apache - jsxc/xmpp-cloud-auth GitHub Wiki
# Setting up Apache with a Let's Encrypt certificate

Run this on the Nextcloud host if you have two separate servers.

## Create the following files

`/etc/apache2/sites-available/example-org.conf`:
```apache
<VirtualHost *:80>
    ServerName example.org
    ServerAdmin [email protected]
    DocumentRoot /var/www/nextcloud
    ErrorLog ${APACHE_LOG_DIR}/nc_error.log
    CustomLog ${APACHE_LOG_DIR}/nc_access.log combined

    ProxyPass /http-bind/ https://xmpp.example.org:5281/http-bind/
    ProxyPassReverse /http-bind/ https://xmpp.example.org:5281/http-bind/
    ProxyPreserveHost On
    SSLProxyEngine On
</VirtualHost>
```
(Based on the JSXC documentation.)

If Nextcloud and Prosody are on the same host, you can replace both proxy URLs with `http://localhost:5280/http-bind/` and remove the `SSLProxyEngine On` line. This can help improve performance.
`/etc/apache2/sites-available/www-example-org.conf`:

```apache
<VirtualHost *:80>
    ServerName www.example.org
    ServerAdmin [email protected]
    DocumentRoot /var/www/nextcloud
    ErrorLog ${APACHE_LOG_DIR}/nc_error.log
    CustomLog ${APACHE_LOG_DIR}/nc_access.log combined

    Redirect permanent / https://example.org
</VirtualHost>
```
## Activate the sites and modules

```sh
a2enmod proxy proxy_http
a2ensite www-example-org example-org
```
## Obtain the certificate and make HTTPS the default

…and fix the strange permissions letsencrypt creates.

```sh
letsencrypt -d example.org -d www.example.org -d userdata.example.org -d conference.example.org -d pubsub.example.org -m [email protected] --redirect --hsts --uir --staple-ocsp
chgrp -R ssl-cert /etc/letsencrypt/{archive,live}
chmod -R g+rX /etc/letsencrypt/{archive,live}
```
## Make sure your certificate is renewed in time

Make the command executable and have it run at a random time every night between 00:00 and 05:59 (to be easy on the Let's Encrypt servers):

```sh
echo $(($RANDOM % 60)) $((RANDOM % 6)) "* * * root letsencrypt renew" > /etc/cron.d/auto-renew-letsencrypt
```

:warning: The above command assumes it is run from bash (`$RANDOM` is a bash feature). Bash is the default shell, so you only have to care if you changed your default shell.
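The cron entry above depends on bash's `$RANDOM`. As an added example (not part of this wiki or the xmpp-cloud-auth project), here is a POSIX sh variant that draws the random minute and hour from `/dev/urandom` with `od(1)`, checks that the resulting `/etc/cron.d` line is well formed and inside the 00:00-05:59 window, and only then writes it; the output file is a parameter so it can be tried against a temporary file before touching `/etc/cron.d`. It assumes `od` and `/dev/urandom` are available.

```shell
#!/bin/sh
# Added example, not from the jsxc/xmpp-cloud-auth wiki: a POSIX sh way to
# create the /etc/cron.d entry.  $RANDOM only exists in bash, so the random
# minute and hour are read from /dev/urandom with od(1) instead.

# random_int MAX -> prints an integer in [0, MAX)
random_int() {
    n=$(od -An -N2 -tu2 /dev/urandom | tr -d ' \t\n')
    echo $((n % $1))
}

# make_renew_cron_line -> prints one /etc/cron.d line, i.e.
#   minute hour day-of-month month day-of-week user command
# with minute in 0-59 and hour in 0-5, the 00:00-05:59 window used above.
make_renew_cron_line() {
    printf '%s %s * * * root letsencrypt renew\n' "$(random_int 60)" "$(random_int 6)"
}

# validate_renew_cron_line LINE -> returns 0 if LINE is a well-formed entry
# inside the expected window, 1 otherwise.  Run before installing the file so
# a malformed line (e.g. from an empty $RANDOM) never reaches cron.
validate_renew_cron_line() {
    set -f            # no glob expansion while splitting the "* * *" fields
    set -- $1
    set +f
    [ $# -eq 8 ] || return 1
    case "$1$2" in *[!0-9]*|'') return 1;; esac   # minute and hour are numeric
    [ "$1" -le 59 ] || return 1
    [ "$2" -le 5 ] || return 1
    [ "$3 $4 $5" = "* * *" ] || return 1
    [ "$6" = root ] && [ "$7" = letsencrypt ] && [ "$8" = renew ]
}

# install_renew_cron [FILE] -> writes a validated entry to FILE
# (default: /etc/cron.d/auto-renew-letsencrypt, which needs root to write).
install_renew_cron() {
    file=${1:-/etc/cron.d/auto-renew-letsencrypt}
    line=$(make_renew_cron_line)
    validate_renew_cron_line "$line" || return 1
    printf '%s\n' "$line" > "$file"
}
```

Run `install_renew_cron /tmp/renew-test` first and inspect the file; call it without an argument (as root) to install the real entry.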
## Activate changes and certificate for Apache

…after giving Apache permission to read the private key associated with the certificate.

```sh
adduser www-data ssl-cert
service apache2 restart
```
## Separate Nextcloud and XMPP hosts

If you have two hosts, then at this point you need to rsync (or similar) `/etc/letsencrypt` to the XMPP server. Also replace the `service prosody reload` line in the cron job above with a command that syncs the certificates to the XMPP server and reloads them there.
Next: Configuring either Prosody or ejabberd (without authentication)