aboutsummaryrefslogtreecommitdiffstats
path: root/CHANGES
Commit message (Collapse)AuthorAgeFilesLines
* mod_http_file_share: Switch to the new authz API (BC)Kim Alvefur2023-09-161-0/+1
| | | | | | | | | Behavior change: It becomes up to the authorization module whether to allow requests. The default, mod_authz_internal, will allow users on the *parent* host only, breaking use by some components. Remaining question is whether to deprecate the `http_file_share_access` setting or leave as a way to complement/bypass access control?
* moduleapi: Add :get_option_integer()Kim Alvefur2023-07-171-0/+1
| | | | | | | Many options in Prosody that are treated as numbers don't make sense as floats, e.g. sizes and limits measured in bytes. Simplified implementation based on an earlier attempt dating back to 2020
* core.moduleapi: Add :get_option_period for parsing time intervalsKim Alvefur2023-07-161-0/+1
| | | | | E.g. for use in mod_mam and others that take an amount of time before some (usually cleanup) action is taken.
* core.moduleapi: Allow specifying an acceptable range for number optionsKim Alvefur2021-10-051-0/+1
|
* moduleapi: Add enum config option methodKim Alvefur2021-01-161-0/+4
| | | | For when a setting has a few fixed values it can take
* CHANGES: Move line about LuaSQLite3 to Storage sectionKim Alvefur2023-07-121-1/+1
|
* CHANGES: Mention performance improvements for internal archivesKim Alvefur2023-07-121-0/+1
| | | | | | Specifically the index and more efficient delete. These are however still in need of testing.
* mod_http: Make RFC 7239 Forwarded opt-in for now to be safeKim Alvefur2023-06-031-1/+1
| | | | | | | | | | | | | Supporting both methods at the same time may open to spoofing attacks, whereby a client sends a Forwarded header that is not stripped by a reverse proxy, leading Prosody to use that instead of the X-Forwarded-* headers actually sent by the proxy. By only supporting one at a time, it can be configured to match what the proxy uses. Disabled by default since implementations are sparse and X-Forwarded-* are everywhere.
* mod_http: Use RFC 7239 Forwarded header to find original client IPKim Alvefur2023-06-031-0/+1
| | | | | | | | | | | | | | Prefer over X-Forwarded-* since it has an actual specification. Main practical difference is that Forwarded may carry more properties than only the IP address since it is a structured header. Since we parse it into an array, it is easier to do the logical thing and iterate backwards trough proxies until an untrusted one is encountered. Compare the handling of X-Forwarded-For. The 'secure' field now accounts for the full chain of proxies, which must be secure all the way to be considered secure.
* CHANGES: The Great Rename-ning completed! #1223Kim Alvefur2023-03-171-0/+1
|
* CHANGES: Add keyval+Matthew Wild2023-03-211-0/+4
|
* CHANGES: Mention new ability to disable and enable user accountsKim Alvefur2023-02-231-0/+1
|
* mod_admin_shell: Add muc:affiliations(room) command to list membershipsKim Alvefur2023-01-291-1/+1
| | | | | Easier than going trough muc:room():each_affiliation() since you have to do fiddly things to reach the print() function.
* mod_admin_shell: Add muc:occupants(room) command to list occupantsKim Alvefur2023-01-291-0/+1
| | | | | Easier than going trough muc:room():each_occupant() since you have to do fiddly things to reach the print() function.
* mod_storage_sql: Support SQLite3 without LuaDBIKim Alvefur2023-01-191-0/+1
|
* mod_blocklist: Add option 'migrate_legacy_blocking' to disable migration ↵Kim Alvefur2022-10-171-0/+1
| | | | | | | | | | | | from mod_privacy Tiny performance improvement for new users by skipping this check. Most servers should have gone trough the migration for all active users long ago. As a suitable first step of phasing out this code, we make it possible to disable it first. Later it can be disabled by default, before finally the code is deleted.
* CHANGES: Update with MUC permission changesMatthew Wild2022-09-291-0/+10
|
* CHANGES: Add role authMatthew Wild2022-08-221-0/+1
|
* mod_time: Remove obsolete XEP-0090 supportKim Alvefur2022-08-151-0/+1
| | | | Deprecated even before Prosody even started, obsolete for over a decade.
* util.datetime: Add support for sub-second precision timestampsKim Alvefur2022-08-141-0/+4
| | | | | | Lua since 5.3 raises a fuss when time functions are handed a number with a fractional part and the underlying C functions are all based on integer seconds without support for more precision.
* mod_saslauth: Implement RFC 9266 'tls-exporter' channel binding (#1760)Kim Alvefur2022-06-011-0/+1
| | | | | | | | | | | | | Brings back SCRAM-SHA-*-PLUS from its hiatus brought on by the earlier channel binding method being undefined for TLS 1.3, and the increasing deployment of TLS 1.3. See 1bfd238e05ad and #1542 Requires future version of LuaSec, once support for this key material export method is merged. See https://github.com/brunoos/luasec/pull/187
* CHANGES: Lua 5.1 support removed (closes #1600)Kim Alvefur2022-07-051-0/+4
|
* mod_saslauth: Advertise channel bindings via XEP-0440Kim Alvefur2020-12-061-0/+4
| | | | | This is useful when there's more than one channel binding in circulation, since perhaps there will be varying support for them.
* net.server_epoll: Add option to defer accept() until data availableKim Alvefur2022-05-151-0/+1
| | | | | | | | | | This is a Linux(?) socket option that delays the accept signal until there is data available to read. E.g. with HTTP this might mean that a whole request can be handled without going back trough another turn of the main loop, and an initial client <stream> can be responded to. This may have effects on latency and resource use, as the server does not need to allocate resources until really needed.
* net.server_epoll: Add support for TCP Fast OpenKim Alvefur2021-07-081-0/+1
| | | | | | | | | | | | | Requires a patch to LuaSocket adding this socket option, https://github.com/lunarmodules/luasocket/pull/378 sysctl tweaks net.ipv4.tcp_fastopen=3 net.ipv4.tcp_fastopen_blackhole_timeout_sec = 0 net.ipv4.tcp_fastopen_key=$(</proc/sys/kernel/random/uuid) Disabled by default since it an advanced performance tweak unlikely to be needed by most servers.
* CHANGES: Update to add new changes in trunkMatthew Wild2022-03-191-0/+14
|
* CHANGES: Update to reflect 0.12.0 releaseMatthew Wild2022-03-191-2/+4
|
* CHANGES: Mention STUN/TURN support in 'prosodyctl check'Matthew Wild2022-03-051-0/+1
|
* Merge config-updates+check-turn from timberMatthew Wild2022-03-041-0/+2
|\
| * usermanager, mod_saslauth: Default to internal_hashed if no auth module ↵Matthew Wild2022-02-101-0/+1
| | | | | | | | | | | | | | | | | | | | specified The default config was updated in this way long ago, but if no option was present in the config, Prosody would load internal_plain. This change can result in changes (for the better) for people using very old configuration files lacking an 'authentication' setting.
| * various: Require encryption by default for realKim Alvefur2021-12-251-0/+1
| | | | | | | | | | | | | | | | | | These options have been specified (and enabled) in the default config file for a long time. However if unspecified in the config, they were not enabled. Now they are. This may result in a change of behaviour for people using very old config files that lack the require_encryption options. But that's what we want.
* | util.poll: Add support for the poll() APIKim Alvefur2022-02-231-0/+1
|/ | | | Might be better than select(), more portable than epoll.
* CHANGES: Mention graceful shutdownKim Alvefur2022-02-181-0/+3
|
* mod_s2s: Enable outgoing Direct TLS connectionsKim Alvefur2022-01-211-1/+1
| | | | | | | | | | Makes it faster by cutting out the roundtrips involved in <starttls/>, at the cost of making an additional SRV lookup. Since we already ignore a missing <starttls/> offer and try anyway there is not much difference in security. The fact that XMPP is used and the hostnames involved might still be visible until the future Encrypted ClientHello extension allows hiding those too.
* mod_http: Limit unencrypted http port (5280) to loopback by defaultKim Alvefur2022-01-151-0/+1
| | | | | | | | | | | | | | | | | | | | | | Since accessing this port directly over the wider Internet is unlikely to intentional anymore. Most uses will likely be by reverse proxies, by mistake or because of trouble configuring HTTPS. Blocking mistaken uses is just a good thing, letting users send potentially private things unencrypted tends to be Strongly Discouraged these days. Many reverse proxy setups operate over loopback, so listening there instead of all interfaces is a net improvement. Improved automatic certificate location and SNI support has mostly eliminated the need for manual certificate configuration so HTTPS should Just Work once certificates have been provided. For local testing during development, connecting over loopback is likely fine as well. When really needed, `http_interfaces` can still be set. Suggested by Link Mauve
* mod_bookmarks: Import mod_bookmarks2 from prosody-modules @ ad7767a9f3eaEmmanuel Gil Peyrot2022-01-041-0/+1
|
* mod_invites_adhoc: Import from prosody-modules@5001104f0275Kim Alvefur2022-01-051-0/+1
|
* mod_invites_register: Import from prosody-modules@797b51043767Kim Alvefur2021-12-291-0/+1
|
* mod_invites: Import from prosdy-modules@5fc306239db3Kim Alvefur2021-12-271-0/+1
|
* mod_tombstones: Remember deleted accounts #1307Kim Alvefur2021-12-231-0/+1
| | | | | | | | | Presence subscriptions are normally revoked on account deletion, which informs the contact. Sometimes this notification gets lost e.g. due to s2s problems. The accounts JID may also be present e.g. in MUC affiliations, chat group member lists, pubsub subscriptions or other systems. These may grant privileges which would fall to someone who creates the same account again, which this module is meant to prevent.
* core.certmanager: Presets based on Mozilla SSL Configuration GeneratorKim Alvefur2019-12-221-0/+1
| | | | ssl_preset = "modern"
* CHANGES: Add various thingsKim Alvefur2021-12-211-2/+14
|
* CHANGES: Reorganize by added/changed/removed to improve readabilityKim Alvefur2021-12-211-25/+48
|
* CHANGES: Mention mod_http_openmetricsKim Alvefur2021-11-241-0/+1
|
* mod_smacks: Import from prosody-modules @ eb63890ae8fcKim Alvefur2021-11-161-0/+1
|
* mod_auth_cyrus: Remove (move to community modules)Kim Alvefur2021-10-171-0/+1
| | | | mod_auth_ldap provides LDAP support without being tied to Cyrus
* CHANGES: Add mod_auth_ldapKim Alvefur2021-10-051-0/+1
|
* prosodyctl: Add external connectivity check based on observe.jabber.networkJonas Schäfer2020-05-061-0/+1
| | | | | | | This uses the (experimental) observe.jabber.network API to perform external connectivity checks. The idea is to complement the checks prosodyctl can already do with a (nearly) complete s2s/c2s handshake from a remote party to test the entire stack.
* mod_s2s: Add a Direct TLS listenerKim Alvefur2021-08-101-1/+1
| | | | | | Mirroring the c2s 'direct_tls'. Naming things is hard. direct_tls_s2s_ports = { 5269+1 }
* net.server_select: Deprecate and warn about itKim Alvefur2021-09-031-0/+1
| | | | | | | | | To be removed in the future, but not right now. Give the log warning a chance to prod anyone who might have network_backend="select" in their config first. There's also things built on Verse which uses server_select.lua, which will need to be updated somehow.