### Example of folded string:
### > Art thou not Romeo,
### and a Montague?
-
+---
###. =======
###' LOGGING
##
## hosts: Domains served by ejabberd.
## You can define one or several, for example:
-## hosts:
+## hosts:
## - "example.net"
## - "example.com"
## - "example.org"
##
## route_subdomains: s2s
+###. ============
+###' Certificates
+
+## List all available PEM files containing certificates for your domains,
+## chains of certificates or certificate keys. Full chains will be built
+## automatically by ejabberd.
+##
+certfiles:
+ - "/etc/ejabberd/ejabberd.pem"
+
+## If your system provides only a single CA file (CentOS/FreeBSD):
+## ca_file: "/etc/ssl/certs/ca-bundle.pem"
+
+###. =================
+###' TLS configuration
+
+## Note that the following configuration is the default
+## configuration of the TLS driver, so you don't need to
+## uncomment it.
+##
+define_macro:
+ 'TLS_CIPHERS': "HIGH:!aNULL:!eNULL:!3DES:@STRENGTH"
+ 'TLS_OPTIONS':
+ - "no_sslv3"
+ - "no_tlsv1"
+ - "cipher_server_preference"
+ - "no_compression"
+ ## 'DH_FILE': "/path/to/dhparams.pem" # generated with: openssl dhparam -out dhparams.pem 2048
+
+## c2s_dhfile: 'DH_FILE'
+## s2s_dhfile: 'DH_FILE'
+c2s_ciphers: 'TLS_CIPHERS'
+s2s_ciphers: 'TLS_CIPHERS'
+c2s_protocol_options: 'TLS_OPTIONS'
+s2s_protocol_options: 'TLS_OPTIONS'
+
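Review bot: The `TLS_OPTIONS` macro (L40-44) disables SSLv3 and TLSv1 but still leaves TLSv1.1 negotiable on every listener that reuses it (c2s, s2s and the HTTP listener further down), and the DH parameter file at L45 and the `c2s_dhfile`/`s2s_dhfile` keys at L47-48 stay commented out, so DHE suites from `TLS_CIPHERS` presumably run with whatever parameters the TLS driver ships by default. Consider adding `- "no_tlsv1_1"` to the macro, and either providing a dhparams file and uncommenting `c2s_dhfile`/`s2s_dhfile` or saying in the comment at L45 that default parameters are used until it is set. The cipher string itself (`HIGH:!aNULL:!eNULL:!3DES:@STRENGTH`) reads fine.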
###. ===============
###' LISTENING PORTS
## listen: The ports ejabberd will listen on, which service each is handled
## by and what options to start it with.
##
-listen:
- -
+listen:
+ -
port: 5222
ip: "::"
module: ejabberd_c2s
- ##
- ## If TLS is compiled in and you installed a SSL
- ## certificate, specify the full path to the
- ## file and uncomment these lines:
- ##
- certfile: "/etc/ejabberd/ejabberd.pem"
- starttls: true
- ##
- ## To enforce TLS encryption for client connections,
- ## use this instead of the "starttls" option:
- ##
- ## starttls_required: true
- ##
- ## Custom OpenSSL options
- ##
- protocol_options:
- - "no_sslv3"
- ## - "no_tlsv1"
+ starttls_required: true
+ protocol_options: 'TLS_OPTIONS'
max_stanza_size: 65536
shaper: c2s_shaper
access: c2s
- zlib: true
- resend_on_timeout: if_offline
- -
+ -
port: 5269
ip: "::"
module: ejabberd_s2s_in
+ -
+ port: 5280
+ ip: "::"
+ module: ejabberd_http
+ request_handlers:
+ "/ws": ejabberd_http_ws
+ "/bosh": mod_bosh
+ "/api": mod_http_api
+ ## "/pub/archive": mod_http_fileserver
+ web_admin: true
+ ## register: true
+ ## captcha: true
+ tls: true
+ protocol_options: 'TLS_OPTIONS'
+
##
## ejabberd_service: Interact with external components (transports, ...)
##
- ## -
+ ## -
## port: 8888
+ ## ip: "::"
## module: ejabberd_service
## access: all
## shaper_rule: fast
## ip: "127.0.0.1"
+ ## privilege_access:
+ ## roster: "both"
+ ## message: "outgoing"
+ ## presence: "roster"
+ ## delegations:
+ ## "urn:xmpp:mam:1":
+ ## filtering: ["node"]
+ ## "http://jabber.org/protocol/pubsub":
+ ## filtering: []
## hosts:
## "icq.example.org":
## password: "secret"
##
## ejabberd_stun: Handles STUN Binding requests
##
- ## -
+ ## -
## port: 3478
## transport: udp
## module: ejabberd_stun
##
## To handle XML-RPC requests that provide admin credentials:
##
- ## -
+ ## -
## port: 4560
+ ## ip: "::"
## module: ejabberd_xmlrpc
- ## access_commands: {}
- -
- port: 5280
- ip: "::"
- module: ejabberd_http
- request_handlers:
- "/websocket": ejabberd_http_ws
- ## "/pub/archive": mod_http_fileserver
- web_admin: true
- http_bind: true
- ## register: true
- captcha: true
- tls: true
- certfile: "/etc/ejabberd/ejabberd.pem"
+ ## maxsessions: 10
+ ## timeout: 5000
+ ## access_commands:
+ ## admin:
+ ## commands: all
+ ## options: []
+
+ ##
+ ## To enable secure http upload
+ ##
+ ## -
+ ## port: 5444
+ ## ip: "::"
+ ## module: ejabberd_http
+ ## request_handlers:
+ ## "": mod_http_upload
+ ## tls: true
+ ## protocol_options: 'TLS_OPTIONS'
+ ## dhfile: 'DH_FILE'
+ ## ciphers: 'TLS_CIPHERS'
## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text
## password storage (see auth_password_format option).
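Review bot: The HTTP listener added at L96-109 sets `protocol_options: 'TLS_OPTIONS'` but not `ciphers: 'TLS_CIPHERS'` (nor `dhfile`), unlike the commented upload listener at L180-183 which sets all three; unless ejabberd_http inherits the c2s defaults, which nothing in the hunk shows, the web admin and `/api` endpoints negotiate with the driver's default cipher list. Adding `ciphers: 'TLS_CIPHERS'` after L109 keeps it in step with the rest of the file. This listener also binds `"::"` and exposes `web_admin` and `mod_http_api` on all interfaces, so the api_permissions block is the only guard on `/api`; a comment on the listener such as `## /api access is governed by api_permissions below` would make that dependency visible to whoever edits either section.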
###' S2S GLOBAL OPTIONS
##
-## s2s_use_starttls: Enable STARTTLS + Dialback for S2S connections.
-## Allowed values are: false optional required required_trusted
-## You must specify a certificate file.
-##
-s2s_use_starttls: optional
-
-##
-## s2s_certfile: Specify a certificate file.
-##
-s2s_certfile: "/etc/ejabberd/ejabberd.pem"
-
-## Custom OpenSSL options
-##
-s2s_protocol_options:
- - "no_sslv3"
-## - "no_tlsv1"
-
-##
-## domain_certfile: Specify a different certificate for each served hostname.
+## s2s_use_starttls: Enable STARTTLS for S2S connections.
+## Allowed values are: false, optional or required
+## You must specify 'certfiles' option
##
-## host_config:
-## "example.org":
-## domain_certfile: "/path/to/example_org.pem"
-## "example.com":
-## domain_certfile: "/path/to/example_com.pem"
+s2s_use_starttls: required
##
## S2S whitelist or blacklist
## Outgoing S2S options
##
## Preferred address families (which to try first) and connect timeout
-## in milliseconds.
+## in seconds.
##
## outgoing_s2s_families:
## - ipv4
## - ipv6
-## outgoing_s2s_timeout: 10000
+## outgoing_s2s_timeout: 190
###. ==============
###' AUTHENTICATION
## extauth_program: "/path/to/authentication/script"
##
-## Authentication using ODBC
+## Authentication using SQL
## Remember to setup a database in the next section.
##
-## auth_method: odbc
+## auth_method: sql
##
## Authentication using PAM
##
## MySQL server:
##
-## odbc_type: mysql
-## odbc_server: "server"
-## odbc_database: "database"
-## odbc_username: "username"
-## odbc_password: "password"
+## sql_type: mysql
+## sql_server: "server"
+## sql_database: "database"
+## sql_username: "username"
+## sql_password: "password"
##
## If you want to specify the port:
-## odbc_port: 1234
+## sql_port: 1234
##
## PostgreSQL server:
##
-## odbc_type: pgsql
-## odbc_server: "server"
-## odbc_database: "database"
-## odbc_username: "username"
-## odbc_password: "password"
+## sql_type: pgsql
+## sql_server: "server"
+## sql_database: "database"
+## sql_username: "username"
+## sql_password: "password"
##
## If you want to specify the port:
-## odbc_port: 1234
+## sql_port: 1234
##
## If you use PostgreSQL, have a large database, and need a
## faster but inexact replacement for "select count(*) from users"
##
## SQLite:
##
-## odbc_type: sqlite
-## odbc_database: "/path/to/database.db"
+## sql_type: sqlite
+## sql_database: "/path/to/database.db"
##
## ODBC compatible or MSSQL server:
##
-## odbc_type: odbc
-## odbc_server: "DSN=ejabberd;UID=ejabberd;PWD=ejabberd"
+## sql_type: odbc
+## sql_server: "DSN=ejabberd;UID=ejabberd;PWD=ejabberd"
##
## Number of connections to open to the database for each virtual host
##
-## odbc_pool_size: 10
+## sql_pool_size: 10
##
## Interval to make a dummy SQL request to keep the connections to the
## database alive. Specify in seconds: for example 28800 means 8 hours
##
-## odbc_keepalive_interval: undefined
+## sql_keepalive_interval: undefined
###. ===============
###' TRAFFIC SHAPERS
## This option specifies the maximum number of elements in the queue
## of the FSM. Refer to the documentation for details.
##
-max_fsm_queue: 1000
+max_fsm_queue: 10000
###. ====================
###' ACCESS CONTROL LISTS
##
admin:
user:
- - "": "localhost"
+ - ""
##
## Blocked users
##
## blocked:
## user:
- ## - "baduser": "example.org"
+ ## - "baduser@example.org"
## - "test"
## Local users: don't modify this.
##
- local:
+ local:
user_regexp: ""
##
## - "jabber.org"
## aleksey:
## user:
- ## - "aleksey": "jabber.ru"
+ ## - "aleksey@jabber.ru"
## test:
## user_regexp: "^test"
## user_glob: "test*"
loopback:
ip:
- "127.0.0.0/8"
+ - "::1/128"
+ - "::FFFF:127.0.0.1/128"
##
## Bad XMPP servers
## acl:
## admin:
## user:
-## - "bob-local": "localhost"
+## - "bob-local@localhost"
###. ============
-###' ACCESS RULES
-access:
+###' SHAPER RULES
+
+shaper_rules:
## Maximum number of simultaneous sessions allowed for a single user:
- max_user_sessions:
- all: 10
+ max_user_sessions: 10
## Maximum number of offline messages that users can have:
- max_user_offline_messages:
- admin: 5000
- all: 100
- ## This rule allows access only for local users:
- local:
- local: allow
- ## Only non-blocked users can use c2s connections:
- c2s:
- blocked: deny
- all: allow
+ max_user_offline_messages:
+ - 5000: admin
+ - 100
## For C2S connections, all users except admins use the "normal" shaper
- c2s_shaper:
- admin: none
- all: normal
+ c2s_shaper:
+ - none: admin
+ - normal
## All S2S connections use the "fast" shaper
- s2s_shaper:
- all: fast
+ s2s_shaper: fast
+
+###. ============
+###' ACCESS RULES
+access_rules:
+ ## This rule allows access only for local users:
+ local:
+ - allow: local
+ ## Only non-blocked users can use c2s connections:
+ c2s:
+ - deny: blocked
+ - allow
## Only admins can send announcement messages:
- announce:
- admin: allow
+ announce:
+ - allow: admin
## Only admins can use the configuration interface:
- configure:
- admin: allow
- ## Admins of this server are also admins of the MUC service:
- muc_admin:
- admin: allow
+ configure:
+ - allow: admin
## Only accounts of the local ejabberd server can create rooms:
- muc_create:
- local: allow
- ## All users are allowed to use the MUC service:
- muc:
- all: allow
+ muc_create:
+ - allow: local
## Only accounts on the local ejabberd server can create Pubsub nodes:
- pubsub_createnode:
- local: allow
+ pubsub_createnode:
+ - allow: local
## In-band registration allows registration of any possible username.
## To disable in-band registration, replace 'allow' with 'deny'.
- register:
- all: allow
+ register:
+ - allow
## Only allow to register from localhost
- trusted_network:
- loopback: allow
- ## Do not establish S2S connections with bad servers
- ## s2s:
- ## bad_servers: deny
- ## all: allow
+ trusted_network:
+ - allow: loopback
+ ## Do not establish S2S connections with bad servers
+ ## If you enable this you also have to uncomment "s2s_access: s2s"
+ ## s2s:
+ ## - deny:
+ ## - ip: "XXX.XXX.XXX.XXX/32"
+ ## - deny:
+ ## - ip: "XXX.XXX.XXX.XXX/32"
+ ## - allow
+
+## ===============
+## API PERMISSIONS
+## ===============
+##
+## This section allows you to define who and using what method
+## can execute commands offered by ejabberd.
+##
+## By default "console commands" section allow executing all commands
+## issued using ejabberdctl command, and "admin access" section allows
+## users in admin acl that connect from 127.0.0.1 to execute all
+## commands except start and stop with any available access method
+## (ejabberdctl, http-api, xmlrpc depending what is enabled on server).
+##
+## If you remove "console commands" there will be one added by
+## default allowing executing all commands, but if you just change
+## permissions in it, version from config file will be used instead
+## of default one.
+##
+api_permissions:
+ "console commands":
+ from:
+ - ejabberd_ctl
+ who: all
+ what: "*"
+ "admin access":
+ who:
+ - access:
+ - allow:
+ - acl: loopback
+ - acl: admin
+ - oauth:
+ - scope: "ejabberd:admin"
+ - access:
+ - allow:
+ - acl: loopback
+ - acl: admin
+ what:
+ - "*"
+ - "!stop"
+ - "!start"
+ "public commands":
+ who:
+ - ip: "127.0.0.1/8"
+ what:
+ - "status"
+ - "connected_users_number"
## By default the frequency of account registrations from the same IP
## is limited to 1 account every 10 minutes. To disable, specify: infinity
## registration_timeout: 600
-
+
##
## Define specific Access Rules in a virtual host.
##
## "localhost":
## access:
## c2s:
-## admin: allow
-## all: deny
+## - allow: admin
+## - deny
## register:
-## all: deny
+## - deny
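Review bot: The `"public commands"` rule at L488-493 admits callers only by `ip: "127.0.0.1/8"`, an IPv4-only check written with host bits set in the prefix, while the `loopback` ACL in this same hunk (L340-344) was just extended to `::1/128` and `::FFFF:127.0.0.1/128` and the listeners bind `"::"`; a client reaching `/api` over IPv6 loopback will presumably not match this rule. Reusing the ACL keeps the two definitions consistent: replace L490 with `- acl: loopback`. If the literal form is kept, write the network as `"127.0.0.0/8"` so the intended range is unambiguous.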
###. ================
###' DEFAULT LANGUAGE
##
## captcha_limit: 5
+###. ====
+###' ACME
+##
+## In order to use the acme certificate acquiring through "Let's Encrypt"
+## an http listener has to be configured to listen to port 80 so that
+## the authorization challenges posed by "Let's Encrypt" can be solved.
+##
+## A simple way of doing this would be to add the following in the listening
+## section and to configure port forwarding from 80 to 5281 either via NAT
+## (for ipv4 only) or using frontends such as haproxy/nginx/sslh/etc.
+## -
+## port: 5281
+## ip: "::"
+## module: ejabberd_http
+
+acme:
+
+ ## A contact mail that the ACME Certificate Authority can contact in case of
+ ## an authorization issue, such as a server-initiated certificate revocation.
+ ## It is not mandatory to provide an email address but it is highly suggested.
+ contact: "mailto:example-admin@example.com"
+
+
+ ## The ACME Certificate Authority URL.
+ ## This could either be:
+ ## - https://acme-v01.api.letsencrypt.org - (Default) for the production CA
+ ## - https://acme-staging.api.letsencrypt.org - for the staging CA
+ ## - http://localhost:4000 - for a local version of the CA
+ ca_url: "https://acme-v01.api.letsencrypt.org"
+
###. =======
###' MODULES
##
## Modules enabled in all ejabberd virtual hosts.
##
-modules:
+modules:
mod_adhoc: {}
mod_admin_extra: {}
- mod_announce: # recommends mod_adhoc
+ mod_announce: # recommends mod_adhoc
access: announce
- mod_blocking: {} # requires mod_privacy
+ mod_blocking: {} # requires mod_privacy
mod_caps: {}
mod_carboncopy: {}
mod_client_state: {}
- mod_configure: {} # requires mod_adhoc
+ mod_configure: {} # requires mod_adhoc
+ ## mod_delegation: {} # for xep0356
mod_disco: {}
mod_echo: {}
mod_irc: {}
- mod_http_bind: {}
+ mod_bosh: {}
## mod_http_fileserver:
## docroot: "/var/www"
## accesslog: "/var/log/ejabberd/access.log"
+ ## mod_http_upload:
+ ## # docroot: "@HOME@/upload"
+ ## put_url: "https://@HOST@:5444"
+ ## thumbnail: false # otherwise needs the identify command from ImageMagick installed
+ ## mod_http_upload_quota:
+ ## max_days: 30
mod_last: {}
- mod_muc:
+ ## XEP-0313: Message Archive Management
+ ## You might want to setup a SQL backend for MAM because the mnesia database is
+ ## limited to 2GB which might be exceeded on large servers
+ ## mod_mam: {} # for xep0313, mnesia is limited to 2GB, better use an SQL backend
+ mod_muc:
## host: "conference.@HOST@"
- access: muc
+ access:
+ - allow
+ access_admin:
+ - allow: admin
access_create: muc_create
access_persistent: muc_create
- access_admin: muc_admin
- ## mod_muc_log: {}
mod_muc_admin: {}
+ ## mod_muc_log: {}
## mod_multicast: {}
- mod_offline:
+ mod_offline:
access_max_user_messages: max_user_offline_messages
mod_ping: {}
## mod_pres_counter:
mod_privacy: {}
mod_private: {}
## mod_proxy65: {}
- mod_pubsub:
+ mod_pubsub:
access_createnode: pubsub_createnode
## reduces resource comsumption, but XEP incompliant
ignore_pep_from_offline: true
## XEP compliant, but increases resource comsumption
## ignore_pep_from_offline: false
last_item_cache: false
- plugins:
+ plugins:
- "flat"
- "hometree"
- - "pep" # pep requires mod_caps
- mod_register:
- ##
- ## Protect In-Band account registrations with CAPTCHA.
- ##
- ## captcha_protected: true
-
- ##
- ## Set the minimum informational entropy for passwords.
- ##
- ## password_strength: 32
-
- ##
- ## After successful registration, the user receives
- ## a message with this subject and body.
- ##
- welcome_message:
- subject: "Welcome!"
- body: |-
- Hi.
- Welcome to this XMPP server.
-
- ##
- ## When a user registers, send a notification to
- ## these XMPP accounts.
- ##
- ## registration_watchers:
- ## - "admin1@example.org"
-
- ##
- ## Only clients in the server machine can register accounts
- ##
- ip_access: trusted_network
-
- ##
- ## Local c2s or remote s2s users cannot register accounts
- ##
- ## access_from: deny
-
- access: register
- mod_roster: {}
+ - "pep" # pep requires mod_caps
+ mod_push: {}
+ mod_push_keepalive: {}
+ ## mod_register:
+ ##
+ ## Protect In-Band account registrations with CAPTCHA.
+ ##
+ ## captcha_protected: true
+ ##
+ ## Set the minimum informational entropy for passwords.
+ ##
+ ## password_strength: 32
+ ##
+ ## After successful registration, the user receives
+ ## a message with this subject and body.
+ ##
+ ## welcome_message:
+ ## subject: "Welcome!"
+ ## body: |-
+ ## Hi.
+ ## Welcome to this XMPP server.
+ ##
+ ## When a user registers, send a notification to
+ ## these XMPP accounts.
+ ##
+ ## registration_watchers:
+ ## - "admin1@example.org"
+ ##
+ ## Only clients in the server machine can register accounts
+ ##
+ ## ip_access: trusted_network
+ ##
+ ## Local c2s or remote s2s users cannot register accounts
+ ##
+ ## access_from: deny
+ ## access: register
+ mod_roster:
+ versioning: true
mod_shared_roster: {}
mod_stats: {}
mod_time: {}
mod_vcard:
search: false
+ mod_vcard_xupdate: {}
+ ## Convert all avatars posted by Android clients from WebP to JPEG
+ ## mod_avatar: # this module needs compile option --enable-graphics
+ ## convert:
+ ## webp: jpeg
mod_version: {}
+ mod_stream_mgmt:
+ resend_on_timeout: if_offline
+ ## Non-SASL Authentication (XEP-0078) is now disabled by default
+ ## because it's obsoleted and is used mostly by abandoned
+ ## client software
+ ## mod_legacy_auth: {}
+ ## The module for S2S dialback (XEP-0220). Please note that you cannot
+ ## rely solely on dialback if you want to federate with other servers,
+ ## because a lot of servers have dialback disabled and instead rely on
+ ## PKIX authentication. Make sure you have proper certificates installed
+ ## and check your accessibility at https://check.messaging.one/
+ mod_s2s_dialback: {}
+ mod_http_api: {}
##
## Enable modules with custom options in a specific virtual host