mirror of
https://git.pleroma.social/pleroma/pleroma.git
synced 2024-12-25 01:20:31 +00:00
933 lines
28 KiB
INI
933 lines
28 KiB
INI
|
%%%
|
||
|
%%% ejabberd configuration file
|
||
|
%%%
|
||
|
%%%'
|
||
|
|
||
|
%%% The parameters used in this configuration file are explained in more detail
|
||
|
%%% in the ejabberd Installation and Operation Guide.
|
||
|
%%% Please consult the Guide in case of doubts, it is included with
|
||
|
%%% your copy of ejabberd, and is also available online at
|
||
|
%%% http://www.process-one.net/en/ejabberd/docs/
|
||
|
|
||
|
%%% This configuration file contains Erlang terms.
|
||
|
%%% In case you want to understand the syntax, here are the concepts:
|
||
|
%%%
|
||
|
%%% - The character to comment a line is %
|
||
|
%%%
|
||
|
%%% - Each term ends in a dot, for example:
|
||
|
%%% override_global.
|
||
|
%%%
|
||
|
%%% - A tuple has a fixed definition, its elements are
|
||
|
%%% enclosed in {}, and separated with commas:
|
||
|
%%% {loglevel, 4}.
|
||
|
%%%
|
||
|
%%% - A list can have as many elements as you want,
|
||
|
%%% and is enclosed in [], for example:
|
||
|
%%% [http_poll, web_admin, tls]
|
||
|
%%%
|
||
|
%%% Pay attention that list elements are delimited with commas,
|
||
|
%%% but no comma is allowed after the last list element. This will
|
||
|
%%% give a syntax error unlike in more lenient languages (e.g. Python).
|
||
|
%%%
|
||
|
%%% - A keyword of ejabberd is a word in lowercase.
|
||
|
%%% Strings are enclosed in "" and can contain spaces, dots, ...
|
||
|
%%% {language, "en"}.
|
||
|
%%% {ldap_rootdn, "dc=example,dc=com"}.
|
||
|
%%%
|
||
|
%%% - This term includes a tuple, a keyword, a list, and two strings:
|
||
|
%%% {hosts, ["jabber.example.net", "im.example.com"]}.
|
||
|
%%%
|
||
|
%%% - This config is preprocessed during release generation by a tool which
|
||
|
%%% interprets double curly braces as substitution markers, so avoid this
|
||
|
%%% syntax in this file (though it's valid Erlang).
|
||
|
%%%
|
||
|
%%% So this is OK (though arguably looks quite ugly):
|
||
|
%%% { {s2s_addr, "example-host.net"}, {127,0,0,1} }.
|
||
|
%%%
|
||
|
%%% And I can't give an example of what's not OK exactly because
|
||
|
%%% of this rule.
|
||
|
%%%
|
||
|
|
||
|
|
||
|
%%%. =======================
|
||
|
%%%' OVERRIDE STORED OPTIONS
|
||
|
|
||
|
%%
|
||
|
%% Override the old values stored in the database.
|
||
|
%%
|
||
|
|
||
|
%%
|
||
|
%% Override global options (shared by all ejabberd nodes in a cluster).
|
||
|
%%
|
||
|
%%override_global.
|
||
|
|
||
|
%%
|
||
|
%% Override local options (specific for this particular ejabberd node).
|
||
|
%%
|
||
|
%%override_local.
|
||
|
|
||
|
%%
|
||
|
%% Remove the Access Control Lists before new ones are added.
|
||
|
%%
|
||
|
%%override_acls.
|
||
|
|
||
|
|
||
|
%%%. =========
|
||
|
%%%' DEBUGGING
|
||
|
|
||
|
%%
|
||
|
%% loglevel: Verbosity of log files generated by ejabberd.
|
||
|
%% 0: No ejabberd log at all (not recommended)
|
||
|
%% 1: Critical
|
||
|
%% 2: Error
|
||
|
%% 3: Warning
|
||
|
%% 4: Info
|
||
|
%% 5: Debug
|
||
|
%%
|
||
|
{loglevel, 3}.
|
||
|
|
||
|
%%%. ================
|
||
|
%%%' SERVED HOSTNAMES
|
||
|
|
||
|
%%
|
||
|
%% hosts: Domains served by ejabberd.
|
||
|
%% You can define one or several, for example:
|
||
|
%% {hosts, ["example.net", "example.com", "example.org"]}.
|
||
|
%%
|
||
|
{hosts, ["pleroma.soykaf.com"] }.
|
||
|
|
||
|
%%
|
||
|
%% route_subdomains: Delegate subdomains to other XMPP servers.
|
||
|
%% For example, if this ejabberd serves example.org and you want
|
||
|
%% to allow communication with an XMPP server called im.example.org.
|
||
|
%%
|
||
|
%%{route_subdomains, s2s}.
|
||
|
|
||
|
|
||
|
%%%. ===============
|
||
|
%%%' LISTENING PORTS
|
||
|
|
||
|
%%
|
||
|
%% listen: The ports ejabberd will listen on, which service each is handled
|
||
|
%% by and what options to start it with.
|
||
|
%%
|
||
|
{listen,
|
||
|
[
|
||
|
%% BOSH and WS endpoints over HTTP
|
||
|
{ 5280, ejabberd_cowboy, [
|
||
|
{num_acceptors, 10},
|
||
|
{transport_options, [{max_connections, 1024}]},
|
||
|
{modules, [
|
||
|
|
||
|
{"_", "/http-bind", mod_bosh},
|
||
|
{"_", "/ws-xmpp", mod_websockets, [{ejabberd_service, [
|
||
|
{access, all},
|
||
|
{shaper_rule, fast},
|
||
|
{ip, {127, 0, 0, 1}},
|
||
|
{password, "secret"}]}
|
||
|
%% Uncomment to enable connection dropping or/and server-side pings
|
||
|
%{timeout, 600000}, {ping_rate, 2000}
|
||
|
]}
|
||
|
%% Uncomment to serve static files
|
||
|
%{"_", "/static/[...]", cowboy_static,
|
||
|
% {dir, "/var/www", [{mimetypes, cow_mimetypes, all}]}
|
||
|
%},
|
||
|
|
||
|
%% Example usage of mod_revproxy
|
||
|
|
||
|
%% {"_", "/[...]", mod_revproxy, [{timeout, 5000},
|
||
|
%% % time limit for upstream to respond
|
||
|
%% {body_length, 8000000},
|
||
|
%% % maximum body size (may be infinity)
|
||
|
%% {custom_headers, [{<<"header">>,<<"value">>}]}
|
||
|
%% % list of extra headers that are send to upstream
|
||
|
%% ]}
|
||
|
|
||
|
%% Example usage of mod_cowboy
|
||
|
|
||
|
%% {"_", "/[...]", mod_cowboy, [{http, mod_revproxy,
|
||
|
%% [{timeout, 5000},
|
||
|
%% % time limit for upstream to respond
|
||
|
%% {body_length, 8000000},
|
||
|
%% % maximum body size (may be infinity)
|
||
|
%% {custom_headers, [{<<"header">>,<<"value">>}]}
|
||
|
%% % list of extra headers that are send to upstream
|
||
|
%% ]},
|
||
|
%% {ws, xmpp, mod_websockets}
|
||
|
%% ]}
|
||
|
]}
|
||
|
]},
|
||
|
|
||
|
%% BOSH and WS endpoints over HTTPS
|
||
|
{ 5285, ejabberd_cowboy, [
|
||
|
{num_acceptors, 10},
|
||
|
{transport_options, [{max_connections, 1024}]},
|
||
|
{ssl, [{certfile, "priv/ssl/fullchain.pem"}, {keyfile, "priv/ssl/privkey.pem"}, {password, ""}]},
|
||
|
{modules, [
|
||
|
{"_", "/http-bind", mod_bosh},
|
||
|
{"_", "/ws-xmpp", mod_websockets, [
|
||
|
%% Uncomment to enable connection dropping or/and server-side pings
|
||
|
%{timeout, 600000}, {ping_rate, 60000}
|
||
|
]}
|
||
|
%% Uncomment to serve static files
|
||
|
%{"_", "/static/[...]", cowboy_static,
|
||
|
% {dir, "/var/www", [{mimetypes, cow_mimetypes, all}]}
|
||
|
%},
|
||
|
]}
|
||
|
]},
|
||
|
|
||
|
%% MongooseIM HTTP API it's important to start it on localhost
|
||
|
%% or some private interface only (not accessible from the outside)
|
||
|
%% At least start it on different port which will be hidden behind firewall
|
||
|
|
||
|
{ {8088, "127.0.0.1"} , ejabberd_cowboy, [
|
||
|
{num_acceptors, 10},
|
||
|
{transport_options, [{max_connections, 1024}]},
|
||
|
{modules, [
|
||
|
{"localhost", "/api", mongoose_api_admin, []}
|
||
|
]}
|
||
|
]},
|
||
|
|
||
|
{ 8089 , ejabberd_cowboy, [
|
||
|
{num_acceptors, 10},
|
||
|
{transport_options, [{max_connections, 1024}]},
|
||
|
{protocol_options, [{compress, true}]},
|
||
|
{ssl, [{certfile, "priv/ssl/fullchain.pem"}, {keyfile, "priv/ssl/privkey.pem"}, {password, ""}]},
|
||
|
{modules, [
|
||
|
{"_", "/api/sse", lasse_handler, [mongoose_client_api_sse]},
|
||
|
{"_", "/api/messages/[:with]", mongoose_client_api_messages, []},
|
||
|
{"_", "/api/contacts/[:jid]", mongoose_client_api_contacts, []},
|
||
|
{"_", "/api/rooms/[:id]", mongoose_client_api_rooms, []},
|
||
|
{"_", "/api/rooms/[:id]/config", mongoose_client_api_rooms_config, []},
|
||
|
{"_", "/api/rooms/:id/users/[:user]", mongoose_client_api_rooms_users, []},
|
||
|
{"_", "/api/rooms/[:id]/messages", mongoose_client_api_rooms_messages, []}
|
||
|
]}
|
||
|
]},
|
||
|
|
||
|
%% Following HTTP API is deprected, the new one abouve should be used instead
|
||
|
|
||
|
{ {5288, "127.0.0.1"} , ejabberd_cowboy, [
|
||
|
{num_acceptors, 10},
|
||
|
{transport_options, [{max_connections, 1024}]},
|
||
|
{modules, [
|
||
|
{"localhost", "/api", mongoose_api, [{handlers, [mongoose_api_metrics,
|
||
|
mongoose_api_users]}]}
|
||
|
]}
|
||
|
]},
|
||
|
|
||
|
{ 5222, ejabberd_c2s, [
|
||
|
|
||
|
%%
|
||
|
%% If TLS is compiled in and you installed a SSL
|
||
|
%% certificate, specify the full path to the
|
||
|
%% file and uncomment this line:
|
||
|
%%
|
||
|
{certfile, "priv/ssl/both.pem"}, starttls,
|
||
|
|
||
|
%%{zlib, 10000},
|
||
|
%% https://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS
|
||
|
%% {ciphers, "DEFAULT:!EXPORT:!LOW:!SSLv2"},
|
||
|
{access, c2s},
|
||
|
{shaper, c2s_shaper},
|
||
|
{max_stanza_size, 65536},
|
||
|
{protocol_options, ["no_sslv3"]}
|
||
|
|
||
|
]},
|
||
|
|
||
|
|
||
|
|
||
|
%%
|
||
|
%% To enable the old SSL connection method on port 5223:
|
||
|
%%
|
||
|
%%{5223, ejabberd_c2s, [
|
||
|
%% {access, c2s},
|
||
|
%% {shaper, c2s_shaper},
|
||
|
%% {certfile, "/path/to/ssl.pem"}, tls,
|
||
|
%% {max_stanza_size, 65536}
|
||
|
%% ]},
|
||
|
|
||
|
{ 5269, ejabberd_s2s_in, [
|
||
|
{shaper, s2s_shaper},
|
||
|
{max_stanza_size, 131072},
|
||
|
{protocol_options, ["no_sslv3"]}
|
||
|
|
||
|
]}
|
||
|
|
||
|
%%
|
||
|
%% ejabberd_service: Interact with external components (transports, ...)
|
||
|
%%
|
||
|
,{8888, ejabberd_service, [
|
||
|
{access, all},
|
||
|
{shaper_rule, fast},
|
||
|
{ip, {127, 0, 0, 1}},
|
||
|
{password, "secret"}
|
||
|
]}
|
||
|
|
||
|
%%
|
||
|
%% ejabberd_stun: Handles STUN Binding requests
|
||
|
%%
|
||
|
%%{ {3478, udp}, ejabberd_stun, []}
|
||
|
|
||
|
]}.
|
||
|
|
||
|
%%
|
||
|
%% s2s_use_starttls: Enable STARTTLS + Dialback for S2S connections.
|
||
|
%% Allowed values are: false optional required required_trusted
|
||
|
%% You must specify a certificate file.
|
||
|
%%
|
||
|
{s2s_use_starttls, optional}.
|
||
|
%%
|
||
|
%% s2s_certfile: Specify a certificate file.
|
||
|
%%
|
||
|
{s2s_certfile, "priv/ssl/both.pem"}.
|
||
|
|
||
|
%% https://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS
|
||
|
%% {s2s_ciphers, "DEFAULT:!EXPORT:!LOW:!SSLv2"}.
|
||
|
|
||
|
%%
|
||
|
%% domain_certfile: Specify a different certificate for each served hostname.
|
||
|
%%
|
||
|
%%{domain_certfile, "example.org", "/path/to/example_org.pem"}.
|
||
|
%%{domain_certfile, "example.com", "/path/to/example_com.pem"}.
|
||
|
|
||
|
%%
|
||
|
%% S2S whitelist or blacklist
|
||
|
%%
|
||
|
%% Default s2s policy for undefined hosts.
|
||
|
%%
|
||
|
{s2s_default_policy, deny }.
|
||
|
|
||
|
%%
|
||
|
%% Allow or deny communication with specific servers.
|
||
|
%%
|
||
|
%%{ {s2s_host, "goodhost.org"}, allow}.
|
||
|
%%{ {s2s_host, "badhost.org"}, deny}.
|
||
|
|
||
|
{outgoing_s2s_port, 5269 }.
|
||
|
|
||
|
%%
|
||
|
%% IP addresses predefined for specific hosts to skip DNS lookups.
|
||
|
%% Ports defined here take precedence over outgoing_s2s_port.
|
||
|
%% Examples:
|
||
|
%%
|
||
|
%% { {s2s_addr, "example-host.net"}, {127,0,0,1} }.
|
||
|
%% { {s2s_addr, "example-host.net"}, { {127,0,0,1}, 5269 } }.
|
||
|
%% { {s2s_addr, "example-host.net"}, { {127,0,0,1}, 5269 } }.
|
||
|
|
||
|
%%
|
||
|
%% Outgoing S2S options
|
||
|
%%
|
||
|
%% Preferred address families (which to try first) and connect timeout
|
||
|
%% in milliseconds.
|
||
|
%%
|
||
|
%%{outgoing_s2s_options, [ipv4, ipv6], 10000}.
|
||
|
%%
|
||
|
%%%. ==============
|
||
|
%%%' SESSION BACKEND
|
||
|
|
||
|
%%{sm_backend, {mnesia, []}}.
|
||
|
|
||
|
%% Requires {redis, global, default, ..., ...} outgoing pool
|
||
|
%%{sm_backend, {redis, []}}.
|
||
|
|
||
|
{sm_backend, {mnesia, []} }.
|
||
|
|
||
|
|
||
|
%%%. ==============
|
||
|
%%%' AUTHENTICATION
|
||
|
|
||
|
%% Advertised SASL mechanisms
|
||
|
{sasl_mechanisms, [cyrsasl_plain]}.
|
||
|
|
||
|
%%
|
||
|
%% auth_method: Method used to authenticate the users.
|
||
|
%% The default method is the internal.
|
||
|
%% If you want to use a different method,
|
||
|
%% comment this line and enable the correct ones.
|
||
|
%%
|
||
|
%% {auth_method, internal }.
|
||
|
{auth_method, http }.
|
||
|
{auth_opts, [
|
||
|
{http, global, auth, [{workers, 50}], [{server, "https://pleroma.soykaf.com"}]},
|
||
|
{password_format, plain} % default
|
||
|
%% {password_format, scram}
|
||
|
|
||
|
%% {scram_iterations, 4096} % default
|
||
|
|
||
|
%%
|
||
|
%% For auth_http:
|
||
|
%% {basic_auth, "user:password"}
|
||
|
%% {path_prefix, "/"} % default
|
||
|
%% auth_http requires {http, Host | global, auth, ..., ...} outgoing pool.
|
||
|
%%
|
||
|
%% For auth_external
|
||
|
%%{extauth_program, "/path/to/authentication/script"}.
|
||
|
%%
|
||
|
%% For auth_jwt
|
||
|
%% {jwt_secret_source, "/path/to/file"},
|
||
|
%% {jwt_algorithm, "RS256"},
|
||
|
%% {jwt_username_key, user}
|
||
|
%% For cyrsasl_external
|
||
|
%% {authenticate_with_cn, false}
|
||
|
{cyrsasl_external, standard}
|
||
|
]}.
|
||
|
|
||
|
%%
|
||
|
%% Authentication using external script
|
||
|
%% Make sure the script is executable by ejabberd.
|
||
|
%%
|
||
|
%%{auth_method, external}.
|
||
|
|
||
|
%%
|
||
|
%% Authentication using RDBMS
|
||
|
%% Remember to setup a database in the next section.
|
||
|
%%
|
||
|
%%{auth_method, rdbms}.
|
||
|
|
||
|
%%
|
||
|
%% Authentication using LDAP
|
||
|
%%
|
||
|
%%{auth_method, ldap}.
|
||
|
%%
|
||
|
|
||
|
%% List of LDAP servers:
|
||
|
%%{ldap_servers, ["localhost"]}.
|
||
|
%%
|
||
|
%% Encryption of connection to LDAP servers:
|
||
|
%%{ldap_encrypt, none}.
|
||
|
%%{ldap_encrypt, tls}.
|
||
|
%%
|
||
|
%% Port to connect to on LDAP servers:
|
||
|
%%{ldap_port, 389}.
|
||
|
%%{ldap_port, 636}.
|
||
|
%%
|
||
|
%% LDAP manager:
|
||
|
%%{ldap_rootdn, "dc=example,dc=com"}.
|
||
|
%%
|
||
|
%% Password of LDAP manager:
|
||
|
%%{ldap_password, "******"}.
|
||
|
%%
|
||
|
%% Search base of LDAP directory:
|
||
|
%%{ldap_base, "dc=example,dc=com"}.
|
||
|
%%
|
||
|
%% LDAP attribute that holds user ID:
|
||
|
%%{ldap_uids, [{"mail", "%u@mail.example.org"}]}.
|
||
|
%%
|
||
|
%% LDAP filter:
|
||
|
%%{ldap_filter, "(objectClass=shadowAccount)"}.
|
||
|
|
||
|
%%
|
||
|
%% Anonymous login support:
|
||
|
%% auth_method: anonymous
|
||
|
%% anonymous_protocol: sasl_anon | login_anon | both
|
||
|
%% allow_multiple_connections: true | false
|
||
|
%%
|
||
|
%%{host_config, "public.example.org", [{auth_method, anonymous},
|
||
|
%% {allow_multiple_connections, false},
|
||
|
%% {anonymous_protocol, sasl_anon}]}.
|
||
|
%%
|
||
|
%% To use both anonymous and internal authentication:
|
||
|
%%
|
||
|
%%{host_config, "public.example.org", [{auth_method, [internal, anonymous]}]}.
|
||
|
|
||
|
|
||
|
%%%. ==============
|
||
|
%%%' OUTGOING CONNECTIONS (e.g. DB)
|
||
|
|
||
|
%% Here you may configure all outgoing connections used by MongooseIM,
|
||
|
%% e.g. to RDBMS (such as MySQL), Riak or external HTTP components.
|
||
|
%% Default MongooseIM configuration uses only Mnesia (non-Mnesia extensions are disabled),
|
||
|
%% so no options here are uncommented out of the box.
|
||
|
%% This section includes configuration examples; for comprehensive guide
|
||
|
%% please consult MongooseIM documentation, page "Outgoing connections":
|
||
|
%% - doc/advanced-configuration/outgoing-connections.md
|
||
|
%% - https://mongooseim.readthedocs.io/en/latest/advanced-configuration/outgoing-connections/
|
||
|
|
||
|
|
||
|
{outgoing_pools, [
|
||
|
% {riak, global, default, [{workers, 5}], [{address, "127.0.0.1"}, {port, 8087}]},
|
||
|
% {elastic, global, default, [], [{host, "elastic.host.com"}, {port, 9042}]},
|
||
|
{http, global, auth, [{workers, 50}], [{server, "https://pleroma.soykaf.com"}]}
|
||
|
% {cassandra, global, default, [{workers, 100}], [{servers, [{"server1", 9042}]}, {keyspace, "big_mongooseim"}]},
|
||
|
% {rdbms, global, default, [{workers, 10}], [{server, {mysql, "server", 3306, "database", "username", "password"}}]}
|
||
|
]}.
|
||
|
|
||
|
%% More examples that may be added to outgoing_pools list:
|
||
|
%%
|
||
|
%% == MySQL ==
|
||
|
%% {rdbms, global, default, [{workers, 10}],
|
||
|
%% [{server, {mysql, "server", 3306, "database", "username", "password"}},
|
||
|
%% {keepalive_interval, 10}]},
|
||
|
%% keepalive_interval is optional
|
||
|
|
||
|
%% == PostgreSQL ==
|
||
|
%% {rdbms, global, default, [{workers, 10}],
|
||
|
%% [{server, {pgsql, "server", 5432, "database", "username", "password"}}]},
|
||
|
|
||
|
%% == ODBC (MSSQL) ==
|
||
|
%% {rdbms, global, default, [{workers, 10}],
|
||
|
%% [{server, "DSN=mongooseim;UID=mongooseim;PWD=mongooseim"}]},
|
||
|
|
||
|
%% == Elastic Search ==
|
||
|
%% {elastic, global, default, [], [{host, "elastic.host.com"}, {port, 9042}]},
|
||
|
|
||
|
%% == Riak ==
|
||
|
%% {riak, global, default, [{workers, 20}], [{address, "127.0.0.1"}, {port, 8087}]},
|
||
|
|
||
|
%% == HTTP ==
|
||
|
%% {http, global, conn1, [{workers, 50}], [{server, "http://server:8080"}]},
|
||
|
|
||
|
%% == Cassandra ==
|
||
|
%% {cassandra, global, default, [{workers, 100}],
|
||
|
%% [
|
||
|
%% {servers, [
|
||
|
%% {"cassandra_server1.example.com", 9042},
|
||
|
%% {"cassandra_server2.example.com", 9042},
|
||
|
%% {"cassandra_server3.example.com", 9042},
|
||
|
%% {"cassandra_server4.example.com", 9042}
|
||
|
%% ]},
|
||
|
%% {keyspace, "big_mongooseim"}
|
||
|
%% ]}
|
||
|
|
||
|
%% == Extra options ==
|
||
|
%%
|
||
|
%% If you use PostgreSQL, have a large database, and need a
|
||
|
%% faster but inexact replacement for "select count(*) from users"
|
||
|
%%
|
||
|
%%{pgsql_users_number_estimate, true}.
|
||
|
%%
|
||
|
%% rdbms_server_type specifies what database is used over the RDBMS layer
|
||
|
%% Can take values mssql, pgsql, mysql
|
||
|
%% In some cases (for example for MAM with pgsql) it is required to set proper value.
|
||
|
%%
|
||
|
%% {rdbms_server_type, pgsql}.
|
||
|
|
||
|
%%%. ===============
|
||
|
%%%' TRAFFIC SHAPERS
|
||
|
|
||
|
%%
|
||
|
%% The "normal" shaper limits traffic speed to 1000 B/s
|
||
|
%%
|
||
|
{shaper, normal, {maxrate, 1000}}.
|
||
|
|
||
|
%%
|
||
|
%% The "fast" shaper limits traffic speed to 50000 B/s
|
||
|
%%
|
||
|
{shaper, fast, {maxrate, 50000}}.
|
||
|
|
||
|
%%
|
||
|
%% This option specifies the maximum number of elements in the queue
|
||
|
%% of the FSM. Refer to the documentation for details.
|
||
|
%%
|
||
|
{max_fsm_queue, 1000}.
|
||
|
|
||
|
%%%. ====================
|
||
|
%%%' ACCESS CONTROL LISTS
|
||
|
|
||
|
%%
|
||
|
%% The 'admin' ACL grants administrative privileges to XMPP accounts.
|
||
|
%% You can put here as many accounts as you want.
|
||
|
%%
|
||
|
%{acl, admin, {user, "alice", "localhost"}}.
|
||
|
%{acl, admin, {user, "a", "localhost"}}.
|
||
|
|
||
|
%%
|
||
|
%% Blocked users
|
||
|
%%
|
||
|
%%{acl, blocked, {user, "baduser", "example.org"}}.
|
||
|
%%{acl, blocked, {user, "test"}}.
|
||
|
|
||
|
%%
|
||
|
%% Local users: don't modify this line.
|
||
|
%%
|
||
|
{acl, local, {user_regexp, ""}}.
|
||
|
|
||
|
%%
|
||
|
%% More examples of ACLs
|
||
|
%%
|
||
|
%%{acl, jabberorg, {server, "jabber.org"}}.
|
||
|
%%{acl, aleksey, {user, "aleksey", "jabber.ru"}}.
|
||
|
%%{acl, test, {user_regexp, "^test"}}.
|
||
|
%%{acl, test, {user_glob, "test*"}}.
|
||
|
|
||
|
%%
|
||
|
%% Define specific ACLs in a virtual host.
|
||
|
%%
|
||
|
%%{host_config, "localhost",
|
||
|
%% [
|
||
|
%% {acl, admin, {user, "bob-local", "localhost"}}
|
||
|
%% ]
|
||
|
%%}.
|
||
|
|
||
|
%%%. ============
|
||
|
%%%' ACCESS RULES
|
||
|
|
||
|
%% Maximum number of simultaneous sessions allowed for a single user:
|
||
|
{access, max_user_sessions, [{10, all}]}.
|
||
|
|
||
|
%% Maximum number of offline messages that users can have:
|
||
|
{access, max_user_offline_messages, [{5000, admin}, {100, all}]}.
|
||
|
|
||
|
%% This rule allows access only for local users:
|
||
|
{access, local, [{allow, local}]}.
|
||
|
|
||
|
%% Only non-blocked users can use c2s connections:
|
||
|
{access, c2s, [{deny, blocked},
|
||
|
{allow, all}]}.
|
||
|
|
||
|
%% For C2S connections, all users except admins use the "normal" shaper
|
||
|
{access, c2s_shaper, [{none, admin},
|
||
|
{normal, all}]}.
|
||
|
|
||
|
%% All S2S connections use the "fast" shaper
|
||
|
{access, s2s_shaper, [{fast, all}]}.
|
||
|
|
||
|
%% Admins of this server are also admins of the MUC service:
|
||
|
{access, muc_admin, [{allow, admin}]}.
|
||
|
|
||
|
%% Only accounts of the local ejabberd server can create rooms:
|
||
|
{access, muc_create, [{allow, local}]}.
|
||
|
|
||
|
%% All users are allowed to use the MUC service:
|
||
|
{access, muc, [{allow, all}]}.
|
||
|
|
||
|
%% In-band registration allows registration of any possible username.
|
||
|
%% To disable in-band registration, replace 'allow' with 'deny'.
|
||
|
{access, register, [{allow, all}]}.
|
||
|
|
||
|
%% By default the frequency of account registrations from the same IP
|
||
|
%% is limited to 1 account every 10 minutes. To disable, specify: infinity
|
||
|
{registration_timeout, infinity}.
|
||
|
|
||
|
%% Default settings for MAM.
|
||
|
%% To set non-standard value, replace 'default' with 'allow' or 'deny'.
|
||
|
%% Only user can access his/her archive by default.
|
||
|
%% An online user can read room's archive by default.
|
||
|
%% Only an owner can change settings and purge messages by default.
|
||
|
%% Empty list (i.e. `[]`) means `[{deny, all}]`.
|
||
|
{access, mam_set_prefs, [{default, all}]}.
|
||
|
{access, mam_get_prefs, [{default, all}]}.
|
||
|
{access, mam_lookup_messages, [{default, all}]}.
|
||
|
{access, mam_purge_single_message, [{default, all}]}.
|
||
|
{access, mam_purge_multiple_messages, [{default, all}]}.
|
||
|
|
||
|
%% 1 command of the specified type per second.
|
||
|
{shaper, mam_shaper, {maxrate, 1}}.
|
||
|
%% This shaper is primeraly for Mnesia overload protection during stress testing.
|
||
|
%% The limit is 1000 operations of each type per second.
|
||
|
{shaper, mam_global_shaper, {maxrate, 1000}}.
|
||
|
|
||
|
{access, mam_set_prefs_shaper, [{mam_shaper, all}]}.
|
||
|
{access, mam_get_prefs_shaper, [{mam_shaper, all}]}.
|
||
|
{access, mam_lookup_messages_shaper, [{mam_shaper, all}]}.
|
||
|
{access, mam_purge_single_message_shaper, [{mam_shaper, all}]}.
|
||
|
{access, mam_purge_multiple_messages_shaper, [{mam_shaper, all}]}.
|
||
|
|
||
|
{access, mam_set_prefs_global_shaper, [{mam_global_shaper, all}]}.
|
||
|
{access, mam_get_prefs_global_shaper, [{mam_global_shaper, all}]}.
|
||
|
{access, mam_lookup_messages_global_shaper, [{mam_global_shaper, all}]}.
|
||
|
{access, mam_purge_single_message_global_shaper, [{mam_global_shaper, all}]}.
|
||
|
{access, mam_purge_multiple_messages_global_shaper, [{mam_global_shaper, all}]}.
|
||
|
|
||
|
%%
|
||
|
%% Define specific Access Rules in a virtual host.
|
||
|
%%
|
||
|
%%{host_config, "localhost",
|
||
|
%% [
|
||
|
%% {access, c2s, [{allow, admin}, {deny, all}]},
|
||
|
%% {access, register, [{deny, all}]}
|
||
|
%% ]
|
||
|
%%}.
|
||
|
|
||
|
%%%. ================
|
||
|
%%%' DEFAULT LANGUAGE
|
||
|
|
||
|
%%
|
||
|
%% language: Default language used for server messages.
|
||
|
%%
|
||
|
{language, "en"}.
|
||
|
|
||
|
%%
|
||
|
%% Set a different default language in a virtual host.
|
||
|
%%
|
||
|
%%{host_config, "localhost",
|
||
|
%% [{language, "ru"}]
|
||
|
%%}.
|
||
|
|
||
|
%%%. ================
|
||
|
%%%' MISCELLANEOUS
|
||
|
|
||
|
{all_metrics_are_global, false }.
|
||
|
|
||
|
%%%. ========
|
||
|
%%%' SERVICES
|
||
|
|
||
|
%% Unlike modules, services are started per node and provide either features which are not
|
||
|
%% related to any particular host, or backend stuff which is used by modules.
|
||
|
%% This is handled by `mongoose_service` module.
|
||
|
|
||
|
{services,
|
||
|
[
|
||
|
{service_admin_extra, [{submods, [node, accounts, sessions, vcard,
|
||
|
roster, last, private, stanza, stats]}]}
|
||
|
]
|
||
|
}.
|
||
|
|
||
|
%%%. =======
|
||
|
%%%' MODULES
|
||
|
|
||
|
%%
|
||
|
%% Modules enabled in all mongooseim virtual hosts.
|
||
|
%% For list of possible modules options, check documentation.
|
||
|
%%
|
||
|
{modules,
|
||
|
[
|
||
|
|
||
|
%% The format for a single route is as follows:
|
||
|
%% {Host, Path, Method, Upstream}
|
||
|
%%
|
||
|
%% "_" can be used as wildcard for Host, Path and Method
|
||
|
%% Upstream can be either host (just http(s)://host:port) or uri
|
||
|
%% The difference is that host upstreams append whole path while
|
||
|
%% uri upstreams append only remainder that follows the matched Path
|
||
|
%% (this behaviour is similar to nginx's proxy_pass rules)
|
||
|
%%
|
||
|
%% Bindings can be used to match certain parts of host or path.
|
||
|
%% They will be later overlaid with parts of the upstream uri.
|
||
|
%%
|
||
|
%% {mod_revproxy,
|
||
|
%% [{routes, [{"www.erlang-solutions.com", "/admin", "_",
|
||
|
%% "https://www.erlang-solutions.com/"},
|
||
|
%% {":var.com", "/:var", "_", "http://localhost:8080/"},
|
||
|
%% {":domain.com", "/", "_", "http://localhost:8080/:domain"}]
|
||
|
%% }]},
|
||
|
|
||
|
% {mod_http_upload, [
|
||
|
%% Set max file size in bytes. Defaults to 10 MB.
|
||
|
%% Disabled if value is `undefined`.
|
||
|
% {max_file_size, 1024},
|
||
|
%% Use S3 storage backend
|
||
|
% {backend, s3},
|
||
|
%% Set options for S3 backend
|
||
|
% {s3, [
|
||
|
% {bucket_url, "http://s3-eu-west-1.amazonaws.com/konbucket2"},
|
||
|
% {region, "eu-west-1"},
|
||
|
% {access_key_id, "AKIAIAOAONIULXQGMOUA"},
|
||
|
% {secret_access_key, "dGhlcmUgYXJlIG5vIGVhc3RlciBlZ2dzIGhlcmVf"}
|
||
|
% ]}
|
||
|
% ]},
|
||
|
|
||
|
{mod_adhoc, []},
|
||
|
|
||
|
{mod_disco, [{users_can_see_hidden_services, false}]},
|
||
|
{mod_commands, []},
|
||
|
{mod_muc_commands, []},
|
||
|
{mod_muc_light_commands, []},
|
||
|
{mod_last, []},
|
||
|
{mod_stream_management, [
|
||
|
% default 100
|
||
|
% size of a buffer of unacked messages
|
||
|
% {buffer_max, 100}
|
||
|
|
||
|
% default 1 - server sends the ack request after each stanza
|
||
|
% {ack_freq, 1}
|
||
|
|
||
|
% default: 600 seconds
|
||
|
% {resume_timeout, 600}
|
||
|
]},
|
||
|
%% {mod_muc_light, [{host, "muclight.@HOST@"}]},
|
||
|
%% {mod_muc, [{host, "muc.@HOST@"},
|
||
|
%% {access, muc},
|
||
|
%% {access_create, muc_create}
|
||
|
%% ]},
|
||
|
%% {mod_muc_log, [
|
||
|
%% {outdir, "/tmp/muclogs"},
|
||
|
%% {access_log, muc}
|
||
|
%% ]},
|
||
|
{mod_offline, [{access_max_user_messages, max_user_offline_messages}]},
|
||
|
{mod_privacy, []},
|
||
|
{mod_blocking, []},
|
||
|
{mod_private, []},
|
||
|
% {mod_private, [{backend, mnesia}]},
|
||
|
% {mod_private, [{backend, rdbms}]},
|
||
|
% {mod_register, [
|
||
|
% %%
|
||
|
% %% Set the minimum informational entropy for passwords.
|
||
|
% %%
|
||
|
% %%{password_strength, 32},
|
||
|
%
|
||
|
% %%
|
||
|
% %% After successful registration, the user receives
|
||
|
% %% a message with this subject and body.
|
||
|
% %%
|
||
|
% {welcome_message, {""}},
|
||
|
%
|
||
|
% %%
|
||
|
% %% When a user registers, send a notification to
|
||
|
% %% these XMPP accounts.
|
||
|
% %%
|
||
|
%
|
||
|
%
|
||
|
% %%
|
||
|
% %% Only clients in the server machine can register accounts
|
||
|
% %%
|
||
|
% {ip_access, [{allow, "127.0.0.0/8"},
|
||
|
% {deny, "0.0.0.0/0"}]},
|
||
|
%
|
||
|
% %%
|
||
|
% %% Local c2s or remote s2s users cannot register accounts
|
||
|
% %%
|
||
|
% %%{access_from, deny},
|
||
|
%
|
||
|
% {access, register}
|
||
|
% ]},
|
||
|
{mod_roster, []},
|
||
|
{mod_sic, []},
|
||
|
{mod_vcard, [%{matches, 1},
|
||
|
%{search, true},
|
||
|
%{ldap_search_operator, 'or'}, %% either 'or' or 'and'
|
||
|
%{ldap_binary_search_fields, [<<"PHOTO">>]},
|
||
|
%% list of binary search fields (as in vcard after mapping)
|
||
|
{host, "vjud.@HOST@"}
|
||
|
]},
|
||
|
{mod_bosh, []},
|
||
|
{mod_carboncopy, []}
|
||
|
|
||
|
%%
|
||
|
%% Message Archive Management (MAM, XEP-0313) for registered users and
|
||
|
%% Multi-User chats (MUCs).
|
||
|
%%
|
||
|
|
||
|
% {mod_mam_meta, [
|
||
|
%% Use RDBMS backend (default)
|
||
|
% {backend, rdbms},
|
||
|
|
||
|
%% Do not store user preferences (default)
|
||
|
% {user_prefs_store, false},
|
||
|
%% Store user preferences in RDBMS
|
||
|
% {user_prefs_store, rdbms},
|
||
|
%% Store user preferences in Mnesia (recommended).
|
||
|
%% The preferences store will be called each time, as a message is routed.
|
||
|
%% That is why Mnesia is better suited for this job.
|
||
|
% {user_prefs_store, mnesia},
|
||
|
|
||
|
%% Enables a pool of asynchronous writers. (default)
|
||
|
%% Messages will be grouped together based on archive id.
|
||
|
% {async_writer, true},
|
||
|
|
||
|
%% Cache information about users (default)
|
||
|
% {cache_users, true},
|
||
|
|
||
|
%% Enable archivization for private messages (default)
|
||
|
% {pm, [
|
||
|
%% Top-level options can be overriden here if needed, for example:
|
||
|
% {async_writer, false}
|
||
|
% ]},
|
||
|
|
||
|
%%
|
||
|
%% Message Archive Management (MAM) for multi-user chats (MUC).
|
||
|
%% Enable XEP-0313 for "muc.@HOST@".
|
||
|
%%
|
||
|
% {muc, [
|
||
|
% {host, "muc.@HOST@"}
|
||
|
%% As with pm, top-level options can be overriden for MUC archive
|
||
|
% ]},
|
||
|
%
|
||
|
%% Do not use a <stanza-id/> element (by default stanzaid is used)
|
||
|
% no_stanzaid_element,
|
||
|
% ]},
|
||
|
|
||
|
|
||
|
%%
|
||
|
%% MAM configuration examples
|
||
|
%%
|
||
|
|
||
|
%% Only MUC, no user-defined preferences, good performance.
|
||
|
% {mod_mam_meta, [
|
||
|
% {backend, rdbms},
|
||
|
% {pm, false},
|
||
|
% {muc, [
|
||
|
% {host, "muc.@HOST@"}
|
||
|
% ]}
|
||
|
% ]},
|
||
|
|
||
|
%% Only archives for c2c messages, good performance.
|
||
|
% {mod_mam_meta, [
|
||
|
% {backend, rdbms},
|
||
|
% {pm, [
|
||
|
% {user_prefs_store, mnesia}
|
||
|
% ]}
|
||
|
% ]},
|
||
|
|
||
|
%% Basic configuration for c2c messages, bad performance, easy to debug.
|
||
|
% {mod_mam_meta, [
|
||
|
% {backend, rdbms},
|
||
|
% {async_writer, false},
|
||
|
% {cache_users, false}
|
||
|
% ]},
|
||
|
|
||
|
%% Cassandra archive for c2c and MUC conversations.
|
||
|
%% No custom settings supported (always archive).
|
||
|
% {mod_mam_meta, [
|
||
|
% {backend, cassandra},
|
||
|
% {user_prefs_store, cassandra},
|
||
|
% {muc, [{host, "muc.@HOST@"}]}
|
||
|
% ]}
|
||
|
|
||
|
% {mod_event_pusher, [
|
||
|
% {backends, [
|
||
|
% %%
|
||
|
% %% Configuration for Amazon SNS notifications.
|
||
|
% %%
|
||
|
% {sns, [
|
||
|
% %% AWS credentials, region and host configuration
|
||
|
% {access_key_id, "AKIAJAZYHOIPY6A2PESA"},
|
||
|
% {secret_access_key, "c3RvcCBsb29raW5nIGZvciBlYXN0ZXIgZWdncyxr"},
|
||
|
% {region, "eu-west-1"},
|
||
|
% {account_id, "251423380551"},
|
||
|
% {region, "eu-west-1"},
|
||
|
% {sns_host, "sns.eu-west-1.amazonaws.com"},
|
||
|
%
|
||
|
% %% Messages from this MUC host will be sent to the SNS topic
|
||
|
% {muc_host, "muc.@HOST@"},
|
||
|
%
|
||
|
% %% Plugin module for defining custom message attributes and user identification
|
||
|
% {plugin_module, mod_event_pusher_sns_defaults},
|
||
|
%
|
||
|
% %% Topic name configurations. Removing a topic will disable this specific SNS notification
|
||
|
% {presence_updates_topic, "user_presence_updated-dev-1"}, %% For presence updates
|
||
|
% {pm_messages_topic, "user_message_sent-dev-1"}, %% For private chat messages
|
||
|
% {muc_messages_topic, "user_messagegroup_sent-dev-1"} %% For group chat messages
|
||
|
%
|
||
|
% %% Pool options
|
||
|
% {pool_size, 100}, %% Worker pool size for publishing notifications
|
||
|
% {publish_retry_count, 2}, %% Retry count in case of publish error
|
||
|
% {publish_retry_time_ms, 50} %% Base exponential backoff time (in ms) for publish errors
|
||
|
% ]}
|
||
|
% ]}
|
||
|
|
||
|
]}.
|
||
|
|
||
|
|
||
|
%%
|
||
|
%% Enable modules with custom options in a specific virtual host
|
||
|
%%
|
||
|
%%{host_config, "localhost",
|
||
|
%% [{ {add, modules},
|
||
|
%% [
|
||
|
%% {mod_some_module, []}
|
||
|
%% ]
|
||
|
%% }
|
||
|
%% ]}.
|
||
|
|
||
|
%%%.
|
||
|
%%%'
|
||
|
|
||
|
%%% $Id$
|
||
|
|
||
|
%%% Local Variables:
|
||
|
%%% mode: erlang
|
||
|
%%% End:
|
||
|
%%% vim: set filetype=erlang tabstop=8 foldmarker=%%%',%%%. foldmethod=marker:
|
||
|
%%%.
|