问题描述
位于 192.168.7.5 IP 上的 LAN 主机上的 ejabberd 服务器。
在面向 Internet 的计算机上,防火墙将端口 5222,5269,5443,5280,3478,5349,49152:65535
重定向到 ejabberd 服务器。
我已经阅读了 spam in creating accounts,但我不确定该选择什么。
想拥有 trusted_network: loopback
,但允许使用 captcha 服务从所有 IP 注册(稍后将在防火墙基础上进行限制)。
尝试从 Gajim 注册时,该过程似乎一直在尝试。 在 ejabberd 的日志中:
2021-07-27 16:53:42.970 [info] <0.383.0>@ejabberd_listener:accept:273 (<0.581.0>) Accepted connection 11.12.13.14:51267 -> 192.168.7.5:5222
这是我的ejabberd.yml
:
hosts:
- "example.cyou"
captcha_cmd: "/usr/local/bin/captcha.sh"
captcha_url: "http://example.cyou:5280/captcha"
captcha_limit: 20
loglevel: 4
certfiles:
- "/usr/local/etc/ejabberd/certs/example.pem"
- "/usr/local/etc/ejabberd/certs/example.cyou.key"
listen:
-
port: 5222
ip: "192.168.7.5"
module: ejabberd_c2s
max_stanza_size: 262144
shaper: c2s_shaper
access: c2s
tls: true
starttls: true
starttls_required: true
protocol_options:
- "no_sslv2"
- "no_sslv3"
- "no_tlsv1"
- "no_tlsv1_1"
- "no_tlsv1_3"
ciphers: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-poly1305:ECDHE-RSA-CHACHA20-poly1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
dhfile:
"/usr/local/etc/ejabberd/certs/c2s_dh2048.pem"
-
port: 5269
ip: "192.168.7.5"
module: ejabberd_s2s_in
max_stanza_size: 524288
dhfile:
"/usr/local/etc/ejabberd/certs/s2s_dh2048.pem"
-
port: 5443
ip: "192.168.7.5"
module: ejabberd_http
tls: true
request_handlers:
/admin: ejabberd_web_admin
/api: mod_http_api
/bosh: mod_bosh
/captcha: ejabberd_captcha
/upload: mod_http_upload
/ws: ejabberd_http_ws
-
port: 5280
ip: "192.168.7.5"
module: ejabberd_http
web_admin: true
http_bind: true
register: true
request_handlers:
/admin: ejabberd_web_admin
-
port: 3478
ip: "192.168.7.5"
transport: udp
module: ejabberd_stun
use_turn: true
turn_min_port: 49152
turn_max_port: 65535
turn_ipv4_address: 22.33.44.55
-
port: 1883
ip: "192.168.7.5"
module: mod_mqtt
backlog: 1000
-
port: 5349
transport: tcp
module: ejabberd_stun
use_turn: true
tls: true
turn_min_port: 49152
turn_max_port: 65535
ip: 192.168.7.5
turn_ipv4_address: 22.33.44.55
s2s_use_starttls: optional
acl:
local:
user_regexp: ""
loopback:
ip:
- 127.0.0.0/8
admin:
user:
- "admin@example.cyou"
access_rules:
local:
allow: local
c2s:
deny: blocked
allow: all
announce:
allow: admin
configure:
allow: admin
muc_create:
allow: local
pubsub_createnode:
allow: local
trusted_network:
allow: all
register:
- allow: all
api_permissions:
"console commands":
from:
- ejabberd_ctl
who: all
what: "*"
"admin access":
who:
access:
allow:
- acl: loopback
- acl: admin
oauth:
scope: "ejabberd:admin"
access:
allow:
- acl: loopback
- acl: admin
what:
- "*"
- "!stop"
- "!start"
"public commands":
who:
ip: 127.0.0.1/8
what:
- status
- connected_users_number
shaper:
normal:
rate: 3000
burst_size: 20000
fast: 100000
shaper_rules:
max_user_sessions: 10
max_user_offline_messages:
5000: admin
100: all
c2s_shaper:
none: admin
normal: all
s2s_shaper: fast
modules:
mod_adhoc: {}
mod_admin_extra: {}
mod_announce:
access: announce
mod_avatar: {}
mod_blocking: {}
mod_bosh: {}
mod_caps: {}
mod_carboncopy: {}
mod_client_state: {}
mod_configure: {}
mod_disco: {}
mod_fail2ban: {}
mod_http_api: {}
mod_http_upload:
docroot: "/var/spool/ejabberd/upload"
put_url: "https://upload.@HOST@:5443"
max_size: 10000000 #10MB
file_mode: "0644"
dir_mode: "0744"
thumbnail: false
access: local
mod_last: {}
mod_mam:
assume_mam_usage: true
default: always
mod_mqtt: {}
mod_muc:
access:
- allow
access_admin:
- allow: admin
access_create: muc_create
access_persistent: muc_create
access_mam:
- allow
default_room_options:
mam: true
mod_muc_admin: {}
mod_offline:
access_max_user_messages: max_user_offline_messages
mod_ping: {}
mod_privacy: {}
mod_private: {}
mod_proxy65:
access: local
max_connections: 5
mod_pubsub:
access_createnode: pubsub_createnode
plugins:
- flat
- pep
force_node_config:
storage:bookmarks:
access_model: whitelist
mod_push: {}
mod_push_keepalive: {}
mod_register:
ip_access: all
captcha_protected: true
password_strength: 0
registration_watchers:
-
"admin@example.cyou"
access_from: register_from
access: register
welcome_message:
subject: "Welcome!"
body: |-
Hi.
Welcome to this XMPP server.
mod_roster:
versioning: true
mod_s2s_dialback: {}
mod_shared_roster: {}
mod_stream_mgmt:
resend_on_timeout: if_offline
mod_stun_disco:
credentials_lifetime: 12h
services:
-
host: 192.168.7.5
port: 3478
type: stun
transport: udp
restricted: false
-
host: 192.168.7.5
port: 3478
type: turn
transport: udp
restricted: true
-
host: example.cyou
port: 5349
type: stuns
transport: tcp
restricted: false
-
host: example.cyou
port: 5349
type: turns
transport: tcp
restricted: true
mod_vcard: {}
mod_vcard_xupdate: {}
mod_version:
show_os: false
除此之外,对于反向代理(Nginx)
server {
listen 5280 ;
server_name example.cyou;
root /usr/local/www/Nginx/example.cyou;
index captcha.html;
location /captcha {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_pass http://192.168.7.5:5280;
}
}
所以我的问题是:
- 如何更正配置
- 如果 ejabberd 为多个主机提供服务,根据 ejabberd 所服务的主机,如何在
mod_register
中放置不同的选项,例如,example.cyou 具有所述选项,但对于主机foobar.org 仅针对本地网络开放注册并根据每个主机指定registration_watchers
。
解决方法
- 如果 ejabberd 为多个主机提供服务,根据 ejabberd 所服务的主机,如何在 mod_register 中放置不同的选项,例如,example.cyou 具有所述选项,但主机 foobar.org 具有register 仅针对本地网络开放,并根据每个主机指定了 registration_watchers。
使用 append_host_config。里面有一个例子 https://docs.ejabberd.im/admin/configuration/basic/#virtual-hosting 为每个虚拟主机配置不同的 mod_muc。