ejabberd-current.yml 24 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931
  1. ###
  2. ###' ejabberd configuration file
  3. ###
  4. ###
  5. ### The parameters used in this configuration file are explained in more detail
  6. ### in the ejabberd Installation and Operation Guide.
  7. ### Please consult the Guide in case of doubts, it is included with
  8. ### your copy of ejabberd, and is also available online at
  9. ### http://www.process-one.net/en/ejabberd/docs/
  10. ### The configuration file is written in YAML.
  11. ### Refer to http://en.wikipedia.org/wiki/YAML for the brief description.
  12. ### However, ejabberd treats different literals as different types:
  13. ###
  14. ### - unquoted or single-quoted strings. They are called "atoms".
  15. ### Example: dog, 'Jupiter', '3.14159', YELLOW
  16. ###
  17. ### - numeric literals. Example: 3, -45.0, .0
  18. ###
  19. ### - quoted or folded strings.
  20. ### Examples of quoted string: "Lizzard", "orange".
  21. ### Example of folded string:
  22. ### > Art thou not Romeo,
  23. ### and a Montague?
  24. ###. =======
  25. ###' LOGGING
  26. ##
  27. ## loglevel: Verbosity of log files generated by ejabberd.
  28. ## 0: No ejabberd log at all (not recommended)
  29. ## 1: Critical
  30. ## 2: Error
  31. ## 3: Warning
  32. ## 4: Info
  33. ## 5: Debug
  34. ##
  35. loglevel: 4
  36. ##
  37. ## rotation: Describe how to rotate logs. Either size and/or date can trigger
  38. ## log rotation. Setting count to N keeps N rotated logs. Setting count to 0
  39. ## does not disable rotation, it instead rotates the file and keeps no previous
  40. ## versions around. Setting size to X rotate log when it reaches X bytes.
  41. ## To disable rotation set the size to 0 and the date to ""
  42. ## Date syntax is taken from the syntax newsyslog uses in newsyslog.conf.
  43. ## Some examples:
  44. ## $D0 rotate every night at midnight
  45. ## $D23 rotate every day at 23:00 hr
  46. ## $W0D23 rotate every week on Sunday at 23:00 hr
  47. ## $W5D16 rotate every week on Friday at 16:00 hr
  48. ## $M1D0 rotate on the first day of every month at midnight
  49. ## $M5D6 rotate on every 5th day of the month at 6:00 hr
  50. ##
  51. log_rotate_size: 1048576
  52. log_rotate_date: ""
  53. log_rotate_count: 0
  54. ##
  55. ## overload protection: If you want to limit the number of messages per second
  56. ## allowed from error_logger, which is a good idea if you want to avoid a flood
  57. ## of messages when system is overloaded, you can set a limit.
  58. ## 100 is ejabberd's default.
  59. log_rate_limit: 100
  60. ##
  61. ## watchdog_admins: Only useful for developers: if an ejabberd process
  62. ## consumes a lot of memory, send live notifications to these XMPP
  63. ## accounts.
  64. ##
  65. ## watchdog_admins:
  66. ## - "bob@example.com"
  67. ###. ===============
  68. ###' NODE PARAMETERS
  69. ##
  70. ## net_ticktime: Specifies net_kernel tick time in seconds. This options must have
  71. ## identical value on all nodes, and in most cases shouldn't be changed at all from
  72. ## default value.
  73. ##
  74. ## net_ticktime: 60
  75. ###. ================
  76. ###' SERVED HOSTNAMES
  77. ##
  78. ## hosts: Domains served by ejabberd.
  79. ## You can define one or several, for example:
  80. ## hosts:
  81. ## - "example.net"
  82. ## - "example.com"
  83. ## - "example.org"
  84. ##
  85. hosts:
  86. - "im.s-up.net"
  87. # - "localhost"
  88. ##
  89. ## route_subdomains: Delegate subdomains to other XMPP servers.
  90. ## For example, if this ejabberd serves example.org and you want
  91. ## to allow communication with an XMPP server called im.example.org.
  92. ##
  93. ## route_subdomains: s2s
  94. ###. ============
  95. ###' Certificates
  96. ## List all available PEM files containing certificates for your domains,
  97. ## chains of certificates or certificate keys. Full chains will be built
  98. ## automatically by ejabberd.
  99. ##
  100. certfiles:
  101. - "/home/ejabberd/ssl/*.pem"
  102. # - "/home/ejabberd/conf/server.pem"
  103. ## - "/etc/letsencrypt/live/example.org/*.pem"
  104. ## - "/etc/letsencrypt/live/example.com/*.pem"
  105. ca_file: "/home/ejabberd/conf/cacert.pem"
  106. ###. =================
  107. ###' TLS configuration
  108. ## Note that the following configuration is the default
  109. ## configuration of the TLS driver, so you don't need to
  110. ## uncomment it.
  111. ##
  112. ## define_macro:
  113. ## 'TLS_CIPHERS': "HIGH:!aNULL:!eNULL:!3DES:@STRENGTH"
  114. ## 'TLS_OPTIONS':
  115. ## - "no_sslv3"
  116. ## - "cipher_server_preference"
  117. ## - "no_compression"
  118. ## 'DH_FILE': "/home/ejabberd/conf/dhparams.pem" # generated with: openssl dhparam -out dhparams.pem 2048
  119. ##
  120. ## c2s_dhfile: 'DH_FILE'
  121. ## s2s_dhfile: 'DH_FILE'
  122. ## c2s_ciphers: 'TLS_CIPHERS'
  123. c2s_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256"
  124. ## s2s_ciphers: 'TLS_CIPHERS'
  125. s2s_ciphers: "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
  126. ## c2s_protocol_options: 'TLS_OPTIONS'
  127. c2s_protocol_options:
  128. - "no_sslv2"
  129. - "no_sslv3"
  130. - "no_tlsv1"
  131. - "no_tlsv1_1"
  132. ## s2s_protocol_options: 'TLS_OPTIONS'
  133. s2s_protocol_options:
  134. - "no_sslv2"
  135. - "no_sslv3"
  136. ###. ===============
  137. ###' LISTENING PORTS
  138. ##
  139. ## listen: The ports ejabberd will listen on, which service each is handled
  140. ## by and what options to start it with.
  141. ##
  142. listen:
  143. -
  144. port: 8080
  145. ip: "::"
  146. module: ejabberd_http
  147. request_handlers:
  148. "": mod_http_fileserver
  149. -
  150. port: 5223
  151. ip: "::"
  152. module: ejabberd_c2s
  153. tls: true
  154. max_stanza_size: 65536
  155. shaper: c2s_shaper
  156. access: c2s
  157. -
  158. port: 5347
  159. ip: "::"
  160. module: ejabberd_service
  161. access: all
  162. hosts:
  163. "irc.im.s-up.net":
  164. password: "secret"
  165. -
  166. port: 5443
  167. protocol_options:
  168. - "no_sslv2"
  169. - "no_sslv3"
  170. - "no_tlsv1"
  171. - "no_tlsv1_1"
  172. ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256"
  173. ip: "::"
  174. module: ejabberd_http
  175. request_handlers:
  176. "": mod_http_upload
  177. tls: true
  178. -
  179. port: 5222
  180. ip: "::"
  181. module: ejabberd_c2s
  182. starttls: true
  183. ##
  184. ## To enforce TLS encryption for client connections,
  185. ## use this instead of the "starttls" option:
  186. ##
  187. ## starttls_required: true
  188. starttls_required: true
  189. ##
  190. ## Stream compression
  191. ##
  192. ## zlib: true
  193. ##
  194. max_stanza_size: 65536
  195. #shaper: c2s_shaper
  196. access: c2s
  197. -
  198. port: 5269
  199. ip: "::"
  200. module: ejabberd_s2s_in
  201. max_stanza_size: 131072
  202. shaper: s2s_shaper
  203. -
  204. port: 5280
  205. protocol_options:
  206. - "no_sslv2"
  207. - "no_sslv3"
  208. - "no_tlsv1"
  209. - "no_tlsv1_1"
  210. ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256"
  211. ip: "::"
  212. module: ejabberd_http
  213. tls: true
  214. request_handlers:
  215. "/ws": ejabberd_http_ws
  216. "/bosh": mod_bosh
  217. "/": mod_http_fileserver
  218. http_bind: true
  219. ## "/oauth": ejabberd_oauth
  220. ## "/api": mod_http_api
  221. ## "/pub/archive": mod_http_fileserver
  222. # web_admin: true
  223. ## register: true
  224. captcha: false
  225. ##
  226. ## ejabberd_service: Interact with external components (transports, ...)
  227. ##
  228. ## -
  229. ## port: 8888
  230. ## ip: "::"
  231. ## module: ejabberd_service
  232. ## access: all
  233. ## shaper_rule: fast
  234. ## ip: "127.0.0.1"
  235. ## privilege_access:
  236. ## roster: "both"
  237. ## message: "outgoing"
  238. ## presence: "roster"
  239. ## delegations:
  240. ## "urn:xmpp:mam:1":
  241. ## filtering: ["node"]
  242. ## "http://jabber.org/protocol/pubsub":
  243. ## filtering: []
  244. ## hosts:
  245. ## "icq.example.org":
  246. ## password: "secret"
  247. ## "sms.example.org":
  248. ## password: "secret"
  249. ##
  250. ## ejabberd_stun: Handles STUN Binding requests
  251. ##
  252. -
  253. port: 3478
  254. transport: udp
  255. module: ejabberd_stun
  256. ##
  257. ## To handle XML-RPC requests that provide admin credentials:
  258. ##
  259. ## -
  260. ## port: 4560
  261. ## ip: "::"
  262. ## module: ejabberd_xmlrpc
  263. ## maxsessions: 10
  264. ## timeout: 5000
  265. ## access_commands:
  266. ## admin:
  267. ## commands: all
  268. ## options: []
  269. ##
  270. ## To enable secure http upload
  271. ##
  272. ## -
  273. ## port: 5444
  274. ## ip: "::"
  275. ## module: ejabberd_http
  276. ## request_handlers:
  277. ## "": mod_http_upload
  278. ## tls: true
  279. ## protocol_options: 'TLS_OPTIONS'
  280. ## dhfile: 'DH_FILE'
  281. ## ciphers: 'TLS_CIPHERS'
  282. ## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text
  283. ## password storage (see auth_password_format option).
  284. ## disable_sasl_mechanisms: "digest-md5"
  285. ###. ==================
  286. ###' S2S GLOBAL OPTIONS
  287. ##
  288. ## s2s_use_starttls: Enable STARTTLS for S2S connections.
  289. ## Allowed values are: false, optional or required
  290. ## You must specify 'certfiles' option
  291. ##
  292. s2s_use_starttls: optional
  293. ##
  294. ## S2S whitelist or blacklist
  295. ##
  296. ## Default s2s policy for undefined hosts.
  297. ##
  298. ## s2s_access: s2s
  299. ##
  300. ## Outgoing S2S options
  301. ##
  302. ## Preferred address families (which to try first) and connect timeout
  303. ## in seconds.
  304. ##
  305. ## outgoing_s2s_families:
  306. ## - ipv4
  307. ## - ipv6
  308. ## outgoing_s2s_timeout: 190
  309. ###. ==============
  310. ###' AUTHENTICATION
  311. ##
  312. ## auth_method: Method used to authenticate the users.
  313. ## The default method is the internal.
  314. ## If you want to use a different method,
  315. ## comment this line and enable the correct ones.
  316. ##
  317. auth_method: internal
  318. ##
  319. ## Store the plain passwords or hashed for SCRAM:
  320. ## auth_password_format: plain
  321. ## auth_password_format: scram
  322. ##
  323. ## Define the FQDN if ejabberd doesn't detect it:
  324. ## fqdn: "server3.example.com"
  325. ##
  326. ## Authentication using external script
  327. ## Make sure the script is executable by ejabberd.
  328. ##
  329. ## auth_method: external
  330. ## extauth_program: "/path/to/authentication/script"
  331. ##
  332. ## Authentication using SQL
  333. ## Remember to setup a database in the next section.
  334. ##
  335. ## auth_method: sql
  336. ##
  337. ## Authentication using PAM
  338. ##
  339. ## auth_method: pam
  340. ## pam_service: "pamservicename"
  341. ##
  342. ## Authentication using LDAP
  343. ##
  344. ## auth_method: ldap
  345. ##
  346. ## List of LDAP servers:
  347. ## ldap_servers:
  348. ## - "localhost"
  349. ##
  350. ## Encryption of connection to LDAP servers:
  351. ## ldap_encrypt: none
  352. ## ldap_encrypt: tls
  353. ##
  354. ## Port to connect to on LDAP servers:
  355. ## ldap_port: 389
  356. ## ldap_port: 636
  357. ##
  358. ## LDAP manager:
  359. ## ldap_rootdn: "dc=example,dc=com"
  360. ##
  361. ## Password of LDAP manager:
  362. ## ldap_password: "******"
  363. ##
  364. ## Search base of LDAP directory:
  365. ## ldap_base: "dc=example,dc=com"
  366. ##
  367. ## LDAP attribute that holds user ID:
  368. ## ldap_uids:
  369. ## - "mail": "%u@mail.example.org"
  370. ##
  371. ## LDAP filter:
  372. ## ldap_filter: "(objectClass=shadowAccount)"
  373. ##
  374. ## Anonymous login support:
  375. ## auth_method: anonymous
  376. ## anonymous_protocol: sasl_anon | login_anon | both
  377. ## allow_multiple_connections: true | false
  378. ##
  379. ## host_config:
  380. ## "public.example.org":
  381. ## auth_method: anonymous
  382. ## allow_multiple_connections: false
  383. ## anonymous_protocol: sasl_anon
  384. ##
  385. ## To use both anonymous and internal authentication:
  386. ##
  387. ## host_config:
  388. ## "public.example.org":
  389. ## auth_method:
  390. ## - internal
  391. ## - anonymous
  392. ###. ==============
  393. ###' DATABASE SETUP
  394. ## ejabberd by default uses the internal Mnesia database,
  395. ## so you do not necessarily need this section.
  396. ## This section provides configuration examples in case
  397. ## you want to use other database backends.
  398. ## Please consult the ejabberd Guide for details on database creation.
  399. ##
  400. ## MySQL server:
  401. ##
  402. ## sql_type: mysql
  403. ## sql_server: "server"
  404. ## sql_database: "database"
  405. ## sql_username: "username"
  406. ## sql_password: "password"
  407. ##
  408. ## If you want to specify the port:
  409. ## sql_port: 1234
  410. ##
  411. ## PostgreSQL server:
  412. ##
  413. ## sql_type: pgsql
  414. ## sql_server: "server"
  415. ## sql_database: "database"
  416. ## sql_username: "username"
  417. ## sql_password: "password"
  418. ##
  419. ## If you want to specify the port:
  420. ## sql_port: 1234
  421. ##
  422. ## If you use PostgreSQL, have a large database, and need a
  423. ## faster but inexact replacement for "select count(*) from users"
  424. ##
  425. ## pgsql_users_number_estimate: true
  426. ##
  427. ## SQLite:
  428. ##
  429. ## sql_type: sqlite
  430. ## sql_database: "/home/ejabberd/database/ejabberd.db"
  431. ##
  432. ## ODBC compatible or MSSQL server:
  433. ##
  434. ## sql_type: odbc
  435. ## sql_server: "DSN=ejabberd;UID=ejabberd;PWD=ejabberd"
  436. ##
  437. ## Number of connections to open to the database for each virtual host
  438. ##
  439. ## sql_pool_size: 10
  440. ##
  441. ## Interval to make a dummy SQL request to keep the connections to the
  442. ## database alive. Specify in seconds: for example 28800 means 8 hours
  443. ##
  444. ## sql_keepalive_interval: undefined
  445. ##
  446. ## Use the new SQL schema
  447. ##
  448. ## new_sql_schema: true
  449. ###. ===============
  450. ###' TRAFFIC SHAPERS
  451. shaper:
  452. ##
  453. ## The "normal" shaper limits traffic speed to 1000 B/s
  454. ##
  455. #normal: 1000
  456. normal: 1000000
  457. ##
  458. ## The "fast" shaper limits traffic speed to 50000 B/s
  459. ##
  460. #fast: 50000
  461. fast: 1000000
  462. ##
  463. ## This option specifies the maximum number of elements in the queue
  464. ## of the FSM. Refer to the documentation for details.
  465. ##
  466. max_fsm_queue: 10000
  467. ###. ====================
  468. ###' ACCESS CONTROL LISTS
  469. acl:
  470. ##
  471. ## The 'admin' ACL grants administrative privileges to XMPP accounts.
  472. ## You can put here as many accounts as you want.
  473. ##
  474. admin:
  475. user:
  476. - "admin@localhost"
  477. - "ircadmin@im.s-up.net"
  478. ##
  479. ## Blocked users
  480. ##
  481. ## blocked:
  482. ## user:
  483. ## - "baduser@example.org"
  484. ## - "test"
  485. ## Local users: don't modify this.
  486. ##
  487. local:
  488. user_regexp: ""
  489. ##
  490. ## More examples of ACLs
  491. ##
  492. ## jabberorg:
  493. ## server:
  494. ## - "jabber.org"
  495. ## aleksey:
  496. ## user:
  497. ## - "aleksey@jabber.ru"
  498. ## test:
  499. ## user_regexp: "^test"
  500. ## user_glob: "test*"
  501. ##
  502. ## Loopback network
  503. ##
  504. loopback:
  505. ip:
  506. - "127.0.0.0/8"
  507. - "::1/128"
  508. - "::FFFF:127.0.0.1/128"
  509. ##
  510. ## Bad XMPP servers
  511. ##
  512. ## bad_servers:
  513. ## server:
  514. ## - "xmpp.zombie.org"
  515. ## - "xmpp.spam.com"
  516. ##
  517. ## Define specific ACLs in a virtual host.
  518. ##
  519. ## host_config:
  520. ## "localhost":
  521. ## acl:
  522. ## admin:
  523. ## user:
  524. ## - "bob-local@localhost"
  525. ###. ============
  526. ###' SHAPER RULES
  527. shaper_rules:
  528. ## Maximum number of simultaneous sessions allowed for a single user:
  529. max_user_sessions: 10
  530. ## Maximum number of offline messages that users can have:
  531. max_user_offline_messages:
  532. - 5000: admin
  533. - 100
  534. ## For C2S connections, all users except admins use the "normal" shaper
  535. # c2s_shaper:
  536. # - none: admin
  537. # - normal
  538. ## All S2S connections use the "fast" shaper
  539. s2s_shaper: fast
  540. ###. ============
  541. ###' ACCESS RULES
  542. access_rules:
  543. ## This rule allows access only for local users:
  544. local:
  545. - allow: local
  546. ## Only non-blocked users can use c2s connections:
  547. c2s:
  548. - deny: blocked
  549. - allow
  550. ## Only admins can send announcement messages:
  551. announce:
  552. - allow: admin
  553. ## Only admins can use the configuration interface:
  554. configure:
  555. - allow: admin
  556. ## Only accounts of the local ejabberd server can create rooms:
  557. muc_create:
  558. - allow: local
  559. ## Only accounts on the local ejabberd server can create Pubsub nodes:
  560. pubsub_createnode:
  561. - allow: local
  562. ## In-band registration allows registration of any possible username.
  563. ## To disable in-band registration, replace 'allow' with 'deny'.
  564. register:
  565. - allow
  566. ## Only allow to register from localhost
  567. trusted_network:
  568. - allow: loopback
  569. ## Do not establish S2S connections with bad servers
  570. ## If you enable this you also have to uncomment "s2s_access: s2s"
  571. ## s2s:
  572. ## - deny:
  573. ## - ip: "XXX.XXX.XXX.XXX/32"
  574. ## - deny:
  575. ## - ip: "XXX.XXX.XXX.XXX/32"
  576. ## - allow
  577. ## ===============
  578. ## API PERMISSIONS
  579. ## ===============
  580. ##
  581. ## This section allows you to define who and using what method
  582. ## can execute commands offered by ejabberd.
  583. ##
  584. ## By default "console commands" section allow executing all commands
  585. ## issued using ejabberdctl command, and "admin access" section allows
  586. ## users in admin acl that connect from 127.0.0.1 to execute all
  587. ## commands except start and stop with any available access method
  588. ## (ejabberdctl, http-api, xmlrpc depending what is enabled on server).
  589. ##
  590. ## If you remove "console commands" there will be one added by
  591. ## default allowing executing all commands, but if you just change
  592. ## permissions in it, version from config file will be used instead
  593. ## of default one.
  594. ##
  595. api_permissions:
  596. "console commands":
  597. from:
  598. - ejabberd_ctl
  599. who: all
  600. what: "*"
  601. "admin access":
  602. who:
  603. - access:
  604. - allow:
  605. - acl: loopback
  606. - acl: admin
  607. - oauth:
  608. - scope: "ejabberd:admin"
  609. - access:
  610. - allow:
  611. - acl: loopback
  612. - acl: admin
  613. what:
  614. - "*"
  615. - "!stop"
  616. - "!start"
  617. "public commands":
  618. who:
  619. - ip: "127.0.0.1/8"
  620. what:
  621. - "status"
  622. - "connected_users_number"
  623. ## By default the frequency of account registrations from the same IP
  624. ## is limited to 1 account every 10 minutes. To disable, specify: infinity
  625. ## registration_timeout: 600
  626. ##
  627. ## Define specific Access Rules in a virtual host.
  628. ##
  629. ## host_config:
  630. ## "localhost":
  631. ## access:
  632. ## c2s:
  633. ## - allow: admin
  634. ## - deny
  635. ## register:
  636. ## - deny
  637. ###. ================
  638. ###' DEFAULT LANGUAGE
  639. ##
  640. ## language: Default language used for server messages.
  641. ##
  642. language: "en"
  643. ##
  644. ## Set a different default language in a virtual host.
  645. ##
  646. ## host_config:
  647. ## "localhost":
  648. ## language: "ru"
  649. ###. =======
  650. ###' CAPTCHA
  651. ##
  652. ## Full path to a script that generates the image.
  653. ##
  654. ## captcha_cmd: "/home/ejabberd/lib/ejabberd-xx.yy/priv/bin/captcha.sh"
  655. ##
  656. ## Host for the URL and port where ejabberd listens for CAPTCHA requests.
  657. ##
  658. ## captcha_host: "example.org:5280"
  659. ##
  660. ## Limit CAPTCHA calls per minute for JID/IP to avoid DoS.
  661. ##
  662. ## captcha_limit: 5
  663. ###. ====
  664. ###' ACME
  665. ##
  666. ## In order to use the acme certificate acquiring through "Let's Encrypt"
  667. ## an http listener has to be configured to listen to port 80 so that
  668. ## the authorization challenges posed by "Let's Encrypt" can be solved.
  669. ##
  670. ## A simple way of doing this would be to add the following in the listening
  671. ## section and to configure port forwarding from 80 to 5280 either via NAT
  672. ## (for ipv4 only) or using frontends such as haproxy/nginx/sslh/etc.
  673. ## -
  674. ## port: 5280
  675. ## ip: "::"
  676. ## module: ejabberd_http
  677. acme:
  678. ## A contact mail that the ACME Certificate Authority can contact in case of
  679. ## an authorization issue, such as a server-initiated certificate revocation.
  680. ## It is not mandatory to provide an email address but it is highly suggested.
  681. contact: "mailto:example-admin@example.com"
  682. ## The ACME Certificate Authority URL.
  683. ## This could either be:
  684. ## - https://acme-v01.api.letsencrypt.org - (Default) for the production CA
  685. ## - https://acme-staging.api.letsencrypt.org - for the staging CA
  686. ## - http://localhost:4000 - for a local version of the CA
  687. ca_url: "https://acme-v01.api.letsencrypt.org"
  688. ###. =======
  689. ###' MODULES
  690. ##
  691. ## Modules enabled in all ejabberd virtual hosts.
  692. ##
  693. modules:
  694. mod_adhoc: {}
  695. mod_admin_extra: {}
  696. mod_announce: # recommends mod_adhoc
  697. access: announce
  698. mod_blocking: {} # requires mod_privacy
  699. mod_caps: {}
  700. mod_carboncopy: {}
  701. mod_client_state: {}
  702. mod_configure: {} # requires mod_adhoc
  703. ## mod_delegation: {} # for xep0356
  704. mod_disco: {}
  705. mod_stun_disco: {}
  706. ## mod_echo: {}
  707. ## mod_irc: {}
  708. mod_bosh: {}
  709. mod_http_fileserver:
  710. default_content_type: "text/html"
  711. docroot: "/var/www/"
  712. directory_indices:
  713. - "index.html"
  714. ## docroot: "/var/www"
  715. ## accesslog: "/home/ejabberd/logs/access.log"
  716. mod_http_upload:
  717. put_url: "https://@HOST@:5443/upload"
  718. thumbnail: false # otherwise needs ejabberd to be compiled with libgd support
  719. max_size: 524288 # 5MB
  720. mod_http_upload_quota:
  721. max_days: 3
  722. mod_last: {}
  723. ## XEP-0313: Message Archive Management
  724. ## You might want to setup a SQL backend for MAM because the mnesia database is
  725. ## limited to 2GB which might be exceeded on large servers
  726. ## mod_mam: {} # for xep0313, mnesia is limited to 2GB, better use an SQL backend
  727. mod_mam: {}
  728. mod_muc:
  729. ## host: "conference.@HOST@"
  730. access:
  731. - allow
  732. access_admin:
  733. - allow: admin
  734. access_create: muc_create
  735. access_persistent: muc_create
  736. mod_muc_admin: {}
  737. ## mod_muc_log: {}
  738. ## mod_multicast: {}
  739. mod_offline:
  740. access_max_user_messages: max_user_offline_messages
  741. mod_ping: {}
  742. ## mod_pres_counter:
  743. ## count: 5
  744. ## interval: 60
  745. mod_privacy: {}
  746. mod_private: {}
  747. mod_proxy65: {}
  748. mod_pubsub:
  749. access_createnode: pubsub_createnode
  750. ## reduces resource comsumption, but XEP incompliant
  751. ignore_pep_from_offline: true
  752. ## XEP compliant, but increases resource comsumption
  753. ## ignore_pep_from_offline: false
  754. last_item_cache: false
  755. max_items_node: 10
  756. plugins:
  757. - "flat"
  758. - "pep" # pep requires mod_caps
  759. force_node_config:
  760. # ## Avoid using OMEMO by default because it
  761. # ## introduces a lot of hard-to-track problems
  762. # "eu.siacs.conversations.axolotl.*":
  763. # access_model: whitelist
  764. ## Avoid buggy clients to make their bookmarks public
  765. "storage:bookmarks":
  766. access_model: whitelist
  767. mod_push: {}
  768. mod_push_keepalive: {}
  769. mod_register:
  770. ##
  771. ## Protect In-Band account registrations with CAPTCHA.
  772. ##
  773. ## captcha_protected: true
  774. ##
  775. ## Set the minimum informational entropy for passwords.
  776. ##
  777. ## password_strength: 32
  778. ##
  779. ## After successful registration, the user receives
  780. ## a message with this subject and body.
  781. ##
  782. welcome_message:
  783. subject: "Welcome!"
  784. body: |-
  785. Hi.
  786. Welcome to this XMPP server.
  787. ##
  788. ## When a user registers, send a notification to
  789. ## these XMPP accounts.
  790. ##
  791. ## registration_watchers:
  792. ## - "admin1@example.org"
  793. ##
  794. ## Only clients in the server machine can register accounts
  795. ##
  796. ip_access: trusted_network
  797. ##
  798. ## Local c2s or remote s2s users cannot register accounts
  799. ##
  800. ## access_from: deny
  801. access: register
  802. # mod_roster: {}
  803. mod_roster:
  804. versioning: true
  805. mod_shared_roster: {}
  806. ## mod_stats: {}
  807. ## mod_time: {}
  808. mod_vcard:
  809. search: false
  810. mod_vcard_xupdate: {}
  811. mod_avatar: {}
  812. mod_version: {}
  813. mod_stream_mgmt: {}
  814. ## Non-SASL Authentication (XEP-0078) is now disabled by default
  815. ## because it's obsoleted and is used mostly by abandoned
  816. ## client software
  817. ## mod_legacy_auth: {}
  818. ## The module for S2S dialback (XEP-0220). Please note that you cannot
  819. ## rely solely on dialback if you want to federate with other servers,
  820. ## because a lot of servers have dialback disabled and instead rely on
  821. ## PKIX authentication. Make sure you have proper certificates installed
  822. ## and check your accessibility at https://check.messaging.one/
  823. mod_s2s_dialback: {}
  824. mod_http_api: {}
  825. mod_fail2ban: {}
  826. ##
  827. ## Enable modules with custom options in a specific virtual host
  828. ##
  829. ## host_config:
  830. ## "localhost":
  831. ## modules:
  832. ## mod_echo:
  833. ## host: "mirror.localhost"
  834. ##
  835. ## Enable modules management via ejabberdctl for installation and
  836. ## uninstallation of public/private contributed modules
  837. ## (enabled by default)
  838. ##
  839. allow_contrib_modules: true
  840. ###.
  841. ###'
  842. ### Local Variables:
  843. ### mode: yaml
  844. ### End:
  845. ### vim: set filetype=yaml tabstop=8 foldmarker=###',###. foldmethod=marker: