Bob Mottram 11 years ago
parent
commit
c1398649d2
1 changed file with 68 additions and 1 deletion
beaglebone.txt

@@ -1026,12 +1026,13 @@ The Apache configuration for the site should look something like the following.
1026 1026
     SSLProtocol All -SSLv2 -SSLv3
1027 1027
     SSLHonorCipherOrder On
1028 1028
     SSLCompression off
1029
+    SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
1030
+
1029 1031
     # Add six earth month HSTS header for all users ...
1030 1032
     Header add Strict-Transport-Security "max-age=15768000"
1031 1033
     # If you want to protect all subdomains , use the following header
1032 1034
     # ALL subdomains HAVE TO support https if you use this !
1033 1035
     # Strict-Transport-Security: max-age=15768000 ; includeSubDomains
1034
-    # SSLCipherSuite ’EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA’
1035 1036
 
1036 1037
 	#   SSL Engine Options:
1037 1038
 	#   Set various options for the SSL engine.
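Review bot: the new `SSLCipherSuite` line contains `+SSLv3`, which in OpenSSL cipher-list syntax is a sort keyword (move the SSLv3-era suites to the end of the list), not a protocol switch, so it does not undo the `SSLProtocol All -SSLv2 -SSLv3` two lines above; a short comment saying so would stop readers from "fixing" it. The trailing `CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA` entries are static-RSA CBC suites with no forward secrecy kept as a fallback for old clients; with `SSLHonorCipherOrder On` they are only reached last, but the trade-off deserves a comment next to the line. Dropping the commented-out copy with the typographic quotes `’...’` is correct, since those quotes would not have parsed as an Apache directive value.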
@@ -1892,6 +1893,71 @@ It should look something like this:
1892 1893
 
1893 1894
 If you're not using a self-signed certificate (self-signed is the default) then you can set *ssl_verify* to "yes".
1894 1895
 
1896
+** Install a Jabber/XMPP server
1897
+*** The Server
1898
+
1899
+Generate a SSL certificate.
1900
+
1901
+#+BEGIN_SRC: bash
1902
+openssl ecparam -out /etc/ssl/private/xmpp.pem -name prime256v1
1903
+openssl genpkey -paramfile /etc/ssl/private/xmpp.pem -out /etc/ssl/private/xmpp.key
1904
+openssl req -new -x509 -key /etc/ssl/private/xmpp.key -out /etc/ssl/certs/xmpp.crt -days 3650
1905
+#+END_SRC
1906
+
1907
+The above uses a Diffie-Hellman elliptic curve (ECDH P-256) algorithm.  It is apparent that amongst crypographers there are differences of opinion about the security of elliptic curves, so if you prefer there is also a more traditional RSA way to generate an SSL certificate:
1908
+
1909
+#+BEGIN_SRC: bash
1910
+openssl genrsa -out /etc/ssl/private/xmpp.key 4096
1911
+openssl req -new -x509 -key /etc/ssl/private/xmpp.key -out /etc/ssl/certs/xmpp.crt -days 3650
1912
+#+END_SRC
1913
+
1914
+Install Prosody.
1915
+
1916
+#+BEGIN_SRC: bash
1917
+apt-get install prosody
1918
+cp -a /etc/prosody/conf.avail/example.com.cfg.lua /etc/prosody/conf.avail/xmpp.cfg.lua
1919
+emacs /etc/prosody/conf.avail/.cfg.lua
1920
+#+END_SRC
1921
+
1922
+Change the *VirtualHost* name to your domain name and remove the line below it.
1923
+
1924
+Set the ssl section to:
1925
+
1926
+#+BEGIN_SRC: bash
1927
+	ssl = {
1928
+		key = "/etc/ssl/private/xmpp.key";
1929
+		certificate = "/etc/ssl/certs/xmpp.crt";
1930
+		}
1931
+#+END_SRC
1932
+
1933
+Save and exit.  Create a symbolic link.
1934
+
1935
+#+BEGIN_SRC: bash
1936
+ln -sf /etc/prosody/conf.avail/xmpp.cfg.lua /etc/prosody/conf.d/xmpp.cfg.lua
1937
+#+END_SRC
1938
+
1939
+Add a user.  You will be prompted to specify a password.  You can repeat the process for as many users as needed.
1940
+
1941
+#+BEGIN_SRC: bash
1942
+prosodyctl adduser myusername@mydomainname.com
1943
+#+END_SRC
1944
+
1945
+Restart the server
1946
+
1947
+#+BEGIN_SRC: bash
1948
+service prosody restart
1949
+#+END_SRC
1950
+
1951
+On your internet router/firewall open ports 5222 and 5223 and forward them to the BBB.
1952
+
1953
+It's possible to test that your XMPP server is working at https://xmpp.net.  It may take several minutes and you'll get a low score because of the self-signed certificate, but it will at least verify that your server is capable of communicating.
1954
+
1955
+*** Using it with Ubuntu
1956
+Open *System Settings* and select *Online Accounts*, *Add account*  and then *Jabber*.
1957
+
1958
+Enter your username (myusername@mydomainname.com) and password.
1959
+
1960
+Click on *Advanced* and make sure that *Encryption required* and *Ignore SSL certificate errors* are checked.  Ignoring the certificate errors will allow you to use the self-signed certificate created earlier.  Then click *Done* and set your Jabber account and Empathy to *On*.
1895 1961
 ** Install Gopher
1896 1962
 Gopher is an old internet protocol which originated a few years before the web and is purely text based.  It can be quite fun to build a gopher site and browse the gopherverse.  One thing to keep in mind is that there is no security with gopher, so any text transmitted is trivially interceptable by systems such as [[https://en.wikipedia.org/wiki/XKeyscore][Xkeyscore]] or deep packet inspection.
1897 1963
 
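Review bot: the edit command in the Prosody install block opens the wrong file: `emacs /etc/prosody/conf.avail/.cfg.lua` is missing the `xmpp` stem, so it does not open the `xmpp.cfg.lua` that the `cp -a` line just above it created; it should read `emacs /etc/prosody/conf.avail/xmpp.cfg.lua`. Further points on this hunk: the prose calls the key produced by `openssl ecparam ... -name prime256v1` "a Diffie-Hellman elliptic curve (ECDH P-256) algorithm", but what `req -new -x509` signs with is an ECDSA key on P-256, and ECDH is the key exchange rather than the certificate algorithm ("crypographers" is also a typo). Prosody runs as its own unprivileged user and `/etc/ssl/private/` is root-only by default on Debian, so the `ssl = { key = "/etc/ssl/private/xmpp.key"; ... }` section needs a sentence on making the key readable by that user, or on placing the files under `/etc/prosody/certs/`, otherwise TLS will fail to load after the restart. The firewall step opens 5222 and 5223 only; server-to-server federation also needs 5269, so either state that federation is out of scope or add that port. Lastly, instructing users to tick "Ignore SSL certificate errors" switches off certificate verification for that account entirely; importing the self-signed `xmpp.crt` as a trusted certificate on the client would keep verification while still accepting the certificate generated above, and at minimum the trade-off should be stated.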
@@ -2420,6 +2486,7 @@ The following ports on your internet router/firewall should be forwarded to the
2420 2486
 | SMTP     |         25 |
2421 2487
 | SMTPS    |        465 |
2422 2488
 | SSH      |         22 |
2489
+| XMPP     | 5222..5223 |
2423 2490
 
2424 2491
 * Hints and Tips
2425 2492
 ** Messaging security
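Review bot: the new `| XMPP     | 5222..5223 |` row matches the text of the XMPP section, but 5223 is the legacy SSL-on-connect port, which Prosody only listens on when legacy SSL ports are explicitly configured, and the section above does not configure them; either list 5222 alone or add that configuration. If server-to-server federation is intended, a row for 5269 is needed here as well.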