

%%%   =======
%%%   MODULES

{modules,
 [
  {mod_adhoc,    []},
  {mod_announce, [{access, announce}]}, % requires mod_adhoc
  {mod_caps,     []}, 
  {mod_configure,[]},
  {mod_disco,    []},
  {mod_http_bind,[
               {max_inactivity, 480}   % timeout value for BOSH, useful for a large number of VMs
             ]},
  {mod_irc,      []},
  {mod_last,     []},
  {mod_muc,      [
          {access, muc},
          {access_create, muc_create},
          {access_persistent, muc_create},
          {access_admin, muc_admin}
         ]},
  {mod_offline,  []},
  {mod_privacy,  []},
  {mod_private,  []},
  {mod_pubsub,   [ % requires mod_caps
          {access_createnode, pubsub_createnode},
          {ignore_pep_from_offline, true},
          {last_item_cache, false},
          {plugins, ["flat", "hometree", "pep"]},
          {max_items_node, 1000}
         ]},
  {mod_register, [
          {access, register}
         ]},
  {mod_roster,   []},
  {mod_shared_roster,[]},
  {mod_time,     []},
  {mod_vcard,    []},
  {mod_version,  []},
  {mod_admin_extra, []}
 ]}.

Note that you have to replace every occurrence of FQDN with your reachable fully qualified domain name, either manually or with:

sed -i 's/FQDN/your.fqdn.com/g' /etc/ejabberd/ejabberd.cfg

If you do not have access to a DNS server, add the following line to the /etc/hosts file of every machine in your platform:

X.X.X.X    your.fqdn.com

Generate a self-signed certificate if you don't have one.

Important note: Be sure to enter your FQDN when asked for "Common Name (e.g. server FQDN or YOUR name)".

openssl req -new -x509 -newkey rsa:2048 -days 3650 -keyout /etc/ejabberd/privkey.pem -out /etc/ejabberd/ejabberd.pem
openssl rsa -in /etc/ejabberd/privkey.pem -out /etc/ejabberd/privkey.pem
cat /etc/ejabberd/privkey.pem >> /etc/ejabberd/ejabberd.pem
rm /etc/ejabberd/privkey.pem
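
The following check for the two steps above (placeholder replacement and the combined certificate/key file) is an added example, not part of the Archipel wiki or of ejabberd. The function names are illustrative. It also reports the open-registration settings that the sample enables for quick setup.

```shell
# Added example: post-edit checks for ejabberd.cfg and the combined PEM.
# Function names are illustrative, not part of Archipel or ejabberd.

# Active config lines: Erlang '%' comments and blank lines removed
# (assumes no '%' inside quoted strings, which holds for this sample).
active_lines() { sed -e 's/%.*$//' "$1" | grep -v '^[[:space:]]*$'; }

# A quoted "FQDN" in an active line means the placeholder was not replaced.
check_placeholders() {
    if active_lines "$1" | grep '"FQDN"' >&2; then return 1; fi
    return 0
}

# Each certfile / s2s_certfile must exist, include the appended private key,
# and not be world-readable, since the combined PEM holds that key.
check_certfiles() {
    rc=0
    for pem in $(active_lines "$1" |
                 sed -n 's/.*certfile, *"\([^"]*\)".*/\1/p' | sort -u); do
        if [ ! -f "$pem" ]; then
            echo "missing certificate file: $pem" >&2; rc=1
        elif ! grep -q 'PRIVATE KEY-----' "$pem"; then
            echo "no private key in: $pem" >&2; rc=1
        elif [ -n "$(find "$pem" -perm -004)" ]; then
            echo "world-readable private key: $pem" >&2; rc=1
        fi
    done
    return $rc
}

# Settings the sample leaves open for quick setup: anyone may register,
# with no delay between registrations from the same address.
check_exposure() {
    if active_lines "$1" | grep -F -e '{access, register, [{allow, all}]}' \
                                   -e '{registration_timeout, infinity}' >&2
    then return 1; fi
    return 0
}

audit_ejabberd_cfg() {
    status=0
    check_placeholders "$1" || status=1
    check_certfiles "$1"    || status=1
    check_exposure "$1"     || status=1
    return $status
}

# Run against a real file only when a path is given on the command line.
if [ "$#" -gt 0 ]; then audit_ejabberd_cfg "$1"; fi
```

Findings are printed to stderr and the exit status is non-zero if any check reports something.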

Start Ejabberd

For modern Debian-based distros

On Debian systems, ejabberdctl is used to control an already running ejabberd process. The proper way to start ejabberd on these distros is (often run as root):

/etc/init.d/ejabberd start

or

service ejabberd start

Stopping and restarting follow the same method. On Debian systems, the ejabberdctl script itself has no start command.

When using the ejabberdctl script, if you receive a response that says, Failed RPC connection to the node ejabberd@localhost: nodedown, try running the script as root (prefixing the command with sudo).

You can check that ejabberd is started and working with (often run as root):

ejabberdctl status
> The node ejabberd@FQDN is started with status: started
> ejabberd 2.1.10 is running in that node

For older Debian-based distros

You can then start ejabberd with the following command:

ejabberdctl start

Wait 10 seconds and check if it is started:

ejabberdctl status
> The node ejabberd@FQDN is started with status: started
> ejabberd 2.1.8 is running in that node

If you are getting Failed RPC connection to the node ejabberd@localhost: nodedown, modify your /etc/ejabberd/ejabberdctl.conf:

ERLANG_NODE=ejabberd@FQDN

Register an admin account

You need to register an XMPP admin account (if you want Archipel to work out of the box, just name it admin):

# ejabberdctl register admin your.fqdn.com yourpassword

Do not create any other account for a virtual machine or hypervisor. You can create as many user accounts as you want.


One sample of my working version in CentOS 6.4/64-bit

{loglevel, 4}.
{hosts, ["localhost", "94.x.x.x","sip.x.com"]}.
{listen,
 [
  {5222, ejabberd_c2s, [

			%%
			%% If TLS is compiled in and you installed a SSL
			%% certificate, specify the full path to the
			%% file and uncomment this line:
			%%
			%%{certfile, "/etc/ejabberd/ejabberd.pem"}, starttls,

			{access, c2s},
			{shaper, c2s_shaper},
			{max_stanza_size, 65536}
		       ]},

  %%
  %% To enable the old SSL connection method on port 5223:
  %%
  %%{5223, ejabberd_c2s, [
  %%			{access, c2s},
  %%			{shaper, c2s_shaper},
  %%			{certfile, "/etc/ejabberd/ejabberd.pem"}, tls,
  %%			{max_stanza_size, 65536}
  %%		       ]},

  {5269, ejabberd_s2s_in, [
			   {shaper, s2s_shaper},
			   {max_stanza_size, 131072}
			  ]},

  %%
  %% ejabberd_service: Interact with external components (transports, ...)
  %%
  %%{8888, ejabberd_service, [
  %%			    {access, all},
  %%			    {shaper_rule, fast},
  %%			    {ip, {127, 0, 0, 1}},
  %%			    {hosts, ["icq.example.org", "sms.example.org"],
  %%			     [{password, "secret"}]
  %%			    }
  %%			   ]},

  %%
  %% ejabberd_stun: Handles STUN Binding requests
  %%
  %%{{3478, udp}, ejabberd_stun, []},

  {5280, ejabberd_http, [
			 %%{request_handlers,
			 %% [
			 %%  {["pub", "archive"], mod_http_fileserver}
			 %% ]},
			 http_bind,
			 web_admin
			]}

 ]}.

{shaper, normal, {maxrate, 1000}}.
{shaper, fast, {maxrate, 50000}}.
{max_fsm_queue, 1000}.
{acl, admin, {user, "admin"}}.
{acl, local, {user_regexp, ""}}.
{access, max_user_sessions, [{10, all}]}.
{access, max_user_offline_messages, [{5000, admin}, {100, all}]}.
{access, local, [{allow, local}]}.

{access, c2s, [{deny, blocked},
	       {allow, all}]}.

{access, c2s_shaper, [{none, admin},
		      {normal, all}]}.

{access, s2s_shaper, [{fast, all}]}.

{access, announce, [{allow, admin}]}.

{access, configure, [{allow, admin}]}.

{access, muc_admin, [{allow, admin}]}.

{access, muc_create, [{allow, local}]}.

{access, muc, [{allow, all}]}.

{access, pubsub_createnode, [{allow, local}]}.

{access, register, [{allow, all}]}.

{language, "en"}.

{modules,
 [
  {mod_adhoc,    []},
  {mod_announce, [{access, announce}]}, % recommends mod_adhoc
  {mod_blocking,[]}, % requires mod_privacy
  {mod_caps,     []},
  {mod_configure,[]}, % requires mod_adhoc
  {mod_disco,    []},
  %%{mod_echo,   [{host, "echo.localhost"}]},
  {mod_irc,      []},
  {mod_http_bind, []},
  %%{mod_http_fileserver, [
  %%                       {docroot, "/var/www"},
  %%                       {accesslog, "/var/log/ejabberd/access.log"}
  %%                      ]},
  {mod_last,     []},
  {mod_muc,      [
		  %%{host, "conference.@HOST@"},
		  {access, muc},
		  {access_create, muc_create},
		  {access_persistent, muc_create},
		  {access_admin, muc_admin}
		 ]},
  %%{mod_muc_log,[]},
  {mod_offline,  [{access_max_user_messages, max_user_offline_messages}]},
  {mod_ping,     []},
  %%{mod_pres_counter,[{count, 5}, {interval, 60}]},
  {mod_privacy,  []},
  {mod_private,  []},
  %%{mod_proxy65,[]},
  {mod_pubsub,   [
		  {access_createnode, pubsub_createnode},
		  {ignore_pep_from_offline, true}, % reduces resource consumption, but not XEP compliant
		  %%{ignore_pep_from_offline, false},  % XEP compliant, but increases resource consumption
		  {last_item_cache, false},
		  {plugins, ["flat", "hometree", "pep"]}  % pep requires mod_caps
		 ]},
  {mod_register, [
		  %%
		  %% Protect In-Band account registrations with CAPTCHA.
		  %%
		  %%{captcha_protected, true},

		  %%
		  %% Set the minimum informational entropy for passwords.
		  %%
		  %%{password_strength, 32},

		  %%
		  %% After successful registration, the user receives
		  %% a message with this subject and body.
		  %%
		  {welcome_message, {"Welcome!",
				     "Hi.\nWelcome to this XMPP server."}},

		  %%
		  %% When a user registers, send a notification to
		  %% these XMPP accounts.
		  %%
		  %%{registration_watchers, ["[email protected]"]},

		  %%
		  %% Only clients in the server machine can register accounts
		  %%
		  {ip_access, [{allow, "127.0.0.0/8"},
			       {deny, "0.0.0.0/0"}]},

		  %%
		  %% Local c2s or remote s2s users cannot register accounts
		  %%
		  %%{access_from, deny},

		  {access, register}
		 ]},
  %%{mod_register_web, [
		  %%
		  %% When a user registers, send a notification to
		  %% these XMPP accounts.
		  %%
		  %%{registration_watchers, ["[email protected]"]}
  %%		 ]},
  {mod_roster,   []},
  %%{mod_service_log,[]},
  {mod_shared_roster,[]},
  {mod_stats,    []},
  {mod_time,     []},
  {mod_vcard,    []},
  {mod_version,  []}
 ]}.

Continue Archipel installation
