Skip to content
Repository with copies of my XMPP server configuration for public interest / investigation.
Branch: master
Clone or download
Type Name Latest commit message Commit time
Failed to load latest commit information.
root Add ipv6 support for prosody-filer May 15, 2019
LICENSE Initial commit May 4, 2019 Initial commit May 4, 2019

Repository with copies of my XMPP server configuration for public interest / investigation.

Notes on this setup

  • Database backend: PostgreSQL
  • Admin web interface and API are disabled
  • In-Band registration and web registration are enabled
  • Captchas enabled
  • Nginx is used as HTTP / Websocket Proxy
  • Port 5223 used as TLS port for "XMPP over TLS" feature (Port 443 is forwarded to 5223)

OS and Ejabberd version

I'm using Debian 9 Stretch as an OS. Ejabberd 18.12 was installed from the stretch-backports repo:

nano /etc/apt/sources.list
# Stretch Backports
deb stretch-backports main
apt update
apt install -t stretch-backports ejabberd erlang-p1-pgsql
apt install imagemagick

Make sure you install erlang-p1-pgsql from the backport repo!

TLS certificates and Diffie Hellman parameters

I'm using for Let's Encrypt:

DH parameters have been generated via:

openssl dhparam -out /etc/ejabberd/dh4096.pem 4096


Creation and setup of the Postgres database:

su -c "psql" - postgres
create user ejabberd with password 'ejabberdpassword';
create database ejabberd_trashserver;
alter database ejabberd_trashserver owner to ejabberd;
su -c "psql ejabberd_trashserver < /usr/share/ejabberd/sql/" - ejabberd

Nginx HTTP / WS Proxy

Nginx terminates TLS and provides nice URLs without any port notation. It listens on the primary IP address and the host name "" as well as the hostname "" for file upload processing.

HTTP Upload

Ejabberd is using Prosody Filer for file upload processing.


Port 443 of a second IP address (just for that purpose) is forwarded to port 5223 (TLS) on Ejabberd. Necessary iptables rules:

Origin address (sec) Origin port Destination address (prim) Destination port
2a01:360:50e:1::252 443 2a01:360:50e:1::251 5223 443 5223


ip6tables -t nat -A PREROUTING -d 2a01:360:50e:1::252/128 -p tcp -m tcp --dport 443 -j DNAT --to-destination [2a01:360:50e:1::251]:5223
ip6tables -t nat -A POSTROUTING -d 2a01:360:50e:1::252/128 -p tcp -m tcp --dport 5223 -j SNAT --to-source [2a01:360:50e:1::251]:5223


iptables -t nat -A PREROUTING -d -p tcp -m tcp --dport 443 -j DNAT --to-destination
iptables -t nat -A POSTROUTING -d -p tcp -m tcp --dport 5223 -j SNAT --to-source

I recommend iptables-persistent to save iptables:

You can’t perform that action at this time.