明天就是let’s encrypt公測的日子了，你準備好了嗎?
先別管這個了，你有聽過安麗加密貓(cryptocat)嗎?
這是一款ISIS都愛用的加密通訊軟體(我說真的)，它那強大的保密功能真的不是蓋的
一般來說，用官方提供的伺服器就可以了(官方有提供兩個伺服，一個是是一般網路用的，另一個是給匿名網路(tor)用的)
但你有想過用自己手邊的伺服器(linux主機)架設一個嗎?沒有，因為你只想到你自己
那麼今天我就來翻譯一下官方提供的伺服架設指南吧

————————–不專業分割線————————–

原文教學指南:https://github.com/cryptocat/cryptocat/wiki/Server-Deployment-Instructions

伺服器部屬說明

部屬加密貓(Cryptocat)伺服器允許你維護自己的加密貓(Cryptocat)對話，而不經由crypto.cat(註:官方對話服務伺服器)。我們的伺服器非常的可靠，我們邀請每個人使用它，但架設屬於自己的對話服務伺服器也是件很酷的事呢!:-)

概觀

你基本上只需要架設一個有MUC (XEP-0045)和帶內註冊(In-Band Registration)(XEP-0077)的XMPP-BOSH伺服器，然後還要有個HTTPS的代理伺服，針對上述需求，我們推薦以下的伺服器組合:

ejabberd :建立XMPP-BOSH伺服器
nginx :HTTPS代理伺服器

連線到自定義伺服器

要連接到加密貓(Cryptocat)的自定義伺服器，只需在登入介面按下”Custom servers”

配置文件

這些配置文件非常方便，我們提供的配置都非常接近我們現在所使用的配置

Ejabberd需要被調整成有MUC和帶內註冊(In-Band Registration)的XMPP-BOSH伺服器，XMPP-BOSH伺服器不可以被網際網路存取，我們將使用nginx作為HTTPS代理伺服器，使用HTTPS將請求轉發至內部的BOSH伺服器。

Ejabberd的配置(ejabberd.cfg)

這項配置將會設置XMPP服務在 host.name 上，MUC服務在 conference.host.name 上，BOSH伺服器會監聽 localhost:5280 。別忘記變更 host.name 為你的主機(域名)名稱，並使用有效的ssl憑證(路徑: /etc/ejabberd/ejabberd.pem )

%% Hostname
{hosts, ["host.name"]}.

%% Logging
{loglevel, 0}.

%%% ===============
%%% LISTENING PORTS

{listen, [
    {5222, ejabberd_c2s, [
        {access, c2s},
        {shaper, c2s_shaper},
        {max_stanza_size, infinite},
        starttls_required,
        {certfile, "/etc/ejabberd/ejabberd.pem"},
        {ciphers, "HIGH:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1:!aNULL"}
    ]},
    {5280, ejabberd_http, [
        http_bind, http_poll
    ]}
 ]}.

%%
%% s2s_certfile: Specify a certificate file.
%%
{s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.

%%% ==============
%%% AUTHENTICATION

{auth_method, [internal, anonymous]}.
{auth_password_format, scram}.

%%% ===============
%%% TRAFFIC SHAPERS

{shaper, normal, {maxrate, 500000000}}.
{shaper, fast, {maxrate, 500000000}}.

%%% ====================
%%% ACCESS CONTROL LISTS

{acl, local, {user_regexp, ""}}.

%%% ============
%%% ACCESS RULES

{access, max_user_sessions, [{10, all}]}.
{access, max_user_offline_messages, [{5000, admin}, {100, all}]}.
{access, c2s, [{deny, blocked}, {allow, all}]}.
{access, c2s_shaper, [{none, admin}, {normal, all}]}.
{access, s2s_shaper, [{fast, all}]}.
{access, announce, [{allow, admin}]}.
{access, configure, [{allow, admin}]}.
{access, muc_admin, [{allow, admin}]}.
{access, muc, [{allow, all}]}.
{access, register, [{allow, all}]}.
{registration_timeout, infinity}.

{language, "en"}.

%%% =======
%%% MODULES

{modules, [
    {mod_ping, []},
    {mod_http_bind, []},
    {mod_muc, [
        {host, "conference.@HOST@"},
        {access, muc},
        {history_size, 0},
        {access_create, muc},
        {access_persistent, muc_admin},
        {access_admin, muc_admin},
        {max_users, 9999},
        {default_room_options, [
            {allow_change_subj, false},
            {allow_private_messages, true},
            {allow_query_users, true},
            {allow_user_invites, false},
            {anonymous, true},
            {logging, false},
            {members_by_default, false},
            {members_only, false},
            {moderated, false},
            {password_protected, false},
            {persistent, false},
            {public, false},
            {public_list, false}
        ]}
    ]},
    {mod_register, [
        {welcome_message, {"Welcome!"}},
        {access, register}
    ]}
 ]}.

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

%% Hostname

{hosts, ["host.name"]}.

%% Logging

{loglevel, 0}.

%%% ===============

%%% LISTENING PORTS

{listen, [

{5222, ejabberd_c2s, [

{access, c2s},

{shaper, c2s_shaper},

{max_stanza_size, infinite},

starttls_required,

{certfile, "/etc/ejabberd/ejabberd.pem"},

{ciphers, "HIGH:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1:!aNULL"}

]},

{5280, ejabberd_http, [

http_bind, http_poll

]}

]}.

%% s2s_certfile: Specify a certificate file.

{s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.

%%% ==============

%%% AUTHENTICATION

{auth_method, [internal, anonymous]}.

{auth_password_format, scram}.

%%% ===============

%%% TRAFFIC SHAPERS

{shaper, normal, {maxrate, 500000000}}.

{shaper, fast, {maxrate, 500000000}}.

%%% ====================

%%% ACCESS CONTROL LISTS

{acl, local, {user_regexp, ""}}.

%%% ============

%%% ACCESS RULES

{access, max_user_sessions, [{10, all}]}.

{access, max_user_offline_messages, [{5000, admin}, {100, all}]}.

{access, c2s, [{deny, blocked}, {allow, all}]}.

{access, c2s_shaper, [{none, admin}, {normal, all}]}.

{access, s2s_shaper, [{fast, all}]}.

{access, announce, [{allow, admin}]}.

{access, configure, [{allow, admin}]}.

{access, muc_admin, [{allow, admin}]}.

{access, muc, [{allow, all}]}.

{access, register, [{allow, all}]}.

{registration_timeout, infinity}.

{language, "en"}.

%%% =======

%%% MODULES

{modules, [

{mod_ping, []},

{mod_http_bind, []},

{mod_muc, [

{host, "conference.@HOST@"},

{access, muc},

{history_size, 0},

{access_create, muc},

{access_persistent, muc_admin},

{access_admin, muc_admin},

{max_users, 9999},

{default_room_options, [

{allow_change_subj, false},

{allow_private_messages, true},

{allow_query_users, true},

{allow_user_invites, false},

{anonymous, true},

{logging, false},

{members_by_default, false},

{members_only, false},

{moderated, false},

{password_protected, false},

{persistent, false},

{public, false},

{public_list, false}

]}

]},

{mod_register, [

{welcome_message, {"Welcome!"}},

{access, register}

]}

]}.

Nginx的配置(nginx.conf)

這配置將會設定BOSH服務使用的HTTPS代理伺服器，你將會需要一個有效的SSL證書(憑證)。這項配置也會從 /etc/nginx/mime.types 載入 mime-types。

註:這項配置預設使用了嚴謹的通訊安全(HSTS)，如果你使用的是自行簽署的SSL證書(憑證)(不建議!)你需要將這行刪除 add_header Strict-Transport-Security max-age=31536000; 它出現兩次

worker_processes auto;
worker_rlimit_nofile 100000;
pid /var/run/nginx.pid;

events {
    worker_connections 2048;
    multi_accept on;
    use epoll;
}

http {
    include /etc/nginx/mime.types;
    sendfile on;
    tcp_nodelay on;
    tcp_nopush on;
    server_tokens off;
    access_log off;
    keepalive_timeout 20;
    client_header_timeout 20;
    client_body_timeout 20;
    reset_timedout_connection on;
    send_timeout 20;
    gzip on;
    gzip_disable "MSIE [1-6].(?!.*SV1)";

    server {
        listen 80;
        listen [::]:80 default ipv6only=on;

        add_header Strict-Transport-Security max-age=31536000;
        add_header X-Frame-Options SAMEORIGIN;

        location / {
            root /var/www;
            index index.html index.htm;
        }

        location /http-bind {
            proxy_buffering off;
            proxy_pass https://127.0.0.1:5280/http-bind;
        }
    }

    # HTTPS server
    server {
        listen 443 ssl spdy;

        add_header Strict-Transport-Security max-age=31536000;
        add_header X-Frame-Options SAMEORIGIN;

        ssl on;
        ssl_certificate /etc/ssl/certificate.crt;
        ssl_certificate_key /etc/ssl/certificate.key;

        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 5m;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA;
        ssl_prefer_server_ciphers on;

        location / {
            root /var/www;
            index index.html index.htm;
        }

        location /http-bind {
            proxy_buffering off;
            proxy_pass https://127.0.0.1:5280/http-bind;
        }
    }
}

worker_processes auto;

worker_rlimit_nofile 100000;

pid /var/run/nginx.pid;

events {

worker_connections 2048;

multi_accept on;

use epoll;

}

http {

include /etc/nginx/mime.types;

sendfile on;

tcp_nodelay on;

tcp_nopush on;

server_tokens off;

access_log off;

keepalive_timeout 20;

client_header_timeout 20;

client_body_timeout 20;

reset_timedout_connection on;

send_timeout 20;

gzip on;

gzip_disable "MSIE [1-6].(?!.*SV1)";

server {

listen 80;

listen [::]:80 default ipv6only=on;

add_header Strict-Transport-Security max-age=31536000;

add_header X-Frame-Options SAMEORIGIN;

location / {

root /var/www;

index index.html index.htm;

}

location /http-bind {

proxy_buffering off;

proxy_pass https://127.0.0.1:5280/http-bind;

}

# HTTPS server

server {

listen 443 ssl spdy;

add_header Strict-Transport-Security max-age=31536000;

add_header X-Frame-Options SAMEORIGIN;

ssl on;

ssl_certificate /etc/ssl/certificate.crt;

ssl_certificate_key /etc/ssl/certificate.key;

ssl_session_cache shared:SSL:10m;

ssl_session_timeout 5m;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA;

ssl_prefer_server_ciphers on;

location / {

root /var/www;

index index.html index.htm;

}

location /http-bind {

proxy_buffering off;

proxy_pass https://127.0.0.1:5280/http-bind;

}

————————–不專業分割線————————–

翻譯完拉~

有翻譯錯誤的地方請在下方留言中糾正我，我會很感謝你的

好啦我承認翻譯有一部分依靠google翻譯(不打自招

還有文中提到的「有效」SSL證書(憑證)是需要錢的，但是別擔心let’s encrypt即將在2015.12.03(不就是明天嗎!!)進行公測，到時候就可以去申請一份免費的ssl證書了~~(看看我強大的舖梗能力~~

好了不抬槓了，我們下篇文章見

#其實我一直想不到文章應該怎麼結尾才不會尷尬……

[翻譯]架設加密貓(CryptoCat)伺服器 – Linux篇

伺服器部屬說明

概觀

連線到自定義伺服器

配置文件

Ejabberd的配置(ejabberd.cfg)

Nginx的配置(nginx.conf)

近期文章

分類

近期迴響

彙整

其它