http://www.ejabberd.im/mod_filter
mod_filter
==========
Flexible filtering by server policy
This module allows the admin to specify packet filtering rules using ACL and ACCESS.
## Install
Clone into ~/.ejabberd-modules/sources and run `ejabberdctl module_install mod_filter`
If you run into issues, first make sure the module shows up in the list of available modules via `ejabberdctl modules_available`. Next, check whether `ejabberdctl module_check mod_filter` explains the problem. It should say "OK" if the module is ready to install.
Add the module to the list of modules on ejabberd.cfg:
```erlang
{modules, [
...
{mod_filter, []},
...
]}.
```
Add to ejabberd.cfg the default ACCESS configuration:
```erlang
{access, mod_filter, [{allow, all}]}.
{access, mod_filter_presence, [{allow, all}]}.
{access, mod_filter_message, [{allow, all}]}.
{access, mod_filter_iq, [{allow, all}]}.
```
Then modify those ACCESS rules to your needs. You can see examples below.
Recompile and restart ejabberd.
## Configuration examples
The configuration of rules is done using ejabberd's ACL and ACCESS, so you should also study the corresponding section of the ejabberd guide. The `mod_filter` rule (and the per-stanza-type rules `mod_filter_presence`, `mod_filter_message` and `mod_filter_iq`) is matched against the sender of each packet: `allow` lets the packet through, `deny` drops it, and any other atom is taken as the name of a second ACCESS rule, which is then matched against the recipient and must return `allow` for the packet to pass. These are examples that may help you understand how it works.
### Example 1
```erlang
%% Admins can send anything. Others are restricted in various ways.
{access, mod_filter, [{allow, admin},
{restrict_local, local},
{restrict_foreign, all}]}.
%% Local non-admin users can only send messages to other local users.
{access, restrict_local, [{allow, local},
{deny, all}]}.
%% Foreign users can only send messages to admins.
{access, restrict_foreign, [{allow, admin},
{deny, all}]}.
```
### Example 2
In this example, the users of a private vhost (example3.org) can only chat among themselves, so that particular vhost has no connection to the exterior. The other vhosts on the server are completely unrestricted. The administrators are also unrestricted.
```erlang
% This ejabberd server has three virtual hosts
{hosts, ["example1.org", "example2.org", "example3.org"]}.
% This ACL will match any user or service (MUC, PubSub...) hosted on example3.org
{acl, ex3server, {server_glob, "*example3.org"}}.
% The main mod_filter rule allows any admin, but restricts example3 and the rest of packets
{access, mod_filter, [{allow, admin},
{restrict_ex3, ex3server},
{restrict_nonex3, all}]}.
% This rule, which applies to packets sent from Ex3 non-admin users,
% allows packets sent to Ex3 server (packets internal to the vhost) and denies anything else.
{access, restrict_ex3, [{allow, ex3server},
{deny, all}]}.
% This rule, which applies to the rest of packets (the ones that are not sent from Ex3),
% allows all packets to admins (allowing replies to stanzas from Ex3 admins),
% denies all other access to Ex3, and allows access to anything else.
{access, restrict_nonex3, [{allow, admin},
{deny, ex3server},
{allow, all}]}.
```
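To check what a rule set like Example 1 or Example 2 actually decides before deploying it, it helps to walk some sender/recipient pairs through the two-stage evaluation by hand. The following Python model is an added example for this README, not code from mod_filter or ejabberd: it reproduces ejabberd's ACL matching only as far as the README's examples need (`all`, `none`, `admin`, `local`, `server_glob`, `user`), encodes the Example 2 rules plus the Install section's three default stanza-type rules, and assumes a hosted admin JID and some sample JIDs (all constructed). It also assumes, as the Install section's insistence on four default rules implies, that an undefined ACCESS rule evaluates to `deny`, and that the stanza-type rule is checked before the general `mod_filter` rule with both having to allow the packet.

```python
"""Offline model of how mod_filter's ACL/ACCESS rules decide a packet.

Added illustration for this README, not code from mod_filter or ejabberd.
Hosts, ACLs and ACCESS rules mirror Example 2 plus the Install defaults;
the admin JID and all sample JIDs are constructed for the demonstration.
"""
from fnmatch import fnmatchcase

HOSTS = {"example1.org", "example2.org", "example3.org"}   # {hosts, [...]}
ADMINS = {"admin@example1.org"}                            # assumed admin ACL

# {acl, Name, {Kind, Pattern}} entries; one name may carry several entries.
ACLS = {
    "ex3server": [("server_glob", "*example3.org")],
}

# {access, Rule, [{Result, Acl}, ...]}: Example 2, plus the three
# stanza-type defaults the Install section requires.
ACCESS = {
    "mod_filter": [("allow", "admin"),
                   ("restrict_ex3", "ex3server"),
                   ("restrict_nonex3", "all")],
    "restrict_ex3": [("allow", "ex3server"), ("deny", "all")],
    "restrict_nonex3": [("allow", "admin"), ("deny", "ex3server"), ("allow", "all")],
    "mod_filter_presence": [("allow", "all")],
    "mod_filter_message": [("allow", "all")],
    "mod_filter_iq": [("allow", "all")],
}


def split_jid(jid):
    """Return (user, server) of a bare JID; a service JID has an empty user."""
    user, _, server = jid.rpartition("@")
    return user, server


def acl_match(acl_name, jid, acls=ACLS):
    """Does `jid` fall under ACL `acl_name`? Built-in ACLs first, then configured ones."""
    user, server = split_jid(jid)
    if acl_name == "all":
        return True
    if acl_name == "none":
        return False
    if acl_name == "admin":
        return jid in ADMINS
    if acl_name == "local":
        return server in HOSTS
    for kind, pattern in acls.get(acl_name, []):
        if kind == "server_glob" and fnmatchcase(server, pattern):
            return True
        if kind == "user" and (user, server) == pattern:
            return True
    return False


def access_match(rule_name, jid, access=ACCESS):
    """First {Result, Acl} entry whose ACL matches the JID wins.

    An undefined rule, or one whose entries are all exhausted, yields deny
    (assumed here; it is why the Install section adds four {allow, all} rules).
    """
    for result, acl_name in access.get(rule_name, []):
        if acl_match(acl_name, jid):
            return result
    return "deny"


def filter_packet(sender, recipient, stanza_type="message", access=ACCESS):
    """Two-stage decision as the README's rule comments describe it.

    The sender is matched against the rule: `allow` passes, `deny` drops,
    and any other atom names a second rule that is matched against the
    recipient. mod_filter_<type> is assumed to be consulted before the
    general mod_filter rule; both must allow the packet.
    """
    for rule_name in ("mod_filter_" + stanza_type, "mod_filter"):
        verdict = access_match(rule_name, sender, access)
        if verdict == "deny":
            return "drop"
        # Anything but allow from the recipient-side rule (including a
        # misnamed rule, which is undefined and so denies) drops the packet.
        if verdict != "allow" and access_match(verdict, recipient, access) != "allow":
            return "drop"
    return "pass"


if __name__ == "__main__":
    for frm, to in [("romeo@example3.org", "juliet@example3.org"),
                    ("romeo@example3.org", "bob@example1.org"),
                    ("bob@example1.org", "romeo@example3.org"),
                    ("conference.example3.org", "romeo@example3.org"),
                    ("admin@example1.org", "romeo@example3.org")]:
        print(f"{frm:>26} -> {to:<22} {filter_packet(frm, to)}")
```

Two things the walk-through makes visible that the rule text alone does not: the `server_glob` ACL also catches services such as `conference.example3.org`, so MUC traffic stays inside the vhost as the comment promises, and removing one of the four default rules (for instance `mod_filter_presence`) silently drops every stanza of that type, because a missing rule is not an implicit `{allow, all}`.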
### Example 3
Allow just some MSN users (romeo and juliet), reached through the transport msn.example.com, to communicate with the users of the server.
```erlang
{acl, good_msn_users, {user, "romeo%hotmail.com", "msn.example.com"}}.
{acl, good_msn_users, {user, "juliet%hotmail.com", "msn.example.com"}}.
{acl, good_msn_users, {user, "", "msn.example.com"}}.
{acl, msn_users, {server_glob, "msn*"}}.
{access, mod_filter, [
% Filter incoming messages; allow only good messages
{allow, good_msn_users},
{deny, msn_users},
% Filter the rest, including outgoing messages
{filter_msn, all}
]}.
{access, filter_msn, [
% Users can send messages to good MSN users
{allow, good_msn_users},
% but not to other MSN users
{deny, msn_users},
% All non-MSN traffic is allowed
{allow, all}
]}.
```
### Example 4
This server has two virtual hosts: one is typical and the other has only anonymous users. The anonymous users cannot send presence stanzas to, or receive them from, anyone outside their vhost.
```erlang
{hosts, ["localhost", "anon.localhost"]}.
{auth_method, [internal]}.
{host_config, "anon.localhost", [{auth_method, anonymous},
{anonymous_protocol, both}]}.
{acl, anon_user, {server_glob, "*anon.localhost"}}.
{access, mod_filter, [{allow, all}]}.
{access, mod_filter_presence, [{allow, admin},
{restrict_anon, anon_user},
{restrict_no_anon, all}]}.
{access, restrict_anon, [{allow, anon_user}, {deny, all}]}.
{access, restrict_no_anon, [{allow, admin}, {deny, anon_user}, {allow, all}]}.
{access, mod_filter_message, [{allow, all}]}.
{access, mod_filter_iq, [{allow, all}]}.
```
### Example 5
This server has three virtual hosts. The first and second are isolated from each other: a non-admin user on domain1 or domain2 can only send stanzas within their own vhost. The admins have no such restriction.
```erlang
{hosts, ["domain1.localhost", "domain2.localhost", "domain3.localhost"]}.
{acl, domain1, {server_glob, "*domain1.localhost"}}.
{acl, domain2, {server_glob, "*domain2.localhost"}}.
{access, mod_filter, [{allow, admin},
{restrict_dom1, domain1},
{restrict_dom2, domain2},
{allow, all}]}.
{access, mod_filter_presence, [{allow, admin},
{restrict_dom1, domain1},
{restrict_dom2, domain2},
{allow, all}]}.
{access, mod_filter_message, [{allow, admin},
{restrict_dom1, domain1},
{restrict_dom2, domain2},
{allow, all}]}.
{access, mod_filter_iq, [{allow, admin},
{restrict_dom1, domain1},
{restrict_dom2, domain2},
{allow, all}]}.
{access, restrict_dom1, [{allow, domain1},
{deny, all}]}.
{access, restrict_dom2, [{allow, domain2},
{deny, all}]}.
```