Init repo

2023-01-11 01:03:34 +01:00
parent 533a540a1d
commit 85930b7cac
33 changed files with 2389 additions and 0 deletions


@@ -0,0 +1,41 @@
server {
root /dolibarr/htdocs;
listen [::]:443 ssl;
listen 443 ssl;
ssl_certificate /etc/ssl/__dolibarr_domain__.crt;
ssl_certificate_key /etc/ssl/private/__dolibarr_domain__.key;
index index.html index.php;
server_name __dolibar_domain__;
location / {
try_files $uri $uri/ =404;
}
location ~ [^/]\.php(/|$) {
fastcgi_intercept_errors on;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
}
}
server {
listen [::]:80;
listen 80;
server_name __dolibarr_domain__;
if ($host = dolibarr.example.fr) {
return 301 https://$host$request_uri;
}
}
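Review bot: The PHP location at L23-L28 sets fastcgi parameters but never names a backend with `fastcgi_pass`, so nginx has no content handler for `*.php` and falls through to the static module, returning the Dolibarr PHP sources (including any configuration kept under htdocs) as files instead of executing them; the `php-handler` upstream defined in this commit is the intended target, `fastcgi_pass php-handler;`. The second Dolibarr vhost at L61-L66 has the same omission. Two placeholders are also inconsistent: L19 uses `__dolibar_domain__` while L16, L17 and L33 use `__dolibarr_domain__`, and the HTTP-to-HTTPS redirect at L34 tests the literal `dolibarr.example.fr` rather than the placeholder, so after templating the HTTPS vhost does not match the intended name and plain-HTTP requests for it are never redirected.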


@@ -0,0 +1,45 @@
server {
listen 80;
server_name __dolibarr_domain__;
include snippets/acme-challenge.conf;
return 301 https://$http_host$request_uri;
root /htdocs/;
}
server {
listen 443 ssl http2;
server_name __dolibarr_domain__;
root /var/www/dolibarr/htdocs;
index index.html index.php;
ssl_certificate /etc/ssl/__dolibarr_domain__.crt;
ssl_certificate_key /etc/ssl/private/__dolibarr_domain__.key;
include snippets/secure-ssl.conf;
include snippets/acme-challenge.conf;
location / {
try_files $uri $uri/ =404;
}
location ~ [^/]\.php(/|$) {
fastcgi_intercept_errors on;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
}
}
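Review bot: Both Dolibarr PHP locations (L61-L66 here, L23-L28 in the first vhost) forward any URI matching `[^/]\.php(/|$)` without first checking that the script exists; the Nextcloud vhost in this commit guards its equivalent block with `fastcgi_split_path_info ^(.+?\.php)(/.*)$;` and `try_files $fastcgi_script_name =404;`, and the php.ini added here leaves `cgi.fix_pathinfo` at its default, so the same guard belongs in both Dolibarr blocks. Separately, `root /var/www/dolibarr/htdocs;` at L52 looks inconsistent with the rest of the commit, which uses chroot-relative paths (`root /dolibarr/htdocs;` at L13, `root /nextcloud;`) and an upstream socket `/run/php-fpm.sock` that only matches php-fpm's `listen = /var/www/run/php-fpm.sock` if nginx runs chrooted in /var/www; if that is the deployment, this root resolves to a non-existent directory and should read `root /dolibarr/htdocs;`.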


@@ -0,0 +1,4 @@
<?php
$CONFIG = array (
'datadirectory' => ((php_sapi_name() == 'cli') ? '/var/www' : '') . '/nextcloud/data',
);
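Review bot: The SAPI-dependent `datadirectory` at L74 deserves a comment, because the reason lives in another file of this commit (php-fpm.conf sets `chroot = /var/www`, so the web SAPI sees `/nextcloud/data` while `occ` on the CLI needs the un-chrooted `/var/www/nextcloud/data`): `// php-fpm is chrooted in /var/www, the CLI (occ) is not — both paths must point at the same directory`. `php_sapi_name()` returns `'cli'` only for the CLI binary, so a cron job driven through any other SAPI would get the chroot-relative path — worth confirming against how the Nextcloud cron is scheduled.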


@@ -0,0 +1,153 @@
server {
listen 80;
server_name __nextcloud_domain__;
include snippets/acme-challenge.conf;
return 301 https://$http_host$request_uri;
root /htdocs/;
}
server {
listen 443 ssl http2;
server_name __nextcloud_domain__;
ssl_certificate /etc/ssl/__nextcloud_domain__.crt;
ssl_certificate_key /etc/ssl/private/__nextcloud_domain__.key;
include snippets/secure-ssl.conf;
include snippets/acme-challenge.conf;
# set max upload size
client_max_body_size 4096M;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
add_header X-Frame-Options "SAMEORIGIN" "always";
# Pagespeed is not supported by Nextcloud, so if your server is built
# with the `ngx_pagespeed` module, uncomment this line to disable it.
# pagespeed off;
add_header X-Content-Type-Options "nosniff";
# HTTP response headers borrowed from Nextcloud `.htaccess`
add_header Referrer-Policy "no-referrer" always;
add_header X-Download-Options "noopen" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
# Specify how to handle directories -- specifying `/index.php$request_uri`
# here as the fallback means that Nginx always exhibits the desired behaviour
# when a client requests a path that corresponds to a directory that exists
# on the server. In particular, if that directory contains an index.php file,
# that file is correctly served; if it doesn't, then the request is passed to
# the front-end controller. This consistent behaviour means that we don't need
# to specify custom rules for certain paths (e.g. images and other assets,
# `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
# `try_files $uri $uri/ /index.php$request_uri`
# always provides the desired behaviour.
index index.php index.html /index.php$request_uri;
# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
location = / {
if ( $http_user_agent ~ ^DavClnt ) {
return 302 /remote.php/webdav/$is_args$args;
}
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Make a regex exception for `/.well-known` so that clients can still
# access it despite the existence of the regex rule
# `location ~ /(\.|autotest|...)` which would otherwise handle requests
# for `/.well-known`.
location ^~ /.well-known {
# The rules in this block are an adaptation of the rules
# in `.htaccess` that concern `/.well-known`.
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
# Let Nextcloud's API for `/.well-known` URIs handle all other
# requests by passing them to the front-end controller.
return 301 /index.php$request_uri;
}
# Rules borrowed from `.htaccess` to hide certain paths from clients
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
# Ensure this block, which passes PHP files to the PHP process, is above the blocks
# which handle static assets (as seen below). If this block is not declared first,
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
# to the URI, resulting in a HTTP 500 error response.
location ~ \.php(?:$|/) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
fastcgi_param front_controller_active true; # Enable pretty urls
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ \.(?:css|js|svg|gif)$ {
try_files $uri /index.php$request_uri;
expires 6M; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}
location ~ \.woff2?$ {
try_files $uri /index.php$request_uri;
expires 7d; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}
# Rule borrowed from `.htaccess`
location /remote {
return 301 /remote.php$request_uri;
}
location / {
try_files $uri $uri/ /index.php$request_uri;
}
root /nextcloud;
}
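Review bot: The HSTS value at L104, `"max-age=15768000; includeSubDomains; preload;"`, has a trailing `;` that leaves an empty directive, and it advertises `preload` with a six-month max-age, which the browser preload list does not accept (it requires at least one year); either drop `preload` or align with the snippet added in this commit, `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;`. `X-Content-Type-Options` at L109 is the only security header here without `always`, so it is omitted on 4xx/5xx responses unlike its siblings. Note also that nginx `add_header` is not inherited into a location that declares its own `add_header`; none of the locations here do, but the `expires` blocks at L174-L183 are where this would silently break if a header is later added there, which a short comment above L104 would guard against.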


@@ -0,0 +1,5 @@
location ^~ /.well-known/acme-challenge/ {
rewrite ^/.well-known/acme-challenge/(.*) /$1 break;
default_type "text/plain";
root /acme;
}


@@ -0,0 +1,35 @@
# Ajout HSTS header
# Appliquer une durée de plus d'une semaine pour obtenir A+ sur ssl-labs
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; # duration=365days
# add_header Strict-Transport-Security "max-age=0; includeSubDomains"; # Désactive HSTS
# Ajoute gzip mais n'enleve pas les ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Pagespeed is not supported by Nextcloud, so if your server is built
# with the ngx_pagespeed module, uncomment this line to disable it.
# pagespeed off;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff";
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Content-Security-Policy "upgrade-insecure-requests";
add_header Content-Security-Policy-Report-Only " default-src https: data: 'unsafe-inline' 'unsafe-eval'";
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
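Review bot: The `Content-Security-Policy-Report-Only` header at L228 carries no `report-uri`/`report-to` directive, so browsers have nowhere to send violation reports and the header is a no-op (its value also starts with a stray space); either add a reporting endpoint or remove the line. `X-Content-Type-Options` at L221 and `X-Frame-Options` at L223 are the only headers in the snippet without `always`, so they are dropped on error responses while the others stay; `add_header X-Content-Type-Options "nosniff" always;` and `add_header X-Frame-Options "SAMEORIGIN" always;` make the set consistent. The enforced CSP at L227 is only `upgrade-insecure-requests`, which is a fine baseline but restricts no sources — worth saying so in the comment so nobody assumes the report-only policy is enforced.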


@@ -0,0 +1,21 @@
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_protocols TLSv1.2 TLSv1.3; # Score=100
# ssl ciphers list
ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !RC4 !EXP !PSK !SRP !CAMELLIA !SEED'; # Score=90 (recommended because more compatible)
# ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL; # Score=100
# to ensure that the best possible cipher is always included over the weaker ones, chosen from the above order
ssl_prefer_server_ciphers on;
# OCSP stapling
ssl_stapling on; # allow Nginx to send OCSP results during the connection process
ssl_stapling_verify on;
resolver 80.67.169.12 80.67.169.40 valid=300s;
resolver_timeout 10s;
# Speeds things up a little bit when resuming a session
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:5m;
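Review bot: `ssl_stapling_verify on;` at L244 needs `ssl_trusted_certificate` pointing at the issuer chain for nginx to validate the OCSP response; without it nginx warns at startup and may quietly skip stapling, so add `ssl_trusted_certificate /path/to/chain.pem;` (placeholder path) next to the per-vhost certificates. The resolver at L245 sends every OCSP lookup to an external DNS service in clear text; if a local resolver exists on the host, pointing there keeps that traffic on-box. The `# Score=…` comments refer to an unnamed scanner and date quickly — naming the tool and the date in the comment would keep them meaningful.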


@@ -0,0 +1,59 @@
#Filtres badhosts et sshguard
table <pfbadhost> persist file "/etc/pf-badhost.txt"
table <sshguard> persist
## Table pour les batards de bruteforceurs
table <bruteforce> persist
set block-policy drop # bloque silencieusement
set skip on lo # En local on s'en fou on surveille rien
set limit table-entries 400000
set limit states 100000
## Traitement des paquets ##
# Paquets partiels on vire
match all scrub (max-mss 1440 no-df random-id reassemble tcp)
antispoof quick for egress # Protection vol d'ip
antispoof quick for lo0 # Protection vol d'ip
# Port build user does not need network
block return out log proto {tcp udp} user _pbuild
# On bloque tout par défault
block
block quick on egress from <pfbadhost>
block in from <sshguard>
block log quick from <bruteforce> label "brutes"
pass out on egress proto { tcp udp icmp ipv6-icmp } modulate state
#déclaration des variables
web_ports = "{ http https }"
mail_ports = "{ smtp submission imap }"
xmpp_ports = "{ 5222 5269 }"
ssh_port = "42420"
## Anti bruteforce
### SSH
#### Limite à 5 connexions simultanne par IP source
#### Limite à 15 tentatives de connexion toutes les 5 minutes
pass in on egress proto tcp to port $ssh_port modulate state \
(max-src-conn 5, max-src-conn-rate 15/5, overload <bruteforce> flush global)
#web
pass in on egress proto tcp to port $web_ports modulate state \
(max-src-conn 60, max-src-conn-rate 60/1, overload <bruteforce> flush global)
# mails
## antispam
pass in on egress proto tcp to port $mail_ports modulate state \
(max-src-conn-rate 20/5, overload <bruteforce> flush global)
pass out log on egress proto tcp to any port smtp
# XMPP
pass in on egress proto tcp to port $xmpp_ports modulate state \
(max-src-conn 15, max-src-conn-rate 15/5, overload <bruteforce> flush global)
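Review bot: `block in from <sshguard>` at L273 is not `quick`, and pf is last-match-wins, so every `pass in ... modulate state` rule below it (L285-L297) matches later and overrides it: a host that sshguard has listed still reaches SSH, web, mail and XMPP, which is exactly what the table is meant to prevent. `<bruteforce>` at L274 already uses `quick`; the fix is the same one line, `block in quick log from <sshguard>`. Separately, there is no `pass in` for `icmp`/`ipv6-icmp`, so the default `block` drops inbound ICMPv6 neighbour discovery and PMTU messages; since the vhosts in this commit listen on `[::]`, IPv6 reachability likely needs at least `pass in on egress inet6 proto ipv6-icmp` (and a `pass in inet proto icmp icmp-type { echoreq unreach }` for v4) — confirm against the host's addressing.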


@@ -0,0 +1,4 @@
upstream php-handler {
server unix:/run/php-fpm.sock;
}
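Review bot: The socket path `unix:/run/php-fpm.sock` at L303 only meets php-fpm's `listen = /var/www/run/php-fpm.sock` from this commit if nginx runs chrooted in /var/www (the OpenBSD default); that dependency is invisible here and will bite anyone who disables the chroot or moves the pool, so a comment is warranted: `# path is relative to nginx's chroot (/var/www); php-fpm listens on /var/www/run/php-fpm.sock`.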


@@ -0,0 +1,189 @@
[PHP]
;;;;;;;;;;;;;;;;;;;
; Quick Reference ;
;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;
; Language Options ;
;;;;;;;;;;;;;;;;;;;;
engine = On
short_open_tag = Off
precision = 14
output_buffering = 4096
zlib.output_compression = Off
implicit_flush = Off
unserialize_callback_func =
serialize_precision = -1
disable_functions =
disable_classes =
zend.enable_gc = On
zend.exception_ignore_args = On
zend.exception_string_param_max_len = 0
;;;;;;;;;;;;;;;;;
; Miscellaneous ;
;;;;;;;;;;;;;;;;;
expose_php = Off
;;;;;;;;;;;;;;;;;;;
; Resource Limits ;
;;;;;;;;;;;;;;;;;;;
max_execution_time = 30
max_input_time = 60
memory_limit = 2048M
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
display_errors = Off
display_startup_errors = Off
log_errors = On
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
;;;;;;;;;;;;;;;;;
; Data Handling ;
;;;;;;;;;;;;;;;;;
variables_order = "GPCS"
request_order = "GP"
register_argc_argv = Off
auto_globals_jit = On
post_max_size = 8M
auto_prepend_file =
auto_append_file =
default_mimetype = "text/html"
default_charset = "UTF-8"
;;;;;;;;;;;;;;;;;;;;;;;;;
; Paths and Directories ;
;;;;;;;;;;;;;;;;;;;;;;;;;
; UNIX: "/path1:/path2"
include_path = ".:/pear/lib:/var/www/pear/lib"
doc_root =
user_dir =
extension_dir = "/usr/local/lib/php-8.0/modules"
enable_dl = Off
;;;;;;;;;;;;;;;;
; File Uploads ;
;;;;;;;;;;;;;;;;
file_uploads = On
upload_max_filesize = 2048M
max_file_uploads = 20
;;;;;;;;;;;;;;;;;;
; Fopen wrappers ;
;;;;;;;;;;;;;;;;;;
allow_url_fopen = Off
allow_url_include = Off
default_socket_timeout = 60
;;;;;;;;;;;;;;;;;;;
; Module Settings ;
;;;;;;;;;;;;;;;;;;;
[CLI Server]
; Whether the CLI web server uses ANSI color coding in its terminal output.
cli_server.color = On
[Date]
; Defines the default timezone used by the date functions
; http://php.net/date.timezone
date.timezone = UTC
[mail function]
SMTP = localhost
; http://php.net/smtp-port
smtp_port = 25
mail.add_x_header = Off
[ODBC]
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.max_persistent = -1
odbc.max_links = -1
odbc.defaultlrl = 4096
odbc.defaultbinmode = 1
[PostgreSQL]
; Allow or prevent persistent links.
; http://php.net/pgsql.allow-persistent
pgsql.allow_persistent = On
; Detect broken persistent links always with pg_pconnect().
; Auto reset feature requires a little overheads.
; http://php.net/pgsql.auto-reset-persistent
pgsql.auto_reset_persistent = Off
; Maximum number of persistent links. -1 means no limit.
; http://php.net/pgsql.max-persistent
pgsql.max_persistent = -1
; Maximum number of links (persistent+non persistent). -1 means no limit.
; http://php.net/pgsql.max-links
pgsql.max_links = -1
; Ignore PostgreSQL backends Notice message or not.
; Notice message logging require a little overheads.
; http://php.net/pgsql.ignore-notice
pgsql.ignore_notice = 0
; Log PostgreSQL backends Notice message or not.
; Unless pgsql.ignore_notice=0, module cannot log notice message.
; http://php.net/pgsql.log-notice
pgsql.log_notice = 0
[bcmath]
; Number of decimal digits for all bcmath functions.
; http://php.net/bcmath.scale
bcmath.scale = 0
[Session]
; Handler used to store/retrieve data.
; http://php.net/session.save-handler
session.save_handler = files
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.cookie_samesite =
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.referer_check =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.sid_length = 26
session.trans_sid_tags = "a=href,area=href,frame=src,form="
session.sid_bits_per_character = 5
[Assertion]
zend.assertions = -1
[Tidy]
tidy.clean_output = Off
[soap]
soap.wsdl_cache_enabled=1
soap.wsdl_cache_dir="/tmp"
soap.wsdl_cache_ttl=86400
soap.wsdl_cache_limit = 5
[ldap]
; Sets the maximum number of open links or -1 for unlimited.
ldap.max_links = -1
[opcache]
; Determines if Zend OPCache is enabled
opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1
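Review bot: `session.cookie_httponly =` (L439) and `session.cookie_samesite =` (L440) are left empty and `session.cookie_secure` is not set, so any application relying on native PHP sessions (Dolibarr does) gets session cookies that are readable by script and sent over plain HTTP unless the app overrides them; since every vhost in this commit is HTTPS-only, set `session.cookie_httponly = 1`, `session.cookie_secure = 1` and `session.cookie_samesite = Lax` here. `post_max_size = 8M` (L354) is far below `upload_max_filesize = 2048M` (L372), so multipart uploads above 8M are rejected before the upload limit is ever reached; raise it above `upload_max_filesize` or document why the smaller POST limit is intended. `memory_limit = 2048M` (L338) is per request and is multiplied by php-fpm's `pm.max_children`; the pool configuration in this commit sets the resulting ceiling.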


@@ -0,0 +1,29 @@
;;;;;;;;;;;;;;;;;;;;;
; FPM Configuration ;
;;;;;;;;;;;;;;;;;;;;;
[global]
error_log = log/php-fpm.log
;;;;;;;;;;;;;;;;;;;;
; Pool Definitions ;
;;;;;;;;;;;;;;;;;;;;
include=/etc/php-fpm.d/*.conf
[www]
user = www
group = www
listen = /var/www/run/php-fpm.sock
listen.owner = www
listen.group = www
listen.mode = 0660
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
chroot = /var/www
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
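Review bot: The single `[www]` pool (L486-L503) serves every PHP vhost in this commit with `pm.max_children = 5`, and the Nextcloud and upload vhosts disable `fastcgi_request_buffering`, so a long-running upload pins one worker for its whole duration; five concurrent slow uploads exhaust the pool for all sites at once, which is a plain availability problem. Combined with php.ini's `memory_limit = 2048M` the pool can also reach 5 × 2 GB, so either lower that limit or size `pm.max_children` against real memory, and set `request_terminate_timeout` so stuck workers are reclaimed. Consider one pool per application so Nextcloud, Dolibarr and the XMPP upload script cannot starve each other and do not share the same `chroot` and user.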


@@ -0,0 +1,18 @@
# TYPE DATABASE USER ADDRESS METHOD
local all postgres trust
# "local" is for Unix domain socket connections only
#local all all md5
# IPv4 local connections:
host all all 127.0.0.1/32 scram-sha-256
# IPv6 local connections:
host all all ::1/128 scram-sha-256
# Allow replication connections from localhost, by a user with the
# replication privilege.
local replication all scram-sha-256
host replication all 127.0.0.1/32 scram-sha-256
host replication all ::1/128 scram-sha-256
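Review bot: `local all postgres trust` at L509 lets any local OS account open a superuser session over the Unix socket with no password at all — `trust` checks nothing; `peer` keeps the passwordless convenience for the `postgres` OS user while refusing everyone else: `local all postgres peer`. Every other entry requires `scram-sha-256`, so this is the one line that undercuts the rest of the file. With the default `#local all all` entry commented out, application roles can only connect over TCP — worth a comment above L511 so nobody re-enables that line with `trust` to "fix" a socket connection.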


@@ -0,0 +1,47 @@
server {
listen 80;
server_name __pywallter_domain__;
#Ajout pour les certificats letsencrypt
include snippets/acme-challenge.conf;
return 301 https://$http_host$request_uri;
root /html/;
}
server {
listen 443 ssl http2;
server_name __pywallter_domain__;
ssl_certificate /etc/ssl/__pywallter_domain__.crt;
ssl_certificate_key /etc/ssl/private/__pywallter_domain__.key;
#Ajout d'une configuration ssl securise
include snippets/secure-ssl.conf;
# Speeds things up a little bit when resuming a session
# ssl_session_timeout 5m;
# ssl_session_cache shared:SSL:5m;
# Ajout pour le certificat letsencrypt
include snippets/acme-challenge.conf;
# Ajout pour securiser les headers
include snippets/secure-headers.conf;
client_max_body_size 100M;
location / {
proxy_pass http://127.0.0.1:8000/;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Prefix /;
}
# Path to the root of your installation
root /html/;
}
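Review bot: The proxy block at L548-L554 forwards `X-Forwarded-*` but never sets `Host`, so the backend on 127.0.0.1:8000 receives `Host: 127.0.0.1:8000` and must rebuild URLs from `X-Forwarded-Host`; adding `proxy_set_header Host $host;` removes that dependency. `$proxy_add_x_forwarded_for` appends the peer address to whatever `X-Forwarded-For` the client already sent, so the application must only trust the last entry (or this proxy's address); if it reads the first, the client IP it logs or rate-limits on is client-controlled — confirm how the backend parses it. `root /html/;` appears in both server blocks (L531, L556) although the HTTPS one only proxies; harmless, but a comment on why it is there would stop a later reader assuming static files are served.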


@@ -0,0 +1,16 @@
#!/bin/ksh
daemon="/usr/local/bin/python3"
daemon_flags="wsgi.py"
daemon_user="pywallter"
location="/home/pywallter/pywallter"
. /etc/rc.d/rc.subr
rc_start() {
${rcexec} "cd ${location}; ${daemon} ${daemon_flags}"
}
rc_bg=YES
rc_cmd $1
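Review bot: `rc_start` at L568-L570 chains `cd ${location}; ${daemon} ${daemon_flags}` with `;`, so if the directory is missing or unreadable the daemon still starts in whatever directory `rcexec` happens to be in and `wsgi.py` is resolved from there; use `&&` so a failed `cd` aborts the start: `${rcexec} "cd ${location} && ${daemon} ${daemon_flags}"`. The service runs `python3 wsgi.py` directly, which for most Python web applications is the development server rather than a production WSGI server; since the nginx vhost in this commit proxies straight to it, either note in a comment that this is intentional or front it with a proper WSGI server.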


@@ -0,0 +1,59 @@
server {
listen 80;
listen [::]:80;
server_name upload.__XMPP_DOMAIN__ ;
include snippets/acme-challenge.conf;
return 301 https://$http_host$request_uri;
access_log /var/log/upload.__DOMAIN__-access.log;
error_log /var/log/upload.__DOMAIN__-error.log;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name upload.__DOMAIN__;
ssl_certificate /etc/ssl/upload.__DOMAIN__.crt;
ssl_certificate_key /etc/ssl/private/upload.__DOMAIN__.key;
root /xmpp-upload/;
include snippets/secure-ssl.conf;
include snippets/secure-headers.conf;
#custom headers
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'HEAD, GET, PUT, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Authorization';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header x-robots-tag "noindex, follow";
client_max_body_size 105M; # Choose a value a bit higher than the max upload configured in XMPP server
# add_header Strict-Transport-Security " max-age=63072000; includeSubDomains; preload";
include snippets/acme-challenge.conf;
location ~ \.php(?:$|/) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
fastcgi_param front_controller_active true; # Enable pretty urls
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
access_log /var/log/upload.__DOMAIN__-access.log;
error_log /var/log/upload.__DOMAIN__-error.log;
}
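Review bot: The port-80 block names `upload.__XMPP_DOMAIN__` at L580 while every other occurrence uses `upload.__DOMAIN__` (L583, L589-L591, L618), so after templating the HTTP listener never matches this host and the HTTP-to-HTTPS redirect is never taken; use `server_name upload.__DOMAIN__;`. The CORS headers at L596-L599 are also emitted by share.php itself (it sends `Access-Control-Allow-Origin: *` and `Access-Control-Allow-Methods`), and nginx `add_header` appends rather than replaces, so PHP responses carry each header twice — browsers reject a duplicated `Access-Control-Allow-Origin` — and `Access-Control-Allow-Credentials: true` is ignored with a wildcard origin anyway. Keep one source of truth (the script or nginx) and drop `Allow-Credentials`. `add_header x-robots-tag` at L600 likewise duplicates the `X-Robots-Tag "none"` from the included `secure-headers.conf`.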


@@ -0,0 +1,132 @@
---------- Server-wide settings ----------
-- Settings in this section apply to the whole server and are the default settings
-- for any virtual hosts
-- This is a (by default, empty) list of accounts that are admins
-- for the server. Note that you must create the accounts separately
-- (see https://prosody.im/doc/creating_accounts for info)
-- Example: admins = { "user1@example.com", "user2@example.net" }
admins = { "admin@__DOMAIN__" }
-- Drop privileges
prosody_user = "_prosody"
prosody_group = "_prosody"
-- Enable POSIX-only options
pidfile = "/var/prosody/prosody.pid"
-- Enable use of libevent for better performance under high load
-- For more information see: https://prosody.im/doc/libevent
--use_libevent = true
-- Prosody will always look in its source directory for modules, but
-- this option allows you to specify additional locations where Prosody
-- will look for modules first. For community modules, see https://modules.prosody.im/
plugin_paths = { "/var/prosody/plugins" }
-- This is the list of modules Prosody will load on startup.
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
modules_enabled = {
-- Generally required
"roster"; -- Allow users to have a roster. Recommended ;)
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
"tls"; -- Add support for secure TLS on c2s/s2s connections
"dialback"; -- s2s dialback support
"disco"; -- Service discovery
-- Not essential, but recommended
"carbons"; -- Keep multiple clients in sync
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
"bidi";
"private"; -- Private XML storage (for room bookmarks, etc.)
"blocklist"; -- Allow users to block communications with other users
"vcard4"; -- User profiles (stored in PEP)
--"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
"limits"; -- Enable bandwidth limiting for XMPP connections
"smacks";
-- Nice to have
"version"; -- Replies to server version requests
"uptime"; -- Report how long server has been running
"time"; -- Let others know the time here on this server
"ping"; -- Replies to XMPP pings with pongs
-- "register"; -- Allow users to register on this server using a client and change passwords
"mam"; -- Store messages in an archive and allow users to access it
"csi_simple"; -- Simple Mobile optimizations
-- HTTP modules
"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
"websocket"; -- XMPP over WebSockets
"http_files"; -- Serve static files from a directory over HTTP
-- Other specific functionality
"groups"; -- Shared roster support
"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
-- cloud notify
"cloud_notify";
"cloud_notify_extensions";
}
modules_disabled = {
}
allow_registration = false
-- Force clients to use encrypted connections? This option will
-- prevent clients from authenticating unless they are using encryption.
c2s_require_encryption = true
-- Force servers to use encrypted connections? This option will
-- prevent servers from authenticating unless they are using encryption.
s2s_require_encryption = true
-- Force certificate authentication for server-to-server connections?
s2s_secure_auth = false
-- Enable rate limits for incoming client and server connections
limits = {
c2s = {
rate = "100kb/s";
};
s2sin = {
rate = "300kb/s";
};
}
-- Select the authentication backend to use. The 'internal' providers
-- use Prosody's configured data storage to store the authentication data.
authentication = "internal_hashed"
-- Archiving configuration
archive_expires_after = "1w" -- Remove archived messages after 1 week
-- You can also configure messages to be stored in-memory only. For more
-- archiving options, see https://prosody.im/doc/modules/mod_mam
-- Logging configuration
-- For advanced logging see https://prosody.im/doc/logging
log = {
info = "/var/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
error = "/var/prosody/prosody.err";
}
-- Location of directory to find certificates in (relative to main config file):
certificates = "/var/prosody/"
-- WebSocket configuration (mod_websocket)
consider_websocket_secure = true
------ Components ------
-- You can specify components to add hosts that provide special services,
-- like multi-user conferences, and transports.
include "virtualHosts/*.conf"
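Review bot: `s2s_secure_auth = false` at L694 means that, although `s2s_require_encryption = true` forces TLS, the remote server's certificate is never checked against its domain, so federation is encrypted but not authenticated and relies on dialback; set `s2s_secure_auth = true` and, if a few peers with broken certificates must be kept, list them in `s2s_insecure_domains` rather than disabling verification globally. `"http_files"` at L676 is enabled without a `http_files_dir`; if nothing is meant to be served statically, drop the module rather than leave an HTTP file handler active. `consider_websocket_secure = true` at L720 is only safe while the HTTP ports stay bound to localhost behind the TLS proxy, which the per-host file in this commit sets with `http_interfaces = { "localhost" }` — a comment here tying the two together would keep them from drifting apart.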


@@ -0,0 +1,141 @@
<?php
/*
PHP script to handle file uploads and downloads for Prosody's mod_http_upload_external
Tested with Apache 2.2+ and PHP 5.3+
** Why this script?
This script only allows uploads that have been authorized by mod_http_upload_external. It
attempts to make the upload/download as safe as possible, considering that there are *many*
security concerns involved with allowing arbitrary file upload/download on a web server.
With that said, I do not consider myself a PHP developer, and at the time of writing, this
code has had no external review. Use it at your own risk. I make no claims that this code
is secure.
** How to use?
Drop this file somewhere it will be served by your web server. Edit the config options below.
In Prosody set:
http_upload_external_base_url = "https://your.example.com/path/to/share.php/"
http_upload_external_secret = "this is your secret string"
** License
(C) 2016 Matthew Wild <mwild1@gmail.com>
Permission is hereby granted, free of charge, to any person obtaining a copy of this software
and associated documentation files (the "Software"), to deal in the Software without restriction,
including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial
portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/
/*\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\*/
/* CONFIGURATION OPTIONS */
/*\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\*/
/* Change this to a directory that is writable by your web server, but is outside your web root */
$CONFIG_STORE_DIR = '/xmpp-upload/__DOMAIN__/upload';
/* This must be the same as 'http_upload_external_secret' that you set in Prosody's config file */
$CONFIG_SECRET = "__xmpp_passphrase_for_filesuploads__" ;
/* For people who need options to tweak that they don't understand... here you are */
$CONFIG_CHUNK_SIZE = 4096;
/*\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\*/
/* END OF CONFIGURATION */
/*\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\*/
/* Do not edit below this line unless you know what you are doing (spoiler: nobody does) */
$upload_file_name = substr($_SERVER['PHP_SELF'], strlen($_SERVER['SCRIPT_NAME'])+1);
$store_file_name = $CONFIG_STORE_DIR . '/store-' . hash('sha256', $upload_file_name);
$request_method = $_SERVER['REQUEST_METHOD'];
/* Set CORS headers */
header('Access-Control-Allow-Methods: GET, PUT, OPTIONS');
header('Access-Control-Allow-Headers: Content-Type');
header('Access-Control-Max-Age: 7200');
header('Access-Control-Allow-Origin: *');
if(array_key_exists('v', $_GET) === TRUE && $request_method === 'PUT') {
$upload_file_size = $_SERVER['CONTENT_LENGTH'];
$upload_token = $_GET['v'];
$calculated_token = hash_hmac('sha256', "$upload_file_name $upload_file_size", $CONFIG_SECRET);
if(function_exists('hash_equals')) {
if(hash_equals($calculated_token, $upload_token) !== TRUE) {
error_log("Token mismatch: calculated $calculated_token got $upload_token");
header('HTTP/1.0 403 Forbidden');
exit;
}
}
else {
if($upload_token !== $calculated_token) {
error_log("Token mismatch: calculated $calculated_token got $upload_token");
header('HTTP/1.0 403 Forbidden');
exit;
}
}
/* Open a file for writing */
$store_file = fopen($store_file_name, 'x');
if($store_file === FALSE) {
header('HTTP/1.0 409 Conflict');
exit;
}
/* PUT data comes in on the stdin stream */
$incoming_data = fopen('php://input', 'r');
/* Read the data a chunk at a time and write to the file */
while ($data = fread($incoming_data, $CONFIG_CHUNK_SIZE)) {
fwrite($store_file, $data);
}
/* Close the streams */
fclose($incoming_data);
fclose($store_file);
// https://xmpp.org/extensions/xep-0363.html#upload
// A HTTP status Code of 201 means that the server is now ready to serve the file via the provided GET URL.
header('HTTP/1.0 201 Created');
exit;
} else if($request_method === 'GET' || $request_method === 'HEAD') {
// Send file (using X-Sendfile would be nice here...)
if(file_exists($store_file_name)) {
header('Content-Disposition: attachment');
header('Content-Type: application/octet-stream');
header('Content-Length: '.filesize($store_file_name));
header("Content-Security-Policy: \"default-src 'none'\"");
header("X-Content-Security-Policy: \"default-src 'none'\"");
header("X-WebKit-CSP: \"default-src 'none'\"");
if($request_method !== 'HEAD') {
readfile($store_file_name);
}
} else {
header('HTTP/1.0 404 Not Found');
}
} else if($request_method === 'OPTIONS') {
} else {
header('HTTP/1.0 400 Bad Request');
}
exit;
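Review bot: The upload loop at L808-L810 stores whatever arrives without comparing it to the `$upload_file_size` that the token at L784 authorised, `while ($data = fread(...))` drops a final chunk that is exactly the single byte `0` (the string `"0"` is falsy in PHP), and `fwrite`'s return value is never checked, so a short write still answers 201; count the bytes as they are written, compare them with the authorised size before replying, and remove the partial file on mismatch, as below. `$CONFIG_STORE_DIR` at L764 sits under the upload vhost's nginx `root /xmpp-upload/` although the comment on L763 asks for a directory outside the web root, so stored files are also reachable directly, bypassing the `Content-Disposition` and CSP headers the script adds; move the directory or deny that path in nginx. The CSP values at L824-L826 are sent with literal double quotes inside the header value, which is not valid policy syntax — `header("Content-Security-Policy: default-src 'none'");`.
```php
/* Read the data a chunk at a time and write to the file, tracking how much was stored */
$bytes_written = 0;
$write_failed = FALSE;
while (($data = fread($incoming_data, $CONFIG_CHUNK_SIZE)) !== FALSE && $data !== '') {
    if (fwrite($store_file, $data) !== strlen($data)) {
        $write_failed = TRUE;
        break;
    }
    $bytes_written += strlen($data);
}
/* Close the streams */
fclose($incoming_data);
fclose($store_file);
/* Only publish the file if it is complete and exactly the size the token authorised */
if ($write_failed || $bytes_written !== (int)$upload_file_size) {
    unlink($store_file_name);
    header('HTTP/1.0 400 Bad Request');
    exit;
}
// … unchanged: 201 Created response …
```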


@@ -0,0 +1,100 @@
VirtualHost "__DOMAIN__"
enable = true
ssl = {
key = "/etc/prosody/certs/__DOMAIN__.key";
certificate = "/etc/prosody/certs/__DOMAIN__.crt";
-- Configuration Avancée
protocol = "tlsv1_2+";
dhparam = "/etc/prosody/certs/dh-2048.pem";
ciphers = "HIGH+kEECDH:!RSA:!SRP:!PSK:!3DES:!aNULL";
options = { cipher_server_preference = true, no_compression = true, cipher_server_preference = true };
}
archive_expires_after = "15d";
-- Discovery items
disco_items = {
{ "muc.__DOMAIN__" },
{ "pubsub.__DOMAIN__" },
{ "upload.__DOMAIN__" },
};
contact_info = {
abuse = { "mailto:abuse@__DOMAIN__", "xmpp:admin@__DOMAIN__" };
admin = { "mailto:root@$__DOMAIN__", "xmpp:admin@__DOMAIN__" };
};
-- BOSH configuration (mod_bosh)
consider_bosh_secure = true
cross_domain_bosh = true
bosh_ports = {
{
port = 5280;
path = "http-bind";
},
{
port = 5281;
path = "http-bind";
ssl = {
certificate = "/etc/prosody/certs/__DOMAIN__.crt";
key = "/etc/prosody/certs/__DOMAIN__.key";
}
}
}
http_ports = { 5280 }
http_interfaces = { "localhost" }
https_ports = { 5281 }
https_interfaces = { "localhost" }
https_ssl = {
certificate = "/etc/prosody/certs/__DOMAIN__.crt";
key = "/etc/prosody/certs/__DOMAIN__.key";
}
------ Components ------
-- You can specify components to add hosts that provide special services,
-- like multi-user conferences, and transports.
--Component "proxy.__DOMAIN__" "proxy65"
-- proxy65_address = ""
-- proxy65_acl = { "" }
Component "muc.__DOMAIN__" "muc"
name = "__DOMAIN__ Chatrooms"
modules_enabled = {
"muc_mam";
"muc_limits";
"muc_log";
"vcard_muc";
}
muc_log_by_default = true
muc_log_presences = false
log_all_rooms = false
muc_log_expires_after = "1w"
muc_log_cleanup_interval = 4 * 60 * 60
muc_event_rate = 0.5
muc_burst_factor = 10
room_default_config = {
logging = true,
persistent = true
};
---Set up a PubSub server
Component "pubsub.__DOMAIN__" "pubsub"
name = "__DOMAIN__ Publish/Subscribe"
unrestricted_node_creation = true -- Anyone can create a PubSub node (from any server)
---Set up a HTTP Upload service
Component "upload.__DOMAIN__" "http_upload_external"
name = "__DOMAIN__ Sharing Service"
http_upload_external_base_url = "https://upload.__DOMAIN__/share.php/"
http_upload_external_secret = "__xmpp_passphrase_for_filesuploads__"