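###
###              ejabberd configuration file
###
### The parameters used in this configuration file are explained at
###
###       https://docs.ejabberd.im/admin/configuration
###
### The configuration file is written in YAML.
### *******************************************************
### *******           !!! WARNING !!!               *******
### *******     YAML IS INDENTATION SENSITIVE       *******
### ******* MAKE SURE YOU INDENT SECTIONS CORRECTLY *******
### *******************************************************
### Refer to http://en.wikipedia.org/wiki/YAML for the brief description.
### However, ejabberd treats different literals as different types:
###
### - unquoted or single-quoted strings. They are called "atoms".
###   Example: dog, 'Jupiter', '3.14159', YELLOW
###
### - numeric literals. Example: 3, -45.0, .0
###
### - quoted or folded strings.
###   Examples of quoted string: "Lizzard", "orange".
###   Example of folded string:
###   > Art thou not Romeo,
###     and a Montague?
###

## Virtual hosts served by this node.
hosts:
  - "domain1.com"
  - "domain2.com"
  - "pub.domain1.com"

## rotation: Disable ejabberd's internal log rotation, as the Debian package
## uses logrotate(8).
loglevel: 4
log_rotate_count: 0

## Certificates offered by the listeners below.
certfiles:
  - "/etc/ejabberd/xmpp.pem"
  - "/etc/ejabberd/xmpp_domain2.pem"
  - "/etc/ejabberd/xmpp_pub.pem"

## TLS configuration
define_macro:
  'TLS_CIPHERS': "HIGH:!aNULL:!eNULL:!3DES:@STRENGTH"
  ## NOTE(review): only SSLv3 is switched off here, so TLS 1.0 and TLS 1.1
  ## stay negotiable. ejabberd also accepts "no_tlsv1" and "no_tlsv1_1" in
  ## this list; enable them once no legacy client or peer depends on the
  ## old protocol versions.
  'TLS_OPTIONS':
    - "no_sslv3"
    ## - "no_tlsv1"
    ## - "no_tlsv1_1"
    - "cipher_server_preference"
    - "no_compression"
  ## 'DH_FILE': "/path/to/dhparams.pem" # generated with: openssl dhparam -out dhparams.pem 2048

c2s_ciphers: 'TLS_CIPHERS'
s2s_ciphers: 'TLS_CIPHERS'
c2s_protocol_options: 'TLS_OPTIONS'
s2s_protocol_options: 'TLS_OPTIONS'
## c2s_dhfile: 'DH_FILE'
## s2s_dhfile: 'DH_FILE'

listen:
  ## Client-to-server; STARTTLS is mandatory before authentication.
  - port: 5222
    ip: "::"
    module: ejabberd_c2s
    max_stanza_size: 262144
    shaper: c2s_shaper
    access: c2s
    starttls_required: true
    protocol_options: 'TLS_OPTIONS'
  ## Server-to-server (federation).
  - port: 5269
    ip: "::"
    module: ejabberd_s2s_in
    max_stanza_size: 524288
  ## HTTPS endpoint.
  ## NOTE(review): this listener binds every address ("::") and serves the
  ## web admin and /api next to the public /bosh, /upload and /ws handlers.
  ## api_permissions below limits who may run commands, but the admin
  ## surfaces are still reachable wherever this port is. Consider moving
  ## web_admin and "/api" to a separate listener bound to a loopback or
  ## management address, or filtering the port upstream.
  - port: 5443
    ip: "::"
    module: ejabberd_http
    request_handlers:
      "/api": mod_http_api
      "/bosh": mod_bosh
      "/upload": mod_http_upload
      "/ws": ejabberd_http_ws
    web_admin: true
    captcha: true
    tls: true
    protocol_options: 'TLS_OPTIONS'
  ## STUN over UDP and TCP.
  - port: 3478
    transport: udp
    module: ejabberd_stun
  - port: 3478
    module: ejabberd_stun
  ## NOTE(review): this entry carried two `certfile` keys (placement inferred
  ## from the flattened source). A YAML mapping cannot hold the same key
  ## twice and most parsers silently keep the last one, so only the last
  ## value is left active. Both files are also listed in the top-level
  ## `certfiles`. No `tls: true` is visible on this listener although 5349
  ## is the conventional STUN-over-TLS port; confirm TLS is really enabled.
  - port: 5349
    module: ejabberd_stun
    ## certfile: "/etc/ejabberd/xmpp.pem"
    certfile: "/etc/ejabberd/xmpp_domain2.pem"

## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text
## password storage (see auth_password_format option).
disable_sasl_mechanisms:
  - "digest-md5"
  - "X-OAUTH2"

s2s_use_starttls: required

## Store the plain passwords or hashed for SCRAM:
auth_password_format: scram

## Full path to a script that generates the image.
## captcha_cmd: "/usr/share/ejabberd/captcha.sh"
## NOTE(review): the 5443 listener sets `captcha: true` while captcha_cmd is
## commented out; confirm whether CAPTCHA is meant to be in use.

acl:
  admin:
    user:
      - "admin@domain1.com"
  ## An empty regexp matches every user name on the local hosts.
  local:
    user_regexp: ""
  loopback:
    ip:
      - "127.0.0.0/8"
      - "::1/128"
      - "::FFFF:127.0.0.1/128"

access_rules:
  local:
    - allow: local
  ## `blocked` is not defined under acl above, so the deny clause matches
  ## nobody until such an ACL is added.
  c2s:
    - deny: blocked
    - allow
  announce:
    - allow: admin
  configure:
    - allow: admin
  muc_create:
    - allow: local
  pubsub_createnode:
    - allow: local
  register:
    - deny
  trusted_network:
    - allow: loopback

api_permissions:
  ## ejabberdctl on the local node may run every command.
  "console commands":
    from:
      - ejabberd_ctl
    who: all
    what: "*"
  ## Every command except stop/start, for callers matching the clauses below.
  "admin access":
    who:
      - access:
          - allow:
              - acl: loopback
              - acl: admin
      - oauth:
          - scope: "ejabberd:admin"
          - access:
              - allow:
                  - acl: loopback
                  - acl: admin
    what:
      - "*"
      - "!stop"
      - "!start"
  ## Read-only status commands for callers on the IPv4 loopback range.
  "public commands":
    who:
      - ip: "127.0.0.1/8"
    what:
      - "status"
      - "connected_users_number"

shaper:
  normal: 1000
  fast: 50000

shaper_rules:
  max_user_sessions: 10
  max_user_offline_messages:
    - 5000: admin
    - 100
  c2s_shaper:
    - none: admin
    - normal
  s2s_shaper: fast

modules:
  mod_adhoc: {}
  mod_admin_extra: {}
  mod_announce:
    access: announce
  mod_avatar: {}
  mod_block_strangers: {}
  mod_blocking: {}
  mod_bosh: {}
  mod_caps: {}
  mod_carboncopy: {}
  mod_client_state: {}
  mod_configure: {}
  mod_delegation: {} # for xep0356
  mod_disco: {}
  mod_fail2ban: {}
  mod_http_api: {}
  ## NOTE(review): mod_http_fileserver and mod_http_upload share the docroot
  ## "/files/". No request handler maps mod_http_fileserver in the listen
  ## section, but if one is added, uploaded files become browsable from it.
  mod_http_fileserver:
    docroot: "/files/"
    accesslog: "/var/log/ejabberd/access.log"
  mod_http_upload:
    docroot: "/files/"
    put_url: "https://@HOST@:5443/upload"
    thumbnail: false # otherwise needs the identify command from ImageMagick installed
    custom_headers:
      "Access-Control-Allow-Origin": "*"
      "Access-Control-Allow-Methods": "PUT"
      "Access-Control-Allow-Headers": "content-type"
  mod_http_upload_quota:
    max_days: 30
  mod_last: {}
  mod_pres_counter:
    count: 5
    interval: 60
  mod_mam:
    ## Mnesia is limited to 2GB, better to use an SQL backend
    ## For small servers SQLite is a good fit and is very easy
    ## to configure. Uncomment this when you have SQL configured:
    ## db_type: sql
    assume_mam_usage: true
    default: always
  mod_muc:
    access:
      - allow
    access_admin:
      - allow: admin
    access_create: muc_create
    access_persistent: muc_create
    default_room_options:
      mam: true
  mod_muc_admin: {}
  ## NOTE(review): access_log names a rule `muc`, and no `muc` entry exists
  ## under access_rules above; verify which rule was intended, since room
  ## logs are written as HTML under outdir.
  mod_muc_log:
    access_log: muc
    dirtype: plain
    dirname: room_jid
    file_format: html
    outdir: "/var/log/ejabberd/muclog"
    timezone: local
  mod_multicast: {}
  mod_offline:
    access_max_user_messages: max_user_offline_messages
  mod_ping: {}
  mod_privacy: {}
  mod_private: {}
  mod_pubsub:
    access_createnode: pubsub_createnode
    plugins:
      - "flat"
      - "pep"
    force_node_config:
      ## Comment out the following lines to enable OMEMO support
      ## See https://github.com/processone/ejabberd/issues/2425
      "eu.siacs.conversations.axolotl.*":
        access_model: open
      ## Avoid buggy clients to make their bookmarks public
      "storage:bookmarks":
        access_model: whitelist
  mod_push: {}
  mod_push_keepalive: {}
  mod_register:
    ## Only accept registration requests from the "trusted"
    ## network (see access_rules section above).
    ## Think twice before enabling registration from any
    ## address. See the Jabber SPAM Manifesto for details:
    ## https://github.com/ge0rg/jabber-spam-fighting-manifesto
    ## NOTE(review): `access` names a rule called `deny`, which is not
    ## defined under access_rules (the rules there are `register` and
    ## `trusted_network`). Presumably registration is meant to stay closed;
    ## point this at a defined rule so the intent is explicit.
    access: deny
  mod_roster:
    versioning: true
  mod_s2s_dialback: {}
  mod_shared_roster: {}
  mod_sic: {}
  mod_stats: {}
  ## mod_stream_mgmt appeared twice in this section with identical options;
  ## the duplicate key is dropped and this single entry kept.
  mod_stream_mgmt:
    resend_on_timeout: if_offline
  mod_time: {}
  mod_vcard: {}
  mod_vcard_xupdate: {}
  mod_version:
    show_os: false

### Local Variables:
### mode: yaml
### End:
### vim: set filetype=yaml tabstop=8

## NOTE(review): this permits installing modules from the ejabberd-contrib
## repository on this node; set it to false if that is not used.
allow_contrib_modules: true

## NOTE(review): anonymous logins are enabled on this host. The `local` ACL
## uses an empty user_regexp, so anonymous users presumably match it and
## thereby the muc_create and pubsub_createnode rules; confirm that is
## intended.
host_config:
  "pub.domain1.com":
    auth_method: [anonymous]
    anonymous_protocol: both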