From 3078c28d1a99e391d369d40296373de15d059dfb Mon Sep 17 00:00:00 2001 From: Badlop Date: Tue, 11 Aug 2009 13:22:39 +0000 Subject: [PATCH] Document STUN server (thanks to Evgeniy Khramtsov), and minor doc enhancements. * Add stun listener to example config file, disabled. * Improve enumeration of listeners options SVN Revision: 2460 --- doc/guide.html | 437 +++++++++++++++++++++++---------------- doc/guide.tex | 56 ++++- src/ejabberd.cfg.example | 5 + 3 files changed, 312 insertions(+), 186 deletions(-) diff --git a/doc/guide.html b/doc/guide.html index 310abe64a..4770c5308 100644 --- a/doc/guide.html +++ b/doc/guide.html @@ -6,7 +6,7 @@ - ejabberd 3.0.0-alpha + ejabberd 2.1.0-alpha Installation and Operation Guide @@ -76,7 +76,7 @@ BLOCKQUOTE.figure DIV.center DIV.center HR{display:none;}


- +
ejabberd 3.0.0-alpha
ejabberd 2.1.0-alpha
 
Installation and Operation Guide

@@ -144,80 +144,81 @@ BLOCKQUOTE.figure DIV.center DIV.center HR{display:none;}
  • 3.3.5  mod_echo
  • 3.3.6  mod_http_bind
  • 3.3.7  mod_http_fileserver -
  • 3.3.8  mod_last -
  • 3.3.9  mod_muc -
  • 3.3.10  mod_muc_log -
  • 3.3.11  mod_offline -
  • 3.3.12  mod_ping -
  • 3.3.13  mod_privacy -
  • 3.3.14  mod_private -
  • 3.3.15  mod_proxy65 -
  • 3.3.16  mod_pubsub -
  • 3.3.17  mod_register -
  • 3.3.18  mod_roster -
  • 3.3.19  mod_service_log -
  • 3.3.20  mod_shared_roster -
  • 3.3.21  mod_stats -
  • 3.3.22  mod_time -
  • 3.3.23  mod_vcard -
  • 3.3.24  mod_vcard_ldap -
  • 3.3.25  mod_version +
  • 3.3.8  mod_irc +
  • 3.3.9  mod_last +
  • 3.3.10  mod_muc +
  • 3.3.11  mod_muc_log +
  • 3.3.12  mod_offline +
  • 3.3.13  mod_ping +
  • 3.3.14  mod_privacy +
  • 3.3.15  mod_private +
  • 3.3.16  mod_proxy65 +
  • 3.3.17  mod_pubsub +
  • 3.3.18  mod_register +
  • 3.3.19  mod_roster +
  • 3.3.20  mod_service_log +
  • 3.3.21  mod_shared_roster +
  • 3.3.22  mod_stats +
  • 3.3.23  mod_time +
  • 3.3.24  mod_vcard +
  • 3.3.25  mod_vcard_ldap +
  • 3.3.26  mod_version
  • -
  • Chapter 4  Managing an ejabberd Server +
  • Chapter 4  Managing an ejabberd Server -
  • Chapter 5  Securing ejabberd +
  • Chapter 5  Securing ejabberd -
  • Chapter 6  Clustering +
  • Chapter 6  Clustering -
  • Chapter 7  Debugging +
  • Chapter 7  Debugging -
  • Appendix A  Internationalization and Localization -
  • Appendix B  Release Notes -
  • Appendix C  Acknowledgements -
  • Appendix D  Copyright Information +
  • Appendix A  Internationalization and Localization +
  • Appendix B  Release Notes +
  • Appendix C  Acknowledgements +
  • Appendix D  Copyright Information
  • Chapter 1  Introduction

    -

    ejabberd is a free and open source instant messaging server written in Erlang/OTP.

    ejabberd is cross-platform, distributed, fault-tolerant, and based on open standards to achieve real-time communication.

    ejabberd is designed to be a rock-solid and feature rich XMPP server.

    ejabberd is suitable for small deployments, whether they need to be scalable or not, as well as extremely big deployments.

    +

    ejabberd is a free and open source instant messaging server written in Erlang.

    ejabberd is cross-platform, distributed, fault-tolerant, and based on open standards to achieve real-time communication.

    ejabberd is designed to be a rock-solid and feature rich XMPP server.

    ejabberd is suitable for small deployments, whether they need to be scalable or not, as well as extremely big deployments.

    1.1  Key Features

    ejabberd is: @@ -268,12 +269,13 @@ Internal Authentication.

  • Others
  • @@ -336,14 +338,16 @@ as long as your system have all the dependencies.

    2.4.2  Download Source Code

    Released versions of ejabberd are available in the ProcessOne ejabberd downloads page: @@ -458,25 +462,31 @@ for example:

    Requirements

    To compile ejabberd on a Microsoft Windows system, you need:

    Compilation

    We assume that we will try to put as much library as possible into C:\sdk\ to make it easier to track what is install for ejabberd.

    1. -Install Erlang emulator (for example, into C:\sdk\erl5.6.5). +Install Erlang emulator (for example, into C:\sdk\erl5.5.5).
    2. Install Expat library into C:\sdk\Expat-2.0.0 directory.

      Copy file C:\sdk\Expat-2.0.0\Libs\libexpat.dll to your Windows system directory (for example, C:\WINNT or C:\WINNT\System32) -Note: instead of copying libexpat.dll to the Windows -directory, you can add the directory C:\sdk\Expat-2.0.0\Libs -to the PATH environment variable. +

    3. Build and install the Iconv library into the directory +C:\sdk\GnuWin32.

      Copy file C:\sdk\GnuWin32\bin\lib*.dll to your +Windows system directory (more installation instructions can be found in the +file README.woe32 in the iconv distribution).

      Note: instead of copying libexpat.dll and iconv.dll to the Windows +directory, you can add the directories +C:\sdk\Expat-2.0.0\Libs and +C:\sdk\GnuWin32\bin to the PATH environment +variable.

    4. Install OpenSSL in C:\sdk\OpenSSL and add C:\sdk\OpenSSL\lib\VC to your path or copy the binaries to your system directory.
    5. Install ZLib in C:\sdk\gnuWin32. Copy -C:\sdk\GnuWin32\bin\zlib1.dll to your system directory. +C:\sdk\GnuWin32\bin\zlib1.dll to your system directory. If you change your path it should already be set after libiconv install.
    6. Make sure the you can access Erlang binaries from your path. For example: set PATH=%PATH%;"C:\sdk\erl5.6.5\bin"
    7. Depending on how you end up actually installing the library you might need to check and tweak the paths in the file configure.erl.
    8. While in the directory ejabberd\src run: @@ -493,7 +503,7 @@ There are two ways to register a Jabber account:
      1. Using ejabberdctl (see section 4.1):
        ejabberdctl register admin1 example.org FgT5bk3
        -
      2. Using a Jabber client and In-Band Registration (see section 3.3.17). +
      3. Using a Jabber client and In-Band Registration (see section 3.3.18).
    9. Edit the ejabberd configuration file to give administration rights to the Jabber account you created:
      {acl, admins, {user, "admin1", "example.org"}}.
      @@ -667,7 +677,7 @@ Handles incoming s2s connections.
      Options: max_stanza_size
      ejabberd_service
      Interacts with an external component -(as defined in the Jabber Component Protocol (XEP-0114).
      +(as defined in the Jabber Component Protocol (XEP-0114).
      Options: access, hosts, shaper, service_check_from
      ejabberd_http
      @@ -685,7 +695,7 @@ To define a certificate file specific for a given domain, use the global option This option can be used with ejabberd_service only. It is used to disable control on the from field on packets send by an external components. The option can be either true or -false. The default value is true which conforms to XEP-0114. +false. The default value is true which conforms to XEP-0114.
      {hosts, [Hostnames], [HostOptions]}
      The external Jabber component that connects to this ejabberd_service can serve one or more hostnames. @@ -698,7 +708,7 @@ as seen in an example below.
      captcha
      Simple web page that allows a user to fill a CAPTCHA challenge (see section 3.1.8).
      http_bind
      -This option enables HTTP Binding (XEP-0124 and XEP-0206) support. HTTP Bind +This option enables HTTP Binding (XEP-0124 and XEP-0206) support. HTTP Bind enables access via HTTP requests to ejabberd from behind firewalls which do not allow outgoing sockets on port 5222.

      Remember that you must also install and enable the module mod_http_bind.

      If HTTP Bind is enabled, it will be available at http://server:port/http-bind/. Be aware that support for HTTP Bind @@ -709,7 +719,7 @@ interesting to host a web-based Jabber client such as embedded local web server or Apache).

      http_poll
      -This option enables HTTP Polling (XEP-0025) support. HTTP Polling +This option enables HTTP Polling (XEP-0025) support. HTTP Polling enables access via HTTP requests to ejabberd from behind firewalls which do not allow outgoing sockets on port 5222.

      If HTTP Polling is enabled, it will be available at http://server:port/http-poll/. Be aware that support for HTTP Polling @@ -735,7 +745,7 @@ and you also want mod_http_bind to serve the URIs /http-bind/, use this option: {request_handlers, [{["a", "b"], mod_foo}, {["http-bind"], mod_http_bind}]}

      {service_check_from, true|false}
      By enabling this option, ejabberd allows the component to send packets with any arbitrary domain in the ’from’ attribute. -Note that XEP-0114 requires that the domain must match the hostname of the component. +Note that XEP-0114 requires that the domain must match the hostname of the component. Only enable this option if you are completely sure you need to enable it. Default value: false.
      {shaper, <access rule>}
      This option defines a @@ -756,7 +766,7 @@ This was the traditional encryption method in the early Jabber software, commonly on port 5223 for client-to-server communications. But this method is nowadays deprecated and not recommended. The preferable encryption method is STARTTLS on port 5222, as defined -RFC 3920: XMPP Core, +RFC 3920: XMPP Core, which can be enabled in ejabberd with the option starttls. If this option is set, you should also set the certfile option.
      web_admin
      This option @@ -765,7 +775,7 @@ at http://server:port/admin/. Login and password are the username a password of one of the registered users who are granted access by the ‘configure’ access rule.
      zlib
      This -option specifies that Zlib stream compression (as defined in XEP-0138) +option specifies that Zlib stream compression (as defined in XEP-0138) is available on connections to the port. Client connections cannot use stream compression and stream encryption simultaneously. Hence, if you specify both starttls (or tls) and zlib, the latter @@ -1216,7 +1226,7 @@ can be seen by Jabber clients. If a Jabber client does not support

      Appendix A provides more details about internationalization and localization.

      3.1.8  CAPTCHA

      Some ejabberd modules can be configured to require a CAPTCHA challenge on certain actions. -If the client does not support CAPTCHA Forms (XEP-0158), +If the client does not support CAPTCHA Forms (XEP-0158), a web link is provided so the user can fill the challenge in a web browser.

      An example script is provided that generates the image using ImageMagick’s Convert program.

      The configurable options are:

      @@ -1616,7 +1626,7 @@ user’s part of a JID. For example, "%u@example.org". The default value is "%u".
      ldap_filter
      -RFC 4515 LDAP filter. The +RFC 2254 LDAP filter. The default is none. Example: "(&(objectClass=shadowAccount)(memberOf=Jabber Users))". Please, do not forget to close brackets and do not use superfluous whitespaces. Also you @@ -1775,37 +1785,38 @@ all entries end with a comma:

      3.3.1  Modules Overview

      The following table lists all modules included in ejabberd.


      - + - + - + - - - + + + + - - - + + + - - - - - + + + + + - - - - - - + + + + + +
      ModuleFeatureDependencies
      mod_adhocAd-Hoc Commands (XEP-0050) 
      mod_adhocAd-Hoc Commands (XEP-0050) 
      mod_announceManage announcementsrecommends mod_adhoc
      mod_capsEntity Capabilities (XEP-0115) 
      mod_capsEntity Capabilities (XEP-0115) 
      mod_configureServer configuration using Ad-Hocmod_adhoc
      mod_discoService Discovery (XEP-0030) 
      mod_discoService Discovery (XEP-0030) 
      mod_echoEchoes Jabber packets 
      mod_lastLast Activity (XEP-0012) 
      mod_last_odbcLast Activity (XEP-0012)supported DB (*)
      mod_mucMulti-User Chat (XEP-0045) 
      mod_ircIRC transport 
      mod_lastLast Activity (XEP-0012) 
      mod_last_odbcLast Activity (XEP-0012)supported DB (*)
      mod_mucMulti-User Chat (XEP-0045) 
      mod_muc_logMulti-User Chat room loggingmod_muc
      mod_offlineOffline message storage (XEP-0160) 
      mod_offline_odbcOffline message storage (XEP-0160)supported DB (*)
      mod_pingXMPP Ping and periodic keepalives (XEP-0199) 
      mod_offlineOffline message storage (XEP-0160) 
      mod_offline_odbcOffline message storage (XEP-0160)supported DB (*)
      mod_pingXMPP Ping and periodic keepalives (XEP-0199) 
      mod_privacyBlocking Communication (XMPP IM) 
      mod_privacy_odbcBlocking Communication (XMPP IM)supported DB (*)
      mod_privatePrivate XML Storage (XEP-0049) 
      mod_private_odbcPrivate XML Storage (XEP-0049)supported DB (*)
      mod_proxy65SOCKS5 Bytestreams (XEP-0065) 
      mod_pubsubPub-Sub (XEP-0060), PEP (XEP-0163)mod_caps
      mod_registerIn-Band Registration (XEP-0077) 
      mod_privatePrivate XML Storage (XEP-0049) 
      mod_private_odbcPrivate XML Storage (XEP-0049)supported DB (*)
      mod_proxy65SOCKS5 Bytestreams (XEP-0065) 
      mod_pubsubPub-Sub (XEP-0060), PEP (XEP-0163)mod_caps
      mod_registerIn-Band Registration (XEP-0077) 
      mod_rosterRoster management (XMPP IM) 
      mod_roster_odbcRoster management (XMPP IM)supported DB (*)
      mod_service_logCopy user messages to logger service 
      mod_shared_rosterShared roster managementmod_roster or
        mod_roster_odbc
      mod_statsStatistics Gathering (XEP-0039) 
      mod_timeEntity Time (XEP-0202) 
      mod_vcardvcard-temp (XEP-0054) 
      mod_vcard_ldapvcard-temp (XEP-0054)LDAP server
      mod_vcard_odbcvcard-temp (XEP-0054)supported DB (*)
      mod_versionSoftware Version (XEP-0092) 
      mod_statsStatistics Gathering (XEP-0039) 
      mod_timeEntity Time (XEP-0202) 
      mod_vcardvcard-temp (XEP-0054) 
      mod_vcard_ldapvcard-temp (XEP-0054)LDAP server
      mod_vcard_odbcvcard-temp (XEP-0054)supported DB (*)
      mod_versionSoftware Version (XEP-0092) 

      • (*) This module requires a supported database. For a list of supported databases, see section 3.2. @@ -1902,7 +1913,7 @@ message is sent to all registered users. If the user is online and connected to several resources, only the resource with the highest priority will receive the message. If the registered user is not connected, the message will be stored offline in assumption that offline storage -(see section 3.3.11) is enabled. +(see section 3.3.12) is enabled.
      example.org/announce/online (example.org/announce/all-hosts/online)
      The message is sent to all connected users. If the user is online and connected to several resources, all resources will receive the message. @@ -1955,11 +1966,11 @@ disabled for instances of ejabberd with hundreds of thousands users.

      This module adds support for Service Discovery (XEP-0030). With +

      This module adds support for Service Discovery (XEP-0030). With this module enabled, services on your server can be discovered by Jabber clients. Note that ejabberd has no modules with support -for the superseded Jabber Browsing (XEP-0011) and Agent Information -(XEP-0094). Accordingly, Jabber clients need to have support for +for the superseded Jabber Browsing (XEP-0011) and Agent Information +(XEP-0094). Accordingly, Jabber clients need to have support for the newer Service Discovery protocol if you want them be able to discover the services you offer.

      Options:

      @@ -1970,7 +1981,7 @@ the processing discipline for Service Discovery (http://jabber.org/protocol/ you can specify a list of extra domains that are added to the Service Discovery item list.
      {server_info, [ {Modules, Field, [Value]} ]}
      Specify additional information about the server, -as described in Contact Addresses for XMPP Services (XEP-0157). +as described in Contact Addresses for XMPP Services (XEP-0157). Modules can be the keyword ‘all’, in which case the information is reported in all the services; or a list of ejabberd modules, @@ -2046,7 +2057,7 @@ of them all?

      3.3.6  mod_http_bind

      This module implements XMPP over Bosh (formerly known as HTTP Binding) -as defined in XEP-0124 and XEP-0206. +as defined in XEP-0124 and XEP-0206. It extends ejabberd’s built in HTTP service with a configurable resource at which this service will be hosted.

      To use HTTP-Binding, enable the module:

      {modules,
      @@ -2154,9 +2165,69 @@ To use this module you must enable it:
         },
         ...
       ]}.
      -

      -

      3.3.8  mod_last

      -

      This module adds support for Last Activity (XEP-0012). It can be used to +

      +

      3.3.8  mod_irc

      +

      This module is an IRC transport that can be used to join channels on IRC +servers.

      End user information: + +

      • +A Jabber client with ‘groupchat 1.0’ support or Multi-User +Chat support (XEP-0045) is necessary to join IRC channels. +
      • An IRC channel can be joined in nearly the same way as joining a +Jabber Multi-User Chat room. The difference is that the room name will +be ‘channel%irc.example.org’ in case irc.example.org is +the IRC server hosting ‘channel’. And of course the host should point +to the IRC transport instead of the Multi-User Chat service. +
      • You can register your nickame by sending ‘IDENTIFY password’ to
        + nickserver!irc.example.org@irc.jabberserver.org. +
      • Entering your password is possible by sending ‘LOGIN nick password’
        + to nickserver!irc.example.org@irc.jabberserver.org. +
      • The IRC transport provides Ad-Hoc Commands (XEP-0050) +to join a channel, and to set custom IRC username and encoding. +
      • When using a popular Jabber server, it can occur that no +connection can be achieved with some IRC servers because they limit the +number of conections from one IP. +

      Options: +

      + +host
      This option defines the Jabber ID of the +service. If the host option is not specified, the Jabber ID will be the +hostname of the virtual host with the prefix ‘irc.’. The keyword "@HOST@" +is replaced at start time with the real virtual host name. + +
      access
      This option can be used to specify who +may use the IRC transport (default value: all). +
      default_encoding
      Set the default IRC encoding (default value: "koi8-r"). +

      Examples: +

      • +In the first example, the IRC transport is available on (all) your +virtual host(s) with the prefix ‘irc.’. Furthermore, anyone is +able to use the transport. The default encoding is set to "iso8859-15". +
        {modules,
        + [
        +  ...
        +  {mod_irc, [{access, all}, {default_encoding, "iso8859-15"}]},
        +  ...
        + ]}.
        +
      • In next example the IRC transport is available with JIDs with prefix irc-t.net. +Moreover, the transport is only accessible to two users +of example.org, and any user of example.com: +
        {acl, paying_customers, {user, "customer1", "example.org"}}.
        +{acl, paying_customers, {user, "customer2", "example.org"}}.
        +{acl, paying_customers, {server, "example.com"}}.
        +
        +{access, irc_users, [{allow, paying_customers}, {deny, all}]}.
        +
        +{modules,
        + [
        +  ...
        +  {mod_irc, [{access, irc_users},
        +             {host, "irc.example.net"}]},
        +  ...
        + ]}.
        +

      +

      3.3.9  mod_last

      +

      This module adds support for Last Activity (XEP-0012). It can be used to discover when a disconnected user last accessed the server, to know when a connected user was last active on the server, or to query the uptime of the ejabberd server.

      Options: @@ -2164,8 +2235,8 @@ connected user was last active on the server, or to query the uptime of the iqdisc

      This specifies the processing discipline for Last activity (jabber:iq:last) IQ queries (see section 3.3.2).

      -

      3.3.9  mod_muc

      -

      This module provides a Multi-User Chat (XEP-0045) service. +

      3.3.10  mod_muc

      +

      This module provides a Multi-User Chat (XEP-0045) service. Users can discover existing rooms, join or create them. Occupants of a room can chat in public or have private chats.

      Some of the features of Multi-User Chat:

      • @@ -2387,7 +2458,7 @@ the newly created rooms have by default those options. ... ]}.

      -

      3.3.10  mod_muc_log

      +

      3.3.11  mod_muc_log

      This module enables optional logging of Multi-User Chat (MUC) public conversations to HTML. Once you enable this module, users can join a room using a MUC capable Jabber client, and if they have enough privileges, they can request the @@ -2397,7 +2468,7 @@ Room details are added on top of each page: room title, JID, author, subject and configuration.

    10. The room JID in the generated HTML is a link to join the room (using -XMPP URI). +XMPP URI).
    11. Subject and room configuration changes are tracked and displayed.
    12. Joins, leaves, nick changes, kicks, bans and ‘/me’ are tracked and displayed, including the reason if available. @@ -2507,8 +2578,8 @@ top link will be the default <a href="/">Home</a>. ... ]}.
    13. -

      3.3.11  mod_offline

      -

      This module implements offline message storage (XEP-0160). +

      3.3.12  mod_offline

      +

      This module implements offline message storage (XEP-0160). This means that all messages sent to an offline user will be stored on the server until that user comes online again. Thus it is very similar to how email works. Note that @@ -2539,8 +2610,8 @@ and all the other users up to 100. ... ]}.

      -

      3.3.12  mod_ping

      -

      This module implements support for XMPP Ping (XEP-0199) and periodic keepalives. +

      3.3.13  mod_ping

      +

      This module implements support for XMPP Ping (XEP-0199) and periodic keepalives. When this module is enabled ejabberd responds correctly to ping requests, as defined in the protocol.

      Configuration options:

      @@ -2567,7 +2638,7 @@ and if a client does not answer to the ping in less than 32 seconds, its connect ... ]}.

      -

      3.3.13  mod_privacy

      +

      3.3.14  mod_privacy

      This module implements Blocking Communication (also known as Privacy Rules) as defined in section 10 from XMPP IM. If end users have support for it in their Jabber client, they will be able to: @@ -2589,26 +2660,26 @@ or subscription type (or globally).

    14. Allowing or blocking all communications based on JID, group, or subscription type (or globally).
    15. -(from http://xmpp.org/specs/rfc3921.html#privacy) +(from http://www.xmpp.org/specs/rfc3921.html#privacy)

      Options:

      iqdisc
      This specifies the processing discipline for Blocking Communication (jabber:iq:privacy) IQ queries (see section 3.3.2).

      -

      3.3.14  mod_private

      -

      This module adds support for Private XML Storage (XEP-0049): +

      3.3.15  mod_private

      +

      This module adds support for Private XML Storage (XEP-0049):

      Using this method, Jabber entities can store private data on the server and retrieve it whenever necessary. The data stored might be anything, as long as it is valid XML. One typical usage for this namespace is the server-side storage -of client-specific preferences; another is Bookmark Storage (XEP-0048). +of client-specific preferences; another is Bookmark Storage (XEP-0048).

      Options:

      iqdisc
      This specifies the processing discipline for Private XML Storage (jabber:iq:private) IQ queries (see section 3.3.2).

      -

      3.3.15  mod_proxy65

      -

      This module implements SOCKS5 Bytestreams (XEP-0065). +

      3.3.16  mod_proxy65

      +

      This module implements SOCKS5 Bytestreams (XEP-0065). It allows ejabberd to act as a file transfer proxy between two XMPP clients.

      Options:

      @@ -2662,10 +2733,10 @@ The simpliest configuration of the module: ... ]}.

      -

      3.3.16  mod_pubsub

      -

      This module offers a Publish-Subscribe Service (XEP-0060). +

      3.3.17  mod_pubsub

      +

      This module offers a Publish-Subscribe Service (XEP-0060). The functionality in mod_pubsub can be extended using plugins. -The plugin that implements PEP (Personal Eventing via Pubsub) (XEP-0163) +The plugin that implements PEP (Personal Eventing via Pubsub) (XEP-0163) is enabled in the default ejabberd configuration file, and it requires mod_caps.

      Options:

      @@ -2708,8 +2779,8 @@ The following example will use node_tune instead of node_pep for every PEP node ... ]}.

      -

      3.3.17  mod_register

      -

      This module adds support for In-Band Registration (XEP-0077). This protocol +

      3.3.18  mod_register

      +

      This module adds support for In-Band Registration (XEP-0077). This protocol enables end users to use a Jabber client to:

      • Register a new account on the server. @@ -2781,10 +2852,10 @@ Also define a registration timeout of one hour: ... ]}.

      -

      3.3.18  mod_roster

      +

      3.3.19  mod_roster

      This module implements roster management as defined in -RFC 3921: XMPP IM. -It also supports Roster Versioning (XEP-0237).

      Options: +RFC 3921: XMPP IM. +It also supports Roster Versioning (XEP-0237).

      Options:

      iqdisc
      This specifies the processing discipline for Roster Management (jabber:iq:roster) IQ queries (see section 3.3.2). @@ -2807,7 +2878,7 @@ Important: if you use mod_shared_roster, you must disable this option. ... ]}.

      -

      3.3.19  mod_service_log

      +

      3.3.20  mod_service_log

      This module adds support for logging end user packets via a Jabber message auditing service such as Bandersnatch. All user @@ -2837,7 +2908,7 @@ To log all end user packets to the Bandersnatch service running on ... ]}.

      -

      3.3.20  mod_shared_roster

      +

      3.3.21  mod_shared_roster

      This module enables you to create shared roster groups. This means that you can create groups of people that can see members from (other) groups in their rosters. The big advantages of this feature are that end users do not need to @@ -2912,8 +2983,8 @@ roster groups as shown in the following table:


      -

      3.3.21  mod_stats

      -

      This module adds support for Statistics Gathering (XEP-0039). This protocol +

      3.3.22  mod_stats

      +

      This module adds support for Statistics Gathering (XEP-0039). This protocol allows you to retrieve next statistics from your ejabberd deployment:

      • Total number of registered users on the current virtual host (users/total). @@ -2944,16 +3015,16 @@ by sending: </query> </iq>

      -

      3.3.22  mod_time

      -

      This module features support for Entity Time (XEP-0202). By using this XEP, +

      3.3.23  mod_time

      +

      This module features support for Entity Time (XEP-0202). By using this XEP, you are able to discover the time at another entity’s location.

      Options:

      iqdisc
      This specifies the processing discipline for Entity Time (jabber:iq:time) IQ queries (see section 3.3.2).

      -

      3.3.23  mod_vcard

      +

      3.3.24  mod_vcard

      This module allows end users to store and retrieve their vCard, and to retrieve -other users vCards, as defined in vcard-temp (XEP-0054). The module also +other users vCards, as defined in vcard-temp (XEP-0054). The module also implements an uncomplicated Jabber User Directory based on the vCards of these users. Moreover, it enables the server to send its vCard when queried.

      Options:

      @@ -3006,7 +3077,7 @@ and that all virtual hosts will be searched instead of only the current one: ... ]}.

      -

      3.3.24  mod_vcard_ldap

      +

      3.3.25  mod_vcard_ldap

      ejabberd can map LDAP attributes to vCard fields. This behaviour is implemented in the mod_vcard_ldap module. This module does not depend on the authentication method (see 3.2.5).

      Note that ejabberd treats LDAP as a read-only storage: @@ -3040,7 +3111,7 @@ all search results are reported. The default value is 30. set the table that maps LDAP attributes to vCard fields. The format is: [Name_of_vCard_field, Pattern, List_of_LDAP_attributes, ...]. Name_of_vcard_field is the type name of the vCard as defined in -RFC 2426. Pattern is a +RFC 2426. Pattern is a string which contains pattern variables "%u", "%d" or "%s". List_of_LDAP_attributes is the list containing LDAP attributes. The pattern variables "%s" will be sequentially replaced @@ -3182,8 +3253,8 @@ searching his info in LDAP.

    16. ldap_vcard_map
    17. -

      3.3.25  mod_version

      -

      This module implements Software Version (XEP-0092). Consequently, it +

      3.3.26  mod_version

      +

      This module implements Software Version (XEP-0092). Consequently, it answers ejabberd’s version when queried.

      Options:

      show_os
      Should the operating system be revealed or not. @@ -3191,8 +3262,8 @@ The default value is true.
      iqdisc
      This specifies the processing discipline for Software Version (jabber:iq:version) IQ queries (see section 3.3.2).

      -

      Chapter 4  Managing an ejabberd Server

      -

      4.1  ejabberdctl

      With the ejabberdctl command line administration script +

      Chapter 4  Managing an ejabberd Server

      +

      4.1  ejabberdctl

      With the ejabberdctl command line administration script you can execute ejabberdctl commands (described in the next section, 4.1.1) and also many general ejabberd commands (described in section 4.2). This means you can start, stop and perform many other administrative tasks @@ -3204,7 +3275,7 @@ and other codes may be used for specific results. This can be used by other scripts to determine automatically if a command succeeded or failed, for example using: echo $?

      -

      4.1.1  ejabberdctl Commands

      When ejabberdctl is executed without any parameter, +

      4.1.1  ejabberdctl Commands

      When ejabberdctl is executed without any parameter, it displays the available options. If there isn’t an ejabberd server running, the available parameters are:

      @@ -3240,7 +3311,7 @@ robot1 testuser1 testuser2

      -

      4.1.2  Erlang Runtime System

      ejabberd is an Erlang/OTP application that runs inside an Erlang runtime system. +

      4.1.2  Erlang Runtime System

      ejabberd is an Erlang/OTP application that runs inside an Erlang runtime system. This system is configured using environment variables and command line parameters. The ejabberdctl administration script uses many of those possibilities. You can configure some of them with the file ejabberdctl.cfg, @@ -3313,7 +3384,7 @@ Starts the Erlang system detached from the system console.

      Note that some characters need to be escaped when used in shell scripts, for instance " and {}. You can find other options in the Erlang manual page (erl -man erl).

      -

      4.2  ejabberd Commands

      An ejabberd command is an abstract function identified by a name, +

      4.2  ejabberd Commands

      An ejabberd command is an abstract function identified by a name, with a defined number and type of calling arguments and type of result that is registered in the ejabberd_commands service. Those commands can be defined in any Erlang module and executed using any valid frontend.

      ejabberd includes a frontend to execute ejabberd commands: the script ejabberdctl. @@ -3321,7 +3392,7 @@ Other known frontends that can be installed to execute ejabberd commands in diff ejabberd_xmlrpc (XML-RPC service), mod_rest (HTTP POST service), mod_shcommands (ejabberd WebAdmin page).

      -

      4.2.1  List of ejabberd Commands

      ejabberd includes a few ejabberd Commands by default. +

      4.2.1  List of ejabberd Commands

      ejabberd includes a few ejabberd Commands by default. When more modules are installed, new commands may be available in the frontends.

      The easiest way to get a list of the available commands, and get help for them is to use the ejabberdctl script:

      $ ejabberdctl help
      @@ -3356,7 +3427,7 @@ This is not recommended for big databases, as it will consume much time,
       memory and processor. In that case it’s preferable to use backup and install_fallback.
       
      import_piefxis, export_piefxis, export_piefxis_host
      These options can be used to migrate accounts -using XEP-0227 formatted XML files +using XEP-0227 formatted XML files from/to other Jabber/XMPP servers or move users of a vhost to another ejabberd installation. See also @@ -3371,7 +3442,7 @@ There exist tutorials to in offline storage. This might be useful when the number of offline messages is very high.

      -

      4.2.2  Restrict Execution with AccessCommands

      The frontends can be configured to restrict access to certain commands. +

      4.2.2  Restrict Execution with AccessCommands

      The frontends can be configured to restrict access to certain commands. In that case, authentication information must be provided. In each frontend the AccessCommands option is defined in a different place. But in all cases the option syntax is the same: @@ -3417,7 +3488,7 @@ and the provided arguments do not contradict Arguments.

      As an example to u {_bot_reg_test, [register, unregister], [{host, "test.org"}]} ]

      -

      4.3  Web Admin

      +

      4.3  Web Admin

      The ejabberd Web Admin allows to administer most of ejabberd using a web browser.

      This feature is enabled by default: a ejabberd_http listener with the option web_admin (see section 3.1.3) is included in the listening ports. Then you can open @@ -3489,13 +3560,13 @@ The file is searched by default in The directory of the documentation can be specified in the environment variable EJABBERD_DOC_PATH. See section 4.1.2.

      -

      4.4  Ad-hoc Commands

      If you enable mod_configure and mod_adhoc, +

      4.4  Ad-hoc Commands

      If you enable mod_configure and mod_adhoc, you can perform several administrative tasks in ejabberd with a Jabber client. -The client must support Ad-Hoc Commands (XEP-0050), +The client must support Ad-Hoc Commands (XEP-0050), and you must login in the Jabber server with an account with proper privileges.

      -

      4.5  Change Computer Hostname

      ejabberd uses the distributed Mnesia database. +

      4.5  Change Computer Hostname

      ejabberd uses the distributed Mnesia database. Being distributed, Mnesia enforces consistency of its file, so it stores the name of the Erlang node in it (see section 5.4). The name of an Erlang node includes the hostname of the computer. @@ -3532,8 +3603,8 @@ mv /var/lib/ejabberd/*.* /var/lib/ejabberd/oldfiles/

    18. Check that the information of the old database is available: accounts, rosters... After you finish, remember to delete the temporary backup files from public directories.

    -

    Chapter 5  Securing ejabberd

    -

    5.1  Firewall Settings

    +

    Chapter 5  Securing ejabberd

    +

    5.1  Firewall Settings

    You need to take the following TCP ports in mind when configuring your firewall:


    @@ -3544,7 +3615,7 @@ After you finish, remember to delete the temporary backup files from public dire
    PortDescription
    port rangeUsed for connections between Erlang nodes. This range is configurable (see section 5.2).

    -

    5.2  epmd

    epmd (Erlang Port Mapper Daemon) +

    5.2  epmd

    epmd (Erlang Port Mapper Daemon) is a small name server included in Erlang/OTP and used by Erlang programs when establishing distributed Erlang communications. ejabberd needs epmd to use ejabberdctl and also when clustering ejabberd nodes. @@ -3569,7 +3640,7 @@ but can be configured in the file ejabberdctl.cfg. The Erlang command-line parameter used internally is, for example:

    erl ... -kernel inet_dist_listen_min 4370 inet_dist_listen_max 4375
     

    -

    5.3  Erlang Cookie

    The Erlang cookie is a string with numbers and letters. +

    5.3  Erlang Cookie

    The Erlang cookie is a string with numbers and letters. An Erlang node reads the cookie at startup from the command-line parameter -setcookie. If not indicated, the cookie is read from the cookie file $HOME/.erlang.cookie. If this file does not exist, it is created immediately with a random cookie. @@ -3583,7 +3654,7 @@ to prevent unauthorized access or intrusion to an Erlang node. The communication between Erlang nodes are not encrypted, so the cookie could be read sniffing the traffic on the network. The recommended way to secure the Erlang node is to block the port 4369.

    -

    5.4  Erlang Node Name

    An Erlang node may have a node name. +

    5.4  Erlang Node Name

    An Erlang node may have a node name. The name can be short (if indicated with the command-line parameter -sname) or long (if indicated with the parameter -name). Starting an Erlang node with -sname limits the communication between Erlang nodes to the LAN.

    Using the option -sname instead of -name is a simple method @@ -3592,7 +3663,7 @@ However, it is not ultimately effective to prevent access to the Erlang node, because it may be possible to fake the fact that you are on another network using a modified version of Erlang epmd. The recommended way to secure the Erlang node is to block the port 4369.

    -

    5.5  Securing Sensible Files

    ejabberd stores sensible data in the file system either in plain text or binary files. +

    5.5  Securing Sensible Files

    ejabberd stores sensible data in the file system either in plain text or binary files. The file system permissions should be set to only allow the proper user to read, write and execute those files and directories.

    ejabberd configuration file: /etc/ejabberd/ejabberd.cfg
    @@ -3612,9 +3683,9 @@ so it is preferable to secure the whole /var/lib/ejabberd/ directory.
    Erlang cookie file: /var/lib/ejabberd/.erlang.cookie
    See section 5.3.

    -

    Chapter 6  Clustering

    +

    Chapter 6  Clustering

    -

    6.1  How it Works

    +

    6.1  How it Works

    A Jabber domain is served by one or more ejabberd nodes. These nodes can be run on different machines that are connected via a network. They all must have the ability to connect to port 4369 of all another nodes, and must @@ -3628,29 +3699,29 @@ router,

  • session manager,
  • s2s manager.
  • -

    6.1.1  Router

    +

    6.1.1  Router

    This module is the main router of Jabber packets on each node. It routes them based on their destination’s domains. It uses a global routing table. The domain of the packet’s destination is searched in the routing table, and if it is found, the packet is routed to the appropriate process. If not, it is sent to the s2s manager.

    -

    6.1.2  Local Router

    +

    6.1.2  Local Router

    This module routes packets which have a destination domain equal to one of this server’s host names. If the destination JID has a non-empty user part, it is routed to the session manager, otherwise it is processed depending on its content.

    -

    6.1.3  Session Manager

    +

    6.1.3  Session Manager

    This module routes packets to local users. It looks up to which user resource a packet must be sent via a presence table. Then the packet is either routed to the appropriate c2s process, or stored in offline storage, or bounced back.

    -

    6.1.4  s2s Manager

    +

    6.1.4  s2s Manager

    This module routes packets to other Jabber servers. First, it checks if an opened s2s connection from the domain of the packet’s source to the domain of the packet’s destination exists. If that is the case, the s2s manager routes the packet to the process serving this connection, otherwise a new connection is opened.

    -

    6.2  Clustering Setup

    +

    6.2  Clustering Setup

    Suppose you already configured ejabberd on one machine named (first), and you need to setup another one to make an ejabberd cluster. Then do following steps:

    1. @@ -3684,14 +3755,14 @@ the Erlang shell. This probably can take some time if Mnesia has not yet transfered and processed all data it needed from first.
    2. Now run ejabberd on second with a configuration similar as on first: you probably do not need to duplicate ‘acl’ and ‘access’ options because they will be taken from -first. If you installed mod_irc, notice that it should be +first; and mod_irc should be enabled only on one machine in the cluster.

    You can repeat these steps for other machines supposed to serve this domain.

    -

    6.3  Service Load-Balancing

    +

    6.3  Service Load-Balancing

    -

    6.3.1  Components Load-Balancing

    -

    6.3.2  Domain Load-Balancing Algorithm

    +

    6.3.1  Components Load-Balancing

    +

    6.3.2  Domain Load-Balancing Algorithm

    ejabberd includes an algorithm to load balance the components that are plugged on an ejabberd cluster. It means that you can plug one or several instances of the same component on each ejabberd cluster and that the traffic will be automatically distributed.

    The default distribution algorithm try to deliver to a local instance of a component. If several local instances are available, one instance is chosen randomly. If no instance is available locally, one instance is chosen randomly among the remote component instances.

    If you need a different behaviour, you can change the load balancing behaviour with the option domain_balancing. The syntax of the option is the following:

    {domain_balancing, "component.example.com", <balancing_criterium>}.
     

    Several balancing criteria are available:

    • @@ -3700,13 +3771,13 @@ domain.

      -

      6.3.3  Load-Balancing Buckets

      +

      6.3.3  Load-Balancing Buckets

      When there is a risk of failure for a given component, domain balancing can cause service trouble. If one component is failing the service will not work correctly unless the sessions are rebalanced.

      In this case, it is best to limit the problem to the sessions handled by the failing component. This is what the domain_balancing_component_number option does, making the load balancing algorithm not dynamic, but sticky on a fix number of component instances.

      The syntax is the following:

      {domain_balancing_component_number, "component.example.com", N}
       

      -

      Chapter 7  Debugging

      +

      Chapter 7  Debugging

      -

      7.1  Log Files

      An ejabberd node writes two log files: +

      7.1  Log Files

      An ejabberd node writes two log files:

      ejabberd.log
      is the ejabberd service log, with the messages reported by ejabberd code
      sasl.log
      is the Erlang/OTP system log, with the messages reported by Erlang/OTP using SASL (System Architecture Support Libraries) @@ -3728,12 +3799,12 @@ The ejabberdctl command reopen-log (please refer to section 4.1.1) reopens the log files, and also renames the old ones if you didn’t rename them.

      -

      7.2  Debug Console

      The Debug Console is an Erlang shell attached to an already running ejabberd server. +

      7.2  Debug Console

      The Debug Console is an Erlang shell attached to an already running ejabberd server. With this Erlang shell, an experienced administrator can perform complex tasks.

      This shell gives complete control over the ejabberd server, so it is important to use it with extremely care. There are some simple and safe examples in the article Interconnecting Erlang Nodes

      To exit the shell, close the window or press the keys: control+c control+c.

      -

      7.3  Watchdog Alerts

      +

      7.3  Watchdog Alerts

      ejabberd includes a watchdog mechanism that may be useful to developers when troubleshooting a problem related to memory usage. If a process in the ejabberd server consumes more memory than the configured threshold, @@ -3751,7 +3822,7 @@ or in a conversation with the watchdog alert bot.

      Example configuration: To remove all watchdog admins, set the option with an empty list:

      {watchdog_admins, []}.
       

      -

      Appendix A  Internationalization and Localization

      +

      Appendix A  Internationalization and Localization

      The source code of ejabberd supports localization. The translators can edit the gettext .po files @@ -3786,9 +3857,9 @@ HTTP header ‘Accept-Language: ru’


      -

      Appendix B  Release Notes

      +

      Appendix B  Release Notes

      Release notes are available from ejabberd Home Page

      -

      Appendix C  Acknowledgements

      Thanks to all people who contributed to this guide: +

      Appendix C  Acknowledgements

      Thanks to all people who contributed to this guide:

      -

      Appendix D  Copyright Information

      Ejabberd Installation and Operation Guide.
      +

      Appendix D  Copyright Information

      Ejabberd Installation and Operation Guide.
      Copyright © 2003 — 2009 ProcessOne

      This document is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 diff --git a/doc/guide.tex b/doc/guide.tex index cc703fccc..f21af0e4e 100644 --- a/doc/guide.tex +++ b/doc/guide.tex @@ -720,11 +720,11 @@ other different modules for some specific virtual hosts: \makesubsection{listened}{Listening Ports} \ind{options!listen} -The option \option{listen} defines for which addresses and ports \ejabberd{} +The option \option{listen} defines for which ports, addresses and network protocols \ejabberd{} will listen and what services will be run on them. Each element of the list is a tuple with the following elements: \begin{itemize} -\item Port number. Optionally also the IP address. +\item Port number. Optionally also the IP address and/or a transport protocol. \item Listening module that serves this port. \item Options for the TCP socket and for the listening module. \end{itemize} @@ -742,10 +742,12 @@ With the basic syntax the ports will listen on all IPv4 network addresses: It is possible to specify the IP address for a port using the full syntax: \begin{verbatim} {{, }, , []} + {{, }, , []} + {{, , }, , []} \end{verbatim} -\makesubsubsection{listened-port}{Port Number and IP Address} +\makesubsubsection{listened-port}{Port Number, IP Address and Transport Protocol} The port number defines which port to listen for incoming connections. It can be a Jabber/XMPP standard port @@ -769,6 +771,9 @@ Some example values for IP address: \item \verb|{16#fdca, 16#8ab6, 16#a243, 16#75ef, 0, 0, 0, 1}| is the IPv6 address \verb|FDCA:8AB6:A243:75EF::1/128| \end{itemize} +The transport protocol can be \term{tcp} or \term{udp}. +Default is \term{tcp}. + \makesubsubsection{listened-module}{Listening Module} @@ -789,6 +794,10 @@ The available modules, their purpose and the options allowed by each one are: (as defined in the Jabber Component Protocol (\xepref{0114}).\\ Options: \texttt{access}, \texttt{hosts}, \texttt{shaper}, \texttt{service\_check\_from} + \titem{\texttt{ejabberd\_stun}} + Handles STUN Binding requests as defined in + \footahref{http://tools.ietf.org/html/rfc5389}{RFC 5389}.\\ + Options: \texttt{certfile} \titem{\texttt{ejabberd\_http}} Handles incoming HTTP connections.\\ Options: \texttt{captcha}, \texttt{certfile}, \texttt{http\_bind}, \texttt{http\_poll}, @@ -944,6 +953,7 @@ However, the c2s and s2s connections to the domain \term{example.com} use the fi and also allows plain connections for old clients. \item Port 5223 listens for c2s connections with the old SSL. \item Port 5269 listens for s2s connections with STARTTLS. The socket is set for IPv6 instead of IPv4. +\item Port 3478 listens for STUN requests over UDP. \item Port 5280 listens for HTTP requests, and serves the HTTP Poll service. \item Port 5281 listens for HTTP requests, and serves the Web Admin using HTTPS as explained in section~\ref{webadmin}. The socket only listens connections to the IP address 127.0.0.1. @@ -968,6 +978,7 @@ However, the c2s and s2s connections to the domain \term{example.com} use the fi {shaper, s2s_shaper}, {max_stanza_size, 131072} ]}, + {{3478, udp}, ejabberd_stun, []}, {5280, ejabberd_http, [ http_poll ]}, @@ -1548,6 +1559,45 @@ Example configuration: ]}. \end{verbatim} +\makesubsection{stun}{STUN} +\ind{options!stun}\ind{stun} + +\ejabberd{} is able to act as a stand-alone STUN server +(\footahref{http://tools.ietf.org/html/rfc5389}{RFC 5389}). Currently only Binding usage +is supported. In that role \ejabberd{} helps clients with Jingle ICE (\xepref{0176}) support to discover their external addresses and ports. + +You should configure \term{ejabberd\_stun} listening module as described in \ref{listened} section. +If \option{certfile} option is defined, \ejabberd{} multiplexes TCP and +TLS over TCP connections on the same port. Obviously, \option{certfile} option +is defined for \term{tcp} only. Note however that TCP or TLS over TCP +support is not required for Binding usage and is reserved for +\footahref{http://tools.ietf.org/html/draft-ietf-behave-turn-16}{TURN} +functionality. Feel free to configure \term{udp} transport only. + +Example configuration: +\begin{verbatim} +{listen, + [ + ... + {{3478, udp}, ejabberd_stun, []}, + {3478, ejabberd_stun, []}, + {5349, ejabberd_stun, [{certfile, "/etc/ejabberd/server.pem"}]}, + ... + ] +}. +\end{verbatim} + +You also need to configure DNS SRV records properly so clients can easily discover a +STUN server serving your XMPP domain. Refer to section +\footahref{http://tools.ietf.org/html/rfc5389\#section-9}{DNS Discovery of a Server} +of \footahref{http://tools.ietf.org/html/rfc5389}{RFC 5389} for details. + +Example DNS SRV configuration: +\begin{verbatim} +_stun._udp IN SRV 0 0 3478 stun.example.com. +_stun._tcp IN SRV 0 0 3478 stun.example.com. +_stuns._tcp IN SRV 0 0 5349 stun.example.com. +\end{verbatim} \makesubsection{includeconfigfile}{Include Additional Configuration Files} \ind{options!includeconfigfile}\ind{includeconfigfile} diff --git a/src/ejabberd.cfg.example b/src/ejabberd.cfg.example index a23b714be..a083613a1 100644 --- a/src/ejabberd.cfg.example +++ b/src/ejabberd.cfg.example @@ -149,6 +149,11 @@ %% } %% ]}, + %% + %% ejabberd_stun: Handles STUN Binding requests + %% + %%{{3478, udp}, ejabberd_stun, []}, + {5280, ejabberd_http, [ %%{request_handlers, %% [