From d342857b198dbc892f12fa3d515abded7c6d885f Mon Sep 17 00:00:00 2001
From: Y
Date: Sun, 25 Mar 2018 18:59:31 +0200
Subject: [PATCH] initial configuration

---
 README.adoc | 56 ++++++++++++++++
 haproxy.cfg | 36 +++++++++++
 journal.log | 165 ++++++++++++++++++++++++++++++++++++++++++++++++
 nftables.conf | 64 +++++++++++++++++++
 nginx.conf | 71 +++++++++++++++++++++
 prosody.cfg.lua | 121 +++++++++++++++++++++++++++++++++++
 ssowat.json | 10 +++
 7 files changed, 523 insertions(+)
 create mode 100644 README.adoc
 create mode 100644 haproxy.cfg
 create mode 100644 journal.log
 create mode 100644 nftables.conf
 create mode 100644 nginx.conf
 create mode 100644 prosody.cfg.lua
 create mode 100644 ssowat.json
diff --git a/README.adoc b/README.adoc
new file mode 100644
index 0000000..6f2c82a
--- /dev/null
+++ b/README.adoc
@@ -0,0 +1,56 @@ += XMPP file-upload not working. + +== Problem + +When I want to upload a photo to a group-chat using Gajim, I can see on the server that a directory is created to receive the image, but the image never gets there. +Thus, Gajim reports an empty file (actually a 404 error, according to Nginx). + +== Configuration + +My PC (XMPP client) runs Gajim on Archlinux. +The PC has IP 192.168.1.99. + +The server runs Archlinux too. +Here is the network setup: + +[ditaa] +------- + +-----------------------------------------------------------------+ + | Server | + | +-----------+ +----------------+ +-------------------------+ | ++----+ | | nftables | | haproxy (tcp) | | nginx : /…/https+.pp | | +| PC +->+->+ :443 dnat +->+ :444 tls_plus +->+ ↓ | | ++--+-+ | | → :444 OK | | → /…/https+.pp | | /---------------------\ | | + | | +-----------+ +----------------+ | | ssowat | | | + | | | | "/x…": pass-through | | | + | | +---------------+ | \---------------------/ | | + | | | prosody | | ↓ | | + \--->+->+ :5222 :5280 +<-----------------+ location /xmpp- { … } | | + | +---------------+ +-------------------------+ | + | | + +-----------------------------------------------------------------+ +------- + +== Versions + +PC:: + * Archlinux kernel 4.15.11 + * Gajim 1.0.0 + * Gajim plugin httpupload 0.4.6 + +Server:: + * Archlinux kernel 4.15.11 + * nftables 0.8.3 + * haproxy 1.8.4 + * nginx 1.13.10 + * ssowat-git (my fork) + * prosody 0.10.0 + * prosody-mod-auth-external-hg r2944.37ec4c2f319a + * prosody-mod-auto-accept-subscriptions-hg r2944.37ec4c2f319a + * prosody-mod-csi-hg r2944.37ec4c2f319a + * prosody-mod-filter-chatstates-hg r2944.37ec4c2f319a + * prosody-mod-http-upload r2944.37ec4c2f319a + * prosody-mod-mam-adhoc 0.10.0 + * prosody-mod-offline-email-hg r2944.37ec4c2f319a + * prosody-mod-smacks 2017.08.27 + * prosody-mod-throttle_presence r2944.37ec4c2f319a diff --git a/haproxy.cfg b/haproxy.cfg new file mode 100644 index 0000000..a3cdd24 --- /dev/null 
+++ b/haproxy.cfg
@@ -0,0 +1,36 @@
+global
+ tune.ssl.default-dh-param 2048
+ ssl-default-bind-ciphers …
+ ssl-default-bind-options …
+ ssl-default-server-ciphers …
+ ssl-default-server-options …
+ log /dev/log local0 info
+ pidfile /run/haproxy.pid
+ daemon
+
+defaults
+ mode tcp
+ timeout connect 5s
+ timeout client 5m
+ timeout server 5m
+ timeout tunnel 1h
+ timeout client-fin 5s
+ timeout server-fin 5s
+ log global
+ option logasap
+ option log-separate-errors
+ log-format "%ci:%cp [%t] %ft %b[%bi:%bp]/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq"
+
+frontend tls
+ bind :443 ssl crt /etc/haproxy/tls.pem
+ default_backend https
+
+backend https
+ server nginx unix@/run/shared_sockets/https.pp send-proxy
+
+frontend tls_plus
+ bind :444 ssl crt /etc/haproxy/tls.pem
+ default_backend https_plus
+
+backend https_plus
+ server nginx unix@/run/shared_sockets/https+.pp send-proxy
diff --git a/journal.log b/journal.log
new file mode 100644
index 0000000..1f482dc
--- /dev/null
+++ b/journal.log
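Review bot: `frontend tls_plus` binds `:444` on every interface with no source restriction of its own, so the "privileged" split rests entirely on the nftables redirect and its input-drop policy; a second layer in haproxy is two tokens under the `bind :444` line, `tcp-request connection reject if !{ src 192.168.1.96/29 }`, and it keeps the backend closed if the firewall rule is ever lost. The four `ssl-default-*` lines are elided with `…`, so the cipher and option policy (minimum TLS version, `no-sslv3`) cannot be reviewed from this patch. `option logasap` logs before the response completes, which is why the haproxy line in journal.log shows `+61` and `+0` for timing and bytes; that is fine for a TCP tunnel, but a one-line comment, `# logasap: byte/time counters in the log are partial`, would save the next reader from hunting for missing counts.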
@@ -0,0 +1,165 @@ +mars 25 16:59:13 seuil3 prosody[68]: c2s15782d0: Handled 63 incoming stanzas +mars 25 16:59:13 seuil3 prosody[68]: c2s15782d0: Received[c2s]: +mars 25 16:59:13 seuil3 prosody[68]: c2s15782d0: Given upload slot "O-_77OOdwpLXIh5P/IMG_20180127_094908.jpg" +mars 25 16:59:13 seuil3 prosody[68]: c2s15782d0: #queue = 1 +mars 25 16:59:13 seuil3 prosody[68]: c2s15782d0: Queuing (in a moment) +mars 25 16:59:13 seuil3 prosody[68]: c2s15782d0: Received[c2s]: +mars 25 16:59:13 seuil3 prosody[68]: yalis.fr:smacks: Received ack request, acking for 63 +mars 25 16:59:13 seuil3 prosody[68]: c2s15782d0: Sending (inside timer, before send) +mars 25 16:59:13 seuil3 prosody[68]: c2s15782d0: Sending (inside timer, after send) +mars 25 16:59:13 seuil3 prosody[68]: c2s15782d0: Received[c2s]: +mars 25 16:59:13 seuil3 prosody[68]: c2s15782d0: #queue = 0 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: epoll: fd:8 ev:0001 d:00007FDEB23F31F0 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: accept on unix:/run/shared_sockets/https+.pp, ready: 0 +mars 25 16:59:13 seuil3 haproxy[78]: 192.168.1.99:58576 [25/Mar/2018:16:59:13.458] tls_plus~ https_plus[unix:0]/nginx 61/1/+61 +0 -- 8/3/3/3/0 0/0 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: posix_memalign: 0000559D717FB940:512 @16 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 accept: unix: fd:23 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 event timer add: 23: 60000:102301826 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 reusable connection: 1 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 epoll add event: fd:23 op:1 ev:80002001 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: timer delta: 205 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: worker cycle 
+mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: epoll timer: 23235 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: epoll: fd:23 ev:0001 d:00007FDEB23F35B0 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 posix_memalign: 0000559D71A67000:4096 @16 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http process request header line +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: shmtx lock +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: shmtx unlock +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 post access phase: 13 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 generic phase: 14 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 generic phase: 15 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http request body content length filter +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 malloc: 0000559D71809030:8192 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http read client request body +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 recv: eof:0, avail:0 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http request count:2 blk:0 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 recv: fd:23 8192 of 8192 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 temp fd:25 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [warn] 1898#1898: *34 a client request body is buffered to a temporary file /var/lib/nginx/client-body/0000000001, client: 192.168.1.99, server: , request: "PUT /xmpp-upload/O-_77OOdwpLXIh5P/IMG_20180127_094908.jpg HTTP/1.1", host: "yalis.fr" +mars 25 16:59:13 
seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 write: 25, 0000559D71809030, 8192, 0 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 recv: eof:0, avail:1 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 recv: fd:23 8192 of 8192 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http client request body recv 8192 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http body new buf t:1 f:0 0000559D71809030, pos 0000559D71809030, size: 8192 file: 0, size: 0 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http write client request body, bufs 0000559D719FAD28 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 write: 25, 0000559D71809030, 8192, 8192 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 recv: eof:0, avail:1 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 recv: fd:23 8192 of 8192 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http client request body recv 8192 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http body new buf t:1 f:0 0000559D71809030, pos 0000559D71809030, size: 8192 file: 0, size: 0 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 recv: eof:0, avail:1 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 write: 25, 0000559D71809030, 8192, 24576 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http write client request body, bufs 0000559D719FAD28 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 recv: fd:23 8192 of 8192 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 recv: eof:0, avail:1 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: 
*34 recv: eof:0, avail:1 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 write: 25, 0000559D71809030, 8192, 57344 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http body new buf t:1 f:0 0000559D71809030, pos 0000559D71809030, size: 8192 file: 0, size: 0 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 recv: eof:0, avail:1 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http body new buf t:1 f:0 0000559D71809030, pos 0000559D71809030, size: 8192 file: 0, size: 0 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 recv: eof:0, avail:1 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 recv: eof:0, avail:1 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http body new buf t:1 f:0 0000559D71809030, pos 0000559D71809030, size: 8192 file: 0, size: 0 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http body new buf t:1 f:0 0000559D71809030, pos 0000559D71809030, size: 8192 file: 0, size: 0 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 recv: fd:23 8192 of 8192 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 recv: eof:0, avail:1 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 recv: eof:0, avail:1 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http write client request body, bufs 0000559D719FAD28 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http body new buf t:1 f:0 0000559D71809030, pos 0000559D71809030, size: 8192 file: 0, size: 0 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 recv: fd:23 8192 of 8192 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 recv: eof:0, avail:1 +mars 25 16:59:13 
seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 write: 25, 0000559D71809030, 8192, 147456 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http client request body recv 8192 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 recv: fd:23 8192 of 8192 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 recv: eof:0, avail:1 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http client request body recv 8192 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 recv: eof:0, avail:1 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 recv: eof:0, avail:1 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 recv: eof:0, avail:1 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http write client request body, bufs 0000559D719FAD28 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 write: 25, 0000559D71809030, 8192, 548864 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 recv: eof:0, avail:1 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 recv: fd:23 8192 of 8192 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http client request body recv 8192 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http body new buf t:1 f:0 0000559D71809030, pos 0000559D71809030, size: 8192 file: 0, size: 0 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http write client request body, bufs 0000559D719FAD28 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 write: 25, 0000559D71809030, 8192, 557056 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 recv: eof:0, avail:1 +mars 25 16:59:13 seuil3 
nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 recv: fd:23 8192 of 8192 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http client request body recv 8192 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http body new buf t:1 f:0 0000559D71809030, pos 0000559D71809030, size: 8192 file: 0, size: 0 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 recv: fd:23 8192 of 8192 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http client request body recv 8192 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http body new buf t:1 f:0 0000559D71809030, pos 0000559D71809030, size: 8192 file: 0, size: 0 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http write client request body, bufs 0000559D719FAD28 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 write: 25, 0000559D71809030, 8192, 614400 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 recv: eof:0, avail:1 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 recv: fd:23 8192 of 8192 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http client request body recv 8192 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http body new buf t:1 f:0 0000559D71809030, pos 0000559D71809030, size: 8192 file: 0, size: 0 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http write client request body, bufs 0000559D719FAD28 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 write: 25, 0000559D71809030, 8192, 622592 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 write: 25, 0000559D71809030, 8192, 671744 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 recv: 
eof:0, avail:1 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 recv: fd:23 8192 of 8192 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http client request body recv 8192 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http body new buf t:1 f:0 0000559D71809030, pos 0000559D71809030, size: 8192 file: 0, size: 0 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http write client request body, bufs 0000559D719FAD28 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 write: 25, 0000559D71809030, 8192, 679936 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 recv: eof:0, avail:1 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 recv: fd:23 7284 of 7284 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http client request body recv 7284 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http body new buf t:1 f:0 0000559D71809030, pos 0000559D71809030, size: 7284 file: 0, size: 0 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 epoll add connection: fd:26 ev:80002005 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 connect to 127.0.0.1:5280, fd:26 #35 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http upstream connect: -2 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 posix_memalign: 0000559D719D07E0:128 @16 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 event timer add: 26: 60000:102301829 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 sendfile: 695412 of 695412 @0 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 chain writer out: 0000000000000000 +mars 25 16:59:13 
seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 event timer del: 26: 102301829 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 event timer add: 26: 60000:102301877 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: timer delta: 48 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: worker cycle +mars 25 16:59:13 seuil3 prosody[68]: socket: accepted incoming client connection from: 127.0.0.1 45972 to 5280 +mars 25 16:59:13 seuil3 prosody[68]: http.server: Firing event: PUT yalis.fr/xmpp-upload/O-_77OOdwpLXIh5P/IMG_20180127_094908.jpg +mars 25 16:59:13 seuil3 prosody[68]: socket: try to close client connection with id: 1111f80 +mars 25 16:59:13 seuil3 prosody[68]: socket: closing delayed until writebuffer is empty +mars 25 16:59:13 seuil3 prosody[68]: socket: closing client after writing +mars 25 16:59:13 seuil3 prosody[68]: socket: closing client with id: 1111f80 client to close +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: epoll: fd:26 ev:2005 d:00007FDEB23F3880 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http upstream request: "/xmpp-upload/O-_77OOdwpLXIh5P/IMG_20180127_094908.jpg?" 
+mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http upstream process header +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 malloc: 0000559D719F3C40:4096 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 recv: eof:1, avail:1 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 recv: fd:26 470 of 4096 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http proxy status 404 "404 Not Found" +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http proxy header: "Connection: close" +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http proxy header: "Content-Length: 367" +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http proxy header: "Date: Sun, 25 Mar 2018 14:59:13 GMT" +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http proxy header done +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 add cleanup: 0000559D71A15288 +mars 25 16:59:13 seuil3 nginx[1898]: [310B blob data] +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http write filter: l:0 f:0 s:271 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http proxy filter init s:404 h:0 c:0 l:367 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http upstream process non buffered downstream +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http output filter "/xmpp-upload/O-_77OOdwpLXIh5P/IMG_20180127_094908.jpg?" +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http copy filter: "/xmpp-upload/O-_77OOdwpLXIh5P/IMG_20180127_094908.jpg?" 
+mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http write filter: l:0 f:1 s:638 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http output filter "/xmpp-upload/O-_77OOdwpLXIh5P/IMG_20180127_094908.jpg?" +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http lingering close handler +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: epoll: fd:23 ev:2015 d:00007FDEB23F35B0 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: epoll_wait() error on fd:23 ev:2015 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http lingering close handler +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 recv: eof:1, avail:1 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 recv: fd:23 0 of 4096 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 lingering read: 0 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http request count:1 blk:0 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http close request +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 http log handler +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 run cleanup: 0000559D71A15288 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 run cleanup: 0000559D71A67F90 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 free: 0000559D719F3C40 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 free: 0000559D71A67000, unused: 0 +mars 25 16:59:13 seuil3 nginx[1898]: 2018/03/25 16:59:13 [debug] 1898#1898: *34 free: 0000559D717FB940, unused: 16 +mars 25 16:59:14 seuil3 nginx[1898]: 2018/03/25 16:59:14 [debug] 1898#1898: epoll: fd:22 ev:0005 
d:00007FDEB23F36A1
diff --git a/nftables.conf b/nftables.conf
new file mode 100644
index 0000000..cf60e56
--- /dev/null
+++ b/nftables.conf
@@ -0,0 +1,64 @@
+#!/usr/bin/env nft -f
+flush ruleset
+
+table ip Inet4 {
+ chain NAT_in {
+ type nat hook prerouting priority -100
+
+ # Trusted hosts
+ tcp dport 443 ip saddr 192.168.1.96/29 redirect to 444
+ }
+ chain NAT_out {
+ type nat hook postrouting priority 100
+ ct status dnat masquerade
+ }
+
+ chain FilterIn {
+ type filter hook input priority 0
+ policy drop
+
+ # allow established/related connections
+ ct state {established, related} accept
+
+ # early drop of invalid connections
+ ct state invalid drop
+
+ # allow from loopback
+ meta iif lo accept
+
+ # allow icmp
+ ip protocol icmp accept
+
+ # trusted https
+ ct status dnat accept
+
+ # https
+ tcp dport 443 accept
+
+ # xmpp client
+ tcp dport 5222 accept
+
+ # xmpp server
+ tcp dport 5269 accept
+
+ # xmpp components
+ tcp dport 5347 accept
+ }
+
+ chain FilterOut {
+ type filter hook output priority 0
+ policy drop
+
+ ct state {established, related} accept
+ meta oif lo accept
+
+ # DNS
+ ip daddr 80.67.169.12 accept
+ ip daddr 80.67.169.40 accept
+ ip daddr 87.98.175.85 accept
+ ip daddr 5.135.183.146 accept
+ ip daddr 8.8.8.8 accept
+
+ meta skuid prosody accept
+ }
+}
diff --git a/nginx.conf b/nginx.conf
new file mode 100644
index 0000000..50ebe06
--- /dev/null
+++ b/nginx.conf
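Review bot: The ruleset declares only `table ip Inet4`, so after `flush ruleset` nothing at all is filtered for IPv6; if the host holds any routable IPv6 address, every listener (including prosody's 5280, which only nginx is meant to reach over loopback, presumably bound on all interfaces) is exposed on v6 with no `drop` policy. A `table ip6` carrying the same `FilterIn`/`FilterOut` chains with `policy drop` closes that gap (the filter chains could also move to the `inet` family, but the nat chains need a newer kernel than the 4.15 listed in the README for that). The `# DNS` rules in `FilterOut` accept any protocol and port towards those five resolvers; `udp dport 53` / `tcp dport 53` on each line would match the comment's intent. `ct status dnat accept` in `FilterIn` is the rule that admits the 443→444 redirect, which the `# trusted https` comment could state explicitly, e.g. `# trusted https: connections redirected 443->444 by NAT_in`.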
@@ -0,0 +1,71 @@
+load_module /usr/lib/nginx/modules/ndk_http_module.so;
+load_module /usr/lib/nginx/modules/ngx_http_lua_module.so;
+
+worker_processes auto;
+error_log syslog:server=unix:/dev/log,nohostname debug;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+ sendfile on;
+ keepalive_timeout 65;
+
+ # SSO
+ lua_shared_dict cache 10m;
+ init_by_lua_file /etc/ssowat/init.lua;
+
+ # Global configuration
+ client_max_body_size 10000M;
+ gzip on;
+ gzip_comp_level 6;
+ gzip_proxied any;
+ gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/javascript text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy text/xml;
+ index index.php index.html;
+ log_format proxy_log '…';
+ reset_timedout_connection on;
+ server_tokens off;
+ root /srv/http;
+
+ # server for regular HTTPS contents
+ server {
+ listen unix:/run/shared_sockets/https.pp proxy_protocol;
+ …
+ }
+
+ # server for privileged HTTPS contents
+ server {
+ listen unix:/run/shared_sockets/https+.pp proxy_protocol;
+ access_log /var/log/nginx/https_access.log proxy_log;
+ set_real_ip_from unix:;
+ real_ip_header proxy_protocol;
+
+ access_by_lua_file /etc/ssowat/access.lua;
+ header_filter_by_lua_file /etc/ssowat/headers.lua;
+
+ …
+
+ location /xmpp- {
+ proxy_pass http://localhost:5280;
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_buffering off;
+ tcp_nodelay on;
+ }
+ location /xmpp-websocket {
+ proxy_pass http://localhost:5280;
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection 
"upgrade";
+ proxy_read_timeout 30m;
+ proxy_buffering off;
+ tcp_nodelay on;
+ }
+
+ …
+ }
+}
diff --git a/prosody.cfg.lua b/prosody.cfg.lua
new file mode 100644
index 0000000..de39234
--- /dev/null
+++ b/prosody.cfg.lua
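Review bot: `client_max_body_size 10000M;` in the `http` block applies to `location /xmpp-` too, and the `[warn]` in journal.log shows nginx spooling the whole PUT to `/var/lib/nginx/client-body` before prosody ever sees it, so any client that reaches this server can park up to 10 GB per request on disk while prosody itself caps uploads at 5 MB; an override inside `location /xmpp-`, `client_max_body_size 6m;`, lets nginx reject oversize bodies first, and `proxy_request_buffering off;` would stream the rest instead of spooling it. Per the README the `/x…` paths bypass ssowat, so this limit is the only check in front of prosody. Neither location forwards the client address — journal.log shows prosody accepting the connection `from: 127.0.0.1` — so `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto https;` are needed before prosody-side logging or any IP-based policy there can see the real peer. The two `location` blocks repeat `proxy_pass`, `proxy_http_version` and the `Host` header; a shared snippet via `include` would keep them in step.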
@@ -0,0 +1,121 @@
+daemonize = true
+pidfile = "/run/prosody/prosody.pid"
+admins = { … }
+use_libevent = true;
+
+modules_enabled = {
+
+ -- Additional modules
+ "auto_accept_subscriptions"; -- friends automatically accepted
+ "csi"; -- filter activity depending on mobile state
+ "filter_chatstates"; -- csi: filter chat states when inactive
+ "http_upload"; -- share files in MUCs
+ "lastactivity"; -- query users’ idle time
+ "mam_adhoc"; -- manage mam from the client
+ "offline_email"; -- get missed messages by email
+ "pubsub"; -- publish-suscribe / lien social
+ "smacks"; -- ignore temporary disconnects
+ "throttle_presence"; -- csi: limit presence updates when inactive
+
+ -- Generally required
+ "roster";
+ "saslauth";
+ "tls";
+ "dialback";
+ "disco";
+
+ -- Not essential, but recommended
+ "carbons";
+ "pep";
+ "private";
+ "blocklist";
+ "vcard";
+
+ -- Nice to have
+ "version";
+ "uptime";
+ "time";
+ "ping";
+ "register";
+ "mam";
+
+ -- Admin interfaces
+ "admin_adhoc";
+
+ -- HTTP modules
+ "bosh";
+ "websocket";
+ "http_files";
+ "groups";
+}
+
+modules_disabled = {
+}
+
+allow_registration = false
+c2s_require_encryption = true
+s2s_require_encryption = true
+s2s_secure_auth = false
+authentication = "external"
+storage = "sql"
+sql = { … }
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+log = {
+ "*syslog"; -- Uncomment this for logging to syslog
+}
+
+certificates = "certs"
+
+-- configure bash authentication
+external_auth_command = "/etc/prosody/external_auth.sh"
+
+-- hide OS type from mod_version output
+hide_os_type = true
+
+-- limit registration
+allow_registration = true
+whitelist_registration_only = true
+registration_whitelist = { '127.0.0.1' }
+
+-- configure HTTP
+http_files_dir = "/var/lib/prosody/httpd"
+http_paths = {
+ websocket = "/xmpp-websocket";
+ bosh = "/xmpp-bind";
+ files = "/xmpp-shared";
+}
+http_default_host = "yalis.fr"
+http_external_url = "https://yalis.fr/xmpp-"
+
+-- configure uploads
+http_upload_file_size_limit = 5 * 1024 * 1024 -- 5MB in bytes
+
+-- configure websockets (ws:localhost:5280/websocket)
+cross_domain_websocket = true
+consider_websocket_secure = true
+
+-- configure BOSH (http://localhost:5280/bind)
+cross_domain_bosh = true
+consider_bosh_secure = true
+
+-- configure MAM
+default_archive_policy = "roster"
+archive_expires_after = "1m"
+archive_cleanup_interval = 24 * 60 * 60 -- once a day
+muc_log_by_default = true
+max_history_messages = 500
+
+-- configure email sending
+smtp_from = "xmpp-offline-do-not-reply@yalis.fr"
+
+-- setup the virtual host
+VirtualHost "yalis.fr"
+
+-- declare publish-suscribe
+Component "jabps.yalis.fr" "pubsub"
+
+-- declare Multi-User Chat
+Component "www.yalis.fr" "muc"
+
+VirtualHost "localhost"
diff --git a/ssowat.json b/ssowat.json
new file mode 100644
index 0000000..e9a2828
--- /dev/null
+++ b/ssowat.json
@@ -0,0 +1,10 @@
+{
+ "portal_scheme": "https",
+ "portal_domain": "yalis.fr",
+ …
+ "skipped_regex": [
+ "^/x",
+ …
+ ],
+ …
+}
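Review bot: `allow_registration` is assigned `false` near the top of the file and `true` under `-- limit registration`; Lua keeps the last assignment, so registration is on, and the whitelist `{ '127.0.0.1' }` is exactly the address every BOSH and websocket request carries once nginx has proxied it (journal.log shows prosody accepting `from: 127.0.0.1`), so it distinguishes nothing unless nginx forwards the client address and prosody's proxy trust is configured (with `authentication = "external"` account creation may fail anyway, but the config should not rely on that). Delete the first `allow_registration = false` line, or, if registration is not wanted, the whole `-- limit registration` block. `archive_expires_after` is likewise set twice, `"1w"` with a comment saying one week and later `"1m"`; the later value wins, so the first line and its comment are dead and misleading. `http_paths` maps websocket, bosh and files but not `upload`, so mod_http_upload is presumably still routed at its default `/upload` while the slot URL in journal.log is under `/xmpp-upload/`; adding `upload = "/xmpp-upload";` to `http_paths` is the first thing to try for the 404 the README describes. The comments `-- configure websockets (ws:localhost:5280/websocket)` and `-- configure BOSH (http://localhost:5280/bind)` still name the default paths rather than the `/xmpp-websocket` and `/xmpp-bind` values set in `http_paths`.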
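Review bot: `"^/x"` in `skipped_regex` passes through every path beginning with `/x`, far wider than the `/xmpp-` prefix nginx actually proxies to prosody, so any future `/x…` location on the privileged server would silently bypass SSO. Narrow it to the real prefix: if the fork's matcher is Lua's `string.match` (as in upstream ssowat, I believe), `-` is a quantifier there and the pattern has to be `"^/xmpp%-"`; otherwise `"^/xmpp-"`. The `…` placeholders make this file a redacted excerpt rather than loadable JSON, which the README could say in one sentence so nobody tries to deploy it as-is.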