This article is part of an ongoing series of posts; there's an index here.
I was originally going to make this post about SRV records and SSL certificates at this point, but StartSSL won’t issue me a certificate for chinwag.im until the domain is older than three days (at the time of writing it’s only two days old). I don’t really get what three days old gives us that two days doesn’t, but they’re handing out SSL certificates for free so I can’t really complain too much.
In the last post I mentioned I was glossing over an error about LuaExpat that’ll be showing up in your logs about now if you’re literally just copying and pasting what I write, so let’s kill that off for a start.
The version of LuaExpat on your system does not support stanza size limits, which may leave servers on untrusted networks (e.g. the internet) vulnerable to denial-of-service attacks. You should upgrade to LuaExpat 1.3.0 or higher as soon as possible. See http://prosody.im/doc/depends#luaexpat for more information.
Like the link says, Prosody will work with the version we have, but we really should upgrade that because nobody wants a potential DoS vulnerability sitting there waiting to bite them. The easiest way to deal with this on our Ubuntu 14.04 system is just to install LuaRocks and use that to pull in a newer version. So here’s what we’re going to do.
# apt-get install luarocks libexpat-dev
# luarocks install luaexpat
...
luaexpat 1.3.0-1 is now built and installed in /usr/local/ (license: MIT/X11)
# service prosody restart
Bang. Done. No more LuaExpat errors, no fiddling about, no mess, no fuss. Next, let's also add lua-zlib for mod_compression, which we'll be turning on soon, since it isn't pulled in automatically at any point. We're also going to install Mercurial so we can easily pull a current copy of the prosody-modules project.
# apt-get install lua-zlib mercurial
Due to the imminent shutdown of Google Code, that last bit’s going to need editing soon, as Prosody and all its related sources will be relocating at some point. Right now let’s roll with it as is.
I'm going to keep my local copy of prosody-modules under /usr/share, which probably violates some part of someone's filesystem hierarchy standard, but it's convenient and I like it there. You can put yours anywhere you like.
# cd /usr/share/
# hg clone https://code.google.com/p/prosody-modules/
And then add this to your /etc/prosody/prosody.cfg.lua:
plugin_paths = { "/usr/share/prosody-modules/" }
Specifying a plugin_paths parameter in the config file adds to the default module path; you're not replacing it. Run prosodyctl about at any time to check the full module path(s) in use.
So here's the state of our configuration at this point. I'm going to hold here until I get an SSL certificate, at which point we'll take it live, log in from a real XMPP client and talk to some people on other servers.
admins = { "admin@chinwag.im" }
use_libevent = true
plugin_paths = { "/usr/share/prosody-modules/" }
modules_enabled = {
    "roster";
    "saslauth";
    "tls";
    "dialback";
    "disco";
    "private";
    "vcard";
    "compression";
    "version";
    "uptime";
    "time";
    "ping";
    "pep";
    "admin_adhoc";
}
modules_disabled = {
    --
}
allow_registration = false
ssl = {
    key = "/etc/prosody/certs/localhost.key";
    certificate = "/etc/prosody/certs/localhost.crt";
}
c2s_require_encryption = true
s2s_secure_auth = false
pidfile = "/var/run/prosody/prosody.pid"
authentication = "internal_plain"
storage = "sql"
sql = {
    driver = "MySQL",
    database = "prosody",
    username = "prosody",
    password = "secret",
    host = "localhost"
}
log = {
    info = "/var/log/prosody/prosody.log";
    error = "/var/log/prosody/prosody.err";
    "*syslog";
}
VirtualHost "chinwag.im"
    enabled = true
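A few of the scalar settings in that config (s2s_secure_auth, c2s_require_encryption, allow_registration, authentication) decide how exposed the server is before it ever goes live. The following is an added example, not part of the original post or of Prosody, that pulls those top-level `key = value` lines out of a prosody.cfg.lua and reports the ones worth a second look; the sample config text is a constructed excerpt of the one above, and the parser deliberately ignores table values such as sql and ssl.

```python
import re

# Constructed excerpt mirroring the post's prosody.cfg.lua (not a live config).
SAMPLE_CFG = """
allow_registration = false
c2s_require_encryption = true
s2s_secure_auth = false
authentication = "internal_plain"
storage = "sql"
"""

def parse_settings(cfg_text):
    """Collect top-level `key = true|false|"string"` settings from a Prosody Lua config.
    Table entries (modules_enabled, ssl, sql, ...) end in ';' or ',' and are skipped."""
    settings = {}
    for line in cfg_text.splitlines():
        line = line.split("--", 1)[0].strip()  # drop Lua comments (naive: breaks on "--" inside strings)
        m = re.match(r'^(\w+)\s*=\s*(true|false|"[^"]*")$', line)
        if m:
            key, raw = m.groups()
            settings[key] = raw.strip('"') if raw.startswith('"') else raw == "true"
    return settings

def audit(cfg_text):
    """Return (setting, finding) pairs; a key that is absent counts as not enabled."""
    s = parse_settings(cfg_text)
    findings = []
    if s.get("allow_registration", False):
        findings.append(("allow_registration", "in-band registration is open to anyone"))
    if not s.get("c2s_require_encryption", False):
        findings.append(("c2s_require_encryption", "clients are not forced to use TLS"))
    if not s.get("s2s_secure_auth", False):
        findings.append(("s2s_secure_auth", "remote servers need not present a valid certificate"))
    if s.get("authentication") == "internal_plain":
        findings.append(("authentication", "passwords stored in plain text; internal_hashed stores hashes"))
    return findings

if __name__ == "__main__":
    for key, note in audit(SAMPLE_CFG):
        print(f"{key}: {note}")
```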