Last active
November 17, 2022 12:44
-
-
Save SamWhited/69b25f8948ad7abec4ea to your computer and use it in GitHub Desktop.
Example ejabberd config
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### ======= | |
| ### LOGGING | |
| ## | |
| ## loglevel: Verbosity of log files generated by ejabberd. | |
| ## 0: No ejabberd log at all (not recommended) | |
| ## 1: Critical | |
| ## 2: Error | |
| ## 3: Warning | |
| ## 4: Info | |
| ## 5: Debug | |
| ## | |
| loglevel: 4 | |
| ## | |
| ## rotation: Describe how to rotate logs. Either size and/or date can trigger | |
| ## log rotation. Setting count to N keeps N rotated logs. Setting count to 0 | |
| ## does not disable rotation, it instead rotates the file and keeps no previous | |
| ## versions around. Setting size to X rotate log when it reaches X bytes. | |
| ## To disable rotation set the size to 0 and the date to "" | |
| ## Date syntax is taken from the syntax newsyslog uses in newsyslog.conf. | |
| ## Some examples: | |
| ## $D0 rotate every night at midnight | |
| ## $D23 rotate every day at 23:00 hr | |
| ## $W0D23 rotate every week on Sunday at 23:00 hr | |
| ## $W5D16 rotate every week on Friday at 16:00 hr | |
| ## $M1D0 rotate on the first day of every month at midnight | |
| ## $M5D6 rotate on every 5th day of the month at 6:00 hr | |
| ## | |
| ## Or just use logrotate... | |
| log_rotate_size: 10485760 | |
| log_rotate_date: "" | |
| log_rotate_count: 1 | |
| ## overload protection: If you want to limit the number of messages per second | |
| ## allowed from error_logger, which is a good idea if you want to avoid a flood | |
| ## of messages when system is overloaded, you can set a limit. | |
| ## 100 is ejabberd's default. | |
| log_rate_limit: 100 | |
| ## | |
| ## watchdog_admins: Only useful for developers: if an ejabberd process | |
| ## consumes a lot of memory, send live notifications to these XMPP | |
| ## accounts. | |
| ## | |
| watchdog_admins: | |
| - "todo@todo.com" | |
| ### ================ | |
| ### SERVED HOSTNAMES | |
| ## | |
| ## hosts: Domains served by ejabberd. | |
| ## You can define one or several, for example: | |
| ## | |
| hosts: | |
| - "todo.com" | |
| - "todo.net" | |
| ## | |
| ## route_subdomains: Delegate subdomains to other XMPP servers. | |
| ## For example, if this ejabberd serves example.org and you want | |
| ## to allow communication with an XMPP server called im.example.org. | |
| ## | |
| ## route_subdomains: s2s | |
| ### =============== | |
| ### LISTENING PORTS | |
| ## | |
| ## listen: The ports ejabberd will listen on, which service each is handled | |
| ## by and what options to start it with. | |
| ## | |
| listen: | |
| - | |
| port: 5222 | |
| module: ejabberd_c2s | |
| ## Don't use stream compression and tls compression | |
| zlib: false | |
| ## | |
| ## If TLS is compiled in and you installed a SSL | |
| ## certificate, specify the full path to the | |
| ## file and uncomment these lines: | |
| ## | |
| certfile: "TODO" | |
| ## starttls: true | |
| ## | |
| ## To enforce TLS encryption for client connections, | |
| ## use this instead of the "starttls" option: | |
| ## | |
| starttls_required: true | |
| ## | |
| ## Custom OpenSSL options | |
| ## All my clients support TLSv1.2, so just turn everything else off... | |
| ## | |
| protocol_options: | |
| - "no_sslv2" | |
| - "no_sslv3" | |
| - "no_tlsv1" | |
| - "no_tlsv1_1" | |
| ## Specify a small number of PFS ciphers only. | |
| ciphers: "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA" | |
| max_stanza_size: 65536 | |
| shaper: c2s_shaper | |
| access: c2s | |
| - | |
| port: 5269 | |
| module: ejabberd_s2s_in | |
| tls_compression: true | |
| ## | |
| ## ejabberd_stun: Handles STUN Binding requests | |
| ## | |
| - | |
| port: 5349 | |
| module: ejabberd_stun | |
| tls: true | |
| certfile: "TODO" | |
| use_turn: true | |
| turn_ip: "TODO (actual server IP)" | |
| auth_realm: "todo.com" | |
| ## | |
| ## To handle XML-RPC requests that provide admin credentials: | |
| ## | |
| ## - | |
| ## port: 4560 | |
| ## module: ejabberd_xmlrpc | |
| - | |
| ## TODO: Bind to localhost, then put this behind a TLS reverse proxy (read, "Nginx") | |
| port: 5280 | |
| module: ejabberd_http | |
| ## request_handlers: | |
| ## "/pub/archive": mod_http_fileserver | |
| web_admin: true | |
| http_poll: true | |
| http_bind: true | |
| ## register: true | |
| captcha: true | |
| ## | |
| ## domain_certfile: Specify a different certificate for each served hostname. | |
| ## | |
| host_config: | |
| "todo.com": | |
| domain_certfile: "TODO" | |
| "todo.net": | |
| domain_certfile: "TODO" | |
| ## | |
| ## Outgoing S2S options | |
| ## | |
| outgoing_s2s_families: | |
| - ipv6 | |
| - ipv4 | |
| outgoing_s2s_timeout: 10000 | |
| ## | |
| ## s2s_use_starttls: Enable STARTTLS + Dialback for S2S connections. | |
| ## Allowed values are: false optional required required_trusted | |
| ## | |
| s2s_use_starttls: required | |
| ## | |
| ## s2s_certfile: Specify a certificate file. | |
| ## | |
| s2s_certfile: "TODO" | |
| ## | |
| ## Set the ciphers which can be used for s2s connections. | |
| ## | |
| s2s_ciphers: "HIGH:!3DES:!aNULL:!SSLv2:@STRENGTH" | |
| ## Custom OpenSSL options | |
| s2s_protocol_options: | |
| - "no_sslv2" | |
| - "no_sslv3" | |
| ### ============== | |
| ### AUTHENTICATION | |
| ## | |
| ## auth_method: Method used to authenticate the users. | |
| ## The default method is the internal. | |
| auth_method: internal | |
| ## | |
| ## Store the plain passwords ("plain") or hashed for SCRAM ("scram"): | |
| auth_password_format: scram | |
| ## | |
| ## Define the FQDN if ejabberd doesn't detect it: | |
| fqdn: "TODO" | |
| ## | |
| ## Authentication using external script | |
| ## Make sure the script is executable by ejabberd. | |
| ## | |
| ## auth_method: external | |
| ## extauth_program: "/path/to/authentication/script" | |
| ## | |
| ## Authentication using ODBC | |
| ## Remember to setup a database in the next section. | |
| ## | |
| ## auth_method: odbc | |
| ## | |
| ## Authentication using PAM | |
| ## | |
| ## auth_method: pam | |
| ## pam_service: "pamservicename" | |
| ## | |
| ## Authentication using LDAP | |
| ## | |
| ## auth_method: ldap | |
| ## | |
| ## List of LDAP servers: | |
| ## ldap_servers: | |
| ## - "localhost" | |
| ## | |
| ## Encryption of connection to LDAP servers: | |
| ## ldap_encrypt: none | |
| ## ldap_encrypt: tls | |
| ## | |
| ## Port to connect to on LDAP servers: | |
| ## ldap_port: 389 | |
| ## ldap_port: 636 | |
| ## | |
| ## LDAP manager: | |
| ## ldap_rootdn: "dc=example,dc=com" | |
| ## | |
| ## Password of LDAP manager: | |
| ## ldap_password: "******" | |
| ## | |
| ## Search base of LDAP directory: | |
| ## ldap_base: "dc=example,dc=com" | |
| ## | |
| ## LDAP attribute that holds user ID: | |
| ## ldap_uids: | |
| ## - "mail": "%u@mail.example.org" | |
| ## | |
| ## LDAP filter: | |
| ## ldap_filter: "(objectClass=shadowAccount)" | |
| ## | |
| ## Anonymous login support: | |
| ## auth_method: anonymous | |
| ## anonymous_protocol: sasl_anon | login_anon | both | |
| ## allow_multiple_connections: true | false | |
| ## | |
| ## host_config: | |
| ## "public.example.org": | |
| ## auth_method: anonymous | |
| ## allow_multiple_connections: false | |
| ## anonymous_protocol: sasl_anon | |
| ## | |
| ## To use both anonymous and internal authentication: | |
| ## | |
| ## host_config: | |
| ## "public.example.org": | |
| ## auth_method: | |
| ## - internal | |
| ## - anonymous | |
| ### ============== | |
| ### DATABASE SETUP | |
| ## ejabberd by default uses the internal Mnesia database, | |
| ## so you do not necessarily need this section. | |
| ## This section provides configuration examples in case | |
| ## you want to use other database backends. | |
| ## Please consult the ejabberd Guide for details on database creation. | |
| ## | |
| ## MySQL server: | |
| ## | |
| ## odbc_type: mysql | |
| ## odbc_server: "server" | |
| ## odbc_database: "database" | |
| ## odbc_username: "username" | |
| ## odbc_password: "password" | |
| ## | |
| ## If you want to specify the port: | |
| ## odbc_port: 1234 | |
| ## | |
| ## PostgreSQL server: | |
| ## | |
| ## odbc_type: pgsql | |
| ## odbc_server: "server" | |
| ## odbc_database: "database" | |
| ## odbc_username: "username" | |
| ## odbc_password: "password" | |
| ## | |
| ## If you want to specify the port: | |
| ## odbc_port: 1234 | |
| ## | |
| ## If you use PostgreSQL, have a large database, and need a | |
| ## faster but inexact replacement for "select count(*) from users" | |
| ## | |
| ## pgsql_users_number_estimate: true | |
| ## | |
| ## ODBC compatible or MSSQL server: | |
| ## | |
| ## odbc_type: odbc | |
| ## odbc_server: "DSN=ejabberd;UID=ejabberd;PWD=ejabberd" | |
| ##odbc_type: sqlite | |
| ##odbc_server: "DNS=ejabberd;" | |
| ## {database_type, "sqlite"}, | |
| ## {default_auto_save, true}, | |
| ## {enforce_default_auto_save, true}, | |
| ## {save_default, false}, | |
| ## {odbc_server, "DSN=ejabberd;"}, | |
| ## {odbc_keepalive_interval, 3600} | |
| ## | |
| ## Number of connections to open to the database for each virtual host | |
| ## | |
| ## odbc_pool_size: 10 | |
| ## | |
| ## Interval to make a dummy SQL request to keep the connections to the | |
| ## database alive. Specify in seconds: for example 28800 means 8 hours | |
| ## | |
| ## odbc_keepalive_interval: undefined | |
| ### =============== | |
| ### TRAFFIC SHAPERS | |
| shaper: | |
| ## | |
| ## The "normal" shaper limits traffic speed to 1000 B/s | |
| ## | |
| normal: 1000 | |
| ## | |
| ## The "fast" shaper limits traffic speed to 50000 B/s | |
| ## | |
| fast: 50000 | |
| ## | |
| ## This option specifies the maximum number of elements in the queue | |
| ## of the FSM. Refer to the documentation for details. | |
| ## | |
| max_fsm_queue: 1000 | |
| ###. ==================== | |
| ###' ACCESS CONTROL LISTS | |
| acl: | |
| ## | |
| ## The 'admin' ACL grants administrative privileges to XMPP accounts. | |
| ## You can put here as many accounts as you want. | |
| ## | |
| admin: | |
| user: | |
| - "TODO USER": "TODO DOMAIN" | |
| ## | |
| ## Blocked users | |
| ## | |
| ## blocked: | |
| ## user: | |
| ## - "baduser": "example.org" | |
| ## - "test" | |
| ## Local users: don't modify this. | |
| ## | |
| local: | |
| user_regexp: "" | |
| ## | |
| ## Loopback network | |
| ## | |
| loopback: | |
| ip: | |
| - "127.0.0.0/8" | |
| ## | |
| ## Bad XMPP servers | |
| ## TODO: Remove gmail if you want to be able to connect with it... it was spamming me after I disabled unencrypted S2S connections. | |
| ## | |
| bad_servers: | |
| server: | |
| - "gmail.com" | |
| ### ============ | |
| ### ACCESS RULES | |
| access: | |
| ## Maximum number of simultaneous sessions allowed for a single user: | |
| max_user_sessions: | |
| all: 10 | |
| ## Maximum number of offline messages that users can have: | |
| max_user_offline_messages: | |
| admin: 5000 | |
| all: 100 | |
| ## This rule allows access only for local users: | |
| local: | |
| local: allow | |
| ## Only non-blocked users can use c2s connections: | |
| c2s: | |
| blocked: deny | |
| all: allow | |
| ## For C2S connections, all users except admins use the "normal" shaper | |
| c2s_shaper: | |
| admin: none | |
| all: normal | |
| ## All S2S connections use the "fast" shaper | |
| s2s_shaper: | |
| all: fast | |
| ## Only admins can send announcement messages: | |
| announce: | |
| admin: allow | |
| ## Only admins can use the configuration interface: | |
| configure: | |
| admin: allow | |
| ## Admins of this server are also admins of the MUC service: | |
| muc_admin: | |
| admin: allow | |
| ## Only accounts of the local ejabberd server can create rooms: | |
| muc_create: | |
| local: allow | |
| ## All users are allowed to use the MUC service: | |
| muc: | |
| all: allow | |
| ## Only accounts on the local ejabberd server can create Pubsub nodes: | |
| pubsub_createnode: | |
| local: allow | |
| ## In-band registration allows registration of any possible username. | |
| ## To disable in-band registration, replace 'allow' with 'deny'. | |
| register: | |
| all: deny | |
| ## Only allow to register from localhost | |
| trusted_network: | |
| loopback: allow | |
| ## | |
| ## Define specific Access Rules in a virtual host. | |
| ## TODO: If you want to configure a specific host | |
| host_config: | |
| "todo.net": | |
| access: | |
| s2s: | |
| all: deny | |
| register: | |
| all: deny | |
| ### ================ | |
| ### DEFAULT LANGUAGE | |
| ## | |
| ## language: Default language used for server messages. | |
| ## | |
| language: "en" | |
| ### ======= | |
| ### MODULES | |
| ## | |
| ## Modules enabled in all ejabberd virtual hosts. | |
| ## | |
| modules: | |
| mod_adhoc: {} | |
| mod_announce: # recommends mod_adhoc | |
| access: announce | |
| mod_blocking: {} # requires mod_privacy | |
| mod_caps: {} | |
| mod_carboncopy: {} | |
| mod_client_state: | |
| drop_chat_states: true | |
| queue_presence: true | |
| mod_configure: {} # requires mod_adhoc | |
| mod_disco: {} | |
| ## mod_echo: {} | |
| mod_irc: {} | |
| mod_http_bind: {} | |
| ## mod_http_fileserver: | |
| ## docroot: "/var/www" | |
| ## accesslog: "/var/log/ejabberd/access.log" | |
| mod_last: {} | |
| mod_muc: | |
| ## host: "conference.@HOST@" | |
| access: muc | |
| access_create: muc_create | |
| access_persistent: muc_create | |
| access_admin: muc_admin | |
| ## mod_muc_log: {} | |
| mod_offline: | |
| access_max_user_messages: max_user_offline_messages | |
| store_empty_body: false | |
| mod_ping: {} | |
| ## mod_pres_counter: | |
| ## count: 5 | |
| ## interval: 60 | |
| mod_privacy: {} | |
| mod_private: {} | |
| ## mod_proxy65: {} | |
| mod_pubsub: | |
| access_createnode: pubsub_createnode | |
| ## reduces resource comsumption, but XEP incompliant | |
| ignore_pep_from_offline: true | |
| ## XEP compliant, but increases resource comsumption | |
| ## ignore_pep_from_offline: false | |
| last_item_cache: false | |
| plugins: | |
| - "flat" | |
| - "hometree" | |
| - "pep" # pep requires mod_caps | |
| mod_register: | |
| ## | |
| ## Protect In-Band account registrations with CAPTCHA. | |
| ## | |
| ## captcha_protected: true | |
| ## | |
| ## Set the minimum informational entropy for passwords. | |
| ## | |
| ## password_strength: 32 | |
| ## | |
| ## After successful registration, the user receives | |
| ## a message with this subject and body. | |
| ## | |
| welcome_message: | |
| subject: "Welcome!" | |
| body: |- | |
| Hi. | |
| Welcome to the XMPP server hosted by TODO. | |
| ## | |
| ## When a user registers, send a notification to | |
| ## these XMPP accounts. | |
| ## | |
| registration_watchers: | |
| - "TODO" | |
| ## | |
| ## Only clients in the server machine can register accounts | |
| ## | |
| ip_access: trusted_network | |
| ## | |
| ## Local c2s or remote s2s users cannot register accounts | |
| ## | |
| access_from: deny | |
| access: register | |
| mod_roster: | |
| versioning: true | |
| store_current_id: true | |
| mod_shared_roster: {} | |
| mod_stats: {} | |
| mod_time: {} | |
| mod_vcard: {} | |
| mod_version: {} | |
| ### Local Variables: | |
| ### mode: yaml | |
| ### End: | |
| ### vim: set filetype=yaml tabstop=8 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment