
Ejabberd Tips & Tricks

Since setting up the server itself, including creating shared rosters and connecting transports, has already been written about many times over, I will touch on the issues that get less coverage in the domestic press: security, convenience, speed.


1. Security.



Let's start with the simplest and most important thing: let's protect ourselves!
First, we make the client encrypt the connection with SSL, so that anyone trying by any means to sniff the secret password suffers their first defeat.
Once the connection itself is encrypted, you can allow the password to be sent in plain text.
<Digression>
I assume that there is already a certificate on the server side.
If by some annoying omission the certificate was never generated, it can be done like this:
cd /var/lib/ssl/; openssl req -newkey rsa:1024 -keyout server.pem -nodes -x509 -days 3650 -out server.cer
echo "" >> server.pem; cat server.cer >> server.pem

As you can see, this is easier than installing Gentoo (which, as everyone knows, takes all of three commands).

Do not forget the permissions on the certificate: chown ejabberd:ejabberd server.pem; chmod 0400 server.pem
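Before pointing ejabberd at the file, it is worth checking that the three steps above actually produced what the daemon expects: one PEM holding both the private key and the certificate, readable only by the ejabberd user. The check below is an added example, not part of the original article; it assumes GNU coreutils stat (with a BSD fallback) and takes the expected owner as an optional second argument.

```sh
#!/bin/sh
# Added example, not from the original article: sanity-check the combined
# PEM file (key + certificate) before pointing ejabberd's certfile at it.
# Assumes the file was built as above:
#   openssl ... -keyout server.pem; cat server.cer >> server.pem
#
# Usage: check_ejabberd_pem /var/lib/ssl/server.pem [expected_owner]
check_ejabberd_pem() {
    pem="$1"
    want_owner="${2:-ejabberd}"   # the user ejabberd runs as
    [ -f "$pem" ] || { echo "missing: $pem" >&2; return 1; }
    # ejabberd reads both the private key and the certificate from one file.
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem" \
        || { echo "no private key in $pem" >&2; return 2; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" \
        || { echo "no certificate in $pem" >&2; return 3; }
    # The key must be readable by the ejabberd user only (chmod 0400 above).
    mode=$(stat -c '%a' "$pem" 2>/dev/null || stat -f '%Lp' "$pem")
    case "$mode" in
        400|600) ;;
        *) echo "mode $mode on $pem, expected 0400" >&2; return 4 ;;
    esac
    # And it must belong to that user (chown ejabberd:ejabberd above).
    owner=$(stat -c '%U' "$pem" 2>/dev/null || stat -f '%Su' "$pem")
    [ "$owner" = "$want_owner" ] \
        || { echo "owner $owner on $pem, expected $want_owner" >&2; return 5; }
    echo "ok: $pem"
    return 0
}
```

The return code tells you which step was skipped: 2 or 3 means the concatenation went wrong, 4 or 5 means the chmod/chown did.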

Support for all this is enabled in the listen section:
...
%% port 5222 listens for client-server connections for clients that can starttls, and also accepts unencrypted connections for older clients.
{5222, ejabberd_c2s, [
{certfile, "/var/lib/ssl/ejabberd.pem"}, starttls,
{access, c2s}, {shaper, c2s_shaper},
{max_stanza_size, 65536}
]},
%% port 5223 listens for c2s connections for old ssl.
{5223, ejabberd_c2s, [
{access, c2s},
{shaper, c2s_shaper},
{certfile, "/var/lib/ssl/ejabberd.pem"}, tls,
{max_stanza_size, 65536}
]},
...
For server-to-server connections to be encrypted as well, uncomment the following after the listen section:
{s2s_use_starttls, true}.
{s2s_certfile, "/var/lib/ssl/ejabberd.pem"}.

</Digression>

That leaves one last place where passwords travel in a fairly open form: the admin panel! That is no good at all, so we enable encryption here too.
Go back to the listen section and find the entry for port 5280.
We change it to something like this:

{5280, ejabberd_http, [http_poll, web_admin, tls, {certfile, "/var/lib/ssl/ejabberd.pem"}]},

Now you can rejoice and enjoy the cozy admin panel, which is reached from here on at https://jabber.tld:5280/admin/

2. Convenience of use.



To make working with the server truly convenient, generously add third-party modules to it.
Depending on the distribution, this takes different contortions. By the way, in ALT Linux it is all done for you already ^_^

So, on my installations I add:
- mod_statsdx: advanced statistics showing a breakdown by client, OS and connection type of the connected users, the number of offline messages and much more (plus mod_stats2file, which saves all the statistics to a file at a specified location). The native mod_stats can be disabled.
- mod_ctlextra: many additional commands for ejabberdctl. Roster operations, operations on shared roster groups, etc. A more than useful extension.
- mod_http_bind and mod_http_fileserver, so that web clients can be used.
- mod_rest / mod_xmlrpc: to taste and need. Remember that the entry points of these modules have to be protected separately.

Building the modules is easy: either manually with erlc, or by running build.sh (after checking the paths).
The finished module is placed alongside the other modules (usually /usr/lib{,64}/ejabberd/ebin/) and the necessary changes are made to the config.
An example of such changes can be found here .

3. Speed



First, reconsider whether you really need such heavy modules as mod_shared_roster_ldap: with five hundred users in AD, the roster takes a minute to three to come down from the server for every connecting client.
It may be better to fill in the roster of new users manually: "Search -> Find all -> Add all". This option, however, has one big drawback: fired or otherwise deactivated accounts will still hang around in the roster, and the "everyone" mailings so beloved by secretaries (sent not via MOTD) will steadily clog the database with offline messages for them, which then have to be cleaned out by cron.
You can disable pubsub if you are not using subscriptions.

Ta-da-m! And finally, you can rebuild xml.erl with the +native option on the machine itself, which gives a very good speed boost, since everything is serialized as XML and parsing it eats the most CPU cycles.
cd ejabberd/src; erlc +native xml.erl

Source: https://habr.com/ru/post/71275/

