
Background information

Operating System: Debian stable (9.6)

ejabberd version: 18.09-2 (from backports)

My configuration is based on https://gitlab.com/hanno/ejabberd-config (I changed my real url to example.com)

```yaml
# _%%_ Ejabberd config from schokokeks.org XMPP server.
# _%%_ We try to enable modern XMPP features and document to which XEP
# _%%_ they relate.
# _%%_ We also use a modern and secure TLS configuration where possible.

define_macro:
  'CIPHERS': "HIGH:!MEDIUM:!LOW:!3DES:!CAMELLIA:!aNULL:!RSA@STRENGTH"
  'TLSOPTS':
    - "no_sslv2"
    - "no_sslv3"
    - "cipher_server_preference"
  # generated with: openssl dhparam -out dhparams.pem 2048
  'DHFILE': "/etc/ejabberd/dh2048-ejabberd.pem"

certfiles:
  - "/etc/letsencrypt/live/*/fullchain.pem"
  - "/etc/letsencrypt/live/*/privkey.pem"

hosts:
  - "example.com"

access:
  announce:
    admin: allow
  c2s:
    blocked: deny
    all: allow
  c2s_shaper:
    admin: none
    all: normal
  local:
    local: allow
  max_user_offline_messages:
    admin: 5000
    all: 100
  max_user_sessions:
    all: 10
  muc:
    all: allow
  muc_admin:
    admin: allow
  muc_create:
    local: allow
  pubsub_createnode:
    all: allow
  register:
    # _%%_ Don't allow registration
    all: deny
  s2s_shaper:
    all: fast

acl:
  admin:
    user:
      - "kiigass": "example.com"
  local:
    user_regexp:
      - ""

# _%%_ We want internal authentication
auth_method:
  - mnesia
# _%%_ store passwords with scram hash method.
# _%%_ no DIGEST-MD5, needs plaintext storage of passwords.
auth_password_format: scram
disable_sasl_mechanisms: "DIGEST-MD5"

language: "en"

listen:
  - ip: "0.0.0.0"
    port: 5222
    module: ejabberd_c2s
    max_stanza_size: 65536
    shaper: c2s_shaper
    access: c2s
    # _%%_ DEPRECATED, uses mod_stream_mgmt
    # _%%_ XEP-0198, Stream Management
    # _%%_ Note: This is enabled by default, but we'd like to explicitly enable it
    # stream_management: true
    # _%%_ TLS compression is dangerous, see CRIME attack
    tls_compression: false
    # _%%_ Diffie Hellman parameters with 2048 bit, created with "openssl dhparam 2048"
    dhfile: 'DHFILE'
    # _%%_ We only want "HIGH" strength ciphers and explicitly disable
    # _%%_ 3DES (SWEET32 attack), RSA (no forward secrecy, Bleichenbacher attacks),
    # _%%_ CAMELLIA (unusual and not needed).
    ciphers: 'CIPHERS'
    # _%%_ We require STARTTLS for clients. No unencrypted logins
    starttls_required: true
    # certfile: "/etc/ejabberd/ejabberd.pem"
    # _%%_ Due to DROWN (SSLv2) and POODLE (SSLv3) all old SSL versions are considered insecure
    protocol_options: 'TLSOPTS'
  - ip: "0.0.0.0"
    port: 5269
    module: ejabberd_s2s_in
    max_stanza_size: 131072
    shaper: s2s_shaper
    protocol_options: 'TLSOPTS'
  - port: 5280
    module: ejabberd_http
    web_admin: true
    http_bind: true
    captcha: true
  # _%%_ XEP-0363, HTTP File Upload
  # _%%_ Note: This only opens the port, further below is the module config itself
  - port: 5443
    module: ejabberd_http
    tls: true
    # certfile: "/etc/ejabberd/ejabberd.pem"
    # _%%_ See comments above for justification of TLS options
    tls_compression: false
    dhfile: 'DHFILE'
    ciphers: 'CIPHERS'
    protocol_options: 'TLSOPTS'
    request_handlers:
      "": mod_http_upload

loglevel: 4
max_fsm_queue: 1000

modules:
  mod_admin_extra: []
  mod_adhoc: []
  mod_announce:
    access: announce
  # _%%_ XEP-0115, Entity Capabilities
  mod_caps: []
  # XEP-0157
  mod_disco:
    server_info:
      - modules: all
        name: "abuse-addresses"
        urls: ["mailto:[email protected]"]
      - modules: all
        name: "security-addresses"
        urls: ["mailto:[email protected]"]
  mod_bosh: []
  mod_last: []
  # _%%_ XEP-0045, Multi-User Chat (MUC)
  mod_muc:
    access: muc
    access_create: muc_create
    access_persistent: muc_create
    access_admin: muc_admin
  mod_offline:
    access_max_user_messages: max_user_offline_messages
  mod_ping:
    send_pings: true
    ping_interval: 10
    ping_ack_timeout: 5
    timeout_action: kill
  mod_privacy: []
  mod_private: []
  # _%%_ XEP-0065, SOCKS5 Bytestreams (Proxy)
  mod_proxy65:
    host: "proxy65.example.com"
    hostname: "proxy65.example.com"
    ip: "0.0.0.0"
    port: 7777
  mod_pubsub:
    access_createnode: pubsub_createnode
    ignore_pep_from_offline: false
    last_item_cache: true
    plugins:
      - "flat"
      - "hometree"
      # _%%_ XEP-0163, Personal Eventing Protocol (PEP), needed for Avatars / OMEMO
      - "pep"
  # _%%_ XEP-0237, Roster Versioning
  mod_roster:
    versioning: true
  mod_shared_roster: []
  mod_stats: []
  # _%%_ XEP-0198, Stream Management
  # _%%_ Note: This is enabled by default, but we'd like to explicitly enable it
  mod_stream_mgmt:
    max_resume_timeout: 30
    resend_on_timeout: if_offline
    resume_timeout: 30
    ack_timeout: 30
  mod_time: []
  mod_vcard: []
  mod_version: []
  # _%%_ XEP-0313, Message Archive Management (MAM)
  mod_mam:
    default: always
    assume_mam_usage: true
  # _%%_ XEP-0191, Blocking Command
  mod_blocking: []
  # _%%_ XEP-0352, Client State Indicator
  mod_client_state: []
  # _%%_ XEP-0280, Message Carbons
  mod_carboncopy: []
  # _%%_ XEP-0363, HTTP File Upload
  # _%%_ This is the configuration for the module, port config above.
  mod_http_upload:
    # _%%_ With this configuration for each domain name there must be a subdirectory
    # _%%_ in the docroot, e.g. /var/ejabberd-http-upload/example.org/
    thumbnail: false
    docroot: "/var/ejabberd-http-upload/"
    put_url: "https://example.com:5443/@HOST@"
  mod_s2s_dialback: []
  mod_legacy_auth: []

shaper:
  normal: 1000
  fast: 50000

# _%%_ TLS settings for s2s communication
s2s_use_starttls: required
#s2s_certfile: "/etc/ejabberd/ejabberd.pem"
s2s_dhfile: 'DHFILE'
# _%%_ For s2s we allow RSA key exchange for more compatibility
s2s_ciphers: 'CIPHERS'
```

Problem

When I try to connect to https://example.com:5280/ or https://example.com:5280/admin/ I get from Firefox:

Secure Connection Failed

The connection to example.com:5280 was interrupted while the page was loading.

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

Please contact the website owners to inform them of this problem.

When I watch /var/log/ejabberd/ejabberd.log (tail -f) at the same time I get:

2018-12-09 13:24:32.021 [info] <0.353.0>@ejabberd_listener:accept:221 (<0.479.0>) Accepted connection x.x.x.x:7048 -> x.x.y.y:5280

Question

What did I misconfigure and how shall I configure it to make it work?

1 Answer

The solution is that one has to define `tls: true` explicitly. I also chose to set `tls_compression` to false (CRIME attack).

The working config is:

```yaml
port: 5280
module: ejabberd_http
web_admin: true
http_bind: true
captcha: true
tls: true
tls_compression: false
```

(I added the last two lines).
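The probe below is an added example, not code from the question or the answer. It shows at the socket level what Firefox reported: a TLS ClientHello sent to an `ejabberd_http` listener that lacks `tls: true` is answered with plain HTTP (or with nothing at all), so the handshake never completes and the browser reports the connection as interrupted. The probe is run against a throwaway plain-HTTP server on loopback as a stand-in for the 5280 listener; the listener dicts are constructed from the two `ejabberd_http` entries in the question, in the shape that parsing the `listen:` list of ejabberd.yml (for example with `yaml.safe_load`) would give, which is an assumption made here rather than anything the page states. `plaintext_admin_listeners` flags every `ejabberd_http` listener that enables `web_admin` without `tls: true`, which is the misconfiguration the answer corrects.

```python
"""Probe whether a TCP port actually completes a TLS handshake, and lint
ejabberd_http listeners for an admin UI served without TLS.

Added example, not part of the original question or answer. Hostnames,
ports and the listener dicts below are constructed for this example.
"""
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def probe_tls(host, port, timeout=3.0):
    """Classify a port as 'tls' (handshake completed), 'refused' (nothing is
    listening) or 'no_tls' (the peer answered the ClientHello with non-TLS
    bytes, closed the connection, or never sent a ServerHello before the
    timeout).  This is the question "does this port speak TLS at all?", so
    certificate validation is deliberately switched off here."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # wrap_socket performs the handshake immediately
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        # ssl.SSLError 'wrong version number': the listener parsed our
        # ClientHello as an HTTP request and replied with an HTTP status line.
        # socket.timeout / reset: the listener read the ClientHello and never
        # answered.  Both are the "Secure Connection Failed" case.
        return "no_tls"


def plaintext_admin_listeners(listen):
    """Return the ports of ejabberd_http listeners that expose web_admin but
    do not set tls: true.  `listen` is a list of mappings, one per listener,
    as the `listen:` section of ejabberd.yml parses to (assumption)."""
    return [
        entry["port"]
        for entry in listen
        if entry.get("module") == "ejabberd_http"
        and entry.get("web_admin") is True
        and entry.get("tls") is not True
    ]


# Constructed from the two ejabberd_http listeners in the question.
LISTEN_BEFORE = [
    {"port": 5280, "module": "ejabberd_http", "web_admin": True,
     "http_bind": True, "captcha": True},
    {"port": 5443, "module": "ejabberd_http", "tls": True,
     "tls_compression": False},
]
# The same listeners after applying the answer's fix to port 5280.
LISTEN_AFTER = [dict(LISTEN_BEFORE[0], tls=True, tls_compression=False),
                LISTEN_BEFORE[1]]


class _QuietHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):
        pass


class _QuietServer(ThreadingHTTPServer):
    daemon_threads = True

    def handle_error(self, request, client_address):
        # A ClientHello is not a valid request line; suppress the traceback
        # the handler would otherwise print for it.
        pass


def start_plaintext_http_server():
    """Local stand-in for the misconfigured 5280 listener: HTTP without TLS."""
    srv = _QuietServer(("127.0.0.1", 0), _QuietHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def unused_port():
    """A loopback port nothing is listening on (bound and released)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_plaintext_http_server()
    try:
        print("plain-HTTP listener:", probe_tls("127.0.0.1", port))  # no_tls
    finally:
        srv.shutdown()
        srv.server_close()
    print("closed port:", probe_tls("127.0.0.1", unused_port()))     # refused
    print("before fix:", plaintext_admin_listeners(LISTEN_BEFORE))   # [5280]
    print("after fix: ", plaintext_admin_listeners(LISTEN_AFTER))    # []
```

Pointing `probe_tls` at the real server (`probe_tls("example.com", 5280)`) before and after the config change gives `no_tls` and then `tls`; the lint is the cheaper check to run on every deploy, since a plaintext `web_admin` listener also means the admin password would cross the network unencrypted.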
