From my nginx config:

upstream chat_cluster {
server localhost:5280;
}

Then, in the main 'server' stanza:
```
location /http-bind {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;

proxy_redirect off;
proxy_connect_timeout 5;
proxy_buffering       off;

proxy_read_timeout    70;
keepalive_timeout     70;
send_timeout          70;

client_max_body_size 4M;
client_body_buffer_size 128K;

proxy_pass http://chat_cluster;

I'll have to look at it (I'm at work and don't have access to look at my configs), but from what I can see, it's pretty much just like your's Brian. :( I just don't know what I'm doing wrong here

I assume you've followed everything here? https://wiki.diasporafoundation.org/Integration/XMPP/Prosody

Let me run outside on my phone and see if I can grab these configs though, that should help I hope.

Other things to check:
* Is prosody running?
* Is port 5269 open for server-to-server connections?
* Is port 5222 open for direct client connections? (optional)

https://diaspsocial.com/http-bind/ is up and running, but I can't connect to 5222 ot 5269 from here.

They are running, so I don't understand why they can't connect. One sec and I'll upload my files for you to review

Are they allowed by iptables? I'm connecting over ipv6 FWIW.

No joy trying with ipv4 either...

Diaspsocial.com.conf:
````
upstream diaspora_server {
server unix:/home/diaspora/diaspora/tmp/diaspora.sock;
}

upstream chat_cluster {
server localhost:5280;
}

server {
if ($host = www.diaspsocial.com) {
return 301 https://$host$request_uri;
} # managed by Certbot

 if ($host = diaspsocial.com) {
     return 301 https://$host$request_uri;
 } # managed by Certbot

listen 80;
listen [::]:80;
server_name www.diaspsocial.com diaspsocial.com;
return 301 https://diaspsocial.com$request_uri;

access_log /dev/null;
error_log /dev/null;

}

server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name www.diaspsocial.com diaspsocial.com;

if ($host = www.diaspsocial.com) {
return 301 https://diaspsocial.com$request_uri;
}

access_log /var/log/nginx/diaspsocial-access.log;
error_log /var/log/nginx/diaspsocial-error.log;

# ssl_certificate /etc/nginx/https/redacted.pem;
# ssl_certificate_key /etc/nginx/https/redacted.pem;

ssl_protocols TLSv1.2;
ssl_ciphers EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES;
ssl_ecdh_curve X25519:P-521:P-384:P-256;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
resolver 80.67.169.40 80.67.169.12 valid=300s;
resolver_timeout 5s;
ssl_session_cache shared:SSL:10m;

root /;

client_max_body_size 5M;
client_body_buffer_size 256K;

try_files $uri @diaspora;

location /assets/ {
expires max;
add_header Cache-Control public;
}

location @diaspora {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://diaspora_server;
}

location /http-bind {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto https;

 proxy_redirect off;
 proxy_connect_timeout 5;
 proxy_buffering       off;

 proxy_read_timeout    70;
 keepalive_timeout     70;
 send_timeout          70;


 client_max_body_size 4M;
 client_body_buffer_size 128K;

 proxy_pass http://chat_cluster;

}

 ssl_certificate /<redacted>; # managed by Certbot
 ssl_certificate_key /<redacted>; # managed by Certbot

}
````

diaspora.yml:
````

Some notes about this file:

- All comments start with a double

- All settings are commented out with a single

To change the default settings, you need both to uncomment the lines

AND, in most cases, to change the value that is given.

- Take care to keep proper indentation, that is by simply deleting

the original #, with no additional space before the setting's name.

- Take care to keep proper quoting. All ' must have a matching ' at

the end of the same line. The same goes for "

- Lines containing "## Section" are section headings. Do not edit them!

- Lists need the space after the -

- The values true, false and numbers should have no quote marks.

Single words don't need quote marks, but it doesn't do any harm to have them.

##

You can set and/or override all these settings through environment variables

with the following conversion rules:

- Strip the top level namespace (configuration, production, etc.)

- Build the path to the setting, for example environment.s3.enable

- Replace the dots with underscores: environment_s3_enable

- Convert to upper case: ENVIRONMENT_S3_ENABLE

- Specify lists/arrays as comma-separated values

##

- For example, on Heroku:

heroku config:set SERVICES_FACEBOOK_APP_ID=yourappid SERVICES_FACEBOOK_SECRET=yourappsecret

configuration: ## Section

## You need to change or at least review the settings in this section
## in order for your pod to work.
environment: ## Section

## Set the hostname of the machine you're running Diaspora on, as seen
## from the internet. This should be the URL you want to use to
## access the pod. So if you plan to use a reverse proxy, it should be
## the URL the proxy listens on. DO NOT CHANGE THIS AFTER INITIAL SETUP!
## However changing http to https is okay and has no consequences.
## If you do change the URL, you will have to start again as the URL
## will be hardcoded into the database.
url: "https://diaspsocial.com/"

## Set the bundle of certificate authorities (CA) certificates.
## This is specific to your operating system.
## Examples (uncomment the relevant one or add your own):
## For Debian, Ubuntu, Archlinux, Gentoo (package ca-certificates):
certificate_authorities: '/etc/ssl/certs/ca-certificates.crt'
## For CentOS, Fedora:
#certificate_authorities: '/etc/pki/tls/certs/ca-bundle.crt'

## URL for a remote Redis (default=localhost).
## Don't forget to restrict IP access if you uncomment these!
#redis: 'redis://example_host'
#redis: 'redis://username:password@host:6379/0'
#redis: 'unix:///tmp/redis.sock'

## Require SSL (default=true).
## When set, your pod will force the use of HTTPS in production mode.
## Since OAuth2 requires SSL, Diaspora's future API might not work if
## you're not using SSL. Also there is no guarantee that posting to
## services will be possible if SSL is disabled.
## Do not change this default unless you are sure!
#require_ssl: true

## Single-process mode (default=false).
## If set to true, Diaspora will work with just the appserver (Unicorn by
## default) running. However, this makes it quite slow as intensive jobs
## must be run all the time inside the request cycle. We strongly
## recommended you leave this disabled for production setups.
## Set to true to enable.
#single_process_mode: false

## Sidekiq - background processing
sidekiq: ## Section

  ## Number of parallel threads Sidekiq uses (default=5).
  ## If you touch this, please set the pool setting in your database.yml
  ## to a value that's at minimum close to this! You can safely increase
  ## it to 25 and more on a medium-sized pod. This applies per started
  ## Sidekiq worker, so if you set it to 25 and start two workers, you'll
  ## process up to 50 jobs in parallel.
  #concurrency: 5

  ## Number of times a job is retried (default=10).
  ## There's an exponential effect to this: if you set this too high you
  ## might get too many jobs building up in the queue.
  ## Set it to 0 to disable it completely.
  #retry: 10

  ## Lines of backtrace that are stored on failure (default=15).
  ## Set n to the required value. Set this to false to reduce Redis memory
  ## usage (and log size) if you're not interested in this data.
  #backtrace: 15

  ## Number of jobs to keep in the dead queue (default=5000).
  ## Jobs get into the dead queue after they failed and exhausted all retries.
  ## Increasing this setting will increase the memory usage of Redis.
  ## Once gone from the dead queue, a failed job is permanently lost and
  ## cannot be retried manually.
  # dead_jobs_limit: 1000

  ## Number of seconds a job remains in the dead queue (default=3628800 (six weeks)).
  ## Jobs get into the dead queue after they failed and exhausted all retries.
  ## Increasing this setting will increase the memory usage of Redis.
  ## Once gone from the dead queue, a failed job is permanently lost and
  ## cannot be retried manually.
  # dead_jobs_timeout: 15552000 # 6 months

  ## Log file for Sidekiq (default="log/sidekiq.log")
  #log: "log/sidekiq.log"

## Use Amazon S3 instead of your local filesystem
## to handle uploaded pictures (disabled by default).
s3: ## Section

  #enable: true
  #key: 'change_me'
  #secret: 'change_me'
  #bucket: 'my_photos'
  #region: 'us-east-1'

  ## Use max-age header on Amazon S3 resources (default=true).
  ## When true, this allows locally cached images to be served for up to
  ## one year. This can improve load speed and save requests to the image
  ## host. Set to false to revert to browser defaults (usually less than
  ## one year).
  #cache : true

## Set redirect URL for an external image host (Amazon S3 or other).
## If hosting images for your pod on an external server (even your own),
## add its URL here. All requests made to images under /uploads/images
## will be redirected to https://yourhost.tld/uploads/images/
#image_redirect_url: 'https://images.example.org'

assets: ## Section

  ## Serve static assets via the appserver (default=false).
  ## This is highly discouraged for production use. Let your reverse
  ## proxy/webserver do it by serving the files under public/ directly.
  #serve: false

  ## Upload your assets to S3 (default=false).
  #upload: false

  ## Specify an asset host. Ensure it does not have a trailing slash (/).
  #host: http://cdn.example.org/diaspora

## Pubsub server (default='https://pubsubhubbub.appspot.com/').
## Diaspora is only tested against the default pubsub server.
## You probably don't want to uncomment or change this.
#pubsub_server: 'https://pubsubhubbub.appspot.com/'

## Logger configuration
logging: ## Section

  logrotate: ## Section

    ## Roll the application log on a daily basis (default=true).
    #enable: true

    ## The number of days to keep (default=7)
    #days: 7

  ## Debug logging
  debug: ## Section

    ## Enables the debug-logging for SQL (default=false)
    ## This logs every SQL-statement!
    #sql: true

    ## Enables the federation-debug-log (default=false)
    ## This logs all XMLs that are used for the federation
    #federation: true

## Settings affecting how ./script/server behaves.
server: ## Section
## Where the appserver should listen to (default=unix:tmp/diaspora.sock)
#listen: 'unix:tmp/diaspora.sock'
#listen: 'unix:/run/diaspora/diaspora.sock'
#listen: '127.0.0.1:3000'

## Set the path for the PID file of the unicorn master process (default=tmp/pids/web.pid)
#pid: 'tmp/pids/web.pid'

## Rails environment (default='development').
## The environment in which the server should be started by default.
## Change this to 'production' if you wish to run a production environment.
rails_environment: 'production'

## Write unicorn stderr and stdout log.
#stderr_log: '/usr/local/app/diaspora/log/unicorn-stderr.log'
#stdout_log: '/usr/local/app/diaspora/log/unicorn-stdout.log'

## Number of Unicorn worker processes (default=2).
## Increase this if you have many users.
#unicorn_worker: 2

## Number of seconds before a request is aborted (default=90).
## Increase if you get empty responses, or if large image uploads fail.
## Decrease if you're under heavy load and don't care if some
## requests fail.
#unicorn_timeout: 90

## Embed a Sidekiq worker inside the unicorn process (default=false).
## Useful for minimal Heroku setups.
#embed_sidekiq_worker: false

## Number of Sidekiq worker processes (default=1).
## In most cases it is better to
## increase environment.sidekiq.concurrency instead!
#sidekiq_workers: 1

## Diaspora has an internal XMPP web-client. If you want to enable the chat
## functionality or want to use a custom XMPP server, then you should edit
## the following configuration.
chat: ## Section

## Enable the chat service and all its components.
##
## Please make sure that you followed the Installation-Instructions first:
## https://wiki.diasporafoundation.org/Integration/Chat#Installation.2FUpdate
enabled: true

## Custom XMPP server configuration goes here.
server: ## Section

  ## Use the configuration bridge to prosody (default=true).
  ## In case you want to run your own server or want to configure
  ## prosody on your own, you should disable it.
  enabled: true

  ## Set the directory in which to look for virtual hosts TLS certificates.
  certs: 'config/certs'

  ## XEP-0124 BOSH requests
  ## The easiest way of avoiding certificate and mixed-content issues
  ## is to use a proxy, e.g.:
  ##
  ## Apache: https://wiki.diasporafoundation.org/Integration/Chat#Apache2
  ## Nginx: https://wiki.diasporafoundation.org/Integration/Chat#Nginx
  ##
  ## If you configured your proxy correctly,
  ## you should set the proxy option to 'true'
  bosh: ## Section

    ## If you'd like to use a proxy, you should set the proxy
    ## option to true, otherwise jsxc always tries to
    ## connect directly to the port specified below.
    proxy: true

    ## Configure the protocol used to access the BOSH endpoint
    proto: http

    ## Configure the address that prosody should listen on.
    address: '<redacted>’

    ## Configure the BOSH port.
    port: 5280

    ## Configure the bind endpoint.
    bind: '/http-bind'

  ## Specify log behaviour here.
  log: ## Section

    ## Log file location.
    info: 'log/prosody.log'

    ## Error log file location.
    error: 'log/prosody.err'

    ## The debug level logs all XML sent and received by the server.
    debug: true

## Displays the location of a post in a map. Per default we are using the map
## tiles of the Heidelberg University (http://giscience.uni-hd.de).
## You also have the possibility to use the map tiles of https://www.mapbox.com
## which is probably more reliable. There you have to create an account to get
## an access token which is limited. If you want to get an unlimited account
## you can write an email to team@diasporafoundation.org.
## Please enable mapbox and fill out your access_token.
map: ##Section

mapbox:
  #enabled: false
  #access_token: "youraccesstoken"
  #style: "mapbox/streets-v9"

## Settings potentially affecting the privacy of your users.
privacy: ## Section

## Include jQuery from jquery.com's CDN (default=false).
## Enabling this can reduce traffic and speed up load time since most
## clients already have this one cached. When set to false (the default),
## the jQuery library will be loaded from your pod's own resources.
#jquery_cdn: false

## Google Analytics (disabled by default).
## Provide a key to enable tracking by Google Analytics.
#google_analytics_key: UA-126122735-1

## Piwik Tracking (disabled by default).
## Provide a site ID and the host piwik is running on to enable
## tracking through Piwik.
piwik: ## Section

  enable: true
  host: 'redacted'
  site_id: redacted

## Statistics
## Your pod will report its name, software version and whether
## or not registrations are open via /statistics.json.
## Uncomment the options below to enable more statistics.
statistics: ## Section

  ## Local user total and 6 month active counts.
  user_counts: true

  ## Local post total count.
  #post_counts: true
  comment_counts: true

## Use Camo to proxy embedded remote images.
## Do not enable this setting unless you have a working Camo setup. Using
## camo to proxy embedded images will improve the privacy and security of
## your pod's frontend, but it will increase the traffic on your server.
## Check out https://wiki.diasporafoundation.org/Installation/Camo for
## more details and installation instructions.
camo: ## Section

  ## Proxy images embedded via markdown (default=false).
  ## Embedded images are quite often from non-SSL sites and may cause a
  ## partial content warning, so this is recommended.
  #proxy_markdown_images: true

  ## Proxy Open Graph thumbnails (default=false).
  ## Open Graph thumbnails may or may not be encrypted and loaded from
  ## servers outside the network. Recommended.
  #proxy_opengraph_thumbnails: true

  ## Proxy remote pod's images (default=false).
  ## Profile pictures and photos from other pods usually are encrypted,
  ## so enabling this is only useful if you want to avoid HTTP requests to
  ## third-party servers. This will create a lot of traffic on your camo
  ## instance. You have been warned.
  #proxy_remote_pod_images: true

  ## Root of your Camo installation
  #root: "https://example.com/camo/"

  ## Shared key of your Camo installation
  #key: "example123example456example!"

## General settings
settings: ## Section

## Pod name (default="diaspora*")
## The pod name displayed in various locations, including the header.
pod_name: "DiaspSocial"

## Allow registrations (default=true)
## Set this to false to prevent people from signing up to your pod
## without an invitation. Note that this needs to be set to true
## (or commented out) to enable the first registration (you).
#enable_registrations: true

## Auto-follow on sign-up (default=true)
## Users will automatically follow a specified account on creation.
## Set this to false if you don't want your users to automatically
## follow an account upon creation.
autofollow_on_join: true

## Auto-follow account (default='hq@pod.diaspora.software')
## The diaspora* HQ account keeps users up to date with news about Diaspora.
## If you set another auto-follow account (for example your podmin account),
## please consider resharing diaspora* HQ's posts for your pod's users!
autofollow_on_join_user: 'erwright@diaspsocial.com'

## Welcome Message settings
welcome_message: ##Section

  ## Welcome Message on registration (default=false)
  ## Send a message to new users after registration
  ## to tell them about your pod and how things
  ## are handled on it.
  enabled: false

  ## Welcome Message subject (default='Welcome Message')
  ## The subject of the conversation that is started
  ## by your welcome message.
  subject: "Welcome Message"

  ## Welcome Message text (default='Hello %{username}, welcome to diaspora.')
  ## The content of your welcome message.
  ## The placeholder "%{username}" will be replaced by the username
  ## of the new user.
  text: "Hello %{username}, welcome to diaspora! Please be sure to also follow hq@pod.diaspora.software so you can get regular updates on Diaspora software!! Please make sure you make a #newhere post as well. Thanks for joining!! -Podmin"

## Invitation settings
invitations: ## Section

  ## Enable invitations (default=true)
  ## Set this to false if you don't want users to be able to send invites.
  #open: true

  ## Number of invitations per invite link (default=25)
  ## Every user will see such a link if you have enabled
  ## invitations on your pod.
  #count: 25

## Paypal donations (disabled by default)
## You can set details for a Paypal button here to allow donations
## towards running the pod.
## First, enable the function, then set the currency in which you
## wish to receive donations, and **either** a hosted button id
## **or** an encrypted key for an unhosted button.
paypal_donations: ## Section
  enable: true

  ## Currency used (USD, EUR...)
  currency: USD

  ## hosted Paypal button id
  paypal_hosted_button_id: "redacted"
  ## OR encrypted key of unhosted button
  #paypal_unhosted_button_encrypted: "-----BEGIN PKCS7-----"

## Liberapay.com is a free platform which allow donations like patreon
## Set your username to include your liberapay button
# liberapay_username: "change_me"

## Bitcoin donations
## You can provide a bitcoin address here to allow your users to provide
## donations towards the running of their pod.
bitcoin_address: "3EXBNYoL5PQFaeFGsT9Z8obJSv2JjyvQfK"

## Community spotlight (disabled by default)
## The community spotlight shows new users public posts from people you
## think are interesting in Diaspora's community. To add an account
## to the community spotlight add the 'spotlight' role to it.
community_spotlight: ## Section

  #enable: true

  ## E-mail address to which users can make suggestions about who
  ## should be in the community spotlight (optional).
  #suggest_email: 'admin@example.org'

## CURL debug (default=false)
## Turn on extra verbose output when sending stuff. Note: you
## don't need to touch this unless explicitly told to.
#typhoeus_verbose: false

## Maximum number of parallel HTTP requests made to other pods (default=20)
## Be careful, raising this setting will heavily increase the memory usage
## of your Sidekiq workers.
#typhoeus_concurrency: 20

## Maximum number of parallel user data export jobs (default=1)
## Be careful, exports of big/old profiles can use a lot of memory, running
## many of them in parallel can be a problem for small servers.
#export_concurrency: 1

## Captcha settings
captcha: ## Section

  ## Enable captcha (default=true)
  ## Set this to false if you don't want to use captcha for signup process.
  enable: true

  ## Captcha image size (default='120x20')
  #image_size: '120x20'

  ## Length of captcha text (default=5)(max=12)
  #captcha_length: 5

  ## Captcha image style (default='simply_green')
  ## Available options for captcha image styles are: 'simply_blue',
  ## 'simply_red' 'simply_green', 'charcoal_grey', 'embossed_silver',
  ## 'all_black', 'distorted_black', 'almost_invisible', 'random'.
  #image_style: 'simply_green'

  ## Captcha image distortion (default='low')
  ## Sets the level of image distortion used in the captcha.
  ## Available options are: 'low', 'medium', 'high', 'random'.
  #distortion: 'low'

## Terms of Service
## Show a default or customized terms of service for users.
## You can create a custom Terms of Service by placing a template
## as app/views/terms/terms.haml or app/views/terms/terms.erb
## The default terms of service that can be extended is
## at app/views/terms/default.haml
## NOTE! The default terms have not been checked over by a lawyer and
## thus are unlikely to provide full legal protection for all situations
## for a podmin using them. They are also not specific to all countries
## and jurisdictions. If you are unsure, please check with a lawyer.
## We provide these for podmins as some basic rules that podmins
## can communicate to users easily via the diaspora* server software.
## Uncomment to enable this feature.
terms: ## Section

  ## First enable it by uncommenting below.
  enable: true

  ## Important! If you enable the terms, you should always
  ## set a location under which laws any disputes are governed
  ## under. For example, country or state/country, depending
  ## on the country in question.
  ## If this is not set, the whole paragraph about governing
  ## laws *is not shown* in the terms page.
  #jurisdiction: ""

  ## Age limit for signups.
  ## Set a number to activate this setting. This age limit is shown
  ## in the default ToS document.
  minimum_age: 13

## Maintenance
## Various pod maintenance related settings are controlled from here.
maintenance: ## Section

  ## Removing old inactive users can be done automatically by background
  ## processing. The amount of inactivity is set by `after_days`. A warning
  ## email will be sent to the user and after an additional `warn_days`, the
  ## account will be automatically closed.
  ## This maintenance is not enabled by default.
  remove_old_users: ## Section

    enable: true
    after_days: 730
    warn_days: 30

    ## Limit queuing for removal per day.
    limit_removals_to_per_day: 100

## Source code URL
## URL to the source code your pod is currently running.
## If not set your pod will provide a downloadable archive.
#source_url: 'https://example.org/username/diaspora'

## Changelog URL
## URL to the changelog of the diaspora-version your pod is currently running.
## If not set an auto-generated url to github is used.
changelog_url: "https://github.com/diaspora/diaspora/blob/master/Changelog.md"

## Default color theme
## You can change which color theme is displayed when a user is not signed in
## or has not selected any color theme from the available ones. You simply have
## to enter the name of the theme's folder in "app/assets/stylesheets/color_themes/".
## ("original" for the theme in "app/assets/stylesheets/color_themes/original/", for
## example).
#default_color_theme: "original"

## Default meta tags
## You can change here the default meta tags content included on the pages of your pod.
## Title will be used for the opengraph og:site_name property while description will be used
## for description and og:description.
default_metas:
  #title: 'diaspora* social network'
  #description: 'diaspora* is the online social world where you are in control.'

## CSP (Content Security Policy) header
## CSP allows limiting origins from where resources are allowed to be loaded. This
## improves security, since it helps to detect and mitigate cross-site scripting
## and data injection attacks. The default policy of diaspora* allows all third
## party domains from services that are included in diaspora*, like OEmbed
## scripts, so you can safely activate it by setting `report_only` to false. If
## you customized diaspora* (edited templates or added own JS), additional work
## may be required. You can test the policy with the `report_uri`. Our default CSP
## does not work with Google analytics or Piwik, because they inject JS code that
## is blocked by CSP.
csp:

  ## Report-Only header (default=true)
  ## By default diaspora* adds only a "Content-Security-Policy-Report-Only" header. If you set
  ## this to false, the "Content-Security-Policy" header is added instead.
  #report_only: false

  ## CSP report URI (default=)
  ## You can set an URI here, where the user agent reports violations as JSON document via a POST request.
  #report_uri: "/csp_violation_reports"

## Posting from Diaspora to external services (all are disabled by default).
services: ## Section

## OAuth credentials for Facebook
facebook: ## Section

  enable: false
  app_id: '743005289374831'
  secret: '7e35ab131ae35e92be48cbf3607bdb2e'

  ## This setting is required to define whether the Facebook app has permissions to post
  ##   false == No permissions (default)
  ##   true == Permissions for all users to post. App MUST have 'publish_actions' approved by Facebook!
  ##   "username" == Set to local username to allow a single user to cross-post. The person who has created
  ##                 the Facebook app will always be able to cross-post, even without 'publish_actions'.
  authorized: true

## OAuth credentials for Twitter
twitter: ## Section

  enable: true
  key: 'redacted'
  secret: 'redacted'

## OAuth credentials for Tumblr
tumblr: ## Section

  enable: true
  key: 'redacted'
  secret: 'redacted'

## OAuth credentials for Wordpress
wordpress: ## Section

  enable: true
  client_id: 'redacted'
  secret: 'redacted'

## Allow your pod to send emails for notifications, password recovery
## and other purposes (disabled by default).
mail: ## Section

## First you need to enable it.
enable: true

## Sender address used in mail sent by Diaspora.
sender_address: 'redacted

## This selects which mailer should be used. Use 'smtp' for a smtp
## connection or 'sendmail' to use the sendmail binary.
method: 'smtp'

## Ignore if method isn't 'smtp'.
smtp: ## Section

  ## Host and port of the smtp server handling outgoing mail.
  ## This should match the common name of the certificate sent by
  ## the SMTP server, if it sends one. (default port=587)
  host: ‘redacted'
  port: 587

  ## Authentication required to send mail (default='plain').
  ## Use one of 'plain', 'login' or 'cram_md5'. Use 'none'
  ## if server does not support authentication.
  authentication: 'plain'

  ## Credentials to log in to the SMTP server.
  ## May be necessary if authentication is not 'none'.
  username: redacted'
  password: 'redacted'

  ## Automatically enable TLS (default=true).
  ## Leave this commented out if authentication is set to 'none'.
  starttls_auto: true

  ## The domain for the HELO command, if needed.
  #domain: 'smtp.example.org'

  ## OpenSSL verify mode used when connecting to a SMTP server with TLS.
  ## Set this to 'none' if you have a self-signed certificate. Possible
  ## values: 'none', 'peer'.
  #openssl_verify_mode: 'none'

## Ignore if method isn't 'sendmail'
sendmail: ## Section

  ## The path to the sendmail binary (default='/usr/sbin/sendmail')
  #location: '/usr/sbin/sendmail'

  ## Use exim and sendmail (default=false)
  #exim_fix: false

## Administrator settings
admins: ## Section

## Set the admin account.
## This doesn't make the user an admin but is used when a generic
## admin contact is needed, much like the postmaster role in mail
## systems. Set only the username, NOT the full ID.
account: "erwright"

## E-mail address to contact the administrator.
podmin_email: 'shawneric@diaspsocial.com'

## Settings related to relays
relay: ## Section

## Relays are applications that exist to push public posts around to
## pods which want to subscribe to them but would not otherwise
## receive them due to not having direct contact with the remote pods.
##
## See more regarding relays: https://wiki.diasporafoundation.org/Relay_servers_for_public_posts

outbound: ## Section
  ## Enable this setting to send out public posts from this pod to a relay
  send: true
  ## Change default remote relay url used for sending out here
  url: 'https://relay.iliketoast.net/receive/public'

inbound: ## Section
  ## Enable this to receive public posts from relays
  subscribe: true

  ## Scope is either 'all' or 'tags' (default).
  ## - 'all', means this pod wants to receive all public posts from a relay
  ## - 'tags', means this pod wants only posts tagged with certain tags
  scope: all

  ## If scope is 'tags', should we include tags that users on this pod follow?
  ## These are added in addition to 'pod_tags', if set.
  #include_user_tags: false

  ## If scope is 'tags', a comma separated list of tags here can be set.
  ## For example "linux,diaspora", to receive posts related to these tags
  #pod_tags:

Here you can override settings defined above if you need

to have them different in different environments.

production: ## Section
environment: ## Section
#redis: 'redis://production.example.org:6379'

development: ## Section
environment: ## Section
#redis: 'redis://production.example.org:6379'
````

prosody.cfg.lua:
````

-- Prosody Example Configuration File

-- Information on configuring Prosody can be found on our

-- website at https://prosody.im/doc/configure

-- Tip: You can check that the syntax of this file is correct
-- when you have finished by running this command:
-- prosodyctl check config
-- If there are any errors, it will let you know what and where

-- they are, otherwise it will keep quiet.

-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
-- blanks. Good luck, and happy Jabbering!

---------- Server-wide settings ----------
-- Settings in this section apply to the whole server and are the default settings
-- for any virtual hosts

-- This is a (by default, empty) list of accounts that are admins
-- for the server. Note that you must create the accounts separately
-- (see https://prosody.im/doc/creating_accounts for info)
-- Example: admins = { "user1@example.com", "user2@example.net" }
admins = { "eric@diaspsocial.com" }

-- Enable use of libevent for better performance under high load
-- For more information see: https://prosody.im/doc/libevent
--use_libevent = true

-- Prosody will always look in its source directory for modules, but
-- this option allows you to specify additional locations where Prosody
-- will look for modules first. For community modules, see https://modules.prosody.im/
plugin_paths = { "/etc/prosody/modules" }

-- This is the list of modules Prosody will load on startup.
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
modules_enabled = {

-- Generally required
    "roster"; -- Allow users to have a roster. Recommended ;)
    "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
    "tls"; -- Add support for secure TLS on c2s/s2s connections
    "dialback"; -- s2s dialback support
    "disco"; -- Service discovery

-- Not essential, but recommended
    "carbons"; -- Keep multiple clients in sync
    "pep"; -- Enables users to publish their mood, activity, playing music and more
    "private"; -- Private XML storage (for room bookmarks, etc.)
    "blocklist"; -- Allow users to block communications with other users
    "vcard"; -- Allow users to set vCards

-- Nice to have
    "version"; -- Replies to server version requests
    "uptime"; -- Report how long server has been running
    "time"; -- Let others know the time here on this server
    "ping"; -- Replies to XMPP pings with pongs
    "register"; -- Allow users to register on this server using a client and change passwords
    --"mam"; -- Store messages in an archive and allow users to access it

-- Admin interfaces
    "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
    --"admin_telnet"; -- Opens telnet console interface on localhost port 5582

-- HTTP modules
    "bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
    --"websocket"; -- XMPP over WebSockets
    --"http_files"; -- Serve static files from a directory over HTTP

-- Other specific functionality
    "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
    --"limits"; -- Enable bandwidth limiting for XMPP connections
    --"groups"; -- Shared roster support
    --"server_contact_info"; -- Publish contact information for this service
    --"announce"; -- Send announcement to all online users
    --"welcome"; -- Welcome users who register accounts
    --"watchregistrations"; -- Alert admins of registrations
    --"motd"; -- Send a message to users when they log in
    --"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
    --"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use

}

-- These modules are auto-loaded, but should you want
-- to disable them then uncomment them here:
modules_disabled = {
-- "offline"; -- Store offline messages
-- "c2s"; -- Handle client connections
-- "s2s"; -- Handle server-to-server connections
}

-- Disable account creation by default, for security
-- For more information see https://prosody.im/doc/creating_accounts
allow_registration = false

-- Debian:

-- send the server to background.

daemonize = true;

-- Debian:
-- Please, don't change this option since /var/run/prosody/

-- is one of the few directories Prosody is allowed to write to

pidfile = "/var/run/prosody/prosody.pid";

-- Force clients to use encrypted connections? This option will
-- prevent clients from authenticating unless they are using encryption.

c2s_require_encryption = true

-- Force servers to use encrypted connections? This option will
-- prevent servers from authenticating unless they are using encryption.
-- Note that this is different from authentication

s2s_require_encryption = true

-- Force certificate authentication for server-to-server connections?
-- This provides ideal security, but requires servers you communicate
-- with to support encryption AND present valid, trusted certificates.
-- NOTE: Your version of LuaSec must support certificate verification!
-- For more information see https://prosody.im/doc/s2s#security

s2s_secure_auth = true

-- Some servers have invalid or self-signed certificates. You can list
-- remote domains here that will not be required to authenticate using
-- certificates. They will be authenticated using DNS instead, even
-- when s2s_secure_auth is enabled.

--s2s_insecure_domains = { "insecure.example" }

-- Even if you leave s2s_secure_auth disabled, you can still require valid
-- certificates for some domains by specifying a list here.

--s2s_secure_domains = { "jabber.org" }

-- Select the authentication backend to use. The 'internal' providers
-- use Prosody's configured data storage to store the authentication data.
-- To allow Prosody to offer secure authentication mechanisms to clients, the
-- default provider stores passwords in plaintext. If you do not trust your
-- server please see https://prosody.im/doc/modules/mod_auth_internal_hashed
-- for information about using the hashed backend.

authentication = "internal_hashed"

-- Select the storage backend to use. By default Prosody uses flat files
-- in its configured data directory, but it also supports more backends
-- through modules. An "sql" backend is included by default, but requires
-- additional dependencies. See https://prosody.im/doc/storage for more info.

--storage = "sql" -- Default is "internal" (Debian: "sql" requires one of the
-- lua-dbi-sqlite3, lua-dbi-mysql or lua-dbi-postgresql packages to work)

-- For the "sql" backend, you can uncomment one of the below to configure:
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }

-- Archiving configuration
-- If mod_mam is enabled, Prosody will store a copy of every message. This
-- is used to synchronize conversations between multiple clients, even if
-- they are offline. This setting controls how long Prosody will keep
-- messages in the archive before removing them.

archive_expires_after = "1w" -- Remove archived messages after 1 week

-- You can also configure messages to be stored in-memory only. For more
-- archiving options, see https://prosody.im/doc/modules/mod_mam

-- Logging configuration

-- For advanced logging see https://prosody.im/doc/logging

-- Debian:
-- Logs info and higher to /var/log
-- Logs errors to syslog also
log = {
-- Log files (change 'info' to 'debug' for debug logs):
info = "/var/log/prosody/prosody.log";
error = "/var/log/prosody/prosody.err";
-- Syslog:
{ levels = { "error" }; to = "syslog"; };
}

-- Uncomment to enable statistics
-- For more info see https://prosody.im/doc/statistics
-- statistics = "internal"

-- Certificates
-- Every virtual host and component needs a certificate so that clients and
-- servers can securely verify its identity. Prosody will automatically load
-- certificates/keys from the directory specified here.
-- For more information, including how to use 'prosodyctl' to auto-import certificates
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates

-- Location of directory to find certificates in (relative to main config file):
certificates = "certs"
ssl = {
key = "redacted";
certificate = "redacted";
}

----------- Virtual hosts -----------
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
-- Settings under each VirtualHost entry apply only to that host.

--VirtualHost "diaspsocial.com"
-- certificate = "/path/to/example.crt"

VirtualHost "diaspsocial.com"
authentication = "diaspora"
-- Uncomment and adjust username and password for MySQL/MariaDB
--auth_diaspora = { driver = "MySQL", database = "diaspora_production", username = "diaspora", password = "pass", host = "localhost" }
-- Uncomment and adjust username and password for PostgreSQL
auth_diaspora = { driver = "PostgreSQL", database = "diaspora_production", username = "redacted", password = "redacted", host = "localhost" }

modules_enabled = {
"diaspora_contacts";
"bosh";
};

------ Components ------
-- You can specify components to add hosts that provide special services,
-- like multi-user conferences, and transports.
-- For more information on components, see https://prosody.im/doc/components

---Set up a MUC (multi-user chat) room server on conference.example.com:
--Component "conference.example.com" "muc"

---Set up an external component (default component port is 5347)

-- External components allow adding various services, such as gateways/
-- transports to other networks like ICQ, MSN and Yahoo. For more info

-- see: https://prosody.im/doc/components#adding_an_external_component

--Component "gateway.example.com"
-- component_secret = "password"

------ Additional config files ------
-- For organizational purposes you may prefer to add VirtualHost and
-- Component definitions in their own config files. This line includes
-- all config files in /etc/prosody/conf.d/

Include "conf.d/*.cfg.lua"

Two things I noticed on first pass in diaspora.yml
* the proto should be http*s*
* I'm not sure how the "address" field is used by D*, but make sure prodosy is actually bound to whatever address you have configured there.

Ah, you're right that should be https, I'll change that in a few. I'm not sure how to bind the prosody to the address???

Ok, proto is changed to https

Since you didn't specify anything to override the default behavior in the config, it should be binding to 0.0.0.0 (all interfaces), but since I can't see what you put in diaspora.yml I just wanted to make sure I noted it.

Also, if you compare your prosody.cfg.lua to mine, you'll see yours is missing ssl parameters.

yours is missing ssl parameters.

In the VirtualHost, that is. I think the global settings should be enough, but for whatever reason when I did my config I repeated them in the vhost, and my setup works.

Also, you have authentication set to "internal_hashed" where mine is "internal_plain".

You are also missing bosh_ports = { 5280 }, so it may not be listening on 5280.

Actually, I have all of the following bosh settings, which you do not:

bosh_ports = { 5280 }
bosh_max_inactivity = 1800
consider_bosh_secure = true
cross_domain_bosh = true

That's quite a bit, I've got some work to do tonight when I get home. lol no way I can do all those edits from my phone :P

It's been a long time since I set this up, and I'm by no means an XMPP expert, so I can't guarantee all of these settings are necessary. Good luck :)

Thanks man, I'm hoping it finally works when I do these updates. Goodness knows I've been smashing my head on the table for several days now just waiting for support on the diaspora discourse without much success.

I'm actually gonna go and try to make a few updates right now, might as well, lunch break :D

Brian, where should these settings be located?

bosh_ports = { 5280 }
bosh_max_inactivity = 1800
consider_bosh_secure = true
cross_domain_bosh = true

Ok, now at least my contacts all show up in the chat window, but I can't seem to send messages to anyone

Those are top-level settings, so wherever.

I still can't telnet to 5269, so if you're trying to send messages to people on another server, that's probably why.

O.o why on earth would be using telnet? thought that was obsolete and insecure? Or you just testing to see if the port is even up?

Ah, so I can confirm, it does work locally :) just need to figure out how to get it to work across networks hmmm

Or you just testing to see if the port is even up?

Ding!

is that just this command ufw allow 5269/tcp or do I need to have that port identified somewhere?

I've never used ufw, but I would guess the answer is yes. You should also open 5222 so people can connect with their own chat clients as well. The built in JS chat kinda sucks.

You can send a test to me. I'll be online for at least another hour and a half, and I'll reply back right away.

I think I've already actually opened both of these ports via the firewall, so there's no reason you shouldn't be able to connect to them??????
but let me try it anyway to see

ok, I ran the command, I still can't connect with any of my other accounts on other pods, only local.

I still can't connect to the ports either. Looks like your server is behind cloudflare, though. That might be a dealbreaker.

O.o ughhh it is behind cloudflare, wonder why that would screw it up???

Because from the outside people are hitting a cloudflare IP instead of your own. Cloudflare only forwards web traffic. You'll need to set it to pass through so the name resolves to your real IP.

welp I guess there goes ddos protection -_-

looks like that wasn't the issue anyway. cloudflare is offline, but still no chat

I can connect to the ports now. I'll try sending you a message.

ok, haven't received anything

I'll be heading out in 15 minutes and it's a 45 minute drive for me back to my house, will you be on in the next hour and a half or so? I can test in real time then since I can edit files directly on my computer

I'll be going out in about an hour, but I'll be connected on my phone using the account listed in my profile

rgr, sounds good

ok I'm home, I've tried changing some configs, but it looks like in the prosody.log that all s2s connections are failing. I can 100% confirm that ports 5222 and 5269 ARE indeed wide open. Firewall is not blocking them.

No useful error messages?

yeah I kind of made a screw up, I added legacy_ssl_ports to my config, and when I removed it, the setting was still there even though I reset it
so, now I'm just setting this up, might as well: https://wiki.debian.org/InstallingProsody#XMPP_over_HTTPS

Only thing is, I don't know where to add this portion:

You should add new SRV records.

# Try the following order, 5222/xmpp, 5223/tls, 443/xmpp, 443/tls
_xmpp-client._tcp.im.example.org. 86400 IN SRV 5 1 5222 im.example.org.
_xmpps-client._tcp.im.example.org. 86400 IN SRV 10 1 5223 im.example.org.
_xmpp-client._tcp.im.example.org. 86400 IN SRV 15 1 443 im.example.org.
_xmpps-client._tcp.im.example.org. 86400 IN SRV 20 1 443 im.example.org.

ohhh derp, that's dns

I don't understand why, but now I can't load all my contacts. No connection whatsoever, but I'm not seeing error reports for it.

well, no idea what happened. I'm worse off than before. now htt-bind won't even respond. sigh

have you tried turning it off and back on..... seriously man, well done for trying and owning the mess up - the only way to learn

Of course I did, as per my newest post. I am a Systems Administrator after all. But slamming my head on the wall all day does nothing to help me actually learn, and I don't have time for this. I only have one more day to get this to work, after that it's offline for a very long time. I really could use another set of hands working on this.

You you tried editing the configs I posted and using those rather than tweaking what you have?

I actually did use yours, exactly your's and just substituted my own. But I'm afraid something happened that I can't get rid of. I think it's this https configuration (I added legacy_ssl_ports = { 5532 } to my prosody.cfg.lua config file and even after removing that config, it still tries to load it.

That doesn't make a lot of sense.

If you look here: https://wiki.debian.org/InstallingProsody#XMPP_over_HTTPS

you'll see one of the steps is to add this to my file (I had the port wrong, it's 5223, that's what I set). Anyway, after I tried to set that up, I figured I'd just go back to what I had before, since it was known working, but even after removing the configuration prosody still tried to load https even after restarting prosody and restarting the server. It would just say in the prosody.log file portmanager: activated legacy_ssl on No_Port

But it would still attempt to load some kind of ssl even though the config didn't specifiy for it to. So, I'm lost, I don't know how to fix that.

I really could use another set of hands working on this.

If you want to give me shell access, I can take a look. I realize that's probably not gonna happen, but that's all I can offer at this point.