Options: Listen
The listen
section specifies how MongooseIM handles incoming connections.
-
Syntax: Each listener is specified in a subsection starting with
[[listen.type]]
wheretype
is one of the allowed listener types, handling different types of incoming connections:c2s
- client-to-server XMPP connections,s2s
- server-to-server XMPP connections,service
- XMPP connections from external components,http
- HTTP connections from clients or other services.
The double-bracket syntax is used because there can be multiple listeners of a given type, so for each listener type there is a TOML array of one or more tables (subsections).
- Default: None - each listener needs to be enabled explicitly. Typical listeners are already specified in the example configuration file.
- Example: The simplest XMPP listener configuration, handling only incoming XMPP client connections:
1 2 |
|
General listener options
The options listed below are the same for all listener types. They set the basic listening socket options. Only port
is required, the rest can be used to change the default settings.
listen.*.port
- Syntax: integer, port number
- Default: no default, this option is mandatory.
- Example:
port = 5222
The port number to which the listening socket is bound.
listen.*.ip_address
- Syntax: string with the IP address
- Default: all-zeros address (e.g.
"0.0.0.0"
for IPv4) - Example:
ip_address = "127.0.0.1"
The IP address to which the listening socket is bound.
listen.*.proto
- Syntax: string, only
"tcp"
is accepted - Default:
"tcp"
- Example:
proto = "tcp"
The protocol, which is TCP by default. Currently this is the only valid option.
listen.*.ip_version
- Syntax: integer,
4
or6
- Default: if
ip_address
is specified, the IP version is determined from that address, otherwise it is4
- Example:
ip_version = 6
Allows to set the IP version to IPv6. Does not need to be set if ip_address
is defined.
XMPP listener options
The options listed below can be set for the c2s
, s2s
and service
listeners to adjust their parameters.
listen.*.backlog
- Syntax: positive integer
- Default:
1024
- Example:
backlog = 1000
Overrides the default TCP backlog value.
listen.*.proxy_protocol
- Syntax: boolean
- Default:
false
- Example:
proxy_protocol = true
When set to true
, Proxy Protocol is enabled and each connecting client has to provide a proxy header. Use only with a proxy (or a load balancer) to allow it to provide the connection details (including the source IP address) of the original client. Versions 1 and 2 of the protocol are supported.
listen.*.hibernate_after
- Syntax: non-negative integer or the string
"infinity"
- Default:
0
- Example:
hibernate_after = 10
Time in milliseconds after which a client process spawned by this listener will hibernate. Hibernation greatly reduces memory consumption of client processes, but may result in increased CPU consumption if a client is used very frequently. The default, recommended value of 0 means that the client processes will hibernate at every opportunity.
listen.*.max_stanza_size
- Syntax: positive integer or the string
"infinity"
- Default:
"infinity"
- Example:
max_stanza_size = 10_000
Maximum allowed incoming stanza size in bytes.
Warning
This limit is checked after the input data parsing, so it does not apply to the input data size itself.
listen.*.num_acceptors
- Syntax: positive integer
- Default:
100
- Example:
num_acceptors = 200
The number of processes accepting new connections on the listening socket.
Client-to-server (C2S): [[listen.c2s]]
Handles XMPP client-to-server (C2S) connections. The recommended port number for a C2S listener is 5222 as registered in the XMPP protocol. The following options are supported for each C2S listener:
listen.c2s.access
- Syntax: string, rule name or
"all"
- Default:
"all"
- Example:
access = "c2s"
The rule that determines who is allowed to connect. By default the rule is "all"
, which means that anyone can connect. The rule referenced here needs to be defined in the access
configuration section.
listen.c2s.shaper
- Syntax: string, rule name
- Default:
"none"
(no shaper) - Example:
shaper = "c2s_shaper"
The rule that determines what traffic shaper is used to limit the incoming XMPP traffic to prevent the server from being flooded with incoming data.
The rule referenced here needs to be defined in the access
configuration section.
The value of the access rule needs to be either the shaper name or the string "none"
, which means no shaper.
listen.c2s.max_connections
- Syntax: positive integer or the string
"infinity"
- Default:
"infinity"
- Example:
max_connections = 10000
Maximum number of open connections. This is a soft limit according to the Ranch documentation.
listen.c2s.c2s_state_timeout
- Syntax: non-negative integer or the string
"infinity"
- Default:
5000
- Example:
c2s_state_timeout = 10_000
Timeout value (in milliseconds) used by the C2S state machine when waiting for the connecting client to respond during stream negotiation and SASL authentication. After the timeout the server responds with the connection-timeout
stream error and closes the connection.
listen.c2s.reuse_port
- Syntax: boolean
- Default:
false
- Example:
reuse_port = true
Enables linux support for SO_REUSEPORT
, see Stack Overflow for more details.
listen.c2s.backwards_compatible_session
- Syntax: boolean
- Default:
true
- Example:
backwards_compatible_session = false
Enables backward-compatible session establishement IQs. See https://www.rfc-editor.org/rfc/rfc6121.html#section-1.4:
[RFC3921] specified one additional precondition: formal establishment of an instant messaging and presence session. Implementation and deployment experience has shown that this additional step is unnecessary. However, for backward compatibility an implementation MAY still offer that feature. This enables older software to connect while letting newer software save a round trip.
listen.c2s.allowed_auth_methods
- Syntax: array of strings. Allowed values:
"internal"
,"rdbms"
,"external"
,"anonymous"
,"ldap"
,"jwt"
,"http"
,"pki"
,"dummy"
- Default: not set
- Example:
allowed_auth_methods = ["internal"]
A subset of enabled methods to login with for this listener.
This option allows to enable only some backends.
It is useful, if you want to have several listeners for different type of users (for example, some users use PKI while other users use LDAP auth).
Same syntax as for auth.methods
option.
TLS options for C2S
To enable TLS, a TOML subsection called tls
has to be present in the listener options.
To disable TLS, make sure that the section is not present, and no TLS options are set.
You can set the following options in this section:
listen.c2s.tls.mode
- Syntax: string, one of
"tls"
,"starttls"
,"starttls_required"
- Default:
"starttls"
- Example:
tls.mode = "starttls"
This option determines how clients are supposed to set up the TLS encryption:
tls
- clients must initiate a TLS session immediately after connecting, before beginning the normal XML stream,starttls
- enables StartTLS support; requirescertfile
,starttls_required
- enables and enforces StartTLS usage.
listen.c2s.tls.module
- Syntax: string, one of
"just_tls"
,"fast_tls"
- Default:
"fast_tls"
- Example:
tls.module = "just_tls"
By default the TLS library used for C2S connections is fast_tls
, which uses OpenSSL-based NIFs. It is possible to change it to just_tls
- Erlang TLS implementation provided by OTP. Some TLS-related options described here have different formats for these two libraries.
listen.c2s.tls.verify_mode
- Syntax: string, one of
"peer"
,"selfsigned_peer"
,"none"
- Default:
"peer"
- Example:
tls.verify_mode = "none"
Specifies the way client certificate verification works:
peer
- makes sure the client certificate is valid and signed by a trusted CA. Requires a validcacertfile
.selfsigned_peer
- makes sure the client certificate is valid, but allows self-signed certificates; supported only byjust_tls
. Requires a validcacertfile
.none
- client certificate is not checked.
listen.c2s.tls.certfile
- Syntax: string, path in the file system
- Default: not set
- Example:
tls.certfile = "server.pem"
Path to the X509 PEM file with a certificate and a private key (not protected by a password). If the certificate is signed by an intermediate CA, you should specify here the whole CA chain by concatenating all public keys together and appending the private key after that.
Note
For just_tls
this file should only contain the certificate and the path to the private key can be provided separately as keyfile
.
listen.c2s.tls.cacertfile
- Syntax: string, path in the file system
- Default: not set
- Example:
tls.cacertfile = "ca.pem"
Path to the X509 PEM file with a CA chain that will be used to verify clients. It won't have any effect if verify_mode
is "none"
.
listen.c2s.tls.dhfile
- Syntax: string, path in the file system
- Default: not set
- Example:
tls.dhfile = "dh.pem"
Path to the Diffie-Hellman parameter file.
listen.c2s.tls.ciphers
- Syntax: string with the OpenSSL cipher suite specification
- Default: for
fast_tls
the default is"TLSv1.2:TLSv1.3"
. Forjust_tls
this option is not set by default - all supported suites are accepted. - Example:
tls.ciphers = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384"
Cipher suites to use with StartTLS or TLS. Please refer to the OpenSSL documentation for the cipher string format. For fast_tls
, this string can be used to specify versions as well. For just_tls
, see the Erlang/OTP SSL documentation for allowed values.
listen.c2s.tls.protocol_options
- only for fast_tls
- Syntax: array of strings
- Default:
["no_sslv2", "no_sslv3", "no_tlsv1", "no_tlsv1_1"]
- Example:
tls.protocol_options = ["no_tlsv1", "no_tlsv1_1"]
A list of OpenSSL options for FastTLS. You can find the mappings between supported options and actual OpenSSL flags in the fast_tls
source code.
listen.c2s.tls.keyfile
- only for just_tls
- Syntax: string, path in the file system
- Default: not set
- Example:
tls.keyfile = "key.pem"
Path to the X509 PEM file with the private key.
listen.c2s.tls.password
- only for just_tls
- Syntax: string
- Default: not set
- Example:
tls.password = "secret"
Password to the X509 PEM file with the private key.
listen.c2s.tls.disconnect_on_failure
- only for just_tls
- Syntax: boolean
- Default:
true
- Example:
tls.disconnect_on_failure = false
listen.c2s.tls.versions
- only for just_tls
- Syntax: array of strings
- Default: not set, all supported versions are accepted
- Example:
tls.versions = ["tlsv1.2", "tlsv1.3"]
TLS versions to use with StartTLS or TLS. For allowed values, see the Erlang/OTP SSL documentation
listen.c2s.tls.crl_files
- only for just_tls
- Syntax: array of strings, paths in the file system
- Default: not set
- Example:
tls.crl_files = ["certs.crl"]
Specifies the paths to Certificate Revocation Lists.
C2S Example
The following section configures two C2S listeners.
1 2 3 4 5 6 7 8 9 10 11 12 13 |
|
- One at port 5222, which accepts a plain TCP connection and allows to use StartTLS for upgrading it to an encrypted one. The files containing the certificate and the DH parameter are also provided.
- One at port 5223, which accepts only encrypted TLS connections - this is the legacy method as StartTLS is preferred.
Both listeners use c2s
and c2s_shaper
rules for access management and traffic shaping, respectively.
Server-to-server (S2S): [[listen.s2s]]
Handles incoming server-to-server (S2S) connections (federation). The recommended port number for an S2S listener is 5269 as registered in the XMPP protocol.
Note
Many S2S options are configured in the s2s
section of the configuration file, and they apply to both incoming and outgoing connections.
listen.s2s.shaper
- Syntax: string, name of the shaper rule or
"none"
- Default:
"none"
- no shaper - Example:
shaper = "s2s_shaper"
Name of the rule that determines what traffic shaper is used to limit the incoming XMPP traffic to prevent the server from being flooded with incoming data. The rule referenced here needs to be defined in the access
config section and it should return the shaper name or the value "none"
.
TLS options for S2S
S2S connections do not use TLS encryption unless enabled with the use_starttls
option in the s2s
section.
You can specify additional options of the TLS encryption in the tls
subsection of the listener configuration. Accepted options are: verify_mode
, certfile
, cacertfile
, dhfile
, ciphers
and protocol_options
. They have the same semantics as the corresponding c2s options for fast_tls
.
S2S Example
The following section configures an S2S listener with some basic settings set up.
The s2s_shaper
access rule is used, which requires a definition in the access
section.
1 2 3 4 5 |
|
XMPP Components: [[listen.service]]
Interface for external services acting as XMPP components (XEP-0114: Jabber Component Protocol), enabling communication between MongooseIM and external services over the XMPP network. The recommended port number for a component listener is 8888.
According to XEP-0114: Jabber Component Protocol the component's hostname should be given in the
Warning
This interface does not support dynamic domains. Do not use them both at the same time.
listen.service.access
- Syntax: string, rule name or
"all"
- Default:
"all"
- Example:
access = "component"
Determines who is allowed to send data to external components. By default the rule is all
, which means that anyone can communicate with the components.
listen.service.password
- Syntax: string
- Default: no default, this option is mandatory
- Example:
password = "secret"
The external component needs to authenticate with this password to connect.
listen.service.shaper_rule
- Syntax: string, name of the shaper
- Default:
"none"
- Example:
shaper = "component_shaper"
The traffic shaper used to limit the XMPP traffic to prevent the server from being flooded with incoming data.
Contrary to the C2S and S2S shapers, here the shaper name directly references the shaper that needs to be defined in the shaper
section.
listen.service.check_from
- Syntax: boolean
- Default:
true
- Example:
check_from = false
Specifies whether the server should verify the "from" field in stanzas from the component.
listen.service.hidden_components
- Syntax: boolean
- Default:
false
- Example:
hidden_components = true
All components connected to an endpoint with this option enabled will be considered "hidden".
Hidden components have a special flag enabled in the internal component table.
Alone, it doesn't change the server behaviour in any way, but it may be used by other modules and extensions to execute special logic.
An example would be mod_disco
, which may be configured to filter out hidden components from disco results, so they won't be discoverable by clients.
A reason to do so could be reduced traffic - systems with many components could return very long disco responses.
Also, some deployments would like to avoid revealing some services; not because it is a security threat (this method does not prevent clients from communicating with hidden components), but rather because they are not meant to interact with clients directly (e.g. helper components for other components).
listen.service.conflict_behaviour
- Syntax: string, one of:
"disconnect"
,"kick_old"
- Default:
"disconnect"
- Example:
conflict_behaviour = "kick_old"
By default, when a component tries to connect and a registration conflict occurs, the connection is dropped with the following error:
1 2 3 4 |
|
It makes implementing the reconnection logic difficult, because the old connection would not allow any other connections.
By setting this option to kick_old
, we drop any old connections registered at the same host before accepting new ones.
listen.service.max_fsm_queue
- Syntax: positive integer
- Default: not set - no limit
- Example:
max_fsm_queue = 1000
Message queue limit to prevent resource exhaustion; overrides the value set in the general
section.
Custom extension to the protocol
In order to register a component for all virtual hosts served by the server (see hosts
in the general
section), the component must add the attribute is_subdomain="true"
to the opening stream element.
This maybe helpful if someone wants to have a single instance of a component serving multiple virtual hosts.
The is_subdomain
attribute is optional and the default behaviour is as described in XEP-0114: Jabber Component Protocol.
Service listener example
The following section configures a service listener, accepting connections from external components.
The IP address is limited to loopback to prevent connections from different hosts.
All components are allowed to connect, but they need to provide the password.
The shaper named fast
needs to be defined in the shaper
section.
1 2 3 4 5 6 |
|
HTTP-based services: [[listen.http]]
Manages all HTTP-based services, such as BOSH (HTTP long-polling), WebSocket, GraphQL and REST. It uses the Cowboy web server. Recommended port number: 5280 for BOSH/WS.
There are the following options for each of the HTTP listeners:
listen.http.handlers
-
Syntax: each handler is specified in a subsection starting with
[[listen.http.handlers.type]]
wheretype
is one of the allowed handler types, handling different connection types:mod_bosh
- for BOSH connections,mod_websockets
- for WebSocket connections,mongoose_graphql_handler
- for GraphQL API,mongoose_admin_api
,mongoose_client_api
- for REST API.
These types are described below in more detail. The double-bracket syntax is used because there can be multiple handlers of a given type, so for each type there is a TOML array of one or more tables (subsections).
-
Default:
[]
- no handlers enabled, all of them need to be specified explicitly. - Example: two handlers, one for BOSH and one for WebSockets
1 2 3 4 5 6 7
[[listen.http.handlers.mod_bosh]] host = "_" path = "/http-bind" [[listen.http.handlers.mod_websockets]] host = "_" path = "/ws-xmpp"
Common handler options
listen.http.handlers.*.host
- Syntax: string
- Default: no default, mandatory option
- Example:
host = "localhost"
Host name for this handler or "_"
for any host.
listen.http.handlers.*.path
- Syntax: string
- Default: no default, mandatory option
- Example:
path = "/ws-xmpp"
Path for this handler.
Handler types: BOSH - mod_bosh
The recommended configuration is shown in Example 1 below.
To handle incoming BOSH traffic you need to configure the mod_bosh
module in the modules
section as well.
Handler types: WebSockets - mod_websockets
The recommended configuration is shown in Example 1 below. Websocket connections as defined in RFC 7395. You can pass the following optional parameters:
listen.http.handlers.mod_websockets.timeout
- Syntax: non-negative integer or the string
"infinity"
- Default:
"infinity"
- Example:
timeout = 60_000
The time (in milliseconds) after which an inactive user is disconnected.
listen.http.handlers.mod_websockets.ping_rate
- Syntax: positive integer
- Default: not set - pings disabled
- Example:
ping_rate = 10_000
The time (in milliseconds) between pings sent by server. By setting this option you enable server-side pinging.
listen.http.handlers.mod_websockets.max_stanza_size
- Syntax: positive integer or the string
"infinity"
- Default:
"infinity"
- Example:
max_stanza_size = 10_000
Maximum allowed incoming stanza size in bytes.
Warning
This limit is checked after the input data parsing, so it does not apply to the input data size itself.
listen.http.handlers.mod_websockets.c2s_state_timeout
Same as the C2S option
listen.http.handlers.mod_websockets.backwards_compatible_session
Same as the C2S option
Handler types: GraphQL API - mongoose_graphql_handler
For more information about the API, see the Admin interface and User interface documentation. The following options are supported for this handler:
listen.http.handlers.mongoose_graphql_handler.schema_endpoint
- Syntax: string, one of
"admin"
,"domain_admin"
,"user"
- Default: no default, this option is mandatory
- Example:
schema_endpoint = "admin"
Specifies the schema endpoint:
admin
- Endpoint with the admin commands. A global admin has permission to execute all commands. See the recommended configuration - Example 2.domain_admin
- Endpoint with the admin commands. A domain admin has permission to execute only commands with the owned domain. See the recommended configuration - Example 3.user
- Endpoint with the user commands. Used to manage the authorized user. See the recommended configuration - Example 4.
listen.http.handlers.mongoose_graphql_handler.username
- only for admin
- Syntax: string
- Default: not set
- Example:
username = "admin"
When set, enables authentication for the admin API, otherwise it is disabled. Requires setting password
.
listen.http.handlers.mongoose_graphql_handler.password
- only for admin
- Syntax: string
- Default: not set
- Example:
password = "secret"
listen.http.handlers.mongoose_graphql_handler.allowed_categories
- Syntax: non-empty array of strings. Allowed values:
"checkAuth", "account", "domain", "last", "muc", "muc_light", "session", "stanza", "roster", "vcard", "private", "metric", "stat", "gdpr", "mnesia", "server", "inbox", "http_upload", "offline", "token"
- Default: all GraphQL categories enabled
- Example:
allowed_categories = ["domain", "last"]
By default, when the option is not included, all GraphQL categories are enabled, so you don't need to add this option. When this option is added, only listed GraphQL categories will be processed. For others, the error "category disabled" will be returned.
Handler types: REST API - Admin - mongoose_admin_api
The recommended configuration is shown in Example 5 below. For more information about the API, see the REST interface documentation. The following options are supported for this handler:
listen.http.handlers.mongoose_admin_api.username
- Syntax: string
- Default: not set
- Example:
username = "admin"
When set, enables authentication for the admin API, otherwise it is disabled. Requires setting password
.
listen.http.handlers.mongoose_admin_api.password
- Syntax: string
- Default: not set
- Example:
password = "secret"
Required to enable authentication for the admin API.
listen.http.handlers.mongoose_admin_api.handlers
- Syntax: array of strings. Allowed values:
"contacts"
,"users"
,"sessions"
,"messages"
,"stanzas"
,"muc_light"
,"muc"
,"inbox"
,"domain"
,"metrics"
. - Default: all API handler modules enabled
- Example:
handlers = ["domain"]
The admin API consists of several handler modules, each of them implementing a subset of the functionality. By default all modules are enabled, so you don't need to change this option.
Handler types: REST API - Client - mongoose_client_api
The recommended configuration is shown in Example 6 below. Please refer to REST interface documentation for more information. The following options are supported for this handler:
listen.http.handlers.mongoose_client_api.handlers
- Syntax: array of strings. Allowed values:
"sse"
,"messages"
,"contacts"
,"rooms"
,"rooms_config"
,"rooms_users"
,"rooms_messages"
. - Default: all API handler modules enabled
- Example:
handlers = ["messages", "sse"]
The client API consists of several handler modules, each of them implementing a subset of the functionality. By default all modules are enabled, so you don't need to change this option.
listen.http.handlers.mongoose_client_api.docs
- Syntax: boolean
- Default:
true
- Example:
docs = "false"
The Swagger documentation of the client API is hosted at the /api-docs
path.
You can disable the hosted documentation by setting this option to false
.
Transport options
The options listed below are used to modify the HTTP transport settings.
listen.http.transport.num_acceptors
- Syntax: positive integer
- Default:
100
- Example:
transport.num_acceptors = 10
Number of HTTP connection acceptors.
listen.http.transport.max_connections
- Syntax: positive integer or the string
"infinity"
- Default:
1024
- Example:
transport.max_connections = "infinity"
Maximum number of open connections. The default value of 1024 is set by the Ranch library.
TLS (HTTPS) options
By default the HTTP listener does not use TLS.
To use TLS (HTTPS), you need to add a TOML table (subsection) called tls
to the config file with the certfile
and keyfile
options that specify the location of the certificate and private key files, respectively.
If the keyfile is password-protected, password
is required as well.
If the certificate is signed by an intermediate CA, one will probably want to specify the CA chain with the cacertfile
option.
The library used for HTTP is the Erlang TLS implementation provided by OTP - see ranch_ssl for details.
The options accepted here are: verify_mode
, certfile
, cacertfile
, ciphers
, keyfile
, password
, versions
, dhfile
. They have the same semantics as the corresponding c2s options for just_tls
.
Protocol options
These are some additional options of the HTTP protocol.
listen.http.protocol.compress
- Syntax: boolean
- Default: false
- Example:
protocol.compress = "true"
Compresses response bodies automatically when the client supports it.
HTTP listener examples
The examples shown below are included in the provided default configuration file.
Example 1. BOSH and WS
The following listener accepts BOSH and WebSocket connections and has TLS configured.
1 2 3 4 5 6 7 8 9 10 11 12 13 |
|
Example 2. Admin GraphQL API
GraphQL API for administration, the listener is bound to 127.0.0.1 for increased security. The number of acceptors and connections is specified (reduced).
1 2 3 4 5 6 7 8 9 10 11 12 13 |
|
Example 3. Domain Admin GraphQL API
GraphQL API for the domain admin.
1 2 3 4 5 6 7 8 9 10 |
|
Example 4. User GraphQL API
GraphQL API for the user.
1 2 3 4 5 6 7 8 9 10 |
|
Example 5. Admin REST API
REST API for administration, the listener is bound to 127.0.0.1
for increased security.
The number of acceptors and connections is specified (reduced).
Basic HTTP authentication is used as well.
1 2 3 4 5 6 7 8 9 10 11 |
|
Example 6. Client REST API
REST API for clients.
1 2 3 4 5 6 7 8 |
|