File: README.txt

ejabberd-contrib 0.2020.10.21~dfsg0-5

	mod_filter - Flexible Filtering by Server Policy

	Author: Magnus Henoch <henoch@dtek.chalmers.se>
	Copyright (C) 2005 Magnus Henoch



This module allows the admin to specify packet filtering rules using ACL and ACCESS.



	EJABBERD PATCH
	==============

Since ejabberd 19.08, it is necessary to apply a small patch to ejabberd
source code in order to use complex access_rules configurations, like the
ones shown in examples 1, 2, 3, 4...

So, apply this patch to your ejabberd source code.
As you can see, it only adds one line.
Then recompile ejabberd, reinstall it and restart it:

diff --git a/src/acl.erl b/src/acl.erl
index d13c05601..c2a72fd9f 100644
--- a/src/acl.erl
+++ b/src/acl.erl
@@ -310,6 +310,7 @@ access_rules_validator() ->
       econf:non_empty(
 	econf:options(
 	  #{allow => access_validator(),
+	    '_' => access_validator(),
 	    deny => access_validator()},
 	  []))).
 
-- 
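Review bot: The added `'_' => access_validator()` entry in access_rules_validator() has no comment explaining why it is there, and if `'_'` acts as a catch-all key beside allow and deny (as the README's use of keys like restrict_local implies), a misspelled action such as `alow` would pass validation as if it named another access rule instead of being rejected at load time. Add a comment stating that the key exists so a rule can return another rule's name, and consider checking that such a key refers to a defined access rule. Since this is a local change to ejabberd's source, the text next to the patch should also say that it has to be re-applied on every ejabberd upgrade.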


	CONFIGURATION
	=============

To use this module, follow the general build instructions.
You can modify the default module configuration file like this:

To enable the module:
modules:
  mod_filter: {}

And you must also add the default access rules:
access_rules:
  mod_filter:
    - allow: all
  mod_filter_presence:
    - allow: all
  mod_filter_message:
    - allow: all
  mod_filter_iq:
    - allow: all

Rules are configured using ejabberd's ACL and ACCESS,
so you should also study the corresponding section of the ejabberd guide.
The examples below may help you understand how it works.


	EXAMPLE 1
	=========

access_rules:
  mod_filter_presence:
    - allow: all
  mod_filter_message:
    - allow: all
  mod_filter_iq:
    - allow: all
  ## Admins can send anything.  Others are restricted in various ways.
  mod_filter:
    - allow: admin
    - restrict_local: local
    - restrict_foreign: all
  ## Local non-admin users can only send messages to other local users.
  restrict_local:
    - allow: local
    - deny: all
  ## Foreign users can only send messages to admins.
  restrict_foreign:
    - allow: admin
    - deny: all


	EXAMPLE 2
	=========

In this example, the users of a private vhost (example3.org) can only chat among themselves,
so that particular vhost has no connection to the outside. The other vhosts on the
server are completely unrestricted. The administrators are also unrestricted.

## This ejabberd server has three virtual hosts
hosts:
  - "localhost"
  - "example1.org"
  - "example2.org"
  - "example3.org"

## This ACL will match any user or service (MUC, PubSub...) hosted on example3.org
acl:
  ex3server:
    server_glob:
      - "*example3.org"

access_rules:
  mod_filter_presence:
    - allow: all
  mod_filter_message:
    - allow: all
  mod_filter_iq:
    - allow: all
  ## The main mod_filter rule allows any admin, but restricts example3 and the rest of packets
  mod_filter:
    - allow: admin
    - restrict_ex3: ex3server
    - restrict_nonex3: all
  ## This rule, which applies to packets sent from Ex3 non-admin users,
  ## allows packets sent to Ex3 server (packets internal to the vhost) and denies anything else.
  restrict_ex3:
    - allow: ex3server
    - deny: all
  ## This rule, which applies to the rest of packets (the ones that are not sent from Ex3),
  ## allows all packets to admins (allowing replies to stanzas from Ex3 admins),
  ## denies all other access to Ex3, and allows access to anything else.
  restrict_nonex3:
    - allow: admin
    - deny: ex3server
    - allow: all


	EXAMPLE 4
	=========


This server has two virtual hosts, one with anonymous users. The anonymous users
cannot send presence stanzas to, or receive them from, outside their vhost.

hosts:
  - "localhost"
  - "anon.localhost.org"

## This ACL must match the anonymous vhost listed in hosts above
acl:
  anon_user:
    server_glob:
      - "*anon.localhost.org"

access_rules:
  mod_filter:
    - allow: all
  mod_filter_presence:
    - allow: admin
    - restrict_anon: anon_user
    - restrict_non_anon: all
  restrict_anon:
    - allow: anon_user
    - deny: all
  restrict_non_anon:
    - allow: admin
    - deny: anon_user
    - allow: all
  mod_filter_message:
    - allow: all
  mod_filter_iq:
    - allow: all
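
The two-step evaluation that the comments in Examples 1, 2 and 4 describe (the sender is matched first, and a result other than allow/deny names a rule that is then matched against the recipient), modelled in Python with Example 2's rules. This is an added example, not mod_filter's or ejabberd's code; the admin JID, first-match-wins ordering and deny-on-no-match are assumptions of the model.

```python
from fnmatch import fnmatchcase

# Constructed ACLs: Example 2's ex3server glob, plus an assumed admin JID
# (the README uses the 'admin' ACL without defining it).
ACLS = {
    "all": lambda jid: True,
    "admin": lambda jid: jid == "admin@example1.org",
    "ex3server": lambda jid: fnmatchcase(jid.split("@")[-1], "*example3.org"),
}

# access_rules from Example 2, as ordered (action, acl) pairs.
RULES = {
    "mod_filter": [("allow", "admin"), ("restrict_ex3", "ex3server"),
                   ("restrict_nonex3", "all")],
    "restrict_ex3": [("allow", "ex3server"), ("deny", "all")],
    "restrict_nonex3": [("allow", "admin"), ("deny", "ex3server"),
                        ("allow", "all")],
}

def match_rule(rule, jid):
    """First matching ACL wins; no match is treated as deny (assumption)."""
    for action, acl in RULES.get(rule, []):
        if ACLS[acl](jid):
            return action
    return "deny"

def check_access(sender, recipient, rule="mod_filter"):
    """Match the sender against `rule`; a result other than allow/deny
    names a second rule, which is matched against the recipient."""
    result = match_rule(rule, sender)
    if result in ("allow", "deny"):
        return result
    result = match_rule(result, recipient)
    return result if result in ("allow", "deny") else "deny"

if __name__ == "__main__":
    # Constructed sender/recipient pairs covering each branch of Example 2.
    for pair in [("alice@example3.org", "bob@example3.org"),
                 ("alice@example3.org", "carol@example1.org"),
                 ("carol@example1.org", "alice@example3.org"),
                 ("carol@example1.org", "dave@example2.org")]:
        print(pair, check_access(*pair))
```

In this model the glob "*example3.org" also matches a server name such as notexample3.org, because the leading `*` is not anchored at a dot; listing "example3.org" and "*.example3.org" as separate server_glob entries avoids that.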