Ejabberd: Configuration
Guys, we don't exactly know why it seems so hard for you to drop the default ejabberd.cfg packaged by Debian, but it seems to badly hurt your feelings. We are sorry, but the default Debian ejabberd.cfg is a configuration for a basic chat server (which is great for a chat server). Archipel needs more advanced options to get a full XMPP server. So please, rm /etc/ejabberd/ejabberd.cfg, copy the following sample into a new file named /etc/ejabberd/ejabberd.cfg, and replace every occurrence of FQDN with your actual FQDN (and, if needed, update the path of the TLS certificate). Please stop trying to adapt the default config file: most of the time you miss several tokens and it makes Archipel sad. If you really can't remove the original file for sentimental reasons, rename it to ejabberd.cfg.orig. Then, later, you will be able to print it, frame it, and cherish it for the rest of your life :)
Important note: If you can't start ejabberd with this config file, it is most likely because something is wrong with your module installation, and Archipel will certainly not work either.
This sample file contains the ejabberd configuration needed by Archipel. It is not ready for production, but it lets you quickly start playing with Archipel.
WARNING: some file paths may need to be tweaked to match your ejabberd install.
%%%
%%% ejabberd configuration file
%%%
%%% Archipel Sample Configuration

%%% =======================
%%% OVERRIDE STORED OPTIONS

%% loglevel: Verbosity of log files generated by ejabberd.
{loglevel, 3}.

%%% ================
%%% SERVED HOSTNAMES

%% CHANGE FQDN to your FQDN
{hosts, ["FQDN"]}.

%%% ===============
%%% LISTENING PORTS

{listen,
 [
  %% If you have compiled the ejabberd-xmlrpc module, uncomment the following line
  %%{4560, ejabberd_xmlrpc, [{access_commands, [{xmlrpcaccess, all, []}]}]},
  {5222, ejabberd_c2s, [
      {access, c2s},
      starttls,
      {certfile, "/etc/ejabberd/ejabberd.pem"},
      {max_stanza_size, 65536000}
  ]},
  %% If you notice issues with the health monitoring, you probably need to comment out
  %% the starttls and certfile lines, or upgrade Archipel from source to be able to use SECURE BOSH.
  %% More information at https://github.com/ArchipelProject/Archipel/wiki/Installation:-Agent
  {5269, ejabberd_s2s_in, [
      {max_stanza_size, 65536000}
  ]},
  %% BOSH service
  {5280, ejabberd_http, [
      http_bind,
      http_poll
  ]},
  %% SSL version of the BOSH service
  {5281, ejabberd_http, [
      http_bind,
      http_poll,
      web_admin,
      tls, {certfile, "/etc/ejabberd/ejabberd.pem"}
  ]}
 ]}.

%%% ===============
%%% S2S

{route_subdomains, s2s}.
{s2s_use_starttls, true}.
{s2s_default_policy, allow}.
{s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.

%%% ==============
%%% AUTHENTICATION

{auth_method, internal}.

%%% ===============
%%% TRAFFIC SHAPERS

{shaper, normal, {maxrate, 1000}}.
{shaper, fast, {maxrate, 50000}}.

%%% ====================
%%% ACCESS CONTROL LISTS

%% CHANGE FQDN to your FQDN
{acl, admin, {user, "admin", "FQDN"}}.
{acl, local, {user_regexp, ""}}.

%% If you HAVE NOT compiled the ejabberd-xmlrpc module, you
%% need to declare all your hypervisors as ejabberd admins.
%% The hypervisor JID is defined in archipel.conf. By default
%% it is hypervisor@FQDN.
%% You can also use the archipel-ejabberdadmin tool to add them
%% directly to the ejabberd database.
%% {acl, admin, {user, "hypervisor", "FQDN"}}.
%% {acl, admin, {user, "hypervisor-x", "FQDN"}}.

%%% ============
%%% ACCESS RULES

{access, max_user_sessions, [{10, all}]}.
{access, local, [{allow, local}]}.
{access, c2s, [{deny, blocked}, {allow, all}]}.
{access, c2s_shaper, [{none, admin}, {fast, all}]}.
{access, s2s_shaper, [{fast, all}]}.
{access, announce, [{allow, admin}]}.
{access, configure, [{allow, admin}]}.
{access, muc_admin, [{allow, admin}]}.
{access, muc, [{allow, all}]}.
{access, muc_create, [{allow, local}]}.
{access, pubsub_createnode, [{allow, all}]}.
{access, xmlrpcaccess, [{allow, admin}]}.

%%% ================
%%% DEFAULT LANGUAGE

{language, "en"}.

%%% ============
%%% REGISTRATION

{access, register, [{allow, all}]}.
{registration_timeout, infinity}.

%%% =======
%%% MODULES

{modules,
 [
  {mod_adhoc, []},
  {mod_announce, [{access, announce}]}, % requires mod_adhoc
  {mod_caps, []},
  {mod_configure, []},
  {mod_disco, []},
  {mod_http_bind, [
      {max_inactivity, 480} % BOSH timeout value, useful for a large number of VMs
  ]},
  {mod_irc, []},
  {mod_last, []},
  {mod_muc, [
      {access, muc},
      {access_create, muc_create},
      {access_persistent, muc_create},
      {access_admin, muc_admin}
  ]},
  {mod_offline, []},
  {mod_privacy, []},
  {mod_private, []},
  {mod_pubsub, [ % requires mod_caps
      {access_createnode, pubsub_createnode},
      {ignore_pep_from_offline, true},
      {last_item_cache, false},
      {plugins, ["flat", "hometree", "pep"]},
      {max_items_node, 1000}
  ]},
  {mod_register, [
      {access, register}
  ]},
  {mod_roster, []},
  {mod_shared_roster, []},
  {mod_time, []},
  {mod_vcard, []},
  {mod_version, []},
  {mod_admin_extra, []}
 ]}.
Recent ejabberd releases use a YAML configuration file instead; the same configuration in that format follows.
###
### ejabberd configuration file
### Archipel Sample default configuration

### =========
### DEBUGGING
loglevel: 3

### ================
### SERVED HOSTNAMES
# Change it to your FQDN
hosts:
  - "FQDN"

### ===============
### LISTENING PORTS
listen:
  ## If you have compiled the ejabberd-xmlrpc module, uncomment the following lines
  #-
  #  #ip: 127.0.0.1
  #  port: 4560
  #  module: ejabberd_xmlrpc
  #  #timeout: 30000
  #  #maxsessions: 20
  #  access_commands:
  #    xmlrpcaccess:
  #      all: []
  ## ejabberd c2s
  -
    port: 5222
    module: ejabberd_c2s
    ##
    ## If TLS is compiled in and you installed an SSL
    ## certificate, specify the full path to the
    ## file and uncomment these lines:
    ##
    ## certfile: "/etc/ejabberd/ejabberd.pem"
    ## starttls: true
    max_stanza_size: 65536000
    shaper: c2s_shaper
    access: c2s
  ## ejabberd s2s
  -
    port: 5269
    module: ejabberd_s2s_in
    max_stanza_size: 65536000
  ## ejabberd http/s (BOSH)
  -
    port: 5280
    module: ejabberd_http
    ##
    ## If TLS is compiled in and you installed an SSL
    ## certificate, specify the full path to the
    ## file and uncomment these lines:
    ##
    ## certfile: "/etc/ejabberd/ejabberd.pem"
    ## tls: true
    web_admin: true
    http_poll: true
    http_bind: true

### ===
### S2S
s2s_use_starttls: optional
s2s_certfile: "/etc/ejabberd/ejabberd.pem"
## domain_certfile: Specify a different certificate for each served hostname.
##
## host_config:
##   "example.org":
##     domain_certfile: "/path/to/example_org.pem"
##   "example.com":
##     domain_certfile: "/path/to/example_com.pem"
s2s_policy: s2s_access

### ==============
### AUTHENTICATION
auth_method: internal

### ===============
### TRAFFIC SHAPERS
shaper:
  ##
  ## The "normal" shaper limits traffic speed to 1000 B/s
  ##
  normal: 1000
  ##
  ## The "fast" shaper limits traffic speed to 50000 B/s
  ##
  fast: 50000

### ====================
### ACCESS CONTROL LISTS
acl:
  admin:
    user:
      - "admin": "FQDN"
  local:
    user_regexp: ""

### ============
### ACCESS RULES
access:
  max_user_sessions:
    all: 10
  local:
    local: allow
  c2s:
    blocked: deny
    all: allow
  c2s_shaper:
    admin: none
    all: fast
  s2s_shaper:
    all: fast
  announce:
    admin: allow
  configure:
    admin: allow
  muc_admin:
    admin: allow
  muc_create:
    local: allow
  muc:
    all: allow
  pubsub_createnode:
    all: allow
  register:
    all: allow
  xmlrpcaccess:
    admin: allow

### Frequency of account registration
registration_timeout: infinity

### ================
### DEFAULT LANGUAGE
language: "en"

### =======
### MODULES
modules:
  mod_adhoc: []
  mod_announce:
    access: announce
  mod_caps: []
  mod_configure: []
  mod_disco: []
  mod_http_bind:
    max_inactivity: 400 # BOSH timeout value, useful for a large number of VMs
  mod_irc: []
  mod_last: []
  mod_muc:
    access: muc
    access_create: muc_create
    access_persistent: muc_create
    access_admin: muc_admin
  mod_offline: []
  mod_privacy: []
  mod_private: []
  mod_pubsub:
    access_createnode: pubsub_createnode
    ignore_pep_from_offline: true
    last_item_cache: false
    max_items_node: 1000
    plugins:
      - "flat"
      - "hometree"
      - "pep"
  mod_register:
    access: register
  mod_roster: []
  mod_shared_roster: []
  mod_time: []
  mod_vcard: []
  mod_version: []
  mod_admin_extra: []
Note that you have to replace all occurrences of FQDN with your reachable fully qualified domain name, either manually or with:
sed -i 's/FQDN/your.fqdn.com/' /etc/ejabberd/ejabberd.cfg
If you don't have access to a DNS server, you need to add the following line to the /etc/hosts file of every machine of your platform:
X.X.X.X your.fqdn.com
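The YAML file above is edited by hand, so here is a small consistency check for a file of that shape (an added example, not Archipel's or ejabberd's own tooling): it flags the FQDN placeholder left in place, any access rule that a listener, a module or s2s_policy names without declaring it under access:, and a registration rule that lets anyone create accounts. The set of referencing keys is assumed from the file above, and the check relies on the two-space indentation used there.

```python
import re
from typing import List, Set

# Keys whose value names an access rule in the file above (list assumed from that file).
RULE_REF_KEYS = {"access", "access_create", "access_persistent", "access_admin",
                 "access_createnode", "shaper", "s2s_policy"}

def _code_lines(text: str):
    # Yield (lineno, line) with YAML comments stripped.
    for n, line in enumerate(text.splitlines(), 1):
        yield n, line.split("#", 1)[0].rstrip()

def defined_access_rules(text: str) -> Set[str]:
    """Rule names declared under the top-level 'access:' key (two-space indent)."""
    rules, in_access = set(), False
    for _, line in _code_lines(text):
        if re.match(r"^\S", line):          # a new top-level key starts here
            in_access = line == "access:"
        elif in_access and re.match(r"^  \w+:$", line):
            rules.add(line.strip()[:-1])
    return rules

def lint_ejabberd_yml(text: str) -> List[str]:
    """Return findings as strings; an empty list means nothing was flagged."""
    findings, rules, in_access = [], defined_access_rules(text), False
    if '"FQDN"' in text:
        findings.append("placeholder FQDN was not replaced (hosts and acl still use it)")
    for n, line in _code_lines(text):
        if re.match(r"^\S", line):
            in_access = line == "access:"
        ref = re.match(r"^\s*(\w+):\s*(\w+)$", line)   # e.g. '    access: c2s'
        if ref and not in_access and ref.group(1) in RULE_REF_KEYS and ref.group(2) not in rules:
            findings.append(f"line {n}: {ref.group(1)} names undefined access rule {ref.group(2)!r}")
    if re.search(r"^  register:\n\s+all: allow", text, re.M):   # anyone may create accounts
        findings.append("in-band registration is open to everyone (access register: all: allow)")
    return findings

# Constructed sample: a cut-down copy of the file above, placeholder still in
# place and an s2s rule that is never declared under access:.
SAMPLE_YML = """\
hosts:
  - "FQDN"
s2s_policy: s2s_access
access:
  c2s:
    all: allow
  register:
    all: allow
modules:
  mod_register:
    access: register
"""
```

Run `lint_ejabberd_yml(open("/etc/ejabberd/ejabberd.yml").read())` after the sed step; three findings come back for SAMPLE_YML and none once the placeholder, the undefined rule and the open registration are fixed.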
Generate a self-signed certificate if you don't have one.
Important note: Be sure to enter your FQDN when asked for "Common Name (e.g. server FQDN or YOUR name)".
openssl req -new -x509 -newkey rsa:1024 -days 3650 -keyout /etc/ejabberd/privkey.pem -out /etc/ejabberd/ejabberd.pem
openssl rsa -in /etc/ejabberd/privkey.pem -out /etc/ejabberd/privkey.pem
cat /etc/ejabberd/privkey.pem >> /etc/ejabberd/ejabberd.pem
rm /etc/ejabberd/privkey.pem
On Debian systems, ejabberdctl is used to control an already running ejabberd process. The proper way to start ejabberd on these distributions is (usually run as root):
/etc/init.d/ejabberd start
or
service ejabberd start
Stopping and restarting follow the same method. On Debian systems, the ejabberdctl script itself has no start command.
When using the ejabberdctl script, if you receive a response that says Failed RPC connection to the node ejabberd@localhost: nodedown, try running the script as root (prefix the command with sudo).
You can check that ejabberd is started and working with (often run as root):
ejabberdctl status
> The node ejabberd@FQDN is started with status: started
> ejabberd 2.1.10 is running in that node
Otherwise, you can start ejabberd with the following command:
ejabberdctl start
Wait 10 seconds and check if it is started:
ejabberdctl status
> The node ejabberd@FQDN is started with status: started
> ejabberd 2.1.8 is running in that node
If you get Failed RPC connection to the node ejabberd@localhost: nodedown, set the node name in /etc/ejabberd/ejabberdctl.conf:
ERLANG_NODE=ejabberd@FQDN
Note: by default, the ejabberdctl command tries to reach the epmd daemon listening on localhost, as defined in /etc/ejabberd/ejabberdctl.conf:
#.
#' INET_DIST_INTERFACE: IP address where this Erlang node listens other nodes
#
# This communication is used by ejabberdctl command line tool,
# and in a cluster of several ejabberd nodes.
#
# Default: 127.0.0.1
#
#INET_DIST_INTERFACE=127.0.0.1
So the command first resolves the hostname via inet:gethostbyname, which returns the host's FQDN and public IP from DNS (since /etc/resolv.conf has a "search" line). It then tries to connect to the epmd port on that public IP, but since epmd only listens on 127.0.0.1, the connection fails.
In this case, you have to add an entry to your /etc/hosts file:
127.0.0.1 FQDN ShortName
For example:
127.0.0.1 archipel.local archipel
Making the epmd daemon listen on 0.0.0.0 is not recommended (if you do, don't forget to add iptables rules restricting who can reach it).
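To reproduce the lookup described above before touching /etc/hosts, here is an added example (not part of ejabberd or Archipel) that predicts the outcome for a given ERLANG_NODE: it consults an /etc/hosts text first and a resolver only as a fallback, then compares the result with the address epmd is bound to. The resolver is injectable so the sample below runs offline; `_public_dns` and the address 203.0.113.5 are constructed stand-ins, and `epmd_bind` is assumed to be the INET_DIST_INTERFACE value.

```python
import ipaddress
import socket
from typing import Callable, Optional

def hosts_file_lookup(hosts_text: str, name: str) -> Optional[str]:
    """Address that an /etc/hosts text gives for `name`; first match wins, like the resolver."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and name in fields[1:]:
            return fields[0]
    return None

def diagnose_epmd(node: str, hosts_text: str,
                  resolve: Callable[[str], str] = socket.gethostbyname,
                  epmd_bind: str = "127.0.0.1") -> str:
    """Say whether ejabberdctl, run with ERLANG_NODE=<node>, can reach epmd.

    /etc/hosts is consulted first and DNS (`resolve`) only as a fallback;
    `epmd_bind` is assumed to be the INET_DIST_INTERFACE value."""
    host = node.rsplit("@", 1)[-1]
    addr = hosts_file_lookup(hosts_text, host)
    if addr is None:
        try:
            addr = resolve(host)
        except OSError:
            return f"nodedown expected: {host} does not resolve at all"
    if ipaddress.ip_address(addr) == ipaddress.ip_address(epmd_bind):
        return f"ok: {host} resolves to {addr}, where epmd listens"
    short = host.split(".")[0]
    return (f"nodedown expected: {host} resolves to {addr} but epmd listens on {epmd_bind}; "
            f"add '{epmd_bind} {host} {short}' to /etc/hosts")

# Constructed /etc/hosts: only archipel.local is mapped to loopback.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
# 127.0.0.1 archipel.example archipel   (commented out on purpose)
127.0.0.1 archipel.local archipel
"""

def _public_dns(name: str) -> str:
    # Stand-in resolver (constructed): every name gets a documentation-range public address.
    return "203.0.113.5"

if __name__ == "__main__":
    print(diagnose_epmd("ejabberd@archipel.local", SAMPLE_HOSTS, resolve=_public_dns))
    print(diagnose_epmd("ejabberd@archipel.example", SAMPLE_HOSTS, resolve=_public_dns))
```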
You need to register an XMPP admin account (if you want Archipel to work out of the box, just name it admin):
# ejabberdctl register admin your.fqdn.com yourpassword
Do not create any other accounts for virtual machines or hypervisors. You can create as many user accounts as you want.