| Commit message (Collapse) | Author | Age | Files | Lines |
|
These options have been specified (and enabled) in the default config file for
a long time. However if unspecified in the config, they were not enabled. Now
they are.
This may result in a change of behaviour for people using very old config
files that lack the require_encryption options. But that's what we want.
|
Makes it faster by cutting out the roundtrips involved in <starttls/>,
at the cost of making an additional SRV lookup.
Since we already ignore a missing <starttls/> offer and try anyway there
is not much difference in security. The fact that XMPP is used and the
hostnames involved might still be visible until the future Encrypted
ClientHello extension allows hiding those too.
|
Since accessing this port directly over the wider Internet is unlikely
to be intentional anymore. Most uses will likely be by reverse proxies, by
mistake or because of trouble configuring HTTPS.
Blocking mistaken uses is just a good thing, letting users send
potentially private things unencrypted tends to be Strongly Discouraged
these days.
Many reverse proxy setups operate over loopback, so listening there
instead of all interfaces is a net improvement.
Improved automatic certificate location and SNI support has mostly
eliminated the need for manual certificate configuration so HTTPS should
Just Work once certificates have been provided.
For local testing during development, connecting over loopback is likely
fine as well. When really needed, `http_interfaces` can still be set.
Suggested by Link Mauve
|
Presence subscriptions are normally revoked on account deletion, which
informs the contact. Sometimes this notification gets lost e.g. due to
s2s problems. The account's JID may also be present e.g. in MUC
affiliations, chat group member lists, pubsub subscriptions or other
systems. These may grant privileges which would fall to someone who
creates the same account again, which this module is meant to prevent.
|
ssl_preset = "modern"
|
mod_auth_ldap provides LDAP support without being tied to Cyrus
|
This uses the (experimental) observe.jabber.network API to
perform external connectivity checks. The idea is to complement
the checks prosodyctl can already do with a (nearly) complete
s2s/c2s handshake from a remote party to test the entire stack.
|
Mirroring the c2s 'direct_tls'. Naming things is hard.
direct_tls_s2s_ports = { 5269+1 }
|
To be removed in the future, but not right now. Give the log warning a
chance to prod anyone who might have network_backend="select" in their
config first.
There's also things built on Verse which uses server_select.lua, which
will need to be updated somehow.
|
MattJ on 09:34:24
> Zash: I think as a first step, offline messages should not be sent to
> clients that request MAM
https://chat.modernxmpp.org/log/modernxmpp/2021-08-31#2021-08-31-8518a542bd283686
|
Previous commit adds a workaround, so this doesn't mutate global state
anymore, only per-connection 'extra' state as originally intended.
|
Since there is now support for SNI with per-host certificates as well as
support in `prosodyctl check dns`.
Previous "support" was just the 'legacy_ssl' option, which didn't have
much other supporting code.
|
When set, no periodic statistics collection is done by
core.statsmanager, instead some module is expected to call collect()
when it suits. Obviously only one such module should be enabled.
Quoth jonas’
> correct way is to scrape the internal sources on each call to /metrics
> in the context of Prometheus
"manual" as opposed to "automatic", from the point of view of
statsmanager.
|
Turns out 'extra' is, at least for mod_s2s, the same table for *all*
connections.
|
Disabled DANE by default, since it needs extra steps to be useful. The
built-in DNS stub resolver does not support DNSSEC so having DANE
enabled by default only leads to an extra wasted DNS request.
|
This variant is meant to improve upon mod_http_upload in some ways:
* Handle files of arbitrary size efficiently
* Allow GET and PUT URLs to be different
* Remember Content-Type sent by client
* Avoid dependency on mod_http_files
* Built-in way to delegate storage to another httpd
|
RFC 6331 lists several problems with this outdated authentication
mechanism. The code here was also completely ignored by lint checks and
has probably not been used for a long time, as it is incompatible with
SCRAM-hashed password storage.
|
Potentially a bit more efficient since it can jump to the selected
protocol on connect instead of waiting for some data to look at.
Adds a 'protocol' field to net providers for this purpose.
|
BC: This overloads the GET event.
Previous commit ensures HEAD requests are sent without a body.
|
instead of SHA-1
This will currently require a hard reset of all passwords back to plain.
This will be least painful on new deployments.
|
This allows migrating to and from any storage module that supports the
right methods. Based on experimental mod_migrate work.
|
(fixes #1347)
|