prosody xmpp
The author selected the Open Internet/Free Speech Fund to receive a donation as part of the Write for DOnations program.

Prosody is an XMPP chat server that supports TLS-encrypted one-to-one chat and group chat rooms. XMPP (Extensible Messaging and Presence Protocol) is an open messaging protocol formerly known as Jabber, so any XMPP chat client can connect to a Prosody server and start chatting.

XMPP is a mature, open standard maintained by the Internet Engineering Task Force (IETF). It has been deployed in many applications (Google Talk, used by millions of people, was built on it), and XMPP servers such as Prosody remain a flexible choice for a chat server; the protocol has been around for over two decades.

In this tutorial, you will install and configure a Prosody server that supports one-to-one and group chat sessions and lets users upload files into the chat panel to share. All chat sessions are protected by TLS, using certificates from Let's Encrypt, so your personal data stays private.
Before you begin this guide you'll need the following:

One Ubuntu 18.04 server with at least 512MB of RAM set up by following the Initial Server Setup with Ubuntu 18.04 guide, including a sudo-enabled, non-root user and a firewall.

An XMPP chat client installed on your local system. Any of the chat applications listed on this XMPP Clients page will be compatible with your Prosody server.

Two hostnames that point to your server. You need two hostnames because Prosody uses one for direct chat and another for group chat rooms. Learn how to point hostnames to DigitalOcean Droplets by following our DNS How-Tos. This guide will use the following two example hostnames:

chat.your-domain: The one-to-one chat hostname.
room.your-domain: The group chat room hostname.

Log in to your server as the sudo-enabled, non-root user to start this guide.
In this step, you will add the Prosody APT repository to your server and then install Prosody from it. You use the Prosody repository to ensure you install the most up-to-date packages.

First, create and open a new repository file with your text editor. This file holds the Prosody repository information for the APT package manager:

Add the following line to your file:

deb https://packages.prosody.im/debian bionic main

Now, download and install the Prosody APT public key. Your server will use it to confirm that the Prosody packages were signed by the Prosody team and have not been tampered with in transit or on a mirror.

The following command uses the wget utility to download the key to your current directory:

Use the apt-key add command to add Prosody's key to APT's keyring (apt-key is deprecated on newer Ubuntu releases, but it is still the supported method on 18.04):

You can now delete the downloaded key file, as you no longer need it:

Update your server's package database so that it includes the newer package versions from the Prosody repository:

sudo apt update
You are now ready to install the Prosody server package and some additional optional packages:

sudo apt install prosody prosody-modules lua-dbi-sqlite3 lua-event

The packages you installed are as follows:

prosody: The Prosody server.
prosody-modules: Additional community modules that extend the functionality of the Prosody server.
lua-dbi-sqlite3: Enables Prosody to use an SQLite database.
lua-event: Enables Prosody to handle more simultaneous clients (libevent-based networking).

You have now completed the installation of Prosody. In the next step, you will get two TLS certificates that Prosody will use to encrypt your data as it crosses the internet to and from the Prosody server.
Prosody uses TLS certificates to encrypt the connections between the server and the clients. These are the same kind of certificates used whenever you visit a website with an HTTPS URL. Let's Encrypt is a non-profit organization that supplies free TLS certificates, and it provides the certbot utility to obtain and manage them. In this step, you will install certbot and use it to get a certificate for each of the two hostnames you pointed at your server.

You'll install certbot from the Let's Encrypt Ubuntu PPA repository to ensure you're using the latest packages.

First, run the following command to add the custom repository:

Now, install certbot:

sudo apt install certbot

Next, allow HTTP traffic through UFW so that certbot can answer Let's Encrypt's validation request (certbot's standalone mode listens on port 80 for it):

sudo ufw allow http

Run the following certbot command, which will get the certificate for the first of your hostnames:
sudo certbot certonly --standalone --agree-tos --email your_email -d chat.your-domain

These options are:

certonly: Get the certificate and do not make any other changes on the server (this is the certbot subcommand, not an option flag).
--standalone: Start a temporary web server on port 80 for the certificate validation; this is why port 80 has to be open in the firewall and nothing else may be listening on it while the command runs.
--agree-tos: Automatically agrees to the Let's Encrypt Terms of Service.
--email your_email: The email address that you submit to Let's Encrypt. They will use it to notify you about security issues, certificate expiry notices, and other important information.
-d chat.your-domain: The hostname that you intend to use for your Prosody server.
When you run this command you will be asked if you want to share your email address with the Electronic Frontier Foundation, which is optional. Then the registration of the certificate will continue with the following output:

Output
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator standalone, Installer None
    Obtaining a new certificate

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/chat.your-domain/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/chat.your-domain/privkey.pem
       Your cert will expire on 2020-07-26. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot
       again. To non-interactively renew *all* of your certificates, run
       "certbot renew"
     - If you like Certbot, please consider supporting our work by:

       Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
       Donating to EFF: https://eff.org/donate-le
Run the same command again, with -d room.your-domain, to get a certificate for your second hostname.

You now have two directories:

/etc/letsencrypt/live/room.your-domain
/etc/letsencrypt/live/chat.your-domain

These contain the certificate and key files for your hostnames.
As the Prosody server does not run as the root user, the ownership and permissions of the directories and the key files need changing so that the Prosody server can read and use them.

The permissions of files and directories on Linux control which users and processes can read, write, and execute them. This control protects the system from being modified by an unauthorized user and also protects private files, such as the TLS private key, from being read by an unauthorized user. The aim here is the minimum change that lets the prosody user read the keys: nobody else gains access.

If you are unfamiliar with Linux users and permissions, the article An Introduction to Linux Permissions provides an excellent introduction.

The first step is to change the group owner of the private keys to the Prosody server's group, prosody, with the following commands:

sudo chgrp prosody /etc/letsencrypt/live/room.your-domain/privkey.pem
sudo chgrp prosody /etc/letsencrypt/live/chat.your-domain/privkey.pem

The chgrp utility changes the group owner of files and directories. Here, you changed the group from the default root to prosody.
Next, change the permissions of the directories that contain the TLS certificate files to 0755. These are /etc/letsencrypt/live and /etc/letsencrypt/archive: certbot stores the real files under archive/ and the paths under live/ are symlinks into it, so the prosody user must be able to traverse both. Both directories are owned by the root user and the root group, and by default only root can enter them. The following command changes the permissions on these directories:

sudo chmod 0755 /etc/letsencrypt/live /etc/letsencrypt/archive

The new permissions of 0755 on these directories mean that the root user has read, write, and execute permissions, while members of the root group and all other users have read and execute permissions. This exposes only the directory listings and the public certificate files; the private keys stay protected by their own file permissions, which you set next.
Now, change the permissions of the TLS private keys:

sudo chmod 0640 /etc/letsencrypt/live/room.your-domain/privkey.pem
sudo chmod 0640 /etc/letsencrypt/live/chat.your-domain/privkey.pem

The 0640 permissions on these files mean that the root user has read and write permissions on the file and members of the prosody group have read permission. The prosody group has one member, the prosody user, which is the user the Prosody server runs as and the user it will access the file as. All other users on the system have no permission to access the file. (chgrp and chmod follow the symlinks under live/, so it is the real key files under archive/ whose group and mode change.)

These two commands use the chmod utility, which modifies which users and groups have read, write, and execute permissions on files and directories.

You can test that Prosody can read the private keys by using sudo to read the private key files with cat as the prosody user:

sudo -u prosody cat /etc/letsencrypt/live/chat.your-domain/privkey.pem

If this is successful you will see the contents of the key file displayed on your screen. Repeat the test for room.your-domain.
Prosody uses a single file containing the certificate and private key to encrypt the file upload and download connections. certbot does not create this file automatically, so you must create it manually.

You will first move into the directory that contains the key and certificate files, then use cat to combine their contents into a new file, key-and-cert.pem:

cd /etc/letsencrypt/live/chat.your-domain/
sudo sh -c 'cat privkey.pem fullchain.pem > key-and-cert.pem'

The beginning of this command, sudo sh -c, opens a new sub-shell that has the root user's permissions and so can write the new file to /etc/letsencrypt/live/chat.your-domain/. (A plain sudo cat ... > key-and-cert.pem would not work, because the redirection is performed by your unprivileged shell, not by sudo.)

Because the sub-shell runs as root, the new file is created owned by root with whatever your umask allows, typically 0644, so at this moment the private key is readable by every user on the system. Change the group and permissions of this new file to match those you set for the other private key files with the following commands:

sudo chgrp prosody key-and-cert.pem
sudo chmod 0640 key-and-cert.pem

Move back to your user's home directory:

cd

Finally, this file must be re-created every time the certificate is renewed or it will contain an expired certificate. certbot comes with a mechanism called a "hook" that allows a script to be run before or after a certificate is renewed. You can use this mechanism to run a script that repeats the combining command after every certificate renewal. (Recent certbot versions also copy the group and mode of the previous privkey.pem to the new key at renewal, so the permissions you set on the two private keys survive renewals; check them after the first real renewal all the same.)

Open the new script file called /etc/letsencrypt/renewal-hooks/post/key-and-cert-combiner.sh with a text editor:
Then, add the following into the editor:

    #!/usr/bin/env bash
    set -e
    umask 027   # files created below get mode 0640, never the default 0644

    # combines the key and certificate into a single file with cat
    cat /etc/letsencrypt/live/chat.your-domain/privkey.pem \
        /etc/letsencrypt/live/chat.your-domain/fullchain.pem \
        >/etc/letsencrypt/live/chat.your-domain/key-and-cert.pem

    # restore the group and mode the combined key must have
    chgrp prosody /etc/letsencrypt/live/chat.your-domain/key-and-cert.pem
    chmod 0640 /etc/letsencrypt/live/chat.your-domain/key-and-cert.pem

    # make a running server pick up the renewed certificate
    prosodyctl reload >/dev/null 2>&1 || true

This is how your Bash script breaks down:

#!/usr/bin/env bash: Tells the system to use the Bash interpreter to run the script.
set -e: Causes the script to exit if any command fails.
umask 027: Removes write permission for the group and all permissions for other users from files this script creates, so that a freshly created key-and-cert.pem is never world-readable, even for a moment.
>: Redirects the output of the cat command into the file on the right. If the file already exists it is truncated in place and keeps its owner, group, and mode; if it does not, the chgrp and chmod lines that follow put them right.
prosodyctl reload: Prosody only reads certificates when it starts or reloads its configuration, so without this the server would keep serving the old certificate until its next restart. The || true keeps the hook from failing when Prosody is not running yet, as is the case when you test the hook in a moment.

The script can't be run until you give it execute permissions with the following command:

sudo chmod +x /etc/letsencrypt/renewal-hooks/post/key-and-cert-combiner.sh

The +x gives the script execute permissions.
Next, test that the certificates are installed correctly and that the post-renewal hook script is working by running the following certbot command:

sudo certbot renew --dry-run

This command tells certbot to renew the certificates, but the --dry-run option stops certbot from saving any changes; it talks to the Let's Encrypt staging environment instead of production, so it does not count against the production rate limits either. If everything is successful you will see the following output:

Output
    Congratulations, all renewals succeeded. The following certs have been renewed:
      /etc/letsencrypt/live/chat.your-domain/fullchain.pem (success)
      /etc/letsencrypt/live/room.your-domain/fullchain.pem (success)
    ** DRY RUN: simulating 'certbot renew' close to cert expiry
    **          (The test certificates above have not been saved.)
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Running post-hook command: /etc/letsencrypt/renewal-hooks/post/key-and-cert-combiner.sh

The post-hook does run during a dry run, as the last line shows, so it rewrites key-and-cert.pem from the current (unchanged) key and certificate. That is harmless and is a useful confirmation that the script works.
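Before moving on to the configuration, it is worth checking the result with a script rather than by eye. The following is an added example, not part of the original tutorial, that checks for one certificate directory that the private key has the 0640 mode and prosody group set above, that the private key and certificate actually belong together (certbot can only hand Prosody an unusable pair if the files were mixed up by hand, but the combined file is hand-made), that the combined key-and-cert.pem is equally protected and internally consistent, and how many days the certificate has left. It assumes the tutorial's paths and the prosody group, needs openssl and GNU coreutils (stat, date), and must run as root to read the keys.

```shell
#!/usr/bin/env bash
# Added example (not from the original tutorial): sanity checks for the
# Let's Encrypt files Prosody uses. Assumes the tutorial's layout:
# /etc/letsencrypt/live/<host>/{privkey.pem,fullchain.pem} plus the
# hand-made key-and-cert.pem. Requires openssl, GNU stat and GNU date.
set -u

# Return 0 if FILE has exactly mode MODE (octal, e.g. 640) and group GROUP.
# -L follows the symlinks certbot keeps under live/, so the real file is checked.
check_key_perms() {
  local file=$1 mode=$2 group=$3 actual
  actual=$(stat -Lc '%a %G' "$file") || return 1
  [ "$actual" = "$mode $group" ]
}

# Return 0 if the private key in KEYFILE and the certificate in CERTFILE belong
# together, by deriving the public key from each and comparing. Both files may be
# the same combined file: openssl picks the first PEM block of the wanted type.
key_matches_cert() {
  local keyfile=$1 certfile=$2 k c
  k=$(openssl pkey -in "$keyfile" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$certfile" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print whole days until CERTFILE's notAfter; return 1 if it has already expired.
days_until_expiry() {
  local certfile=$1 not_after exp now
  not_after=$(openssl x509 -in "$certfile" -noout -enddate 2>/dev/null | sed 's/^notAfter=//')
  [ -n "$not_after" ] || return 1
  exp=$(date -d "$not_after" +%s) || return 1
  now=$(date +%s)
  echo $(( (exp - now) / 86400 ))
  [ "$exp" -gt "$now" ]
}

# Run every check for one live/<host> directory. Prints one line per finding and
# returns 0 only if all of them pass, so it can gate a deployment step.
check_host() {
  local dir=$1 group=$2 rc=0 d
  check_key_perms "$dir/privkey.pem" 640 "$group" \
    && echo "ok   $dir/privkey.pem is 0640 $group" \
    || { echo "FAIL $dir/privkey.pem has the wrong mode or group"; rc=1; }
  key_matches_cert "$dir/privkey.pem" "$dir/fullchain.pem" \
    && echo "ok   privkey.pem matches fullchain.pem" \
    || { echo "FAIL privkey.pem does not match fullchain.pem"; rc=1; }
  if [ -e "$dir/key-and-cert.pem" ]; then
    check_key_perms "$dir/key-and-cert.pem" 640 "$group" \
      && key_matches_cert "$dir/key-and-cert.pem" "$dir/key-and-cert.pem" \
      && echo "ok   key-and-cert.pem is 0640 $group and its key matches its certificate" \
      || { echo "FAIL key-and-cert.pem is readable by others or inconsistent"; rc=1; }
  fi
  d=$(days_until_expiry "$dir/fullchain.pem") \
    && echo "ok   certificate valid for $d more days" \
    || { echo "FAIL certificate is expired or unreadable"; rc=1; }
  return $rc
}

# Usage (as root), for each of the tutorial's hosts:
#   check_host /etc/letsencrypt/live/chat.your-domain prosody
#   check_host /etc/letsencrypt/live/room.your-domain prosody
```

Run it after the dry run above and again after the first real renewal; a FAIL on key-and-cert.pem after a renewal means the hook did not run or ran without the permission fix.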
You now have the TLS certificates for your Prosody server. In the next step, you will edit Prosody's main configuration file.
Prosody has a lot of configuration options, which is reflected in the size of the main configuration file, /etc/prosody/prosody.cfg.lua. To keep this section manageable you will work from the start of the file downward, editing as you go.

Before you start editing a large configuration file it is a good idea to make a copy so that you have the original to refer to and to restore from. Make a copy of the configuration file with the cp command:

sudo cp /etc/prosody/prosody.cfg.lua /etc/prosody/prosody.cfg.lua.original

You now have a copy of the original file at /etc/prosody/prosody.cfg.lua.original.

Next, open the configuration file with a text editor:

The configuration changes are broken into smaller tasks in the following sections.
Prosody administrators are users that can make changes to the Prosody server from their chat client, message all users, and complete other privileged actions.

The Prosody server administrators are set with the following line:

    ...
    admins = { }
    ...

In this example the user admin on the example server chat.your-domain is made an administrator:

    ...
    admins = { "admin@chat.your-domain" }
    ...

If you want to add another user, separate the entries with a comma:

    ...
    admins = { "admin@chat.your-domain", "sammy@chat.your-domain" }
    ...

Listing a user here does not create the account; you register accounts in Step 4. Keep the admin list short, since these accounts can reach every user and change the server's behaviour through the admin_adhoc module enabled below.
The Prosody developers put many features into modules that can be enabled or disabled.

A module is enabled by removing the -- (Lua's comment marker) that precedes it. For example, here the tls module is disabled:

Module Disabled
    --"tls"; -- Add support for secure TLS on c2s/s2s connections

And here it is enabled:

Module Enabled
    "tls"; -- Add support for secure TLS on c2s/s2s connections
Following this paragraph is the edited modules section of the Prosody configuration file; the lines that changed from the default are the ones for mam, csi_simple, http_files, http_upload, groups and announce:

    ...
    modules_enabled = {

        -- Generally required
        "roster"; -- Allow users to have a roster. Recommended ;)
        "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
        "tls"; -- Add support for secure TLS on c2s/s2s connections
        "dialback"; -- s2s dialback support
        "disco"; -- Service discovery

        -- Not essential, but recommended
        "carbons"; -- Keep multiple clients in sync
        "pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
        "private"; -- Private XML storage (for room bookmarks, etc.)
        "blocklist"; -- Allow users to block communications with other users
        "vcard4"; -- User profiles (stored in PEP)
        "vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard

        -- Nice to have
        "version"; -- Replies to server version requests
        "uptime"; -- Report how long server has been running
        "time"; -- Let others know the time here on this server
        "ping"; -- Replies to XMPP pings with pongs
        "register"; -- Allow users to register on this server using a client and change passwords
        "mam"; -- Store messages in an archive and allow users to access it
        "csi_simple"; -- Simple Mobile optimizations

        -- Admin interfaces
        "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
        --"admin_telnet"; -- Opens telnet console interface on localhost port 5582

        -- HTTP modules
        --"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
        --"websocket"; -- XMPP over WebSockets
        "http_files"; -- Serve static files from a directory over HTTP
        "http_upload"; -- Enables file sharing between users

        -- Other specific functionality
        --"limits"; -- Enable bandwidth limiting for XMPP connections
        "groups"; -- Shared roster support
        --"server_contact_info"; -- Publish contact information for this service
        "announce"; -- Send announcement to all online users
        --"welcome"; -- Welcome users who register accounts
        --"watchregistrations"; -- Alert admins of registrations
        --"motd"; -- Send a message to users when they log in
        --"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
        --"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
    }
    ...
The modules you enabled are the following:

mam: Stores chat messages in an archive on the server so users can retrieve them (Message Archive Management).
csi_simple: Enables optimizations for mobile clients.
http_files: Serves static files from a directory over Prosody's built-in HTTP server.
http_upload: Enables file sharing between users (HTTP File Upload, XEP-0363); this is the module that uses the combined key-and-cert.pem file.
groups: Enables user visibility through shared rosters.
announce: Enables admins to send announcements to all online users.

Two notes on modules whose default state you are keeping. The register module lets users change their password from their client, but it would also let anyone on the internet create an account if allow_registration were set to true; leave that setting at its default of false unless you intend to run a public server. The admin_telnet module stays commented out: it opens an unauthenticated console on localhost port 5582, which nothing in this setup needs.
The next section you need to edit sets where Prosody saves users' messages and other data. The default is Prosody's internal file-based storage, but a more scalable configuration is to save the messages in a database.

Prosody offers three choices of database: MySQL, PostgreSQL, and SQLite. SQLite is the easiest to set up and maintain, uses the fewest resources, and is suitable for smaller deployments.

Enable the following two lines by removing the leading -- as shown:

    ...
    storage = "sql" -- Default is "internal"
    ...
    sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
    ...

Prosody creates prosody.sqlite in its data directory, /var/lib/prosody, owned by the prosody user. It will hold the message archives, so include it in your backups and protect it like any other store of user data.
You can decide how long the server will store old chat messages by editing the following line:

    ...
    archive_expires_after = "1w" -- Remove archived messages after 1 week
    ...

The default period of 1w (one week) is shown. Use d for days, w for weeks, and y for years. Prosody does not encrypt the archive at rest, so this value is also a data-retention decision: keep it as short as your users' needs allow.
The https_certificate line tells Prosody where to look for the combined certificate and key you created earlier, which it uses for the HTTPS file upload and download connections. Edit it so that it uses the path to your combined file:

    ...
    https_certificate = "/etc/letsencrypt/live/chat.your-domain/key-and-cert.pem"
    ...
In the default configuration, Prosody also serves a VirtualHost called localhost, so it accepts chat accounts on localhost or 127.0.0.1. This is not needed on a remote server, and every extra host is one more thing to keep configured correctly. Disable it by adding -- to the line so that it looks like the following after editing:

    ...
    --VirtualHost "localhost"
    ...
Your Prosody server lets users share files by attaching them to chat windows. The default maximum size of files that users can share is 1MB.

Set this to a higher value by adding the following line to the end of the configuration:

    ...
    http_upload_file_size_limit = 10485760
    ...

The number at the end of the line is the maximum file size in bytes; 10485760 bytes is 10MB (10 × 1024 × 1024). The GbMb website provides a handy tool for converting MB to bytes.

If you want to allow uploads of files larger than 10MB you must add another line that sets the http_max_content_size variable, because Prosody's HTTP server rejects any request body above that size (10MB by default) before the upload module ever sees it. The http_max_content_size must be larger than the maximum file upload size.

Here, the maximum file size is set to 20MB (20971520 bytes) and http_max_content_size is set to 30MB:

    ...
    http_upload_file_size_limit = 20971520
    http_max_content_size = 31457280
    ...

Set http_max_content_size to be 50% larger than the maximum file size. Uploaded files are stored on the server's disk, so these limits also bound how much space one upload can consume; keep them as small as your users need.
The groups module that you enabled in the modules section allows chat clients to see each other.

The groups module reads a file that holds the group names and their members. Set the location and name of the file by adding the following line to the bottom of the configuration:

    ...
    groups_file = "/etc/prosody/sharedgroups.txt"
    ...

This line configures Prosody to read /etc/prosody/sharedgroups.txt to gather group information. You will populate this file with users and groups in Step 4.

Create this file with the following command in a different terminal:

sudo touch /etc/prosody/sharedgroups.txt

The touch utility creates an empty file when no additional options are used.
Prosody uses a block of configuration that begins with VirtualHost to start the chat server for your hostname.

Add the following configuration block to the bottom of the configuration:

    ...
    VirtualHost "chat.your-domain"
        ssl = {
            key = "/etc/letsencrypt/live/chat.your-domain/privkey.pem";
            certificate = "/etc/letsencrypt/live/chat.your-domain/fullchain.pem";
        }
    ...

The configuration options:

VirtualHost: The hostname that Prosody will use for the chat server.
key: The TLS private key used to secure the chat connections.
certificate: The TLS certificate, together with its chain (hence fullchain.pem), used to secure the chat connections.

Everything that follows a VirtualHost or Component line, up to the next such line, applies to that host only. This is why these blocks go at the end of the file, after the global settings you edited above.
This configuration enables Prosody to offer multi-user chat rooms to your users. Add the following block to the bottom of the configuration file, in a new section:

    ...
    Component "room.your-domain" "muc"
        modules_enabled = { "mam_muc"; }
        storage = { muc_log = "sql"; }
        ssl = {
            key = "/etc/letsencrypt/live/room.your-domain/privkey.pem";
            certificate = "/etc/letsencrypt/live/room.your-domain/fullchain.pem";
        }
    ...

The options used:

Component: Enables the muc (Multi-User Chat) group chat module on the room.your-domain hostname.
modules_enabled = { "mam_muc"; }: Enables message archiving for the group chats.
storage: Archives the group chat messages into the SQLite database.
key: The TLS private key used to secure the chat connections.
certificate: The TLS certificate used to secure the chat connections.

Save and exit the editor.
Now, restart Prosody to put the new configuration live:

sudo systemctl restart prosody

Whenever a change does not behave as expected, run sudo prosodyctl check: it validates the configuration, reports certificates Prosody cannot read or that do not match their hostnames, and checks the DNS records for your hosts. Prosody logs to /var/log/prosody/prosody.log and /var/log/prosody/prosody.err, which is where to look if it fails to start.

You have now completed editing Prosody's main configuration file. In the next step, you will add a Prosody user and add them to a group.
You have to add Prosody users on the command line before they can log in. You'll use the prosodyctl tool, supplied with the prosody package, to manage the Prosody server.

Use the following prosodyctl command to add a new user:

sudo prosodyctl register sammy chat.your-domain password

This user can now connect to your Prosody server. Note that a password given on the command line ends up in your shell history and is briefly visible to every user on the system in the process list; for a real account prefer sudo prosodyctl adduser sammy@chat.your-domain, which prompts for the password instead.
Your users will appreciate it if you create some groups that allow them to see each other and their status. You do this by creating groups and adding users to them in the group file you defined earlier.

Open the group file:

A group is set by putting its name between square brackets. The members of the group are listed one per line under the group name. You can create as many groups as you want, and users can be members of more than one group.

Here is a group called Everyone that has two members, sammy and admin:

    [Everyone]
    sammy@chat.your-domain
    admin@chat.your-domain

All the members of the same group will be able to "see" the other members, whether they are online or not.

You must restart the Prosody server any time you add new users or modify the group information:

sudo systemctl restart prosody

All that remains for the server configuration is to allow Prosody to communicate through the firewall, which you will do in the next section.
Prosody listens for connections from chat clients on TCP port 5222 (TLS is negotiated with STARTTLS on that same port, so there is no separate "secure" port to open), for connections from other XMPP servers on TCP port 5269, and the http_upload module serves file uploads and downloads over HTTPS on TCP port 5281 by default. Open the client and upload ports in UFW; add 5269 as well only if you want your users to chat with accounts on other XMPP servers (server-to-server federation):

sudo ufw allow 5222,5281/tcp

Leave port 5280 (plain HTTP) and the telnet console port 5582 closed; nothing in this setup needs them from outside.

The Prosody server is now fully installed and configured.
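To confirm from a client's point of view that the firewall rules and the TLS configuration are right, the following added example (not from the original tutorial) first checks that the UFW status output lists the ports it should, then uses openssl s_client to open a connection on 5222 with XMPP STARTTLS and on 5281 with plain TLS and reports whether the certificate chain verifies against the system CA store. The hostnames are the tutorial's examples; the parsing functions are written so they can be exercised on captured output, and the probe functions need OpenSSL 1.1.0 or later for -starttls xmpp and -xmpphost.

```shell
#!/usr/bin/env bash
# Added example (not part of the original tutorial): check what a remote
# client sees on the ports this setup must expose. Assumes the tutorial's
# hostnames and OpenSSL 1.1.0+ (for -starttls xmpp and -xmpphost).
set -u

# Return 0 if the captured `ufw status` text STATUS has an ALLOW rule whose
# port list contains PORT. Handles "5222/tcp" and "5222,5281/tcp" specs;
# port ranges such as "5222:5223/tcp" are not expanded.
ufw_port_allowed() {
  local status=$1 port=$2
  printf '%s\n' "$status" | awk -v p="$port" '
    $2 == "ALLOW" {
      split($1, spec, "/"); n = split(spec[1], ports, ",")
      for (i = 1; i <= n; i++) if (ports[i] == p) found = 1
    }
    END { exit found ? 0 : 1 }'
}

# Print "ok" or "fail" for captured `openssl s_client` output, based on the
# verify result line OpenSSL prints after the handshake.
tls_verify_status() {
  case "$1" in
    *"Verify return code: 0 (ok)"*) echo ok ;;
    *) echo fail ;;
  esac
}

# Print the subject of the certificate the server presented, so you can see
# whether it served your Let's Encrypt certificate or its self-signed default.
tls_subject() {
  printf '%s\n' "$1" | sed -n 's/^subject=//p' | head -n1
}

# Probe client-to-server STARTTLS on 5222 for HOST; return 0 if the chain verifies.
probe_xmpp_c2s() {
  local host=$1 out
  out=$(openssl s_client -connect "$host:5222" -starttls xmpp -xmpphost "$host" \
        -servername "$host" </dev/null 2>&1)
  echo "5222 $host: $(tls_verify_status "$out") ($(tls_subject "$out"))"
  [ "$(tls_verify_status "$out")" = ok ]
}

# Probe the HTTPS port used by http_upload (5281 by default) the same way.
probe_https_upload() {
  local host=$1 out
  out=$(openssl s_client -connect "$host:5281" -servername "$host" </dev/null 2>&1)
  echo "5281 $host: $(tls_verify_status "$out") ($(tls_subject "$out"))"
  [ "$(tls_verify_status "$out")" = ok ]
}

# Usage, on the server (firewall) and then from any other machine (TLS):
#   st=$(sudo ufw status); for p in 5222 5281; do
#     ufw_port_allowed "$st" "$p" && echo "ufw allows $p" || echo "ufw blocks $p"; done
#   probe_xmpp_c2s chat.your-domain; probe_xmpp_c2s room.your-domain
#   probe_https_upload chat.your-domain
```

If a probe prints fail with a subject of CN = localhost, Prosody is serving the self-signed certificate the package generates instead of yours, which usually means the VirtualHost or https_certificate path is wrong or the key is not readable by the prosody user; a fail with your own subject points at an incomplete chain, so check that the certificate setting names fullchain.pem rather than cert.pem.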
You can now connect to your Prosody server with a chat client. In this step, you will configure an XMPP client on your local system or smart phone to connect to your Prosody server. You'll need to enter your username, server hostname, and password to connect.

You configured your Prosody server to use the standard XMPP ports, and TLS is negotiated automatically, so you will not need to set either in your client. A well-behaved client verifies the server's certificate against the hostname you log in with; if your client warns about the certificate, do not accept it, because it means the client is not seeing the Let's Encrypt certificate you configured.

Different chat clients may ask for the username, password, and server hostname in different formats. The username and server hostname are sometimes combined like an email address, such as sammy@chat.your-domain. This email-like address may be called the Username or the XMPP Address.

This image shows the login screen for the PSI client, which requires the username and server hostname to be entered in email address form.

Whereas the following screenshot of the account login screen for the Linux XMPP client Gajim shows the username and hostname in separate input fields.

XMPP clients do not need any more details than the username, password, and server hostname to log in. After you have logged in you will be able to find the other members of your chat group, and you will also be able to create group chat rooms where your client supports this.
In this article you set up a Prosody server with the following features: TLS-encrypted one-to-one chat on chat.your-domain, TLS-encrypted group chat rooms on room.your-domain, file sharing between users over HTTPS, message archives stored in an SQLite database, and shared groups so that users can see each other.

You also configured an XMPP chat client to use all of these features, giving you a feature-rich chat with your friends and colleagues.

If you're looking for further open-source alternatives for remote communication, check out our How To Install Jitsi Meet tutorials.
Translated from: https://www.digitalocean.com/community/tutorials/how-to-install-prosody-on-ubuntu-18-04