Background information
Operating System: Debian stable (9.6)
ejabberd version: 18.09-2 (from back ports)
My configuration is based on https://gitlab.com/hanno/ejabberd-config (I changed my real URL to example.com):
# _%%_ Ejabberd config from schokokeks.org XMPP server.
# _%%_ We try to enable modern XMPP features and document to which XEP
# _%%_ they relate.
# _%%_ We also use a modern and secure TLS configuration where possible.

define_macro:
  'CIPHERS': "HIGH:!MEDIUM:!LOW:!3DES:!CAMELLIA:!aNULL:!RSA@STRENGTH"
  'TLSOPTS':
    - "no_sslv2"
    - "no_sslv3"
    - "cipher_server_preference"
  # generated with: openssl dhparam -out dhparams.pem 2048
  'DHFILE': "/etc/ejabberd/dh2048-ejabberd.pem"

certfiles:
  - "/etc/letsencrypt/live/*/fullchain.pem"
  - "/etc/letsencrypt/live/*/privkey.pem"

hosts:
  - "example.com"

access:
  announce:
    admin: allow
  c2s:
    blocked: deny
    all: allow
  c2s_shaper:
    admin: none
    all: normal
  local:
    local: allow
  max_user_offline_messages:
    admin: 5000
    all: 100
  max_user_sessions:
    all: 10
  muc:
    all: allow
  muc_admin:
    admin: allow
  muc_create:
    local: allow
  pubsub_createnode:
    all: allow
  register:
    # _%%_ Don't allow registration
    all: deny
  s2s_shaper:
    all: fast

acl:
  admin:
    user:
      - "kiigass": "example.com"
  local:
    user_regexp:
      - ""

# _%%_ We want internal authentication
auth_method:
  - mnesia
# _%%_ store passwords with scram hash method.
# _%%_ no DIGEST-MD5, needs plaintext storage of passwords.
auth_password_format: scram
disable_sasl_mechanisms: "DIGEST-MD5"

language: "en"

listen:
  -
    ip: "0.0.0.0"
    port: 5222
    module: ejabberd_c2s
    max_stanza_size: 65536
    shaper: c2s_shaper
    access: c2s
    # _%%_ DEPRECATED, uses mod_stream_mgmt
    # _%%_ XEP-0198, Stream Management
    # _%%_ Note: This is enabled by default, but we'd like to explicitly enable it
    # stream_management: true
    # _%%_ TLS compression is dangerous, see CRIME attack
    tls_compression: false
    # _%%_ Diffie Hellman parameters with 2048 bit, created with "openssl dhparam 2048"
    dhfile: 'DHFILE'
    # _%%_ We only want "HIGH" strength ciphers and explicitly disable
    # _%%_ 3DES (SWEET32 attack), RSA (no forward secrecy, Bleichenbacher attacks),
    # _%%_ CAMELLIA (unusual and not needed).
    ciphers: 'CIPHERS'
    # _%%_ We require STARTTLS for clients. No unencrypted logins
    starttls_required: true
    # certfile: "/etc/ejabberd/ejabberd.pem"
    # _%%_ Due to DROWN (SSLv2) and POODLE (SSLv3) all old SSL versions are considered insecure
    protocol_options: 'TLSOPTS'
  -
    ip: "0.0.0.0"
    port: 5269
    module: ejabberd_s2s_in
    max_stanza_size: 131072
    shaper: s2s_shaper
    protocol_options: 'TLSOPTS'
  -
    port: 5280
    module: ejabberd_http
    web_admin: true
    http_bind: true
    captcha: true
  # _%%_ XEP-0363, HTTP File Upload
  # _%%_ Note: This only opens the port, further below is the module config itself
  -
    port: 5443
    module: ejabberd_http
    tls: true
    # certfile: "/etc/ejabberd/ejabberd.pem"
    # _%%_ See comments above for justification of TLS options
    tls_compression: false
    dhfile: 'DHFILE'
    ciphers: 'CIPHERS'
    protocol_options: 'TLSOPTS'
    request_handlers:
      "": mod_http_upload

loglevel: 4
max_fsm_queue: 1000

modules:
  mod_admin_extra: []
  mod_adhoc: []
  mod_announce:
    access: announce
  # _%%_ XEP-0115, Entity Capabilities
  mod_caps: []
  # XEP-0157
  mod_disco:
    server_info:
      -
        modules: all
        name: "abuse-addresses"
        urls: ["mailto:kiigass@example.com"]
      -
        modules: all
        name: "security-addresses"
        urls: ["mailto:kiigass@example.com"]
  mod_bosh: []
  mod_last: []
  # _%%_ XEP-0045, Multi-User Chat (MUC)
  mod_muc:
    access: muc
    access_create: muc_create
    access_persistent: muc_create
    access_admin: muc_admin
  mod_offline:
    access_max_user_messages: max_user_offline_messages
  mod_ping:
    send_pings: true
    ping_interval: 10
    ping_ack_timeout: 5
    timeout_action: kill
  mod_privacy: []
  mod_private: []
  # _%%_ XEP-0065, SOCKS5 Bytestreams (Proxy)
  mod_proxy65:
    host: "proxy65.example.com"
    hostname: "proxy65.example.com"
    ip: "0.0.0.0"
    port: 7777
  mod_pubsub:
    access_createnode: pubsub_createnode
    ignore_pep_from_offline: false
    last_item_cache: true
    plugins:
      - "flat"
      - "hometree"
      # _%%_ XEP-0163, Personal Eventing Protocol (PEP), needed for Avatars / OMEMO
      - "pep"
  # _%%_ XEP-0237, Roster Versioning
  mod_roster:
    versioning: true
  mod_shared_roster: []
  mod_stats: []
  # _%%_ XEP-0198, Stream Management
  # _%%_ Note: This is enabled by default, but we'd like to explicitly enable it
  mod_stream_mgmt:
    max_resume_timeout: 30
    resend_on_timeout: if_offline
    resume_timeout: 30
    ack_timeout: 30
  mod_time: []
  mod_vcard: []
  mod_version: []
  # _%%_ XEP-0313, Message Archive Management (MAM)
  mod_mam:
    default: always
    assume_mam_usage: true
  # _%%_ XEP-0191, Blocking Command
  mod_blocking: []
  # _%%_ XEP-0352, Client State Indicator
  mod_client_state: []
  # _%%_ XEP-0280, Message Carbons
  mod_carboncopy: []
  # _%%_ XEP-0363, HTTP File Upload
  # _%%_ This is the configuration for the module, port config above.
  mod_http_upload:
    # _%%_ With this configuration for each domain name there must be a subdirectory
    # _%%_ in the docroot, e.g. /var/ejabberd-http-upload/example.org/
    thumbnail: false
    docroot: "/var/ejabberd-http-upload/"
    put_url: "https://example.com:5443/@HOST@"
  mod_s2s_dialback: []
  mod_legacy_auth: []

shaper:
  normal: 1000
  fast: 50000

# _%%_ TLS settings for s2s communication
s2s_use_starttls: required
#s2s_certfile: "/etc/ejabberd/ejabberd.pem"
s2s_dhfile: 'DHFILE'
# _%%_ For s2s we allow RSA key exchange for more compatibility
s2s_ciphers: 'CIPHERS'
Problem
When I try to connect to https://example.com:5280/ or https://example.com:5280/admin/ I get from Firefox:
Secure Connection Failed
The connection to example.com:5280 was interrupted while the page was loading.
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
When I watch /var/log/ejabberd/ejabberd.log (tail -f) at the same time I get:
2018-12-09 13:24:32.021 [info] <0.353.0>@ejabberd_listener:accept:221 (<0.479.0>) Accepted connection x.x.x.x:7048 -> x.x.y.y:5280
Question
What did I misconfigure and how shall I configure it to make it work?
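An added audit helper, not part of the original post and not ejabberd's own code: it takes the `listen:` block already parsed into Python dicts (a constructed sample mirroring the post's two `ejabberd_http` listeners is embedded inline) and checks, for a URL a browser would open, whether the listener on that port answers HTTPS (only when `tls: true` is set on it) or plain HTTP, and flags web_admin or BOSH exposed without TLS.

```python
# Added audit helper: not ejabberd's code and not from the original post.
# It inspects an ejabberd `listen:` block already parsed into dicts.
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample mirroring the two ejabberd_http listeners in the post.
LISTEN: List[Dict] = [
    {"port": 5280, "module": "ejabberd_http", "web_admin": True,
     "http_bind": True, "captcha": True},
    {"port": 5443, "module": "ejabberd_http", "tls": True,
     "request_handlers": {"": "mod_http_upload"}},
]

def listener_scheme(listener: Dict) -> str:
    """ejabberd_http answers HTTPS only when `tls: true` is set; otherwise plain HTTP."""
    return "https" if listener.get("tls") is True else "http"

def find_http_listener(listen: List[Dict], port: int) -> Optional[Dict]:
    """Return the ejabberd_http listener bound to `port`, if any."""
    for lst in listen:
        if lst.get("module") == "ejabberd_http" and lst.get("port") == port:
            return lst
    return None

def check_url(listen: List[Dict], url: str) -> Dict:
    """Compare the scheme a browser will speak with what the listener on that port serves."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    listener = find_http_listener(listen, port)
    if listener is None:
        return {"ok": False, "port": port, "served": None,
                "reason": f"no ejabberd_http listener on port {port}"}
    served = listener_scheme(listener)
    if served != parts.scheme:
        return {"ok": False, "port": port, "served": served,
                "reason": f"browser speaks {parts.scheme} but port {port} serves {served} "
                          f"(tls: true is {'set' if served == 'https' else 'missing'})"}
    return {"ok": True, "port": port, "served": served, "reason": "scheme matches"}

def plaintext_exposure(listen: List[Dict]) -> List[str]:
    """Flag web_admin / BOSH on listeners without TLS: logins would cross the wire in the clear."""
    warnings = []
    for lst in listen:
        if lst.get("module") != "ejabberd_http" or listener_scheme(lst) == "https":
            continue
        for key in ("web_admin", "http_bind"):
            if lst.get(key):
                warnings.append(f"port {lst['port']}: {key} served over plain HTTP")
    return warnings
```

Run against the post's listeners, `check_url` reports the 5280 listener as plain HTTP, so an https:// URL to it cannot complete a TLS handshake, while 5443 (with `tls: true`) matches.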