Server Deployment Instructions - Gordin/cryptocat GitHub Wiki
Deploying a Cryptocat server allows you to maintain Cryptocat conversations on your own network, without relying on the network at crypto.cat. Our network is pretty reliable, and we invite everyone to use it, but it's cool to set up your own network too! :-)
Overview
You basically just need to set up an XMPP server that speaks BOSH, with MUC (XEP-0045) and anonymous SASL authentication enabled, and then put a front-facing HTTPS proxy in front of it. The proxy terminates TLS; Prosody itself only ever sees plain HTTP from the proxy on localhost. For this setup, we recommend the following software:
- prosody for establishing the XMPP server,
- nginx for establishing an HTTPS proxy for BOSH and WebSockets.
Connecting to Custom Servers
To connect to a custom server from Cryptocat, simply click on "Custom servers" on the login screen. The BOSH/WebSocket URL for this setup will be
- https://host.name/http-bind for BOSH
- wss://host.name/xmpp-websocket for WebSockets
Configuration files
These configuration files are provided for convenience. They are very similar to the ones we use ourselves.
Prosody needs to be configured as an XMPP server with MUC and anonymous SASL authentication enabled. Prosody's own BOSH/WebSocket listener should not be exposed to the outside: nginx listens outward on HTTPS and relays the requests internally to Prosody. Because the configuration below tells Prosody to treat BOSH and WebSocket connections as already secure (consider_bosh_secure / consider_websocket_secure), Prosody's HTTP port must be bound to the loopback interface only; otherwise a client could reach it in plaintext and Prosody would still believe the connection was encrypted.
Prosody Configuration (prosody.cfg.lua)
This configuration will set up an XMPP server on host.name, with the MUC server conference.host.name and a BOSH and WebSocket listener on localhost:5280. Don't forget to replace host.name with your hostname.
If you want to use WebSockets you'll need to uncomment some things in the config: search for WEBSOCKET in the config and follow the instructions.
```lua
admins = { '[email protected]' }
daemonize = true
pidfile = "/var/run/prosody/prosody.pid"

-- WEBSOCKET Clone the prosody-modules repo (hg clone https://code.google.com/p/prosody-modules/) and set the path to where you cloned it (don't forget to uncomment the next line)
--plugin_paths = { "/path/to/prosody-modules" }

-- Enable use of libevent for better performance under high load
-- For more information see: http://prosody.im/doc/libevent
use_libevent = true

modules_enabled = {
    -- Generally required
    "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
    "tls"; -- Add support for secure TLS on c2s/s2s connections
    "dialback"; -- s2s dialback support
    "disco"; -- Service discovery
    "compression"; -- Stream compression

    -- Nice to have
    "version"; -- Replies to server version requests
    "uptime"; -- Report how long server has been running
    "time"; -- Let others know the time here on this server
    "ping"; -- Replies to XMPP pings with pongs
    "pep"; -- Enables users to publish their mood, activity, playing music and more

    -- Admin interface
    "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands

    -- HTTP modules
    "bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
    --"websocket"; -- Uncomment to enable WEBSOCKET connections

    -- Other specific functionality
    "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
}

-- Allow the Chrome extension to make requests to this server
cross_domain_bosh = { "chrome-extension://gonbigodpnfghidmnphnadhepmbabhij"}
cross_domain_websocket = { "chrome-extension://gonbigodpnfghidmnphnadhepmbabhij"}
-- If you want to develop cryptocat, uncomment the next lines
--cross_domain_bosh = true
--cross_domain_websocket = true

-- Bind Prosody's own HTTP listener (BOSH and WebSocket) to loopback only. nginx
-- terminates TLS and relays to it, and the consider_*_secure settings below
-- trust that every connection arriving here came through nginx.
http_ports = { 5280 }
http_interfaces = { "127.0.0.1", "::1" }

-- Consider BOSH and WebSockets secure (nginx handles the TLS for us)
consider_bosh_secure = true
consider_websocket_secure = true

-- These modules are auto-loaded, but we don't need them for cryptocat
modules_disabled = {
    "offline"; -- Store offline messages
    "s2s"; -- Handle server-to-server connections
}

-- Force clients to use encrypted connections
c2s_require_encryption = true

-- Logging configuration
log = {
    info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
    error = "/var/log/prosody/prosody.err";
}

VirtualHost "host.name"
    --enable anonymous SASL authentication
    authentication = "anonymous"

---Set up a MUC (multi-user chat) room server on conference.host.name:
Component "conference.host.name" "muc"
```
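The exchange a Cryptocat client performs against this server, as an added example (not code from the Cryptocat wiki, the Cryptocat client or Prosody): it opens a BOSH session on the /http-bind URL from "Connecting to Custom Servers", authenticates with SASL ANONYMOUS, binds a resource and joins a room on the MUC component configured above. The request builders and response parsers are pure functions so they can be checked offline; main() drives a live session. host.name, https://host.name/http-bind, the nick "smoketest" and the room lobby@conference.host.name are placeholders assumed here, not values the wiki specifies.

```python
"""Added example, not code from the Cryptocat wiki, the Cryptocat client or
Prosody: a BOSH smoke test for the server set up on this page. It opens a BOSH
session, authenticates with SASL ANONYMOUS, binds a resource and joins a MUC
room, the same path the Cryptocat client takes. host.name,
https://host.name/http-bind and lobby@conference.host.name are placeholders."""
import random
import sys
import urllib.request
import xml.etree.ElementTree as ET

BOSH = "http://jabber.org/protocol/httpbind"
XBOSH = "urn:xmpp:xbosh"
SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
BIND = "urn:ietf:params:xml:ns:xmpp-bind"
MUC = "http://jabber.org/protocol/muc"


def session_request(domain, rid):
    """First <body/> of a session (XEP-0124): no sid yet, asks for stream features."""
    return (f'<body rid="{rid}" to="{domain}" wait="60" hold="1" ver="1.6" '
            f'xmpp:version="1.0" content="text/xml; charset=utf-8" '
            f'xmlns="{BOSH}" xmlns:xmpp="{XBOSH}"/>')


def in_session(sid, rid, payload="", extra=""):
    """Wrap stanzas in a <body/> tied to an existing session; rid grows by one per request."""
    return f'<body sid="{sid}" rid="{rid}" xmlns="{BOSH}" xmlns:xmpp="{XBOSH}"{extra}>{payload}</body>'


def anonymous_auth(sid, rid):
    # SASL ANONYMOUS (RFC 4505) carries no credentials; Prosody assigns a random localpart.
    return in_session(sid, rid, f'<auth xmlns="{SASL}" mechanism="ANONYMOUS"/>')


def restart_request(domain, sid, rid):
    # After SASL success the XML stream is restarted; BOSH expresses that as xmpp:restart.
    return in_session(sid, rid, extra=f' to="{domain}" xmpp:restart="true"')


def bind_request(sid, rid, resource="smoketest"):
    return in_session(sid, rid, f'<iq type="set" id="bind1" xmlns="jabber:client">'
                                f'<bind xmlns="{BIND}"><resource>{resource}</resource></bind></iq>')


def join_room(sid, rid, room, nick):
    """MUC join (XEP-0045): presence to room/nick carrying the muc <x/> element."""
    return in_session(sid, rid, f'<presence to="{room}/{nick}" xmlns="jabber:client"><x xmlns="{MUC}"/></presence>')


def parse_session_response(xml_text):
    """Session id and offered SASL mechanisms from the server's first <body/>."""
    body = ET.fromstring(xml_text)
    sid = body.get("sid")
    if body.tag != f"{{{BOSH}}}body" or not sid:
        raise ValueError("not a BOSH session-creation response")
    return {"sid": sid, "mechanisms": [m.text for m in body.iter(f"{{{SASL}}}mechanism")]}


def auth_succeeded(xml_text):
    return ET.fromstring(xml_text).find(f"{{{SASL}}}success") is not None


def parse_bound_jid(xml_text):
    jid = ET.fromstring(xml_text).find(f".//{{{BIND}}}jid")
    return jid.text if jid is not None else None


def post(url, body):
    req = urllib.request.Request(url, data=body.encode(), headers={"Content-Type": "text/xml; charset=utf-8"})
    with urllib.request.urlopen(req, timeout=70) as resp:  # urllib verifies the certificate chain
        return resp.read().decode()


def main(url, domain, room, nick="smoketest"):
    rid = random.randint(1, 2 ** 31)
    feats = parse_session_response(post(url, session_request(domain, rid)))
    if "ANONYMOUS" not in feats["mechanisms"]:
        sys.exit(f'server offers {feats["mechanisms"]}, not ANONYMOUS: check authentication = "anonymous"')
    sid, rid = feats["sid"], rid + 1
    if not auth_succeeded(post(url, anonymous_auth(sid, rid))):
        sys.exit("SASL ANONYMOUS was rejected")
    rid += 1
    post(url, restart_request(domain, sid, rid))
    rid += 1
    jid = parse_bound_jid(post(url, bind_request(sid, rid)))
    rid += 1
    print("bound as", jid)
    print("join reply:", post(url, join_room(sid, rid, room, nick)))


if __name__ == "__main__":
    args = sys.argv[1:4] if len(sys.argv) == 4 else ["https://host.name/http-bind", "host.name", "lobby@conference.host.name"]
    main(*args)
```

Run it as `python3 bosh_smoke.py https://host.name/http-bind host.name lobby@conference.host.name`. If the first reply lists only PLAIN or SCRAM mechanisms, the `authentication = "anonymous"` line did not land under the right VirtualHost; if urllib raises a certificate error, the browser will refuse the same certificate.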
Nginx configuration (nginx.conf)
This configuration will set up a front-facing HTTPS proxy for BOSH and WebSockets. You will also need to provide valid SSL certificate files (ssl_certificate and ssl_certificate_key). This configuration file also loads mime-types from /etc/nginx/mime.types.
Note: This configuration employs Strict Transport Security (HSTS) by default. HSTS makes browsers treat any certificate error as fatal, with no click-through, for the whole max-age. If you are using a self-signed certificate (not recommended!) you will want to remove every add_header Strict-Transport-Security max-age=31536000; line, which appears twice.
```nginx
worker_processes auto;
worker_rlimit_nofile 100000;
pid /var/run/nginx.pid;

events {
    worker_connections 2048;
    multi_accept on;
    use epoll;
}

http {
    include /etc/nginx/mime.types;
    sendfile on;
    tcp_nodelay on;
    tcp_nopush on;
    server_tokens off;
    access_log off;
    keepalive_timeout 20;
    client_header_timeout 20;
    client_body_timeout 20;
    reset_timedout_connection on;
    send_timeout 20;
    gzip on;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";

    # Plain HTTP only redirects to HTTPS. Do not proxy /http-bind here: Prosody is
    # told (consider_bosh_secure) that everything arriving from nginx was encrypted.
    server {
        listen 80;
        listen [::]:80 default ipv6only=on;
        add_header Strict-Transport-Security max-age=31536000;
        add_header X-Frame-Options SAMEORIGIN;
        return 301 https://$host$request_uri;
    }

    # HTTPS server
    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        add_header Strict-Transport-Security max-age=31536000;
        add_header X-Frame-Options SAMEORIGIN;
        ssl_certificate /etc/ssl/certificate.crt;
        ssl_certificate_key /etc/ssl/certificate.key;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 5m;
        # SSLv3 (POODLE) and 3DES (SWEET32) are not offered; TLS 1.3 suites are not governed by ssl_ciphers.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256;
        ssl_prefer_server_ciphers on;
        location / {
            root /var/www;
            index index.html index.htm;
        }
        location /xmpp-websocket {
            proxy_buffering off;
            proxy_pass http://localhost:5280/xmpp-websocket;
            proxy_http_version 1.1;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_read_timeout 120;   # must exceed the client's idle/ping interval or nginx closes the socket
        }
        location /http-bind {
            proxy_buffering off;
            proxy_pass http://localhost:5280/http-bind;
            proxy_read_timeout 120;   # must exceed the BOSH wait (60s) or held long-polls return 504
        }
    }
}
```
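A review pass over the two configuration files, as an added example (not code from the Cryptocat wiki, nginx or Prosody): it parses nginx server blocks and Prosody's Lua settings from text and flags the settings discussed on this page, namely BOSH proxied over plain HTTP, SSLv3 and 3DES, a missing HSTS header, consider_bosh_secure without Prosody's HTTP port bound to loopback, wildcard cross_domain settings, and c2s_require_encryption not set. The WEAK_* and FIXED_* samples are constructed for the test, the weak settings beside their corrected forms; they are not copied from a running server.

```python
"""Added example, not code from the Cryptocat wiki or from nginx/Prosody: a lint
over the two configuration files above that flags the settings a reviewer would
check before exposing the server. The WEAK_*/FIXED_* samples are constructed."""
import re

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("DES-CBC3", "RC4", "NULL", "EXPORT", "MD5")


def _strip_comments(text, marker):
    return "\n".join(line.split(marker, 1)[0] for line in text.splitlines())


def split_servers(text):
    """Bodies of the top-level server { ... } blocks in an nginx config."""
    servers, cur, depth = [], None, 0
    for line in _strip_comments(text, "#").splitlines():
        line = line.strip()
        if cur is None:
            if re.fullmatch(r"server\s*\{", line):
                cur, depth = [], 1
            continue
        depth += line.count("{") - line.count("}")
        if depth == 0:
            servers.append("\n".join(cur))
            cur = None
        else:
            cur.append(line)
    return servers


def directive(block, name):
    """Argument strings of every occurrence of a directive, e.g. ['443 ssl']."""
    return [a.strip() for a in re.findall(rf"(?m)^\s*{name}\s+([^;]+);", block)]


def lint_nginx(text):
    findings = []
    for srv in split_servers(text):
        listens = directive(srv, "listen")
        tls = directive(srv, "ssl") == ["on"] or any(re.search(r"\bssl\b", l) for l in listens)
        if not tls:
            # Proxying BOSH over plain HTTP defeats consider_bosh_secure on the Prosody side.
            for path in re.findall(r"location\s+(\S+)\s*\{[^}]*proxy_pass", srv):
                findings.append(("plaintext-proxy", f"{path} proxied without TLS on {listens}; redirect to HTTPS instead"))
            continue
        for proto in " ".join(directive(srv, "ssl_protocols")).split():
            if proto in WEAK_PROTOCOLS:
                findings.append(("weak-protocol", f"{proto} enabled on {listens}"))
        for suite in ":".join(directive(srv, "ssl_ciphers")).split(":"):
            if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
                findings.append(("weak-cipher", f"{suite} enabled on {listens}"))
        if not any("Strict-Transport-Security" in a for a in directive(srv, "add_header")):
            findings.append(("no-hsts", f"no HSTS header on {listens}"))
    return findings


def lint_prosody(text):
    lua = _strip_comments(text, "--")
    has = lambda pattern: re.search(pattern, lua) is not None
    findings = []
    # Trusting the proxy is only safe if Prosody's own HTTP port is unreachable from outside.
    if has(r"consider_bosh_secure\s*=\s*true") and not has(r"http_interfaces\s*=\s*\{[^}]*(127\.0\.0\.1|::1)"):
        findings.append(("trust-without-bind", "consider_bosh_secure = true but http_interfaces is not limited to loopback"))
    if has(r"cross_domain_(bosh|websocket)\s*=\s*true"):
        findings.append(("cors-wildcard", "cross_domain_* = true admits any origin; list the extension origin instead"))
    if not has(r"c2s_require_encryption\s*=\s*true"):
        findings.append(("plaintext-c2s", "c2s_require_encryption is not set to true"))
    return findings


WEAK_NGINX = """
server {
    listen 80;
    location /http-bind { proxy_pass http://localhost:5280/http-bind; }
}
server {
    listen 443;
    ssl on;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA;
}
"""
FIXED_NGINX = """
server {
    listen 80;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256;
    add_header Strict-Transport-Security "max-age=31536000";
    location /http-bind { proxy_pass http://127.0.0.1:5280/http-bind; }
}
"""
WEAK_PROSODY = """
consider_bosh_secure = true
--cross_domain_bosh = true
cross_domain_websocket = true
"""
FIXED_PROSODY = """
http_interfaces = { "127.0.0.1", "::1" }
consider_bosh_secure = true
cross_domain_bosh = { "chrome-extension://gonbigodpnfghidmnphnadhepmbabhij" }
c2s_require_encryption = true
"""

if __name__ == "__main__":
    for label, result in (("weak nginx", lint_nginx(WEAK_NGINX)), ("fixed nginx", lint_nginx(FIXED_NGINX)),
                          ("weak prosody", lint_prosody(WEAK_PROSODY)), ("fixed prosody", lint_prosody(FIXED_PROSODY))):
        print(label, result or "ok")
```

Point lint_nginx at the text of your real nginx.conf and lint_prosody at prosody.cfg.lua; an empty list for both is the state the page is aiming for. The checks are textual, so a setting inherited from an include file is not seen; run it on the file nginx actually loads.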