From ae7eb92dbf8164318ce04a5ba647dee1711ac569 Mon Sep 17 00:00:00 2001
From: Christophe Romain
Date: Thu, 13 Dec 2018 18:37:27 +0100
Subject: [PATCH] Update config and put 5280 listener back

---
 ecs/Dockerfile        |  2 +-
 ecs/conf/ejabberd.yml | 27 ++++++++++++++++++++++++++-
 2 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/ecs/Dockerfile b/ecs/Dockerfile
index e8978a9..9fa31d3 100644
--- a/ecs/Dockerfile
+++ b/ecs/Dockerfile
@@ -74,7 +74,7 @@ ADD --chown=ejabberd:ejabberd https://download.process-one.net/cacert.pem conf/c
 # Set up runtime environment
 USER ejabberd
 VOLUME ["$HOME/database","$HOME/conf","$HOME/logs"]
-EXPOSE 5222 5269 5443
+EXPOSE 5222 5269 5280 5443
 ENTRYPOINT ["/home/ejabberd/bin/ejabberdctl"]
 CMD ["foreground"]
diff --git a/ecs/conf/ejabberd.yml b/ecs/conf/ejabberd.yml
index eb88a50..5166ad2 100644
--- a/ecs/conf/ejabberd.yml
+++ b/ecs/conf/ejabberd.yml
@@ -42,6 +42,25 @@ certfiles:
 ca_file: "/home/ejabberd/conf/cacert.pem"
+define_macro:
+  # TLS options for client not being able to use modern ciphers (Windows XP+, Android 3.0+)
+  CIPHERS_INTERMEDIATE: "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
+  PROTOCOL_OPTIONS_INTERMEDIATE:
+    - "no_sslv2"
+    - "no_sslv3"
+
+  # TLS options for client able to use modern ciphers (Windows 7+, Android 5.0+)
+  CIPHERS_MODERN: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
+  PROTOCOL_OPTIONS_MODERN:
+    - "no_sslv2"
+    - "no_sslv3"
+    - "no_tlsv1"
+    - "no_tlsv1_1"
+
+c2s_ciphers: CIPHERS_INTERMEDIATE
+c2s_protocol_options: PROTOCOL_OPTIONS_INTERMEDIATE
+
+
 listen:
   -
     port: 5222
@@ -68,7 +87,14 @@ listen:
       "/oauth": ejabberd_oauth
     web_admin: true
     captcha: false
+    ciphers: CIPHERS_INTERMEDIATE
+    protocol_options: PROTOCOL_OPTIONS_INTERMEDIATE
     tls: true
+  -
+    port: 5280
+    ip: "::"
+    module: ejabberd_http
+    web_admin: true
 s2s_use_starttls: optional
@@ -79,7 +105,6 @@ acl:
     ip:
       - "127.0.0.0/8"
       - "::1/128"
-      - "::FFFF:127.0.0.1/128"
 access_rules:
   local:
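Review bot: `CIPHERS_MODERN` and `PROTOCOL_OPTIONS_MODERN` are defined in the first hunk but nothing in this diff references them; only the intermediate macros are wired to `c2s_ciphers`, `c2s_protocol_options` and the 5443 listener, so unless the modern macros are used outside these hunks they are dead configuration. The intermediate list also keeps the 3DES suites (`ECDHE-ECDSA-DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA`) and leaves TLS 1.0/1.1 enabled, which the one-line comment only partly explains. Suggest recording the trade-off next to the macro, e.g. `# keeps 3DES and TLS 1.0/1.1 only for the legacy clients named above; switch c2s_ciphers to CIPHERS_MODERN once they are gone`, and, if s2s is meant to get a profile as well, pointing `s2s_ciphers` and `s2s_protocol_options` at one of the macros so the two sides do not silently diverge.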
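Review bot: The new 5280 listener at the end of the second hunk enables `web_admin: true` on an `ejabberd_http` listener bound to `ip: "::"` with no `tls: true`, so admin login credentials travel in cleartext on every interface, and `EXPOSE 5222 5269 5280 5443` in ecs/Dockerfile publishes that port from the container. The 5443 listener already serves the web admin over TLS with the intermediate profile, so the plaintext copy adds exposure without adding capability; with no `request_handlers` it appears to serve nothing but the admin UI. If 5280 is only meant for a TLS-terminating proxy or for plain HTTP handlers, drop `web_admin: true` from it and say so in a comment, e.g. `# plaintext HTTP; keep behind a TLS-terminating proxy, web admin is served on 5443`.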